
Sovereign Mesh Networking

Overview

NØN-OS operates entirely on a vendor-agnostic, sovereign mesh network designed to replace traditional DNS, ISP, and centralized routing dependencies. The mesh layer is the primary transport for:

Capsule distribution

zkProof receipt broadcasting

Peer discovery

Trust score propagation

Unlike typical overlay networks that ride on top of corporate-controlled infrastructure, NØN-OS treats the mesh as first-class infrastructure — bootstrapped locally, discovered peer-to-peer, and verified cryptographically.


Core Design Goals

No Hardcoded Authorities — The mesh must function without root servers, public bootstrap nodes, or fixed entry points.

Privacy by Default — Onion-routed paths prevent observer correlation.

Resilience to Partitioning — Nodes continue operation in isolated mesh segments with eventual consistency.

Proof-Aware Transport — Every data payload can carry an attached zkProof receipt for verifiable authenticity.


Layered Architecture

The NØN-OS mesh stack is implemented across several key modules in the repository:

| Layer | Module | Description |
|---|---|---|
| Discovery | beacon.rs | Periodic broadcast of node presence and capabilities over LAN/WAN with signed identity packets. |
| Trust Sync | trust.rs | Distributes and reconciles operator trust scores across the network. |
| Routing | mesh.rs | Maintains onion-routed link state tables for peer-to-peer capsule and proof transfer. |
| Gossip | gossip.rs | Rebroadcast layer for proof receipts, manifest updates, and operator events. |
| State Hash | state.rs | Produces runtime state digests for verification and sync purposes. |


Discovery & Beaconing

Signed Presence Packets

Every node periodically emits Beacon Packets containing:

Node onion address

Public ed25519 identity key

Supported capabilities (zkProof, storage capacity, bandwidth class)

Trust score

Security — The packet is signed by the node’s private key, making spoofing or impersonation computationally infeasible.


Adaptive Broadcast Domains

Beacon intervals and target peers are adaptive:

  • Dense meshes → Reduced broadcast frequency to avoid saturation.

  • Sparse meshes → Increased frequency for rapid convergence.


Routing

Onion-Routed Paths

All mesh traffic is encapsulated in multi-layer encryption envelopes empowering Anyone Network, but with:

Short-lived circuit IDs bound to proof cycles.

Integration with onion.rs for key exchange and layered decryption.

Multipath Resilience

Capsule data is split into chunks and routed over multiple independent paths. This:

Prevents single-path correlation.

Improves throughput in volatile topologies.

Allows partial reconstruction even if some paths are disrupted.


Gossip Protocol

Proof-Aware Gossip

gossip.rs implements a selective rebroadcast algorithm:

Prioritizes zkProof receipts and capsule manifest updates.

Uses an exponential backoff to avoid redundant flooding.

Anti-Sybil Flood Control

Nodes cross-reference gossip source keys against trust.rs:

Low-trust peers’ messages propagate slower.

Proof-verified peers enjoy fast-lane rebroadcast privileges.
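
The two gossip rules above (proof-aware backoff and trust-gated flood control) can be combined into a single relay-delay decision. The following is an added example, not code from gossip.rs or trust.rs; the `Relay`, `Peer` and `Kind` types, the constants, the 0 to 1 trust scale, and the choice to key the backoff on repeat sightings of a message are all assumptions made for illustration.

```rust
use std::collections::HashMap;
use std::time::Duration;

// Illustrative assumptions, not NØN-OS constants.
const BASE_DELAY_MS: u64 = 50; // delay before the first relay of a message
const MAX_SIGHTINGS: u32 = 5; // stop relaying once a message is this common
const MIN_TRUST: f64 = 0.0625; // floor that bounds the slow-lane penalty

#[derive(Clone, Copy)]
pub enum Kind { ProofReceipt, ManifestUpdate, OperatorEvent }

/// Hypothetical view of a trust record for a gossip source key.
pub struct Peer { pub trust: f64, pub proof_verified: bool }

/// Per-node relay state: how many times each message digest has been seen.
#[derive(Default)]
pub struct Relay { seen: HashMap<[u8; 32], u32> }

impl Relay {
    /// Delay before relaying `id`, or `None` to drop it. `src` is `None` for unknown keys.
    pub fn schedule(&mut self, id: [u8; 32], kind: Kind, src: Option<&Peer>) -> Option<Duration> {
        let sightings = self.seen.entry(id).or_insert(0);
        *sightings = sightings.saturating_add(1);
        if *sightings > MAX_SIGHTINGS {
            return None; // already widely flooded, do not add to it
        }
        // Exponential backoff: every repeat sighting doubles the delay.
        let backoff = (BASE_DELAY_MS << (*sightings - 1)) as f64;
        // Proof receipts and manifest updates are relayed ahead of other events.
        let kind_factor = match kind {
            Kind::ProofReceipt | Kind::ManifestUpdate => 1.0,
            Kind::OperatorEvent => 2.0,
        };
        // Slow lane: the penalty grows as trust falls. Unknown keys and
        // non-finite scores get the floor, so a NaN score cannot yield zero delay.
        let trust_factor = match src {
            Some(p) if p.proof_verified => 1.0, // fast lane
            Some(p) if p.trust.is_finite() => 1.0 / p.trust.clamp(MIN_TRUST, 1.0),
            _ => 1.0 / MIN_TRUST,
        };
        Some(Duration::from_millis((backoff * kind_factor * trust_factor) as u64))
    }
}

fn main() {
    let mut relay = Relay::default();
    let low = Peer { trust: 0.25, proof_verified: false }; // constructed sample peer
    println!("{:?}", relay.schedule([1; 32], Kind::ProofReceipt, Some(&low)));
}
```

The `seen` map in this sketch grows with every new message digest, so a node using this approach would also need to expire or cap its entries to keep unique-id flooding from exhausting memory.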


State Synchronization

Hash-Based State Snapshots

state.rs periodically computes Merkle root hashes of local runtime state:

Running capsules and their digests.

Stored capsule manifests.

Pending proof receipts.

These hashes are exchanged with peers to detect divergence without full data transfer.


Eventual Consistency

If discrepancies are detected:

Nodes request missing proofs or manifests.

Requests travel over onion-routed channels.

Data is reconciled locally and hash trees are updated.


Trust-Weighted Topology

trust.rs assigns each peer a dynamic trust score based on:

Proof submission reliability.

Uptime and availability.

Absence of malicious gossip or invalid proofs.

Routing Bias — High-trust peers are more likely to be selected for critical proof and manifest transfers.


Failure Modes & Countermeasures

| Threat | Countermeasure |
|---|---|
| Targeted Peer Blacklisting | Multipath routing and adaptive peer re-selection. |
| Sybil Flooding | Trust-gated gossip and proof prioritization. |
| Metadata Leakage | Onion-routing with ephemeral circuit IDs. |
| Partition Isolation | Autonomous operation with delayed proof sync. |

Integration with zkProof-Bound Execution

The mesh layer is proof-native:

Capsules and their proofs are first-class network objects.

Verification can happen in-flight before storage or execution.

Operators earn micro-fees for proof relay and capsule seeding.


Future Extensions

Mesh-Layer Market — Operators can price relay/bandwidth as a service for higher-value capsule distribution.

Post-Quantum Onion Layer — Replace curve25519 key exchanges with Kyber/Dilithium for PQ security.

Cold-Start Bootstrap Protocol — Satellite or LoRa-based broadcast for fully air-gapped mesh seeding.
