IRONMESH
v0.8.3 · Pre-1.0

Your agents. Your network.
Your rules.

Zero-config, end-to-end encrypted agent-to-agent communication that never leaves your local network. No cloud. No internet. No compromises.

View on GitHub Get Started
pip install ironmesh Click to copy
docker pull wiztheagent/ironmesh:0.8.3 Click to copy
The Problem

Every agent protocol assumes you're online.

We looked for a way to make AI agents talk to each other on a local network. There was nothing.

Google A2A

× Requires HTTPS and internet. Your agents go silent when the cloud goes down.

Anthropic MCP

× Solves agent-to-tool, not agent-to-agent. IronMesh fills that gap — the two stack together.

ACP

× Local IPC only. Can't cross machines on your LAN.

ANP

× Decentralized but complex DID setup, still assumes internet connectivity.

Where it fits

IronMesh is a layer, not a competitor.

It sits under the agent frameworks and protocols you already use — giving them a transport that survives a router reboot, a dead ISP, or no internet at all.

 ┌─────────────────────────────────────────────────────┐
 │  Your application                                   │
 ├─────────────────────────────────────────────────────┤
 │  Agent frameworks  — LangChain · CrewAI · AutoGen   │  adapters ship with IronMesh
 ├─────────────────────────────────────────────────────┤
 │  Tool / context protocols  — MCP · A2A              │
 ├─────────────────────────────────────────────────────┤
 │  IronMesh — identity · encryption · routing · queue   │  this project
 ├─────────────────────────────────────────────────────┤
 │  Transport  — WebSocket over LAN · Reticulum / LoRa │
 └─────────────────────────────────────────────────────┘
Doesn't MCP already do this?
MCP connects agents to tools. IronMesh connects agents to each other. They compose.
What about LangGraph / CrewAI?
They orchestrate agent logic. IronMesh carries the messages between machines. They compose.
Isn't Tailscale / WireGuard enough?
Those give you an encrypted tunnel. IronMesh adds identity pinning, capability discovery, offline queueing, and an agent-aware routing table on top.
Why not use Reticulum directly?
Reticulum is a great low-level mesh; IronMesh uses it as one of its transports. We add per-agent identity, capability discovery, and an authenticated handshake on top.
0
Cloud dependencies
E2E
Encrypted by default
582
Passing tests
v0.8.3
Current release
On the offline-first axis

If you need the internet to be optional.

For offline-capable, peer-to-peer agent communication specifically, here's how the field looks.

Feature IronMesh Google A2A Anthropic MCP ACP ANP
Works offline / no internetYesNoN/AYesNo
True peer-to-peerYesNoNoNoYes
Zero-config LAN discoveryYesNoNoNoNo
End-to-end encryptionNaClTLS onlyN/ANoYes
Forward secrecyYesDependsN/ANoNo
Multi-hop mesh routingYesNoNoNoNo
Capability discoveryYesNoNoNoNo
LoRa / radio transportYesNoNoNoNo
Self-hosted, no vendor lockYesNoNoNoPartial
Survives internet outageYesNoN/AYesNo
Under the hood

Security isn't a feature. It's the architecture.

NaCl / libsodium crypto — the same library as Signal and WireGuard. Not homebrew. Not "encrypt later." Not "TLS is enough."

🔒

Forward Secrecy

Ephemeral X25519 keys per session, destroyed after handshake. Compromising today's keys can't decrypt yesterday's traffic.

🔍

Zero-Config Discovery

mDNS auto-discovers agents on your LAN. No manual IP config. Identity keys only exchanged during authenticated handshake.

🛡

Mutual Authentication

HMAC-SHA256 passphrase proof. Both client and server prove identity. Ed25519 signatures on every single frame.

🌐

Multi-Hop Mesh

Distance-vector routing with split horizon and poisoned reverse. Messages traverse intermediate peers automatically.

📡

LoRa / Reticulum

Optional transport over LoRa radio at 915 MHz via Reticulum. No internet at all. Just RNode hardware and open spectrum.

Offline Queue

Messages queued in encrypted SQLite when peers are offline. Automatically delivered on reconnect. Priority ordering built in.

What it looks like

Three peers talking. Zero cloud.

The operator console — embedded in every node, reachable at http://127.0.0.1:8766 with a per-session bearer token. The same handshake diagram from the spec, lit live for the selected peer. Encrypted A2A dialogue turn-by-turn in the feed. CSP-locked to same-origin so the page renders with the router unplugged.

IronMesh operator console: three live encrypted peers (bench-resp, gatekeeper, kingpi), the 3-stage handshake diagram lit green, and a live A2A dialogue between two local LLMs ending on [END] goal-achieved

Live capture: wiz (Windows) ↔ kingpi (Pi 5, Ollama kingpi:latest) ↔ gatekeeper (NAS, Ollama hermes3:3b). A2A dialogue: three turns, ended on goal-achieved.

New in v0.8.3

AI agents can have bounded conversations. On your LAN. With no cloud.

v0.8.1 fixed the duplicate-handshake race. v0.8.2 shipped multi-turn AI-to-AI dialogue, persona presets, budgets, and a one-click A2A panel. v0.8.3 rebuilds the dashboard to match this site, fixes two latent GUI serialization bugs, and closes the v0.8.3 E2E audit (Hypothesis fuzzing, concurrency tests, crash matrix, macOS CI). Full write-up: v0.8.3 release notes.

💬

Multi-turn AI-to-AI dialogue

New MessageType.CONV envelope (conv_id, turn, max_turns, byte + time budgets) and a [DONE] smart-termination rider. Five stacked protections keep two LLM bridges from looping: turn cap, per-conv cooldown, byte + time budgets, [LLM] reply-prefix ignore, graceful [DONE] exit.

🏛

Operator console rebuild

Dashboard now matches this site: monospace wordmark, the 3-stage handshake ASCII diagram baked in and lit live per peer, TOFU trust tri-state (✓ pinned / … handshaking / ✗ mismatch), transport column (WS / RNS / BOTH), bearer-token masked reveal, CSP-enforced offline rendering.

🎭

Seven persona presets

Roles ship in ironmesh.roles: assistant, security-analyst, network-engineer, historian, coder, ops, devil. Advertised as role:<name> capability, so agent.discover("role:security-analyst") finds specialists on the mesh.

🛠

Opt-in tool-use registry

LLM bridges can expose echo, http-get, file-read (the last gated by a strict operator allowlist). Model emits <tool name="X">args</tool>; the bridge substitutes <tool-out> before reply. Per-call timeouts, result-size cap, no recursive model call.

🐍

Agent SDK — 3 lines to join the mesh

High-level Agent class wraps the bridge daemon. Decorator-based message handlers, sync+async send, capability discovery. No asyncio boilerplate, no WebSocket plumbing.

🔗

LangChain · CrewAI · AutoGen

First-party adapters for the three major agent frameworks. create_ironmesh_toolkit(), create_mesh_crew_agent(), register_ironmesh() — drop the mesh into an existing agent stack in one call.

🧩

MCP server for agents

Ship an MCP server out of the box. Any MCP-capable agent (Claude Desktop, Claude Code, custom clients) can use IronMesh as a transport for agent-to-agent messaging. Eight tools over stdio JSON-RPC.

📱

Android via Sideband + LXMF

Bundled LXMF gateway bridges IronMesh to the Reticulum LXMF ecosystem. Send from your phone's Sideband app to any IronMesh peer. Verified end-to-end with a real Pixel over LoRa (100% delivery at SF8/BW125, 1.07–1.98 s RTT).

Under the Hood

The handshake.

Mutual passphrase auth, signed ephemeral ECDH, channel binding. Three stages. Zero trust assumptions. The same diagram renders live inside the operator console — click any peer row and watch the stages go green in real time.

Client                                   Server
  |                                        |
  |<── PASSPHRASE_CHALLENGE ──────────────| (32-byte server nonce)
  |─── HMAC-SHA256(pass, nonce) ─────────>|
  |<── PASSPHRASE_VERIFIED + server_proof─| (mutual auth)
  |    verify server_proof                 |
  |                                        |
  |─── HELLO (eph_pub_A, id_pub_A) ──────>| signed(Ed25519) + channel_binding
  |<── HELLO (eph_pub_B, id_pub_B) ───────| signed(Ed25519) + channel_binding
  |    TOFU check on id_pub_B             | TOFU check on id_pub_A
  |                                        |
  | ECDH(eph_priv_A, eph_pub_B)           | ECDH(eph_priv_B, eph_pub_A)
  |    = shared_secret                     |    = shared_secret
  |  (ephemeral privkeys destroyed)        | (ephemeral privkeys destroyed)
  |                                        |
  |<═══ Encrypted + Signed Messages ═════>| SecretBox + Ed25519 on every message
Who It's For

Built for people who don't trust the cloud.

Home AI Mesh

Raspberry Pi running Ollama talks to your desktop coding agent. No cloud. No API keys. No third parties.

Off-Grid Comms

Agents on a network with no internet coordinate tasks, share data, and run workflows over LoRa radio.

Prepper Infrastructure

Self-contained AI network that works when the internet doesn't. Solar-powered Pi cluster. Local models.

Air-Gapped Labs

Agents in isolated environments that can never touch the internet. Full encryption at rest and in transit.

Privacy-First AI

All agent communication stays on your LAN. Nothing leaves your network. Nothing gets logged by anyone.

Multi-Device Workflows

Phone, desktop, and server agents all talk directly to each other. mDNS discovery. Zero config.

Pull the plug on your router.
IronMesh keeps working.

Local-first. Offline-capable. Mesh-ready. Zero-config. No cloud required. Ever.

Star on GitHub Read the Docs
pip install ironmesh Click to copy