Blackhole Mesh
Terminal sovereignty for AI companies

AdsPower for Terminals. AI Mesh OS. Your Agents, Your Network.

Browser farms got profile isolation. AI companies need the same discipline for terminals, agents, devices, credentials, and routes. Blackhole Mesh turns that operating layer into a founder-led product you can actually roll out.

Latency targets ledgered · 12+ provider candidates · 6 e2e tests tracked · Assisted beta evidence
Blackhole brand package

A command-center brand for people running AI companies at scale.

Blackhole Mesh now has a repo-saved media system for founder sales, comparison pages, pricing moments, launch graphics, and marketplace cards. The visual language is private networks, operator desks, governed terminals, and high-trust company control.

Hero-ready
No watermark
Mobile crop
Contrast-safe
Repo-saved
Optimized JPEG
[Image: Blackhole Mesh cinematic command center with terminal workspaces, private routes, and AI company control layers]
operator command media (LIVE)
problem

Terminal profiles become company infrastructure

Content teams, scrapers, operators, and AI founders need isolated terminal identities with network, credential, and role boundaries.

product

Private mesh identity for every operator

Each company, worker, and machine gets a governed mesh presence that can be reviewed during assisted onboarding.

proof

Built on infrastructure buyers recognize

WireGuard, embedded NATS, CRDT state, MagicDNS, Cap’n Proto, and health telemetry become visible proof instead of hidden plumbing.

upsell

The first layer of Pitt company formation

Mesh workspaces connect naturally to AISP roles, Gatekeeper budgets, and Pitt Management company templates.

cta

Activate the private layer

Start with founder-led mesh onboarding, then attach AISP roles and Gatekeeper controls after first-value proof.

blackhole@mesh ~ validation-plan

$ blackhole validate --assisted

mesh: peer count confirmed during onboarding

nats: cluster topology validated per deployment

wireguard: tunnel health checked before launch

latency: assisted-beta target

xdp: fast-path evidence captured in setup

──────────────────────────────────────

evidence: customer-specific

release: assisted beta

Linux
macOS
iOS (soon)
Android (soon)
Docker
Kubernetes
WireGuard
NATS
Cap'n Proto
Ed25519
XDP BPF
CRDT
ZK Proofs
JetStream
Go
ARM64
RISC-V
AWS
Azure
GCP
Raspberry Pi
Zero Layer

Layer −1 of the Network Stack

While others process packets in userspace, Blackhole processes them at the NIC — before Linux even sees them. This is unprecedented in consumer mesh networking.

XDP BPF Fast Path

internal/bpf/bh-xdp.c

WireGuard packets are processed at the NIC using eBPF XDP hooks. The Linux kernel network stack never touches them — no socket buffers, no interrupt coalescing delay, no scheduler latency.

NIC → [XDP HOOK] → WireGuard → NATS → App
Competitors: userspace VPN paths add extra packet-processing work; exact overhead is benchmarked per environment
Packet latency: targeted
Processing layer: Layer −1
Kernel bypass: XDP/BPF
Sched overhead: ~0

Embedded NATS

internal/natsembed/server.go

Every Blackhole agent IS a NATS server. No external broker needed. Disconnect the coordinator — the mesh still routes messages. The broker is the node.

Node A (NATS)
Node B (NATS)
Node C (NATS)
← each node routes independently →
Intra-mesh latency: Target
External broker: None
Atomic ops/sec: Measured
Atomic op latency: Target

"Zero external dependencies. Zero external coordinators. Latency targets stay evidence-led. That's what Layer −1 means."

Architecture

9 Layers. From Silicon to AI.

A complete operating system for your mesh — from NIC interrupt to agent session.

L-1 XDP BPF (NEW): NIC-speed kernel bypass — WireGuard at hardware interrupt
L0 Kernel Agent: The mesh OS kernel — agent.go, lifecycle orchestration
L1 Embedded NATS (NEW): Built-in message bus — every node is a broker
L2 Bootstrap: Identity, certs, Cap'n Proto wire format
L3 Discovery: mDNS, PeerRegistry CRDT, hub announcements
L4 Connectivity: WireGuard tunnels, STUN, relay fallback
L5 Addressing: MagicDNS *.bh, IPAM, route propagation
L6 Policy: ACLs, Zero Trust tokens, posture, flow logs
L7 Applications: AISP sessions, Gatekeeper, BMAP, exec channels

CRDT Suite

6 CRDT Types. No Coordinator. Ever.

The network can partition. The state always converges.

Commutativity ✓  A ⊕ B = B ⊕ A
Associativity ✓  (A ⊕ B) ⊕ C = A ⊕ (B ⊕ C)
Idempotency ✓  A ⊕ A = A

3 nodes write concurrently → automatic merge
Node A: set("x", 1)
Node B: set("y", 2)
Node C: inc("z")
Merged state (all 3 nodes, no coordinator): { x: 1, y: 2, z: 1 }

GCounter

Distributed increment with no coordinator. Each node owns its partition.

LWW-Map

Last-write-wins key-value. Timestamp arbitration, zero conflicts.

OR-Set

Add and remove concurrently without coordination. Unique tags prevent phantom deletes.

VectorClock

Causal ordering across nodes. Detect causality, detect concurrency.

PeerRegistry

Distributed peer discovery. The mesh knows itself.

FileSync

CRDT-based file synchronization. Your files converge like distributed state.
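
An added example (not Blackhole's code): the three-node merge above in Go, with an LWW-Map for the set writes and a G-Counter for inc. Type names, logical timestamps and node IDs are assumptions; equal timestamps are broken by node ID so that the merge stays commutative.

```go
package main

import "fmt"

type Reg struct { // hypothetical types for this example, not Blackhole's code
	Val, TS int    // value and logical timestamp of the write
	Node    string // writer ID: deterministic tie-break for equal timestamps
}

type State struct {
	Regs   map[string]Reg    // LWW-Map: key -> winning write
	Counts map[[2]string]int // G-Counter shards: {key, node} -> count
}

// Merge is the join (⊕): winning write per key, max per counter shard.
func Merge(a, b State) State {
	out := State{map[string]Reg{}, map[[2]string]int{}}
	for _, s := range []State{a, b} {
		for k, r := range s.Regs {
			if cur, ok := out.Regs[k]; !ok || r.TS > cur.TS || (r.TS == cur.TS && r.Node > cur.Node) {
				out.Regs[k] = r
			}
		}
		for k, c := range s.Counts {
			if c > out.Counts[k] {
				out.Counts[k] = c
			}
		}
	}
	return out
}

func View(s State) string { // what a reader sees: values plus summed counters
	v := map[string]int{}
	for k, r := range s.Regs {
		v[k] = r.Val
	}
	for k, c := range s.Counts {
		v[k[0]] += c
	}
	return fmt.Sprint(v) // fmt prints map keys in sorted order
}

func main() {
	a := State{Regs: map[string]Reg{"x": {1, 1, "A"}}}   // Node A: set("x", 1)
	b := State{Regs: map[string]Reg{"y": {2, 1, "B"}}}   // Node B: set("y", 2)
	c := State{Counts: map[[2]string]int{{"z", "C"}: 1}} // Node C: inc("z")
	fmt.Println(View(Merge(Merge(a, b), c)), View(Merge(c, Merge(b, a))))
}
```

Because last-write-wins keeps only the winning write, a concurrent write to the same key is discarded rather than reported, and the outcome depends on the timestamps peers supply.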

Zero Trust

Tokens That Verify Offline

No server contact. No revocation list. Device health baked into the token itself.

Capability Chain

Root Token: Full mesh access + mint authority
Delegated Token: Subnet + service access, reduced scope
Sub-delegated Token: Single endpoint, time-scoped

Token Properties

Offline Verification (benchmarked)

Cryptographic proof designed to avoid a server roundtrip

Posture Checking (built-in)

Device health is part of the token. Sick device = invalid token.

Time-Scoped (configurable)

Expiry baked in. Short-lived tokens by default.

Epoch Kill Switch (validated in setup)

Increment epoch to invalidate issued tokens after propagation.

ZK prove time: 12µs
ZK verify time: 64µs
Test coverage: 32 passing ✓
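
An added example (not Blackhole's code or token format): a Go verifier for the capability chain described above, checking signature, scope attenuation, expiry and epoch with no server contact, using Ed25519 from the page's stack list. The Token layout, Mint, VerifyChain and the scope strings are assumptions for illustration; holder proof-of-possession and posture claims are left out.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// Token layout is hypothetical, not Blackhole's wire format.
type Token struct {
	Scope         string // resource prefix this token may act on
	Expiry, Epoch uint64 // Unix seconds; kill-switch epoch at mint time
	Subject, Sig  []byte // holder public key; signature by the parent key
}

func (t Token) payload() []byte { return []byte(fmt.Sprintf("%q|%d|%d|%x", t.Scope, t.Expiry, t.Epoch, t.Subject)) }

func Mint(issuer ed25519.PrivateKey, scope string, exp, epoch uint64) (Token, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // fresh holder key (constructed); nil = crypto/rand
	t := Token{Scope: scope, Expiry: exp, Epoch: epoch, Subject: pub}
	t.Sig = ed25519.Sign(issuer, t.payload())
	return t, priv
}

// VerifyChain needs only local data: pinned root key, clock, highest epoch seen.
func VerifyChain(root ed25519.PublicKey, chain []Token, now, minEpoch uint64) error {
	signer, scope, exp, err := root, "", ^uint64(0), fmt.Errorf("empty chain")
	for i, t := range chain {
		switch {
		case len(t.Subject) != ed25519.PublicKeySize || !ed25519.Verify(signer, t.payload(), t.Sig):
			return fmt.Errorf("link %d: bad key or signature", i)
		case !strings.HasPrefix(t.Scope, scope) || t.Expiry > exp:
			return fmt.Errorf("link %d: exceeds parent", i)
		case now >= t.Expiry:
			return fmt.Errorf("link %d: expired", i)
		case t.Epoch < minEpoch:
			return fmt.Errorf("link %d: epoch revoked", i)
		}
		signer, scope, exp, err = t.Subject, t.Scope, t.Expiry, nil
	}
	return err
}

func main() {
	pub, root, _ := ed25519.GenerateKey(nil)
	d, dKey := Mint(root, "mesh/subnet-a/", 2000, 1) // delegated token
	s, _ := Mint(dKey, "mesh/subnet-a/db", 1500, 1)  // sub-delegated token
	fmt.Println(VerifyChain(pub, []Token{d, s}, 1000, 1), VerifyChain(pub, []Token{d, s}, 1000, 2))
}
```

With no revocation list, a bumped epoch takes effect at a verifier only once that verifier has learned the new value, so minEpoch must be the latest epoch the node has received; until then, expiry is the only bound on an issued token.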
Data Infrastructure

Enterprise-Grade Data Infrastructure

Your mesh ships with a distributed database, binary wire format, and auto-provisioned streams.

Cap'n Proto Wire Format

Schema-first binary serialization
JSON: 100% size
Protobuf: 40% size
Cap'n Proto: 10% size
Schema-aware binary decoding
Peer registry uses Cap'n Proto
CRDT state uses Cap'n Proto
Capability tokens use Cap'n Proto
Binary payload benchmarks captured per workflow

JetStream Provisioner

Provisioning validated during assisted setup
6 Streams auto-created
BH_MESH (stream)
BH_AUDIT (stream)
BH_TASKS (stream)
BH_OPS (stream)
BH_BENCH_ARCHIVE (stream)
BH_BACKUPS (stream)
5 KV Buckets auto-created
BH_CONFIG, BH_PEERS, BH_TOKENS, BH_STATE, BH_OPS_FILES
BMAP

The Mesh Heals Itself

Assisted-beta target: 7 automated playbooks with sub-30-second MTTR after evidence review.

01 Peer reconnect on network change
02 Hub failover + automatic re-election
03 WireGuard key rotation without downtime
04 STUN re-probing on NAT change
05 Relay fallback when P2P fails
06 DNS cache flush on peer expiry
07 Certificate renewal without restart

Mesh State Machine

HEALTHY → (node drops) → DEGRADED → (playbook runs) → HEALING → (<30s MTTR) → HEALTHY
Assisted-beta MTTR target: <30s
Benchmarks

Evidence-Led Benchmarks

Assisted-beta targets stay in the claim ledger until reproducible benchmark evidence is published.

Atomic ops/sec: Measured
Atomic latency: Target
NATS latency: Target
ZK prove: Target

Packet Latency Targets (ledgered until reproduced)

Blackhole XDP target: benchmarked
WireGuard userspace: baseline
Tailscale: ~45ms
ZeroTier: ~67ms
Assisted Beta Activity

Claim-Led Mesh Activity

Simulated launch telemetry for the assisted-beta claim ledger.

blackhole mesh — simulated claim trace (BETA TARGET)
0ms  Node joined: master [darwin/arm64]
Install

Assisted Install Target

One-command onboarding target for supported platforms after proof.

bash
# Confirm Linux installer path during assisted onboarding

# Start the agent
$ blackhole agent start

# Validate mesh status during onboarding
$ blackhole validate --assisted

Supports Linux, macOS, Docker, and Kubernetes in assisted onboarding; dependency claims remain ledgered until release packaging is published.

Comparison

How We Stack Up

Feature | Blackhole | Tailscale | ZeroTier | WireGuard | Nebula | Headscale
XDP kernel-bypass fast path
Embedded NATS message bus
CRDT distributed state
Cap'n Proto wire format
JetStream auto-provisioning
Offline token verification
CRDT file sync
Evidence-gated proof checks
Latency evidence ledger
Intra-mesh RPC target ledger
Self-healing BMAP
MagicDNS (*.bh)
Open protocol / MIT license
Coordinator-minimized target
AI agent session layer

Works everywhere your code runs

macOS
Linux
iOS
Android
Raspberry Pi
Docker
Kubernetes
AWS
Google Cloud
Azure
WireGuard
Ubuntu
Home Assistant
Samsung
LG webOS
Apple TV
Roku
DigitalOcean
Synology
Arduino
NVIDIA
OpenWrt
Ubiquiti
Grafana
Prometheus
Cloudflare
GitHub Actions
FreeBSD
Tailscale
Assisted Launch

The Infrastructure Layer of the Next Trillion Devices

XDP kernel bypass. Embedded NATS. CRDT state. ZK proofs. Cap'n Proto. Founder-led setup for secure mesh workspaces, with first-value proof before broad self-serve rollout.

Latency target: benchmarked
Mesh RPC target: ledgered
Ops/sec target: measured
MTTR target: <30s
Release gate: Tests