NakliTechie Private Mesh — a sovereign, browser-native, agent-aware capability fabric.

Status: Phase 1 — M0 skeleton (alpha).

Seven primitives (Identity, Grant, Vault, History, Sync, LLM, Bridge), three transports (Hub, Cloudflare Worker, Local Network), two SDKs (Go and JavaScript), one CLI, one consumer tool (shared list).

The full vision, locked decisions, and complete spec set live under docs/.

• Vision — what this is, who it's for, why this shape
• Decisions — every locked decision with rationale
• Specs — wire protocol, SDK specs, transport specs, consumer specs
• Agent handoff — Phase 1 implementation playbook
• STATUS.md — milestone progress log

The wire protocol fabric-spec-001-v1.0.md is the contract. Everything else implements or consumes it.

./scripts/build-all.sh

In M0 this runs each subdirectory's smoke.sh and prints OK. Real builds arrive at later milestones.

The two SDKs (fabric-sdk-go and fabric-sdk-js) are wire-compatible by contract. Cross-SDK interop gates live under scripts/:

• scripts/m1-interop.sh — basic FIF + macaroon round-trip between Go and JS.
• scripts/m1-interop-nonce.sh — AEAD nonce-rotation gate; each SDK re-serializes the other's FIF and the produced ciphertext must still decrypt, proving the new nonce is correctly bound via AAD.

Both gates must be green before any change to a primitive (cryptographic envelope, on-wire format, macaroon mint/verify, FIF parse/serialize, vault/history event encoding) lands on main. See CONTRIBUTING.md § Interop gate for primitives for the full policy.

Supply-chain hygiene: GitHub Actions are SHA-pinned and refreshed weekly by Dependabot (see .github/dependabot.yml). All workflows run with permissions: contents: read to minimize the GITHUB_TOKEN scope.

See CONTRIBUTING.md.

Apache-2.0. See LICENSE.