Struct MeshGenesis 

pub struct MeshGenesis {
    pub mesh_name: String,
    pub created_at_ms: u64,
    pub policy: MembershipPolicy,
    /* private fields */
}

Genesis event for creating a new mesh formation.

Contains all cryptographic material needed to bootstrap a mesh from zero. The genesis artifact is the root of trust — the authority keypair signs all certificates and the formation_secret authenticates transport.

Security

The mesh_seed is the root secret. Protect it carefully:

• Store encrypted at rest
• Never transmit over the network
• Only the genesis creator needs it (for recovery)

Shareable credentials (via MeshCredentials) exclude the seed and authority private key.

Fields

mesh_name: String

Human-readable mesh name.

created_at_ms: u64

Timestamp of creation (milliseconds since Unix epoch).

policy: MembershipPolicy

Membership policy for this mesh.

Implementations

impl MeshGenesis

pub fn create(mesh_name: &str, policy: MembershipPolicy) -> Self

Create a new mesh formation with a random seed.

The authority keypair is deterministically derived from the seed.

pub fn with_seed( mesh_name: &str, mesh_seed: [u8; 32], policy: MembershipPolicy, ) -> Self

Create a genesis with a specific seed (for testing or deterministic creation).

Safety

Only use with cryptographically random seeds in production.

pub fn with_authority( mesh_name: &str, mesh_seed: [u8; 32], authority: DeviceKeypair, policy: MembershipPolicy, ) -> Self

Create a genesis with a specific seed and an externally-provided authority keypair.

Use when the authority keypair is generated independently (e.g., from a hardware security module) rather than derived from the seed.

pub fn mesh_id(&self) -> String

Derive the mesh_id from name and seed.

The mesh_id is 8 hex characters derived from HKDF-SHA256. Format: uppercase hex, e.g., “A1B2C3D4”.

pub fn formation_secret(&self) -> [u8; 32]

Derive the formation secret.

The formation secret is shared with all mesh members and used for HKDF-based Iroh EndpointId derivation:

HKDF(formation_secret, "iroh:" + node_id) → EndpointId

pub fn authority(&self) -> &DeviceKeypair

Get the authority keypair.

pub fn authority_public_key(&self) -> [u8; 32]

Get the authority’s public key bytes.

pub fn mesh_seed(&self) -> &[u8; 32]

Get the mesh seed for secure storage.

Security: This is the root secret. Protect it carefully.

pub fn root_certificate(&self, node_id: &str) -> MeshCertificate

Generate a self-signed root certificate for the authority node.

The root cert identifies the genesis authority in the mesh:

• subject_public_key = issuer_public_key (self-signed)
• tier = Enterprise (highest trust)
• permissions = AUTHORITY (all permissions)
• expires_at_ms = 0 (no expiration, root cert is permanent)

pub fn issue_certificate( &self, subject_public_key: [u8; 32], node_id: &str, tier: MeshTier, permissions: u8, validity_ms: u64, ) -> MeshCertificate

Issue a signed certificate for a new member.

This is a convenience method for the genesis authority to enroll a node.

pub fn credentials(&self) -> MeshCredentials

Build shareable credentials (no seed, no authority private key).

pub fn encode(&self) -> Vec<u8>

Encode genesis data for secure persistence.

Format:

• mesh_name length (2 bytes, LE)
• mesh_name (variable)
• mesh_seed (32 bytes)
• authority secret key (32 bytes) — SENSITIVE!
• created_at_ms (8 bytes, LE)
• policy (1 byte)

Total: 75 + mesh_name.len() bytes

pub fn decode(data: &[u8]) -> Result<Self, SecurityError>

Decode genesis data from bytes.

Trait Implementations

impl Clone for MeshGenesis

fn clone(&self) -> MeshGenesis

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for MeshGenesis

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.