{"id":51141410,"url":"https://github.com/somoore/cmesh","last_synced_at":"2026-06-25T23:30:45.602Z","repository":{"id":365067815,"uuid":"1267679075","full_name":"somoore/cmesh","owner":"somoore","description":"Policy-gated agent delegation over Tailscale for handing coding tasks to machines you control.","archived":false,"fork":false,"pushed_at":"2026-06-15T19:18:28.000Z","size":1205,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-15T19:26:14.736Z","etag":null,"topics":["agent-delegation","audit-log","claude-code","cli","codex","coding-agents","devtools","golang","mcp","policy-engine","remote-execution","tailscale"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/somoore.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/security.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-12T19:05:57.000Z","updated_at":"2026-06-15T19:17:46.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/somoore/cmesh","commit_stats":null,"previous_names":["somoore/cmesh"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/somoore/cmesh","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/somoore%2Fcmesh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/somoore%2Fcmesh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/somoore%2Fcmesh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/somoore%2Fcmesh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/somoore","download_url":"https://codeload.github.com/somoore/cmesh/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/somoore%2Fcmesh/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34796761,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-25T02:00:05.521Z","response_time":101,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-delegation","audit-log","claude-code","cli","codex","coding-agents","devtools","golang","mcp","policy-engine","remote-execution","tailscale"],"created_at":"2026-06-25T23:30:44.759Z","updated_at":"2026-06-25T23:30:45.589Z","avatar_url":"https://github.com/somoore.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/assets/cmesh-wordmark.png\" alt=\"cmesh\" width=\"480\"\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\u003cstrong\u003eLet your coding agent hand off work to a machine you control — without leaving your session.\u003c/strong\u003e\u003c/p\u003e\n\ncmesh gives the coding agent on your machine (Claude Code, Codex) a tool to delegate a scoped, policy-gated task to a coding agent on **another** machine you control, over a private Tailscale tailnet, and get a structured, auditable result back.\n\n## What it does\n\nYou're on your Mac with Claude Code open, but the work belongs elsewhere: a Linux box for production-like builds, a Windows machine for native tests, a bare-metal server with the exact service state you need to inspect. If both machines are on your tailnet and the far one has a runner installed, cmesh turns that handoff into a single tool call your agent makes for you.\n\n```text\nUse cmesh to ask the datacenter server to inspect /srv/myapp and check why the deploy failed.\n```\n\nYour agent keeps running on your Mac. The work runs on the server. In testing, cmesh has run Linux builds, inspected services, and changed a Windows wallpaper — all driven from a Mac over the tailnet.\n\n\u003e \u003cstrong\u003e\u003cfont color=\"#0969da\"\u003eExperimental - read this:\u003c/font\u003e\u003c/strong\u003e cmesh causes real changes on real machines. **Do not use it on anything you love:** machines, repos, credentials, or data you cannot afford to lose. This is not enterprise remote management; it is an experimental agent delegation mesh for trusted private networks, and every worker profile is real authority on that machine. Start on trusted machines with narrow peer and cwd allowlists and the `query` profile. See [docs/security.md](docs/security.md).\n\n## How the handoff works\n\n1. Your local agent calls the cmesh MCP tool on loopback.\n2. Your local daemon checks **outbound** policy and dispatches over Tailscale.\n3. The worker daemon rejects any non-tailnet source.\n4. It verifies the caller via Tailscale LocalAPI `whois` — Tailscale decides who is connected.\n5. It checks **inbound** policy: allowed peer, cwd, profile, runner — cmesh decides what they may do.\n6. It runs its local Claude Code / Codex runner and stores a durable, audited result.\n7. Your agent polls status and fetches the result, treated as untrusted claims.\n\nThe MCP surface is never exposed to the network: the only endpoint is local loopback on the machine running the agent.\n\n## Get started\n\nTwo things you do by hand. Everything else, you do by talking to your agent.\n\n**1. Install the binary and register the MCP** (do this on each machine):\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/somoore/cmesh/main/scripts/install.sh | sh\n```\n\nOn Windows, run the PowerShell one-liner instead:\n\n```powershell\npowershell -NoProfile -ExecutionPolicy Bypass -Command \"irm https://raw.githubusercontent.com/somoore/cmesh/main/scripts/install.ps1 | iex\"\n```\n\nThe installer detects your OS and CPU architecture, downloads the matching release archive, puts `cmesh` on PATH, and registers a stdio MCP entry in the agents it detects.\n\n**2. Open a new agent session and say:**\n\n```text\nhelp me setup cmesh\n```\n\nFrom there the cmesh MCP wizard drives everything — detecting Tailscale and peers, writing config after you confirm, starting the daemon, and walking the two-machine handshake. To add a second machine, install cmesh there and say `continue helping me configure cmesh for this new node`. Full instructions, profiles, and example prompts live in [docs/quickstart.md](docs/quickstart.md).\n\n## Documentation\n\n| Doc | What's inside |\n| --- | --- |\n| [Why cmesh?](docs/why-cmesh.md) | The latest thesis for cmesh over SSH plus tmux |\n| [Concepts](docs/concepts.md) | What cmesh is, why it exists, and the mental models |\n| [Quickstart](docs/quickstart.md) | Install, setup wizard, two-machine handshake |\n| [Architecture](docs/architecture.md) | Surfaces, request lifecycle, trust boundaries, data model |\n| [Commands](docs/commands.md) | The `cmesh` CLI surface |\n| [MCP tools](docs/mcp-tools.md) | Delegation tools your agent calls |\n| [MCP onboarding tools](docs/mcp-onboarding.md) | The setup-wizard tool surface |\n| [Configuration](docs/configuration.md) | `config.toml` reference |\n| [Security model](docs/security.md) | Threat model, defense in depth, hardening |\n| [Delegation guidance](docs/delegation-guidance.md) | Writing good tasks and reading results |\n| [Runner manifests](docs/runner-manifests.md) | How runners declare capabilities |\n| [Tailscale grants](docs/tailscale-grants.md) | Restricting mesh reachability |\n| [Roadmap](ROADMAP.md) | Planned hardening and intentional non-goals |\n| [Contributing](CONTRIBUTING.md) | Local checks and contribution expectations |\n| [Release](docs/release.md) | Release process |\n| [Development](docs/development.md) | Building and contributing |\n\n## Project shape\n\n```text\ncmd/cmesh    CLI and daemon entrypoint\ninternal/    daemon, policy, store, runner, and RPC packages\nschemas/     JSON Schemas\nexamples/    runnable config and Tailscale grant examples\ndocs/        architecture and operator guidance\n```\n\n## Uninstall\n\n```bash\ncmesh uninstall\n```\n\nIt mirrors the installer — removing the MCP is the core action; anything else is separately consented. Details in [docs/quickstart.md](docs/quickstart.md).\n\n## License\n\ncmesh is licensed under the [Apache License 2.0](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsomoore%2Fcmesh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsomoore%2Fcmesh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsomoore%2Fcmesh/lists"}