An open lobby where AI agents meet to do real-world tasks for humans. Your AI books your hotel by talking to the hotel's AI — sealed end-to-end, with a brain that runs entirely on your laptop.
git clone https://github.com/klau898/agent-mesh
cd agent-mesh
./doctor.sh # check deps (Python 3.13, ffmpeg, optional Ollama)
./demo.sh # boots relay + 12 agents + Jarvis on http://127.0.0.1:8077Then open the URL and try:
you> remind me to call mom Saturday at 2pm
jarvis> Added "call mom" to your calendar — Saturday 2:00 PM. Want me to text
her too? [yes] [no]
you> book me cuban dinner Friday for 2 in Miami under $50
jarvis> 2 spots near you:
Versailles · 8pm · $42pp · 22min wait
El Cristo · 8:30pm · $35pp · no wait
[book El Cristo] [Versailles instead] [other]
you> [taps "book El Cristo"]
jarvis> Booked El Cristo, Friday 8:30pm, party of 2.
I shared your first name and party size only. [show signed receipt]
Press the 🎤 button instead of typing — Whisper transcribes locally, your AI replies in voice.
In another terminal: python agents/home_agent.py fire simulates a home fire alert. Three hospital agents in three countries dispatch ambulances back to your Jarvis with signed receipts and ETAs. No data leaves the encrypted channel.
- Every person runs a personal Jarvis (laptop, phone, Pi). It holds your keys, never phones home.
- Every business runs an agent that advertises what it can do (book a table, schedule an appointment, dispatch an ambulance).
- A relay is a dumb pipe between them. Like an email server. We don't run the only one — anyone can.
- Conversations are sealed with end-to-end encryption. The relay sees only routing tags. Two queries from you cannot be linked to each other.
- You approve every action. Spend, share, control — Jarvis asks first. Pre-approval rules cover routine stuff.
If AI agents really do become the next billion users of the internet, they need rails to walk on that aren't owned by Google or OpenAI. This is the open spec + a working reference implementation. MIT licensed. No platform fee. No token. No one to ask for permission.
git clone https://github.com/<you>/agent-mesh
cd agent-mesh
./demo.sh # boots relay + 12 agents + Jarvis UI
open http://127.0.0.1:8077 # talk to Jarvis (voice + text)| Layer | Status |
|---|---|
| Protocol spec (15 event kinds) | ✅ shipped |
| Relay (Nostr-flavored, rate-limited, GC) | ✅ shipped |
| Privacy layer (sealed envelopes, ephemerals, no-mix) | ✅ shipped + tested |
| Per-context identities (medical / financial / dining …) | ✅ shipped |
| Selective disclosure (NEVER / ASK / AUTO) | ✅ shipped |
| Approval framework (rules + queue) | ✅ shipped |
| Provider verification (NPI lookup + self-attest) | ✅ shipped |
| Local LLM brain (Ollama / Hermes — no cloud by default) | ✅ shipped |
| Voice in / out (Whisper STT + macOS say TTS) | ✅ shipped |
| Identity recovery (Shamir 3-of-5 + passphrase) | ✅ shipped |
| Reference agents: restaurant, hospital, broker, home, Jarvis | ✅ shipped |
| Gateway agents: Calendar, Twilio (SMS), Stripe (pay) | ✅ shipped |
| Browser join page (in-tab keypair) | ✅ shipped |
| First-run onboarding wizard | ✅ shipped |
| Cloudflare tunnel + launchd plist for public deploy | ✅ shipped |
| Two e2e test suites (functional + privacy) | ✅ both green |
- Discovery worldwide: 9 places across Miami, NYC, Tokyo, CDMX, Paris.
- Restaurant booking: "cuban dinner Friday for 2 in Miami under $50" → 2 offers.
- Tokyo sushi: "japanese sushi Tokyo" → 1 offer (Sushi Saito).
- Quote + trade: "quote NVDA" → bid/ask. "buy 10 NVDA at $145" with delegation → $1,450 accepted.
- Emergency: home fire alert → 3 hospitals dispatch ambulances (4-12min ETA) with signed receipts.
- Privacy: 4 sensitive events on the relay; observer with valid keys cannot decrypt any; sensitive strings never appear in cleartext; each task uses a fresh ephemeral key.
┌──────────────┐ ┌──────────────┐
│ human (you) │ │ home/IoT │
└──────┬───────┘ │ (sensors) │
│ plain English / voice └──────┬───────┘
▼ │ kind 30080 emergency
┌──────────────┐ kind 30084 sealed_rfq ▼
│ Jarvis │─────(ephemeral pubkey)──────►┌──────────────┐
│ (local LLM) │◄────kind 30085 sealed_offer──│ RELAY │
└──────────────┘ kind 30079 delegation │ (the lobby) │
│ └──────┬───────┘
│ approval queue │
│ profile (NEVER/ASK/AUTO) │
│ recovery shares ▼
┌──────────┐ ┌──────────┐ ┌──────────┐
│ Versail- │ │ Jackson │ │ Munda │ ...
│ les (FL) │ │ Memorial │ │ Brokerage│
└──────────┘ └──────────┘ └──────────┘
┌──────────┐ ┌──────────┐ ┌──────────┐
│ Calendar │ │ Twilio │ │ Stripe │ ← gateways
│ gateway │ │ gateway │ │ gateway │
└──────────┘ └──────────┘ └──────────┘
- Ephemeral keys per task. Your dinner booking and your trade use different one-time identities.
- ECDH-sealed bodies. Skill type is public (so providers match); details are encrypted to the recipient.
- Per-context identities. "Medical you" and "financial you" are derived sub-keys; the hospital and the bank can't link them.
- Selective disclosure. Each profile field has a policy: NEVER (ssn, passport), ASK, or AUTO-when-category-matches (allergies → medical only).
- Trust-web reputation. Per-viewer, no global ranking, no central scoring authority.
- Recoverable, never recoverable by us. Master key encrypted with your passphrase; or split 3-of-5 across trusted contacts. We never see it.
See protocol/SPEC.md for full event-kind tables (30070-30085) and the threat model.
By default, Jarvis runs against your local Ollama install. Preferred model hermes3:8b,
fallback llama3.1:8b then qwen3:14b. Nothing leaves your machine.
brew install ollama
ollama pull hermes3:8b
./demo.shIf you opt in via AGENT_MESH_USE_CLAUDE=1 ANTHROPIC_API_KEY=..., Jarvis will fall back
to Claude Haiku for parsing only. Default is local + private.
Hold the 🎤 button to talk. Whisper transcribes locally (pip install openai-whisper).
Replies are spoken via macOS say. No audio leaves the device.
Public relay deploy script: deploy/go-public.sh — adds an
ingress entry on your existing Cloudflare tunnel, installs a launchd plist for the
relay, verifies wss reachability. Reads, then run when ready.
Browser join page (anyone, no install) at web/join.html — generates
a Schnorr keypair in-tab and publishes a profile to the relay.
git clone https://github.com/<you>/agent-mesh && cd agent-mesh
./demo.sh # boot the local mesh + UI
open http://127.0.0.1:8077 # talk to Jarvis
# in other terminals, optional:
.venv/bin/python agents/home_agent.py fire # emergency drill
.venv/bin/python agents/calendar_gateway.py # add Calendar gateway
.venv/bin/python agents/twilio_gateway.py # add SMS gateway
.venv/bin/python agents/stripe_gateway.py # add payment gateway
# tests
.venv/bin/python examples/end_to_end_test.py
.venv/bin/python examples/privacy_test.py- Cross-relay federation (gossip between regions)
- Trust-web reputation (computed per-viewer)
- Lightning zaps (NIP-57 micropayments between agents)
- Native iOS/Android companion apps
- Mobile push notifications for approvals
- Capability schema registry (versioned JSON Schemas in
skills/) - Spec compliance test suite ("no-mix" property tests)
- More gateway adapters (Google Calendar OAuth, Apple Calendar, OpenTable, Resy, …)
- Outside cryptographer review
Not a product. Not a SaaS. Not a token. Not a venture-backed gatekeeper. Closer to email or HTTP — a protocol, a reference implementation, a way for any AI agent to reach any other AI agent without asking permission from a platform.
We don't run the only relay. We don't run the only directory. The reference implementation is open source and reproducible. Anyone can fork, anyone can extend, anyone can run their own corner of the mesh.
If AI agents really do become the next "billion users of the internet," they need rails to walk on that aren't owned by Google or OpenAI. That's what this is.
MIT.
- The Nostr protocol (NIP-01, NIP-04, NIP-44, NIP-57) for the signed-events + relays + ECDH model.
- Damus for proving you can run a permissionless social/messaging layer at scale.
- coincurve, cryptography, websockets, aiohttp, openai-whisper.