Releases: milosaysyolo/Orqenix
v0.6.0-phase-6 - Real Mesh, Local-First
Phase 6 of the Orqenix roadmap closes here. Orqenix moves from an in-process mesh to a real multi-process, multi-host mesh on the same LAN, with capability-gated cross-scope calls over HTTP and libp2p, observable everywhere, and zero DHT or public bootstrap by default.
This release was developed across 14 delivery docs (CR v7.2 + D6.1 to D6.10 + D6F1 + D6F2) and totals ~20,000 LOC of source, tests, gate runners, CI workflow, and operator documentation. All 8 OSS charter gates (G36 to G43) PASS in the verify-phase-6 orchestrator at 102.15 seconds.
Highlights
- Real mesh transport layer. One pure-TypeScript MeshTransport abstraction with two production implementations: HTTP (node:http + undici) and js-libp2p (@libp2p/* v2, Noise XX, yamux, custom protocol /orqenix/mesh/1.0.0).
- Capability-gated identity. Ed25519 signing and verification via WebCrypto only; capability tokens canonicalized with msgpackr; verification p95 is 0.597 ms (target was 10 ms, 16x headroom).
- Local-first discovery. mDNS for the LAN, explicit bootstrap.yaml for everything else. No DHT. No public bootstrap server. A static-import lint blocks DHT and circuit-relay packages from ever entering the OSS codebase.
- Cross-transport routing. Priority libp2p > http by default. Circuit-breaker with Closed > Open > HalfOpen states. Sequential failover within the request deadline. Cross-transport dedup keyed by request.id.
- Observability built in. Structured JSON log schema, OpenTelemetry-compatible metric names, W3C traceparent propagation, redaction middleware that strips capability tokens and payload bytes.
- Native CI matrix. 10-run trimmed matrix (6 Tier-1 blocking + 4 Tier-2 informational) over better-sqlite3, blake3-wasm, sqlite-vec on darwin-arm64, linux-x64-gnu, win32-x64 plus informational darwin-x64, linux-arm64-gnu.
- orqenix-node binary. A single CLI that wires Parts 1 through 9 into a runnable local node. Commands: start, status, verify, version, help.
- All packages published to npm registry. @orqenix/* OSS packages and @orqenix-pro/cli are live on npm.
npm Packages (Live on Registry)
OSS Packages (Apache-2.0)
| Package | Version | Command |
|---|---|---|
| @orqenix/mesh-transport-core | 0.6.0-phase-6 | npm install @orqenix/mesh-transport-core@0.6.0-phase-6 |
| @orqenix/mesh-transport-http | 0.6.0-phase-6 | npm install @orqenix/mesh-transport-http@0.6.0-phase-6 |
| @orqenix/mesh-transport-libp2p | 0.6.0-phase-6 | npm install @orqenix/mesh-transport-libp2p@0.6.0-phase-6 |
| @orqenix/mesh-discovery | 0.6.0-phase-6 | npm install @orqenix/mesh-discovery@0.6.0-phase-6 |
| @orqenix/transport-security | 0.6.0-phase-6 | npm install @orqenix/transport-security@0.6.0-phase-6 |
| @orqenix/mesh-observability | 0.6.0-phase-6 | npm install @orqenix/mesh-observability@0.6.0-phase-6 |
| @orqenix/mesh-router | 0.6.0-phase-6 | npm install @orqenix/mesh-router@0.6.0-phase-6 |
Pro CLI (BUSL-1.1)
| Package | Version | Command |
|---|---|---|
| @orqenix-pro/cli | 0.6.0-phase-6 | npm install -g @orqenix-pro/cli@0.6.0-phase-6 |
Charter gates
All 8 OSS charter gates locked in CR v7.2 are passing.
| Gate | Subject | Package |
|---|---|---|
| G36 | Transport Abstraction | @orqenix/mesh-transport-core |
| G37 | HTTP Mesh Transport | @orqenix/mesh-transport-http |
| G38A | libp2p Foundation | @orqenix/mesh-transport-libp2p |
| G38B | libp2p Adapters (TCP + WebSockets) | @orqenix/mesh-transport-libp2p |
| G39 | Mesh Discovery | @orqenix/mesh-discovery |
| G40 | Transport Security | @orqenix/transport-security |
| G41 | Native Binding CI Matrix | .github/workflows/native-matrix.yml |
| G42 | Observability Hooks | @orqenix/mesh-observability |
| G43 | Cross-Transport Routing | @orqenix/mesh-router |
Verify on your machine:
```bash
pnpm tsx scripts/verify-phase-6.ts
```
Expected output ends with:
Orqenix Phase 6 verify: ALL GATES PASS (total ~100s) Repo is READY for tag v0.6.0-phase-6
Test coverage
All 7 OSS packages meet the locked thresholds (lines/statements >= 85%, branches >= 80%, functions >= 85%).
| Package | Stmts | Branch | Funcs | Lines |
|---|---|---|---|---|
| mesh-transport-core | 91.97 | 90.22 | 100 | 91.97 |
| mesh-transport-http | 93.16 | 82.14 | 93.75 | 93.16 |
| mesh-transport-libp2p | 93.06 | 81.25 | 93.47 | 93.06 |
| mesh-discovery | 91.56 | 83.69 | 89.28 | 91.56 |
| transport-security | 88.53 | 88.05 | 92.1 | 88.53 |
| mesh-observability | 91.26 | 81.6 | 86 | 91.26 |
| mesh-router | 92.59 | 89.51 | 87.17 | 92.59 |
| apps/local-node | 80.06 | (n/a) | (n/a) | 80.06 |
apps/local-node thresholds are relaxed to 80/70 because it is an application binary, not a library.
New packages
| Package | Purpose |
|---|---|
| @orqenix/mesh-transport-core | MeshTransport interface, canonical msgpackr envelope, TransportRegistry, lifecycle state machine, error taxonomy, loopback reference impl |
| @orqenix/mesh-transport-http | Single HttpMeshTransport implementing both inbound (node:http) and outbound (undici) over POST /orqenix/mesh/v1/rpc with X-Orqenix-* headers |
| @orqenix/mesh-transport-libp2p | js-libp2p v2 with TCP + WebSockets adapters, Noise XX, yamux, HKDF-derived peer key, connection manager (idle timeout 5 min default), bounded dialer |
| @orqenix/mesh-discovery | mDNS local discovery + explicit bootstrap.yaml + observation-only event lifecycle state machine |
| @orqenix/transport-security | Ed25519 IdentityVerifier, Ed25519Signer, CapabilityVerifier 6-step pipeline, LRUKeyStore with 4096-entry default, glob method matcher safe by construction |
| @orqenix/mesh-observability | MeshLogger JSON schema + MeshMetrics registry (6 OTel-named metrics) + W3C traceparent helpers + redaction middleware |
| @orqenix/mesh-router | PriorityList, CircuitBreaker, CrossTransportDedup, inbound dispatch pipeline, fluent MeshRouterBuilder |
| @orqenix/local-node | Binary orqenix-node that wires every package into a runnable mesh node |
Two new database migrations were added to the existing Phase 5 framework: 200-transport-config and 201-dedup-state.
What is intentionally NOT included
These are recorded as out-of-scope for Phase 6 OSS in CR v7.2 and remain so:
- No DHT and no public bootstrap server. Local-first by design. Operators may opt into bootstrap via bootstrap.yaml.
- No browser-side libp2p. Browser support arrives in Phase 7 (Cloud tier).
- No Pro CLI commands. The @orqenix-pro/cli (commands: auth status, mesh inspect, mesh route, delegation chain show, delegation revoke, quota show/set/reset, backend status/switch) is specified across D6.11A.md, D6.11B.md, D6.12.md and lives in the separate Orqenix-Pro repository under BSL 1.1.
- No Rust acceleration. The MeshTransport interface is intentionally abstract so a future rust-libp2p binding can swap in at Phase 7+ as a Pro-only performance edge, with no API break.
- No production on-disk identity registry. LRUKeyStore accepts an injected KeyResolver; the file-backed store ships in Phase 7.
Quick start
```bash
# Clone and bootstrap
git clone https://github.com/milosaysyolo/Orqenix
cd Orqenix
bash scripts/setup-dev.sh   # Linux / macOS / WSL
# or, on Windows:
#   .\scripts\setup-dev.ps1

# Build and verify
pnpm install
pnpm -r build
pnpm tsx scripts/verify-phase-6.ts   # should print ALL GATES PASS

# Run the binary
orqenix-node version
orqenix-node start --config .orqenix
```
A minimal .orqenix/mesh/transports.yaml:
```yaml
transports:
  - kind: libp2p
    enabled: true
    listen: ["/ip4/0.0.0.0/tcp/0"]
  - kind: http
    enabled: true
    listen: ["http://0.0.0.0:0"]
priority: ["libp2p", "http"]
circuit_breaker:
  failure_threshold: 3
  cooldown_ms: 30000
deadline_default_ms: 5000
```
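How the routing settings above interact (priority order, failure_threshold 3, cooldown_ms 30000, deadline_default_ms 5000), as an added example that is not code from the Orqenix repository. The names breaker, Transport, route and demo are hypothetical, the transports are constructed stubs, and the clock is injected so the Closed > Open > HalfOpen transitions can be checked deterministically.

```typescript
// Added example, not Orqenix source; breaker, Transport, route and demo are hypothetical names.
type State = "Closed" | "Open" | "HalfOpen";
function breaker(failureThreshold: number, cooldownMs: number) {
  let state: State = "Closed", failures = 0, openedAt = 0;
  return {
    state: (): State => state,
    // Open -> HalfOpen once the cooldown has elapsed; HalfOpen lets a probe through.
    allow(now: number): boolean {
      if (state === "Open" && now - openedAt >= cooldownMs) state = "HalfOpen";
      return state !== "Open";
    },
    record(ok: boolean, now: number): void {
      if (ok) { state = "Closed"; failures = 0; return; }
      failures += 1;
      // A failed HalfOpen probe re-opens at once; Closed opens at the threshold.
      if (state === "HalfOpen" || failures >= failureThreshold) { state = "Open"; openedAt = now; }
    },
  };
}
interface Transport { kind: string; breaker: ReturnType<typeof breaker>; send: (requestId: string) => string }

// Sequential failover: walk the priority list, skip open breakers, stop at the deadline.
function route(priority: Transport[], requestId: string, clock: () => number, deadlineMs: number): string {
  const deadline = clock() + deadlineMs;
  for (const t of priority) {
    if (clock() >= deadline) break;
    if (!t.breaker.allow(clock())) continue;
    try {
      t.send(requestId); // throws on transport failure
      t.breaker.record(true, clock());
      return t.kind;
    } catch {
      t.breaker.record(false, clock());
    }
  }
  throw new Error("no transport answered within the deadline");
}

// Constructed scenario: libp2p is unreachable for four requests, then recovers.
function demo(): string[] {
  let now = 0, up = false;
  const mk = (kind: string, send: () => string): Transport => ({ kind, send, breaker: breaker(3, 30000) });
  const mesh = [mk("libp2p", () => { if (!up) throw new Error("dial failed"); return "ok"; }), mk("http", () => "ok")];
  const step = () => route(mesh, "req-1", () => now, 5000) + "/" + mesh[0].breaker.state();
  const log = [step(), step(), step(), step()];
  now = 30000; up = true; // cooldown_ms elapsed and the peer is back
  return [...log, step()];
}
console.log(demo().join(" "));
```

Each entry is the transport that served the request followed by the libp2p breaker state afterwards; the fourth request never touches libp2p because its breaker is open.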
Performance
| Metric | Value | Spec target |
|---|---|---|
| verify-phase-6 end-to-end | 102.15 s | < 120 s |
| Capability verification p95 (G40) | 0.597 ms | < 10 ms |
| Native binding matrix Tier-1 jobs | 6 (blocking) | 6 |
| Native binding matrix Tier-2 jobs | 4 (informational) | 4 |
Architecture decisions locked in this release
| ID | Decision | Reasoning |
|---|---|---|
| D1 | js-libp2p (pure TypeScript) for both OSS and Pro in Phase 6 | Knowledge-fabric workloads are not throughput-bound; CI complexity savings outweigh the throughput penalty |
| D2 | rust-libp2p accelerator deferred to Phase 7+ as Pro-only edge | The MeshTransport interface stays abstract for the future swap |
| D3 | Noise (XX, mutual auth), not TLS, for libp2p security | Standard libp2p convention, integrates cleanly with Ed25519 peer-key binding |
| D4 | Default transport priority libp2p > http | libp2p is the steady-state mesh transport; HTTP is the simpler fallback |
| D5 | Native binding CI matrix trimmed to 10 runs (6 blocking + 4 informational) | The original 24-run matrix was over-engineered |
| D6 | mDNS local discovery default, no DHT, no public bootstrap by default | Local-on-device first; operators opt in to bootstrap explicitly |
| D7 | Charter gates G36 to G43 (OSS), G44-pro to G47-pro (Pro) | Continues numbering from Phase 5; no reset |
| D8 | Migration IDs continue existing ranges (OSS) and Pro from 160 | Continuity with Phase 5 |
Full text in CR-v7.2.md Appendix D.
Two fix-kit waves before this tag
This release went through two post-delivery review cycles to clean up integration drift and verify cross-package wiring.
D6F1 (Fix Kit Phase 1) closed 9 cross-cutting issues:
- HTTP transport realignment with AlwaysFalseIdentityVerifier (FK-1)
- libp2p ecosystem bump to ^2.0.0 era, removing 13 as any casts (FK-2)
- HttpMeshTransport unification, deleting CombinedHttpTransport shim (FK-3)
- BLAKE3 fixture digest verified: 2a5b50f7feeb2368934d55d2bd7b3ea6f0a6f7f0f1613654c2c1663e830a3ffd (FK-4)
- Coverage threshold restoration to 85/85/85/80 across 6 packages (FK-5)
- CLI unit tests and real spawn-ba...