Chain as the source of truth
Membership, attestation policy, peer keys, and mesh addresses all live on chain. Nodes bootstrap from nothing but an RPC endpoint — no rendezvous servers, no STUN, no config files listing peers.
AttestMesh
Membership, encrypted messaging, and wireguard mesh signalling for attested nodes — with the blockchain as the only coordinator.
Why AttestMesh
Section titled “Why AttestMesh”Attestation-gated membership
A node joins by proving what code it runs. The cluster contract verifies the attestation (dstack/TDX in v1) before admitting a member, and the design keeps every attestation method behind its own facet so new methods drop in cleanly.
Encrypted by construction
Member-to-member messages are sealed-box encrypted to the recipient’s on-chain key. Mesh traffic runs over wireguard with peer keys pinned from chain state. The Cluster Shared Key never touches the chain — only its commitment does.
Gasless nodes
Nodes hold zero ETH. Every state-changing call is an EIP-4337 UserOperation, sponsored by a paymaster behind an operator-controlled provenance webhook.
Proven live
Section titled “Proven live”AttestMesh v1 runs on Base mainnet: real dstack CVMs self-register through sponsored UserOperations, form a wireguard mesh through the dstack gateway, exchange encrypted endpoint envelopes, distribute the Cluster Shared Key peer-to-peer, and subscribe to a TEE-attested event indexer — end to end, with no off-chain coordination.