meshmapper Graph
meshmapper uses a small typed directed graph with deterministic serialization. The graph is meant for offline review and hashing, not for live orchestration.
Node Types
Valid node types are:
agent
tool
memory_store
human
external_service
When an input does not declare a node type, meshmapper infers a conservative type from the node ID.
Edge Types
Valid edge types are:
can_invoke
delegates_to
reads_memory
writes_memory
trusts
Repeated observations between the same source and destination are merged. The graph keeps a primary edge type plus the observed edge_types list.
Trust Basis
Valid trust bases are:
signed
authenticated
implicit
When multiple sources describe the same edge, meshmapper keeps the weakest observed trust basis. implicit is the weakest and is the main signal used by the privilege-laundering and confused-deputy rules.
Deterministic Serialization
graph.json contains sorted nodes and edges. graph_ref is the structural SHA-256 hash of the canonical graph after run-specific provenance fields are removed, and is copied into every path hypothesis. structural_graph_ref is the same value exposed explicitly for workbench consumers. provenance_ref hashes the graph with source references, observations, and record sequence metadata included.
This lets reviewers compare equivalent topologies across different captures while still retaining enough provenance to audit where the graph came from.
Compatibility note: before T9, graph_ref meant a hash of the full serialized graph including provenance-like fields. T9+ graph output uses schema_version: "1.1" and defines graph_ref == structural_graph_ref; provenance_ref is the run/source-specific audit hash.
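The following sketch is an added example, not meshmapper's own code, showing how the rules above combine: repeated observations of one edge are merged, the weakest trust basis wins, and provenance fields are stripped before the structural hash, so two captures of the same topology share a graph_ref but get different provenance_refs. The field names, the ranking of signed versus authenticated, and the choice of first-seen type as primary are assumptions of this example.

```python
import hashlib
import json

# Weakest-first ranking; the page only states implicit is weakest, the rest is assumed.
TRUST_RANK = {"implicit": 0, "authenticated": 1, "signed": 2}
# Run-specific fields stripped before the structural hash (field names assumed).
PROVENANCE_FIELDS = ("source_refs", "observations", "record_seq")

def merge_edges(observations):
    """One edge per (src, dst): first-seen type is primary (assumed), every
    observed type lands in edge_types, the weakest trust basis wins."""
    merged = {}
    for ob in observations:
        e = merged.setdefault((ob["src"], ob["dst"]), {
            "src": ob["src"], "dst": ob["dst"], "type": ob["type"],
            "edge_types": [], "trust_basis": ob["trust_basis"],
            "source_refs": [], "observations": [], "record_seq": []})
        if ob["type"] not in e["edge_types"]:
            e["edge_types"].append(ob["type"])
        if TRUST_RANK[ob["trust_basis"]] < TRUST_RANK[e["trust_basis"]]:
            e["trust_basis"] = ob["trust_basis"]
        for f in PROVENANCE_FIELDS:  # provenance accumulates, never merges away
            e[f].append(ob[f])
    for e in merged.values():
        e["edge_types"].sort()  # observation order must not change the hash
    return [merged[k] for k in sorted(merged)]

def canonical_json(obj):
    # Sorted keys and fixed separators: equal topologies give identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))

def graph_refs(nodes, edges):
    """Return (structural_graph_ref, provenance_ref) as hex SHA-256 digests."""
    nodes = sorted(nodes, key=lambda n: n["id"])
    structural = {"nodes": nodes, "edges": [
        {k: v for k, v in e.items() if k not in PROVENANCE_FIELDS} for e in edges]}
    sha = lambda o: hashlib.sha256(canonical_json(o).encode()).hexdigest()
    return sha(structural), sha({"nodes": nodes, "edges": edges})

# Constructed sample: the same topology seen in two captures with different provenance.
NODES = [{"id": "refund_tool", "type": "tool"}, {"id": "support_agent", "type": "agent"}]

def capture(tag, seq):
    return [{"src": "support_agent", "dst": "refund_tool", "type": "can_invoke",
             "trust_basis": "signed", "source_refs": tag + "/pcap",
             "observations": "invoke seen", "record_seq": seq},
            {"src": "support_agent", "dst": "refund_tool", "type": "trusts",
             "trust_basis": "implicit", "source_refs": tag + "/config",
             "observations": "static trust", "record_seq": seq + 1}]
```

Comparing graph_refs(NODES, merge_edges(capture("a", 1))) with the same call for capture "b" yields an equal first element and a different second element, which is the comparison a reviewer makes across captures.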
Provenance And Warnings
Nodes and edges preserve non-secret source_refs, observations, record sequence numbers, and optional confidence metadata. When a trust or privilege edge depends only on cooperative meshmapper metadata or static config rather than observed protocol facts, graph output includes a warnings entry.
AIT workbench surfaces node/edge counts, hypothesis classes, graph refs, and warnings so operators can tell whether a path came from traffic, config, or lab metadata.
Privilege Inference
Inputs may declare node privilege directly. If they do not, meshmapper infers rough privilege from node IDs: billing, refund, admin, root, privileged, filesystem, file, and sink names skew high; public, support, client, entry, guest, and user names skew public.
Explicit metadata is better than name inference. Treat inferred privilege as a triage aid, not proof.