meshmapper Graph

meshmapper uses a small typed directed graph with deterministic serialization. The graph is meant for offline review and hashing, not for live orchestration.

Node Types

Valid node types are:

  • agent
  • tool
  • memory_store
  • human
  • external_service

When an input does not declare a node type, meshmapper infers a conservative type from the node ID.

Edge Types

Valid edge types are:

  • can_invoke
  • delegates_to
  • reads_memory
  • writes_memory
  • trusts

Repeated observations between the same source and destination are merged. The graph keeps a primary edge type plus the observed edge_types list.

Trust Basis

Valid trust bases are:

  • signed
  • authenticated
  • implicit

When multiple sources describe the same edge, meshmapper keeps the weakest observed trust basis. implicit is the weakest and is the main signal used by the privilege-laundering and confused-deputy rules.

Deterministic Serialization

graph.json contains sorted nodes and edges. graph_ref is the structural SHA-256 hash of the canonical graph after run-specific provenance fields are removed, and is copied into every path hypothesis.

structural_graph_ref is the same value exposed explicitly for workbench consumers. provenance_ref hashes the graph with source references, observations, and record sequence metadata included.

This lets reviewers compare equivalent topologies across different captures while still retaining enough provenance to audit where the graph came from.

Compatibility note: before T9, graph_ref was a hash of the full serialized graph, including provenance-like fields. T9+ graph output uses schema_version: "1.1" and defines graph_ref == structural_graph_ref; provenance_ref is the run- and source-specific audit hash.
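The following is an added example, not meshmapper's own code, showing the edge merging and weakest-trust rule described under Edge Types and Trust Basis together with the structural/provenance hashing described in this section. Field names such as src, dst, record_seq and confidence, and the rule that the first observed type becomes the primary type, are assumptions; the two captures are constructed inline.

```python
import hashlib
import json

# Run-specific fields removed before the structural hash (field names are assumptions).
PROVENANCE_FIELDS = {"source_refs", "observations", "record_seq", "confidence"}
TRUST_RANK = {"signed": 2, "authenticated": 1, "implicit": 0}  # lower = weaker

def merge_edges(observed):
    """Merge repeated (src, dst) observations: first type is primary, every type goes
    into the sorted edge_types list, and the weakest trust basis wins."""
    merged = {}
    for e in observed:
        m = merged.setdefault((e["src"], e["dst"]), {
            "src": e["src"], "dst": e["dst"], "type": e["type"], "edge_types": [],
            "trust_basis": e["trust_basis"], "source_refs": []})
        if e["type"] not in m["edge_types"]:
            m["edge_types"] = sorted(m["edge_types"] + [e["type"]])
        if TRUST_RANK[e["trust_basis"]] < TRUST_RANK[m["trust_basis"]]:
            m["trust_basis"] = e["trust_basis"]
        m["source_refs"].extend(e.get("source_refs", []))
    return list(merged.values())

def canonical_json(graph, strip_provenance):
    """Sorted nodes, sorted edges, sorted keys, no whitespace: byte-stable output."""
    def clean(item):
        return {k: v for k, v in item.items()
                if not (strip_provenance and k in PROVENANCE_FIELDS)}
    canon = {"schema_version": graph["schema_version"],
             "nodes": sorted((clean(n) for n in graph["nodes"]), key=lambda n: n["id"]),
             "edges": sorted((clean(e) for e in graph["edges"]),
                             key=lambda e: (e["src"], e["dst"]))}
    return json.dumps(canon, sort_keys=True, separators=(",", ":"))

def graph_refs(graph):
    """Return (structural_graph_ref, provenance_ref); graph_ref equals the first."""
    sha = lambda s: hashlib.sha256(s.encode()).hexdigest()
    return sha(canonical_json(graph, True)), sha(canonical_json(graph, False))

def capture(ref):
    """Constructed sample: one topology, with capture-specific source_refs."""
    nodes = [{"id": "billing_agent", "type": "agent", "privilege": "high"},
             {"id": "support_agent", "type": "agent", "privilege": "public"}]
    observed = [
        {"src": "support_agent", "dst": "billing_agent", "type": "delegates_to",
         "trust_basis": "authenticated", "source_refs": [ref + "#1"]},
        {"src": "support_agent", "dst": "billing_agent", "type": "can_invoke",
         "trust_basis": "implicit", "source_refs": [ref + "#2"]}]
    return {"schema_version": "1.1", "nodes": nodes, "edges": merge_edges(observed)}
```

Two captures of the same topology yield the same structural_graph_ref but different provenance_ref values, which is the comparison a reviewer makes when deciding whether two runs observed the same mesh.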

Provenance And Warnings

Nodes and edges preserve non-secret source_refs, observations, record sequence numbers, and optional confidence metadata. When a trust or privilege edge depends only on cooperative meshmapper metadata or static config rather than observed protocol facts, graph output includes a warnings entry.

AIT workbench surfaces node/edge counts, hypothesis classes, graph refs, and warnings so operators can tell whether a path came from traffic, config, or lab metadata.

Privilege Inference

Inputs may declare node privilege directly. If they do not, meshmapper infers rough privilege from node IDs: billing, refund, admin, root, privileged, filesystem, file, and sink names skew high; public, support, client, entry, guest, and user names skew public.

Explicit metadata is better than name inference. Treat inferred privilege as a triage aid, not proof.