<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Developer Guide on SAM</title><link>https://sam-mesh.dev/docs/development/</link><description>Recent content in Developer Guide on SAM</description><generator>Hugo</generator><language>en-us</language><atom:link href="https://sam-mesh.dev/docs/development/index.xml" rel="self" type="application/rss+xml"/><item><title>Kubernetes Deployment and Local Testing Guide</title><link>https://sam-mesh.dev/docs/development/kubernetes-deployment/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://sam-mesh.dev/docs/development/kubernetes-deployment/</guid><description>&lt;p>This guide explains how to deploy the &lt;code>sam-hub&lt;/code> in a Kubernetes cluster and how to test it locally using &lt;code>kind&lt;/code> and &lt;code>cloud-provider-kind&lt;/code>.&lt;/p>
&lt;blockquote>
&lt;p>[!TIP]
This guide focuses on local development sandboxing. For production-grade Kubernetes deployments (GKE, EKS, AKS), see the &lt;a href="../../user/kubernetes-deployment/">Production Kubernetes Deployment&lt;/a> guide.&lt;/p>
&lt;/blockquote>
&lt;p>This guide supports using either &lt;strong>Google OIDC&lt;/strong> or a &lt;strong>Mock OIDC Provider&lt;/strong> for authentication. The mock provider is recommended for quick local testing as it does not require creating external credentials.&lt;/p></description></item><item><title>Release Tracks, Autoupdate, and Autoscaling</title><link>https://sam-mesh.dev/docs/development/release-tracks/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://sam-mesh.dev/docs/development/release-tracks/</guid><description>&lt;p>Sovereign Agent Mesh (SAM) is deployed to public endpoints using automated environments, release tracks, and self-healing/scaling infrastructure.&lt;/p>
&lt;hr>
&lt;h2 id="1-release-tracks">1. Release Tracks&lt;/h2>
&lt;p>The public deployment has two isolated release tracks:&lt;/p>
&lt;h3 id="a-testnet-track-bananas">A. Testnet Track (Bananas)&lt;/h3>
&lt;ul>
&lt;li>&lt;strong>Domain Name:&lt;/strong> &lt;code>bananas.sam-mesh.dev&lt;/code>&lt;/li>
&lt;li>&lt;strong>Source Branch:&lt;/strong> Tracks the &lt;code>main&lt;/code> branch.&lt;/li>
&lt;li>&lt;strong>Deployment Trigger:&lt;/strong> Automatically deployed on every new push/commit to the &lt;code>main&lt;/code> branch.&lt;/li>
&lt;li>&lt;strong>Target Tag:&lt;/strong> The deployment is tagged with the Git commit SHA (&lt;code>github.sha&lt;/code>).&lt;/li>
&lt;li>&lt;strong>Purpose:&lt;/strong> Serves as the staging/testing playground for the latest features and continuous integration.&lt;/li>
&lt;/ul>
&lt;h3 id="b-production-track-hub">B. Production Track (Hub)&lt;/h3>
&lt;ul>
&lt;li>&lt;strong>Domain Name:&lt;/strong> &lt;code>hub.sam-mesh.dev&lt;/code>&lt;/li>
&lt;li>&lt;strong>Source Branch:&lt;/strong> Tracks semantic version tags matching &lt;code>v*.*.*&lt;/code>.&lt;/li>
&lt;li>&lt;strong>Deployment Trigger:&lt;/strong> Automatically deployed whenever a new version tag is pushed to GitHub.&lt;/li>
&lt;li>&lt;strong>Target Tag:&lt;/strong> The deployment is tagged with the exact Git release tag (e.g. &lt;code>v1.0.0&lt;/code>).&lt;/li>
&lt;li>&lt;strong>Purpose:&lt;/strong> Stable, audited release track for production workloads.&lt;/li>
&lt;/ul>
&lt;hr>
&lt;h2 id="2-autoupdate-mechanism">2. Autoupdate Mechanism&lt;/h2>
&lt;p>Updates to both release tracks are fully automated via a robust &lt;strong>Continuous Deployment&lt;/strong> pipeline:&lt;/p></description></item><item><title>SAM Policy &amp; Authorization Reference</title><link>https://sam-mesh.dev/docs/development/policy/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://sam-mesh.dev/docs/development/policy/</guid><description>&lt;p>SAM uses a decentralized authorization model powered by &lt;a href="https://www.biscuitsec.org/">Biscuit&lt;/a>.
The &lt;code>sam-hub&lt;/code> authenticates users via OIDC and injects &lt;strong>Facts&lt;/strong> into their token based on &lt;code>policies.yaml&lt;/code>. The &lt;code>sam-node&lt;/code> operates offline, evaluating the token against baseline rules and optional local attenuation policies.&lt;/p>
&lt;h2 id="1-oidc-to-biscuit-translation">1. OIDC to Biscuit Translation&lt;/h2>
&lt;p>The Hub automatically translates OIDC claims into undeniable cryptographic facts:&lt;/p>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th style="text-align: left">OIDC Claim / Data&lt;/th>
 &lt;th style="text-align: left">Biscuit Fact&lt;/th>
 &lt;th style="text-align: left">Description&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td style="text-align: left">&lt;code>sub&lt;/code>&lt;/td>
 &lt;td style="text-align: left">&lt;code>user(&amp;quot;&amp;lt;sub-id&amp;gt;&amp;quot;)&lt;/code>&lt;/td>
 &lt;td style="text-align: left">The unique subject ID from the identity provider.&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td style="text-align: left">&lt;code>email&lt;/code>&lt;/td>
 &lt;td style="text-align: left">&lt;code>email(&amp;quot;&amp;lt;email&amp;gt;&amp;quot;)&lt;/code>&lt;/td>
 &lt;td style="text-align: left">The user&amp;rsquo;s email address (if present).&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td style="text-align: left">&lt;code>groups&lt;/code>&lt;/td>
 &lt;td style="text-align: left">&lt;code>group(&amp;quot;&amp;lt;group-name&amp;gt;&amp;quot;)&lt;/code>&lt;/td>
 &lt;td style="text-align: left">One fact is injected for &lt;em>each&lt;/em> group the user possesses.&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td style="text-align: left">&lt;code>roles&lt;/code> / Resolved Roles&lt;/td>
 &lt;td style="text-align: left">&lt;code>role(&amp;quot;&amp;lt;role-name&amp;gt;&amp;quot;)&lt;/code>&lt;/td>
 &lt;td style="text-align: left">One fact is injected for &lt;em>each&lt;/em> role mapped or direct role.&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td style="text-align: left">Peer ID&lt;/td>
 &lt;td style="text-align: left">&lt;code>node(&amp;quot;&amp;lt;peer-id&amp;gt;&amp;quot;)&lt;/code>, &lt;code>client_peer_id(&amp;quot;&amp;lt;peer-id&amp;gt;&amp;quot;)&lt;/code>&lt;/td>
 &lt;td style="text-align: left">Binds the token to the specific agent&amp;rsquo;s libp2p cryptographic identity.&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td style="text-align: left">Expiration&lt;/td>
 &lt;td style="text-align: left">&lt;code>expiration(&amp;lt;date&amp;gt;)&lt;/code>&lt;/td>
 &lt;td style="text-align: left">The token expiration date based on the OIDC session.&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h3 id="11-translating-identity-to-capability-oidc-to-biscuit">1.1 Translating Identity to Capability: OIDC to Biscuit&lt;/h3>
&lt;p>The core innovation of the SAM Network&amp;rsquo;s security model is translating standard web identity (OIDC JSON Web Tokens defined in &lt;a href="https://openid.net/specs/openid-connect-core-1_0.html#Claims">OpenID Connect Core 1.0&lt;/a>) into decentralized capability tokens (Biscuits). This translation happens securely at the &lt;code>sam-hub&lt;/code> during the authentication phase.&lt;/p></description></item><item><title>Testing</title><link>https://sam-mesh.dev/docs/development/testing/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://sam-mesh.dev/docs/development/testing/</guid><description>&lt;p>Current testing is intentionally minimal and aligned with the current binaries.&lt;/p>
&lt;h2 id="test-layers">Test Layers&lt;/h2>
&lt;ol>
&lt;li>Go tests: &lt;code>make test&lt;/code>&lt;/li>
&lt;li>BATS CLI tests: &lt;code>make test-e2e&lt;/code>&lt;/li>
&lt;li>Containerized BATS mesh tests: &lt;code>make test-e2e-container&lt;/code>&lt;/li>
&lt;/ol>
&lt;h2 id="commands">Commands&lt;/h2>
&lt;div class="highlight">&lt;pre tabindex="0" class="chroma">&lt;code class="language-bash" data-lang="bash">&lt;span class="line">&lt;span class="cl">make build
&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">make &lt;span class="nb">test&lt;/span>
&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">make test-e2e
&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">make test-e2e-container
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;h2 id="go-tests">Go Tests&lt;/h2>
&lt;p>Run all Go tests with race detection:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" class="chroma">&lt;code class="language-bash" data-lang="bash">&lt;span class="line">&lt;span class="cl">make &lt;span class="nb">test&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Run only integration package:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" class="chroma">&lt;code class="language-bash" data-lang="bash">&lt;span class="line">&lt;span class="cl">go &lt;span class="nb">test&lt;/span> ./tests/integration/...
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;h2 id="bats-cli-tests">BATS CLI Tests&lt;/h2>
&lt;p>These tests validate current command behavior for:&lt;/p>
&lt;ul>
&lt;li>&lt;code>sam-node&lt;/code>&lt;/li>
&lt;li>&lt;code>sam-hub&lt;/code>&lt;/li>
&lt;/ul>
&lt;p>Run:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" class="chroma">&lt;code class="language-bash" data-lang="bash">&lt;span class="line">&lt;span class="cl">make test-e2e
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;h2 id="containerized-mesh-bats">Containerized Mesh BATS&lt;/h2>
&lt;p>The container framework is implemented in:&lt;/p></description></item><item><title>Testnet &amp; Mesh Validation Tutorial</title><link>https://sam-mesh.dev/docs/development/testnet-validation/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://sam-mesh.dev/docs/development/testnet-validation/</guid><description>&lt;p>This tutorial guides you through validating your local environment integration with the public Sovereign Agent Mesh (SAM) testnets (&lt;code>bananas.sam-mesh.dev&lt;/code> or &lt;code>hub.sam-mesh.dev&lt;/code>). You will learn how to verify your node&amp;rsquo;s connection, discover remote MCP services, and invoke remote tools.&lt;/p>
&lt;hr>
&lt;h2 id="prerequisites">Prerequisites&lt;/h2>
&lt;p>Before starting, ensure you have:&lt;/p>
&lt;ol>
&lt;li>Compiled the local binaries (&lt;code>sam-node&lt;/code> and &lt;code>mcp-client&lt;/code>) by running:
&lt;div class="highlight">&lt;pre tabindex="0" class="chroma">&lt;code class="language-bash" data-lang="bash">&lt;span class="line">&lt;span class="cl">make build
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;/li>
&lt;li>An active local &lt;code>sam-node&lt;/code> container or process running and successfully joined to the target public testnet.
For example, join via:
&lt;div class="highlight">&lt;pre tabindex="0" class="chroma">&lt;code class="language-bash" data-lang="bash">&lt;span class="line">&lt;span class="cl">bin/sam-node join https://bananas.sam-mesh.dev
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>And run via:
&lt;div class="highlight">&lt;pre tabindex="0" class="chroma">&lt;code class="language-bash" data-lang="bash">&lt;span class="line">&lt;span class="cl">docker run --name sam-node &lt;span class="se">\
&lt;/span>&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">&lt;span class="se">&lt;/span> -v ~/.config/sam-mesh:/data &lt;span class="se">\
&lt;/span>&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">&lt;span class="se">&lt;/span> -p 5001:5001/udp -p 5002:5002 -p 8080:8080 &lt;span class="se">\
&lt;/span>&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">&lt;span class="se">&lt;/span> sam-node:local &lt;span class="se">\
&lt;/span>&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">&lt;span class="se">&lt;/span> run --data-dir /data &lt;span class="se">\
&lt;/span>&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">&lt;span class="se">&lt;/span> --hub https://bananas.sam-mesh.dev &lt;span class="se">\
&lt;/span>&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">&lt;span class="se">&lt;/span> --bind-addr 0.0.0.0:8080 &lt;span class="se">\
&lt;/span>&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">&lt;span class="se">&lt;/span> --api-token secret-token &lt;span class="se">\
&lt;/span>&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">&lt;span class="se">&lt;/span> --log-level debug
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;/li>
&lt;/ol>
&lt;hr>
&lt;h2 id="step-1-verifying-local-connection-to-the-testnet">Step 1: Verifying Local Connection to the Testnet&lt;/h2>
&lt;p>Check the logs of your local &lt;code>sam-node&lt;/code> to ensure it has successfully joined and is online:&lt;/p></description></item></channel></rss>