<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>User and Operator Guides on SAM</title><link>https://sam-mesh.dev/docs/user/</link><description>Recent content in User and Operator Guides on SAM</description><generator>Hugo</generator><language>en-us</language><atom:link href="https://sam-mesh.dev/docs/user/index.xml" rel="self" type="application/rss+xml"/><item><title>Hub Configuration Guide</title><link>https://sam-mesh.dev/docs/user/hub-configuration/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://sam-mesh.dev/docs/user/hub-configuration/</guid><description>&lt;p>The &lt;code>sam-hub&lt;/code> acts as the control plane for the Sovereign Agent Mesh. It is responsible for bridging user identities from OpenID Connect (OIDC) providers, issuing cryptographically signed Biscuit authorization tokens, and distributing network and tool policies to nodes.&lt;/p>
&lt;hr>
&lt;h2 id="1-core-services">1. Core Services&lt;/h2>
&lt;p>When you run &lt;code>sam-hub&lt;/code>, it launches two core service endpoints:&lt;/p>
&lt;ol>
&lt;li>&lt;strong>libp2p P2P Endpoint&lt;/strong>: Used by &lt;code>sam-node&lt;/code> clients to execute cryptographic handshakes and perform DHT resource discovery.&lt;/li>
&lt;li>&lt;strong>HTTP/HTTPS Service Endpoint&lt;/strong>: Used for health status checks (&lt;code>/healthz&lt;/code>), Prometheus metrics (&lt;code>/metrics&lt;/code>), and administrative commands (such as banning nodes).&lt;/li>
&lt;/ol>
&lt;hr>
&lt;h2 id="2-command-line-arguments--environment-variables">2. Command-Line Arguments &amp;amp; Environment Variables&lt;/h2>
&lt;p>The hub is highly configurable. Each setting can be passed as a command-line flag or bound to a corresponding environment variable:&lt;/p></description></item><item><title>Node Configuration Guide</title><link>https://sam-mesh.dev/docs/user/node-configuration/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://sam-mesh.dev/docs/user/node-configuration/</guid><description>&lt;p>The &lt;code>sam-node&lt;/code> acts as a local security gateway and tool proxy for AI agents. While the Hub acts as the central control plane, each Node independently defines its own local tool catalogue and enforces its own local security identity.&lt;/p>
&lt;hr>
&lt;h2 id="1-node-configuration-file-sam-nodeyaml">1. Node Configuration File (&lt;code>sam-node.yaml&lt;/code>)&lt;/h2>
&lt;p>By default, &lt;code>sam-node&lt;/code> runs without exposing any local tools to the mesh. To expose local tools or strictly enforce your node&amp;rsquo;s network identity, you must create a Node configuration file and pass it to the daemon using the &lt;code>--config&lt;/code> flag:&lt;/p></description></item><item><title>Agent Usage &amp; Connectivity Guide</title><link>https://sam-mesh.dev/docs/user/agent-usage/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://sam-mesh.dev/docs/user/agent-usage/</guid><description>&lt;p>SAM nodes (&lt;code>sam-node&lt;/code>) act as local security gateways and tool proxies for your AI agents (such as Google Gemini, Claude Code, or Claude Desktop). This document explains how to authenticate a node to the mesh and configure your agents to use it.&lt;/p>
&lt;hr>
&lt;h2 id="1-node-lifecycle-overview">1. Node Lifecycle Overview&lt;/h2>
&lt;p>Connecting your AI agent to the Sovereign Agent Mesh involves two phases:&lt;/p>
&lt;pre class="mermaid">sequenceDiagram
 actor User as Developer/Operator
 participant Node as sam-node (Local)
 participant Hub as sam-hub (Mesh)
 participant Agent as AI Agent (Gemini/Claude)
 
 Note over User,Hub: Phase 1: Mesh Join (OIDC Authorization)
 User-&amp;gt;&amp;gt;Node: sam-node join &amp;lt;hub-url&amp;gt;
 Node-&amp;gt;&amp;gt;Hub: Get Hub OIDC Info
 Hub--&amp;gt;&amp;gt;Node: OIDC Issuer, Client ID
 Node-&amp;gt;&amp;gt;User: Display Login URL &amp;amp; Code
 User-&amp;gt;&amp;gt;User: Login in Browser
 Node-&amp;gt;&amp;gt;Hub: Exchange Code for Biscuit Identity
 Node-&amp;gt;&amp;gt;Node: Persist Biscuit in Local Store (agent.db)

 Note over User,Agent: Phase 2: Agent Tool Invocation
 User-&amp;gt;&amp;gt;Node: sam-node run --api-token &amp;#34;secret-key&amp;#34;
 Node-&amp;gt;&amp;gt;Node: Start local MCP server on 127.0.0.1:8080
 Agent-&amp;gt;&amp;gt;Node: Connect to local MCP (with Bearer &amp;#34;secret-key&amp;#34;)
 Agent-&amp;gt;&amp;gt;Node: Call Remote P2P Tool
 Node-&amp;gt;&amp;gt;Hub: Verify Biscuit / Allowed Policies
 Node--&amp;gt;&amp;gt;Agent: Execute tool and return result&lt;/pre>
&lt;hr>
&lt;h2 id="2-phase-1-joining-the-mesh-sam-node-join">2. Phase 1: Joining the Mesh (&lt;code>sam-node join&lt;/code>)&lt;/h2>
&lt;p>Before starting the node daemon, you must authorize your node and obtain a cryptographic Biscuit identity.&lt;/p></description></item><item><title>Production Kubernetes Deployment</title><link>https://sam-mesh.dev/docs/user/kubernetes-deployment/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://sam-mesh.dev/docs/user/kubernetes-deployment/</guid><description>&lt;p>This guide explains how to deploy a production-grade SAM cluster (Hub, DNS synchronizer, OIDC bridge, and Nodes) in a Kubernetes environment (like GKE, EKS, AKS, or custom bare-metal clusters), based on our official public testnet architectures.&lt;/p>
&lt;hr>
&lt;h2 id="1-architecture-overview">1. Architecture Overview&lt;/h2>
&lt;p>A production SAM deployment consists of:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Dex (OIDC Provider)&lt;/strong>: Serves as the identity bridge, federation point, and login broker.&lt;/li>
&lt;li>&lt;strong>SAM Hub (&lt;code>sam-hub&lt;/code>)&lt;/strong>: Runs as a &lt;strong>StatefulSet&lt;/strong> to maintain stable network identity. P2P nodes query these bootstrap pods to connect to the mesh.&lt;/li>
&lt;li>&lt;strong>DNS Sync CronJob&lt;/strong>: Dynamically queries the StatefulSet pod IP addresses and updates DNS A/AAAA records for P2P bootstrap resolution.&lt;/li>
&lt;li>&lt;strong>SAM Nodes (&lt;code>sam-node&lt;/code>)&lt;/strong>: Deployed as containerized gateways that authenticate securely to the hub using Kubernetes Workload Identity (ServiceAccount token projection).&lt;/li>
&lt;/ul>
&lt;pre class="mermaid">graph TD
 User([User / Client]) --&amp;gt;|HTTPS / OIDC| Dex[Dex Identity Bridge]
 Node[sam-node Gateway Pod] --&amp;gt;|ServiceAccount Token| Hub[sam-hub StatefulSet]
 Hub --&amp;gt;|OIDC Discovery Check| Dex
 Cron[DNS Sync CronJob] --&amp;gt;|Poll Pod IPs| K8sApi[Kubernetes API]
 Cron --&amp;gt;|Update A Records| CloudDNS[Cloud DNS / DNS Registry]
 Node --&amp;gt;|Bootstrap DNS Resolution| CloudDNS&lt;/pre>
&lt;hr>
&lt;h2 id="2-step-1-deploying-the-oidc-provider-dex">2. Step 1: Deploying the OIDC Provider (Dex)&lt;/h2>
&lt;p>Dex maps external accounts (Google, GitHub, LDAP) to standard OIDC identities in the cluster.&lt;/p></description></item></channel></rss>