MeshKit is a TypeScript SDK for adding encrypted, IPFS-ready storage to apps with a developer experience closer to a normal cloud SDK than raw decentralized infrastructure.
The first package set is the shared npm foundation for web, React Native, Node.js, agents, and CLIs. Flutter and Ionic can bind to the same provider and envelope protocol once their dedicated packages are implemented.
```ts
import { meshkit } from "meshkit";

const mk = await meshkit();

// `bytes` is the file content supplied by the caller.
// Content is encrypted before it reaches the provider and is addressed by CID.
const file = await mk.files.put("report.pdf", bytes);
const opened = await mk.files.get(file.cid);

// An explicit recipient identity is required before sharing.
await mk.identity.create("alice");

// Wrap the file key for "alice" in a share capsule that expires after 24 hours.
const capsule = await mk.share.file(file).with("alice", { expiresIn: "24h" });
```

- `meshkit`: one-import facade for apps.
- `@meshkit/core`: envelope encryption, provider protocol, proofs, sharing, messages, records, batches, and interop vectors.
- `@meshkit/cli`: `meshkit init`, `meshkit dev`, `meshkit doctor`, `meshkit inspect`, `meshkit logs`, `meshkit policies`, `meshkit deals`, and `meshkit providers test`.
- `@meshkit/mcp`: scoped agent tools with schemas and input limits.
- `@meshkit/web`: browser/PWA adapter entrypoint and capability detection.
- `@meshkit/react-native`: React Native adapter entrypoint and capability detection.
- `@meshkit/node`: Node.js/server adapter entrypoint and capability detection.
- Quickstart
- TypeScript runtime recipes
- Provider production setup
- Identity and public key directory
- MeshKitError and provider troubleshooting
MeshKit encrypts by default before content enters the provider:
- Per-object envelope encryption with a fresh data encryption key.
- AES-256-GCM for authenticated encryption.
- ECDH P-256 plus HKDF-SHA256 to wrap object keys for recipients.
- Envelope metadata is authenticated as AEAD additional data.
- Explicit recipient identities are required before sharing.
- Key rotation, rekey, and revoke are first-class APIs.
- Envelope and wrap metadata include algorithm/version labels for crypto agility.
This is FIPS-ready architecture, not a FIPS 140-3 certification claim. Production mobile adapters should bind keys to Android Keystore, iOS Keychain/Secure Enclave where available, and WebCrypto with a lower-trust browser profile.
MeshKit does not treat `to` as a centralized email-style address. Content is addressed by CID, and access is routed by encrypted share capsules:
- Files and records are stored as encrypted MeshKit envelopes.
- Recipients are local or imported identities with public keys.
- Sharing creates a capsule that wraps the file key to recipient public keys.
- Messages are encrypted files plus a capsule placed into a provider mailbox.
- Verified retrieval returns content plus proof metadata instead of blind gateway reads.
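The envelope scheme in the encryption list and the key wrapping behind share capsules can be sketched with Node's built-in `crypto` module; this is an added example, not MeshKit's code or wire format. The `Envelope` shape, the helper names, the HKDF salt and `example-wrap-v1` label, and the metadata string are assumptions made for illustration.

```typescript
// Added illustration only: not MeshKit's envelope format or API.
import { createCipheriv, createDecipheriv, createECDH, hkdfSync, randomBytes } from "node:crypto";

type Sealed = { iv: Buffer; ct: Buffer; tag: Buffer };
type Envelope = { meta: string; body: Sealed; ephPub: Buffer; wrap: Sealed };

// AES-256-GCM with the envelope metadata bound in as additional data.
function seal(key: Buffer, pt: Buffer, aad: Buffer): Sealed {
  const iv = randomBytes(12); // fresh 96-bit nonce for every encryption
  const c = createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(pt), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function unseal(key: Buffer, s: Sealed, aad: Buffer): Buffer {
  const d = createDecipheriv("aes-256-gcm", key, s.iv);
  d.setAAD(aad);
  d.setAuthTag(s.tag);
  return Buffer.concat([d.update(s.ct), d.final()]); // final() throws if the tag fails
}

// ECDH P-256 shared secret -> HKDF-SHA256 -> 256-bit key-encryption key.
// Salt and info label are assumptions of this example.
function deriveKek(shared: Buffer, ephPub: Buffer): Buffer {
  return Buffer.from(hkdfSync("sha256", shared, ephPub, "example-wrap-v1", 32));
}

function encryptFor(recipientPub: Buffer, plaintext: Buffer, meta: string): Envelope {
  const aad = Buffer.from(meta);
  const dek = randomBytes(32); // fresh data encryption key per object
  const eph = createECDH("prime256v1"); // ephemeral sender key pair
  const ephPub = eph.generateKeys();
  const kek = deriveKek(eph.computeSecret(recipientPub), ephPub);
  return { meta, body: seal(dek, plaintext, aad), ephPub, wrap: seal(kek, dek, aad) };
}

function decryptWith(recipient: ReturnType<typeof createECDH>, env: Envelope): Buffer {
  const aad = Buffer.from(env.meta);
  const kek = deriveKek(recipient.computeSecret(env.ephPub), env.ephPub);
  return unseal(unseal(kek, env.wrap, aad), env.body, aad);
}

// Constructed sample: "alice" is a hypothetical recipient, the metadata string is made up.
const alice = createECDH("prime256v1");
const env = encryptFor(alice.generateKeys(), Buffer.from("hello mesh"), '{"alg":"A256GCM","v":1}');
console.log(decryptWith(alice, env).toString());
```

Because the same metadata is passed as additional data to both the body and the wrapped key, editing the algorithm/version label or presenting a different recipient key makes `decryptWith` throw instead of returning plaintext.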
The current local-dev provider is for SDK development and deterministic tests. Production IPFS, Filecoin, and policy flows use explicit provider classes such as `HttpIpfsProvider`, `PinningServiceProvider`, `GatewayRetrievalProvider`, `HttpIpfsClusterProvider`, `FallbackProvider`, `HttpFilecoinPersistenceProvider`, and `HttpLitPolicyProvider`.
```bash
npx meshkit init
npx meshkit dev
npx meshkit dev put hello.txt "hello mesh"
npx meshkit providers test --json
npx meshkit logs --json
npx meshkit policies test --json
npx meshkit deals status <dealId> --json
npx meshkit deals retrieve <dealId> --output payload.bin --json
npx meshkit inspect <cid> --json
npx meshkit doctor --json
```

The CLI persists local-dev state in `.meshkit/local-dev.json` so separate invocations can inspect content written earlier. The documented CLI surface is command-line setup/status, object writes, diagnostics, proof inspection, logs, policy checks, Filecoin deal helpers, and provider testing. `meshkit.config.json` configures local-dev, IPFS HTTP, pinning service, gateway retrieval, private cluster, fallback, Filecoin, and policy profiles without committing secrets; use `tokenEnv` to reference credentials.
`@meshkit/mcp` exposes scoped tools:
- `meshkit.files.put`
- `meshkit.inspect`
- `meshkit.identity.create`
- `meshkit.share.with`

Each tool publishes an input schema and a scope list, and rejects malformed or oversized inputs before touching storage.
This repository is the final-grade TypeScript SDK foundation: encrypted core, provider protocol, npm facade, CLI, MCP tools, web adapter, and React Native adapter. Next production work should validate these providers against live services, add native mobile key vaults, expand framework examples, and complete external identity import.