TOSS // v0.1.0 — security

Trust by design.

TOSS is mesh hardware an AI agent can act through. We made the trust story load-bearing: signed drivers, CRC'd packets, one network-facing node, and zero accounts — nothing about it is incidental.

  • every driver: ed25519
  • every frame: crc-16
  • network-exposed nodes: 1
  • phone-home: never

01 — Signed drivers

No driver runs until we've checked who signed it.

Every driver fetched from the online registry carries an ed25519 signature over its full 248-byte descriptor. The firmware verifies that signature against a public key pinned in NVS before the descriptor touches the bus.

Tampered, replayed, or unsigned drivers are silently rejected. Verified descriptors are cached in the on-chip /drvcache SPIFFS partition, so the next boot can load them without network access.

  • registry: drivers.opentoss.io · 248 B blob + sig
  • verify: ed25519 · tweetnacl on-chip
  • cache: /drvcache · spiffs · 384 KB
  • run: bus driver · i²c · 1-wire · uart

02 — Mesh integrity

Every frame is checksummed and deduped.

The TOSS Wire Protocol (TWP v2) puts a CRC-16 in every frame. Frames that fail CRC are dropped before they ever reach a handler.

A 32-entry origin-based dedup ring keyed on origin_mac + seq blocks replay attempts across the relay graph. TTL decrements on every hop, so nothing bounces forever.

frame header: 26 B
  • src_mac: 6 B
  • dst_mac: 6 B
  • origin_mac: 6 B
  • seq: 2 B
  • type/flag/ttl/len: 4 B
  • crc-16: 2 B
dedup ring: 32 entries
  • key: origin_mac
  • window: seq · uint16_t
  • ttl: decrement on relay
  • replay: rejected
  • broadcast: ff:ff:ff:ff:ff:ff
  • ack: 8-frame window
peer table: 16 peers
  • heartbeat: every 3 s
  • timeout: 10 s
  • eviction: automatic
  • auth state: tracked
  • rssi: logged
  • last seen: tracked

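
An added sketch of the relay-side check this section describes, not TOSS firmware code: a 32-entry ring keyed on origin_mac + seq, plus the per-hop TTL decrement. The type and function names, the oldest-slot replacement policy, and treating a TTL of 1 as "deliver but do not forward" are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEDUP_SLOTS 32  /* ring size stated on the page */
typedef struct { uint8_t origin[6]; uint16_t seq; bool used; } dedup_entry_t;
typedef struct { dedup_entry_t slot[DEDUP_SLOTS]; unsigned next; } dedup_ring_t;
typedef enum { FRAME_DROP_DUP, FRAME_DELIVER_ONLY, FRAME_DELIVER_AND_RELAY } verdict_t;

/* True if (origin, seq) is already recorded in the ring. */
static bool dedup_seen(const dedup_ring_t *r, const uint8_t origin[6], uint16_t seq) {
    for (unsigned i = 0; i < DEDUP_SLOTS; i++) {
        const dedup_entry_t *e = &r->slot[i];
        if (e->used && e->seq == seq && memcmp(e->origin, origin, 6) == 0)
            return true;
    }
    return false;
}

/* Record (origin, seq), overwriting the oldest slot once the ring is full. */
static void dedup_insert(dedup_ring_t *r, const uint8_t origin[6], uint16_t seq) {
    dedup_entry_t *e = &r->slot[r->next];
    memcpy(e->origin, origin, 6);
    e->seq = seq;
    e->used = true;
    r->next = (r->next + 1) % DEDUP_SLOTS;
}

/* Verdict for a frame that already passed its CRC check; *ttl drops by one only on relay. */
verdict_t relay_decide(dedup_ring_t *r, const uint8_t origin[6], uint16_t seq, uint8_t *ttl) {
    if (dedup_seen(r, origin, seq))
        return FRAME_DROP_DUP;      /* duplicate or replayed frame */
    dedup_insert(r, origin, seq);
    if (*ttl <= 1)
        return FRAME_DELIVER_ONLY;  /* hop budget spent: handle locally, do not forward */
    (*ttl)--;
    return FRAME_DELIVER_AND_RELAY;
}

int main(void) {
    dedup_ring_t ring = {0};
    const uint8_t origin[6] = {0x02, 0, 0, 0, 0, 0x01};  /* constructed MAC */
    uint8_t ttl = 3;
    printf("first copy:  %d\n", relay_decide(&ring, origin, 7, &ttl));
    printf("second copy: %d\n", relay_decide(&ring, origin, 7, &ttl));
    return 0;
}
```

In this sketch a pair is forgotten once 32 newer frames have been recorded, which is the window any fixed-size ring gives its duplicate check.
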
03 — Gateway boundary

One node on the LAN. The rest are silent.

Sensor nodes only speak ESP-NOW. They have no IP stack, no DHCP, no port to scan. Only the elected gateway has a WiFi STA connection, and it serves a local-only MCP server.

The setup portal is CSRF-protected, rate-limited with exponential backoff, and times out after 10 minutes idle. Holding BOOT for 5 seconds wipes WiFi creds and the auth key from NVS.

attack surface: 1 of 16 nodes exposed to ip (15 mesh, 1 gateway)
  • sensor nodes: esp-now only · no ip
  • gateway: wifi sta · mcp on local lan
  • setup portal: csrf · rate-limit · 10 min ttl
  • factory reset: boot 5 s · wipes nvs
  • outbound: drivers registry only

04 — Stored secrets

Credentials live on-chip, encrypted at rest.

WiFi credentials, the mesh auth key, and the driver public key sit in the ESP32 NVS partition. With NVS encryption enabled at provisioning, they're hardware-encrypted at rest.

No identifiers leave the device. No accounts. No analytics. Outbound HTTPS only to a configurable driver registry that serves signed blobs and asks for nothing in return.

partition map · esp32 flash · total 2980 KB
  • nvs: 24 KB · wifi creds · auth key · pubkey
  • phy_init: 4 KB · radio cal
  • ota_data: 8 KB · ota slot
  • ota_0: 1280 KB · firmware
  • ota_1: 1280 KB · firmware
  • drvcache: 384 KB · signed driver cache (spiffs)
nvs encryption on · hardware-bound at provisioning

05 — Agent sandbox

The agent gets a tool surface, not a shell.

An LLM talks to the mesh through MCP tool calls — read a sensor, write an actuator, list capabilities. The gateway dispatches each call through the local driver manager.

No raw frame injection. No driver swaps from a tool call. In a real install you pick which actuators the agent is allowed to write to, and the scope is enforced on every call.

allowed: MCP tool surface
  • read_sensor
  • write_actuator
  • list_capabilities
  • list_drivers
  • mesh_status
  • system_info
  • query_capability
  • start_stream
denied: what the agent cannot do
  • inject raw twp frames
  • swap or replace a driver
  • open outbound connections from the gateway
  • touch actuators outside the install's allowlist
  • read or write the auth key / pubkey from nvs