OpenGov Mesh
EXPLORATORY · PRE-PILOT Spec Onboarding Somalia

OpenGov Mesh · National data-exchange substrate

Trust, made provable.

X-Road as it would be designed in 2026 — lightweight, federation-ready, consent-native. A national data-exchange substrate that makes trust demonstrable rather than assumed.

Every government already holds the facts about its citizens. The agencies just don't talk to each other. The Mesh is the wire that lets them — and the proof, published in the open, that they did it right.

Not a promise of trust. A ledger of it.

See why it matters Start a pre-pilot conversation

Maseru · 06:40 · A Tuesday

Tšepo lost his ID. The state already knew everything about him.

He just had to prove it four times, in four buildings, to four agencies that already held the answer.

He needs a new national ID. To get it, a birth certificate. For that, a tax-clearance certificate. For that, a proof of residence. And proof of residence requires — the very ID he came to replace.

A circle. Home Affairs, the Civil Registry, the Revenue Authority, the chief's office. Every one of them holds a fact about Tšepo. None of them will say it to another. So Tšepo carries the paper himself, on foot and by minibus, between offices that could have answered each other in fifteen minutes.

They hold every fact about him. They do not talk to each other.
  • 3Working days lost
  • 2Minibus rides
  • ~240 MCost to Tšepo, in maloti
  • 35 MCost to print the card
  • 15 minIf the agencies were connected

The cost of doing nothing

Multiply Tšepo by a nation. This is what the silence costs.

Not a software problem. A line item in the national accounts — paid every single year, by everyone.

Disconnected agencies aren't an inconvenience. They're a recurring tax on citizens, on clerks, on the treasury, and on every digitisation plan that dies because no one can finance another bespoke point-to-point integration.

These are honest ranges, not vendor math — but even the floor of each is a number a finance minister cannot unsee.

  • 0.5–2%of GDP / yrCitizen-hours lost to redundant procedures
  • 5–15%Clerk time verifying paper another agency already holds
  • 1–4%of programme budgetsFraud loss from facts that can't be cross-checked
  • 60–80%Digitisation roadmaps killed by integration cost
  • 15–40%Vendor lock-in renewal premium, point-to-point

The turn · Why now

Build the wire once. Open it. Prove it.

Five planes. One substrate. Trust, Transport, Catalog, Observability, Consent.

X-Road proved the idea: a shared, signed exchange so agencies stop building one-off bridges. That idea is sound — and twenty years old. It predates GDPR, predates OpenTelemetry, predates the modern signature standards, and predates the political reality of the global south, where the appliance is too heavy, the consortium too costly, and consent an afterthought.

The Mesh keeps what X-Road got right and rebuilds the rest for 2026: a sidecar light enough for a Raspberry Pi, a public Merkle log instead of a trusted word, contract gates instead of silent breakage, and — the one genuinely new idea — consent checked at the wire before any request is delivered.

This is national infrastructure as a public good. Status today: exploratory, pre-pilot. The spec says so plainly, and so do we.

  1. I Trust
  2. II Transport
  3. III Catalog
  4. IV Observability
  5. V Consent

Plane I · Trust · Part III §15–§23

A registry that cannot lie about its own past.

Who is who. Who is allowed. Who has been revoked — appended to a public log the moment it changes.

Under the Mesh sits a two-tier Ed25519 PKI: an offline root, an online issuing CA. Ordinary, proven, boring — by design.

What's new is the accountability. Every registry change is appended to an RFC 6962 Certificate Transparency Merkle log, anchored daily and co-signed by at least three independent witnesses — civil society, the press, a federation peer. So the opposition, a journalist, or an oversight body can prove the registry was never quietly edited after the fact. Split-view attacks become detectable — a single honest witness is enough to expose them.

Trust you can audit, not trust you're asked to grant.

The press can prove the registry was never tampered with. That is the whole point.
Transparency log
RFC 6962 Merkle
Independent witnesses per anchor
≥ 3
Cert validity · root / CA / member / service
20y / 5y / 1y / 90d

Plane II · Transport · Part IV §24–§31

The whole stack fits on a Raspberry Pi.

A sidecar, not a Java appliance. It signs every message, and it waits when the other side is offline.

Every message between members is signed with RFC 9421 HTTP Message Signatures over mTLS — the modern IETF standard, not WS-Security-era cryptography. When the recipient is down, NATS JetStream holds the message and forwards it on reconnect. Nothing is lost; replay is detected.

The full per-agency stack — sidecar, Redis, NATS — idles at around 270 MB and runs on a Raspberry Pi 4 or a 1 GB VM. X-Road's Security Server appliance wants 4–8 GB minimum and a multi-day install. For a ministry in Maseru, that difference is the difference between joining and not.

~270 MB on a Pi, versus a 4–8 GB appliance. That gap is who gets to participate.
Per-agency stack RAM, idle
~270 MB
In-mesh sync latency, P95
≤ 300 ms
Sidecar sustained throughput
≥ 1000 req/s

Honest note — the sidecar is Python (~270 MB), not a single ~20 MB binary. A Rust port is a Phase-2 item only if benchmarks demand it.

Plane III · Catalog · Part V §32–§36

You can't silently break your consumers.

A service directory where a change that would break a live consumer is stopped at publication — not discovered by them in production.

Services are published as OpenAPI 3.1 and AsyncAPI 3.0. At publication time an oasdiff gate inspects the change: if it would break an existing consumer, it is refused. The publisher must revise it — or cut a new major version on its own path, leaving existing consumers untouched. Pact-style consumer-driven contract tests hold both sides to their promises.

And the entire catalogue is mirrored to a public repository as signed JSON — so an outside auditor can see exactly what every agency offers, and verify it hasn't been quietly rewritten.

X-Road lets a publisher push a change that breaks live consumers with no warning. The Mesh refuses the silent break by construction.

Breaking changes don't get caught later. They don't get shipped silently.
Service contracts
OpenAPI 3.1 + AsyncAPI 3.0
Breaking-change gate
oasdiff @ publish
Public mirror
signed JSON

Plane IV · Observability · Part VI §37–§41

An audit log whose head is published every day.

So a court, a donor, or the opposition can replay it — and prove not one record was altered.

The Mesh is OpenTelemetry-native, with a hash-chained audit ledger you verify with a single command: mesh-cli audit verify. The chain's head is anchored daily in public. Tamper with any past record and the chain breaks visibly.

And it can forget. The ledger stores HMAC-SHA-256(K_citizen, consent_id) — not the raw link. Erase a citizen's per-person key and the link is cryptographically shredded, irreversibly, while the chain's integrity stays intact. Provable memory and lawful forgetting in the same structure.

Replay the ledger. Prove nothing was changed. In one command.
Audit append, sustained
≥ 5000 events/s
Verify
mesh-cli audit verify
Forgetting
HMAC erasable-key crypto-shred

Honest note — the mesh.* OpenTelemetry namespace is project-local, not yet registered with the upstream semantic-conventions registry.

Plane V · Consent · Part VII §42–§47

Consent checked at the wire — before the request is ever delivered.

Granted over USSD on a feature phone. Revocable any time. An SMS on every access. The part X-Road has no analogue for.

Consent is a first-class record: a GDPR Article 6(1)(a) consent basis, a specific purpose, a specific data class, a specific period, with both the consuming agency and the holder bound. Every cross-agency request carries a consent ID, and the sidecar checks it at the wire — before delivery, not bolted on afterward.

It's captured USSD-first, with a PIN second factor, so the 50–80% of citizens on feature phones can grant it for real. The citizen gets an SMS on every grant and every access. eIDAS 2.0 SD-JWT-VC makes it wallet-portable. And right-to-be-forgotten propagates as a signed event to every agency that ever held a reference — no silent retention.

A substrate that never says no isn't consent-native. It's theatre. The Mesh denies.

Consent-native, not consent-theatre. The gate shuts when the answer is no.
Lawful basis
GDPR Art. 6(1)(a), purpose-bound
Capture
USSD-first + PIN
Erasure
signed RTBF event, propagated

Federation · Lesotho ↔ South Africa

Countries as a mesh. No institution to join.

Two nations cross-sign each other. That's the whole ceremony.

Tšepo crosses to Johannesburg. For an agency in South Africa to trust him, the chain walks: his leaf → Lesotho's root → South Africa's cross-signature → South Africa's local trust anchor. No central authority. No consortium membership. Just two countries publishing their root CAs and cross-signing — the bilateral data-sharing agreement they'd need anyway.

Raw PKI trust is paired with a signed trust manifest: which services may be called, at what rate, with what data classifications, under what audit obligations, for how long — checked by every sidecar at request time. Either side can revoke unilaterally — pushed to connected sidecars and effective within about thirty seconds, with a ≤5-minute manifest-refresh fallback for sidecars behind restrictive firewalls. And every cross-mesh request writes mutually hash-chained audit entries in both Meshes, so each country can prove the exchange to the other.

This is the one part the Mesh claims as a genuine contribution beyond X-Road. Everything else is X-Road's ideas, modernised. This is new — and it fits the political reality of AfCFTA.

No NIIS. No consortium. Just a bilateral agreement and a cross-signature.
Trust path
leaf → root → cross-sig → anchor
Unilateral revocation effective
~30 s live push · ≤5 min fallback
Federation E2E scenario
12 steps, every CI run

The manifesto · Five tenets

What we will not compromise.

  1. 01

    Demonstrable over assumed

    Trust isn't a letterhead. It's a public Merkle log, a hash-chained ledger, a witness co-signature. If you can't replay it and prove it, we don't claim it.

  2. 02

    Light over heavy

    A substrate the poorest ministry can't afford isn't infrastructure — it's exclusion. ~270 MB on a Pi, not an 8 GB appliance and a multi-day install.

  3. 03

    Consent over collection

    The citizen consents to a specific agency, for a specific purpose, for a specific period — checked at the wire, revocable always, forgotten on request. The gate that can't say no is no gate.

  4. 04

    Open over captive

    OpenAPI, AsyncAPI, CloudEvents, signed public mirrors. The wire is an open protocol, not a vendor's moat. We reduce lock-in by making integration a standard.

  5. 05

    Honest over hyped

    The Mesh does not authenticate citizens, certify legal compliance, guarantee semantic meaning, or run itself. It's pre-pilot, development-grade, with a hardening delta a sponsor CIO must read and sign. We'd rather tell you the limits than sell you past them.

If you can't replay it and prove it, we don't claim it.

The invitation · Pre-pilot

Three agencies. Six months. One proof of concept your nation can audit.

An indicative pilot envelope of USD 250,000–400,000, all-inclusive — with UNCTAD typically funding 60–70% from its own or partner-donor pooled resources.

The full five-plane stack cold-starts to first dispatch in ninety seconds on commodity hardware, and runs a pilot on roughly USD 500 of cloud compute a month. The Lesotho↔South Africa federation scenario passes all twelve of its steps on every CI run — you can watch it work before you fund it.

This is for ministers and permanent secretaries, national digital-agency leads, agency CIOs running point-to-point integration fleets, donors seeking scale leverage, and the oversight bodies who want demonstrable trust, not institutional assurance.

Start small. Prove it in public. Then connect a nation.

  • USD 250–400KIndicative six-month envelope
  • 60–70%Typical UNCTAD funding share
  • ~USD 500Monthly pilot cloud compute
  • ≤ 90 sCold start to first dispatch
Begin a pre-pilot conversation

OpenGov Mesh

The facts already exist. Build the trust to move them.

Tšepo shouldn't have to prove what the state already knows. Neither should anyone.

Governments don't lack data. They lack a way to move it that citizens can trust and auditors can prove. That's the whole gap — and it's a wire, a log, and a gate away from closing.

Not trust we ask you to assume. Trust we let you check.

Trust, made provable.