net: derive gossip topic from team root; drop --topic flag

The gossip topic name was a separate string the user picked
and coordinated with invitees, alongside the team root pubkey
they already had to share for auth. Two identifiers per team
that were effectively one — and a footgun: invitee types
`--topic our-team` instead of `our-team-graph`, joins a
different gossip mesh, sees no live HEAD updates, no error.

Collapse them. The team root is already 32 uniform bytes (an
ed25519 pubkey, perfect as a `TopicId` directly — no hashing
needed). One identifier per team handles both:

  - cap chain verification (auth)
  - gossip mesh rendezvous (live HEAD updates)

Breaking changes:

* triblespace-net: `PeerConfig.gossip_topic: Option<String>` →
  `PeerConfig.gossip: bool`. `gossip = true` derives the topic
  from `team_root.to_bytes()`. `gossip = false` is serve/pull-
  only (no subscription). Migration: `Some(_)` → `true`,
  `None` → `false`.

* trible: `pile net sync --topic NAME` flag removed. Sync
  always joins the team's gossip mesh, identified by
  `TRIBLE_TEAM_ROOT` (or single-user fallback to the node's
  own pubkey when unset).

Doc/example updates: triblespace-net/README, trible/README,
book/src/distributed-sync, book/src/capability-auth.

Tests green: `triblespace-net` unit (3) + integration (2),
`trible` bin (1). Network-touching e2e tests not exercised in
this commit — their PeerConfig sites don't reference the old
field name.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: somethingelseentirely

book/src/capability-auth.md

@@ -127,7 +127,7 @@ The invitee then runs the relay (or any pile-net peer) with
 ```bash
 $ TRIBLE_TEAM_ROOT=1a8a6a9d... \
   TRIBLE_TEAM_CAP=7afe59e7... \
-  trible pile net sync /path/to/their.pile --peers <founder-id> --topic team-graph
+  trible pile net sync /path/to/their.pile --peers <founder-id>
 ```
 
 Without those env vars the peer falls back to a single-user
@@ -234,8 +234,9 @@ use std::collections::HashSet;
 let pile = triblespace::core::repo::pile::Pile::open(path)?;
 let peer = Peer::new(pile, signing_key.clone(), PeerConfig {
     peers: vec![bootstrap_endpoint_id],
-    gossip_topic: Some("my-team-graph".into()),
-    team_root: team_root_pubkey,            // 32 bytes, the team's CA
+    gossip: true,                           // false = pull/serve-only
+    team_root: team_root_pubkey,            // 32 bytes — the team's CA AND
+                                            // the gossip mesh id when gossip=true
     revoked: HashSet::new(),                // boot-time seed (usually empty)
     self_cap: my_own_cap_sig_handle,        // what we present on OP_AUTH
 });

book/src/distributed-sync.md

@@ -46,9 +46,11 @@ use std::collections::HashSet;
 let pile = triblespace::core::repo::pile::Pile::open(path)?;
 let peer = Peer::new(pile, signing_key.clone(), PeerConfig {
     peers: vec![bootstrap_endpoint_id],
-    gossip_topic: Some("my-team-graph".into()),
+    gossip: true,                            // false = pull/serve-only
     // Auth is mandatory — see the Capability Auth chapter for the
     // team-root + self_cap setup, or run `trible team create`.
+    // The team root pubkey doubles as the gossip mesh id when
+    // `gossip = true`.
     team_root: signing_key.verifying_key(),  // single-user team-of-one
     revoked: HashSet::new(),
     self_cap: [0u8; 32],
@@ -201,13 +203,15 @@ The `trible` CLI exposes sync via the `pile net` subcommand:
 trible pile net identity [--key PATH]
     Print this node's iroh identity (generates a key if needed).
 
-trible pile net sync <PILE> [--peers ...] [--topic T] [--key PATH]
-    Long-running bidirectional sync. Without --topic, serves only
-    (accepts direct pulls but doesn't gossip). With --topic, joins
-    the gossip mesh and auto-merges incoming tracking branches into
-    same-named local ones every tick. Reads `TRIBLE_TEAM_ROOT` and
-    `TRIBLE_TEAM_CAP` env vars for multi-user team operation; falls
-    back to single-user team-of-one without them.
+trible pile net sync <PILE> [--peers ...] [--key PATH]
+    Long-running bidirectional sync on the team's gossip mesh.
+    The mesh is identified by the team root pubkey directly (no
+    separate --topic flag): every team has exactly one mesh,
+    derived from its identity. Auto-merges incoming tracking
+    branches into same-named local ones every tick. Reads
+    `TRIBLE_TEAM_ROOT` and `TRIBLE_TEAM_CAP` env vars for multi-
+    user team operation; falls back to single-user team-of-one
+    using the node's own pubkey when those aren't set.
 
 trible pile net pull <PILE> <REMOTE> --branch NAME [--key PATH]
     One-shot pull of a named branch from a specific peer (REMOTE is

trible/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## Unreleased
+
+### Removed (breaking)
+- **`pile net sync --topic` flag.** The gossip mesh is now
+  identified by `TRIBLE_TEAM_ROOT` directly — every team has
+  exactly one gossip mesh, derived from its identity. Users no
+  longer pick + coordinate a separate topic string with
+  invitees. Migration: drop the `--topic` flag from any sync
+  invocation; the mesh topic is now always the team root
+  pubkey. Falls back to single-user team-of-one (the node's
+  own pubkey) when `TRIBLE_TEAM_ROOT` isn't set.
+
 ## [0.37.0] - 2026-05-06
 
 ### Added

trible/README.md

@@ -103,7 +103,7 @@ their own team root).
 
 - `pile net identity [--key PATH]` — print this node's iroh identity (auto-generates a key if missing).
 - `pile net status [--key PATH]` — print the auth configuration this node would present on `OP_AUTH`: node id, team root, self_cap, and where each value comes from (env var vs fallback). For debugging stuck-auth scenarios.
-- `pile net sync <PILE> [--peers ID,...] [--topic NAME] [--key PATH]` — long-running bidirectional sync. Without `--topic`, serves only (accepts direct pulls but doesn't gossip). With `--topic`, joins the gossip mesh and auto-merges incoming tracking branches into same-named local ones every tick. Reads `TRIBLE_TEAM_ROOT` and `TRIBLE_TEAM_CAP` env vars for multi-user team operation.
+- `pile net sync <PILE> [--peers ID,...] [--key PATH]` — long-running bidirectional sync on the team's gossip mesh. The mesh is identified by the team root pubkey directly (no separate topic argument): every team has exactly one mesh, derived from its identity. Auto-merges incoming tracking branches into same-named local ones every tick. Reads `TRIBLE_TEAM_ROOT` and `TRIBLE_TEAM_CAP` env vars; falls back to the node's own pubkey for single-user / team-of-one workflows.
 - `pile net pull <PILE> <REMOTE> --branch NAME [--key PATH]` — one-shot pull of a named branch from a specific peer (REMOTE is the peer's iroh node id, 64-char hex). Pull-only mode — no gossip subscription, direct QUIC + DHT fetch, materializes a tracking branch and merges into local. Same env-var fallback as `sync`.
 
 ### Capability auth

trible/src/cli/pile/net.rs

@@ -84,14 +84,15 @@ pub enum Command {
         #[arg(long)]
         key: Option<PathBuf>,
     },
-    /// Sync with peers. No topic = serve only. With topic = live bidirectional sync.
+    /// Sync with peers — live bidirectional gossip on the team's
+    /// gossip mesh (topic = team root pubkey). The team root is read
+    /// from `TRIBLE_TEAM_ROOT`, falling back to this node's own
+    /// pubkey for single-user / team-of-one workflows.
     Sync {
         pile: PathBuf,
         #[arg(long, value_delimiter = ',')]
         peers: Vec<String>,
         #[arg(long)]
-        topic: Option<String>,
-        #[arg(long)]
         key: Option<PathBuf>,
     },
     /// One-shot pull a branch from a remote peer.
@@ -109,8 +110,8 @@ pub fn run(cmd: Command) -> Result<()> {
     match cmd {
         Command::Identity { key } => run_identity(key),
         Command::Status { key } => run_status(key),
-        Command::Sync { pile, peers, topic, key } => {
-            run_sync(pile, peers, topic, key)
+        Command::Sync { pile, peers, key } => {
+            run_sync(pile, peers, key)
         }
         Command::Pull { pile, remote, branch, key } => {
             run_pull(pile, remote, branch, key)
@@ -168,7 +169,7 @@ fn run_status(sk: Option<PathBuf>) -> Result<()> {
 
 // ── Sync ─────────────────────────────────────────────────────────────
 
-fn run_sync(pile_path: PathBuf, peer_strs: Vec<String>, topic: Option<String>, key_path: Option<PathBuf>) -> Result<()> {
+fn run_sync(pile_path: PathBuf, peer_strs: Vec<String>, key_path: Option<PathBuf>) -> Result<()> {
     use triblespace_core::repo::Repository;
 
     let key = load_or_create_key(&key_path, key_dir(&pile_path))?;
@@ -183,7 +184,7 @@ fn run_sync(pile_path: PathBuf, peer_strs: Vec<String>, topic: Option<String>, k
     let self_cap = self_cap_from_env()?;
     let peer = Peer::new(pile, key.clone(), PeerConfig {
         peers,
-        gossip_topic: topic.clone(),
+        gossip: true,
         team_root,
         revoked: std::collections::HashSet::new(),
         self_cap,
@@ -192,12 +193,8 @@ fn run_sync(pile_path: PathBuf, peer_strs: Vec<String>, topic: Option<String>, k
         .map_err(|e| anyhow!("repo: {e:?}"))?;
 
     eprintln!("node: {}", repo.storage().id());
-    if let Some(ref t) = topic {
-        eprintln!("topic: {t}");
-        eprintln!("live sync active. (Ctrl-C to stop)\n");
-    } else {
-        eprintln!("serving. (Ctrl-C to stop)");
-    }
+    eprintln!("team_root: {}  (gossip topic)", hex::encode(team_root.to_bytes()));
+    eprintln!("live sync active. (Ctrl-C to stop)\n");
 
     // Initial broadcast so peers connecting later can learn our state.
     repo.storage_mut().republish_branches();
@@ -207,7 +204,7 @@ fn run_sync(pile_path: PathBuf, peer_strs: Vec<String>, topic: Option<String>, k
         // Periodic re-broadcast: helps newly-joined gossip neighbors learn
         // about us. iroh-gossip dedupes identical messages so re-publishing
         // the same state is cheap.
-        if topic.is_some() && last_announce.elapsed() > std::time::Duration::from_secs(10) {
+        if last_announce.elapsed() > std::time::Duration::from_secs(10) {
             repo.storage_mut().republish_branches();
             last_announce = std::time::Instant::now();
         }
@@ -246,15 +243,15 @@ fn run_pull(pile_path: PathBuf, remote: String, branch: String, key_path: Option
         .map_err(|e| anyhow!("bad node ID: {e}"))?;
     let remote_endpoint: iroh_base::EndpointId = remote_key.into();
 
-    // Spin up the Peer — pull-only mode (gossip_topic: None), no flood
+    // Spin up the Peer — pull-only mode (gossip: false), no flood
     // subscription, just direct fetch + DHT.
     use triblespace_core::repo::Repository;
     let pile = open_pile(&pile_path)?;
     let team_root = team_root_from_env(&key)?;
     let self_cap = self_cap_from_env()?;
     let peer = Peer::new(pile, key.clone(), PeerConfig {
         peers: Vec::new(),
-        gossip_topic: None,
+        gossip: false,
         team_root,
         revoked: std::collections::HashSet::new(),
         self_cap,

triblespace-net/CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## Unreleased
+
+### Changed (breaking)
+- **`PeerConfig.gossip_topic: Option<String>` →
+  `PeerConfig.gossip: bool`.** The gossip topic is now derived
+  from `team_root` directly (an ed25519 pubkey is already 32
+  uniform bytes — perfect as a `TopicId`, no hashing needed),
+  so users no longer pick + coordinate a separate topic
+  string. One identifier per team handles both auth (cap
+  chain) and rendezvous (gossip mesh) — no way to join the
+  right team on the wrong gossip channel and silently see no
+  HEAD updates.
+  Migration: `gossip_topic: Some(_)` → `gossip: true`,
+  `gossip_topic: None` → `gossip: false`.
+
 ## [0.37.0] - 2026-05-06
 
 The auth-arc tests-and-polish release. No protocol changes —

triblespace-net/README.md

@@ -20,9 +20,12 @@ triblespace = { version = "0.35", features = ["net"] }
 use triblespace::net::peer::{Peer, PeerConfig};
 
 let pile = triblespace::core::repo::pile::Pile::open(path)?;
-let peer = Peer::new(pile, signing_key, PeerConfig {
+let peer = Peer::new(pile, signing_key.clone(), PeerConfig {
     peers: vec![bootstrap_endpoint_id],
-    gossip_topic: Some("my-team-graph".into()),
+    gossip: true,
+    team_root: signing_key.verifying_key(), // single-user fallback
+    revoked: HashSet::new(),
+    self_cap: [0u8; 32],
 });
 // From here it's just a triblespace store — commit, push, pull, query.
 ```

triblespace-net/src/host.rs

@@ -27,11 +27,15 @@ use crate::protocol::*;
 pub struct PeerConfig {
     /// Peers to connect to (used for both gossip and DHT bootstrap).
     pub peers: Vec<EndpointId>,
-    /// Gossip topic name (None = no gossip, serve-only).
-    pub gossip_topic: Option<String>,
+    /// Whether to subscribe to live HEAD-update gossip. The topic id
+    /// is the team root pubkey's 32 bytes — every team has exactly
+    /// one gossip mesh, derived from its identity. `false` = serve-
+    /// /pull-only (no subscription, no broadcasts).
+    pub gossip: bool,
     /// The team root public key — verifies all incoming capability
     /// chains. Every connection's first stream must present a cap that
     /// chains back to this key. See `triblespace_core::repo::capability`.
+    /// When `gossip = true`, also serves as the gossip topic id.
     pub team_root: ed25519_dalek::VerifyingKey,
     /// Pubkeys whose capabilities are revoked. Cascades transitively
     /// through the chain.
@@ -386,13 +390,15 @@ async fn host_loop(
 
     // Gossip.
     let mut gossip_sender: Option<GossipSender> = None;
-    if let Some(topic_name) = config.gossip_topic {
+    if config.gossip {
         let gossip = Gossip::builder().spawn(ep.clone());
         router_builder = router_builder.accept(iroh_gossip::ALPN, gossip.clone());
 
-        let topic_id = iroh_gossip::TopicId::from_bytes(
-            *blake3::hash(topic_name.as_bytes()).as_bytes()
-        );
+        // Topic id is the team root pubkey directly: the team root is
+        // already 32 uniform bytes (an ed25519 pubkey), so no hashing
+        // is needed. One gossip mesh per team — knowing the team
+        // identifies the rendezvous channel.
+        let topic_id = iroh_gossip::TopicId::from_bytes(config.team_root.to_bytes());
         // Always use subscribe (non-blocking). The join happens in the background
         // as peers come online. subscribe_and_join blocks until at least one peer
         // is reachable, which causes hangs if peers start at different times.

triblespace-net/src/peer.rs

@@ -15,7 +15,7 @@
 //!
 //! Use [`track`](Peer::track) to start tracking a remote branch from a
 //! specific peer (the `pile net pull` workflow), and [`fetch`](Peer::fetch)
-//! for single-blob pulls. Set `gossip_topic: None` in [`PeerConfig`] for
+//! for single-blob pulls. Set `gossip: false` in [`PeerConfig`] for
 //! pull-only mode where the peer doesn't subscribe to a flood mesh.
 
 use std::collections::HashMap;
@@ -73,7 +73,7 @@ pub use crate::host::PeerConfig;
 /// let pile: Pile<Blake3> = Pile::open(Path::new("./team.pile")).unwrap();
 /// let peer = Peer::new(pile, key.clone(), PeerConfig {
 ///     peers: vec![],                       // bootstrap nodes
-///     gossip_topic: Some("my-team".into()), // None = serve-only mode
+///     gossip: true,                        // false = serve/pull-only
 ///     team_root: key.verifying_key(),      // single-user fallback
 ///     revoked: HashSet::new(),
 ///     self_cap: [0u8; 32],
@@ -141,8 +141,8 @@ where
     /// reachable from its head and materialize a local tracking branch.
     ///
     /// Used by `pile net pull` and other "go get this from over there"
-    /// workflows. Does not require `gossip_topic` to be set — works in
-    /// pull-only mode too. The fetched data lands in the wrapped store
+    /// workflows. Does not require `gossip = true` — works in pull-
+    /// only mode too. The fetched data lands in the wrapped store
     /// via the same auto-drain path that `refresh` uses.
     ///
     /// Fire-and-forget: returns immediately. Use [`pull_branch`](Self::pull_branch)