Hypha: Own the Code You Use

March 26, 2026 by CMN Contributors

The CMN command-line client — spawn forks with traceable lineage, sync upstream, cross-pollinate from siblings, and release under your own domain.

You depend on a library. The maintainer goes quiet. A bug sits unfixed for months. You have three options: wait, vendor the source into your repo and lose all connection to the original, or maintain a fork on GitHub that nobody discovers and slowly drifts out of sync. All three are bad. The moment you copy code somewhere else, the lineage disappears.

And even when the maintainer is active, you’re trusting a chain you can’t see. A compromised registry account, a malicious patch slipped into a dependency of a dependency, a build artifact that doesn’t match the source — supply chain attacks work because package managers install first and ask questions never. By the time you notice, the code is already running.

Hypha is the command-line client for the Code Mycelial Network. It handles the full lifecycle — discover a spore, evaluate it, spawn your own copy, sync upstream, merge from siblings, and release under your own domain. The lineage doesn’t disappear. Every fork, every merge, every cross-pollination is declared in the bond graph and traceable across domains.

Sense and taste: nothing runs until you say so

Supply chain attacks succeed because the install step and the trust step are the same step — npm install fetches code and places it on your machine in one move. Hypha separates them. Before any code touches your filesystem, you evaluate it.

sense inspects a spore’s metadata — who signed it, what it claims to do, where it came from — without downloading the content:

hypha sense cmn://cmn.dev/b3.3yMR7vZQ9hL2xKJdFtN8wPcB6sY1mXgU4eH5pTa2

{
  "code": "ok",
  "result": {
    "spore": {
      "capsule": {
        "core": {
          "name": "CMN Protocol Specification",
          "domain": "cmn.dev",
          "synopsis": "A sovereign-first protocol for code distribution",
          "license": "CC0-1.0",
          "bonds": [
            { "uri": "cmn://cmn.dev/b3.8cQnH4xPm...", "relation": "spawned_from" }
          ]
        },
        "core_signature": "ed25519.5XmkQ9vZP8nL3x..."
      }
    }
  },
  "trace": {
    "verified": { "core_signature": true, "capsule_signature": true }
  }
}

Hypha fetches the domain’s public key from https://cmn.dev/.well-known/cmn.json and verifies both signatures — the core signature (author) and capsule signature (host). Two layers so mirrors can re-host spores by re-signing the capsule without breaking authorship.

taste goes further. It downloads the content to your local cache and asks you to evaluate it:

hypha taste cmn://cmn.dev/b3.3yMR7vZQ9hL2xKJdFtN8wPcB6sY1mXgU4eH5pTa2

Five verdict levels: sweet (endorsed), fresh (reviewed), safe (scanned), rotten (broken), toxic (malicious). Your verdict is stored locally and checked before any operation that places foreign code on your machine. Untasted code is blocked. Toxic code is blocked. No exceptions. This is how Hypha closes the supply chain gap — code cannot arrive on your filesystem without passing through an explicit trust gate that you control.

Verdicts are shareable through Synapse indexers. Trust networks form organically — you choose whose judgment to factor into yours.

Spawn: your fork, your domain

spawn is where ownership begins. It creates a working copy of a spore with a declared spawned_from bond:

hypha spawn cmn://cmn.dev/b3.3yMR7vZQ9hL2xKJdFtN8wPcB6sY1mXgU4eH5pTa2
cd cmn-spec

Hypha verifies the signature, checks your taste verdict, extracts the code, and writes spore.core.json:

{
  "id": "my-fork",
  "name": "My Fork",
  "bonds": [
    {
      "uri": "cmn://cmn.dev/b3.3yMR7vZQ9hL2xKJdFtN8wPcB6sY1mXgU4eH5pTa2",
      "relation": "spawned_from"
    }
  ]
}

Notice: no domain field. The code is yours to develop. When you’re ready to publish, set your domain and release. Until then, it’s a sovereign project with traceable lineage.

Grow and absorb: the code evolves

When the original publishes a new version, grow syncs your fork:

hypha grow

Hypha reads the spawned_from bond, fetches the latest version, verifies the signature, and merges — preserving your spore.core.json and local modifications. Conflicts are reported for manual resolution.

absorb goes further. While grow syncs from your direct parent, absorb merges from any spore — a sibling fork, a cousin, anything in the network:

hypha absorb cmn://other.com/b3.8cQnH4xPmZ2vLkJdRt7wNbA9sF3eYgU1hK6pXq5

Hypha fetches the target to .cmn/absorb/, generates a structured ABSORB.md prompt, and hands off to an AI agent for analysis and merge. The agent compares source trees, proposes a merge plan, and waits for your approval. After the merge, an absorbed_from bond records the cross-pollination in the graph.

# Discover sibling forks via lineage and absorb from all of them
hypha absorb --lineage --synapse https://synapse.example.com

This is what makes CMN different from “git clone and pray.” Every fork, every merge, every cross-pollination is declared and traversable. Run hypha lineage on any spore and trace the full ancestry across any number of forks and domains.

Bond: dependencies with taste gates

Bonds are typed relationships declared in spore.core.json. hypha bond fetches all bonded spores to .cmn/bonds/:

hypha bond

my-spore/
├── src/
├── spore.core.json
└── .cmn/bonds/
    ├── bonds.json
    ├── signing-lib/content/    ← depends_on
    └── cmn-spec/content/       ← follows

Every bonded spore must be individually tasted before Hypha places it in your working directory. Trusting one spore from a domain does not extend to others — no transitive trust, no “this domain is safe so everything on it is safe.” The fetched bonds are plain directories — your build system points at .cmn/bonds/{id}/content/ however it normally references local paths.

Release: your domain is your registry

Initialize your domain once with an Ed25519 keypair, then release as many spores as you want:

# One-time setup
hypha mycelium root yourdomain.com

# In your project
hypha hatch --domain yourdomain.com
hypha release --domain yourdomain.com

release computes the BLAKE3 merkle tree hash, signs the core and capsule, generates a .tar.zst archive, and updates your domain’s mycelium catalog. Deploy the output to any static file host — CDN, S3, nginx, Cloudflare Workers. Your spore is live at cmn://yourdomain.com/b3.<hash>.

Before releasing, replicate bonds so visitors can reach everything from your domain:

hypha replicate --bonds --domain yourdomain.com

A replicate is an exact copy — same hash, same core, same authorship. Your domain only re-signs the capsule.

Agent-first output

Every Hypha command outputs Agent-First Data JSONL. Errors are structured events with stable error_code fields, not exit codes or stderr prose. Secrets are auto-redacted. Agents can sense, taste, spawn, and release code as naturally as humans.

hypha sense cmn://cmn.dev/... --output json   # default, structured
hypha sense cmn://cmn.dev/... --output yaml   # human-readable
hypha sense cmn://cmn.dev/... --output plain  # logfmt

Install

brew install cmnspore/tap/hypha     # macOS/Linux
scoop bucket add cmnspore https://github.com/cmnspore/scoop-bucket && scoop install hypha  # Windows
cargo install cmn-hypha             # any platform

Docs: cmn.dev/tools/hypha Source: github.com/cmnspore/cmn-hypha License: MIT