Cross-platform WireGuard onboarding, signed catalogs, reporting, metering, and provider-aware capacity planning.
Get DAMM onto this device with the fewest honest steps.
DAMM is being built as a real VPN system rather than a mood board. This front page should act like an install concierge: inspect the current device, point you at the right client path, and keep the backend evidence one click away.
dc8bf8e
branch postgres-backend-hardening
generated 2026-05-04T11:19:57.107Z
This page will inspect the current device and route you to the least painful honest setup path.
Identity, policy, and evidence on top of boring transport.
The design choice is deliberate: keep WireGuard as the packet primitive, and move product differentiation into enrollment, policy, reporting, placement, and operational discipline. That gives us something fast enough to run, honest enough to inspect, and small enough to harden.
Gateway private keys stay on gateways. The control plane stores public keys, policy, assignment state, and audit trail.
Local end-to-end traces, real host WireGuard smokes, failure drills, and generated evidence artifacts backed by hashes.
Click here if you want the VPN on your computer or phone.
The fastest honest path is: open the DAMM onboarding wizard, let it detect the platform and issue a profile for this device, then hand the tunnel off to WireGuard or the native OS integration. The browser surface is there to remove guesswork, not to fake the tunnel.
Get connected now
The first-visitor wizard. It should issue a real profile for this device, show the right import path, and keep synthetic validation artifacts out of the happy path.
Open the DAMM wizard
Platform Guide
Direct instructions for importing DAMM bundles into the official WireGuard clients or Linux wg-quick, with the trust boundary and tradeoffs spelled out.
Boundary Spec
Why the native client owns the tunnel, why the PWA is client-side only, and why a browser extension should stay a thin companion rather than becoming the VPN itself.
Open Client Boundaries
Profiling
Current enrollment throughput, CPU and memory snapshots, and the latest live tunnel workload metrics in one generated page.
Open Profiling Report
Network Permeability
Operator backdrop for interference, weak user-network slices, and the next ingress or egress move justified by current evidence.
Open Permeability Report
Backoffice
A page for backend node stewardship: gateways, egress pools, headroom, and the evidence that we are actually taking care of the fleet that user onboarding depends on.
Open Backoffice
Two ways into the project.
One path is for users and operators trying to understand the running system. The other is for engineers trying to understand the code and the design decisions behind it.
Walkthrough
Annotated local and cross-host DAMM sessions showing enrollment, failover, handshakes, and tunnel pings with direct source artifacts.
Open the DAMM Walkthrough
Inspect or Recover
The browser-side companion for people who already have a profile, need to reissue one with a real server URL, or want to inspect and export the exact WireGuard config before import.
Open the DAMM Companion
Profiling Report
A generated page for enrollment throughput, RSS and heap snapshots, and live tunnel workload metrics. It is the shortest path to current load/resource shape.
Open the Profiling Report
Permeability Backdrop
A generated page for interference incidents, weak network slices, and placement recommendations. It is how DAMM should connect external network reality to routing and fleet decisions.
Open the Permeability Report
Operator Docs
The operational core: runbooks, validation journal, roadmap, deployment model, and the generated VPN Report.
Open the VPN Report
Engineering Docs
The straight implementation layer: system spec, architecture, engineering decisions, validation harness notes, and client boundary decisions.
Open the System Spec
Reference pages generated from the working tree.
The point of these pages is coverage, not decoration. They should tell a newcomer what exists, what is validated, and where the design is intentionally constrained.
iPhone Apps
Generated portfolio page for iPhone-targeted builds, backed by structured source data.
Open iphone-apps.html
VPN Report
Generated operator panel showing current VPN state, activity, load, headroom, and placement guidance.
Open vpn-report.html
DAMM Walkthrough
Generated walkthrough of real DAMM sessions: local enroll and failover plus healthy cross-host WireGuard smokes.
Open vpn-walkthrough.html
DAMM Client
Installable client-side companion for bundle import, platform guidance, and diagnostics without pretending the browser owns the tunnel.
Open damm-client.html
Get connected
First-visitor onboarding wizard: pick device, install WireGuard, generate keys, get a tunnel, import, verify.
Open index.html
Profiling Report
Generated profiling surface for control-plane enrollment throughput and live tunnel workload transfer metrics.
Open profiling-report.html
Network Permeability
Generated operator backdrop for interference, weak user-network slices, and where capacity should be added next.
Open network-permeability.html
Backoffice
Backend node stewardship surface showing gateways, egress pools, and the headroom we are actually caring for.
Open backoffice.html
System Spec
Straight implementation spec for the DAMM control plane, gateway, client, and operator surfaces.
Open system-spec.md
Architecture
System structure, control-plane/data-plane boundaries, and operational model.
Open architecture.md
Engineering Decisions
Direct rationale for the current tech choices and code design decisions.
Open engineering-decisions.md
Client Boundaries
Clean boundary between native VPN clients, the client-side companion PWA, the browser extension, and control-plane logic.
Open client-boundaries.md
Onboarding Flow
Current honest DAMM onboarding path and the future server-driven flow without pretending the browser is the tunnel.
Open onboarding-flow.md
Validation Harness
Exactly what each harness proves, what it does not prove, and where the evidence lands.
Open validation-harness.md
Network Permeability Model
Schema and operating model for observations, incidents, permeability scores, and placement recommendations.
Open network-permeability.md
Roadmap
Milestones ordered by architectural dependency and validation readiness.
Open roadmap.md
Runbook
Operational procedures for tracer bullets, smoke runs, and evidence capture.
Open runbook.md
Validation Ledger
Evidence-backed record of what has actually been exercised and where limits remain.
Open validation-ledger.md
Achievements
Completed milestones and notable system capabilities already in place.
Open achievements.md
Documentation Index
Canonical map of every doc, its status, and how the doc set steers development.
Open INDEX.md
Roadmap to v0.4.0
Concrete release-by-release plan from v0.3.2 to v0.4.0 with exit criteria each.
Open roadmap-next.md
Issue Triage
Compact register of every open concern, categorized blocking / important / nice-to-have / abandoned / resolved.
Open issue-triage.md
Transport Tiers
Canonical spec for T0-T4 obfuscation tiers: what each defeats, costs, server runtime, client app requirements.
Open transport-tiers.md
Tech Debt Register
Running register of debt accrued in tracer-bullet work. Each entry: what we shipped fast, what's owed, trigger to pay back.
Open tech-debt.md
Field Manual
Manifest, postmortem, demands per concern, storyboards, brainstorm register, profile data — the lookup-first doc.
Open field-manual.md
Architecture Map
Resilience-by-statistics: threat-blind score loop, signed catalogs, polymorphic transport, ingress/egress separation.
Open architecture-map.md
Architecture Premortem
Peer-architect critique of Phase-0 trajectory plus a competing stateless-tickets alternative.
Open architecture-premortem.md
Coordination Layer
Provider-polyglot architecture: capability interface, adapter pattern, per-provider competitive analysis.
Open coordination-layer.md
Sanity Check (2026-04-28)
Component-by-component critique with sharp API boundaries and the v0.3 done-when checklist.
Open sanity-check-2026-04-28.md
Bring-Up Notebook
13-cell idempotent walkthrough from fresh hub2 to working /get/ wizard.
Open bring-up-notebook.md
Operational Runbook
26 sections, ~120 specific runnable steps for halt / freeze / wedged-state recovery.
Open operational-runbook.md
Design Brief
Visual + interaction designer hand-off grounded in the live deployment.
Open design-brief.md
Deployment Model
Ingress and egress separation, provider automation contract, and rotation model.
Open deployment.md
Observatory Integration
Advisory integration path for quota, provider, and validation telemetry.
Open observatory-integration.md
Site Deployment
How this project site is built, deployed, and verified on raindesk.dev.
Open site-deployment.md
Artifacts that show what has actually been exercised.
Evidence files are copied from local tracer bullets, smokes, drills, and benchmarks. Each published file is tracked in manifest.json with a content hash so the site can be treated as a reproducible publication, not a screenshot gallery.
Tracer Apply Results
Latest traced orchestration apply artifact when present.
tracer-apply-results.json
Tracer Catalog
Signed public catalog artifact from the latest tracer run when present.
tracer-catalog.json
Tracer Report
Admin-authenticated operator report artifact from the latest tracer run when present.
tracer-report.json
Host Smoke: hub2 to finml
Cross-host WireGuard smoke showing handshake and tunnel ping between hub2 and finml.
host-smoke-hub2-finml.txt
Host Smoke: hub2 to hyle
Cross-host WireGuard smoke showing handshake and tunnel ping between hub2 and hyle.
host-smoke-hub2-hyle.txt
Host Workload: hub2 to hyle
Cross-host WireGuard workload showing bidirectional HTTP transfer, SHA-256 verification, and transfer metrics over the tunnel.
host-workload-hub2-hyle.txt
Hetzner Ingress Validate
Ingress smoke-plan validation artifact for Hetzner.
hetzner-ingress-validate.json
Hetzner Egress Validate
Egress smoke-plan validation artifact for Hetzner.
hetzner-egress-validate.json
Enroll Benchmark
Local enrollment throughput benchmark artifact.
benchmark-enroll-commit2.json
Permeability Sample
Sample network interference and permeability artifact used to exercise the operator-facing backdrop.
permeability-sample.json
How the site itself is made.
Run node scripts/build-site.js to generate the publication bundle. Generated pages include the iPhone portfolio and VPN report.
Run bash scripts/deploy-site.sh to push the generated bundle to the current static host.