Daemonet/How it works

How Daemonet works

Finding a device is not the same as carrying its data.

Daemonet separates identity, authorization, discovery, and transport so no single coordinator has to own the relationship. Devices keep their keys. Profiles define authority. Approved endpoints connect directly whenever possible.

One approved connection

Identity first.
Route second.
Bytes last.

A device generates its own key and becomes part of a user-controlled authority graph only after an existing authority approves it. Membership alone does not grant every application.

When a client requests a service, the destination’s policy and any required entitlement are checked before a short-lived route is returned. The client then authenticates the service endpoint and connects using the permitted transport.

Prove the device

The requester signs a fresh challenge. No password account stands in for the device key.

Resolve authority

Signed profile and service policy decide whether this device may perform this action now.

Discover a path

Tor-assisted or managed rendezvous exchanges the minimum expiring information needed to attempt a connection.

Connect endpoints

WireGuard protects the private route; origin HTTPS authenticates the application. Coordination leaves the ordinary data path.

The open system

Authority lives with the devices using it.

Daemonet is not one server or one account. It is a set of signed entities and replaceable roles that can be operated by the owner, a community, or optional providers.

DAEMON

The device runtime

Generates and retains device keys, applies local policy, discovers authorized peers, and creates secure connections.

PROFILE

The authority graph

Defines members, devices, services, approvals, revocation, recovery, and the relationships the owner actually authorizes.

PRIVATE DNS

Stable names

Maps signed service identities to current approved endpoints. Naming describes authority and route information; it does not carry traffic.

NIGHTCRAWLER

Ephemeral discovery

Coordinates an introduction through encrypted, expiring state. It is never the user’s network and never an accidental content relay.

WIREGUARD + HTTPS

Two protected layers

WireGuard authenticates and encrypts the private route. Origin-held TLS authenticates and protects the application endpoint.

1MAN · OPTIONAL

Managed plumbing

Operates bounded enrollment, rendezvous, naming, certificate, entitlement, and availability services without taking device authority.

Direct when possible

Fallback must never change the trust model silently.

A direct route is the ordinary goal. If the network cannot form it, the connection fails visibly unless the user has deliberately enabled another named access mode.

An approved relay can later carry traffic as an explicit service. Daemon Hub can carry traffic for an explicitly published browser service. Neither role is implied by rendezvous, DNS, HTTPS, or entitlement.

Critical boundary

1Man may authenticate a client, resolve a private service name, validate an entitlement, and return a signed endpoint record. It must not receive, relay, cache, inspect, or store ordinary application traffic unless a separately authorized byte-carrying product is selected.

Inspect the evidence

Run the open system before trusting the managed one.