Prove the device
The requester signs a fresh challenge. No password account stands in for the device key.
How Daemonet works
Daemonet separates identity, authorization, discovery, and transport so no single coordinator has to own the relationship. Devices keep their keys. Profiles define authority. Approved endpoints connect directly whenever possible.
One approved connection
A device generates its own key and becomes part of a user-controlled authority graph only after an existing authority approves it. Membership alone does not grant every application.
When a client requests a service, the destination’s policy and any required entitlement are checked before a short-lived route is returned. The client then authenticates the service endpoint and connects using the permitted transport.
The requester signs a fresh challenge. No password account stands in for the device key.
Signed profile and service policy decide whether this device may perform this action now.
Tor-assisted or managed rendezvous exchanges the minimum expiring information needed to attempt a connection.
WireGuard protects the private route; origin HTTPS authenticates the application. Coordination leaves the ordinary data path.
The open system
Daemonet is not one server or one account. It is a set of signed entities and replaceable roles that can be operated by the owner, a community, or optional providers.
Generates and retains device keys, applies local policy, discovers authorized peers, and creates secure connections.
Defines members, devices, services, approvals, revocation, recovery, and the relationships the owner actually authorizes.
Maps signed service identities to current approved endpoints. Naming describes authority and route information; it does not carry traffic.
Coordinates an introduction through encrypted, expiring state. It is never the user’s network and never an accidental content relay.
WireGuard authenticates and encrypts the private route. Origin-held TLS authenticates and protects the application endpoint.
Operates bounded enrollment, rendezvous, naming, certificate, entitlement, and availability services without taking device authority.
Direct when possible
A direct route is the ordinary goal. If the network cannot form it, the connection fails visibly unless the user has deliberately enabled another named access mode.
An approved relay can later carry traffic as an explicit service. Daemon Hub can carry traffic for an explicitly published browser service. Neither role is implied by rendezvous, DNS, HTTPS, or entitlement.
1Man may authenticate a client, resolve a private service name, validate an entitlement, and return a signed endpoint record. It must not receive, relay, cache, inspect, or store ordinary application traffic unless a separately authorized byte-carrying product is selected.
Inspect the evidence