Specification-first Rust workspace for a censorship-resistant overlay network.
The current repository stage is `milestone-28-production-gates-packaging-safety-hardening`.
Milestones 0-26 are landed baseline work. Current tasks should stay narrow: maintain the hardened bootstrap and bounded recovery boundary, keep the release/packaging docs honest, tighten bounded production gates, and improve safety validation without widening protocol scope.
Use this repository in the current stage with one sign-off flow:
- run the applicable commands in `VALIDATION.md`;
- run `./devnet/run-production-gate.sh` on the same commit;
- use `docs/PILOT_RUNBOOK.md` to collect separate-host evidence before claiming bounded production release status on that commit;
- generate the ship artifact with `./devnet/package-release.sh` on that same validated commit.
`./devnet/run-first-user-acceptance.sh` remains the landed functional acceptance component inside that production flow. `./devnet/run-launch-gate.sh` and `./devnet/run-distributed-pilot-checklist.sh` remain the landed component scripts inside that acceptance flow. `./devnet/run-pilot-checklist.sh` is retained only as the older Milestone 18 localhost rehearsal pack.
The current validated surface includes:
- node identity, wire framing, handshake, transport/session, peer/bootstrap, presence publish, exact lookup by `node_id`, relay fallback, path scoring, service registration/open, and structured metrics/logs;
- `overlay-cli run`, `status`, `status --summary`, `doctor`, `inspect`, `bootstrap-serve`, `bootstrap-sign`, `publish`, `lookup`, `open-service`, and `relay-intro`;
- `./devnet/run-production-gate.sh`, `./devnet/run-production-soak.sh`, `./devnet/run-packaging-check.sh`, and `./devnet/package-release.sh` for bounded production release validation and operator packaging;
- repo-local proof paths in `devnet/run-smoke.sh`, `devnet/run-distributed-smoke.sh`, `devnet/run-multihost-smoke.sh`, `devnet/run-launch-gate.sh`, `devnet/run-first-user-acceptance.sh`, and `devnet/run-distributed-pilot-checklist.sh`;
- bounded per-source bootstrap diagnostics in `runtime_status.health.bootstrap` with `last_attempt_summary` and `last_sources`, including explicit `unavailable`, `integrity_mismatch`, `trust_verification_failed`, `stale`, and `empty_peer_set` outcomes;
- bounded restart recovery from persisted bootstrap-source preference, last-known active bootstrap peers, and local service registration intent embedded in `runtime_status`, plus continued bootstrap retry until a live source succeeds again;
- a bounded operator inspection surface through `overlay-cli inspect`, which combines one local persisted status/doctor report with an explicit set of requested `lookup`, `open-service`, and `relay-intro` probes in one machine-readable result;
- an explicit acceptance pack covering fresh join, service publish/open, deterministic three-relay candidate proof, one-bootstrap-down startup, one-relay-down service open, repeated relay-bind failure recovery, ordinary restart recovery, and stale-state cleanup;
- the dedicated distributed pilot pack under `devnet/pilot/`.
The current repo may be described as a bounded production release only within this claim:
- `./devnet/run-production-gate.sh` passed on the same commit;
- the exact acceptance scenarios in `docs/FIRST_USER_ACCEPTANCE.md` remain green on that same commit as a production-gate component;
- operators use static signed bootstrap artifacts over `http://`, pinned signer keys with optional SHA-256 pins, explicit bounded operator surfaces, reproducible checked release packages, and the checked-in bounded three-relay pilot topology;
- expected degraded cases remain explicit, including one failed primary relay-intro during relay-unavailable rehearsal, two failed relay-intro attempts before tertiary recovery in the repeated-failure rehearsal, and rejected tampered bootstrap artifacts;
- separate-host evidence from `docs/PILOT_RUNBOOK.md` is still attached before the claim is used for a release note.
- `HANDOFF.md`: current stage summary and first-task guidance
- `IMPLEMENT.md`: repository stage history and current execution boundaries
- `VALIDATION.md`: required validation commands and current sign-off order
- `docs/PRODUCTION_CHECKLIST.md`: bounded production release gate
- `docs/PRODUCTION_RELEASE_TEMPLATE.md`: bounded production release note template
- `docs/KNOWN_LIMITATIONS.md`: limitations that must ship with every release
- `docs/FIRST_USER_ACCEPTANCE.md`: exact acceptance scenarios and boundary
- `docs/LAUNCH_CHECKLIST.md`: current launch gate and localhost sign-off flow
- `docs/PILOT_RUNBOOK.md`: separate-host pilot execution and evidence
- `docs/DEVNET.md`: checked-in devnet layouts and proof wrappers
- `docs/OPEN_QUESTIONS.md`: conservative defaults for underspecified areas
- bootstrap is still static signed artifact delivery over `http://`, not HTTPS or a public trust framework
- operator surfaces remain explicit and operator-directed; `overlay-cli inspect` bundles requested remote probes, but the repo still has no general distributed control plane or discovery layer
- release packages are validated and installable, but they still target operator-managed hosts with Rust-free binary distribution only; there is no platform matrix, service manager integration, or auto-updater
- restart recovery remains bounded to bootstrap-source state, last-known active bootstrap peers, and local service registration intent; presence records, service-open sessions, relay tunnels, and path probes are still rebuilt
- relay fallback is proven for the checked-in bounded three-relay pilot topology, not arbitrary relay graphs or public-network conditions
- off-box evidence still must be collected on the validated commit before a release note can claim bounded production release status
The repository stage marker lives in the root `REPOSITORY_STAGE` file and in `overlay_core::REPOSITORY_STAGE`. Keep `README.md`, `HANDOFF.md`, `IMPLEMENT.md`, `VALIDATION.md`, `docs/FIRST_USER_ACCEPTANCE.md`, `docs/PRODUCTION_CHECKLIST.md`, `docs/PILOT_RUNBOOK.md`, `docs/DEVNET.md`, `docs/LAUNCH_CHECKLIST.md`, and `docs/OPEN_QUESTIONS.md` synchronized with that marker whenever the stage changes.
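As an added example that is not part of this repository, the following POSIX shell check enforces the synchronization rule above: it reads the marker from the root `REPOSITORY_STAGE` file and reports every listed doc that does not mention it, so a drifted doc fails before a stage bump is committed. It assumes the marker is the first non-empty line of `REPOSITORY_STAGE` and that a synchronized doc quotes it verbatim; both are assumptions, not documented repo conventions.

```shell
#!/bin/sh
# Added example, not part of this repository: verify that every doc the README
# requires to stay synchronized still carries the marker from the root
# REPOSITORY_STAGE file. Assumptions: the marker is the first non-empty line of
# that file, and a synchronized doc mentions the marker verbatim.

# Docs the README says must track the stage marker.
STAGE_SYNC_DOCS="README.md HANDOFF.md IMPLEMENT.md VALIDATION.md
docs/FIRST_USER_ACCEPTANCE.md docs/PRODUCTION_CHECKLIST.md docs/PILOT_RUNBOOK.md
docs/DEVNET.md docs/LAUNCH_CHECKLIST.md docs/OPEN_QUESTIONS.md"

# read_stage_marker ROOT: print the marker; fail if the file is missing or empty.
read_stage_marker() {
    marker=$(awk 'NF { print; exit }' "$1/REPOSITORY_STAGE" 2>/dev/null)
    [ -n "$marker" ] || return 1
    printf '%s\n' "$marker"
}

# check_stage_sync ROOT: print every doc that is absent or lacks the marker.
# Returns 0 when all docs match, 1 otherwise, so a gate script can key on it.
check_stage_sync() {
    root=$1
    marker=$(read_stage_marker "$root") || { echo "$root: no stage marker" >&2; return 1; }
    rc=0
    for doc in $STAGE_SYNC_DOCS; do
        if ! grep -qF -- "$marker" "$root/$doc" 2>/dev/null; then
            echo "$doc: missing marker $marker"
            rc=1
        fi
    done
    return $rc
}

# make_sample_tree ROOT: constructed sample workspace so the check runs offline.
# One doc is deliberately left at a placeholder older stage to show a failure.
make_sample_tree() {
    stage=milestone-28-production-gates-packaging-safety-hardening
    mkdir -p "$1/docs"
    printf '%s\n' "$stage" > "$1/REPOSITORY_STAGE"
    for doc in $STAGE_SYNC_DOCS; do
        printf 'Current stage: %s\n' "$stage" > "$1/$doc"
    done
    printf 'Current stage: %s\n' "milestone-XX-placeholder-old-stage" > "$1/docs/DEVNET.md"
}
```

Run `check_stage_sync /path/to/workspace` from a pre-commit hook or the validation flow; a non-zero exit means at least one listed doc still names a different stage.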
In sandboxed Linux-on-Windows environments, set `TMPDIR=/tmp` for commands that link test binaries if the default temp directory is not writable.