steadytao/waymark

Waymark

Waymark is a desired-state DNS and edge-policy control plane.

It is designed to model, diff, plan and eventually apply DNS, TLS, HTTPS, ECH and post-quantum readiness policy through provider adapters.

Status

Waymark is in early development and is not ready for production use.

The current implementation is a minimal dry-run planner. It reads desired state from a local configuration file, compares it with supplied current state and prints a deterministic plan. It does not yet query live providers or apply changes.

Goals

Waymark aims to:

  • provide deterministic desired-state policy for DNS and related edge posture
  • support provider-backed planning and orchestration without hiding provider-specific behaviour
  • integrate with Surveyor evidence where useful while keeping Surveyor observational
  • make trust boundaries explicit
  • support serious operational use without pretending to replace every network control
  • maintain a repository and release process that can withstand professional scrutiny

Non-goals

Waymark is not intended to be:

  • a generic ad-blocking DNS clone
  • a recursive resolver or DNS forwarder
  • a full firewall replacement
  • a catch-all zero trust platform
  • a vague privacy or security tool without explicit guarantees and boundaries

See docs/architecture/scope.md for the canonical project scope.

Intended users

Waymark is being designed for:

  • technically capable individual operators
  • infrastructure operators managing DNS and edge-provider posture
  • managed organisational environments
  • security, infrastructure, enterprise and public-sector practitioners who value explicit control and operational clarity

Documentation

Core documentation:

Architecture and security:

Development and compliance:

Quick Start

Run the example dry-run plan:

go run ./cmd/waymark plan -f examples/waymark.yaml

The command prints the zone, provider binding, policy modes, planned record changes and detected risks or unknowns.

To read current state from Cloudflare instead of the embedded example fixture, set a scoped API token and use the Cloudflare example:

CLOUDFLARE_API_TOKEN=... go run ./cmd/waymark plan -f examples/cloudflare.yaml

The Cloudflare path is read-only. It lists DNS records for the configured zone and feeds them into the same dry-run planner.
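
A sketch of the desired-versus-current comparison a dry-run planner of this kind performs, added here as an illustration and not taken from Waymark's code. The `Record` and `Change` types, the `Plan` function and the sample records are hypothetical, and one record per name and type is assumed.

```go
package main

import (
	"fmt"
	"sort"
)

// Record is a hypothetical model (not Waymark's types); assumes one record per name and type.
type Record struct {
	Name, Type, Value string
	TTL               int
}

type Change struct{ Action, Key, Detail string } // Key is "name/type"

func key(r Record) string  { return r.Name + "/" + r.Type }
func show(r Record) string { return fmt.Sprintf("%s ttl=%d", r.Value, r.TTL) }

// Plan diffs desired against current state and sorts the result by key, so
// input order and Go's randomised map iteration never change the output.
func Plan(desired, current []Record) []Change {
	cur := make(map[string]Record, len(current))
	for _, r := range current {
		cur[key(r)] = r
	}
	var plan []Change
	for _, d := range desired {
		k := key(d)
		c, found := cur[k]
		delete(cur, k) // what remains in cur afterwards is not declared in desired state
		switch {
		case !found:
			plan = append(plan, Change{"create", k, show(d)})
		case c != d:
			plan = append(plan, Change{"update", k, show(c) + " -> " + show(d)})
		}
	}
	for k, c := range cur {
		plan = append(plan, Change{"delete", k, show(c)})
	}
	sort.Slice(plan, func(i, j int) bool { return plan[i].Key < plan[j].Key })
	return plan
}

func main() {
	// Constructed sample state, not taken from examples/waymark.yaml.
	desired := []Record{{"www.example.org", "A", "192.0.2.10", 300}, {"example.org", "MX", "10 mail.example.org.", 3600}}
	current := []Record{{"www.example.org", "A", "192.0.2.10", 60}, {"old.example.org", "CNAME", "legacy.example.net.", 300}}
	for _, c := range Plan(desired, current) {
		fmt.Println(c.Action, c.Key, c.Detail)
	}
}
```

Deletions come from records present in current state but absent from desired state, which is the case worth reviewing most closely before any plan is applied.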

Security

Please do not report security vulnerabilities in public issues.

See SECURITY.md for reporting guidance.

Contributing

Before opening an issue or pull request, read CONTRIBUTING.md.

All commits must be signed off in accordance with the Developer Certificate of Origin. See DCO.md.

Licence

Waymark is licensed under the Apache License 2.0. See LICENSE.
