Katafract Enclave — developer documentation
The platform underneath the apps you install.
Sigil identity. Haven DNS. WraithVPN. Vaultyx encrypted storage. Shards object store. Thin apps, heavy infrastructure — and nothing to betray.
Katafract is a privacy platform. The apps you install — WraithVPN, Vaultyx, Haven, DocArmor, SafeOpen — are thin surfaces over a shared control plane that runs the network nodes, holds your identity tokens, replicates your encrypted storage, and exposes APIs the apps consume.
These docs are for the people who want to see underneath.
Start here
- Architecture: Platform overview
  The whole map — control plane, data plane, edge — and how they connect.
- Threat model: What we defend against
  What Katafract defends against, what it does not, and what we’d lie about if we could.
- Trust: Logs, retention, incidents
  Exact logging and retention policy. Canary. Incident history. Bug bounty.
- Identity: Sigil tokens
  Our identity primitive. No email, no password, no third-party IdP. How the token actually works.
- Storage: Vaultyx internals
  Client-side encryption, FastCDC chunking, manifest-keyed uploads, cross-device replication.
- Roadmap: What ships next
  Keyring, Authenticator, RouteArmor, virtual cards, disposable numbers.
Platform today
| Module | Purpose | API status |
|---|---|---|
| Sigil | Zero-knowledge identity tokens backed by Zitadel | Internal — public SDK planned |
| Haven | DoH DNS (AdGuard Home + OISD blocklists) on every Katafract node | Public DNS endpoints |
| WraithVPN | WireGuard-based VPN via self-operated exit nodes | Internal provisioning API |
| Vaultyx | Zero-knowledge encrypted storage over Garage S3 | Chunk / manifest API |
| Shards | Garage S3 cluster behind `*.s3.objstore.io` | S3-compatible |
| Artemis | Control plane — provisions nodes, issues tokens, orchestrates subscriptions | Internal |
Conventions
- Every code sample ships runnable. No pseudo-code.
- API endpoints live at `api.katafract.com` unless prefixed otherwise.
- Mesh-only services are labelled. If it references `100.64.0.0/10`, it is not reachable from the public internet.
- We publish what ships. We don’t document vaporware.