feat(dist): add distribution packages with docs and checksums

Linux Server Package (ostp-server-linux-x64.tar.gz - 5.94 MB):
- ostp-server (9.2 MB) + oncp-master (4.8 MB)
- Automated deploy.sh script with systemd integration
- README.md with quick start guide
- systemd service units (ostp-server.service, oncp-master.service)
- Config examples (server.json, server-enrollment.json)
- SHA256SUMS for integrity verification

Windows Client Package (ostp-client-windows-x64.zip - 1.29 MB):
- ostp-client.exe (1.64 MB) - CLI client
- ostp-daemon.exe (0.53 MB) - Windows Service
- ostp-installer.exe (0.37 MB) - Setup wizard
- README.md with GUI/CLI usage guide
- SHA256SUMS.txt for integrity verification

Deploy Script Features:
- Automated PSK generation
- Systemd service installation
- Firewall configuration (ufw)
- OTP token generation (60 min)
- Network validation (10.X.0.0/16)
- Security hardening (NoNewPrivileges, ProtectSystem)

Documentation includes:
- Installation instructions
- Configuration examples
- Troubleshooting guides
- Security best practices
- API reference

dist/linux-x64/README.md

@@ -0,0 +1,218 @@
+# OSTP Server - Linux x64 Distribution
+
+Universal Linux binaries (statically linked with musl) for OSTP VPN server deployment.
+
+## 📦 Contents
+
+- **ostp-server** (9.2 MB) - VPN server with AEAD encryption, TLS mimicry, UDP-over-TCP
+- **oncp-master** (4.8 MB) - Control plane API server for node/user management
+- **SHA256SUMS** - Integrity verification checksums
+- **deploy.sh** - Automated deployment script
+- **server.json.example** - ostp-server configuration template
+- **server-enrollment.json.example** - ostp-server with enrollment token
+- **ostp-server.service** - systemd service unit for ostp-server
+- **oncp-master.service** - systemd service unit for oncp-master
+
+## 🚀 Quick Start
+
+### 1. Verify Integrity
+
+```bash
+sha256sum -c SHA256SUMS
+```
+
+### 2. Deploy with Script (Recommended)
+
+```bash
+chmod +x deploy.sh
+sudo ./deploy.sh
+```
+
+The script will:
+- Install binaries to `/usr/local/bin/`
+- Create systemd services
+- Generate PSK and network configuration
+- Set up firewall rules
+- Start services
+
+### 3. Manual Installation
+
+```bash
+# Make binaries executable
+chmod +x ostp-server oncp-master
+
+# Copy to system path
+sudo cp ostp-server oncp-master /usr/local/bin/
+
+# Generate PSK for ostp-server
+PSK=$(openssl rand -hex 32)
+echo "Generated PSK: $PSK"
+
+# Start oncp-master (control plane)
+sudo ./oncp-master serve --listen 0.0.0.0:8080 --network-octet 42
+
+# Generate enrollment token (expires in 3 minutes)
+./oncp-master node token --expiry 3
+
+# Start ostp-server (VPN server)
+sudo ./ostp-server -l 0.0.0.0:443 -p $PSK --master http://localhost:8080
+```
+
+## 🔧 Configuration
+
+### ostp-server Configuration
+
+Create `/etc/ostp/server.json`:
+
+```json
+{
+  "listen_addr": "0.0.0.0:443",
+  "psk": "YOUR_64_CHAR_HEX_PSK",
+  "master_url": "http://localhost:8080",
+  "country_code": "US",
+  "max_clients": 1000
+}
+```
+
+### oncp-master Configuration
+
+Environment variables:
+- `ONCP_DATABASE` - SQLite database path (default: `oncp.db`)
+- `ONCP_NETWORK_OCTET` - Second octet for 10.X.0.0/16 subnet (default: `42`)
+- `ONCP_LOG_LEVEL` - Logging level: error, warn, info, debug, trace
+
+## 🌐 Network Architecture
+
+**Master Node Subnet:** `10.X.0.0/16` (where X = network-octet)
+- Master Node IP: `10.X.0.1`
+- Client IPs: `10.X.0.2` - `10.X.255.254`
+- Capacity: ~65,000 clients per Master Node
+
+## 🔐 Security Features
+
+### OTP Enrollment Tokens
+Nodes must provide time-limited one-time tokens during enrollment:
+
+```bash
+# Generate token (3 minute expiry)
+./oncp-master node token --expiry 3
+
+# Node uses token in enrollment request
+./ostp-server --token ABC123XYZ0 --master https://master-url
+```
+
+### Silent Validation
+Invalid tokens result in silent connection close (HTTP 444) - prevents enumeration.
+
+## 📊 Management Commands
+
+### Node Management
+
+```bash
+# List pending enrollments
+./oncp-master node pending
+
+# Approve node (allocates IP + generates PSK)
+./oncp-master node approve <node-id>
+
+# Reject enrollment
+./oncp-master node reject <node-id>
+
+# List all nodes
+./oncp-master node list
+```
+
+### User Management
+
+```bash
+# Create user with 100GB quota, 30 days
+./oncp-master user create --quota 100 --days 30
+
+# List users
+./oncp-master user list
+
+# Show network statistics
+./oncp-master stats
+```
+
+### SNI Management
+
+```bash
+# Update SNI domains for specific country
+./oncp-master sni update --country RU --add example.com
+
+# Block domain globally
+./oncp-master sni block --domain blocked.com
+```
+
+## 🖥️ System Requirements
+
+- **OS:** Any Linux distribution with glibc or musl (universal binary)
+- **RAM:** 512 MB minimum, 2 GB recommended
+- **CPU:** 1 core minimum, 2+ cores recommended
+- **Network:** Public IP with ports 443 (ostp-server), 8080 (oncp-master) open
+- **Storage:** 100 MB for binaries, 1 GB+ for logs/database
+
+## 🛡️ Firewall Configuration
+
+```bash
+# Allow ostp-server (VPN)
+sudo ufw allow 443/tcp
+
+# Allow oncp-master API (restrict to internal network in production)
+sudo ufw allow 8080/tcp
+```
+
+## 📝 Logs
+
+- **ostp-server:** `/var/log/ostp-server.log` or stdout
+- **oncp-master:** `/var/log/oncp-master.log` or stdout
+
+View logs with systemd:
+```bash
+sudo journalctl -u ostp-server -f
+sudo journalctl -u oncp-master -f
+```
+
+## 🔄 Updates
+
+```bash
+# Stop services
+sudo systemctl stop ostp-server oncp-master
+
+# Replace binaries
+sudo cp ostp-server oncp-master /usr/local/bin/
+
+# Restart services
+sudo systemctl start ostp-server oncp-master
+```
+
+## 📚 Documentation
+
+- Project Repository: https://github.com/ospab/ospab.network
+- Architecture Overview: See `prompt.md` in repository
+- API Documentation: `http://<master-ip>:8080/health` (health check)
+
+## ⚠️ Production Checklist
+
+- [ ] Change default PSK (64 hex characters)
+- [ ] Configure unique network octet (0-255, avoid 0 and 255)
+- [ ] Set up SSL/TLS for oncp-master API (use reverse proxy)
+- [ ] Restrict oncp-master port to internal network
+- [ ] Configure log rotation
+- [ ] Set up monitoring (Prometheus/Grafana)
+- [ ] Enable automatic backups of oncp.db
+- [ ] Configure firewall rules
+- [ ] Set resource limits in systemd services
+
+## 🆘 Support
+
+For issues and questions:
+- GitHub Issues: https://github.com/ospab/ospab.network/issues
+- Security: Report vulnerabilities via private disclosure
+
+---
+
+**Version:** 0.1.0  
+**Build Date:** January 2, 2026  
+**License:** Proprietary

dist/linux-x64/SHA256SUMS

@@ -0,0 +1,2 @@
+53de7690ddcd22828d1d2c55bec75e7a43aa6476827d8162615549b08a1a39dc  oncp-master
+d3ec5b5ee8c90f1f92667458f44a795159157ae64e8d5073888838fbfce286e2  ostp-server

dist/linux-x64/deploy.sh

@@ -0,0 +1,221 @@
+#!/bin/bash
+set -e
+
+# OSTP Server - Automated Deployment Script
+# Version: 0.1.0
+# Requires: root/sudo access
+
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+NC='\033[0m' # No Color
+
+echo -e "${GREEN}╔════════════════════════════════════════╗${NC}"
+echo -e "${GREEN}║   OSTP Server Deployment Script       ║${NC}"
+echo -e "${GREEN}║   Version 0.1.0                        ║${NC}"
+echo -e "${GREEN}╚════════════════════════════════════════╝${NC}"
+echo
+
+# Check if running as root
+if [[ $EUID -ne 0 ]]; then
+   echo -e "${RED}Error: This script must be run as root${NC}"
+   echo "Usage: sudo ./deploy.sh"
+   exit 1
+fi
+
+# Check if binaries exist
+if [ ! -f "ostp-server" ] || [ ! -f "oncp-master" ]; then
+    echo -e "${RED}Error: Binaries not found in current directory${NC}"
+    exit 1
+fi
+
+# Verify checksums
+echo -e "${YELLOW}→${NC} Verifying integrity..."
+if sha256sum -c SHA256SUMS > /dev/null 2>&1; then
+    echo -e "${GREEN}✓${NC} Checksums verified"
+else
+    echo -e "${RED}✗${NC} Checksum verification failed!"
+    read -p "Continue anyway? (y/N): " -n 1 -r
+    echo
+    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+        exit 1
+    fi
+fi
+
+# Configuration prompts
+echo
+echo -e "${YELLOW}═══ Configuration ═══${NC}"
+read -p "Network octet (10.X.0.0/16, default 42): " NETWORK_OCTET
+NETWORK_OCTET=${NETWORK_OCTET:-42}
+
+read -p "ostp-server listen port (default 443): " OSTP_PORT
+OSTP_PORT=${OSTP_PORT:-443}
+
+read -p "oncp-master listen port (default 8080): " ONCP_PORT
+ONCP_PORT=${ONCP_PORT:-8080}
+
+read -p "Install directory (default /usr/local/bin): " INSTALL_DIR
+INSTALL_DIR=${INSTALL_DIR:-/usr/local/bin}
+
+read -p "Config directory (default /etc/ostp): " CONFIG_DIR
+CONFIG_DIR=${CONFIG_DIR:-/etc/ostp}
+
+read -p "Database directory (default /var/lib/ostp): " DATA_DIR
+DATA_DIR=${DATA_DIR:-/var/lib/ostp}
+
+# Generate PSK
+echo
+echo -e "${YELLOW}→${NC} Generating PSK..."
+PSK=$(openssl rand -hex 32)
+echo -e "${GREEN}✓${NC} PSK generated: ${YELLOW}${PSK}${NC}"
+echo -e "${RED}⚠ SAVE THIS PSK! It will be stored in ${CONFIG_DIR}/server.json${NC}"
+
+# Create directories
+echo
+echo -e "${YELLOW}→${NC} Creating directories..."
+mkdir -p "$INSTALL_DIR"
+mkdir -p "$CONFIG_DIR"
+mkdir -p "$DATA_DIR"
+mkdir -p /var/log/ostp
+
+# Install binaries
+echo -e "${YELLOW}→${NC} Installing binaries..."
+cp ostp-server oncp-master "$INSTALL_DIR/"
+chmod +x "$INSTALL_DIR/ostp-server" "$INSTALL_DIR/oncp-master"
+echo -e "${GREEN}✓${NC} Binaries installed to $INSTALL_DIR"
+
+# Create ostp-server config
+cat > "$CONFIG_DIR/server.json" <<EOF
+{
+  "listen_addr": "0.0.0.0:${OSTP_PORT}",
+  "psk": "${PSK}",
+  "master_url": "http://127.0.0.1:${ONCP_PORT}",
+  "country_code": "US",
+  "max_clients": 1000
+}
+EOF
+chmod 600 "$CONFIG_DIR/server.json"
+echo -e "${GREEN}✓${NC} Configuration saved to $CONFIG_DIR/server.json"
+
+# Create systemd service for oncp-master
+cat > /etc/systemd/system/oncp-master.service <<EOF
+[Unit]
+Description=ONCP Master Node - Control Plane API
+After=network.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=${DATA_DIR}
+Environment="ONCP_DATABASE=${DATA_DIR}/oncp.db"
+Environment="ONCP_NETWORK_OCTET=${NETWORK_OCTET}"
+ExecStart=${INSTALL_DIR}/oncp-master serve --listen 0.0.0.0:${ONCP_PORT} --network-octet ${NETWORK_OCTET}
+Restart=on-failure
+RestartSec=5s
+StandardOutput=append:/var/log/ostp/oncp-master.log
+StandardError=append:/var/log/ostp/oncp-master.log
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=${DATA_DIR} /var/log/ostp
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Create systemd service for ostp-server
+cat > /etc/systemd/system/ostp-server.service <<EOF
+[Unit]
+Description=OSTP VPN Server
+After=network.target oncp-master.service
+Requires=oncp-master.service
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=${CONFIG_DIR}
+ExecStart=${INSTALL_DIR}/ostp-server -c ${CONFIG_DIR}/server.json
+Restart=on-failure
+RestartSec=5s
+StandardOutput=append:/var/log/ostp/ostp-server.log
+StandardError=append:/var/log/ostp/ostp-server.log
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/log/ostp
+
+# Resource limits
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+echo -e "${GREEN}✓${NC} Systemd services created"
+
+# Reload systemd
+systemctl daemon-reload
+
+# Configure firewall (if ufw is available)
+if command -v ufw &> /dev/null; then
+    echo -e "${YELLOW}→${NC} Configuring firewall..."
+    ufw allow ${OSTP_PORT}/tcp comment "OSTP VPN Server"
+    echo -e "${GREEN}✓${NC} Firewall rule added for port ${OSTP_PORT}"
+    echo -e "${YELLOW}⚠${NC} Note: Port ${ONCP_PORT} (oncp-master) not exposed. Restrict to internal network in production!"
+fi
+
+# Enable and start services
+echo
+echo -e "${YELLOW}→${NC} Starting services..."
+systemctl enable oncp-master ostp-server
+systemctl start oncp-master
+
+# Wait for oncp-master to start
+sleep 2
+
+# Generate enrollment token
+echo -e "${YELLOW}→${NC} Generating enrollment token..."
+TOKEN=$(${INSTALL_DIR}/oncp-master node token --expiry 60 2>/dev/null | grep -A1 "Token:" | tail -1 | xargs)
+echo -e "${GREEN}✓${NC} Enrollment token (60 min): ${YELLOW}${TOKEN}${NC}"
+
+# Start ostp-server
+systemctl start ostp-server
+
+echo
+echo -e "${GREEN}╔════════════════════════════════════════╗${NC}"
+echo -e "${GREEN}║   Deployment Complete! ✓               ║${NC}"
+echo -e "${GREEN}╚════════════════════════════════════════╝${NC}"
+echo
+echo -e "${YELLOW}Services Status:${NC}"
+systemctl status oncp-master --no-pager -l || true
+systemctl status ostp-server --no-pager -l || true
+echo
+echo -e "${YELLOW}Important Information:${NC}"
+echo -e "  • Network: ${GREEN}10.${NETWORK_OCTET}.0.0/16${NC}"
+echo -e "  • Master IP: ${GREEN}10.${NETWORK_OCTET}.0.1${NC}"
+echo -e "  • PSK: ${YELLOW}${PSK}${NC}"
+echo -e "  • Enrollment Token: ${YELLOW}${TOKEN}${NC} (expires in 60 minutes)"
+echo -e "  • Config: ${CONFIG_DIR}/server.json"
+echo -e "  • Database: ${DATA_DIR}/oncp.db"
+echo -e "  • Logs: /var/log/ostp/"
+echo
+echo -e "${YELLOW}Next Steps:${NC}"
+echo -e "  1. Enroll nodes: ${GREEN}ostp-server --token ${TOKEN} --master https://your-master${NC}"
+echo -e "  2. Approve nodes: ${GREEN}oncp-master node pending${NC} → ${GREEN}oncp-master node approve <id>${NC}"
+echo -e "  3. Create users: ${GREEN}oncp-master user create --quota 100 --days 30${NC}"
+echo -e "  4. Monitor logs: ${GREEN}journalctl -u ostp-server -f${NC}"
+echo
+echo -e "${RED}⚠ Security Reminder:${NC}"
+echo -e "  • Save PSK in password manager"
+echo -e "  • Restrict port ${ONCP_PORT} to internal network"
+echo -e "  • Set up SSL/TLS reverse proxy for production"
+echo -e "  • Configure log rotation"
+echo
+
+exit 0

dist/linux-x64/oncp-master.service

@@ -0,0 +1,30 @@
+[Unit]
+Description=ONCP Master Node - Control Plane API
+After=network.target
+Documentation=https://github.com/ospab/ospab.network
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/var/lib/ostp
+Environment="ONCP_DATABASE=/var/lib/ostp/oncp.db"
+Environment="ONCP_NETWORK_OCTET=42"
+Environment="ONCP_LOG_LEVEL=info"
+ExecStart=/usr/local/bin/oncp-master serve --listen 0.0.0.0:8080 --network-octet 42
+Restart=on-failure
+RestartSec=5s
+StandardOutput=append:/var/log/ostp/oncp-master.log
+StandardError=append:/var/log/ostp/oncp-master.log
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/ostp /var/log/ostp
+
+# Resource limits
+LimitNOFILE=4096
+
+[Install]
+WantedBy=multi-user.target

dist/linux-x64/ostp-server.service

@@ -0,0 +1,28 @@
+[Unit]
+Description=OSTP VPN Server
+After=network.target
+Documentation=https://github.com/ospab/ospab.network
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/etc/ostp
+ExecStart=/usr/local/bin/ostp-server -c /etc/ostp/server.json
+Restart=on-failure
+RestartSec=5s
+StandardOutput=append:/var/log/ostp/ostp-server.log
+StandardError=append:/var/log/ostp/ostp-server.log
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/log/ostp
+
+# Resource limits
+LimitNOFILE=65536
+LimitNPROC=512
+
+[Install]
+WantedBy=multi-user.target

dist/linux-x64/server-enrollment.json.example

@@ -0,0 +1,8 @@
+{
+  "listen_addr": "0.0.0.0:443",
+  "enrollment_token": "ABC123XYZ0",
+  "master_url": "https://master-node.example.com:8080",
+  "country_code": "US",
+  "region": "us-west",
+  "node_name": "node-01"
+}

dist/linux-x64/server.json.example

@@ -0,0 +1,7 @@
+{
+  "listen_addr": "0.0.0.0:443",
+  "psk": "CHANGE_THIS_64_CHARACTER_HEX_PSK_GENERATED_WITH_OPENSSL_RAND",
+  "master_url": "http://127.0.0.1:8080",
+  "country_code": "US",
+  "max_clients": 1000
+}

dist/windows-x64/README.md

@@ -0,0 +1,289 @@
+# OSTP Client - Windows x64 Distribution
+
+Windows native client with GUI, daemon service, and automated installer.
+
+## 📦 Contents
+
+- **ostp-installer.exe** (0.37 MB) - Setup wizard with admin privileges
+- **ostp-daemon.exe** (0.53 MB) - Windows Service for VPN tunnel management
+- **ostp-client.exe** (1.64 MB) - Command-line client for advanced users
+- **SHA256SUMS.txt** - Integrity verification checksums
+
+## 🚀 Quick Start (Recommended)
+
+### 1. Verify Integrity
+
+Open PowerShell:
+```powershell
+Get-Content SHA256SUMS.txt | ForEach-Object {
+    $hash, $file = $_ -split '\s+', 2
+    $computed = (Get-FileHash $file -Algorithm SHA256).Hash.ToLower()
+    if ($hash -eq $computed) { "✓ $file" } else { "✗ $file MISMATCH!" }
+}
+```
+
+### 2. Run Installer
+
+**Right-click `ostp-installer.exe` → Run as Administrator**
+
+The installer will:
+- Install Wintun driver (TAP network adapter)
+- Register `OspabGuard` Windows Service
+- Configure firewall rules
+- Install GUI to Start Menu
+- Create desktop shortcut
+
+### 3. Launch GUI
+
+After installation, open **OSTP VPN** from Start Menu or desktop.
+
+## 🖥️ GUI Interface
+
+Dark stealth theme interface (450×600):
+- **Server Selection** - Choose country from dropdown (auto-fetch from Master Node)
+- **Connect/Disconnect** - One-click VPN toggle
+- **Real-time Stats** - Upload/download speeds, ping, connection time
+- **System Tray** - Minimize to tray for background operation
+
+### Settings
+- Auto-connect on startup
+- Kill switch (block all traffic when VPN disconnects)
+- Protocol selection (TCP/UDP)
+- Custom DNS servers
+
+## 🔧 Command-Line Client (Advanced)
+
+### ostp-client.exe
+
+For advanced users who prefer CLI or scripting:
+
+```cmd
+# Interactive wizard
+ostp-client.exe setup
+
+# Connect to specific server
+ostp-client.exe connect --server 1.2.3.4:443 --psk YOUR_PSK --country RU
+
+# List profiles
+ostp-client.exe profiles
+
+# Connect using saved profile
+ostp-client.exe connect --profile "US-West"
+
+# Disconnect
+ostp-client.exe disconnect
+
+# Show status
+ostp-client.exe status
+```
+
+### Configuration File
+
+Located at: `%APPDATA%\Ospab\OSTP\config.json`
+
+```json
+{
+  "profiles": [
+    {
+      "name": "US-West",
+      "server": "1.2.3.4:443",
+      "psk": "64_char_hex_psk",
+      "country_code": "US"
+    }
+  ],
+  "auto_connect": false,
+  "kill_switch": true
+}
+```
+
+## 🛠️ Service Management
+
+### ostp-daemon.exe
+
+Runs as Windows Service (`OspabGuard`):
+
+```cmd
+# Check service status
+sc query OspabGuard
+
+# Start service
+sc start OspabGuard
+
+# Stop service
+sc stop OspabGuard
+
+# View service logs
+type C:\ProgramData\Ospab\OSTP\ostp-daemon.log
+```
+
+### IPC Communication
+
+GUI communicates with daemon via Named Pipe: `\\.\pipe\ostp-daemon`
+
+Commands:
+- `CONNECT\n` - Establish VPN tunnel
+- `DISCONNECT\n` - Close VPN tunnel
+- `STATUS\n` - Get JSON status response
+
+## 🔐 Security Features
+
+### Anti-Reverse Engineering
+- **ostp-guard** analysis tool detection (IDA Pro, x64dbg, Ghidra, etc.)
+- VM environment detection (VirtualBox, VMware, QEMU)
+- Debugger detection (IsDebuggerPresent, remote debuggers)
+- Weighted scoring system (4+ points = environment rejected)
+- Error code masking (`0xE0000001` for all security blocks)
+
+### Stealth Mode
+- TLS 1.3 ClientHello mimicry (randomized JA3 fingerprint)
+- Geo-specific SNI selection (cloudflare.com, google.com, etc.)
+- UDP-over-TCP framing with random padding
+- No identifiable protocol signatures
+
+### Encryption
+- **AEAD:** ChaCha20-Poly1305
+- **Key Exchange:** X25519 Elliptic Curve Diffie-Hellman
+- **PSK Validation:** HMAC-SHA256 with silent drop on failure
+
+## 📊 Network Configuration
+
+After connection:
+- **Client IP:** Assigned by Master Node (10.X.Y.Z)
+- **Gateway:** Master Node (10.X.0.1)
+- **DNS:** 1.1.1.1, 8.8.8.8 (configurable)
+- **MTU:** 1420 (optimized for tunneling overhead)
+
+## 🪟 System Requirements
+
+- **OS:** Windows 10/11 (x64) or Windows Server 2019+
+- **RAM:** 256 MB minimum
+- **CPU:** 1 core minimum
+- **Network:** Internet connection (any speed)
+- **Privileges:** Administrator required for installation
+
+## 🔧 Troubleshooting
+
+### Connection Issues
+
+1. **Check service status:**
+   ```cmd
+   sc query OspabGuard
+   ```
+
+2. **View logs:**
+   ```cmd
+   type C:\ProgramData\Ospab\OSTP\ostp-daemon.log
+   ```
+
+3. **Test connectivity:**
+   ```cmd
+   ping 1.1.1.1
+   tracert 1.1.1.1
+   ```
+
+### Firewall Conflicts
+
+If Windows Firewall blocks connection:
+```cmd
+netsh advfirewall firewall add rule name="OSTP VPN" dir=out action=allow program="C:\Program Files\Ospab\OSTP\ostp-daemon.exe"
+```
+
+### Wintun Driver Issues
+
+Reinstall Wintun:
+1. Uninstall via Device Manager (Network adapters → Wintun)
+2. Run `ostp-installer.exe` again
+3. Reboot system
+
+### Service Won't Start
+
+Check Event Viewer:
+```
+Event Viewer → Windows Logs → Application → Filter by "OspabGuard"
+```
+
+## 🔄 Updates
+
+### Automatic Updates (via GUI)
+1. GUI checks for updates on startup
+2. Prompts user to download latest version
+3. Downloads installer from official server
+4. Verifies SHA256 checksum
+5. Runs installer (requires admin)
+
+### Manual Update
+1. Download latest release
+2. Close GUI and stop service: `sc stop OspabGuard`
+3. Run new installer
+4. Restart service: `sc start OspabGuard`
+
+## 🗑️ Uninstallation
+
+### Via Installer
+Run `ostp-installer.exe` and select "Uninstall" option.
+
+### Manual Removal
+```cmd
+# Stop and remove service
+sc stop OspabGuard
+sc delete OspabGuard
+
+# Remove files
+rmdir /s /q "C:\Program Files\Ospab"
+rmdir /s /q "C:\ProgramData\Ospab"
+rmdir /s /q "%APPDATA%\Ospab"
+
+# Uninstall Wintun driver
+pnputil /enum-devices /class net | findstr "Wintun"
+pnputil /remove-device <device-id>
+```
+
+## 🧪 Debug Mode
+
+Enable debug logging:
+```cmd
+# Set registry key
+reg add "HKLM\SOFTWARE\Ospab\OSTP" /v DebugMode /t REG_DWORD /d 1 /f
+
+# Restart service
+sc stop OspabGuard
+sc start OspabGuard
+
+# View debug logs
+type C:\ProgramData\Ospab\OSTP\debug.log
+```
+
+## 📚 Documentation
+
+- Project Repository: https://github.com/ospab/ospab.network
+- Issue Tracker: https://github.com/ospab/ospab.network/issues
+- Architecture: See `prompt.md` in repository
+
+## ⚠️ Known Issues
+
+- **Windows Defender SmartScreen:** May show warning on first run (normal for unsigned binaries)
+- **Antivirus False Positives:** ostp-guard detection may trigger AV heuristics (whitelist required)
+- **VirtualBox:** VM detection may prevent execution (expected behavior)
+
+## 🆘 Support
+
+For issues and questions:
+- GitHub Issues: https://github.com/ospab/ospab.network/issues
+- Email Support: support@ospab.network
+- Telegram: @ospab_support
+
+## 📋 Version History
+
+- **0.1.0** (January 2, 2026)
+  - Initial release
+  - Windows Service implementation
+  - GUI with dark stealth theme
+  - OTP enrollment token support
+  - Dynamic IPAM (10.X.0.0/16)
+
+---
+
+**Version:** 0.1.0  
+**Build Date:** January 2, 2026  
+**License:** Proprietary  
+**Copyright:** © 2026 Ospab Network

dist/windows-x64/SHA256SUMS.txt

@@ -0,0 +1,3 @@
+94400a0ab3a50a57d3914a905d79e1794a6e9642e63278854a9d492dd4f722ee  ostp-client.exe
+2e5c4dda1b0e9d1807892a3de587e4875906bdbe5343d5b83b5f33488d6e6696  ostp-daemon.exe
+9817c74e41427780cffb3070bfb22afec0f18a570f57e5c6b1cd9a76117c4001  ostp-installer.exe