feat(dist): add distribution packages with docs and checksums

Linux Server Package (ostp-server-linux-x64.tar.gz - 5.94 MB):
- ostp-server (9.2 MB) + oncp-master (4.8 MB)
- Automated deploy.sh script with systemd integration
- README.md with quick start guide
- systemd service units (ostp-server.service, oncp-master.service)
- Config examples (server.json, server-enrollment.json)
- SHA256SUMS for integrity verification

Windows Client Package (ostp-client-windows-x64.zip - 1.29 MB):
- ostp-client.exe (1.64 MB) - CLI client
- ostp-daemon.exe (0.53 MB) - Windows Service
- ostp-installer.exe (0.37 MB) - Setup wizard
- README.md with GUI/CLI usage guide
- SHA256SUMS.txt for integrity verification

Deploy Script Features:
- Automated PSK generation
- Systemd service installation
- Firewall configuration (ufw)
- OTP token generation (60 min)
- Network validation (10.X.0.0/16)
- Security hardening (NoNewPrivileges, ProtectSystem)

Documentation includes:
- Installation instructions
- Configuration examples
- Troubleshooting guides
- Security best practices
- API reference

dist/linux-x64/README.md

@@ -0,0 +1,218 @@
+# OSTP Server - Linux x64 Distribution
+
+Universal Linux binaries (statically linked with musl) for OSTP VPN server deployment.
+
+## 📦 Contents
+
+- **ostp-server** (9.2 MB) - VPN server with AEAD encryption, TLS mimicry, UDP-over-TCP
+- **oncp-master** (4.8 MB) - Control plane API server for node/user management
+- **SHA256SUMS** - Integrity verification checksums
+- **deploy.sh** - Automated deployment script
+- **server.json.example** - ostp-server configuration template
+- **server-enrollment.json.example** - ostp-server with enrollment token
+- **ostp-server.service** - systemd service unit for ostp-server
+- **oncp-master.service** - systemd service unit for oncp-master
+
+## 🚀 Quick Start
+
+### 1. Verify Integrity
+
+```bash
+sha256sum -c SHA256SUMS
+```
+
+### 2. Deploy with Script (Recommended)
+
+```bash
+chmod +x deploy.sh
+sudo ./deploy.sh
+```
+
+The script will:
+- Install binaries to `/usr/local/bin/`
+- Create systemd services
+- Generate PSK and network configuration
+- Set up firewall rules
+- Start services
+
+### 3. Manual Installation
+
+```bash
+# Make binaries executable
+chmod +x ostp-server oncp-master
+
+# Copy to system path
+sudo cp ostp-server oncp-master /usr/local/bin/
+
+# Generate PSK for ostp-server
+PSK=$(openssl rand -hex 32)
+echo "Generated PSK: $PSK"
+
+# Start oncp-master (control plane)
+sudo ./oncp-master serve --listen 0.0.0.0:8080 --network-octet 42
+
+# Generate enrollment token (expires in 3 minutes)
+./oncp-master node token --expiry 3
+
+# Start ostp-server (VPN server)
+sudo ./ostp-server -l 0.0.0.0:443 -p $PSK --master http://localhost:8080
+```
+
+## 🔧 Configuration
+
+### ostp-server Configuration
+
+Create `/etc/ostp/server.json`:
+
+```json
+{
+  "listen_addr": "0.0.0.0:443",
+  "psk": "YOUR_64_CHAR_HEX_PSK",
+  "master_url": "http://localhost:8080",
+  "country_code": "US",
+  "max_clients": 1000
+}
+```
+
+### oncp-master Configuration
+
+Environment variables:
+- `ONCP_DATABASE` - SQLite database path (default: `oncp.db`)
+- `ONCP_NETWORK_OCTET` - Second octet for 10.X.0.0/16 subnet (default: `42`)
+- `ONCP_LOG_LEVEL` - Logging level: error, warn, info, debug, trace
+
+## 🌐 Network Architecture
+
+**Master Node Subnet:** `10.X.0.0/16` (where X = network-octet)
+- Master Node IP: `10.X.0.1`
+- Client IPs: `10.X.0.2` - `10.X.255.254`
+- Capacity: ~65,000 clients per Master Node
+
+## 🔐 Security Features
+
+### OTP Enrollment Tokens
+Nodes must provide time-limited one-time tokens during enrollment:
+
+```bash
+# Generate token (3 minute expiry)
+./oncp-master node token --expiry 3
+
+# Node uses token in enrollment request
+./ostp-server --token ABC123XYZ0 --master https://master-url
+```
+
+### Silent Validation
+Invalid tokens result in silent connection close (HTTP 444) - prevents enumeration.
+
+## 📊 Management Commands
+
+### Node Management
+
+```bash
+# List pending enrollments
+./oncp-master node pending
+
+# Approve node (allocates IP + generates PSK)
+./oncp-master node approve <node-id>
+
+# Reject enrollment
+./oncp-master node reject <node-id>
+
+# List all nodes
+./oncp-master node list
+```
+
+### User Management
+
+```bash
+# Create user with 100GB quota, 30 days
+./oncp-master user create --quota 100 --days 30
+
+# List users
+./oncp-master user list
+
+# Show network statistics
+./oncp-master stats
+```
+
+### SNI Management
+
+```bash
+# Update SNI domains for specific country
+./oncp-master sni update --country RU --add example.com
+
+# Block domain globally
+./oncp-master sni block --domain blocked.com
+```
+
+## 🖥️ System Requirements
+
+- **OS:** Any Linux distribution with glibc or musl (universal binary)
+- **RAM:** 512 MB minimum, 2 GB recommended
+- **CPU:** 1 core minimum, 2+ cores recommended
+- **Network:** Public IP with ports 443 (ostp-server), 8080 (oncp-master) open
+- **Storage:** 100 MB for binaries, 1 GB+ for logs/database
+
+## 🛡️ Firewall Configuration
+
+```bash
+# Allow ostp-server (VPN)
+sudo ufw allow 443/tcp
+
+# Allow oncp-master API (restrict to internal network in production)
+sudo ufw allow 8080/tcp
+```
+
+## 📝 Logs
+
+- **ostp-server:** `/var/log/ostp-server.log` or stdout
+- **oncp-master:** `/var/log/oncp-master.log` or stdout
+
+View logs with systemd:
+```bash
+sudo journalctl -u ostp-server -f
+sudo journalctl -u oncp-master -f
+```
+
+## 🔄 Updates
+
+```bash
+# Stop services
+sudo systemctl stop ostp-server oncp-master
+
+# Replace binaries
+sudo cp ostp-server oncp-master /usr/local/bin/
+
+# Restart services
+sudo systemctl start ostp-server oncp-master
+```
+
+## 📚 Documentation
+
+- Project Repository: https://github.com/ospab/ospab.network
+- Architecture Overview: See `prompt.md` in repository
+- API Documentation: `http://<master-ip>:8080/health` (health check)
+
+## ⚠️ Production Checklist
+
+- [ ] Change default PSK (64 hex characters)
+- [ ] Configure unique network octet (0-255, avoid 0 and 255)
+- [ ] Set up SSL/TLS for oncp-master API (use reverse proxy)
+- [ ] Restrict oncp-master port to internal network
+- [ ] Configure log rotation
+- [ ] Set up monitoring (Prometheus/Grafana)
+- [ ] Enable automatic backups of oncp.db
+- [ ] Configure firewall rules
+- [ ] Set resource limits in systemd services
+
+## 🆘 Support
+
+For issues and questions:
+- GitHub Issues: https://github.com/ospab/ospab.network/issues
+- Security: Report vulnerabilities via private disclosure
+
+---
+
+**Version:** 0.1.0  
+**Build Date:** January 2, 2026  
+**License:** Proprietary

dist/linux-x64/SHA256SUMS

@@ -0,0 +1,2 @@
+53de7690ddcd22828d1d2c55bec75e7a43aa6476827d8162615549b08a1a39dc  oncp-master
+d3ec5b5ee8c90f1f92667458f44a795159157ae64e8d5073888838fbfce286e2  ostp-server

dist/linux-x64/deploy.sh

@@ -0,0 +1,221 @@
+#!/bin/bash
+set -e
+
+# OSTP Server - Automated Deployment Script
+# Version: 0.1.0
+# Requires: root/sudo access
+
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+NC='\033[0m' # No Color
+
+echo -e "${GREEN}╔════════════════════════════════════════╗${NC}"
+echo -e "${GREEN}║   OSTP Server Deployment Script       ║${NC}"
+echo -e "${GREEN}║   Version 0.1.0                        ║${NC}"
+echo -e "${GREEN}╚════════════════════════════════════════╝${NC}"
+echo
+
+# Check if running as root
+if [[ $EUID -ne 0 ]]; then
+   echo -e "${RED}Error: This script must be run as root${NC}"
+   echo "Usage: sudo ./deploy.sh"
+   exit 1
+fi
+
+# Check if binaries exist
+if [ ! -f "ostp-server" ] || [ ! -f "oncp-master" ]; then
+    echo -e "${RED}Error: Binaries not found in current directory${NC}"
+    exit 1
+fi
+
+# Verify checksums
+echo -e "${YELLOW}→${NC} Verifying integrity..."
+if sha256sum -c SHA256SUMS > /dev/null 2>&1; then
+    echo -e "${GREEN}✓${NC} Checksums verified"
+else
+    echo -e "${RED}✗${NC} Checksum verification failed!"
+    read -p "Continue anyway? (y/N): " -n 1 -r
+    echo
+    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+        exit 1
+    fi
+fi
+
+# Configuration prompts
+echo
+echo -e "${YELLOW}═══ Configuration ═══${NC}"
+read -p "Network octet (10.X.0.0/16, default 42): " NETWORK_OCTET
+NETWORK_OCTET=${NETWORK_OCTET:-42}
+
+read -p "ostp-server listen port (default 443): " OSTP_PORT
+OSTP_PORT=${OSTP_PORT:-443}
+
+read -p "oncp-master listen port (default 8080): " ONCP_PORT
+ONCP_PORT=${ONCP_PORT:-8080}
+
+read -p "Install directory (default /usr/local/bin): " INSTALL_DIR
+INSTALL_DIR=${INSTALL_DIR:-/usr/local/bin}
+
+read -p "Config directory (default /etc/ostp): " CONFIG_DIR
+CONFIG_DIR=${CONFIG_DIR:-/etc/ostp}
+
+read -p "Database directory (default /var/lib/ostp): " DATA_DIR
+DATA_DIR=${DATA_DIR:-/var/lib/ostp}
+
+# Generate PSK
+echo
+echo -e "${YELLOW}→${NC} Generating PSK..."
+PSK=$(openssl rand -hex 32)
+echo -e "${GREEN}✓${NC} PSK generated: ${YELLOW}${PSK}${NC}"
+echo -e "${RED}⚠ SAVE THIS PSK! It will be stored in ${CONFIG_DIR}/server.json${NC}"
+
+# Create directories
+echo
+echo -e "${YELLOW}→${NC} Creating directories..."
+mkdir -p "$INSTALL_DIR"
+mkdir -p "$CONFIG_DIR"
+mkdir -p "$DATA_DIR"
+mkdir -p /var/log/ostp
+
+# Install binaries
+echo -e "${YELLOW}→${NC} Installing binaries..."
+cp ostp-server oncp-master "$INSTALL_DIR/"
+chmod +x "$INSTALL_DIR/ostp-server" "$INSTALL_DIR/oncp-master"
+echo -e "${GREEN}✓${NC} Binaries installed to $INSTALL_DIR"
+
+# Create ostp-server config
+cat > "$CONFIG_DIR/server.json" <<EOF
+{
+  "listen_addr": "0.0.0.0:${OSTP_PORT}",
+  "psk": "${PSK}",
+  "master_url": "http://127.0.0.1:${ONCP_PORT}",
+  "country_code": "US",
+  "max_clients": 1000
+}
+EOF
+chmod 600 "$CONFIG_DIR/server.json"
+echo -e "${GREEN}✓${NC} Configuration saved to $CONFIG_DIR/server.json"
+
+# Create systemd service for oncp-master
+cat > /etc/systemd/system/oncp-master.service <<EOF
+[Unit]
+Description=ONCP Master Node - Control Plane API
+After=network.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=${DATA_DIR}
+Environment="ONCP_DATABASE=${DATA_DIR}/oncp.db"
+Environment="ONCP_NETWORK_OCTET=${NETWORK_OCTET}"
+ExecStart=${INSTALL_DIR}/oncp-master serve --listen 0.0.0.0:${ONCP_PORT} --network-octet ${NETWORK_OCTET}
+Restart=on-failure
+RestartSec=5s
+StandardOutput=append:/var/log/ostp/oncp-master.log
+StandardError=append:/var/log/ostp/oncp-master.log
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=${DATA_DIR} /var/log/ostp
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Create systemd service for ostp-server
+cat > /etc/systemd/system/ostp-server.service <<EOF
+[Unit]
+Description=OSTP VPN Server
+After=network.target oncp-master.service
+Requires=oncp-master.service
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=${CONFIG_DIR}
+ExecStart=${INSTALL_DIR}/ostp-server -c ${CONFIG_DIR}/server.json
+Restart=on-failure
+RestartSec=5s
+StandardOutput=append:/var/log/ostp/ostp-server.log
+StandardError=append:/var/log/ostp/ostp-server.log
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/log/ostp
+
+# Resource limits
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+echo -e "${GREEN}✓${NC} Systemd services created"
+
+# Reload systemd
+systemctl daemon-reload
+
+# Configure firewall (if ufw is available)
+if command -v ufw &> /dev/null; then
+    echo -e "${YELLOW}→${NC} Configuring firewall..."
+    ufw allow ${OSTP_PORT}/tcp comment "OSTP VPN Server"
+    echo -e "${GREEN}✓${NC} Firewall rule added for port ${OSTP_PORT}"
+    echo -e "${YELLOW}⚠${NC} Note: Port ${ONCP_PORT} (oncp-master) not exposed. Restrict to internal network in production!"
+fi
+
+# Enable and start services
+echo
+echo -e "${YELLOW}→${NC} Starting services..."
+systemctl enable oncp-master ostp-server
+systemctl start oncp-master
+
+# Wait for oncp-master to start
+sleep 2
+
+# Generate enrollment token
+echo -e "${YELLOW}→${NC} Generating enrollment token..."
+TOKEN=$(${INSTALL_DIR}/oncp-master node token --expiry 60 2>/dev/null | grep -A1 "Token:" | tail -1 | xargs)
+echo -e "${GREEN}✓${NC} Enrollment token (60 min): ${YELLOW}${TOKEN}${NC}"
+
+# Start ostp-server
+systemctl start ostp-server
+
+echo
+echo -e "${GREEN}╔════════════════════════════════════════╗${NC}"
+echo -e "${GREEN}║   Deployment Complete! ✓               ║${NC}"
+echo -e "${GREEN}╚════════════════════════════════════════╝${NC}"
+echo
+echo -e "${YELLOW}Services Status:${NC}"
+systemctl status oncp-master --no-pager -l || true
+systemctl status ostp-server --no-pager -l || true
+echo
+echo -e "${YELLOW}Important Information:${NC}"
+echo -e "  • Network: ${GREEN}10.${NETWORK_OCTET}.0.0/16${NC}"
+echo -e "  • Master IP: ${GREEN}10.${NETWORK_OCTET}.0.1${NC}"
+echo -e "  • PSK: ${YELLOW}${PSK}${NC}"
+echo -e "  • Enrollment Token: ${YELLOW}${TOKEN}${NC} (expires in 60 minutes)"
+echo -e "  • Config: ${CONFIG_DIR}/server.json"
+echo -e "  • Database: ${DATA_DIR}/oncp.db"
+echo -e "  • Logs: /var/log/ostp/"
+echo
+echo -e "${YELLOW}Next Steps:${NC}"
+echo -e "  1. Enroll nodes: ${GREEN}ostp-server --token ${TOKEN} --master https://your-master${NC}"
+echo -e "  2. Approve nodes: ${GREEN}oncp-master node pending${NC} → ${GREEN}oncp-master node approve <id>${NC}"
+echo -e "  3. Create users: ${GREEN}oncp-master user create --quota 100 --days 30${NC}"
+echo -e "  4. Monitor logs: ${GREEN}journalctl -u ostp-server -f${NC}"
+echo
+echo -e "${RED}⚠ Security Reminder:${NC}"
+echo -e "  • Save PSK in password manager"
+echo -e "  • Restrict port ${ONCP_PORT} to internal network"
+echo -e "  • Set up SSL/TLS reverse proxy for production"
+echo -e "  • Configure log rotation"
+echo
+
+exit 0

dist/linux-x64/oncp-master.service

@@ -0,0 +1,30 @@
+[Unit]
+Description=ONCP Master Node - Control Plane API
+After=network.target
+Documentation=https://github.com/ospab/ospab.network
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/var/lib/ostp
+Environment="ONCP_DATABASE=/var/lib/ostp/oncp.db"
+Environment="ONCP_NETWORK_OCTET=42"
+Environment="ONCP_LOG_LEVEL=info"
+ExecStart=/usr/local/bin/oncp-master serve --listen 0.0.0.0:8080 --network-octet 42
+Restart=on-failure
+RestartSec=5s
+StandardOutput=append:/var/log/ostp/oncp-master.log
+StandardError=append:/var/log/ostp/oncp-master.log
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/ostp /var/log/ostp
+
+# Resource limits
+LimitNOFILE=4096
+
+[Install]
+WantedBy=multi-user.target

dist/linux-x64/ostp-server.service

@@ -0,0 +1,28 @@
+[Unit]
+Description=OSTP VPN Server
+After=network.target
+Documentation=https://github.com/ospab/ospab.network
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/etc/ostp
+ExecStart=/usr/local/bin/ostp-server -c /etc/ostp/server.json
+Restart=on-failure
+RestartSec=5s
+StandardOutput=append:/var/log/ostp/ostp-server.log
+StandardError=append:/var/log/ostp/ostp-server.log
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/log/ostp
+
+# Resource limits
+LimitNOFILE=65536
+LimitNPROC=512
+
+[Install]
+WantedBy=multi-user.target

dist/linux-x64/server-enrollment.json.example

@@ -0,0 +1,8 @@
+{
+  "listen_addr": "0.0.0.0:443",
+  "enrollment_token": "ABC123XYZ0",
+  "master_url": "https://master-node.example.com:8080",
+  "country_code": "US",
+  "region": "us-west",
+  "node_name": "node-01"
+}

dist/linux-x64/server.json.example

@@ -0,0 +1,7 @@
+{
+  "listen_addr": "0.0.0.0:443",
+  "psk": "CHANGE_THIS_64_CHARACTER_HEX_PSK_GENERATED_WITH_OPENSSL_RAND",
+  "master_url": "http://127.0.0.1:8080",
+  "country_code": "US",
+  "max_clients": 1000
+}