diff --git a/index.html b/index.html index 18b945a..6afe054 100644 --- a/index.html +++ b/index.html @@ -41,22 +41,22 @@

How It Works

1
-

Deploy

-

Push your container image via GitHub Actions. The deploy-workload action POSTs your deploy spec to dd-agent's API through the Cloudflare tunnel. No SSH keys, no raw IPs.

+

Declare

+

Write your app as one JSON spec at apps/<name>/workload.json — or paste it inline in your GitHub Actions workflow. A workload is {app_name, cmd, env, github_release}: a container, a binary, a shell script, your call.

2
-

Attest

-

The TDX VM generates a cryptographic quote proving the exact code running inside the enclave. EasyEnclave's attestation API lets you verify the measurement against known-good builds.

+

Deploy

+

Push via GitHub Actions — the deploy-workload action POSTs the spec to the agent's /deploy through its Cloudflare tunnel. No SSH, no raw IPs, no port forwards. Or skip the action and bake it as a boot workload.

3
-

Run

-

Your workload runs inside hardware-encrypted memory. The fleet dashboard shows health, metrics, and attestation status across all your agents. Logs stay inside the enclave boundary.

+

Attest & run

+

Intel TDX seals the guest memory; the agent mints a quote and the CP verifies it via Intel Trust Authority at /register. Your workload runs inside hardware-encrypted memory while the fleet dashboard streams live CPU, disk, and network metrics.
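Review bot: the rewritten step 3 no longer says what the quote is checked against. The removed step 2 stated that EasyEnclave's attestation API lets you verify the measurement against known-good builds; the new "Attest & run" copy only says the CP verifies the quote via Intel Trust Authority at /register, which reads as proving TDX is present rather than proving the expected workload is running. Suggest keeping the known-good-builds sentence. The removed "Logs stay inside the enclave boundary" guarantee also has no replacement; if it still holds, say so, since the new text now advertises streaming metrics out of the VM.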

@@ -75,13 +75,13 @@

TDX Attestation

📊
-

Fleet Management

-

dd-web dashboard shows all agents across your infrastructure. Prometheus-style collector scrapes /health. Federation for horizontal scaling.

+

Fleet Metrics

+

CP dashboard scrapes /health on every agent: CPU, memory, per-disk capacity, per-NIC rx/tx, ITA attestation status. Click an agent for detail; open a per-app terminal in the browser.

🚀
-

API-Driven Deploys

-

GitHub Actions deploy workloads via POST /deploy. No SSH. GITHUB_TOKEN auth works out of the box. Retry logic handles tunnel instability.

+

Workloads as JSON

+

Every app — cloudflared, dd-agent, ollama, openclaw, yours — is one file at apps/<name>/workload.json. Boot workloads and runtime deploys share the same schema. Drop in a JSON, ship it.
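Review bot: swapping "API-Driven Deploys" for "Workloads as JSON" removes the only statement of how POST /deploy is authenticated ("GITHUB_TOKEN auth works out of the box") and the note on retry handling for tunnel instability, while the step 2 copy still advertises deploys to the agent's /deploy through the tunnel. Suggest keeping one line on authentication in the features grid. "Fleet Metrics" now adds "open a per-app terminal in the browser"; a browser shell into the enclave deserves a clause on how access to it is gated. Minor: "Drop in a JSON, ship it." reads better as "Drop in a JSON file, ship it."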

@@ -96,7 +96,12 @@

Enclave Runtime

🌐

Cloudflare Tunnels

-

Every agent gets a tunnel hostname. No public IPs, no firewall rules, no port forwarding. dd-register provisions tunnels automatically on registration.

+

Every agent gets a tunnel hostname. No public IPs, no firewall rules, no port forwarding. The CP provisions tunnels automatically on registration.

+
+
+
📜
+

Signed Releases

+

Every devopsdefender binary CI publishes carries a Sigstore-backed GitHub build attestation. gh attestation verify proves a binary came from this repo's release workflow — provable provenance, not trust us.
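Review bot: the Signed Releases copy is hard to parse and under-specifies the check. "Every devopsdefender binary CI publishes carries" should be "Every devopsdefender binary published by CI carries", and "provable provenance, not trust us" should be "provable provenance instead of 'trust us'". More importantly, "gh attestation verify proves a binary came from this repo's release workflow" only holds when the verifier is told which repository or owner to expect; suggest showing the exact command with the repository pinned, so readers do not accept any Sigstore-signed attestation as proof.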

@@ -105,7 +110,7 @@

Cloudflare Tunnels

Architecture

-

1 binary, 2 modes, zero trust.

+

1 binary, 2 modes, workloads as code.

 Customer (browser)
@@ -114,20 +119,20 @@ 

Architecture

Cloudflare Edge ──── tunnel ────> TDX VM | easyenclave (PID 1) - ├── unix socket API - ├── workload: devopsdefender agent - │ ├── /health, /deploy, /exec - │ ├── ITA-signed attestation - │ └── registers with devopsdefender cp - └── workload: openclaw + ollama (podman) - ├── llama3.1:8b (GPU, prod) - └── qwen2.5:0.5b (CPU, preview) + | + └── spawns workloads from apps/*/workload.json + ├── cloudflared (fetch-only, gives us a tunnel) + ├── devopsdefender agent (/health, /deploy, /exec) + ├── podman (static, rootful, daemon-less) + └── container: ollama + openclaw + ├── llama3.1:8b on H100 (prod) + └── qwen2.5:0.5b on CPU (preview) devopsdefender cp (fleet dashboard + management) ├── discovers agents via CF tunnels - ├── scrapes /health (Prometheus-style) - ├── verifies agent ITA tokens at /register - └── web UI: fleet, per-agent terminal, logs + ├── scrapes /health (per-disk + per-NIC metrics) + ├── verifies each agent's ITA quote at /register + └── web UI: fleet table, per-agent detail, in-browser shell
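Review bot: the rewritten tree drops the agent-side "ITA-signed attestation" and "registers with devopsdefender cp" leaves, so the diagram now shows the CP "verifies each agent's ITA quote at /register" with no corresponding edge from the agent; suggest keeping a "registers with cp (ITA-attested)" leaf under the agent. Terminology also shifted from "ITA tokens" to "ITA quote": the VM produces a TDX quote and Intel Trust Authority returns a signed token, so pick one term and use it here and in the "Attest & run" step. Two new leaves need a word of explanation: "cloudflared (fetch-only, gives us a tunnel)" does not say what fetch-only restricts, and "podman (static, rootful, daemon-less)" means containers run as root inside the guest, which widens the blast radius of any container breakout; either document why rootful is required or note the plan for rootless.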
@@ -142,7 +147,7 @@

Deploy with GitHub Actions

- uses: devopsdefender/dd/.github/actions/deploy-workload@main
   with:
     agent-url: https://app.devopsdefender.com
-    # deploy-spec: apps/myapp/deploy.json   # or a file path
+    # deploy-spec: apps/myapp/workload.json   # or a file path
     deploy-spec-inline: |
       {
         "app_name": "myapp",
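Review bot: the comment path fix (deploy.json to workload.json) is correct, but the unchanged `agent-url: https://app.devopsdefender.com` is now inconsistent with the step 2 copy, which says the action POSTs the spec to the agent's /deploy through its Cloudflare tunnel; state whether agent-url is the CP address or the agent's tunnel hostname. The snippet also shows no credential input; if GITHUB_TOKEN is picked up implicitly, a one-line comment here would replace the authentication sentence removed from the features grid.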
@@ -159,6 +164,7 @@ 

Deploy with GitHub Actions

deployment: myapp timeout: 300
+

Every workload — dd-agent, cloudflared, ollama, openclaw, yours — is one JSON spec at apps/<name>/workload.json. Boot-time, runtime, first-class; same schema everywhere.
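Review bot: the added paragraph repeats the "Workloads as JSON" feature card almost verbatim (same app list, same apps/<name>/workload.json path); keep one and cross-reference the other. "Boot-time, runtime, first-class; same schema everywhere." is a fragment; suggest "Boot-time and runtime workloads are both first class and share one schema."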