Maritime Network Operating System

Built for the Sea.
Backed by Code.

A multi-tenant, multi-vendor, offline-first network operating system engineered for the unique demands of vessel operations — from satellite uplink to crew WiFi.

109 features • 20 modules • 3 vendors • 100% offline-first
Executive Summary

What We're Building for Unimars NMS

A complete maritime network operating platform that lets Unimars manage entire vessel fleets through a single pane of glass — while every ship keeps running even when satellites drop.

Multi-Tenant SaaS

Three-level hierarchy: Unimars NMS → Distributors → Customers. Strict data isolation through PostgreSQL Row-Level Security.

🛰️ Satellite-Aware

Native drivers for Starlink (gRPC), VSAT (SNMP), 4G/5G (AT commands). Cost-aware routing with bandwidth budget enforcement.

🔌 Vendor-Agnostic

Unified abstraction over MikroTik RouterOS, Cisco IOS-XE, and Fortinet FortiOS. One platform. Three router families. Zero lock-in.

📦 Edge Box on Every Vessel

A pre-imaged mini-PC that runs FreeRADIUS, captive portal, DNS filtering, and sync agent — offline-first, always available.

🔐 Triple-Tunnel Security

WireGuard primary, SSH-over-TLS fallback, Cloudflare Tunnel optional. Encrypted with ChaCha20-Poly1305. License-bound binaries.

📊 Production Observability

Prometheus + Grafana + Loki for platform metrics. Feature flags, staged OTA updates, GDPR-compliant audit trails.

Design Philosophy

Maritime Reality, Reflected in the Code

Every architectural decision exists because vessels are not data centers. Networks drop. Bandwidth costs money. Crews change. Satellites fail.

🌊 Offline-First, Always

Vessels must operate when the cloud is unreachable. Satellite drops can last minutes, hours, or weeks (vessel in port).

How we deliver this: Edge Box runs all critical services locally. Configurations cached. Vouchers redeemed offline. Telemetry buffered and replayed on reconnect.

💰 Bandwidth is Money

Satellite data plans are expensive and capped. A streaming crew member can blow a vessel's monthly budget in a weekend.

How we deliver this: Per-VLAN bandwidth limits, application-level QoS, monthly budget enforcement with auto-actions, and content filtering to block bandwidth-hungry apps.

🚢 Vessels Differ

A small tugboat with a hAP and 10 crew is not a cruise ship with 6-port firewalls and 2,000 guests.

How we deliver this: Three Edge Box hardware tiers (Standard/Industrial/Heavy). Three router vendor drivers. Per-vessel feature flags so individual vessels can be customised safely.

🔒 IP & Data Protection

Source code stays with us. Customer data stays in its own tenancy. A bug or compromise in application code must not be able to expose another tenant's data.

How we deliver this: Compiled binaries on Edge Box only. PostgreSQL Row-Level Security. License validation every 24 hours. Tamper detection with auto-shutdown.

Complete Scope

109 Features Across 20 Modules

Every feature listed here is in scope for Phase 1. Each module below lists the individual capabilities being built.

Module A: Tenant & Fleet Management (8 features • F-01 to F-08)
  • F-01 Multi-tenant SaaS with strict data isolation (Platform → Distributor → Customer)
  • F-02 Tenant onboarding wizard (15-minute setup)
  • F-03 Vessel registration with one-time enrolment tokens
  • F-04 Auto-enrolment of edge devices (zero-touch)
  • F-05 Live fleet world map with health colour coding
  • F-06 Per-vessel detail view with live telemetry
  • F-07 Fleet-wide search and saved filters
  • F-08 Vessel groups and tags for bulk operations
Module B: User & Access Management (6 features • F-09 to F-14)
  • F-09 RBAC with five built-in roles (Super Admin, Tenant Admin, Fleet Manager, Captain, Viewer)
  • F-10 Email invitation and onboarding flow
  • F-11 Two-factor authentication (TOTP)
  • F-12 Session management and force-logout
  • F-13 Hierarchical access tree (Distributor → Franchise → Dealer)
  • F-14 Audit log of every state-changing action
Module J: Platform & DevOps (6 features • F-60 to F-65)
  • F-60 Multi-tenant data isolation at PostgreSQL level (RLS)
  • F-61 Automated daily backups with cross-region replication
  • F-62 Point-in-time database recovery (7 days)
  • F-63 Platform health monitoring for operators
  • F-64 Comprehensive logging and tracing (12-month retention)
  • F-65 Automated CI/CD deployment with auto-rollback
Module M: Multi-lingual UI (5 features • F-82 to F-86)
  • F-82 Full UI translation in 5 languages (EN, RU, ES, AR, ZH)
  • F-83 Language detection (browser locale + user preference)
  • F-84 Per-tenant default language setting
  • F-85 RTL (right-to-left) support for Arabic
  • F-86 Translated notification emails and Telegram alerts
Module C: Network Configuration (10 features • F-15 to F-24)
  • F-15 VLAN segmentation (Operations, Business, Crew, Guest)
  • F-16 Custom VLAN management for special needs
  • F-17 Multi-WAN management (VSAT, Starlink, 4G, port WiFi)
  • F-18 Automatic WAN failover with health monitoring
  • F-19 Cost-aware routing rules
  • F-20 Firewall rule management with templates
  • F-21 Configuration templates for fleet-wide rollout
  • F-22 Daily automated configuration backups
  • F-23 One-click rollback to any historical config
  • F-24 Bulk config push to multiple vessels
Module D: User & Voucher Management (10 features • F-25 to F-34)
  • F-25 PPPoE user management with bulk CSV import
  • F-26 Hotspot user management with quotas
  • F-27 Voucher generation engine (bulk batches)
  • F-28 Voucher PDF printing with tenant branding
  • F-29 Voucher tracking, redemption, and analytics
  • F-30 Branded captive portal per tenant
  • F-31 Multi-language captive portal (EN, RU, ES, AR, FR)
  • F-32 Bandwidth profiles per user/group
  • F-33 Per-user data quotas with auto-disconnect
  • F-34 Force-disconnect from dashboard
Module E: Bandwidth & QoS (4 features • F-35 to F-38)
  • F-35 Per-VLAN bandwidth limits with guaranteed minimums
  • F-36 Application priority (operations, voice, web, bulk)
  • F-37 Burst control for responsive browsing
  • F-38 Time-based bandwidth profiles (day/night)
Module F: Security & VPN (5 features • F-39 to F-43)
  • F-39 VPN management (WireGuard primary, IPsec IKEv2 fallback)
  • F-40 Encrypted ship-shore traffic (ChaCha20-Poly1305)
  • F-41 Fleet-wide MAC address blocklist
  • F-42 Failed-login monitoring with auto-lockout
  • F-43 Encrypted secrets management with KMS
Module K: Content Filtering & Application Control (8 features • F-66 to F-73)
  • F-66 Block YouTube, WhatsApp, TikTok, Facebook, Instagram, Telegram per VLAN
  • F-67 Category filters — gambling, adult, social, gaming, crypto, weapons
  • F-68 Force YouTube Restricted Mode and SafeSearch at network level
  • F-69 Detect and block VPN, proxy, and Tor bypass attempts
  • F-70 Whitelist trusted domains (banking, ERP) with subdomain support
  • F-71 Blacklist phishing and malware domains fleet-wide
  • F-72 DNS activity reports per vessel, per user, per VLAN
  • F-73 Custom failover scripts on WAN events (cost-saving automation)
Module T: Security & Compliance (2 features • F-108, F-109)
  • F-108 Security incident response automation (breach detection, automated credential rotation, IP block lists, GDPR 72-hour notification workflow)
  • F-109 Enhanced audit trail with GDPR-compliant data access logs (immutable, exportable for compliance audits)
Module G: Monitoring & Alerts (6 features • F-44 to F-49)
  • F-44 Real-time telemetry (CPU, RAM, sessions, throughput)
  • F-45 Live bandwidth charts with drill-down
  • F-46 Top talkers report (per vessel and fleet-wide)
  • F-47 Threshold-based alerts with severity escalation
  • F-48 Multi-channel delivery (email, Telegram, webhook)
  • F-49 Alert history and acknowledgement workflow
Module H: Reporting & Analytics (5 features • F-50 to F-54)
  • F-50 Pre-built reports (bandwidth, usage, SLA, revenue)
  • F-51 Custom date range reporting
  • F-52 PDF and Excel export
  • F-53 Scheduled reports via email
  • F-54 WAN cost attribution per vessel
Module L: Vessel Records & Asset Management (8 features • F-74 to F-81)
  • F-74 Stakeholder records per vessel (Owner, DPA, Manager, Agent)
  • F-75 Service plan tracking (Connectivity, IT Solution, GSM, VoIP)
  • F-76 Detailed WAN provider records (Primary/Secondary/Emergency)
  • F-77 GSM SIM card management (SIM1/2/3 per vessel)
  • F-78 Equipment inventory (serial, MAC, IP, delivery date, status)
  • F-79 MarineTraffic/AIS integration for live vessel position
  • F-80 Per-vessel document library (certificates, contracts, photos)
  • F-81 Service history timeline (every change tracked)
Module O: Billing & Invoicing (4 features • F-88 to F-91)
  • F-88 Invoice generation with tenant branding (PDF + email delivery)
  • F-89 Payment status tracking (paid / unpaid / overdue / partial)
  • F-90 Subscription lifecycle management (start / pause / cancel / upgrade)
  • F-91 Pricing plan UI showing current plan, usage vs limits
Module P: User Profile & Account (3 features • F-92 to F-94)
  • F-92 User profile management (avatar, password, 2FA setup)
  • F-93 Notification preferences per user (email, Telegram, in-app)
  • F-94 Account settings (timezone, language, theme)
Module Q: UI Essentials (5 features • F-95 to F-99)
  • F-95 Global search functionality (vessels, users, vouchers, alerts)
  • F-96 Bulk actions UI (multi-select with progress feedback)
  • F-97 CSV/Excel export on every list view
  • F-98 Loading states and skeleton loaders
  • F-99 Empty states + branded error pages (404, 500, 403)
Module R: Support & Onboarding (3 features • F-100 to F-102)
  • F-100 In-app contact support form with attachment upload
  • F-101 Help center / FAQ with searchable knowledge base
  • F-102 First-time user onboarding tour (interactive walkthrough)
Module I: Offline-First Resilience (5 features • F-55 to F-59)
  • F-55 Local edge dashboard accessible over ship LAN
  • F-56 Offline command queue with auto-execution
  • F-57 Telemetry buffering during WAN outages
  • F-58 Automatic VPN reconnection
  • F-59 Conflict resolution on sync (cloud + ship merge)
Module N: Advanced Health Classification (1 feature • F-87)
  • F-87 Router health states classification: ONLINE_REACHABLE / ONLINE_AUTH_FAIL / ONLINE_UNRESPONSIVE / OFFLINE / DEGRADED — five distinct states for better debugging and reduced support tickets
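
The following is an added example, not code from the Unimars NMS project, showing how the five F-87 states can be derived from one poll and then debounced so a single lost packet over a satellite link does not flip a vessel to OFFLINE. The Probe fields, the 90% CPU threshold and the three-poll confirmation window are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"time"
)

// HealthState is one of the five router states from F-87.
type HealthState string

const (
	OnlineReachable    HealthState = "ONLINE_REACHABLE"
	OnlineAuthFail     HealthState = "ONLINE_AUTH_FAIL"
	OnlineUnresponsive HealthState = "ONLINE_UNRESPONSIVE"
	Offline            HealthState = "OFFLINE"
	Degraded           HealthState = "DEGRADED"
)

// Probe is one poll cycle's raw result. Field names and thresholds are assumptions
// for this example, not the product's telemetry schema.
type Probe struct {
	ICMPReply   bool          // router answered ping on its management IP
	APIStatus   int           // HTTP status from the management API, 0 = no response
	APILatency  time.Duration // time to first byte from the API
	CPUPercent  int           // from the router's own telemetry
	WANFailover bool          // router is currently running on a secondary WAN
}

// Classify maps a single probe to a state. The checks run from "no contact at all"
// to "fully healthy" so each state has exactly one cause.
func Classify(p Probe, apiTimeout time.Duration) HealthState {
	switch {
	case !p.ICMPReply && p.APIStatus == 0:
		return Offline // nothing answers: link or power problem
	case p.APIStatus == 0 || p.APILatency > apiTimeout:
		return OnlineUnresponsive // reachable, but the API hangs (often an overloaded router)
	case p.APIStatus == 401 || p.APIStatus == 403:
		return OnlineAuthFail // credentials rotated or API user disabled
	case p.CPUPercent >= 90 || p.WANFailover:
		return Degraded // working, but worth a look before it becomes a ticket
	}
	return OnlineReachable
}

// Tracker debounces state changes: a new state must be observed `confirm` polls in a
// row before it replaces the published one.
type Tracker struct {
	Current   HealthState
	candidate HealthState
	streak    int
	confirm   int
}

func NewTracker(initial HealthState, confirm int) *Tracker {
	return &Tracker{Current: initial, candidate: initial, confirm: confirm}
}

// Observe feeds one classified probe and reports whether the published state changed.
func (t *Tracker) Observe(s HealthState) (HealthState, bool) {
	if s == t.Current {
		t.candidate, t.streak = s, 0
		return t.Current, false
	}
	if s == t.candidate {
		t.streak++
	} else {
		t.candidate, t.streak = s, 1
	}
	if t.streak >= t.confirm {
		t.Current, t.streak = s, 0
		return s, true
	}
	return t.Current, false
}

func main() {
	// Constructed probe sequence: healthy, one dropped poll, healthy, then a real outage.
	probes := []Probe{
		{true, 200, 80 * time.Millisecond, 35, false},
		{false, 0, 0, 0, false},
		{true, 200, 90 * time.Millisecond, 35, false},
		{false, 0, 0, 0, false},
		{false, 0, 0, 0, false},
		{false, 0, 0, 0, false},
	}
	tr := NewTracker(OnlineReachable, 3)
	for i, p := range probes {
		state, changed := tr.Observe(Classify(p, 5*time.Second))
		fmt.Printf("poll %d -> %s (changed=%v)\n", i+1, state, changed)
	}
}
```

The single dropped poll at step 2 never reaches the dashboard; only three consecutive OFFLINE observations (polls 4 to 6) change the published state, which is what keeps the alert channel quiet on a flapping satellite link.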
Module S: Platform Observability & Operations (5 features • F-103 to F-107)
  • F-103 Prometheus + Grafana for platform metrics (cloud health, API latency, queue depth, error rates) — internal NOC dashboard
  • F-104 Centralized log aggregation (Loki + Promtail) with search and 90-day retention
  • F-105 Feature flag system (Unleash self-hosted) for safe per-vessel/per-tenant rollout with kill-switch
  • F-106 Staged OTA update orchestration (canary → 10% → 50% → 100%) with automatic rollback
  • F-107 Edge Box update health dashboard (per-vessel update status, success rate, rollback count)
System Architecture

The Complete Data Flow

From a user's phone in the crew lounge, all the way through the captive portal, the router, the satellite, the cloud platform, and back — every layer designed to keep working when something fails.

Cloud platform (SaaS, multi-tenant, EU region):
  • NestJS API: REST + WebSocket, multi-tenant guards
  • PostgreSQL 16: Row-Level Security + TimescaleDB
  • Redis + BullMQ: cache, jobs, sessions
  • EMQX MQTT: telemetry broker, 3-node cluster
  • Go Poller: high-frequency device polling

Triple tunnel (encrypted end-to-end): WireGuard UDP primary • SSH-over-TLS on TCP 443 fallback • Cloudflare Tunnel (premium). Commands flow cloud → ship, telemetry flows ship → cloud, and an offline buffer replays on reconnect.

Edge Box (one per vessel): Beelink S12 Pro / Protectli V1410 / V1610, Debian 12 + Docker
  • Sync Agent (Go binary)
  • Local Web UI (compiled)
  • SQLite store (embedded)
  • FreeRADIUS: auth + voucher
  • Coova-Chilli: captive portal
  • AdGuard Home: DNS filter

Vendor abstraction layer (Go interface): drives all 3 router families.

Router (any supported vendor): MikroTik 7.10+ • Cisco IOS-XE 16.6+ • Fortinet 7.0+

Multi-WAN (failover + cost-aware routing): Starlink (gRPC) • VSAT (SNMP) • OneWeb • Iridium • 4G/5G LTE (AT)
Cloud Layer

What Runs in the Cloud

The Unimars NMS cloud is the brain. Multi-tenant, EU-hosted, horizontally scalable, and designed so that every tenant's data is isolated by the database itself, not only by application code.

🚪 NestJS API on Fastify

The primary HTTP/WebSocket layer. Multi-tenant guards inject the tenant context on every request. RBAC enforced at controller level.

REST   WebSocket   OpenAPI

🗄️ PostgreSQL 16 + Timescale

Row-Level Security policies enforce tenant boundaries at the SQL level, so a bug in application code cannot return another tenant's rows. That guarantee holds only when the application connects as a role that does not bypass RLS (not a superuser or the table owner) and the tenant context the policies check is set from the authenticated session rather than from request input. TimescaleDB hypertables for telemetry.

RLS   PITR   HA

Redis + BullMQ

Sessions, cache, and the job queue. BullMQ processes async tasks like voucher batch generation, scheduled reports, and bulk config pushes.

Cache   Queue   Pub/Sub

📨 EMQX MQTT Broker

3-node cluster handling vessel telemetry. Designed for IoT scale — offline buffering, QoS levels, and store-and-forward semantics that survive long satellite outages.

QoS 1/2   TLS

🤖 Go Poller Service

High-frequency poller that talks to Edge Boxes via gRPC over WireGuard. Compiled binary, native concurrency, low memory footprint — designed for thousands of concurrent vessel connections.

gRPC   Concurrent

📊 Prometheus + Grafana + Loki

Internal NOC dashboard. Tracks API latency, queue depth, error rates, and aggregates logs from cloud + every Edge Box. 90-day log retention, searchable from a single pane.

Metrics   Logs   Alerts

Edge Layer

What Runs on the Vessel

Every vessel ships with one Edge Box — a pre-imaged mini-PC running Debian 12 and Docker. It's the local brain that keeps the vessel running even when the cloud is unreachable.

  • sync-agent: Go binary, talks to the cloud
  • local-ui: compiled Next.js
  • SQLite: embedded store, ~5 MB RAM
  • freeradius: auth + voucher backend
  • coova-chilli: captive portal
  • adguard-home: DNS filtering
  • wireguard: tunnel client
  • node-exporter: metrics → cloud

🔋 Self-Healing

The Edge Box watches itself. Hardware watchdog reboots if the kernel hangs. Sync-agent restarts on crash. WireGuard tunnel renegotiates if stale. Disk >90% triggers log rotation. LED on the front panel shows status at a glance — green = healthy, yellow = degraded, red = needs attention.

📦 Offline Telemetry Buffer

1 GB local buffer. Telemetry compressed with zstd (~10:1 ratio). Up to 30 days of data buffered if cloud unreachable. Five priority levels — critical events never dropped, verbose debug logs dropped first when buffer fills. Replays in priority order when cloud returns.
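
As an added example (not the sync-agent's own code), the buffer below implements the drop and replay policy this section describes: a byte-bounded store with one FIFO per priority, eviction of the lowest priority first when full, a Critical level that is never dropped, and replay in priority order. The level names, the byte limit and the sample messages are assumptions; zstd compression is left out.

```go
package main

import "fmt"

// Priority levels, lowest first. Verbose is dropped first when the buffer fills;
// Critical is never dropped. Names are assumed for this example.
type Priority int

const (
	Verbose Priority = iota
	Debug
	Info
	Warning
	Critical
)

// Event is one buffered telemetry record. On the real Edge Box the payload would
// be zstd-compressed; compression is omitted here.
type Event struct {
	Priority Priority
	Seq      uint64 // monotonic insertion order, preserved within a priority
	Payload  []byte
}

// Buffer is a byte-bounded store-and-forward queue with one FIFO per priority.
type Buffer struct {
	limit   int
	used    int
	seq     uint64
	byPrio  [Critical + 1][]Event
	dropped [Critical + 1]int
}

func NewBuffer(limitBytes int) *Buffer { return &Buffer{limit: limitBytes} }

// Push stores an event. When the buffer is full it evicts the oldest events of the
// lowest priority below the incoming one. If nothing lower exists, the incoming
// event is dropped instead, except a Critical event, which is kept even if the
// limit is briefly exceeded.
func (b *Buffer) Push(p Priority, payload []byte) bool {
	need := len(payload)
	for b.used+need > b.limit {
		if !b.evictBelow(p) {
			if p == Critical {
				break
			}
			b.dropped[p]++
			return false
		}
	}
	b.seq++
	b.byPrio[p] = append(b.byPrio[p], Event{Priority: p, Seq: b.seq, Payload: payload})
	b.used += need
	return true
}

// evictBelow removes the oldest event of the lowest non-empty priority under p.
func (b *Buffer) evictBelow(p Priority) bool {
	for q := Verbose; q < p; q++ {
		if len(b.byPrio[q]) == 0 {
			continue
		}
		ev := b.byPrio[q][0]
		b.byPrio[q] = b.byPrio[q][1:]
		b.used -= len(ev.Payload)
		b.dropped[q]++
		return true
	}
	return false
}

// Drain returns everything for replay, highest priority first and oldest first
// within a priority, then empties the buffer.
func (b *Buffer) Drain() []Event {
	var out []Event
	for p := Critical; p >= Verbose; p-- {
		out = append(out, b.byPrio[p]...)
		b.byPrio[p] = nil
	}
	b.used = 0
	return out
}

func (b *Buffer) Used() int              { return b.used }
func (b *Buffer) Dropped(p Priority) int { return b.dropped[p] }

func main() {
	// Constructed scenario: a deliberately tiny buffer so eviction is visible.
	b := NewBuffer(120)
	b.Push(Verbose, []byte("verbose: dns cache stats, 412 entries"))
	b.Push(Debug, []byte("debug: radius accounting interim update sent"))
	b.Push(Info, []byte("info: voucher redeemed by user crew17"))
	b.Push(Critical, []byte("CRIT: WAN0 (Starlink) down, failover to VSAT"))
	for _, ev := range b.Drain() {
		fmt.Printf("replay prio=%d seq=%d %s\n", ev.Priority, ev.Seq, ev.Payload)
	}
	fmt.Println("dropped verbose:", b.Dropped(Verbose), "debug:", b.Dropped(Debug))
}
```

Seq carries the original order into the replay, so the cloud can reassemble the timeline even though Critical events arrive before the Info events that preceded them in time.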

🛟 Recovery Partition

Two partitions on internal storage: primary (active OS) and fallback (read-only baseline). If a software update bricks the primary, the system boots from fallback automatically. Captain just needs to power-cycle.

⚖️ Conflict Resolution

When the Edge Box reconnects after a long outage, conflicts can arise. Version vectors detect writes that happened concurrently on both sides; writes that are causally ordered simply take the newer version. For concurrent writes a per-domain rule decides: network configs → cloud wins; voucher redemptions → edge wins; telemetry → edge wins. Manual override is available in the dashboard for ambiguous cases.
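
The merge rule above, as an added example that is not the project's sync code: a small version-vector comparison distinguishes "one side is simply newer" from a genuine concurrent edit, and only the latter invokes the domain rule and raises a Conflict flag for the dashboard. Replica names, domains and record shapes are assumptions for this illustration.

```go
package main

import "fmt"

// Replica names: the two writers that can diverge during an outage.
const (
	Cloud = "cloud"
	Edge  = "edge"
)

// VersionVector counts the writes each replica has applied to a record.
type VersionVector map[string]uint64

// Compare returns -1 if a happened before b, 1 if after, 0 if equal, 2 if concurrent.
func Compare(a, b VersionVector) int {
	less, greater := false, false
	seen := map[string]bool{}
	for _, vv := range []VersionVector{a, b} {
		for k := range vv {
			seen[k] = true
		}
	}
	for k := range seen {
		switch {
		case a[k] < b[k]:
			less = true
		case a[k] > b[k]:
			greater = true
		}
	}
	switch {
	case less && greater:
		return 2
	case less:
		return -1
	case greater:
		return 1
	}
	return 0
}

// Merge takes the element-wise maximum so both sides converge on one vector.
func Merge(a, b VersionVector) VersionVector {
	out := VersionVector{}
	for k, v := range a {
		out[k] = v
	}
	for k, v := range b {
		if v > out[k] {
			out[k] = v
		}
	}
	return out
}

// Domain selects the tie-break rule for concurrent writes.
type Domain int

const (
	NetworkConfig     Domain = iota // cloud wins
	VoucherRedemption               // edge wins: the crew member already got online
	Telemetry                       // edge wins: the ship is the source of truth
)

type Record struct {
	Key   string
	Value string
	VV    VersionVector
}

type Resolution struct {
	Winner   Record
	Conflict bool // true when the writes were concurrent and a domain rule decided
}

// Resolve merges the cloud and edge copies of one record when the Edge Box reconnects.
func Resolve(d Domain, cloud, edge Record) Resolution {
	switch Compare(cloud.VV, edge.VV) {
	case 1:
		return Resolution{Winner: cloud} // edge copy is stale
	case -1:
		return Resolution{Winner: edge} // cloud copy is stale
	case 0:
		return Resolution{Winner: cloud} // identical
	}
	w := edge
	if d == NetworkConfig {
		w = cloud
	}
	w.VV = Merge(cloud.VV, edge.VV)
	return Resolution{Winner: w, Conflict: true} // flagged for manual override in the dashboard
}

func main() {
	// Constructed conflict: both sides changed the crew VLAN rate limit during an outage.
	cloudCopy := Record{"vlan/crew/rate-limit", "20M/5M", VersionVector{Cloud: 2, Edge: 1}}
	edgeCopy := Record{"vlan/crew/rate-limit", "10M/2M", VersionVector{Cloud: 1, Edge: 2}}
	r := Resolve(NetworkConfig, cloudCopy, edgeCopy)
	fmt.Printf("winner=%s conflict=%v vv=%v\n", r.Winner.Value, r.Conflict, r.Winner.VV)
}
```

Because Merge is applied to the winner, the next write on either side is causally after the resolution and will not be reported as a conflict again.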

Connectivity Layer

Triple-Tunnel Strategy

Three independent paths from vessel to cloud. If the primary fails, the secondary takes over. If both fail, the optional third path uses Cloudflare's edge network — harder to block, even on hostile networks.

Cloud (api.unimars-nms.com, EU region) ⇄ Vessel (Edge Box behind satellite NAT):
  1. WireGuard (UDP 51820), primary: ChaCha20-Poly1305, single round-trip handshake
  2. SSH-over-TLS (TCP 443), fallback: disguised as HTTPS, survives UDP blocking
  3. Cloudflare Tunnel (optional), premium: outbound-only, works on any network

✅ Tunnel 1 — Primary

WireGuard over UDP. Modern, fast, ChaCha20-Poly1305 encryption. Default for 95% of vessels. The handshake is a single round trip, so it completes in one link RTT (fast on Starlink, noticeably slower on GEO VSAT). Persistent keepalive every 25 seconds keeps the NAT mapping alive.

⚠️ Tunnel 2 — Fallback

SSH wrapped in TLS on port 443. Activates when UDP is blocked (some hotel/port WiFi networks). To a port-based firewall it looks like ordinary HTTPS; deep packet inspection that fingerprints TLS clients or traffic patterns can still single it out. Zero customer configuration.

🛡️ Tunnel 3 — Premium

Cloudflare Tunnel. Outbound-only — no inbound ports needed at all. Works on the most restricted networks. Optional add-on for vessels with extreme network constraints.

Vendor Support

Three Router Families. One Platform.

The vendor abstraction layer means Unimars NMS speaks the same language to every router brand. Issue a "create VLAN" command in the dashboard, and the platform translates it into the right API call for whatever router that vessel happens to have.
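
The following is an added example, not the project's driver code, of how such a Go interface can translate one vendor-neutral "create VLAN" request into three vendor-specific API calls. It returns the request the platform would send rather than sending it. The RouterOS and FortiOS endpoints follow the public vendor REST APIs; the IOS-XE RESTCONF path against the native YANG model is illustrative and should be verified against the device's own models; the VLANSpec fields, the Parent naming and the vendor keys are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// VLANSpec is the vendor-neutral "create VLAN" request the dashboard issues.
type VLANSpec struct {
	Name   string // human name, e.g. "crew"
	ID     int    // 802.1Q tag, 1-4094
	Parent string // parent interface on the router (naming is vendor-specific)
}

// APIRequest is the vendor-specific HTTP call a driver would send.
type APIRequest struct {
	Method string
	Path   string
	Body   string
}

// RouterDriver is the Go interface every router family implements.
type RouterDriver interface {
	CreateVLAN(v VLANSpec) (APIRequest, error)
}

// validate is the vendor-independent check that runs before any translation.
func validate(v VLANSpec) error {
	if v.ID < 1 || v.ID > 4094 {
		return fmt.Errorf("vlan id %d outside 1-4094", v.ID)
	}
	if v.Name == "" || v.Parent == "" {
		return fmt.Errorf("vlan name and parent interface are required")
	}
	return nil
}

func jsonBody(m map[string]any) string {
	b, _ := json.Marshal(m)
	return string(b)
}

// MikroTik: RouterOS REST API, where PUT creates a new object.
type MikroTik struct{}

func (MikroTik) CreateVLAN(v VLANSpec) (APIRequest, error) {
	if err := validate(v); err != nil {
		return APIRequest{}, err
	}
	return APIRequest{"PUT", "/rest/interface/vlan",
		jsonBody(map[string]any{"name": v.Name, "vlan-id": v.ID, "interface": v.Parent})}, nil
}

// Cisco IOS-XE: RESTCONF against the native YANG model. This creates the VLAN
// database entry; binding it to Parent as a subinterface is a second call (omitted).
// Path and container names are illustrative; verify against the device's YANG models.
type CiscoIOSXE struct{}

func (CiscoIOSXE) CreateVLAN(v VLANSpec) (APIRequest, error) {
	if err := validate(v); err != nil {
		return APIRequest{}, err
	}
	return APIRequest{"POST", "/restconf/data/Cisco-IOS-XE-native:native/vlan",
		jsonBody(map[string]any{"Cisco-IOS-XE-vlan:vlan-list": []map[string]any{{"id": v.ID, "name": v.Name}}})}, nil
}

// Fortinet: FortiOS REST API, where a VLAN is a system interface of type "vlan".
type FortiOS struct{}

func (FortiOS) CreateVLAN(v VLANSpec) (APIRequest, error) {
	if err := validate(v); err != nil {
		return APIRequest{}, err
	}
	return APIRequest{"POST", "/api/v2/cmdb/system/interface",
		jsonBody(map[string]any{"name": v.Name, "type": "vlan", "vlanid": v.ID, "interface": v.Parent})}, nil
}

// drivers maps the vendor string stored on the vessel record to its driver (assumed keys).
var drivers = map[string]RouterDriver{
	"mikrotik": MikroTik{},
	"cisco":    CiscoIOSXE{},
	"fortinet": FortiOS{},
}

// TranslateCreateVLAN is the single entry point the dashboard calls.
func TranslateCreateVLAN(vendor string, v VLANSpec) (APIRequest, error) {
	d, ok := drivers[vendor]
	if !ok {
		return APIRequest{}, fmt.Errorf("unsupported vendor %q", vendor)
	}
	return d.CreateVLAN(v)
}

func main() {
	spec := VLANSpec{Name: "crew", ID: 100, Parent: "bridge"} // constructed request
	for _, vendor := range []string{"mikrotik", "cisco", "fortinet"} {
		req, err := TranslateCreateVLAN(vendor, spec)
		if err != nil {
			fmt.Println(vendor, "error:", err)
			continue
		}
		fmt.Printf("%-8s %s %s %s\n", vendor, req.Method, req.Path, req.Body)
	}
}
```

Keeping validation in front of every driver means an out-of-range tag or an empty parent is rejected once, before any vendor-specific code runs, and a new vendor in Phase 2 only needs to implement CreateVLAN.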

MikroTik RouterOS

Minimum v7.10+ (v6 not supported)

The most common vendor in commercial maritime. Cost-effective, capable, with native WireGuard and a clean REST API.

  • Native REST API (HTTPS port 443)
  • Binary API (TCP 8729) for telemetry
  • Native WireGuard from v7.0
  • Container support from v7.4
  • Built-in hotspot + voucher
  • Free firmware upgrades from MikroTik

Cisco IOS-XE

Minimum v16.6+ (Classic IOS not supported)

Premium tier — found on larger commercial vessels and managed service contracts. Modern programmability via NETCONF/RESTCONF/gRPC.

  • RESTCONF (HTTPS) — primary
  • NETCONF (SSH 830) — complex configs
  • gRPC streaming telemetry (port 57400)
  • YANG-based configuration model
  • Voucher engine via Edge Box (FreeRADIUS)
  • Captive portal via Coova-Chilli

Fortinet FortiOS

Minimum v7.0+ (7.4+ for WireGuard)

Security-focused operator on cruise lines, ferries, and offshore platforms. Strong native firewall and VPN feature set.

  • FortiOS REST API with token auth
  • Native captive portal
  • Native WireGuard (v7.4+)
  • IPsec IKEv2 fallback
  • Voucher engine via Edge Box
  • Multi-VDOM aware

Cross-Vendor Feature Parity

✓ = native router support   |   ⊕ = delivered via Edge Box

Capability              MikroTik          Cisco IOS-XE          Fortinet
VLAN management         ✓                 ✓                     ✓
Firewall rules          ✓                 ✓                     ✓
Multi-WAN failover      ✓                 ✓                     ✓
QoS / traffic shaping   ✓                 ✓                     ✓
Voucher engine          ✓ (hotspot)       ⊕ (FreeRADIUS)        ⊕ (FreeRADIUS)
Captive portal          ✓ (hotspot)       ⊕ (Coova-Chilli)      ✓ (native)
WireGuard VPN           ✓ (v7.0+)         ⊕ (Edge Box client)   ✓ (v7.4+)
Streaming telemetry     Binary API        gRPC                  REST
WAN Integration

Satellite Drivers

Maritime networks aren't terrestrial. Vessels run on Starlink, VSAT, OneWeb, Iridium, and 4G/5G LTE in port. Each provider exposes data differently — we abstract them all.

📡 Starlink (gRPC)

Local gRPC API on dish at 192.168.100.1:9200. Returns dish health, signal quality, obstruction data, throughput, and latency — real-time. We poll every 30 seconds.

📻 Generic VSAT (SNMP)

Most VSAT modems expose stats via SNMP v2c/v3. Standard MIBs (IF-MIB, HOST-RESOURCES-MIB) plus vendor-specific OIDs for iDirect, Comtech, and Hughes. Bulk GET for efficiency.

📱 4G/5G LTE Modems (AT)

Cellular modems use AT commands over serial (/dev/ttyUSB0). Signal strength, monthly usage counters, network registration, and SIM profile management.

💸 Bandwidth Budget Engine

Drivers feed real usage into the budget engine. At 80% of monthly cap → alert admin. At 95% → switch to secondary WAN, block streaming. At 100% → operations-only mode. Automatic, no manual intervention.
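
As an added example (not the product's budget engine), the code below turns the raw byte counters a driver reads from a modem into the 80/95/100% actions described above. Two details matter in practice and are handled here: a counter that goes backwards means the device rebooted, and a large delta replayed after an outage may cross several thresholds at once, each of which must still fire exactly once per month. Action names, the cap and the counter readings are assumptions.

```go
package main

import "fmt"

// Action is what the engine triggers when a threshold is crossed.
type Action int

const (
	AlertAdmin              Action = iota + 1 // 80%
	SecondaryWANNoStreaming                   // 95%: switch WAN, block streaming
	OperationsOnly                            // 100%
)

func (a Action) String() string {
	return []string{"none", "alert-admin", "secondary-wan+block-streaming", "operations-only"}[a]
}

// threshold is a percent of the monthly cap and the action taken on crossing it.
type threshold struct {
	pct uint64
	act Action
}

var thresholds = []threshold{{80, AlertAdmin}, {95, SecondaryWANNoStreaming}, {100, OperationsOnly}}

// Budget is one vessel's monthly allowance on one WAN link.
type Budget struct {
	Vessel      string
	CapBytes    uint64 // 0 means uncapped
	UsedBytes   uint64
	lastCounter uint64 // last raw counter read from the driver
	stage       int    // number of thresholds already acted on this month
}

// Percent is the integer percent of the cap consumed; uncapped links report 0.
func (b *Budget) Percent() uint64 {
	if b.CapBytes == 0 {
		return 0
	}
	return b.UsedBytes * 100 / b.CapBytes
}

// Record adds bytes and returns every action whose threshold was newly crossed,
// lowest first. Each action fires at most once per billing month.
func (b *Budget) Record(delta uint64) []Action {
	b.UsedBytes += delta
	var fired []Action
	for b.stage < len(thresholds) && b.Percent() >= thresholds[b.stage].pct {
		fired = append(fired, thresholds[b.stage].act)
		b.stage++
	}
	return fired
}

// RecordCounter takes the monotonic byte counter the driver reads from the device
// (for example SNMP IF-MIB ifHCInOctets+ifHCOutOctets, or a modem's AT usage counter).
// A reading lower than the previous one means the device rebooted and started from
// zero, so the whole new reading counts as new usage rather than being ignored.
func (b *Budget) RecordCounter(total uint64) []Action {
	delta := total
	if total >= b.lastCounter {
		delta = total - b.lastCounter
	}
	b.lastCounter = total
	return b.Record(delta)
}

// ResetMonth runs at the billing-cycle rollover; the raw counter baseline is kept.
func (b *Budget) ResetMonth() {
	b.UsedBytes, b.stage = 0, 0
}

func main() {
	const GB = uint64(1 << 30)
	b := &Budget{Vessel: "MV Example", CapBytes: 100 * GB} // constructed vessel and cap
	// Constructed counter readings from a VSAT modem over a month; the last one is a reboot.
	for _, reading := range []uint64{50 * GB, 81 * GB, 82 * GB, 100 * GB, 1 * GB} {
		for _, a := range b.RecordCounter(reading) {
			fmt.Printf("%s at %d%%: %s\n", b.Vessel, b.Percent(), a)
		}
	}
}
```

The jump from 82% to 100% in one reading fires the 95% and 100% actions back to back, in order, so the vessel still passes through "switch WAN, block streaming" before landing in operations-only mode.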

Resilience Scenarios

  • P1 Satellite drops: Edge Box keeps the vessel running; auto-resume on return.
  • P2 Edge Box fails: router keeps working; 7-day replacement SLA.
  • P3 Router fails: spare router on board; detected within 60 s.
  • P4 Cloud down: Edge Boxes operate independently; auto-resync.
User Journey

What Happens When a Crew Member Connects

From the moment a phone joins the ship's WiFi to streaming Netflix — or being blocked from streaming Netflix — here's the full path.

1. Connect to WiFi: the crew member's phone joins the SSID; the router's DHCP assigns an IP in the Crew VLAN (e.g. 10.10.100.0/24).

2. Auto-redirect: any web request is intercepted by Coova-Chilli on the Edge Box and the phone is redirected to the captive portal page.

3. Enter voucher: branded portal in the user's preferred language; the crew member enters the voucher code printed on a card handed out by the captain.

4. RADIUS auth: the voucher is validated against FreeRADIUS, which reads from the local SQLite store; the reply carries the bandwidth profile and time/data limit.

5. Internet access: the phone reaches the internet via the satellite uplink; AdGuard filters DNS (gambling, adult, etc.) and QoS enforces the bandwidth caps.

6. Telemetry to cloud: session data is buffered and synced to the cloud when the satellite link is up; the captain sees live usage on the dashboard.

Crew phone → Captive portal (Coova-Chilli on the Edge Box) → FreeRADIUS + SQLite voucher check → AdGuard Home DNS filter and block list → Internet via satellite uplink
Operations

Safe Updates: Staged OTA Rollout

Pushing a software update to 100 vessels at once is a recipe for disaster. Unimars NMS rolls out updates in stages — with automatic rollback if failures are detected.

🐤 Stage 1, Canary: 1 vessel for 24 hours (the internal pilot vessel). If issues appear, stop.

🚢 Stage 2, Early: 10% of the fleet for 48 h, with a diverse vendor mix. Auto-rollback triggers active.

⛴️ Stage 3, Wide: 50% of the fleet for 72 h. Production validation, health metrics monitored.

🌐 Stage 4, Complete: 100% of the fleet. Full rollout, ongoing monitoring.

CANARY (1 vessel) → EARLY (10%) → WIDE (50%) → FULL (100%). ⚠️ At any stage: failure detected → automatic rollback to last-known-good.

Plus: feature flags let us enable/disable individual features per vessel without deploying new code — instant kill-switch if something goes wrong.
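
The staging and rollback logic above, as an added example that is not the project's orchestrator: stages are cumulative rings over an ordered fleet, a stage advances only after every target has reported healthy and the soak time has passed, and any failed health check anywhere rolls the whole rollout back and produces the list of vessels to revert. The zero-failure tolerance, the fleet size and the vessel names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Stage is one rollout ring. Percent is the cumulative share of the fleet that
// should be on the new version when the stage completes.
type Stage struct {
	Name      string
	Percent   int
	SoakHours int // clean hours required before advancing
}

// Plan mirrors the page: canary 1 vessel/24 h, 10%/48 h, 50%/72 h, then 100%.
var Plan = []Stage{{"canary", 0, 24}, {"early", 10, 48}, {"wide", 50, 72}, {"full", 100, 0}}

var (
	ErrRolledBack = errors.New("rollout rolled back to last-known-good")
	ErrPending    = errors.New("stage targets have not all reported")
	ErrSoaking    = errors.New("stage soak time not elapsed")
)

// Rollout tracks one version across a fleet. Fleet[0] is the internal pilot vessel.
type Rollout struct {
	Version    string
	Fleet      []string
	Results    map[string]bool // vessel -> post-update health check passed
	stage      int
	RolledBack bool
}

func NewRollout(version string, fleet []string) *Rollout {
	return &Rollout{Version: version, Fleet: fleet, Results: map[string]bool{}}
}

func (r *Rollout) Stage() Stage { return Plan[r.stage] }

// cumulativeCount rounds up so a small fleet still gets at least one vessel per ring.
func cumulativeCount(s Stage, fleet int) int {
	if s.Name == "canary" {
		return 1
	}
	n := (s.Percent*fleet + 99) / 100
	if n < 1 {
		n = 1
	}
	return n
}

// Targets lists vessels the current stage should update that have not yet reported.
func (r *Rollout) Targets() []string {
	if r.RolledBack {
		return nil
	}
	want := cumulativeCount(r.Stage(), len(r.Fleet))
	var out []string
	for i := 0; i < want && i < len(r.Fleet); i++ {
		if _, done := r.Results[r.Fleet[i]]; !done {
			out = append(out, r.Fleet[i])
		}
	}
	return out
}

// Report records an Edge Box's post-update health check.
func (r *Rollout) Report(vessel string, ok bool) { r.Results[vessel] = ok }

// Advance is called by the scheduler with the hours the stage has run clean.
// Any failure rolls the whole rollout back; otherwise the stage moves on once
// every target has reported and the soak time has passed.
func (r *Rollout) Advance(hoursClean int) (Stage, error) {
	if r.RolledBack {
		return r.Stage(), ErrRolledBack
	}
	for _, ok := range r.Results {
		if !ok {
			r.RolledBack = true
			return r.Stage(), ErrRolledBack
		}
	}
	if len(r.Targets()) > 0 {
		return r.Stage(), ErrPending
	}
	if hoursClean < r.Stage().SoakHours {
		return r.Stage(), ErrSoaking
	}
	if r.stage < len(Plan)-1 {
		r.stage++
	}
	return r.Stage(), nil
}

// RevertList is what the rollback job pushes: every vessel that received the version.
func (r *Rollout) RevertList() []string {
	var out []string
	for _, v := range r.Fleet {
		if _, took := r.Results[v]; took {
			out = append(out, v)
		}
	}
	return out
}

func main() {
	fleet := make([]string, 20) // constructed fleet of 20 vessels
	for i := range fleet {
		fleet[i] = fmt.Sprintf("vessel-%02d", i+1)
	}
	r := NewRollout("edge-2.4.0", fleet) // constructed version string
	for {
		for _, v := range r.Targets() {
			r.Report(v, v != "vessel-03") // constructed: one vessel fails its health check
		}
		st, err := r.Advance(72)
		fmt.Printf("stage %-6s remaining=%d err=%v\n", st.Name, len(r.Targets()), err)
		if err != nil || st.Name == "full" {
			break
		}
	}
	fmt.Println("revert:", r.RevertList())
}
```

The canary passes, the early ring passes, and the one failure in the wide ring stops the rollout with ten vessels on the revert list; the remaining ten never received the version at all.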

Hardware

Three Edge Box Tiers

One vessel, one Edge Box. We support exactly three hardware models — chosen for their reliability, fanless designs, low power draw, and proven track record in industrial environments.

Beelink Mini S12 Pro (Standard Tier)

Best for vessels running MikroTik routers with up to 50 concurrent users.

  • CPU: Intel N100
  • RAM: 16 GB DDR4
  • Storage: 500 GB NVMe
  • Network: 1× Gigabit
  • Power: ~12 W
  • Form factor: Mini PC
Protectli V1410 (Industrial Tier)

For vessels with Cisco/Fortinet routers, 50–200 users, and harsher conditions.

  • CPU: Intel N5105
  • RAM: 8 GB DDR4
  • Storage: 32 GB eMMC + NVMe
  • Network: 4× 2.5GbE
  • Power: ~15 W (fanless)
  • Form factor: Industrial
Protectli V1610 (Heavy Tier)

For cruise ships, ferries, and large vessels with 200+ concurrent users.

  • CPU: Intel N6005
  • RAM: 16 GB DDR4
  • Storage: 128 GB eMMC + NVMe
  • Network: 6× 2.5GbE
  • Power: ~18 W (fanless)
  • Form factor: Industrial

🛡️ Why we lock to specific hardware

Customer-procured "any mini-PC" hardware is NOT supported. Restricting support to a fixed list of models lets us pre-image USB sticks, guarantee 5-minute deployment, and provide single-surface support. Custom hardware requests require additional engineering work and are quoted separately.

Deployment

From Order to Online in 5 Minutes

The Edge Box deployment is fully automated. A USB stick boots the device, installs the OS, configures the network, establishes the cloud tunnel, and the vessel appears in the dashboard — all unattended.

1. 🔵 Plug USB & boot: vessel IT plugs in the pre-imaged USB; the BIOS auto-detects the boot device. LED: solid blue.

2. 🔵 Auto-partition: the disk is partitioned into primary (80%) + fallback (20%). LED: slow blue blink.

3. 🔵 Install OS: Debian 12 + Docker + signed images are installed on both partitions. LED: fast blue blink.

4. 🟡 Configure network: auto-detects the network, requests DHCP, fetches the enrollment token. LED: yellow.

5. 🟢 Connect to cloud: WireGuard tunnel established, license validated. LED: green slow blink.

6. 🟢 Operational: the vessel appears in the fleet map, all services healthy. LED: solid green.

LED Status Reference

LED pattern       Meaning                                            What to do
🟢 Solid green    Online, healthy, cloud reachable                   Nothing, all good
🟢 Slow blink     Connecting to cloud / tunnel handshake             Wait 30 seconds
🟢 Fast blink     Software update in progress                        Don't power off
🟡 Yellow         Local OK, cloud unreachable, telemetry buffering   Check satellite link
🔵 Blue           Booting / installing                               Wait for green
🔴 Red            Sync agent failure, needs intervention             Check local web UI for diagnosis
Production-Grade

Built-In Observability

You can't fix what you can't see. Unimars NMS ships with the same open-source observability stack that modern SaaS operators run, tuned for maritime networks.

📊 Prometheus + Grafana

Internal NOC dashboard tracking API latency, queue depth, error rates, and Edge Box health across the entire fleet. Alerts fire before customers notice problems.

📜 Loki Log Aggregation

Cloud + every Edge Box logs ship to centralized Loki. 90-day retention, full-text search. When a vessel reports an issue, support has all the logs already — no remote login needed.

🚦 Feature Flags (Unleash)

Self-hosted feature flag system. Enable a new feature for one vessel, then 10%, then everyone. Kill-switch any feature instantly without deploying code. Reduces risk dramatically.

🔄 Staged OTA Updates

Updates roll out in stages with automatic rollback. The Edge Box update health dashboard shows per-vessel status, success rate, and any vessels that needed rollback.

🛡️ Security Incident Response

Breach detection alerts, automated credential rotation triggers, IP block lists, and a built-in GDPR 72-hour notification workflow. Incidents handled by procedure, not panic.

📋 GDPR Audit Trail

Immutable, append-only log of who accessed what data when. Exportable for compliance audits. Every state change in the platform is recorded with full context.

Security

How We Protect Your Data & IP

Maritime data is sensitive — vessel positions, crew records, financial data. Multiple security layers protect every byte.

🔐 Multi-Tenant Isolation

PostgreSQL Row-Level Security policies enforce tenant boundaries at the SQL layer. Even if application code has a bug, the database refuses to return another tenant's rows. The isolation is only as strong as its preconditions: the application role must not be able to bypass RLS (no superuser or table-owner role without FORCE ROW LEVEL SECURITY), and the tenant context the policies check must come from the authenticated session, never from a client-supplied value.

🛡️ Encryption Everywhere

WireGuard tunnels use ChaCha20-Poly1305. TLS fallback uses AES-256-GCM. Database at rest encrypted with AES-256. Backups encrypted with KMS-managed keys. Edge Box storage uses LUKS full-disk encryption.

🔑 Authentication

Cloud users authenticate with email + password + TOTP 2FA. Edge Boxes use mutual TLS with rotating certificates. Vessels are bound to hardware-locked license keys. APIs use JWTs that carry the tenant context, which the API takes from the verified token rather than from request parameters.

📜 IP Protection

Source code stays on Unimars infrastructure. Edge Boxes only receive compiled, signed binaries. License validation runs every 24 hours. Tamper detection auto-shuts down unauthorized Edge Boxes. 30-day disconnection grace before graceful shutdown.

In Summary

Why This Matters

Unimars NMS isn't another generic dashboard. It's a maritime-first operating platform that solves the actual problems vessel networks face every day.

🌊 Maritime Reality, Built In

Offline-first architecture. Satellite-aware routing. Bandwidth budget enforcement. Vessel-specific feature flags. None of these are afterthoughts — they're foundational design decisions, baked into every layer.

🔓 Vendor Freedom

Three router families supported through a single abstraction layer. Customers don't get locked into one hardware vendor. Add new vendors in Phase 2 without redesigning the platform. Vendor-neutral satellite drivers, too.

⚙️ Production-Grade Operations

Prometheus, Grafana, Loki, feature flags, staged OTA, GDPR audit trails, automated incident response. The same operational toolkit a serious SaaS company would build — available from day one.

🤝 Two Deployment Models

Hosted SaaS for fast onboarding (Plan A — 15 minutes). Self-hosted for enterprise customers with data sovereignty requirements (Plan B). One product, two delivery options — matches whatever the customer needs.
