FAQ
Is it free?
weldctl is AGPL-3.0 open source — yes. The Naasson Apps managed
SaaS is free up to a small per-user resource budget (one tunnel
route, a handful of free-tier marketplace installs). After that, you
pay per usage — see your account’s billing page for current limits.
The edge network itself (the *.cloud.naasson.com routing layer) is
free for any tunnel route under a modest traffic ceiling. Premium
tier (higher rate limits, custom domains, mTLS) is paid.
Where does my data live?
Production user data (workspaces, drafts, deployments, tunnel routes)
lives in YDB Serverless under
/ru-central1/b1gor3qevntllgvn2qk8/etnncus1vqp66ouunv61 — a Yandex
Cloud datacenter in Moscow. Worker pipeline state and payments
ledgers are in PostgreSQL until the YDB migration completes. The
app you install onto your VM lives on your VM — Naasson never
takes possession of your service’s data.
Can I use this without trusting Yandex Cloud?
The CLI yes (Mode 1 — your laptop talks to your cloud, we never touch it). The managed SaaS no — it runs on YC.
If you want zero-YC for Mode 1, set --provider aws or --provider hetzner or --provider local. Your weldctl install will keep
working; the only YC dependency in Mode 1 is the *.cloud.naasson.com
edge if you choose to use it.
Why a 1000-app marketplace? Most of those must be broken.
A fair concern, and one we audit continuously. The catalog at
cloud.naasson.com/apps/ shows 1166 slugs because that’s what’s been
imported from upstream registries. The subset we call “featured” —
about 80 apps — passes a docker-compose smoke test on each release.
The rest are best-effort: if you try weldctl simple deploy <random-slug> and the install fails, it fails fast with the upstream
error. We don’t pretend it works when it doesn’t.
Can I self-host the SaaS side?
In principle yes — the whole stack is in this repo. In practice it’s a non-trivial bring-up (YDB, YMQ, API Gateway, several Cloud Functions). We’d love your feedback if you try, but it isn’t supported as a turnkey self-host yet.
What happens to my apps if Naasson goes away?
You own them. They run on your VM, behind your firewall, with no phone-home. The tunnel agent is the only persistent connection to Naasson; kill it and the public URL stops resolving, but your service keeps running for anyone who can reach it directly. Replace the tunnel with your own ingress and you’re fully cut over.
Is the tunnel agent rooted on my host?
No. It runs as a dedicated naasson system user with no shell, no
home directory, NoNewPrivileges=true, ProtectSystem=strict,
MemoryDenyWriteExecute=true. Its only outbound capability is TCP to
edge.cloud.naasson.com:8443; its only inbound is localhost:<port>
for the port you specified when creating the route.
Why TCP passthrough at the edge? Why not L7?
Three reasons: it lets you tunnel anything that talks TCP (not just HTTP), the wildcard cert at the edge keeps the cert story simple, and end-to-end TLS gives the user a single point of trust. The cost is that the edge can’t inspect or modify the payload — which we consider a feature, not a bug.
What’s the difference between this and Cloudflare Tunnels / Tailscale Funnel?
Very similar shape, different trade-offs. Cloudflare Tunnels is proprietary, requires a Cloudflare account, and runs on Cloudflare’s global edge. Tailscale Funnel is closer in spirit — peer-to-peer overlay + public hostname — but the funnel is opt-in per node and limited in scale. Naasson sits in between: open-source agent, our own edge fleet, designed to feel like Vercel-for-the-rest-of-the-internet.
Can I run weldctl from CI?
Yes — weldctl --no-tui is the headless mode, and every command
takes --output json for parsing. Authenticate via OIDC if you’re on
GitHub Actions / GitLab CI. The weldctl mcp serve flow also makes
weldctl scriptable from agents like Claude Code.
How do I get involved?
- Star and watch
weldctl/weldctl. - Try the quickstart, file an issue if anything’s wrong.
- Submit a marketplace template (see CONTRIBUTING-APPS).
- Join GitHub Discussions for design conversations.