Phala-Network · h4x3rotab · Jan 27, 2026 · Jan 27, 2026
diff --git a/README.md b/README.md
diff --git a/docs/attestation-nitro-enclave.md b/docs/attestation-nitro-enclave.md
@@ -1,5 +1,7 @@
 # Dstack Nitro Enclave Attestation Flow (NSM)
 
+> **AWS Nitro Support:** Attestation verification is fully implemented. For AWS deployment options, [book a call](https://calendly.com/aspect-ux/30min) with our team.
+
 This document describes how dstack produces and verifies attestation on AWS
 Nitro Enclaves using the NSM attestation document. It follows the
 implementation in `dstack-attest` and `nsm-qvl`.

diff --git a/docs/auth-simple-operations.md b/docs/auth-simple-operations.md
@@ -1,5 +1,7 @@
 # auth-simple Operations Guide
 
+> **This guide is for self-hosted deployments** on your own TDX hardware. For cloud deployments, see [Quickstart](./quickstart.md).
+
 This guide covers day-to-day operations for managing apps and devices with auth-simple.
 
 For initial deployment setup, see [Deployment Guide](./deployment.md).

diff --git a/docs/deployment.md b/docs/deployment.md
@@ -1,5 +1,7 @@
 # Deploying dstack
 
+> **This guide is for self-hosted deployments** on your own TDX hardware. For cloud deployments, see [Quickstart](./quickstart.md).
+
 This guide covers deploying dstack on bare metal TDX hosts.
 
 ## Overview

diff --git a/docs/dstack-gateway.md b/docs/dstack-gateway.md
@@ -1,5 +1,7 @@
 # Setup dstack-gateway for Production
 
+> **This guide is for self-hosted deployments** on your own TDX hardware. For cloud deployments, see [Quickstart](./quickstart.md).
+
 To set up dstack-gateway for production, you need a wildcard domain and SSL certificate.
 
 ## Step 1: Setup wildcard domain

diff --git a/docs/onchain-governance.md b/docs/onchain-governance.md
@@ -1,5 +1,7 @@
 # On-Chain Governance
 
+> **This guide is for self-hosted deployments** on your own TDX hardware. For cloud deployments, see [Quickstart](./quickstart.md).
+
 This guide covers setting up on-chain governance for dstack using smart contracts on Ethereum.
 
 ## Overview

diff --git a/docs/quickstart.md b/docs/quickstart.md
@@ -0,0 +1,209 @@
+# Quickstart
+
+Deploy your first confidential workload on GCP in under 10 minutes.
+
+> **Interested in AWS Nitro Enclaves?** We support AWS Nitro attestation verification and are expanding deployment tooling. [Book a call](https://calendly.com/aspect-ux/30min) to learn more about AWS deployment options.
+
+## Prerequisites
+
+- GCP account with Confidential VM quota (Intel TDX)
+- `gcloud` CLI installed and authenticated
+
+## Install the CLI
+
+Download the `dstack-cloud` CLI:
+
+```bash
+# Clone the repository (temporary until packaged release)
+git clone https://github.com/Phala-Network/meta-dstack-cloud.git
+export PATH="$PATH:$(pwd)/meta-dstack-cloud/scripts/bin"
+```
+
+Verify the installation:
+
+```bash
+dstack-cloud --help
+```
+
+## Configure
+
+Set up your cloud credentials:
+
+```bash
+dstack-cloud config-edit
+```
+
+This opens an editor with the global configuration file. For GCP, configure:
+
+```toml
+[gcp]
+project = "your-gcp-project-id"
+zone = "us-central1-a"
+machine_type = "n2d-standard-4"
+```
+
+## Create a Project
+
+Create a new dstack-cloud project:
+
+```bash
+dstack-cloud new my-app
+cd my-app
+```
+
+This creates a project directory with:
+
+```
+my-app/
+├── app.json           # Application configuration
+├── docker-compose.yaml # Your container definition
+├── .env               # Environment variables
+└── prelaunch.sh       # Pre-launch script (optional)
+```
+
+## Define Your Workload
+
+Edit `docker-compose.yaml` with your application:
+
+```yaml
+services:
+  web:
+    image: nginx:latest
+    ports:
+      - "8080:80"
+```
+
+For AI workloads with GPU:
+
+```yaml
+services:
+  vllm:
+    image: vllm/vllm-openai:latest
+    runtime: nvidia
+    command: --model Qwen/Qwen2.5-7B-Instruct
+    ports:
+      - "8000:8000"
+```
+
+## Add Secrets (Optional)
+
+Add sensitive environment variables to `.env`:
+
+```bash
+API_KEY=your-secret-key
+DATABASE_URL=postgres://...
+```
+
+These are encrypted before leaving your machine and only decrypted inside the TEE.
+
+## Deploy
+
+Deploy to your cloud provider:
+
+```bash
+dstack-cloud deploy
+```
+
+The CLI will:
+1. Build and push your container configuration
+2. Create a Confidential VM
+3. Boot the dstack guest OS
+4. Start your containers
+
+## Check Status
+
+Monitor your deployment:
+
+```bash
+# Check deployment status
+dstack-cloud status
+
+# View console logs
+dstack-cloud logs
+
+# Follow logs in real-time
+dstack-cloud logs --follow
+```
+
+## Configure Firewall
+
+Allow traffic to your application:
+
+```bash
+# Allow HTTPS traffic
+dstack-cloud fw allow 443
+
+# Allow your app port
+dstack-cloud fw allow 8080
+
+# List firewall rules
+dstack-cloud fw list
+```
+
+## Access Your App
+
+Once deployed, access your application via the assigned endpoint. The `dstack-cloud status` command shows the public URL.
+
+For apps with TLS:
+```
+https://<app-id>.<gateway-domain>
+```
+
+For specific ports:
+```
+https://<app-id>-8080.<gateway-domain>
+```
+
+## Verify Attestation
+
+Users can verify your deployment is running in a genuine TEE:
+
+```bash
+# Get attestation quote from your app
+curl https://<your-app>/attestation
+
+# Verify with dstack-verifier
+dstack-verifier verify <quote>
+```
+
+See the [Verification Guide](./verification.md) for details.
+
+## Manage Deployments
+
+```bash
+# List all deployments
+dstack-cloud list
+
+# Stop a deployment
+dstack-cloud stop
+
+# Start a stopped deployment
+dstack-cloud start
+
+# Remove a deployment completely
+dstack-cloud remove
+```
+
+## Next Steps
+
+- [Usage Guide](./usage.md) - Detailed deployment and management
+- [Confidential AI](./confidential-ai.md) - Run AI workloads with hardware privacy
+- [GCP Attestation](./attestation-gcp.md) - How TDX + TPM attestation works
+- [AWS Nitro Attestation](./attestation-nitro-enclave.md) - How NSM attestation works
+- [Security Model](./security/security-model.md) - Understand the trust boundaries
+
+## Troubleshooting
+
+**Deployment stuck at "Creating VM":**
+- Check your cloud quota for Confidential VMs
+- Verify your credentials with `gcloud auth list`
+
+**Container not starting:**
+- Check logs with `dstack-cloud logs`
+- Verify your docker-compose.yaml syntax
+- Ensure images are accessible from the cloud region
+
+**Cannot access application:**
+- Check firewall rules with `dstack-cloud fw list`
+- Verify the port mapping in docker-compose.yaml
+- Check if the container is healthy in the logs
diff --git a/docs/usage.md b/docs/usage.md
@@ -1,8 +1,10 @@
 # dstack Usage Guide
 
-This guide covers deploying and managing applications on dstack. For infrastructure setup and self-hosting, see the [Deployment Guide](./deployment.md).
+> **This guide is for self-hosted deployments** on your own TDX hardware. For cloud deployments, see [Quickstart](./quickstart.md).
 
-You can manage VMs via the dashboard or [CLI](./vmm-cli-user-guide.md).
+This guide covers deploying and managing applications on self-hosted dstack infrastructure. For initial setup, see the [Deployment Guide](./deployment.md).
+
+You can manage VMs via the VMM dashboard or [CLI](./vmm-cli-user-guide.md).
 
 ## Deploy an App
 

diff --git a/docs/vmm-cli-user-guide.md b/docs/vmm-cli-user-guide.md
@@ -1,5 +1,7 @@
 # VMM CLI User Guide
 
+> **This guide is for self-hosted deployments** on your own TDX hardware. For cloud deployments, see [Quickstart](./quickstart.md).
+
 Welcome to the **VMM CLI**! This tool helps you manage CVMs in the dstack platform.
 
 ## Table of Contents