Crypta

Crypta is a zero-trust, end-to-end encrypted communication platform scaffold designed for high-risk corporate, executive, and security-sensitive environments. It is an alpha-stage, security-focused scaffold, not production-ready secure messaging software and not independently audited.

The backend is intended to ingest, route, and persist ciphertext envelopes, public key material, policy records, encrypted attachment metadata, and audit events while keeping plaintext and private keys on client devices. Some code and package names still use Sovereign Comm.

Preview

[Image: iPhone app preview] [Image: Samsung app preview]

[Image: Encrypted message animation preview]

Local Backend Run

Copy .env.example to .env, set non-default secret values, then start the backend, database, and Go security verifier with:

docker compose up --build

For a direct Maven run against the Compose database, export DATABASE_URL, DATABASE_USERNAME, DATABASE_PASSWORD, BOOTSTRAP_TOKEN, TOKEN_PEPPER, WEBAUTHN_RP_ID, WEBAUTHN_RP_NAME, WEBAUTHN_ALLOWED_ORIGINS, and optionally SECURITY_VERIFIER_BASE_URL before running:

mvn spring-boot:run

Provision organizations, users, and devices with X-Bootstrap-Token, then exchange a bootstrapped userId and deviceId at POST /api/v1/bootstrap/sessions for a bearer token. The bootstrap token is an onboarding credential only; admin, governance, key, room, message, attachment, and device-revocation paths require bearer sessions. WebAuthn/passkey registration and login use persisted Yubico ceremony options and verified credentials, while external WebAuthn review and production attestation policy remain production-readiness items.

Backend tests can be run with:

mvn test

The full BackendFlowIntegrationTest uses Testcontainers and runs when Docker is available; without Docker it is skipped by design while unit and service-level hardening tests still run.

Documentation

Verified reference anchors checked on 2026-05-24:


Structure Map

flowchart TD
    User([User]) --> UI["UI Layer (main.dart)"]
    
    subgraph ClientApp ["Mobile Client (Flutter)"]
        UI --> AppOrch["Application Orchestrator"]
        AppOrch --> CryptoBridge["Crypto Bridge (DirectCryptoProvider, GroupCryptoProvider)"]
        AppOrch --> LocalDB["Local Encrypted Database (SQLCipher/Drift)"]
        CryptoBridge --> SecureStorage["Secure Storage Interface (SecureStorageProvider)"]
    end

    subgraph NativeOS ["Native OS Security Modules"]
        iOSSecureEnclave["iOS Secure Enclave / Keychain"]
        AndroidKeystore["Android KeyStore / StrongBox"]
        BiometricUnlock["Biometric Authentication APIs"]
    end

    SecureStorage --> iOSSecureEnclave
    SecureStorage --> AndroidKeystore
    AppOrch --> BiometricUnlock

    AppOrch -- "TLS 1.3 / HTTPS" --> BackendGateway["Backend Web Gateway (SecurityConfig, RequestIdFilter)"]

    subgraph Backend ["Spring Boot Monolith"]
        BackendGateway --> AuthFilter["ApiAuthenticationFilter (Bearer token validation)"]
        AuthFilter --> PlaintextGuard["PlaintextGuard (Validates metadata structure)"]
        PlaintextGuard --> Controllers["Controllers (WebAuthn, Key, Message, Attachment, Room, Admin)"]
        Controllers --> Services["Services (JdbcSovereignCommServices implementation)"]
    end

    subgraph Infrastructure ["Infrastructure Services"]
        Services --> DB[("Database (PostgreSQL 16)")]
        Services --> SIEM["SIEM Export Sink Records (connector TODO)"]
        Services --> MDM["MDM Provider Boundary (connector TODO)"]
    end

What Is Implemented

User Authentication & Sessions

The project includes bootstrap onboarding, Yubico-backed WebAuthn/passkey ceremony verification, persisted WebAuthn request options, verified credential storage, and random bearer tokens stored as hashes. Legacy demo credentials are marked separately and excluded from login. Bootstrap is limited to onboarding; normal administration and application use require bearer sessions.

Implemented with:

Zero-Trust Message Ingestion

The project implements API endpoints that ingest and store only encrypted ciphertext envelopes, verifying metadata constraints without exposing message payloads.

Implemented with:

Plaintext Prevention Guard

The project uses strict validation logic to reject JSON metadata payloads containing any keys matching patterns for plaintext, body content, or decrypted parameters, including forbidden keys nested inside maps, lists, and arrays.
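The guard described above, modelled in Python as an added example (this is not the project's Java PlaintextGuard; the pattern list, the depth and size limits, and the sample envelope field names are constructed assumptions). It walks nested maps and lists, reports where the first plaintext-shaped key sits, and also bounds nesting depth and payload size, two failure modes a validator of this kind should handle.

```python
import json
import re
from typing import Any, Optional

# Key-name patterns treated as plaintext-shaped. Constructed for this example; the
# project's actual pattern list is not shown on the page. "body" is matched as a
# substring on purpose: a guard like this should err on the side of rejecting.
FORBIDDEN_KEY = re.compile(r"plain.?text|clear.?text|body|decrypt", re.IGNORECASE)
MAX_DEPTH = 32    # bound the walk so a deeply nested payload cannot exhaust the stack
MAX_BYTES = 4096  # metadata is small by design; the ciphertext is an opaque field inside it

def find_forbidden_key(value: Any, path: str = "$", depth: int = 0) -> Optional[str]:
    """Depth-first walk of decoded JSON. Returns the location of the first forbidden
    key (or the point where nesting exceeds MAX_DEPTH), else None."""
    if depth > MAX_DEPTH:
        return f"{path} (nesting deeper than {MAX_DEPTH})"
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}"
            if FORBIDDEN_KEY.search(str(key)):
                return child_path
            hit = find_forbidden_key(child, child_path, depth + 1)
            if hit is not None:
                return hit
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hit = find_forbidden_key(child, f"{path}[{i}]", depth + 1)
            if hit is not None:
                return hit
    return None

def check_metadata(raw_json: str) -> tuple:
    """Return (accepted, reason). Rejects oversized, malformed or plaintext-shaped metadata."""
    if len(raw_json.encode("utf-8")) > MAX_BYTES:
        return False, "metadata exceeds size limit"
    try:
        decoded = json.loads(raw_json)
    except ValueError:
        return False, "metadata is not valid JSON"
    hit = find_forbidden_key(decoded)
    if hit is not None:
        return False, f"forbidden key at {hit}"
    return True, "ok"

# Constructed sample envelopes: only opaque ciphertext fields should pass.
CLEAN = '{"ciphertext":"b64...","nonce":"b64...","recipients":[{"deviceId":"d-1","wrappedKey":"b64..."}]}'
NESTED_LEAK = '{"ciphertext":"b64...","attachments":[{"meta":{"plainText":"quarterly numbers"}}]}'
TOP_LEVEL_LEAK = '{"messageBody":"hi","ciphertext":"b64..."}'
```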

Implemented with:

Cryptographic Key Management

The project provides prekey and identity key storage endpoints supporting Signal-style cryptographic handshake setups.

Implemented with:

Merkle Log Key Transparency

The project logs key history events in an append-only transparency log to verify public key integrity.
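An added example of the append-only log idea, written in Python and not taken from the project's code: key-history events become leaves of a Merkle tree (RFC 6962 tree shape, with leaf/node domain separation), and a client holding the tree root can check an inclusion proof for the identity key it was served. The event field names and the sample log are constructed.

```python
import hashlib
import json

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(record: bytes) -> bytes:   # domain separation: leaves vs. interior nodes
    return _h(b"\x00" + record)

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def _split(n: int) -> int:   # largest power of two strictly less than n (RFC 6962 shape)
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves: list) -> bytes:
    if not leaves:
        return _h(b"")
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: list, index: int) -> list:
    """Audit path for leaves[index]: (side, sibling_hash) pairs, leaf level first."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [("R", merkle_root(leaves[k:]))]
    return inclusion_proof(leaves[k:], index - k) + [("L", merkle_root(leaves[:k]))]

def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    """Client-side check: recompute the root from the served leaf and its audit path."""
    h = leaf
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root

def key_event_leaf(org_id: str, user_id: str, device_id: str, identity_key_b64: str) -> bytes:
    """Canonical encoding of one key-history event (field names are constructed here)."""
    record = {"org": org_id, "user": user_id, "device": device_id, "identityKey": identity_key_b64}
    return leaf_hash(json.dumps(record, sort_keys=True, separators=(",", ":")).encode())

# Constructed log of five key events; a verifier checks that device d-2's key is really in it.
LOG = [key_event_leaf("org-1", f"user-{i}", f"d-{i}", f"pk{i}") for i in range(5)]
```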

Implemented with:

Tamper-Evident Auditing

The project implements audit events hash-chained per organization to verify log integrity and order.
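A per-organization hash chain as an added Python example (a model of the technique, not the project's implementation; the record layout, field names and sample events are constructed, with the event type AUDIT_EXPORT_REQUESTED taken from the CQL example below). Each record commits to the previous hash, its sequence number and its canonical content, so a verifier re-walking the chain catches edited, deleted, reordered and cross-organization records.

```python
import hashlib
import json
from typing import Optional, Tuple

GENESIS = "0" * 64   # prev_hash of the first record in every organization's chain

def canonical(obj: dict) -> bytes:
    """Deterministic encoding so the same event always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def record_hash(record: dict) -> str:
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()

class OrgAuditChain:
    """One chain per organization: every record links to the previous record's hash."""
    def __init__(self, org_id: str):
        self.org_id = org_id
        self.records = []

    def append(self, event_type: str, actor: str, details: Optional[dict] = None) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"org": self.org_id, "seq": len(self.records), "prev_hash": prev,
                  "event_type": event_type, "actor": actor, "details": details or {}}
        record["hash"] = record_hash(record)
        self.records.append(record)
        return record

def verify_chain(org_id: str, records: list) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of first bad record). Checks org scope, sequence, linkage and hash."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if (rec.get("org") != org_id or rec.get("seq") != i
                or rec.get("prev_hash") != prev or record_hash(rec) != rec.get("hash")):
            return False, i
        prev = rec["hash"]
    return True, None

def build_sample_chain() -> OrgAuditChain:
    """Constructed sample events for one organization."""
    chain = OrgAuditChain("org-1")
    chain.append("DEVICE_ENROLLED", "admin@org-1", {"deviceId": "d-1"})
    chain.append("ROOM_LOCKDOWN", "admin@org-1", {"roomId": "r-7"})
    chain.append("AUDIT_EXPORT_REQUESTED", "auditor@org-1")
    return chain
```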

Implemented with:

Secure File Attachments

The project handles upload and download paths for client-side encrypted attachments.

Implemented with:

Emergency Lockdown Control

The project supports organizational and room-level emergency lockdowns that instantly suspend activity.

Implemented with:

Device Trust & Attestation

The project tracks hardware-backed device attestation status, compliance state, and revocation actions.

Implemented with:

Mobile Presentation & Contracts

The mobile module defines abstract cryptographic interfaces and visual presentation mockups for secure conversations.

Implemented with:

Containerized Deployment

The project contains local Docker Compose support and Kubernetes base manifests for deployment experimentation. These files require environment-specific hardening before production use.

Implemented with:

Compliance Query Language (CQL) & Smalltalk Rules Engine

The platform integrates a dynamic governance plane for real-time compliance auditing and rule-based policy enforcement:

  • Compliance Query Language (CQL): An ANTLR4-parsed, SQL-inspired language designed specifically for bearer-admin querying of AUDIT_EVENTS, DEVICES, and ROOMS. Execution is organization-scoped, table/column allowlisted, parameterized, length-limited, and result-capped.
    • Grammar: CQL.g4
    • Compiler / Service: CqlPolicyService
    • Example Query: SELECT id, event_type FROM AUDIT_EVENTS WHERE event_type = 'AUDIT_EXPORT_REQUESTED'
  • Smalltalk Policy Engine: A highly flexible, lightweight Smalltalk message-passing engine embedded within the Java policy layer to evaluate compliance rules with block evaluations ([ :param | ... ]). It is disabled by default and scans input and returned structures for plaintext-shaped metadata.
  • Governance REST Endpoints:
    • POST /api/v1/governance/cql/parse - Parse a CQL query string and return its AST.
    • POST /api/v1/governance/cql/execute - Execute an organization-scoped CQL query against the allowlisted governance tables.
    • POST /api/v1/governance/smalltalk/evaluate - Evaluate a Smalltalk block against the supplied target object context.
