Crypta is a zero-trust, end-to-end encrypted communication platform scaffold designed for high-risk corporate, executive, and security-sensitive environments. It is an alpha-stage, security-focused scaffold, not production-ready secure messaging software and not independently audited.
The backend is intended to ingest, route, and persist ciphertext envelopes, public key material, policy records, encrypted attachment metadata, and audit events while keeping plaintext and private keys on client devices. Some code and package names still use Sovereign Comm.
Copy .env.example to .env, set non-default secret values, then start the backend, database, and Go security verifier with:

docker compose up --build

For a direct Maven run against the Compose database, export DATABASE_URL, DATABASE_USERNAME, DATABASE_PASSWORD, BOOTSTRAP_TOKEN, TOKEN_PEPPER, WEBAUTHN_RP_ID, WEBAUTHN_RP_NAME, WEBAUTHN_ALLOWED_ORIGINS, and optionally SECURITY_VERIFIER_BASE_URL before running:

mvn spring-boot:run

Provision organizations, users, and devices with the X-Bootstrap-Token header, then exchange a bootstrapped userId and deviceId at POST /api/v1/bootstrap/sessions for a bearer token. The WebAuthn challenge creation and finish endpoints validate challenge, origin, and replay state, but full, audited verification of the authenticator signature remains a production-readiness item.
Verified reference anchors checked on 2026-05-24:
- IETF RFC 9420: Messaging Layer Security
- Signal PQXDH specification
- W3C WebAuthn Level 3
- Spring Security passkeys/WebAuthn
- Apple Secure Enclave key protection
- Android hardware-backed Keystore
- Sigstore Rekor transparency log overview
flowchart TD
User([User]) --> UI["UI Layer (main.dart)"]
subgraph ClientApp ["Mobile Client (Flutter)"]
UI --> AppOrch["Application Orchestrator"]
AppOrch --> CryptoBridge["Crypto Bridge (DirectCryptoProvider, GroupCryptoProvider)"]
AppOrch --> LocalDB["Local Encrypted Database (SQLCipher/Drift)"]
CryptoBridge --> SecureStorage["Secure Storage Interface (SecureStorageProvider)"]
end
subgraph NativeOS ["Native OS Security Modules"]
iOSSecureEnclave["iOS Secure Enclave / Keychain"]
AndroidKeystore["Android KeyStore / StrongBox"]
BiometricUnlock["Biometric Authentication APIs"]
end
SecureStorage --> iOSSecureEnclave
SecureStorage --> AndroidKeystore
AppOrch --> BiometricUnlock
AppOrch -- "TLS 1.3 / HTTPS" --> BackendGateway["Backend Web Gateway (SecurityConfig, RequestIdFilter)"]
subgraph Backend ["Spring Boot Monolith"]
BackendGateway --> AuthFilter["ApiAuthenticationFilter (Bearer token validation)"]
AuthFilter --> PlaintextGuard["PlaintextGuard (Validates metadata structure)"]
PlaintextGuard --> Controllers["Controllers (WebAuthn, Key, Message, Attachment, Room, Admin)"]
Controllers --> Services["Services (JdbcSovereignCommServices implementation)"]
end
subgraph Infrastructure ["Infrastructure Services"]
Services --> DB[("Database (PostgreSQL 16)")]
Services --> SIEM["SIEM Export Sink Records (connector TODO)"]
Services --> MDM["MDM Provider Boundary (connector TODO)"]
end
⸻
The project includes WebAuthn/passkey challenge scaffolding, bootstrap session issuance, and random bearer tokens that are stored only as SHA-256 hashes, never in the clear. Full WebAuthn credential verification on the finish path is not yet configured.
Implemented with:
- Spring Security
- WebAuthn
- WebAuthnController
- ApiAuthenticationFilter
- webauthn_credentials
- webauthn_challenges
- api_sessions
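As an added illustration, not the project's code (the backend is Java; this is Go, the language of the repository's security verifier): how a bootstrap session exchange can mint a random bearer token, persist only a SHA-256-based digest of it, and validate tokens presented later. The HMAC-with-pepper construction, the Session field names and the in-memory store are this example's assumptions; the page only says tokens are random, stored as SHA-256 hashes, and that a TOKEN_PEPPER is configured.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

var (
	errUnknownToken = errors.New("unknown bearer token")
	errExpiredToken = errors.New("bearer token expired")
)

// Session mirrors, loosely, one row of an api_sessions-style table: only the
// token digest is persisted. Field names are illustrative, not the schema.
type Session struct {
	UserID    string
	DeviceID  string
	TokenHash string // hex(HMAC-SHA256(pepper, token))
	ExpiresAt time.Time
}

// SessionStore is an in-memory stand-in for the database table.
type SessionStore struct {
	pepper   []byte
	sessions map[string]Session // keyed by TokenHash
}

func NewSessionStore(pepper []byte) *SessionStore {
	return &SessionStore{pepper: pepper, sessions: map[string]Session{}}
}

// HashToken derives the stored digest. Keying SHA-256 with a server-side
// pepper (the page's TOKEN_PEPPER) means a dumped table alone does not let an
// attacker replay sessions. Using HMAC rather than SHA-256(pepper||token) is
// this example's choice, not something the page specifies.
func (s *SessionStore) HashToken(token string) string {
	mac := hmac.New(sha256.New, s.pepper)
	mac.Write([]byte(token))
	return hex.EncodeToString(mac.Sum(nil))
}

// Issue mints a 256-bit random bearer token, persists only its digest, and
// returns the plaintext token exactly once (the bootstrap session exchange).
func (s *SessionStore) Issue(userID, deviceID string, now time.Time, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	h := s.HashToken(token)
	s.sessions[h] = Session{UserID: userID, DeviceID: deviceID, TokenHash: h, ExpiresAt: now.Add(ttl)}
	return token, nil
}

// Authenticate is the check an ApiAuthenticationFilter-style component makes
// on a presented token: rehash, look up by digest, compare digests in constant
// time. A timing leak on the digest lookup does not help recover the token;
// comparing raw tokens with == would be the real mistake.
func (s *SessionStore) Authenticate(token string, now time.Time) (Session, error) {
	want := s.HashToken(token)
	rec, ok := s.sessions[want]
	if !ok || subtle.ConstantTimeCompare([]byte(rec.TokenHash), []byte(want)) != 1 {
		return Session{}, errUnknownToken
	}
	if !now.Before(rec.ExpiresAt) {
		delete(s.sessions, want) // an expired session is not worth keeping
		return Session{}, errExpiredToken
	}
	return rec, nil
}

// Revoke drops a session given the token the client presents (logout or a
// device revocation) without the server ever having stored the token.
func (s *SessionStore) Revoke(token string) bool {
	h := s.HashToken(token)
	if _, ok := s.sessions[h]; !ok {
		return false
	}
	delete(s.sessions, h)
	return true
}

func main() {
	store := NewSessionStore([]byte("example-pepper-not-for-real-use")) // constructed
	now := time.Date(2026, 5, 24, 12, 0, 0, 0, time.UTC)
	tok, _ := store.Issue("user-1", "device-1", now, time.Hour)
	sess, err := store.Authenticate(tok, now)
	fmt.Println(sess.UserID, sess.DeviceID, err)
	_, err = store.Authenticate(tok, now.Add(2*time.Hour))
	fmt.Println(err)
}
```

Because only digests are stored, revoking by device means deleting rows by DeviceID, not by token; the token itself is never needed server-side after issuance.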
The message endpoints ingest and store only ciphertext envelopes: the server validates envelope metadata constraints and never handles message plaintext.
PlaintextGuard applies strict key validation to JSON metadata, rejecting any payload that contains keys matching patterns for plaintext, body content, or decrypted parameters.
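The key-pattern check described above, as an added Go example rather than the project's PlaintextGuard (whose exact patterns the page does not list): the deny-list words, the nesting limit and the sample envelopes are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// ErrPlaintextKey is returned when metadata carries a key that suggests the
// client is leaking plaintext, body content or decrypted values.
var ErrPlaintextKey = errors.New("metadata contains a forbidden key")

// ErrTooDeep rejects pathological nesting before it costs the server CPU.
var ErrTooDeep = errors.New("metadata nested too deeply")

const maxDepth = 16 // example limit; real envelopes are shallow

// deniedWords and deniedPairs are this example's patterns. Matching on whole
// words rather than substrings keeps "nobody" or "embodiment" from tripping
// the guard while still catching "decryptedBody" or "plain-text".
var deniedWords = map[string]bool{
	"plaintext": true, "cleartext": true, "body": true,
	"decrypted": true, "decrypt": true, "decryption": true,
}
var deniedPairs = [][2]string{{"plain", "text"}, {"clear", "text"}}

var camelBoundary = regexp.MustCompile(`([a-z0-9])([A-Z])`)

// keyWords splits camelCase, snake_case and kebab-case keys into lowercase
// words: "decryptedBody" -> [decrypted body], "plain_text" -> [plain text].
func keyWords(key string) []string {
	spaced := camelBoundary.ReplaceAllString(key, "$1 $2")
	return strings.FieldsFunc(strings.ToLower(spaced), func(r rune) bool {
		return !unicode.IsLetter(r) && !unicode.IsDigit(r)
	})
}

// IsForbiddenKey reports whether a single metadata key matches the deny list.
func IsForbiddenKey(key string) bool {
	words := keyWords(key)
	for i, w := range words {
		if deniedWords[w] {
			return true
		}
		for _, p := range deniedPairs {
			if w == p[0] && i+1 < len(words) && words[i+1] == p[1] {
				return true
			}
		}
	}
	return false
}

// findForbidden walks objects and arrays at every depth and returns the JSON
// path of the first forbidden key it meets ("" if none).
func findForbidden(v any, path string, depth int) (string, error) {
	if depth > maxDepth {
		return "", ErrTooDeep
	}
	switch t := v.(type) {
	case map[string]any:
		for k, child := range t {
			p := path + "." + k
			if IsForbiddenKey(k) {
				return p, nil
			}
			if hit, err := findForbidden(child, p, depth+1); err != nil || hit != "" {
				return hit, err
			}
		}
	case []any:
		for i, child := range t {
			if hit, err := findForbidden(child, fmt.Sprintf("%s[%d]", path, i), depth+1); err != nil || hit != "" {
				return hit, err
			}
		}
	}
	return "", nil
}

// GuardMetadata is the check a PlaintextGuard-style filter would apply to the
// metadata part of an envelope before it is persisted: nil for clean
// documents, a wrapped ErrPlaintextKey naming the offending path otherwise.
func GuardMetadata(raw []byte) error {
	var doc any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return fmt.Errorf("metadata is not valid JSON: %w", err)
	}
	hit, err := findForbidden(doc, "$", 0)
	if err != nil {
		return err
	}
	if hit != "" {
		return fmt.Errorf("%w: %s", ErrPlaintextKey, hit)
	}
	return nil
}

func main() {
	// Constructed sample envelopes, not captured traffic.
	clean := []byte(`{"ciphertext":"b64...","header":{"sender_key_id":"k1","counter":42}}`)
	leaky := []byte(`{"ciphertext":"b64...","debug":[{"decryptedBody":"hello"}]}`)
	fmt.Println(GuardMetadata(clean)) // <nil>
	fmt.Println(GuardMetadata(leaky)) // metadata contains a forbidden key: $.debug[0].decryptedBody
}
```

The guard fails closed on key names only; it cannot tell whether a value under an innocuous key is actually ciphertext, so it complements rather than replaces the envelope format checks.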
Prekey and identity key storage endpoints support Signal-style key agreement handshakes (compare the PQXDH reference above).
Key history events are recorded in an append-only transparency log so that the integrity of published public keys can be verified.
Audit events are hash-chained per organization so that the integrity and ordering of an organization's log can be verified.
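One way to build and verify an append-only hash chain that serves both the key-history transparency log and the per-organization audit chain described above. This is an added example, not the project's implementation; the Entry layout, the genesis value, the canonical encoding and the constructed events are its own assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

var (
	ErrBrokenChain  = errors.New("hash chain broken")
	ErrHeadMismatch = errors.New("chain head does not match trusted anchor")
)

// Entry is one append-only record. The same shape serves a per-organization
// audit chain and a key-history transparency log; the field layout is this
// example's, not the project's schema.
type Entry struct {
	OrgID    string `json:"org_id"`
	Seq      uint64 `json:"seq"`
	Type     string `json:"type"`
	Payload  string `json:"payload"`
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash,omitempty"`
}

// genesisHash is the prev_hash of the first entry of every organization.
var genesisHash = hex.EncodeToString(make([]byte, 32))

// entryHash commits to the entry's content, its position and its predecessor.
// Marshalling the struct with Hash cleared gives a canonical byte string,
// since encoding/json emits struct fields in declaration order.
func entryHash(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // strings and integers cannot fail to marshal
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// ChainStore keeps one chain per organization, in memory for the example.
type ChainStore struct{ chains map[string][]Entry }

func NewChainStore() *ChainStore { return &ChainStore{chains: map[string][]Entry{}} }

// Append links a new event to the organization's current head.
func (s *ChainStore) Append(orgID, eventType, payload string) Entry {
	chain := s.chains[orgID]
	prev := genesisHash
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	e := Entry{OrgID: orgID, Seq: uint64(len(chain)), Type: eventType, Payload: payload, PrevHash: prev}
	e.Hash = entryHash(e)
	s.chains[orgID] = append(chain, e)
	return e
}

// Chain returns a copy of an organization's entries, as an exporter would.
func (s *ChainStore) Chain(orgID string) []Entry {
	return append([]Entry(nil), s.chains[orgID]...)
}

// Verify recomputes every link of one organization's chain and returns the
// index of the first bad entry (-1 if the chain is intact). Given a trusted
// head hash held outside the database it also detects truncation of the
// tail, which no amount of internal hashing can catch on its own.
func Verify(orgID string, chain []Entry, trustedHead string) (int, error) {
	prev := genesisHash
	for i, e := range chain {
		switch {
		case e.OrgID != orgID:
			return i, fmt.Errorf("%w: entry %d belongs to org %q", ErrBrokenChain, i, e.OrgID)
		case e.Seq != uint64(i):
			return i, fmt.Errorf("%w: entry %d has seq %d (deletion or reorder)", ErrBrokenChain, i, e.Seq)
		case e.PrevHash != prev:
			return i, fmt.Errorf("%w: entry %d prev_hash does not match its predecessor", ErrBrokenChain, i)
		case entryHash(e) != e.Hash:
			return i, fmt.Errorf("%w: entry %d content does not match its hash", ErrBrokenChain, i)
		}
		prev = e.Hash
	}
	if trustedHead != "" && prev != trustedHead {
		return len(chain), ErrHeadMismatch
	}
	return -1, nil
}

func main() {
	store := NewChainStore()
	store.Append("org-a", "USER_CREATED", "user-1") // constructed events
	store.Append("org-a", "KEY_PUBLISHED", "device-1:identity-key-v1")
	head := store.Append("org-a", "AUDIT_EXPORT_REQUESTED", "by user-1").Hash
	chain := store.Chain("org-a")
	fmt.Println(Verify("org-a", chain, head)) // -1 <nil>
	chain[1].Payload = "device-1:identity-key-v2" // someone rewrites the published key
	fmt.Println(Verify("org-a", chain, head))     // 1 hash chain broken: entry 1 content does not match its hash
}
```

Deleting the newest entries leaves a chain that still verifies internally, which is why Verify takes a trusted head: publish the current head hash somewhere the database owner cannot rewrite (the page lists Sigstore Rekor among its references) and feed it back in when verifying.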
Upload and download paths handle client-side encrypted attachments; the server stores only ciphertext and encrypted attachment metadata.
Organization-level and room-level emergency lockdowns immediately suspend activity in the affected scope.
Device records track hardware-backed attestation status, compliance state, and revocation actions.
The mobile module defines abstract cryptographic interfaces (DirectCryptoProvider, GroupCryptoProvider, and SecureStorageProvider in the diagram above) and visual presentation mockups for secure conversations.
Local Docker Compose support and Kubernetes base manifests are provided for deployment experimentation; both require environment-specific hardening before production use.
The platform also includes a governance plane for compliance auditing and rule-based policy enforcement:
- Compliance Query Language (CQL): a SQL-inspired language, parsed with ANTLR4, that is restricted to querying the AUDIT_EVENTS, DEVICES, and ROOMS tables.
  - Grammar: CQL.g4
  - Compiler / Service: CqlPolicyService
  - Example query:
    SELECT id, event_type FROM AUDIT_EVENTS WHERE event_type = 'AUDIT_EXPORT_REQUESTED'
- Smalltalk Policy Engine: a lightweight Smalltalk message-passing engine embedded in the Java policy layer that evaluates compliance rules written as blocks ([ :param | ... ]).
  - Engine: SmalltalkEngine
  - Service: SmalltalkService
  - Example script:
    [ :device | device platform = 'iOS' ]
- Governance REST endpoints:
  - POST /api/v1/governance/cql/parse: parse a CQL query string into its AST.
  - POST /api/v1/governance/cql/execute: execute a CQL query against the audit tables.
  - POST /api/v1/governance/smalltalk/evaluate: evaluate a Smalltalk block against a target object context.
The cql/execute and smalltalk/evaluate endpoints run caller-supplied query or script text, so they belong behind administrator-level authorization.


