ShhhsDocs
Trust Updated 2026-06-22

Verifiable security roadmap

Capability map for verifiable privacy signals, hosted JavaScript trust limits, passkeys, sender controls, chunked files, signed receipts, and corporate no-account workflows.

What is deployed today

Shhhs publishes a security whitepaper, crypto specification, threat model, metadata and retention guide, OpenAPI contract, CLI/MCP guides, responsible disclosure path, and automated route smokes. These are evidence signals, not substitutes for an external audit.

  • Security whitepaper
  • Threat model
  • OpenAPI and route smokes

Hosted JavaScript trust boundary

A hosted browser app should not be marketed as independently verified only because it says encryption happens locally. Stronger evidence requires reproducible client builds, signed release artifacts, public test vectors, extension review, or external audit evidence.

  • Reproducible client build
  • Signed release artifacts
  • Public test vectors

Formal proof language

Shhhs should not claim formal cryptographic proofs today. The supported claim is narrower: supported secret payload plaintext is encrypted before upload and private key material is kept out of server-readable URLs or storage in supported flows.

  • No formal-proof claim
  • No proof-system claim
  • Client-side payload encryption

Passkeys and recipients

Paid account access uses passkeys where available. Recipient-side passkey gates without nominal accounts remain roadmap because they require careful WebAuthn ceremony design, replay protection, device-loss handling, and clear recovery limits.

  • Paid passkeys exist
  • Recipient passkey gates are roadmap
  • No recovery overpromise

Sender governance

Remote burn, TTL, view limits, preview-safe no-fragment behavior, request disablement, and owner-only reveal are the current sender-control foundation. IP or country restrictions must be treated as policy gates, not as proof that the server cannot influence access.

  • Remote burn
  • TTL and views
  • Policy gates are metadata-bound

Roadmap signals

Large encrypted file chunks, signed open receipts, and stronger no-account corporate workflows are useful differentiators, but they need implementation, tests, entitlement limits, replay protection, and audit metadata before public claims expand.

  • Chunked encryption roadmap
  • Signed receipt roadmap
  • Corporate no-account workflows