Security Evidence Pack
Public evidence package for Shhhs cryptographic boundaries, metadata rules, test vectors, CLI/MCP release checks, and operational smokes.
What is published
Shhhs publishes operational evidence that can be inspected without opening the backend source. This includes a crypto specification, deterministic test vectors, OpenAPI contract, CLI/MCP checksums, route inventories, and smoke-test references.
- Crypto spec: /crypto-spec
- Test vectors: /test-vectors
- OpenAPI: https://shhhs.net/openapi.json
- CLI/MCP manifest: https://shhhs.net/cli/manifest.json
Allowed claim boundary
Public claims must stay bounded to deployed behavior: client-side encryption for supported flows, ciphertext plus operational metadata stored on the server, no AI processing of secrets, and no recovery of lost secrets or access material.
- Client-side encryption for supported flows
- Server stores ciphertext plus operational metadata
- No AI processing on secrets
- No secret recovery
What is not claimed
This evidence pack is not an external audit, open-source release, formal zero-knowledge proof, compliance certification, or irreversible-deletion guarantee.
- No external audit claim
- No open-source claim
- No absolute zero-knowledge claim
- No certification claim
Useful local checks
The repository uses deterministic checks to keep the published evidence and the implementation aligned. Any report produced from these checks must redact tokens, API keys, full private URLs, URL fragments, passphrases, recovery codes, and plaintext before it is shared.
npm run crypto:vectors
npm run cli:release
npm run cli:release:verify
npm run private-rooms:smoke
npm run security:smoke
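The redaction rule above, expressed as a publish-time gate. This is an added example in JavaScript (the checks are npm scripts), not code from the Shhhs repository or this evidence pack. The secret shapes it recognises (a hypothetical /p/ private-URL prefix, Bearer tokens, api_key= values, passphrase and recovery_code fields) and the sample report lines are constructed assumptions; the page does not document the real formats or the real output of the scripts.

```javascript
// Added example, not Shhhs project code: a redaction pass a report generator
// could run before a check report is published. The secret shapes below are
// assumptions constructed for this example.

// Each rule: group 1 = prefix to keep, group 2 = secret to replace.
const RULES = [
  // URL fragments: in fragment-keyed schemes the key never leaves the client,
  // so a logged fragment is key material. Strip it before anything else.
  { name: 'url-fragment', re: /(https?:\/\/[^\s#]+#)(\S+)/g, mask: '[REDACTED-FRAGMENT]' },
  // Private room URLs (assumed prefix /p/): the path identifier is private too.
  { name: 'private-url', re: /(https?:\/\/[^\s\/]+\/p\/)([^\s#]+)/g, mask: '[REDACTED-ID]' },
  { name: 'bearer-token', re: /\b(Bearer\s+)([A-Za-z0-9._~+\/-]+=*)/g, mask: '[REDACTED-TOKEN]' },
  { name: 'api-key', re: /\b(api[_-]?key\s*[=:]\s*)(["']?[A-Za-z0-9_-]{8,}["']?)/gi, mask: '[REDACTED-KEY]' },
  { name: 'passphrase-or-recovery-code', re: /\b((?:passphrase|recovery[_-]?code)\s*[=:]\s*)(\S+)/gi, mask: '[REDACTED]' },
];

// Applies every rule; returns { text, counts } where counts maps rule name to
// the number of replacements made (useful as a report-of-the-report).
function redactReport(text) {
  const counts = {};
  let out = text;
  for (const rule of RULES) {
    let n = 0;
    out = out.replace(rule.re, (_m, prefix) => { n += 1; return prefix + rule.mask; });
    if (n > 0) counts[rule.name] = n;
  }
  return { text: out, counts };
}

// Publish gate: returns the names of rules that still match an unmasked secret,
// plus 'plaintext' if any known fixture plaintext appears. Plaintext has no
// shape to pattern-match, so the caller passes the exact fixture values its
// checks used (for example the test-vector inputs) and they are searched for
// literally.
function leaksRemaining(text, knownPlaintext = []) {
  const leaks = [];
  for (const rule of RULES) {
    for (const m of text.matchAll(rule.re)) {
      if (!m[2].startsWith('[')) { leaks.push(rule.name); break; }
    }
  }
  if (knownPlaintext.some((p) => p.length > 0 && text.includes(p))) leaks.push('plaintext');
  return leaks;
}

// Constructed sample report lines; not real output of the npm scripts above.
const SAMPLE_REPORT = [
  'ok private-rooms:smoke opened https://shhhs.net/p/r8Qk2#k=ZmFrZS1rZXk',
  'ok security:smoke auth header Authorization: Bearer eyJhbGciOi.fake.sig',
  'fail cli:release:verify api_key=sk_test_0123456789abcdef mismatch',
  'note recovery_code: 1234-5678-9012',
  'debug vector 3 input was "attack at dawn"',
  'ok crypto:vectors 12/12 match',
].join('\n');

const EXPECTED_REDACTED = [
  'ok private-rooms:smoke opened https://shhhs.net/p/[REDACTED-ID]#[REDACTED-FRAGMENT]',
  'ok security:smoke auth header Authorization: Bearer [REDACTED-TOKEN]',
  'fail cli:release:verify api_key=[REDACTED-KEY] mismatch',
  'note recovery_code: [REDACTED]',
  'debug vector 3 input was "attack at dawn"',
  'ok crypto:vectors 12/12 match',
].join('\n');

// Runs the pass over the sample and returns what a CI step would inspect.
function demo() {
  const { text, counts } = redactReport(SAMPLE_REPORT);
  // The constructed fixture plaintext is the one thing patterns cannot catch;
  // the gate still reports it, so this report would be blocked from publishing.
  const leaks = leaksRemaining(text, ['attack at dawn']);
  return { text, counts, leaks, publishable: leaks.length === 0 };
}

console.log(demo());
```

The pattern rules and the literal plaintext search are deliberately separate: patterns catch shapes that recur in any report, while plaintext can only be recognised if the check that produced it hands its fixture values to the gate, which is why a report should compare hashes of decrypted vectors rather than print the values at all.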