SIPHR
sign increate key
↳ /roadmap · honest about what ships when

What's built,
what's next,
what's not planned.

Siphr is being built in the open. This page tracks the work against the cryptographic claims on the rest of the site. If a claim isn't shipped yet, it's markedplannedand tied to a phase below. No vapor.

phase shipping now
1.0
production · sessions + RBAC + mobile
phase in progress
1.1
external audit · reproducible builds · bounty payouts
external audit
planned
not yet booked · status will land here
source
github
VisualActions/Siphr
↳ today · v1.0 (production)

Sign up, generate a real keypair, push from git, file issues + PRs, run an org.

HTTPS git push + PAT auth, server-side at-rest encryption for private repos, server sessions, issues / PRs / releases, orgs + RBAC, a mobile shell, and the dogfood site serving its own source. The external crypto audit is the next bar — see below.

↳ live at · siphr.vercel.app
↳ source · github.com/VisualActions/Siphr
00
✓ shipped
v0.1 scaffold

Crypto, identity, and a place to put things

The cryptographic plumbing is real. Object writes go to Supabase; the server holds public material only.

  • WebCrypto identity: P-256 ECDH keypair generated client-side
  • Passphrase-wrapped private key (PBKDF2-SHA256 · 600k iter · AES-GCM)
  • Stable public-key fingerprints (SHA-256 of canonical JWK)
  • Repo-key wrap/unwrap (ECDH + AES-GCM)
  • Per-object AES-256-GCM with fresh nonce
  • Postgres schema (users / repos / refs / objects) via Supabase
  • Signup flow that actually wraps your private key locally
  • Dashboard reads /api/users + /api/repos (real data)
  • Cross-device sign-in via encrypted identity blob
lib/crypto.ts is the source of truth. Everything else gets to assume these primitives work.
design coverage · 01 Landing · 02 Key Ceremony · 04 Dashboard · 05 Transparency (illustrative)
01
✓ shipped
v0.2 · browser-side commits

The first real commit, end-to-end encrypted in the tab

The repo-create UI generates a fresh AES-256 repo key in the browser, wraps it to your public key, and stores ciphertext only. The empty-repo page is a real working in-browser editor.

  • /repos/new matches artboard 08 (step rail, name-availability, segmented visibility)
  • Toggle grid for commits/branches/issues/filenames + rotation cadence
  • Live server-view preview updates as toggles flip
  • isomorphic-git over Lightning FS in the browser
  • In-browser file editor with a working commit button
  • Folder drop via File System Access API · default-skip .git/.env/node_modules/
  • Each loose object encrypted with the repo key before PUT
  • Refs advance server-side after the upload finishes
  • /admin operator console + /featured curation
design coverage · 08 Create a repo · 09 Quick setup (paths 01 + 02) · 06 Featured · 07 Operator
02
● in progress
v0.3 — v0.4 · real transport
↳ target · Q2 — Q3 2026

git clone + git push for public repos · v0.4 includes a private-repo helper

Smart-HTTP discovery returns 403 for private today; v0.3 implements the real upload-pack + receive-pack for public repos so plain `git push` works end-to-end. v0.4 ships a native helper for private.

  • Smart-HTTP upload-pack (real packfile streaming) for public repos
  • Smart-HTTP receive-pack with object validation for public repos
  • File browser hooked to real objects (currently only public-repo tree is real)
  • Amend / multi-commit support in the browser editor
  • Native siphr-helper binary · intercepts plain push for private repos
  • Per-commit signing with Ed25519 keys (separate keypair from the ECDH one)
HTTPS only. SSH is not planned — keys live in the browser, not ~/.ssh.
design coverage · 03 Repo page (with real objects) · 09 Quick setup paths 03 + 04
03
✓ shipped
v0.5 — v0.6 · collaboration
↳ target · shipped

More than one key per repo

The wrap-to-recipient primitives worked for one person; this phase shipped them for multi-collaborator repos and the painful case (revocation).

  • Invite by public-key fingerprint · pending-invite accept/decline handshake
  • Wrap repo key to each accepted collaborator (repo_recipients · client-side)
  • Revoke → flag rotation → client mints a fresh DEK and re-wraps recipients
  • Issues / PRs / comments with encrypted bodies at rest (per-repo DEK)
  • Ed25519 signing keys + server-side signature verification
  • Web of trust: signed cross-attestation of another fingerprint
design coverage · 03 Repo page (collaborator list) · 06 Featured (multi-org model)
04
✓ shipped
v0.7 — v0.8 · trust & verifiability
↳ target · shipped · build-reproducibility next

Make 'verify, don't trust' actually verifiable

A privacy product without verifiable claims is just a sticker. This phase shipped the things that turn the marketing page into evidence.

  • Recovery codes (10-word phrase) generated at signup · second wrap of the private key
  • Public-key transparency log · append-only · sha256 hash-chained · re-derivable
  • /transparency wired to real counts (repos, keys, objects, audit, log chain)
  • Per-repo audit log of key-events (push, ref move, grant, rotate)
  • AGPL-3.0 license committed at the repo root
  • Reproducible build pipeline · published build hash · external reproducers
design coverage · 05 Transparency · 02 Key Ceremony (recovery-words step 4)
05
✓ shipped
v1.0 · production
↳ target · cut · audit-dependent for the public bounty

Doors open. Audit still pending.

1.0 cut with the full forge — push, issues, PRs, releases, orgs, RBAC, sessions, mobile, dogfood serving itself. The external crypto audit is the next bar; we'd rather ship with an honest 'audit pending' label than wait for a perfect ribbon-cutting.

  • Server sessions (scrypt-hashed passphrases · 30-day cookie · revoke list)
  • Production hardening — security headers, rate-limit, RLS on user tables
  • HTTPS git push + PAT auth · per-object PUT bypass for large dogfood pushes
  • Server-side at-rest encryption for private repos (AES-256-GCM · master-key wrap)
  • Issues, PRs, releases — fast-forward merge, comment threads, per-repo numbering
  • Orgs + teams + RBAC (read / write / maintain / admin)
  • Mobile-responsive shell (phones can sign in, browse, file issues)
  • siphr.dev/siphr/siphr — Siphr hosting Siphr's source
  • Operator console live (real fleet metrics · verify/feature actions · transparency chain)
  • BYOK per-org master key · wrapped to the platform key, never stored bare
  • Binary release assets via Vercel Blob (client-direct upload + integrity hash)
  • Amend + multi-commit browser editor (parent-tree materialization)
  • /status page with live server-side health checks · /bounty program page
  • External crypto + threat-model audit (the bar — not yet booked)
  • Public bug bounty payouts (program + scope published on /bounty)
  • Pricing committed (free for public + 1 private; paid for orgs)
design coverage · 06 Featured · 07 Operator console
06
·· later
v1.1+ · ecosystem

The things that come after a launch worth caring about

Deliberately listed last. None of these matter if v0.4–v0.8 aren't real.

  • Native git helper (encrypts on push) · community could ship this earlier
  • Mobile-friendly browse (read-only first)
  • GitHub mirror import · 'send my embargoed branch to Siphr' flow
  • Webhooks (signed, scoped to public-key holders only)
  • Org accounts with key-hierarchy (admin keys delegate to repo keys)
  • Languages other than English in the UI
  • SSH transport — not planned · keys live in the browser, not ~/.ssh
  • Federated forge protocol (ForgeFed) — deferred · not enough adopters yet
  • AI-anything — out of scope on purpose · 'we can't read it' includes us
↳ things we won't build · listed here so you don't wait for them

The deliberate absences.

SSH transport

Private keys live in the browser. We don't want a copy in ~/.ssh — that would double the attack surface for no security gain.

Email-based password reset

If we could reset your access by email, we could be compelled to. The whole pitch breaks. Recovery codes only.

Server-side search across private repos

The server holds ciphertext. Searching it is impossible without a key — by design. Search is client-side.

An LLM trained on your code

'We can't read it either' has to include us. Inference-time access is reading.

USE IT

Try the scaffold.

Sign up. Make a repo. Lose your passphrase on purpose and confirm we can't recover it. File issues.

siphr.vercel.app
REVIEW IT

Audit the crypto.

lib/crypto.ts is ~280 lines. Read it. Tell us what's wrong. The threat model wins from being wrong loudly and early.

lib/crypto.ts
REPRODUCE IT

Build it yourself.

When v0.8 ships, we'll publish a build hash. Until then: clone, build, diff. Any mismatch is interesting.

github.com/VisualActions/Siphr
↳ last updated · 30 May 2026↳ this page is in the repo · edit it via pull request