<!-- SPDX-License-Identifier: AGPL-3.0-or-later -->
# pvtcoms

A private, **serverless, peer-to-peer, anonymous, post-quantum** encrypted messenger.

- **No central server** owns your messages; peers connect over an anonymity network.
- **Anonymous** — no phone number, email, or global user ID; rotating, unlinkable addresses.
- **Post-quantum** end-to-end encryption (hybrid X25519 + ML-KEM-768) with forward secrecy.
- **Cross-platform** from one Rust core: Android + desktop (iOS later).

> ⚠️ **Status: pre-alpha, in active development, NOT yet audited.**
> Do **not** rely on pvtcoms to protect anything sensitive. A named third-party security audit and
> field testing are required before any "production" or "secure" claim. See [`THREAT_MODEL.md`](./THREAT_MODEL.md).

## Why
Encryption hides *what* you say; pvtcoms also works to hide *who is talking to whom*. It targets
high-threat users (journalists, activists, sources) first, with safe defaults and honest trade-offs —
no dark patterns, no telemetry, no fake delivery receipts. Convenience features are opt-in and label
their privacy cost.

## How it works (short version)
- **Transport:** Tor (via `arti`); one uniform anonymity layer.
- **Delivery:** direct peer-to-peer when both are online; otherwise a **sealed, self-hosting, ephemeral
  "oblivious mailbox"** (the relay holds an unreadable blob addressed to a rotating one-time code — it
  can't read content, sender, or recipient). No push by default.
- **Identity & onboarding:** keypair identity; add a contact with a single-use invite (QR / link), then
  verify out-of-band (a short safety-string compared on a call or in person) before trusting.

## Build
Requires Rust (pinned in `rust-toolchain.toml`).

```bash
cargo test          # build + run the test suite
cargo build --release
```

Apps (Android / desktop) are built from the shared core via UniFFI + native UIs — see
[`docs/DEVELOPMENT.md`](./docs/DEVELOPMENT.md) and [`STACK.md`](./STACK.md).

## Security
- Threat model and boundary: [`THREAT_MODEL.md`](./THREAT_MODEL.md)
- Report a vulnerability: [`SECURITY.md`](./SECURITY.md) (please report privately)
- Stack & supply-chain policy: [`STACK.md`](./STACK.md), [`deny.toml`](./deny.toml)

## Contributing
PRs welcome — sign off with `git commit -s` (we use a **DCO**, not a CLA). See
[`CONTRIBUTING.md`](./CONTRIBUTING.md). Security non-negotiables and coding standards apply.

## License
**AGPL-3.0-or-later** (free software) — [`LICENSE`](./LICENSE) +
[`LICENSE-EXCEPTIONS.md`](./LICENSE-EXCEPTIONS.md) (App Store additional permission). The code is
copyleft; the name/logo are governed by [`TRADEMARK.md`](./TRADEMARK.md).