About this prototype
Conduit is a Tor-style overlay network with a vetted human responder layer for anonymous abuse reporting from oppressed populations. This is the prototype: a single-server application that shows the user flow and how each team can only open its own mail. It is not the production system.
What is real in this prototype
- The cryptography. X25519 key agreement; AES-256-GCM authenticated encryption; HKDF-SHA256 key derivation. Real ciphers, real key separation.
- Each team opens only its own mail. Every team has its own key. A case routed to Legal can be opened by Legal's key only. Other teams see an unreadable blob even when looking at the very same database row.
- Names never appear. A Messenger is known by a return code. A Responder is known by a token. The activity log records tokens, never names.
- The add-only log. Every sensitive action is recorded in order. (In the real Conduit the log is hash-chained and cryptographically committed.)
What is simplified for the demo
- Classical crypto only. Real Conduit uses hybrid post-quantum (X25519 + ML-KEM/Kyber768).
- All keys live on the server. Real Conduit keeps the Messenger's private key only on their own device, and the Responder's key only with them (via Wide Point Corporation's ECA-credentialed PKI).
- Single server, no onion routing. Real Conduit routes through three or more federated relays in different countries.
- No mini-HQ partitioning. Real Conduit shards its token map across mini-HQs in Switzerland, Iceland, the US, and elsewhere — each holding only its regional slice, under m-of-n key custody.
- No warrant canary, transport obfuscation, mesh, sneakernet, or mixnet. Those arrive in v1.0 through v1.2.
- Plain JSON on disk. Real Conduit encrypts everything at rest under hardware-backed keys that take multiple people to use.
Documentation
The complete production design suite lives at ~/Documents/conduit/ — about 33 documents, ~82,000 words.
Start with INDEX.md.