DukeInc/Kez
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Kez/kez-chat/document.md
Tudisco 008875a2ad plan(kez-chat): add design doc for the chat + file share project 
Pre-implementation planning document for kez-chat — a Keybase-class chat
and file sharing app built on the KEZ stack.

Architecture (no code yet, just the plan):

- Identity: KEZ ed25519 primary keys; handles look like
  @username@kez.lat (placeholder default home server).
- Messaging: NATS broker, dumb relay, clients do E2E with
  ChaCha20-Poly1305 over X25519-derived keys. nkeys-auth means the
  user's KEZ primary key literally IS their NATS credential.
  JetStream handles offline delivery.
- File transfer: Iroh peer-to-peer, content-addressed blobs.
  On-demand fetch (no folder sync, no surprise downloads).
  Shared-files manifest committed via a new sigchain `set_shared_files`
  op; per-entry encryption for private shares.

Server: a single Rust binary `kez-chat-server` that bundles the
handle registry, NATS auth callout, optional sigchain mirror, and
optional Iroh pinning. NATS broker and Iroh node run alongside it.

Includes:
- End-to-end flows (account creation, add contact, send message,
  share file, browse files)
- Proposed folder restructure: pull kez-core + kez-channels out into
  a top-level `rust-lib/` workspace so downstream projects (sig-server,
  chat-server, future) can path-depend cleanly without reaching into
  each other's crate trees
- MVP scope and explicit out-of-scope list
- 7 open design questions with my recommended defaults
- Sequenced build plan (refactor first → server scaffold → NATS auth
  → CLI client → Iroh → manifest → deploy → GUI)
2026-05-24 22:21:03 -06:00

25 KiB
Raw Blame History

KEZ Chat & File Share — Design Document

Status: Pre-implementation planning. No code yet. Last updated: 2026-05-24 Goal: A Keybase-class chat + file sharing experience built on the KEZ identity stack, with NATS for messaging and Iroh for file transfer.

1. What this is

A real-time chat + file-sharing application with verified identities.

  • Users get human-friendly handles like @tudisco@kez.lat.
  • The handle is bound to a KEZ primary key (ed25519); the same key authenticates to the chat infrastructure.
  • Conversations are end-to-end encrypted; the broker is dumb.
  • Files are visible in the sender's "shared files" list but only downloaded when a recipient actually wants them. No background sync.
  • Identity is portable: the underlying key + sigchain survives the home server going dark. Handles can be migrated to other servers.

This is the Keybase model rebuilt on a decentralized substrate:

  • Identity layer → KEZ (instead of Keybase's central account system)
  • Chat layer → NATS broker with E2E in the client (instead of Keybase Chat servers)
  • File layer → Iroh peer-to-peer with content addressing (instead of KBFS)

2. Three-layer architecture

┌─────────────────────────────────────────────────────────────┐
│                kez-chat application                         │
│           (chat UI, file browser, profile views)            │
└────┬──────────────┬─────────────────────┬───────────────────┘
     │              │                     │
     ▼              ▼                     ▼
┌─────────┐   ┌──────────┐         ┌────────────────┐
│   KEZ   │   │   NATS   │         │     Iroh       │
│         │   │          │         │                │
│ ↓ who   │   │ ↓ chat   │         │ ↓ file blobs   │
│ ↓ what  │   │ ↓ tickets│         │ ↓ on-demand    │
│   they  │   │ ↓ presence         │ ↓ NAT travers. │
│   own   │   │ ↓ small  │         │ ↓ E2E in QUIC  │
│ ↓ where │   │   stuff  │         │                │
│   they  │   │          │         │                │
│   listen│   │ dumb     │         │                │
│         │   │ broker;  │         │                │
│         │   │ clients  │         │                │
│         │   │ do E2E   │         │                │
└─────────┘   └──────────┘         └────────────────┘
     │              ▲                       ▲
     └─────────── sigchain ──────────────────┘
       (handle → KEZ primary → endpoints
        and links to other identities)

Each layer does one thing well. Each is replaceable without touching the others. The KEZ sigchain is the bridge that ties them together — it tells a verifier "this user's broker is X, their Iroh nodes are Y₁ and Y₂."

3. Identity & username model

3.1 Handles

Handles look like email and Mastodon addresses:

@tudisco@kez.lat
@chris@kez.lat
@alice@chris.com         ← custom domain, opted out of default

kez.lat is the placeholder default home server domain. We'll replace this with the actual production domain once chosen. The application treats whatever's after the @ as the user's home server — multiple servers can exist, federation is by convention (same model as email).

In the UI, when the home server matches the app's default, handles are displayed bare (@tudisco). Custom domains always display the full form (@chris@chris.com) so users can tell when they're talking to a non-default-server user.

3.2 Key generation tied to username

When a user creates an account:

  1. App generates a fresh ed25519 keypair locally.
    • This is the user's KEZ primary key.
    • It's also their NATS nkey for the chat broker (same key, same algorithm).
  2. App registers @username on the home server's handle registry
    • POSTs a signed registration request: { "handle": "tudisco", "primary": "ed25519:<hex>" }
    • The signature proves the user controls the private key.
    • The registry rejects squatting (first-come-first-served per home server).
  3. App initializes a sigchain for the new primary
    • First event: add_endpoint advertising the NATS broker the app will use.
    • Second event: add_endpoint advertising the Iroh NodeId the local app is using.
  4. App uploads the sigchain to a kez-sig-server (optional but recommended; otherwise the chain lives only on the user's device).

After this flow the user has a fully working KEZ identity:

  • @tudisco@kez.lat resolves via the handle registry to their primary key.
  • That key's sigchain advertises their NATS broker and Iroh nodes.
  • Other users can verify them and reach them.

3.3 Why ed25519 (not nostr/secp256k1) for this app

Both KEZ primaries work in general, but the chat app must use ed25519 because:

  • NATS nkeys are ed25519. Direct alignment: the user's KEZ primary key is their NATS credential. No second auth scheme.
  • Iroh node IDs are ed25519. Same primitive, native fit.
  • One key type to manage. Users with a pre-existing nostr key can still attach it to their KEZ sigchain as a claim (so they're verifiable on nostr too), but the primary that runs the app is ed25519.

4. The home server (kez-chat-server)

A single Rust binary that bundles the home-server responsibilities. One process. Self-hostable. Anyone can run their own to be their own home for their own users.

4.1 What it does

Responsibility How
Handle registry POST /v1/register to claim @username, GET /v1/u/<handle> to look one up. SQLite-backed. Same shape as kez-id-server discussed earlier.
Sigchain mirror (optional) Mirrors kez-sig-server endpoints for users who don't want to publish elsewhere — POST /v1/sigchains/.../events, GET /v1/sigchains/.... Or proxies through to a separate kez-sig-server instance.
NATS broker host Runs (or co-runs) a NATS server with JetStream enabled for offline message delivery. Configured to use nkey-based auth tied to KEZ primary keys.
Iroh pinning node Runs an Iroh node that users can opt to push their blobs to, so files are served even when the user's own device is offline. (Optional per user.)
WebFinger endpoint /.well-known/webfinger?resource=acct:tudisco@kez.lat returns user discovery info — interop with fediverse tools.
HTTP API for clients Thin REST surface for the chat app to register, look up handles, fetch endpoints, manage settings.

4.2 Process model

For MVP, the server is a coordinator + adapter, not a full reimplementation:

┌───────────────────────────────────────────────────────────┐
│         kez-chat-server process (one Rust binary)         │
│  - HTTP API (axum)                                        │
│  - Handle registry (SQLite)                               │
│  - NATS auth callout (validates nkey signatures)          │
│  - Sigchain mirror (axum routes — could reuse             │
│    rust-sig-server code)                                  │
└──┬──────────────────────┬────────────────────────────────┘
   │ launches/manages     │ talks to via API
   ▼                      ▼
┌──────────────┐      ┌──────────────┐
│ nats-server  │      │ iroh-relay   │  (optional, for users
│ (Go binary)  │      │ (Rust)       │   who want pinning)
│ + JetStream  │      │              │
└──────────────┘      └──────────────┘

The Rust server doesn't reimplement NATS or Iroh — it sits beside them. Operator runs the three processes together (Docker compose, systemd unit, or whatever). The chat-server provides the KEZ-aware integration: authenticating NATS connections against the handle registry, serving sigchain endpoints, exposing a clean HTTP API to client apps.

4.3 Endpoints (sketch)

GET  /v1/healthz
GET  /v1/u/:handle                       handle → { primary, sigchain_url, endpoints }
POST /v1/register                        claim a handle (signed body)
GET  /.well-known/webfinger?resource=...

# Sigchain mirror (same as kez-sig-server)
GET  /v1/sigchains/:scheme/:id
POST /v1/sigchains/:scheme/:id/events
GET  /v1/sigchains/:scheme/:id/head

# NATS auth callout (called by nats-server, not by users)
POST /internal/nats/auth                 verify nkey signature, return permissions

# Iroh pinning (optional)
POST /v1/pin                             pin a blob for offline serving
GET  /v1/pin/:hash                       check pinning status

The NATS broker and Iroh node are out-of-process — clients connect to them directly (mqtt://nats.kez.lat:4222, Iroh direct or via relays).

5. End-to-end flows

5.1 Account creation — @tudisco@kez.lat

1. User opens kez-chat-app, clicks "Create account"
2. App: generates ed25519 keypair locally
3. App: user picks handle "tudisco"
4. App → kez-chat-server:
     POST /v1/register
     { "handle": "tudisco",
       "primary": "ed25519:<pubkey-hex>",
       "registration_sig": "<sig over canonical message>" }
5. Server: validates signature, checks handle is free, stores in registry
6. Server: 201 Created
7. App: initializes sigchain locally, signs:
     { op: "add_endpoint",
       payload: { protocol: "nats",
                  url: "nats://nats.kez.lat:4222",
                  inbox: "kez.inbox.<pubkey-hex>" } }
     { op: "add_endpoint",
       payload: { protocol: "iroh",
                  node_id: "<local iroh node id>" } }
8. App → server:
     POST /v1/sigchains/ed25519/<pubkey-hex>/events  (twice, one per event)
9. App: connects to NATS broker with nkey auth, subscribes to inbox topic
10. Done — user is @tudisco@kez.lat, online, reachable

5.2 Adding a contact

1. Tudisco wants to add Chris. Types "@chris" in app.
2. App → kez-chat-server: GET /v1/u/chris
   Returns: { primary: "ed25519:abc...", sigchain_url: "..." }
3. App fetches the sigchain → walks events → extracts:
     - nostr/github/dns/etc. claims (for verification)
     - NATS broker URL + inbox topic
     - Iroh node IDs
4. App displays Chris's profile: verified accounts, avatar (from sigchain
   metadata if present), join date
5. App stores LOCAL binding: { "@chris@kez.lat" => ed25519:abc... }
   (TOFU — trust on first use)

5.3 Sending a chat message

1. Tudisco types "hello" in the chat with Chris.
2. App: looks up Chris's primary key + NATS endpoint from local store.
3. App: derives a symmetric key via ECDH:
     X25519(tudisco_priv, chris_pub) → KDF → 32-byte symmetric key
4. App: encrypts "hello" with ChaCha20-Poly1305 + the derived key.
5. App: signs the ciphertext with tudisco's KEZ primary (so chris can
   verify the sender, not just decrypt).
6. App: publishes to NATS subject `kez.inbox.<chris-pubkey-hex>` on
   chris's broker, with JetStream delivery (durable, will queue if
   chris is offline).
7. Chris's app receives from his subscribed inbox subject.
8. Chris's app: verifies signature against tudisco's key, decrypts, shows
   "tudisco: hello".

For 1:1 chat, the broker never sees:

  • The message contents
  • Who tudisco is talking to (the subject is chris's inbox, but anyone could publish there)
  • The relationship between sender and recipient (sender's identity is in the encrypted+signed payload, not in the NATS metadata)

5.4 Sharing a file

1. Tudisco drags `report.pdf` into the chat with Chris.
2. App: imports blob into local Iroh node → gets BLAKE3 hash + ticket.
3. App: optionally adds entry to tudisco's shared-files manifest
   (visible in his profile if Chris later browses it).
4. App: encrypts the Iroh ticket (and a content key for the blob, if
   the file is wrapped with a per-recipient symmetric key) with the
   same E2E mechanism as chat messages.
5. App: publishes to chris's NATS inbox: { type: "file_share",
   filename: "report.pdf", ticket: "...", content_key: "..." }
6. Chris's app receives the notification, displays:
   "tudisco shared report.pdf (1.2 MB)"  [Download]
7. Chris clicks Download.
8. App: opens Iroh connection to tudisco's NodeId (from sigchain), pulls
   the blob via the ticket, decrypts with the content key, verifies
   BLAKE3 hash. File appears.

If tudisco is offline at step 8 and he's opted into pinning, Chris's app fetches from kez.lat's pinning node instead. Same protocol, just a different source.

5.5 Browsing someone's files (Keybase-style)

1. Chris opens tudisco's profile.
2. App: resolves @tudisco → primary → sigchain.
3. Sigchain has a `set_shared_files` op with a manifest blob hash.
4. App: fetches the manifest blob (small, fast) via Iroh.
5. App: decrypts entries that are wrapped for chris's key, ignores ones
   it can't decrypt (those are wrapped for other people).
6. App: renders the visible entries with name, size, share date,
   thumbnail if present.
7. Chris clicks an entry to download — same as 5.4 step 8.

The manifest is small (KBs); only blobs Chris actually wants are fetched. No background sync of multi-GB folders.

6. Project & folder layout

6.1 Where this project lives

/Kez
├── rust-lib/                ← (proposed) shared Rust libraries
│   ├── Cargo.toml           workspace
│   └── crates/
│       ├── kez-core/        moved from rust/crates/
│       └── kez-channels/    moved from rust/crates/
│
├── rust/                    ← Rust CLI (kez binary)
│   └── crates/
│       └── kez-cli/         depends on ../../rust-lib/crates/...
│
├── rust-sig-server/         ← optional sigchain HTTP store
│
├── kez-chat/                ← THIS PROJECT
│   ├── document.md          (this file)
│   ├── Cargo.toml
│   ├── src/
│   │   ├── main.rs
│   │   ├── handles.rs       handle registry
│   │   ├── sigchain.rs      sigchain mirror (or proxy)
│   │   ├── nats_auth.rs     NATS auth callout
│   │   ├── pin.rs           Iroh pinning
│   │   └── api.rs           HTTP routes
│   ├── deploy/
│   │   ├── docker-compose.yml   chat-server + nats + iroh
│   │   ├── nats.conf
│   │   └── systemd/
│   └── tests/
│
├── nodejs/                  ← (unchanged)
└── crosstest.sh             ← (path updates if rust-lib moves)

6.2 The rust-lib/ proposal — share code, no duplication

Right now, kez-core and kez-channels live inside rust/crates/. The sig-server and the chat-server both want to use them. With everything in rust/, downstream projects have to do:

kez-core = { path = "../rust/crates/kez-core" }

…which works but feels off (why does a separate project reach into another project's crates/?).

Recommendation: move the pure libraries out into a top-level rust-lib/ workspace. The CLI stays in rust/. Downstream servers depend on ../rust-lib/crates/kez-core. Clean structure, no duplication, no confusion about which folder owns the library code.

Refactor effort: small but real.

  • mv rust/crates/kez-core rust-lib/crates/
  • mv rust/crates/kez-channels rust-lib/crates/
  • Create rust-lib/Cargo.toml (workspace).
  • Update rust/Cargo.toml to have just kez-cli.
  • Update path deps in: rust/crates/kez-cli/Cargo.toml, rust-sig-server/Cargo.toml.
  • Update crosstest.sh if any paths are hardcoded.

Suggested order: do the refactor first, then start kez-chat with clean imports. Otherwise we'll write path = "../rust/crates/..." for the chat-server and have to fix it later anyway.

6.3 Dependencies (planned)

Crate Why
kez-core (path) Identity types, sigchain, claim signing
kez-channels (path) Verify users' linked accounts when displayed
axum 0.8 HTTP API
tokio Async runtime
rusqlite (bundled) Handle registry
async-nats NATS client (for the auth callout and maybe utility)
iroh Iroh node (for pinning)
iroh-blobs Blob handling
serde / serde_json Standard
thiserror / anyhow Standard
tracing / tracing-subscriber Logging
tower-http CORS, request tracing
clap CLI args

6.4 The actual NATS broker

We don't write a NATS broker. We run one alongside the Rust server:

  • Use the official nats-server Go binary (downloaded from nats.io or built from source).
  • Configure with JetStream enabled (for offline delivery via durable consumers).
  • Configure auth callout pointing at the kez-chat-server's internal endpoint, so connection auth defers to the KEZ registry.
  • Run in the same Docker compose / systemd target as the Rust server.

NATS clustering for redundancy is a later concern.

6.5 The actual Iroh node

We DO embed Iroh in-process — Iroh is a Rust library and works as such. The chat-server runs an iroh::Node and offers it as a pinning service for users who opt in.

For client apps: they run their own Iroh node locally too. The chat-server's Iroh node is just a peer — albeit one that's always online and willing to hold blobs.

7. MVP scope

What ships in v0:

  • kez-chat-server binary
    • Handle registry (POST /register, GET /u/:handle)
    • Sigchain mirror (proxy or own copy)
    • NATS auth callout
    • WebFinger endpoint
    • HTTP healthz/metrics
  • NATS broker config + deployment recipe
  • Iroh pinning node embedded (optional per user)
  • Docker compose for the whole bundle (server + nats + iroh node)
  • Integration tests against a real NATS + Iroh

What the client app needs to do (separate project? kez-chat-app/?):

  • Account creation flow (key gen + handle registration)
  • Contact lookup + verification
  • 1:1 chat (E2E via NATS)
  • File send/receive (E2E via Iroh)
  • Shared-files manifest browse + fetch
  • Profile view (sigchain visualization)

For v0, CLI client is fine (kez-chat send @chris "hello"). UI app comes later.

8. Out of scope (v0)

  • Group chat
  • Forward secrecy (Double Ratchet / MLS) — chat is encrypted but not ratcheting in v0
  • Voice / video calls
  • Multi-device key sync — user has one device with their key for v0
  • Account recovery / lost-key flows — protocol's rotate op exists but UX for recovery isn't designed yet
  • Federation across home servers — protocol allows it, but the v0 app may only resolve handles on its configured default server
  • Channel publishing (gist, DNS, ActivityPub, bluesky) — the kez CLI already has these; not duplicated here. User can run kez claim ... separately to add channel proofs to their sigchain.
  • Avatars / display name — could just use nostr:npub metadata or a separate sigchain op; defer the design

9. Open design questions

These need resolving before serious implementation:

  1. Bundle or separate sigchain server?

    • kez-chat-server includes its own sigchain mirror (one less moving piece for operators)
    • …or it depends on a separate kez-sig-server (proper layering)
    • Lean: bundle for MVP, factor out later if multiple chat servers want to share.

  2. Iroh pinning by default or opt-in?

    • Default-on: better UX, more storage cost for the server operator
    • Opt-in: simpler operator story, worse first-use UX for users whose phones are off
    • Lean: opt-in for v0; let users push the pin button per-file. Default-on later.

  3. NATS broker: bundled or BYO?

    • kez-chat-server can spawn/manage nats-server as a child process
    • …or it can assume operator runs NATS separately and just point at it
    • Lean: BYO with documented config. We don't reinvent process management.

  4. Manifest format

    • Single JSON blob, signed, hash committed via sigchain set_shared_files op
    • …or Iroh Doc (CRDT-synced)
    • Lean: single signed blob for v0; simpler, no Iroh Docs dep.

  5. Handle uniqueness scope

    • Per home server (tudisco@kez.lat vs tudisco@example.com can be different people)
    • Globally enforced somehow (not really possible without a central registry)
    • Lean: per home server. Federation handles global resolution.

  6. What about KEZ's existing nostr: channel for messaging?

    • It already works for chat-like messages via NIP-44 DMs
    • NATS is a separate stack — not interoperable
    • Lean: NATS is the chat substrate for this app. Users who want to send a nostr DM can use a separate nostr client. The KEZ identity is the same; the transport is the user's choice per conversation. Document this in the UI.

  7. Recovery story when you lose your key

    • Spec has rotate op — old key signs that new key is now primary
    • But if you lost the old key, you can't sign the rotation
    • Possible solutions:
      • User must keep paper-backup of their key (Bitcoin model)
      • User can pre-sign rotation events to multiple device keys (multi-device redundancy)
      • Home server holds an offline emergency-recovery key (centralized fallback; opt-in)
    • Defer detailed design to a later doc.

10. Risks & honest concerns

  1. NATS auth callout integration depth. The callout pattern is documented but the chat-server needs to handle it correctly for security. nkey signature verification is straightforward but the integration glue (subject permissions per user, JetStream stream creation) needs care.

  2. Iroh is pre-1.0. API may shift. Pin a version, plan for a future upgrade pass. The good news: identity stays stable (it's KEZ); only the transport library needs to be migrated.

  3. Multi-device. The MVP assumes one device per user, one key. Real users have phones + laptops. Multi-device key management is a deep topic — addressed in a follow-up doc.

  4. Spam in handle registration. First-come-first-served is easy to game. Mitigations:

    • Proof-of-work on registration?
    • Email-based gating (introduces centralization)?
    • Rate-limit by IP, accept the leakage
    • Defer to v0; revisit if it becomes a problem.

  5. NAT traversal for Iroh. Iroh handles it via relays, but corporate networks are sometimes hostile. Have a "use server's pinning as relay" fallback documented.

  6. Operational cost. Running NATS + Iroh + a Rust server isn't free.

    • NATS scales horizontally, low resource use
    • Iroh nodes can chew through disk if pinning is enabled liberally
    • Need a clear "I'm running kez.lat for 1000 users — what does it cost?" answer before community adoption.

11. The plan, sequenced

When we start building:

  1. Refactor: move kez-core + kez-channels to rust-lib/. Tiny but unblocks everything else from having clean imports.

  2. Build kez-chat-server scaffold (axum + sqlite + tracing). Handle registry + WebFinger first — these are the simplest endpoints and unblock client-side account creation.

  3. Add NATS auth callout. Spawn nats-server separately, configure it to call our /internal/nats/auth endpoint. End-to-end: client can register a handle and connect to NATS with their nkey.

  4. Build a minimal kez-chat CLI client that does:

    • kez-chat register tudisco
    • kez-chat add @chris
    • kez-chat send @chris "hello"
    • kez-chat listen No UI yet. Enough to prove the chat flow works end-to-end.

  5. Add Iroh integration to both server and CLI client.

    • Server: embedded iroh node for pinning
    • Client: local iroh node, blob send/receive
    • CLI: kez-chat share @chris ./file.pdf, kez-chat browse @tudisco

  6. Shared-files manifest (sigchain set_shared_files op, manifest blob format).

  7. Deployment recipe: docker-compose, systemd unit, deployment doc.

  8. Then start the GUI app. Could be Tauri (Rust + web frontend), Iced (pure Rust UI), or whatever the user wants.

12. One-paragraph summary

kez-chat is a Keybase-class chat and file-sharing app built on the KEZ identity stack. Users get @username@kez.lat handles backed by an ed25519 primary key. The same key authenticates to a NATS broker (chat, presence, file tickets — broker is dumb, clients do E2E with ChaCha20-Poly1305 over ECDH-derived keys) and identifies an Iroh node (P2P bulk transfer, content-addressed blobs, on-demand fetch). A single Rust binary (kez-chat-server) coordinates the handle registry, NATS auth, optional sigchain mirror, and optional Iroh pinning. The chat-app itself is a separate project that consumes the server's HTTP API plus talks directly to NATS and Iroh.