From 39929eb7fe7fd09bdf7c4601a511de8f119d2326 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20Guti=C3=A9rrez?= <35082514+alezmad@users.noreply.github.com> Date: Sat, 2 May 2026 20:28:37 +0100 Subject: [PATCH] docs(roadmap): expand v0.3.0 per-topic encryption into three phases Phase 1 (notification table) and phase 2 (schema + creator seal) shipped today. Phase 3 (member-driven re-seal + client-side encrypt/decrypt) is the cut that actually flips the broker to ciphertext-only. Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/roadmap.md | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/docs/roadmap.md b/docs/roadmap.md index 0e77d3d..99d2279 100644 --- a/docs/roadmap.md +++ b/docs/roadmap.md 
@@ -201,9 +201,21 @@ Spec: `.artifacts/specs/2026-05-02-roadmap.md`. For teams that want to run their own broker, encrypt at the topic level, or wire claudemesh to messaging surfaces beyond Claude Code. -- **Per-topic HKDF encryption** — symmetric keys derived from - `mesh.root_key + topic.id`. Kills the "broker can read your - messages" wart. Today's `ciphertext` field is base64 plaintext. +- **Per-topic encryption — phase 1: notification table** — write- + time `@-mention` fan-out via `mesh.notification`, replacing the + regex-on-decoded-ciphertext scan. Survives the cutover to real + ciphertext. *Shipped 2026-05-02 (migration 0025).* +- **Per-topic encryption — phase 2: schema + creator seal** — + topics generate a 32-byte symmetric key on creation; broker + seals via `crypto_box` for the creator. New columns: + `topic.encrypted_key_pubkey`, `topic_message.body_version`, and a + `topic_member_key` table for sealed per-member copies. New API: + `GET /v1/topics/:name/key`. *Shipped 2026-05-02 (migration 0026).* + Spec at `.artifacts/specs/2026-05-02-topic-key-onboarding.md`. +- **Per-topic encryption — phase 3: member-driven re-seal** — + pending-seals endpoint, seal POST, client-side decrypt-on-render, + encrypt-on-send. After phase 3 lands the broker holds ciphertext + only. - **Self-hosted broker packaging** — one-command Docker compose, Postgres included. The new migration runner (v1.6.x) makes this practical.
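Review bot: The phase 3 bullet's claim that "After phase 3 lands the broker holds ciphertext only" does not follow from the phase 2 design as written: phase 2 has the broker generate the 32-byte symmetric key on topic creation and seal it via `crypto_box` for the creator, so the broker has held the plaintext key for every topic created under phase 2. Either the phase 3 bullet should say that those keys are rotated (or that key generation moves client-side) as part of the cutover, or the "ciphertext only" wording should be narrowed to topics keyed after phase 3. Separately, the deleted line "Today's `ciphertext` field is base64 plaintext." was the only place the roadmap told self-hosters what the broker can read right now; with phases 1 and 2 shipped and phase 3 still pending, that is still true, so consider keeping a sentence to that effect in the phase 3 bullet, e.g. "Until then the `ciphertext` field remains base64 plaintext." It would also help to note in one clause why the design moved from HKDF keys derived from `mesh.root_key + topic.id` to random per-topic keys with sealed per-member copies, since readers of the previous roadmap will otherwise wonder whether the derivation scheme still exists.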