Implemented in the current alpha
- Username-native identity with no phone-number registration.
- Argon2id password hashing, CSRF protection, secure production cookies, CSP, and strict referrer policy.
- Invite-only signup, contact requests, blocks, DM permissions, moderation events, and audit foundations.
- Browser-side local-alpha message sealing, server-side ciphertext envelope persistence, worker-verified OpenMLS readiness, transitional OpenMLS delivery for direct rifts and selected server text channels, multi-credential Welcome delivery, public commit replay, worker-level OpenMLS remove commits, and settings-driven credential retirement that attempts browser-generated remove commits before metadata-only retirement.
- Contact-gated 1:1 WebRTC signaling, TURN credential minting, and diagnostics without media recording.