<feed xmlns='http://www.w3.org/2005/Atom'>
<title>nymdrop/cmd, branch main</title>
<subtitle>Nym-native anonymous submission system (SecureDrop-style), using the Nym mixnet as transport instead of Tor.
</subtitle>
<id>https://git.virebent.art/virebent/nymdrop/atom?h=main</id>
<link rel='self' href='https://git.virebent.art/virebent/nymdrop/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/nymdrop/'/>
<updated>2026-07-12T17:48:39+00:00</updated>
<entry>
<title>Add Fyne GUI and portable --data-dir mode to nymdrop-reader</title>
<updated>2026-07-12T17:48:39+00:00</updated>
<author>
<name>Gab Virebent</name>
<email>gabriel1@virebent.art</email>
</author>
<published>2026-07-12T17:48:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/nymdrop/commit/?id=41d3abd30cb30be8a8e95c8396da5bb84ab72881'/>
<id>urn:sha1:41d3abd30cb30be8a8e95c8396da5bb84ab72881</id>
<content type='text'>
Extract reader logic (key management, embedded nym-client lifecycle,
receive loop, decrypt, save) into internal/reader as a Hooks-driven
package, shared by both the existing headless CLI and a new --gui mode
built with Fyne. Add --data-dir to make a reader instance fully
self-contained: privkey, inbox, and the embedded nym-client's own state
(normally fixed to $HOME/.nym) all live under the given directory via a
HOME override on the subprocess, enabling zero-trace USB operation.

CLI default behavior is unchanged (same paths, same protocol) so the
pietro deployment is unaffected.
</content>
</entry>
<entry>
<title>Switch Nym WS transport to nym-client's binary protocol, drop second base64 layer</title>
<updated>2026-07-11T11:37:23+00:00</updated>
<author>
<name>Gab Virebent</name>
<email>gabriel1@virebent.art</email>
</author>
<published>2026-07-11T11:37:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/nymdrop/commit/?id=bec3734676faf3868ea225e0316e77ad5a7e4421'/>
<id>urn:sha1:bec3734676faf3868ea225e0316e77ad5a7e4421</id>
<content type='text'>
Client.Send now speaks nym-client's native binary websocket protocol
(tag || recipient || conn_id || data_len || data) instead of wrapping
the ciphertext in a JSON text message, which required base64-encoding
it a second time on top of the browser's own base64 layer.

The reader's self-address query also switched to the binary protocol:
nym-client picks text-vs-binary for every later "received" push based
on the format of the last request seen on a connection, so leaving the
reader in JSON/text mode would have made nym-client run a lossy UTF-8
conversion over the now-unencoded binary payload, corrupting it. Fixed
the binary Received-frame parsing along the way (previous code assumed
a fixed 16-byte tag with no length prefix, which never matched the real
protocol and was never exercised while the connection stayed text-mode).

Verified end-to-end against the real embedded nym-client 1.1.76 binary,
with the exact wire format cross-checked against upstream nym source at
the pinned build commit.
</content>
</entry>
<entry>
<title>Guard key material in RAM with memguard, add Markdown preview for message field</title>
<updated>2026-07-06T14:34:47+00:00</updated>
<author>
<name>Gab Virebent</name>
<email>gabriel1@virebent.art</email>
</author>
<published>2026-07-06T14:34:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/nymdrop/commit/?id=16854e8b24a3b00d9d5dbd285bbe3b93ee47ce1c'/>
<id>urn:sha1:16854e8b24a3b00d9d5dbd285bbe3b93ee47ce1c</id>
<content type='text'>
Reader now keeps the private key bytes and the per-submission ECDH/HKDF
secrets in memguard.LockedBuffer (mlock + guaranteed wipe) instead of a
manual zero loop. Added a regression test for the decrypt path.

Message field gets a self-hosted Markdown toggle preview (no external
library): headers, bold/italic, inline code, code blocks, blockquotes,
lists, links. Output is HTML-escaped and link schemes are whitelisted
before rendering. Submitted content is still the raw Markdown source,
unchanged on the wire.
</content>
</entry>
<entry>
<title>Add client-side proof of work and fix X25519 WebCrypto API usage</title>
<updated>2026-07-01T15:41:47+00:00</updated>
<author>
<name>Gab Virebent</name>
<email>gabriel1@virebent.art</email>
</author>
<published>2026-07-01T15:41:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/nymdrop/commit/?id=78d57b1090a5a23abce2a732f091a4ef007d60cc'/>
<id>urn:sha1:78d57b1090a5a23abce2a732f091a4ef007d60cc</id>
<content type='text'>
Self-contained hashcash-style PoW on /submit: client finds a nonce so
SHA-256("&lt;unix-ts&gt;:&lt;nonce&gt;") has enough leading zero bits, sent as an
X-Nymdrop-Pow header; server verifies and rejects expired or replayed
stamps, no challenge round-trip required. Difficulty tunable via
--pow-difficulty without a rebuild.

Also fixes a latent bug in the browser crypto: X25519 was being
requested as ECDH with namedCurve "X25519", which is not a valid
WebCrypto combination and always throws. Modern WebCrypto exposes
X25519 as its own algorithm identifier.
</content>
</entry>
<entry>
<title>Initial public release: Nym-native anonymous submission system</title>
<updated>2026-06-20T01:07:45+00:00</updated>
<author>
<name>Gab Virebent</name>
<email>gabriel1@virebent.art</email>
</author>
<published>2026-06-20T01:07:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/nymdrop/commit/?id=aa459e3b84cc4c5d908f3781c9253848c18640c3'/>
<id>urn:sha1:aa459e3b84cc4c5d908f3781c9253848c18640c3</id>
<content type='text'>
End-to-end verified pipeline (browser -&gt; HTTP relay -&gt; Nym mixnet -&gt; reader).
Client-side X25519+HKDF+AES-GCM-256, no-log blind relay, AGPL-3.0.
</content>
</entry>
</feed>
