{"id":49279611,"url":"https://github.com/gerrxt07/haven","last_synced_at":"2026-04-25T18:04:07.479Z","repository":{"id":348127244,"uuid":"1196568591","full_name":"Gerrxt07/Haven","owner":"Gerrxt07","description":"🎙️A modern, high-performance Voice, Video, and Chat application.","archived":false,"fork":false,"pushed_at":"2026-04-22T17:09:14.000Z","size":2419,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-04-22T19:13:07.170Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Gerrxt07.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-30T20:31:27.000Z","updated_at":"2026-04-22T17:09:19.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Gerrxt07/Haven","commit_stats":null,"previous_names":["gerrxt07/haven"],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/Gerrxt07/Haven","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Gerrxt07%2FHaven","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Gerrxt07%2FHaven/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Gerrxt07%2FHaven/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Gerrxt07%2FHaven/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Gerrxt07","download_url":"https://codeload.github.com/Gerrxt07/Haven/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Gerrxt07%2FHaven/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32271245,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-25T09:15:33.318Z","status":"ssl_error","status_checked_at":"2026-04-25T09:15:31.997Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-25T18:03:47.053Z","updated_at":"2026-04-25T18:04:07.473Z","avatar_url":"https://github.com/Gerrxt07.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003ch1\u003eHaven\u003c/h1\u003e\n  \u003cp\u003e\u003cb\u003eA security-first desktop chat platform with a hardened Electron client and Rust backend.\u003c/b\u003e\u003c/p\u003e\n\n  \u003cp\u003e\n    \u003ca href=\"https://bun.sh\"\u003e\u003cimg src=\"https://img.shields.io/badge/Bun-black?logo=bun\u0026style=flat-square\" alt=\"Bun\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://www.electronjs.org/\"\u003e\u003cimg src=\"https://img.shields.io/badge/Electron-191970?logo=electron\u0026logoColor=white\u0026style=flat-square\" alt=\"Electron\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://www.solidjs.com/\"\u003e\u003cimg src=\"https://img.shields.io/badge/SolidJS-2c4f7c?logo=solid\u0026logoColor=white\u0026style=flat-square\" alt=\"SolidJS\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://www.typescriptlang.org/\"\u003e\u003cimg src=\"https://img.shields.io/badge/TypeScript-3178C6?logo=typescript\u0026logoColor=white\u0026style=flat-square\" alt=\"TypeScript\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://www.codefactor.io/repository/github/gerrxt07/haven\"\u003e\u003cimg src=\"https://www.codefactor.io/repository/github/gerrxt07/haven/badge\" alt=\"CodeFactor\" /\u003e\u003c/a\u003e\n    \u003ca href=\"./LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-Haven--SAL%20v1.0-blue?style=flat-square\" alt=\"License\"\u003e\u003c/a\u003e\n  \u003c/p\u003e\n\u003c/div\u003e\n\n---\n\n## Overview\n\n**Haven** is the desktop client for the Haven communication stack. It is built around a defense-in-depth model: the Electron shell is locked down aggressively, the renderer talks to the OS only through a minimal preload bridge, and the backend uses modern authentication, encrypted data handling, and strict realtime controls.\n\n\u003e **Status: Pre-release**\n\u003e APIs, UI flows, and deployment details are still evolving. Expect breaking changes while the platform matures.\n\n## Security Architecture\n\nHaven is designed as a full platform, not just a UI shell. The client and backend both carry security responsibilities.\n\n### Desktop client protections\n\n- **Strict process isolation:** `contextIsolation: true`, `sandbox: true`, and `nodeIntegration: false`.\n- **Minimal preload bridge:** Renderer access to native capabilities is exposed only through explicit `contextBridge` APIs.\n- **Sender-validated IPC:** Sensitive IPC routes for tokens, secure storage, external links, and window controls validate the calling sender.\n- **Encrypted local secrets:** Access and refresh tokens are protected with Electron `safeStorage` and the app's secure-store layer.\n- **Zero-trust navigation:** The main process restricts navigation, window creation, permission requests, and external URL handling to trusted paths.\n- **Hardened runtime flags:** Dangerous debug and sandbox-bypass flags such as `--inspect`, `--remote-debugging-port`, and `--no-sandbox` are actively blocked.\n- **Build integrity pipeline:** Integrity manifests are generated for packaged runtime assets during the build flow.\n- **Secure updater posture:** The updater window uses the same hardened browser settings as the main window.\n\n### Backend protections exposed through the client\n\n- **SRP login handshake:** Passwords are not sent in plaintext during the primary login flow; the client performs SRP challenge-response authentication.\n- **PASETO session tokens:** Auth uses access and refresh tokens built on `PASETO v4 local`.\n- **Optional 2FA:** The backend supports TOTP and backup-code verification flows.\n- **Encrypted PII handling:** Sensitive backend data uses authenticated encryption and blind indexes for lookup-sensitive fields such as email.\n- **Per-route and per-identity throttling:** Login and verification flows are rate-limited both globally and per account identity.\n- **Strict request validation:** The backend enforces cursor validation, payload validation, request body limits, and account-status checks.\n- **Secure WebSocket auth:** The client now authenticates the socket with an explicit first `authenticate` message instead of putting bearer tokens in query parameters.\n- **Server-enforced realtime identity:** Clients no longer send `user_id` in websocket commands; the backend derives identity from the verified token.\n- **Realtime abuse protection:** Per-connection websocket message throttling and E2EE payload size caps reduce message flooding and oversized ciphertext attacks.\n- **Redis-backed fanout:** Realtime events are distributed through Redis Pub/Sub to support multi-node fanout without trusting local-only event delivery.\n- **Privacy cleanup:** Soft-deleted backend accounts are later anonymized automatically to support privacy retention goals without breaking chat history structure.\n\n\u003e If you are reviewing Haven from a security angle, also see [SECURITY.md](./SECURITY.md) and [HACK_THE_APP.md](./HACK_THE_APP.md).\n\n## Product Capabilities\n\n- Account registration and authenticated sessions\n- SRP login with refresh-token rotation\n- Email verification and optional two-factor authentication\n- Friends, direct messages, channels, and servers\n- End-to-end encryption key-bundle workflows\n- Presence and realtime websocket updates\n- Local avatar caching and secure token persistence\n- Electron packaging, update, and integrity tooling\n\n## Technology Stack\n\n- **Runtime and package manager:** [Bun](https://bun.sh)\n- **Desktop shell:** [Electron](https://www.electronjs.org/)\n- **Frontend UI:** [SolidJS](https://www.solidjs.com/)\n- **Language:** TypeScript\n- **Build tooling:** Vite, electron-builder\n- **Quality tooling:** Biome, Husky, Knip\n\n## Getting Started\n\n### Prerequisites\n\n- [Bun](https://bun.sh)\n- Node.js\n- A reachable Haven backend instance\n\n### Install\n\n```bash\ngit clone https://github.com/Gerrxt07/Haven.git\ncd Haven\nbun install\n```\n\n### Run in development\n\n```bash\nbun run dev\n```\n\n### Quality gate\n\n```bash\nbun run check\n```\n\n## Scripts\n\n### Quality\n\n| Command | Description |\n| :--- | :--- |\n| `bun run format` | Apply Biome formatting and safe auto-fixes. |\n| `bun run lint` | Run Biome checks across the repo. |\n| `bun run typecheck` | Run `tsc --noEmit`. |\n| `bun run test` | Run the Bun test suite. |\n| `bun run knip` | Detect unused files and dependencies. |\n| `bun run check` | Run formatting, tests, typecheck, and repo prep tasks. |\n\n### Build and package\n\n| Command | Description |\n| :--- | :--- |\n| `bun run build` | Build the renderer and Electron bundles after checks. |\n| `bun run build:integrity` | Generate integrity metadata for packaged assets. |\n| `bun run package:win` | Build and package for Windows. |\n| `bun run package:mac` | Build and package for macOS. |\n| `bun run package:linux` | Build and package for Linux. |\n\n## Project Structure\n\n```text\nHaven/\n|-- electron/              Electron main process, preload bridge, updater, secure logging\n|-- src/                   SolidJS renderer application\n|   |-- lib/               API clients, auth, realtime, E2EE, cache, stores\n|   |-- views/             Main application views\n|   `-- components/        Shared UI components\n|-- public/                Static application assets\n|-- scripts/               Build and hardening scripts\n|-- dist/                  Built renderer output\n|-- dist-electron/         Built Electron output\n`-- release/               Packaged release artifacts\n```\n\n## Related Repositories\n\n- Client: this repository\n- Backend: [Haven_Backend](../Haven_Backend)\n\n## Contributing\n\n1. Create a feature branch.\n2. Keep Electron main-process, preload, and renderer responsibilities separated.\n3. Run `bun run check` before opening a PR.\n4. If your change affects IPC, auth, storage, or transport behavior, include the security impact in the PR description.\n\n## License\n\nHaven is distributed under the **Haven Source Available License (Haven-SAL) v1.0**. See [LICENSE](./LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgerrxt07%2Fhaven","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgerrxt07%2Fhaven","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgerrxt07%2Fhaven/lists"}