{"id":47639505,"url":"https://github.com/het4rk/arkora","last_synced_at":"2026-04-02T00:41:52.176Z","repository":{"id":341000206,"uuid":"1164805671","full_name":"het4rk/arkora","owner":"het4rk","description":"Humanity's Message Board. Verified by WorldID on WorldChain. Built on Bittensor.","archived":false,"fork":false,"pushed_at":"2026-03-31T19:38:57.000Z","size":1927,"stargazers_count":1,"open_issues_count":15,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-31T21:33:43.099Z","etag":null,"topics":["anonymous","bittensor","blockchain","decentralized","hippius","message-board","nextjs","open-source","privacy","proof-of-human","sybil-resistant","typescript","vercel","web3","world-app","world-chain","world-id","world-mini-app","worldcoin","zero-knowledge"],"latest_commit_sha":null,"homepage":"https://arkora.app","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/het4rk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-23T14:02:45.000Z","updated_at":"2026-03-31T19:39:01.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/het4rk/arkora","commit_stats":null,"previous_names":["het4rk/arkora"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/het4rk/arkora","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/het4rk%2Farkora","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/het4rk%2Farkora/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/het4rk%2Farkora/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/het4rk%2Farkora/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/het4rk","download_url":"https://codeload.github.com/het4rk/arkora/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/het4rk%2Farkora/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31293493,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T21:15:39.731Z","status":"ssl_error","status_checked_at":"2026-04-01T21:15:34.046Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anonymous","bittensor","blockchain","decentralized","hippius","message-board","nextjs","open-source","privacy","proof-of-human","sybil-resistant","typescript","vercel","web3","world-app","world-chain","world-id","world-mini-app","worldcoin","zero-knowledge"],"created_at":"2026-04-02T00:41:50.625Z","updated_at":"2026-04-02T00:41:52.169Z","avatar_url":"https://github.com/het4rk.png","language":"TypeScript","readme":"# Arkora\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](./LICENSE)\n[![CI](https://github.com/het4rk/arkora/actions/workflows/ci.yml/badge.svg)](https://github.com/het4rk/arkora/actions/workflows/ci.yml)\n[![Version](https://img.shields.io/github/v/release/het4rk/arkora?label=version)](https://github.com/het4rk/arkora/releases)\n\n**A provably human anonymous message board. Every voice is verified.**\n\n\u003e Post, vote, and converse anonymously - but every account is backed by a unique World ID proof of humanity. No bots, no fake accounts, no duplicate identities. World ID Orb proofs are validated onchain via the WorldIDRouter contract on World Chain - not on centralized servers.\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://arkora.app\"\u003e\u003cstrong\u003earkora.app\u003c/strong\u003e\u003c/a\u003e - Try it live in World App\n  \u003cbr /\u003e\n  \u003ca href=\"https://x.com/humansposting\"\u003eTwitter\u003c/a\u003e - \u003ca href=\"https://github.com/het4rk/arkora/releases\"\u003eChangelog\u003c/a\u003e - \u003ca href=\"#developer-api\"\u003eAPI Docs\u003c/a\u003e - \u003ca href=\"#cli\"\u003eCLI\u003c/a\u003e\n\u003c/p\u003e\n\n\n---\n\n## Features\n\n### Feed and Posts\n\n- Infinite-scroll feed with board filtering\n- Three feed modes: Curated (hot-ranked), Following, Local (GPS radius)\n- 40+ topic boards with fuzzy search and dynamic creation\n- Post quotes, reposts, and threaded replies\n- Post impressions (view count, deduplicated per verified human)\n- Multi-entity search across boards, people, and posts with prefix-first matching\n- Bookmarks and native share sheet\n\n### Polls\n\n- Sybil-resistant polls - one verified human, one vote, cryptographically enforced\n- Timed (24h / 3d / 7d) or perpetual duration\n- Live vote percentages with inline results\n\n### Identity and Privacy\n\n- Three identity modes: Anonymous (fresh tag each post), Alias (persistent derived handle), Named (World ID username)\n- Per-action identity: choose anon/alias/named on each post or reply independently\n- Social gating: follow, DM, tip, and subscribe require named mode\n- Confessions board - force-anonymous, completely unlinkable\n- Human Karma and reputation tiers displayed on profiles and feed cards\n\n### Real-time\n\n- Live ephemeral Rooms with Clubhouse-style participant grid and speaking indicators\n- End-to-end encrypted DMs (ECDH Curve25519 + AES-256-GCM)\n- In-app and native push notifications (replies, mentions, follows, DMs, tips, quotes)\n- @ mention autocomplete in composers\n\n### Monetization\n\n- WLD tips with push notification to recipient\n- Creator subscriptions\n- Skin shop (accent color customization, 1 WLD each, with live preview before purchase)\n- Font shop (7 Google Fonts, 1 WLD each, with live preview before purchase)\n\n### Moderation\n\n- Block, report, and auto-hide at 5 reports\n- Community Notes fact-checking system\n- Comprehensive CSP headers, constant-time nonce comparison, private Pusher channels\n- Input sanitization on all user-generated content\n- GDPR-compliant account deletion\n\n### Customization\n\n- Light and dark theme\n- Responsive layout - adapts from mobile (full width) to desktop (centered column with side borders)\n- 10 languages: English, Spanish, Portuguese, French, German, Japanese, Korean, Thai, Indonesian, Turkish (auto-detected, manually overridable)\n- Server-synced preferences (theme, notifications, location persist across devices)\n- Profile picture upload\n\n### Public API\n\n- REST API for verified-human posts, polls, boards, and stats\n- v1: API key authentication with CORS support (read + write)\n- v2: AgentKit proof-of-human auth for AI agents + API key fallback\n- Premium analytics: sentiment, trends, geographic demographics (AgentKit-only)\n- x402 micropayments for premium data (USDC on World Chain)\n- MCP server for native AI agent tooling (Claude, GPT, etc.)\n\n### CLI\n\nTwo implementations available:\n\n- **Rust CLI** (`cli-rust/`) - 4.5MB native binary, no runtime dependencies. Recommended for end users.\n- **Node CLI** (`cli/`) - TypeScript/commander-based, useful for development and prototyping.\n\nAuthenticate with World ID directly in your terminal (ASCII banner on launch).\n\n| Command | Description |\n| --- | --- |\n| `arkora login` | World ID QR code in terminal - scan with World App, logged in instantly |\n| `arkora me` | View your profile (syncs accent color to terminal) |\n| `arkora feed` | Browse posts with colored output |\n| `arkora view \u003cid\u003e` | View a post with replies and poll results |\n| `arkora post \"Title\"` | Create a post (`--body`, `--board` flags) |\n| `arkora reply \u003cid\u003e` | Reply to a post (`--body` flag) |\n| `arkora vote \u003cid\u003e` | Vote on a post (`--up`, `--down`, `--undo`) |\n| `arkora search \"query\"` | Search posts, boards, and people (`--type` flag) |\n| `arkora notifications` | View notifications (`--read` to mark all read) |\n| `arkora boards` | List all boards with post counts |\n| `arkora stats` | Platform stats |\n\nYour accent color from the Arkora skin shop carries over to the CLI - all headings and highlights use your color.\n\n---\n\n## Changelog\n\nSee [Releases](https://github.com/het4rk/arkora/releases) for the full version history and changelog.\n\n---\n\n## Tech Stack\n\n| Layer | Technology |\n| --- | --- |\n| Framework | Next.js 15 (App Router, Turbopack) |\n| Language | TypeScript 5.6 (strict mode) |\n| Database | Neon Postgres via `@neondatabase/serverless` HTTP driver + Drizzle ORM |\n| Auth | SIWE (Sign-In with Ethereum) + World MiniKit + IDKit v4 |\n| Real-time | Pusher Channels (private, server-authorized) |\n| File storage | Hippius S3 - decentralized storage on Bittensor subnet 14 |\n| State | Zustand (with localStorage persistence) |\n| Animations | Framer Motion |\n| Blockchain | World Chain (chain 480) - proof verified onchain via WorldIDRouter |\n| Identity | World ID 4.0 (MiniKit + IDKit, Orb verified) |\n| Monitoring | Sentry (error tracking + session replay) + Vercel Analytics |\n\n---\n\n## Quick Start\n\n### Prerequisites\n\n- Node.js 22 (see `.nvmrc`)\n- pnpm (`npm i -g pnpm`)\n- [Worldcoin Developer Portal](https://developer.worldcoin.org) app\n- [Neon](https://neon.tech) Postgres database\n- [Pusher](https://pusher.com) Channels app\n- [Hippius](https://hippius.com) S3 bucket (or any S3-compatible storage)\n\n### Setup\n\n```bash\npnpm install\ncp .env.example .env.local   # fill in your credentials\npnpm db:push                 # push schema to database\npnpm dev                     # start dev server at http://localhost:3000\n```\n\n### CLI Install\n\n**From source (requires Rust):**\n\n```bash\ncd cli-rust\ncargo build --release\ncp target/release/arkora /usr/local/bin/   # or ~/bin/\n```\n\n**Usage:**\n\n```bash\narkora login                              # scan World ID QR with phone\narkora feed                               # browse posts\narkora post \"Hello from CLI\" --board arkora\narkora view \u003cpost-id\u003e                     # view post + replies\narkora vote \u003cpost-id\u003e --up                # upvote\n```\n\nSee `.env.example` for all required environment variables.\n\n\u003e **World App testing:** To test the full World ID flow you need World App on your phone. Use ngrok or a Vercel preview deployment to expose a public URL, then update your Developer Portal redirect URL to match.\n\n---\n\n## Architecture\n\n### Auth Flow\n\n```text\nWorld App opens miniapp\n  -\u003e WalletConnect auto-triggers walletAuth (MiniKit.commands.walletAuth)\n  -\u003e User signs SIWE message in World App\n  -\u003e POST /api/auth/wallet -\u003e verifies signature, issues httpOnly cookies:\n      arkora-nh      (nullifierHash - unique World ID identifier)\n      wallet-address (EVM address)\n  -\u003e Zustand store hydrates: isVerified=true, nullifierHash, user\n```\n\nWorld ID Orb verification is a separate step. The proof is validated onchain via the WorldIDRouter contract on World Chain (chain 480) - no centralized API. The verification block number is stored and displayed in-app with a link to worldscan.org.\n\n### Identity Modes\n\n| Mode | Description |\n| --- | --- |\n| **Anonymous** | Fresh `Human #XXXX` tag each post (default, most anonymous, unlinkable) |\n| **Alias** | SHA256-derived persistent handle, linkable across posts but not to real identity |\n| **Named** | World ID username shown publicly, required for social features (follow, DM, tip) |\n\n### Feed Modes\n\n| Mode | Description |\n| --- | --- |\n| **Curated** | Global feed, hot-ranked posts (Wilson-score time-decay, server-cached) |\n| **Following** | Posts from followed users (requires auth) |\n| **Local** | Posts near the viewer's GPS coordinates, filtered by radius |\n\n### DMs\n\nEnd-to-end encrypted. Key exchange uses ECDH (Curve25519); messages encrypted with AES-256-GCM. Public keys stored server-side. Private keys live only in the client (Zustand / localStorage) - the server never sees them. Block checks enforced server-side. All DM Pusher channels are private (server-authorized).\n\n### Security\n\nArkora has undergone comprehensive security auditing across all layers. Key properties:\n\n- **No SQL injection** - all queries use Drizzle ORM parameterized builders, no raw SQL string interpolation\n- **Auth isolation** - identity comes exclusively from the `arkora-nh` httpOnly cookie via `getCallerNullifier()`, request body is never trusted for identity\n- **CSRF mitigated** - `SameSite=Strict` on all auth cookies\n- **World ID replay protection** - enforced by the WorldIDRouter contract on World Chain, the EVM reverts on duplicate nullifier submissions\n- **Input sanitization** - all user text passes through `sanitizeLine()` / `sanitizeText()` (NFKC normalization + HTML stripping) before DB writes\n- **Private Pusher channels** - all per-user channels require server-side authorization\n- **CSP hardened** - `unsafe-eval` removed from `script-src`, HSTS 2-year preload, COOP headers set\n- **Constant-time nonce comparison** - SIWE nonce validation uses `crypto.timingSafeEqual()`\n- **Rate limiting** - async per-endpoint, per-user sliding window on all 64+ routes (Upstash Redis in production, in-memory fallback for dev)\n- **Atomic votes** - single CTE statements to prevent race conditions\n- **Session recovery** - `authFetch()` wrapper on all client API calls detects expired sessions and forces re-authentication\n\nFor vulnerability reporting, see [SECURITY.md](./SECURITY.md).\n\n### Decentralization\n\nArkora is being progressively decentralized across every layer:\n\n| Layer | Status | Approach |\n| --- | --- | --- |\n| **Identity** | Live | World ID Orb proofs validated onchain via WorldIDRouter on World Chain |\n| **File storage** | Live (beta) | User-uploaded media stored on [Hippius](https://hippius.com) (Bittensor subnet 14, S3-compatible API). Production transition will move to Hippius mainnet with replication guarantees. |\n| **Compute** | Planned | Migrate backend to [Chutes](https://chutes.ai) (Bittensor subnet 64) with TEE-attested execution |\n| **Database** | Planned | Evaluate decentralized or verifiable data storage options |\n\nThe goal: a social platform where proof of humanity, content storage, and application logic are all decentralized - no single operator can censor, surveil, or shut down the network.\n\n#### Compute Migration - Chutes (Subnet 64)\n\nWhen Arkora transitions out of beta, backend compute will move from centralized Vercel serverless functions to [Chutes](https://chutes.ai) on Bittensor subnet 64. Chutes provides decentralized GPU/CPU compute with Trusted Execution Environment (TEE) attestation, meaning application logic runs inside hardware-isolated enclaves (Intel TDX / AMD SEV-SNP) where neither the node operator nor the host OS can inspect or tamper with the running process.\n\n**Integration plan:**\n\n- **TEE attestation** - Each Chutes compute node generates a cryptographic attestation report signed by the CPU's hardware root of trust. Arkora will verify these attestation chains before routing requests, ensuring every API call is processed inside a genuine TEE enclave. This guarantees that even the compute provider cannot read user data, session tokens, or encryption keys in memory.\n- **Containerized deployment** - Arkora's Next.js server and API routes will be packaged as OCI containers deployed to Chutes nodes. The container image hash is included in the TEE attestation, so clients can verify they're talking to the exact published build - no hidden modifications.\n- **Decentralized routing** - Requests will be load-balanced across multiple Chutes miners on subnet 64 via the Bittensor incentive mechanism. Miners are scored on latency, uptime, and attestation validity. Poor performers lose stake; reliable nodes earn TAO emissions.\n- **Key management** - Database credentials and signing keys will be provisioned inside the TEE via sealed storage (keys encrypted to the enclave's identity). Keys are never exposed to the host filesystem or operator. Rotation happens through re-sealing to new enclave measurements.\n- **Verifiable compute chain** - Combined with World ID onchain verification (World Chain) and Hippius decentralized storage (subnet 14), this creates an end-to-end verifiable stack: identity proven onchain, data stored on decentralized storage, and compute executed in attested TEEs - no single trusted party in the critical path.\n\n---\n\n## Developer API\n\nArkora exposes a public REST API for accessing verified-human posts, polls, and stats. All data originates from World ID-verified accounts.\n\n**Base URL:** `https://arkora.app/api/v1`\n\n**Authentication:** Include your API key in every request:\n\n```http\nX-API-Key: ark_\u003cyour-key\u003e\n```\n\n### Endpoints\n\n| Method | Path | Description |\n| --- | --- | --- |\n| GET | `/v1/posts` | List posts. Params: `boardId`, `type`, `limit` (1-50), `cursor` |\n| GET | `/v1/polls` | List polls with live vote counts. Params: `boardId`, `active=true`, `limit`, `cursor` |\n| GET | `/v1/boards` | All boards with post counts |\n| GET | `/v1/stats` | `totalPosts`, `totalPolls`, `totalVerifiedHumans`, `totalPollVotes` |\n\nAll responses follow the format: `{ success: true, data: [...], nextCursor: \"...\" | null }`\n\n**Getting an API key:** Open Arkora in World App, go to Settings, scroll to \"Developer API\", and tap \"New API key\". You must be a World ID-verified user. Keys are prefixed `ark_` and shown once - copy immediately.\n\n### v2 API (AgentKit + Premium Analytics)\n\n**Base URL:** `https://arkora.app/api/v2`\n\nv2 endpoints accept dual authentication:\n- **AgentKit** (recommended for AI agents) - `agentkit` header with proof-of-human delegation. Agents get 2x rate limits and access to premium endpoints.\n- **API key** fallback - same `X-API-Key` header as v1.\n\n| Method | Path | Description | Auth |\n| --- | --- | --- | --- |\n| GET | `/v2/posts` | List posts | AgentKit or API key |\n| GET | `/v2/polls` | List polls with vote counts | AgentKit or API key |\n| GET | `/v2/boards` | All boards with post counts | AgentKit or API key |\n| GET | `/v2/stats` | Platform aggregate stats | AgentKit or API key |\n| GET | `/v2/sentiment` | Sentiment score per board | AgentKit only |\n| GET | `/v2/trends` | Trending topics by velocity | AgentKit only |\n| GET | `/v2/demographics` | Geographic vote distribution | AgentKit only |\n\nPremium endpoints (sentiment, trends, demographics) include 50 free requests per day per human. After that, x402 micropayments apply.\n\n### MCP Server\n\nArkora ships a standalone MCP server so AI agents (Claude, GPT, etc.) can query verified-human data natively.\n\n```bash\ncd mcp \u0026\u0026 pnpm install\nARKORA_API_KEY=ark_... npx tsx index.ts       # stdio transport\nARKORA_API_KEY=ark_... npx tsx index.ts --sse  # SSE on port 3001\n```\n\nAvailable tools: `arkora_search_posts`, `arkora_get_poll_results`, `arkora_get_sentiment`, `arkora_get_trends`, `arkora_get_stats`.\n\n---\n\n## Project Structure\n\n```text\napp/\n  api/                API routes (auth, posts, replies, votes, dm, rooms, search, ...)\n  boards/             Boards list page\n  post/[id]/          Thread / post detail\n  rooms/              Rooms discovery + room view\n  settings/           Settings page\n  dm/                 DM inbox + conversation pages\n  notifications/      Notifications page\n  profile/            User profile page\n\ncomponents/\n  auth/               World ID verification, WalletConnect\n  compose/            PostComposer, ReplyComposer\n  dm/                 ConversationView, ConversationList\n  feed/               Feed, ThreadCard, FeedSkeleton\n  onboarding/         OnboardingScreen\n  rooms/              RoomsDiscovery, RoomView, RoomCard\n  search/             SearchSheet (multi-entity search)\n  settings/           SettingsView, SkinShop, FontShop\n  thread/             ThreadView, ReplyCard, ReplyTree\n  ui/                 BottomNav, LeftDrawer, BottomSheet, ...\n\nhooks/                Custom React hooks (mentions, search, feed, tips, ...)\n\nlib/\n  db/                 Drizzle schema + per-entity query modules\n  crypto/             DM encryption (Curve25519 + AES-256-GCM)\n  i18n/               Translation dictionaries (10 locales) + lazy loader\n  storage/            Hippius S3 adapter\n  rateLimit.ts        Async sliding-window rate limiter (Upstash Redis + in-memory fallback)\n  cache.ts            Feed cache with TTL\n  sanitize.ts         Input sanitization + mention parsing\n  serverAuth.ts       Session cookie reader\n  worldid.ts          Onchain World ID proof verification\n\nstore/\n  useArkoraStore.ts   Global Zustand store\n\ncontracts/            ArkoraNullifierRegistry.sol (onchain World ID registry, deployed on World Chain)\ncli/                  Node.js CLI (TypeScript + commander)\ncli-rust/             Rust CLI (clap + reqwest + colored)\nmcp/                  MCP server for AI agent tooling\nscripts/              Database seed + migration scripts\ndocs/                 Social preview image + assets\ne2e/                  Playwright E2E tests (5 specs, 11 tests)\nproxy.ts              Edge proxy (payload size gating, Next.js 16.2 convention)\nvercel.json           Per-route function config (timeouts)\nplaywright.config.ts  Playwright configuration\npublic/sw.js          Service worker for PWA offline\n```\n\n---\n\n## Testing\n\n```bash\npnpm test              # 82 Vitest unit tests\npnpm test:watch        # watch mode\npnpm test:coverage     # coverage report\npnpm test:e2e          # 11 Playwright E2E tests (chromium)\n```\n\n**Unit tests:** 82 Vitest tests covering input sanitization, rate limiting, E2E DM encryption (Curve25519 + AES-256-GCM), karma tiers, AgentKit auth middleware, and utility functions. Tests run in CI before lint and build.\n\n**E2E tests:** 11 Playwright tests across 5 specs (API boards, API posts, API search, feed page, health check). Run against a local dev server in headless Chromium.\n\nSee [QA.md](./QA.md) for the full manual testing checklist (80+ test cases across auth, feed, posts, DMs, rooms, monetization, API, and security).\n\n---\n\n## Deployment\n\n1. Push to GitHub and import the repo in the Vercel dashboard.\n2. Add all environment variables from `.env.example`.\n3. Set `NEXT_PUBLIC_APP_ID` and `APP_ID` to your Worldcoin Developer Portal app ID.\n4. Deploy. Update the **Redirect URL** in your Developer Portal to match your production domain.\n\n---\n\n## Contributing\n\nSee [CONTRIBUTING.md](./CONTRIBUTING.md) for development setup, branch conventions, and PR requirements.\n\n## Security Policy\n\nTo report a vulnerability, see [SECURITY.md](./SECURITY.md). Do not open public issues for security findings.\n\n## License\n\n[MIT](./LICENSE) - Copyright 2026 Arkora (by Hetark). Free to use, fork, and build on.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhet4rk%2Farkora","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhet4rk%2Farkora","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhet4rk%2Farkora/lists"}