{"id":50753003,"url":"https://github.com/north9-labs/seam","last_synced_at":"2026-06-11T03:00:26.792Z","repository":{"id":356872818,"uuid":"1234396138","full_name":"North9-Labs/Seam","owner":"North9-Labs","description":"Post-quantum encrypted transport protocol — UDP, multi-stream, built-in FEC, Noise_XX + ML-KEM-768","archived":false,"fork":false,"pushed_at":"2026-06-05T07:13:34.000Z","size":291,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-05T07:16:02.516Z","etag":null,"topics":["cryptography","forward-error-correction","ml-kem","networking","post-quantum","protocol","rust","udp"],"latest_commit_sha":null,"homepage":"https://north9.org","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/North9-Labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/security.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"custom":["https://north9.org"]}},"created_at":"2026-05-10T06:01:15.000Z","updated_at":"2026-06-05T07:13:36.000Z","dependencies_parsed_at":null,"dependency_job_id":"ea2077f6-0098-4a17-9a10-2b302e5e6432","html_url":"https://github.com/North9-Labs/Seam","commit_stats":null,"previous_names":["north9llc/seam","north9-labs/seam"],"tags_count":39,"template":false,"template_full_name":null,"purl":"pkg:github/North9-Labs/Seam","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/North9-Labs%2FSeam","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/North9-Labs%2FSeam/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/North9-Labs%2FSeam/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/North9-Labs%2FSeam/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/North9-Labs","download_url":"https://codeload.github.com/North9-Labs/Seam/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/North9-Labs%2FSeam/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34180147,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-11T02:00:06.485Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","forward-error-correction","ml-kem","networking","post-quantum","protocol","rust","udp"],"created_at":"2026-06-11T03:00:16.060Z","updated_at":"2026-06-11T03:00:26.756Z","avatar_url":"https://github.com/North9-Labs.png","language":"Rust","funding_links":["https://north9.org"],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# Seam\n\n**Post-quantum encrypted communications over UDP — written in Rust.**\n\n[![CI](https://github.com/North9-Labs/Seam/actions/workflows/ci.yml/badge.svg)](https://github.com/North9-Labs/Seam/actions/workflows/ci.yml)\n[![Security Audit](https://github.com/North9-Labs/Seam/actions/workflows/security.yml/badge.svg)](https://github.com/North9-Labs/Seam/actions/workflows/security.yml)\n[![License: AGPL v3](https://img.shields.io/badge/license-AGPL%20v3-blue.svg)](LICENSE)\n[![Rust 1.88+](https://img.shields.io/badge/rust-1.88+-orange.svg)](#build-from-source)\n\n\u003c/div\u003e\n\n```sh\ncurl -fsSL https://install.north9.org/seam.sh | sh\n```\n\nSeam replaces `scp`, `netcat`, and `ssh -L` with a single tool that is faster on real-world links and safe against quantum computers. All traffic uses a hybrid Noise_XX + ML-KEM-768 handshake so session keys cannot be decrypted even if elliptic-curve cryptography is broken in the future.\n\n---\n\n## Why seam\n\nTCP was designed in 1974. SSH was bolted on top. The result is a stack that:\n\n- **Stalls on packet loss** — one lost packet blocks all subsequent data until it is retransmitted (head-of-line blocking)\n- **Caps out early on high-latency links** — the congestion window math means a 100 ms RTT link with 0.1% loss can only push ~30% of its nominal bandwidth over TCP\n- **Is not quantum-safe** — session keys established today with classical ECDH can be decrypted later once a cryptographically-relevant quantum computer exists\n\nSeam fixes all three.\n\n### Speed comparison\n\n\u003e Measured on loopback (single core, x86_64). WAN advantage is larger — TCP degrades at high latency and loss where seam does not.\n\n| | seam | scp (OpenSSH) | rsync over SSH | netcat (no encryption) |\n|---|---:|---:|---:|---:|\n| **Encrypted throughput** | **568 MiB/s** | ~400 MiB/s | ~380 MiB/s | n/a |\n| **Handshake latency** | **247 µs** | ~10 ms | ~10 ms | ~1 ms |\n| **Quantum-safe** | ✅ ML-KEM-768 | ❌ | ❌ | ❌ |\n| **Head-of-line blocking** | none (UDP + FEC) | yes | yes | yes |\n| **High-latency WAN** | ✅ approaches line rate | degrades | degrades | degrades |\n| **Multi-stream mux** | ✅ | ❌ | ❌ | ❌ |\n\nseam transfers the same data in about 30% less wall time than scp on a clean local link. On a WAN path with 100 ms RTT and 0.5% loss the gap widens to 2–4×, because seam's forward error correction absorbs most lost packets without a round-trip retransmit.\n\nThe FEC arbiter adapts in real time: on high-latency links (RTT \u003e 100 ms) seam proactively adds light FEC repair symbols even before any loss is observed, trading ~10% overhead for zero ARQ round-trips on those paths.\n\n---\n\n## How Seam compares\n\n| Feature | Seam | WireGuard | SSH | QuSecure QuProtect |\n|---|---|---|---|---|\n| Post-quantum KEM | ✅ ML-KEM-768 (FIPS 203) | ❌ | ❌ | ✅ |\n| PQ identity signing | ✅ ML-DSA-65 (FIPS 204) | ❌ | ❌ | Unknown |\n| Transport protocol | UDP (custom) | UDP | TCP | Varies |\n| Head-of-line blocking | None (FEC) | None | Yes | Unknown |\n| Forward secrecy | ✅ Double ratchet | ✅ per-session | ✅ per-session | Unknown |\n| Traffic analysis resistance | ✅ padding + chaff + jitter | ❌ | ❌ | ❌ |\n| Multi-path anti-jamming | ✅ PathScheduler | ❌ | ❌ | ❌ |\n| Session resumption | ✅ zero-RTT | ❌ | ❌ | Unknown |\n| FIPS mode | ✅ --fips-mode | ❌ | Partial | ✅ |\n| Audit logging (SP 800-53) | ✅ | ❌ | Partial | Unknown |\n| Open source | ✅ AGPL-3.0 | ✅ MIT | ✅ | ❌ closed |\n| Air-gap traversal | ✅ --via relay | ❌ | ❌ | ❌ |\n| File transfer built-in | ✅ seam cp/sync | ❌ | ✅ scp | ❌ |\n| Port scanner built-in | ✅ seam scan | ❌ | ❌ | ❌ |\n| Proxy (SOCKS5) built-in | ✅ seam proxy | ❌ | ✅ | ❌ |\n\nWireGuard and SSH rely on classical elliptic-curve cryptography and will be vulnerable to harvest-now-decrypt-later attacks once cryptographically-relevant quantum computers exist. QuSecure QuProtect addresses the quantum risk but is closed-source and targets enterprise licensing. Seam is the only open-source protocol combining FIPS 203/204 post-quantum cryptography with traffic analysis resistance and multi-path anti-jamming.\n\n---\n\n## Install\n\n```sh\ncurl -fsSL https://install.north9.org/seam.sh | sh\n```\n\nInstalls to `~/.local/bin/seam`. Override:\n\n```sh\nSEAM_INSTALL_DIR=/usr/local/bin curl -fsSL https://install.north9.org/seam.sh | sh\n```\n\nThe installer verifies a SHA-256 checksum before placing the binary.\n\n### Shell completions\n\n```sh\nseam completions bash \u003e /etc/bash_completion.d/seam   # system-wide\nseam completions zsh  \u003e ~/.zsh/completions/_seam       # user\nseam completions fish \u003e ~/.config/fish/completions/seam.fish\n```\n\n### First-time setup\n\n```sh\nseam doctor          # check system readiness\n```\n\nSeam respects your `~/.ssh/config` (Host aliases, User, Port, IdentityFile) and stores a persistent identity key in `~/.config/seam/identity` so peers can recognise you across sessions.\n\n---\n\n## Commands\n\n### `seam cp` — file transfer\n\n```sh\n# Send a file (zstd-compressed by default)\nseam cp ./report.pdf alice@server:/home/alice/report.pdf\n\n# Send a directory\nseam cp ./dataset/ alice@server:/data/dataset\n\n# Receive from remote (pull)\nseam cp alice@server:/remote/logs ./local-backup/\n\n# Resume an interrupted transfer\nseam cp --resume ./large.iso alice@server:/data/\n\n# Raw transfer, no compression (already-compressed files)\nseam cp --no-compress ./archive.tar.gz alice@server:/backups/\n```\n\nseam bootstraps itself on the remote over SSH if it is not already installed — no manual setup on the server side.\n\n---\n\n### `seam pipe` — bidirectional pipe\n\nNetcat, but post-quantum encrypted and fast.\n\n```sh\n# Open a remote shell\nseam pipe alice@server -- bash\n\n# Run a command, stream its output locally\nseam pipe alice@server -- journalctl -f\n\n# Pipe data between machines\ntar cf - ./project | seam pipe alice@server -- tar xf - -C /dest\n\n# Remote port scan (pipe through any tool)\nseam pipe alice@server -- nmap -sV 10.0.0.0/24\n```\n\n---\n\n### `seam tunnel` — TCP port forward\n\nSSH `-L`, but over seam's UDP transport. Multiple concurrent connections share one post-quantum session.\n\n```sh\n# Forward local:8080 → server:localhost:3000\nseam tunnel 8080:alice@server:3000\n\n# Access a private database through a jump host\nseam tunnel 5432:alice@server:db.internal:5432\n\n# Then connect normally — seam is invisible\npsql -h localhost -p 5432 -U myuser mydb\n```\n\n---\n\n### `seam fwd` — reverse port forward\n\nExpose a port from a remote machine back to your local machine. Like `ssh -R` but over seam's UDP transport — works through double-NAT, adapts to lossy paths.\n\n```sh\n# Remote server listens on :3000, forwards connections to local :8080\nseam fwd alice@server:3000 8080\n\n# Expose a local dev service to a remote machine\nseam fwd alice@bastion:9090 8080 --local-host 0.0.0.0\n\n# Custom SSH port\nseam fwd -p 2222 alice@server:5432 5432\n```\n\nUseful for:\n- Exposing a local dev server to a remote machine for testing\n- Reverse tunneling without a full Seamless relay setup\n- Giving a temporary remote endpoint to your laptop\n\n---\n\n### `seam stats` — connection statistics\n\nMeasure real-time connection quality to a remote host.\n\n```sh\nseam stats alice@server          # 5-second measurement window\nseam stats alice@server --duration 10\n```\n\n```\n  Seam connection stats  alice@server  (5s window)\n  ─────────────────────────────────────────────────\n  RTT           min 44ms  avg 51ms  max 79ms\n  Throughput    recv 234 MiB/s\n  Path MTU      1400 bytes\n  cwnd          512 KiB\n```\n\n---\n\n### `seam bench` — throughput test\n\nMeasure actual seam speed to a host and compare against known baselines.\n\n```sh\nseam bench alice@server          # 100 MiB test\nseam bench alice@server --mib 1000\n\n# Use BBR congestion control instead of CUBIC\nSEAM_CC=bbr seam bench alice@server\n```\n\n```\n  ────────────────────────────────────────────────────────────────────\n  tool     throughput                            MiB/s   notes\n  ────────────────────────────────────────────────────────────────────\n  seam     █████████████████████████████████       847   0.706 Gbps  ← measured\n  scp      █████████████████░░░░░░░░░░░░░░░░       400   encrypted TCP  (est.)\n  rsync    ████████████████░░░░░░░░░░░░░░░░░       380   encrypted TCP  (est.)\n  netcat   ██████████████████████████████████░     950   unencrypted TCP  (est.)\n  ────────────────────────────────────────────────────────────────────\n\n  seam is 2.1× faster than scp on this path\n  post-quantum safe · UDP · FEC recovery · 247 µs handshake\n```\n\n---\n\n### `seam ls` — remote directory listing\n\n```sh\nseam ls alice@server:/var/log\nseam ls alice@server:/data  # trailing slash optional\n```\n\nLists files with Unix-style permissions, human-readable sizes, and names.\n\n---\n\n### `seam config` — persistent settings\n\nManage defaults so you don't have to pass flags every time.\n\n```sh\nseam config init                  # create ~/.config/seam/config.toml\nseam config list                  # show all settings\nseam config get cc                # current value\nseam config set cc bbr            # switch default CC to BBR\nseam config set compress false    # disable zstd by default\n```\n\nConfig file location: `~/.config/seam/config.toml`.\n\n---\n\n### `seam update` — self-update\n\n```sh\nseam update           # download and replace the binary\nseam update --check   # just print available version\n```\n\n---\n\n## How It Works\n\nEvery seam command follows the same pattern:\n\n1. **SSH bootstrap** — seam uses your existing SSH config to reach the remote, starts a receiver process, and reads back connection parameters. No new ports need to be opened.\n2. **Post-quantum handshake** — client and server perform Noise_XX augmented with ML-KEM-768 in ~247 µs. Each side contributes randomness; neither can force a weak key.\n3. **Encrypted UDP transport** — all data flows over a direct UDP path. The transport layer handles loss recovery, ordering, flow control, and multiplexing internally.\n\n### Transport features\n\n| Feature | What it does |\n|---|---|\n| **CUBIC congestion control** | Fills the pipe without overwhelming routers (switch to BBR with `SEAM_CC=bbr`) |\n| **ARQ retransmission** | Resends dropped packets with exponential backoff |\n| **GF(2⁸) Reed-Solomon FEC** | Recovers up to *r* losses per *k*-packet group without a round-trip; adapts overhead dynamically via EWMA loss tracking |\n| **Adaptive FEC arbiter** | Pure ARQ on clean links, hybrid FEC+ARQ at moderate loss, pure FEC above 15% loss; automatically adds light FEC on high-latency paths (RTT \u003e 100 ms) to avoid ARQ round-trips |\n| **Multi-stream mux** | Tunnel, bench, and pipe share one session; streams are independent |\n| **DDoS-resistant handshake** | BLAKE3 cookie challenge before any per-client state is allocated |\n| **Header protection** | Session ID and packet number encrypted in addition to payload |\n| **Flow control** | Dynamic 16 MiB windows extended via MaxData frames; control packets bypass congestion control |\n| **Keepalive** | Automatic Ping/Pong every 15 s; idle timeout after 60 s |\n\n---\n\n## Security\n\n### What is protected\n\nEvery byte sent over seam is encrypted with **ChaCha20-Poly1305**, an AEAD cipher with a 256-bit key. The packet header — session ID, packet number, flags — is additionally encrypted so passive observers cannot correlate traffic to sessions.\n\n### The handshake\n\nSeam uses **Noise_XX** (mutual authentication with forward secrecy) combined with **ML-KEM-768** (CRYSTALS-Kyber, NIST post-quantum standard). The hybrid construction means:\n\n- A classical adversary cannot break the session (x25519 elliptic-curve hardness)\n- A quantum adversary cannot break the session (ML-KEM-768 hardness)\n- Traffic recorded today cannot be decrypted later even if one primitive is broken in the future\n\nBoth parties authenticate with long-term identity keypairs and exchange ephemeral keys for forward secrecy.\n\n### Anti-replay\n\nEach packet carries a 64-bit sequence number. The receiver maintains a sliding bitmap window; duplicate or out-of-window packets are silently dropped. An attacker who captures and replays a packet cannot cause it to be accepted a second time.\n\n### DDoS resistance\n\nThe server commits no per-client memory until the client echoes a valid BLAKE3 cookie that is tied to its source IP and expires after 30 seconds. This prevents an attacker from exhausting server memory by spoofing connection requests.\n\n### Honest disclaimer\n\nSeam is pre-1.0 software. The cryptographic design follows well-established patterns and uses audited primitives, but the protocol itself has not undergone a third-party security audit. Do not use it where your threat model requires independently audited software.\n\n---\n\n## Troubleshooting\n\n### \"handshake timed out\"\n- Seam automatically retries the handshake up to 3 times with exponential backoff.\n- If it still fails, check that UDP is not blocked by a firewall.\n- Increase kernel socket buffers:\n  ```sh\n  sudo sysctl -w net.core.rmem_max=8388608\n  sudo sysctl -w net.core.wmem_max=8388608\n  ```\n\n### \"seam not found on remote\"\n- seam bootstraps automatically, but if the remote has no internet access, copy the binary manually to `~/.local/bin/seam`.\n\n### Slow throughput on LAN\n- seam is optimised for lossy / high-latency paths. On pristine LAN, scp may be similar. Use `seam bench` to verify.\n\n### Verbose logging\n- Add `-v` (info), `-vv` (debug), or `-vvv` (trace) to any command:\n  ```sh\n  seam -vv cp ./data user@host:/dest\n  ```\n\n---\n\n## Build from Source\n\n```sh\n# Prerequisites: Rust 1.88+\ngit clone https://github.com/North9-Labs/Seam\ncd Seam\ncargo build --release --bin seam\n./target/release/seam --version        # Linux / macOS\n# target\\release\\seam.exe --version    # Windows\n```\n\nTest suite:\n\n```sh\ncargo test\n```\n\nBenchmarks (Criterion, single-core loopback):\n\n```sh\ncargo bench\n```\n\nFuzz targets:\n\n```sh\ncargo install cargo-fuzz\ncargo fuzz run packet_decode\n```\n\n---\n\n## Library Usage\n\n```toml\n# Cargo.toml\nseam-protocol = { git = \"https://github.com/North9-Labs/Seam\" }\n```\n\n### Client / Server\n\n```rust\nuse seam_protocol::{api::{Client, Server}, handshake::IdentityKeypair};\n\n// Server — bind and wait for a connection\nlet id = IdentityKeypair::generate();\nlet mut server = Server::bind(\"0.0.0.0:4433\".parse()?, id).await?;\nlet conn = server.accept().await.unwrap();\n\n// Client — connect to the server\nlet id = IdentityKeypair::generate();\nlet client = Client::bind(\"0.0.0.0:0\".parse()?, id).await?;\nlet conn = client.connect(server_addr, \u0026server_x25519, \u0026server_kem_pk).await?;\n```\n\n### Multiplexed streams\n\nStreams implement `AsyncRead + AsyncWrite + Unpin` and compose directly with tokio I/O utilities.\n\n```rust\nuse seam_protocol::tunnel::SeamMux;\n\nlet mux = SeamMux::new(conn);  // wraps a SeamConn\n\n// Open a stream from either side\nlet mut stream = mux.open_stream().await;           // locally-initiated\nlet mut stream = mux.accept_stream().await.unwrap(); // remote-initiated\n\n// Drop in anywhere tokio I/O is expected\ntokio::io::copy_bidirectional(\u0026mut stream, \u0026mut tcp_socket).await?;\n```\n\n### Datagrams\n\n```rust\n// Unreliable, unordered — useful for real-time data\nconn.send_datagram(b\"ping\").await?;\n```\n\n---\n\n## Performance\n\n\u003e Single-core, loopback, x86_64. Numbers vary with hardware and kernel UDP buffer limits.\n\n**568 MiB/s (~4.76 Gbps) encrypted throughput at 1400 B MTU. 247 µs full Noise_XX + ML-KEM-768 handshake.**\n\n| Payload size | Encrypt + send | Throughput |\n|---|---|---:|\n| 64 B | 350 ns | ~303 MiB/s |\n| 256 B | 644 ns | ~455 MiB/s |\n| 512 B | 1.03 µs | ~519 MiB/s |\n| 1400 B | 2.43 µs | **~568 MiB/s** |\n\n| Operation | Time |\n|---|---:|\n| `IdentityKeypair::generate` | 17.8 µs |\n| `PacketKeys::derive_from_secret` | 370 ns |\n| Full handshake (Noise_XX + ML-KEM-768, 3 messages) | **247 µs** |\n\n---\n\n## Repository Layout\n\n```\nsrc/\n├── api.rs          # Client, Server, SeamConn\n├── tunnel.rs       # SeamMux + SeamStream (AsyncRead + AsyncWrite)\n├── crypto/         # ChaCha20-Poly1305, header protection, anti-replay\n├── handshake/      # Noise_XX + ML-KEM-768, DDoS-resistant cookie\n├── session/        # Streams, ARQ, flow control, priority scheduling\n├── fec/            # GF(2⁸) arithmetic, systematic RS codec, adaptive FEC/ARQ arbiter\n└── transport/      # Connection, endpoint, CUBIC/BBR CC, pacer, path probing\n\nsrc/bin/seam/\n├── main.rs         # CLI entry point\n├── copy.rs         # seam cp\n├── pipe.rs         # seam pipe\n├── tunnel.rs       # seam tunnel (local port forward, ssh -L)\n├── fwd.rs          # seam fwd (reverse port forward, ssh -R)\n├── bench.rs        # seam bench\n├── stats.rs        # seam stats (live connection metrics)\n├── ls.rs           # seam ls\n└── config.rs       # seam config\n\nbenches/            # Criterion benchmarks\nfuzz/               # cargo-fuzz targets\n```\n\n---\n\n## License\n\nSeam is dual-licensed:\n\n- **Open source:** [GNU Affero General Public License v3.0](LICENSE) — free for open source projects and personal use\n- **Commercial:** contact [licensing@north9.org](mailto:licensing@north9.org) for proprietary, SaaS, government, or OEM use\n\nSee [LICENSE-COMMERCIAL](LICENSE-COMMERCIAL) for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnorth9-labs%2Fseam","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnorth9-labs%2Fseam","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnorth9-labs%2Fseam/lists"}