{"id":49569896,"url":"https://github.com/wan0net/trust0","last_synced_at":"2026-05-03T13:13:19.412Z","repository":{"id":347306809,"uuid":"1193472918","full_name":"wan0net/trust0","owner":"wan0net","description":"trust0 — cryptographic identity verification. Trust no one. Verify everything.","archived":false,"fork":false,"pushed_at":"2026-03-27T12:38:33.000Z","size":480,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-27T22:37:28.116Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wan0net.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-27T09:05:45.000Z","updated_at":"2026-03-27T12:38:36.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/wan0net/trust0","commit_stats":null,"previous_names":["wan0net/trust0"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/wan0net/trust0","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wan0net%2Ftrust0","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wan0net%2Ftrust0/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wan0net%2Ftrust0/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wan0net%2Ftrust0/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wan0net","download_url":"https://codeload.github.com/wan0net/trust0/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wan0net%2Ftrust0/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32569993,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-03T06:36:36.687Z","status":"ssl_error","status_checked_at":"2026-05-03T06:36:09.306Z","response_time":103,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-05-03T13:13:18.472Z","updated_at":"2026-05-03T13:13:19.395Z","avatar_url":"https://github.com/wan0net.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# trust0\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eCryptographic identity verification\u003c/strong\u003e\u003cbr\u003e\n  Prove that person X owns account X. Open source. Open data.\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#why-trust0\"\u003eWhy\u003c/a\u003e •\n  \u003ca href=\"#how-it-works\"\u003eHow It Works\u003c/a\u003e •\n  \u003ca href=\"#proof-providers\"\u003eProviders\u003c/a\u003e •\n  \u003ca href=\"#document-signing\"\u003eSigning\u003c/a\u003e •\n  \u003ca href=\"#getting-started\"\u003eGet Started\u003c/a\u003e •\n  \u003ca href=\"#deploy-your-own\"\u003eDeploy\u003c/a\u003e •\n  \u003ca href=\"#license\"\u003eLicense\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n\u003e **Early Development** — Core crypto library complete (88 tests), 20+ proof providers, sigchain with key rotation, document signing with Rekor timestamps, BIP39 paper key backup. Web app and deployment in progress.\n\n## Why trust0\n\nKeybase let you cryptographically prove you owned your accounts — then got acquired by Zoom and died. Everyone's identity was on their servers. No export, no migration, no alternatives.\n\ntrust0 fixes the same problem without the single point of failure:\n\n- **Your identity is a set of signed files.** They work anywhere — not just on our server.\n- **Verification is client-side.** The viewer's browser does all the crypto. The server stores bytes.\n- **Your data is portable.** Export everything. Self-host. If trust0.app disappears, your identity survives.\n- **The code is open source.** Fork it. Deploy your own. Audit every line.\n\n**What trust0 adds over Keyoxide** (the other active project in this space):\n\n| Capability | Keyoxide | trust0 |\n|------------|----------|--------|\n| Identity history (sigchain) | No | Yes — append-only signed log |\n| Key rotation | No — new key = new identity | Yes — identity survives key changes |\n| Revocation | No | Yes — explicit revoke links |\n| Document signing | No | Yes — JWS detached + Rekor timestamps |\n| Crypto wallet proofs | No | Yes — Ethereum, Bitcoin, Solana, Nostr |\n| Data export | N/A (no server data) | Yes — full identity as portable files |\n\nCompatible with [Keyoxide](https://keyoxide.org) and the [Ariadne specification](https://ariadne.id). Keyoxide users can verify trust0 profiles and vice versa.\n\n## How It Works\n\n```\n┌───────────────────────────────────────────────────────┐\n│                   YOUR BROWSER                         │\n│                                                        │\n│  1. Generate Ed25519 keypair (WebCrypto)               │\n│  2. Sign an identity profile (ASP format)              │\n│  3. Post fingerprint on GitHub / DNS / Mastodon / etc  │\n│  4. Upload signed profile to trust0.app                │\n│                                                        │\n│  Private key never leaves your browser.                │\n└───────────────────────────────────────────────────────┘\n                         │\n                         ▼\n┌───────────────────────────────────────────────────────┐\n│                 ANYONE CAN VERIFY                      │\n│                                                        │\n│  1. Fetch your profile from trust0.app                 │\n│  2. Verify the Ed25519 signature                       │\n│  3. For each claim: fetch proof from platform           │\n│  4. Check fingerprint matches                          │\n│                                                        │\n│  All verification in the viewer's browser.             │\n│  Server cannot forge results.                          │\n└───────────────────────────────────────────────────────┘\n```\n\nEvery identity action is recorded in a **sigchain** — an append-only, hash-linked log of signed events. The sigchain enables key rotation (change your key without losing your identity), proof revocation (explicitly mark a proof as removed), and full audit history.\n\n## Proof Providers\n\n**Client-verified** (viewer's browser checks directly):\n\nGitHub · GitLab · Sourcehut · Codeberg · Mastodon · Bluesky · Twitter/X · Reddit · Hacker News · Lobsters · ORCID · Keybase · DNS · Personal website\n\n**Server-attested** (bot-witnessed):\n\nEmail (challenge-response) · Discord · Telegram\n\n**Key-to-key** (cryptographic cross-signing):\n\nEthereum · Bitcoin · Solana · Nostr\n\nVerification engine: [@trust0/verify](packages/verify) — forked from [doipjs](https://codeberg.org/keyoxide/doipjs) (31 service providers, Apache-2.0).\n\n## Document Signing\n\nSign files with your verified identity key:\n\n- **JWS detached payload** (RFC 7515 / RFC 7797) — signature separate from document\n- **Rekor timestamps** — submit to [Sigstore](https://rekor.sigstore.dev) transparency log for proof-of-existence\n- **Multi-party signatures** — multiple signers over the same document\n- **SSH key export** — same Ed25519 key works for `git commit -S`\n- **Sigchain audit trail** — every signature recorded in identity history\n\n## Architecture\n\n```\ntrust0/\n├── packages/\n│   ├── identity/         # @trust0/identity — Ed25519 keys, ASP profiles,\n│   │                     # sigchain, document signing, SSH, BIP39 mnemonic\n│   │                     # 88 tests. Apache-2.0.\n│   └── verify/           # @trust0/verify — proof verification engine\n│                         # 31 providers. Forked from doipjs. Apache-2.0.\n├── apps/\n│   ├── api/              # Hono Worker + D1 — ASPE, sigchain, attestations,\n│   │                     # export/import, Better Auth (GitHub OAuth)\n│   ├── web/              # SvelteKit — dashboard, 20 proof pages, profile viewer\n│   └── proxy/            # CORS proxy Worker for browser verification\n├── bots/\n│   ├── discord/          # Discord attestation bot (Worker)\n│   └── telegram/         # Telegram attestation bot (Worker)\n├── dev/                  # Developer docs, specs, proposals\n│   └── spec/             # Ariadne specs + sigchain spec + APC proposals\n└── docs/                 # GitHub Pages site (wan0.net/trust0/)\n```\n\n## Getting Started\n\n```bash\ngit clone https://github.com/wan0net/trust0.git\ncd trust0\npnpm install\n\n# Run tests (88 tests)\npnpm --filter @trust0/identity test\n\n# Dev servers\npnpm --filter @trust0/api dev          # API on :8788\npnpm --filter @trust0/web dev          # Web on :5173\npnpm --filter @trust0/proxy dev        # Proxy on :8790\n```\n\n## Deploy Your Own\n\ntrust0 runs on Cloudflare's free tier. Total cost: ~$15/year (domain only).\n\n```bash\n# 1. Create D1 database\nwrangler d1 create trust0-db\n\n# 2. Update apps/api/wrangler.toml with your database_id\n\n# 3. Run migration\ncd apps/api \u0026\u0026 wrangler d1 migrations apply trust0-db --remote\n\n# 4. Set secrets\nwrangler secret put AUTH_SECRET\nwrangler secret put GITHUB_CLIENT_ID\nwrangler secret put GITHUB_CLIENT_SECRET\n\n# 5. Deploy\npnpm --filter @trust0/api deploy\npnpm --filter @trust0/proxy deploy\npnpm --filter @trust0/web deploy\n```\n\n## Resilience\n\n**If trust0.app disappears, your identity survives.**\n\nEvery piece of data in the database is a self-verifying signed file (JWS). Export your identity, host it anywhere. The proofs on platforms (GitHub gists, DNS records) still contain your fingerprint. Anyone can fork the code and deploy a new instance.\n\n| Scenario | Impact |\n|----------|--------|\n| Server goes down | Users with export: redeploy anywhere. Proofs on platforms still valid. |\n| User loses device | Restore from encrypted backup, BIP39 paper key, or git clone. |\n| Domain changes | Sigchain `profile_update` link migrates ASPE URI to new domain. |\n| Operator disappears | Fork repo → deploy to Cloudflare → restore from D1 backup. |\n\n## Spec Compliance\n\nBuilt on the [Ariadne Identity Specification](https://ariadne.id):\n\n- [Ariadne Core v0](dev/spec/ariadne-core-v0.md) — bidirectional proof protocol\n- [ASP / ASPE v0](dev/spec/ariadne-asp-v0.md) — Ed25519 signed profiles + exchange protocol\n- [Sigchain](dev/spec/sigchain.md) — trust0 extension (append-only identity history)\n- [Proposed Changes](dev/spec/proposed-changes.md) — 10 proposals (APC-001 to APC-010)\n\nAll spec deviations are marked in code with `SPEC DEVIATION (APC-NNN)` comments.\n\n## CI/CD\n\n- **Tests** — 88 unit tests + Ariadne interop tests\n- **Keyoxide interop** — live tests against [aspe-server-rs](https://codeberg.org/keyoxide/aspe-server-rs) in Docker\n- **Semgrep** — SAST (JS/TS + OWASP + security-audit), SARIF → GitHub Security tab\n- **Trivy** — vuln/secret/misconfig scanning, SARIF → GitHub Security tab\n\n## Project Stats\n\n| Metric | Value |\n|--------|-------|\n| Source files | ~130 |\n| Lines of code | ~20,000 |\n| Tests | 88 |\n| Proof providers | 20 (UI) + 31 (verify engine) |\n| Sigchain link types | 9 |\n| CI jobs | 4 (test, interop, semgrep, trivy) |\n\n## Contributing\n\ntrust0 is open source and welcomes contributions. See [CLAUDE.md](CLAUDE.md) for architecture, code style, and boundaries.\n\n## Roadmap\n\nSee [dev/persona-review.md](dev/persona-review.md) for the persona-driven feature plan.\n\n**Next:**\n- Onboarding wizard for non-technical users\n- Public profile redesign (link-in-bio style)\n- CLI tool (`trust0 init`, `trust0 prove`, `trust0 sign`)\n- OpenGraph/Twitter Card meta tags\n\n**Future:**\n- AT Protocol integration\n- Merkle tree for sigchain consistency\n- Matrix bot\n\n## License\n\n- **App** (apps/, bots/) — [AGPL-3.0](LICENSE)\n- **Libraries** (packages/identity, packages/verify) — [Apache-2.0](packages/verify/LICENSE)\n\n---\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://wan0.net/trust0/\"\u003eWebsite\u003c/a\u003e •\n  \u003ca href=\"https://ariadne.id\"\u003eAriadne Spec\u003c/a\u003e •\n  \u003ca href=\"https://keyoxide.org\"\u003eKeyoxide\u003c/a\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwan0net%2Ftrust0","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwan0net%2Ftrust0","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwan0net%2Ftrust0/lists"}