Live status
Status
What the public relay is doing right now, what changed recently, and what we are still working on. Updated every deploy.
Live
The public /healthz endpoint returns the minimum a
monitor or beta user needs to confirm the relay is on the
expected build:
curl -s https://securechat.team/healthz
# {"status":"ok","uptimeSeconds":...,"version":"v0.1.0+<git-sha>"}
The response is intentionally minimal. The relay's internal
surface (store type, max packet bytes, auth-required flag, etc.)
is exposed only behind the operator-only
/healthz/internal endpoint, which requires an
X-Securechat-Ops-Token header.
Security posture
| Control | Status | Notes |
|---|---|---|
| End-to-end encryption (Curve25519 + AES-GCM) | shipped | On-device only, per Apple CryptoKit. |
| Zero-knowledge relay | shipped | Relay never sees plaintext, keys, or bodies. |
| Signed envelopes | shipped | Ed25519 over the canonical envelope. Signature is verified by the receiving client, not by the relay. The relay validates packet structure, TTL, size and policy constraints only. See ADR-002 for the canonical envelope and the trust model. |
| Replay protection (TTL + clock-skew window) | shipped | Default TTL 24h, clock-skew 5min, configurable. |
| HTTPS-only in production | shipped | Production fails to start without TLS termination upstream. |
| Per-IP rate limit | shipped | 120 req/min by default, configurable. |
| Storage cap (per-recipient + global) | shipped | 500 per recipient, 10 000 globally, configurable. |
| External security audit | planned | Recommended before high-assurance claims. See SECURITY.md. |
| On-device Privacy Sentinel (0–100) | shipped | Rule-based scoring of the device posture (runtime, settings, relay config, peer trust). Fully local, deterministic, no ML model, no telemetry. See ADR-004. |
Relay endpoints
| Path | Auth | Purpose |
|---|---|---|
GET /healthz |
none | Public healthcheck. {status, uptimeSeconds, version}. |
GET /healthz/internal |
X-Securechat-Ops-Token |
Operator-only healthcheck. Adds peers, packetCount, nodeEnv. |
GET /health |
X-Securechat-Ops-Token (operator-only) |
Detailed operator health (store type, auth-required, packet limits, etc.). Removed from public surface in Sprint 5. |
GET /v1/relay/security/policy |
none | Public security policy (encryption-only flag, max packet size, rate limit). |
GET /v1/relay/stats |
none | Public stats (counts only, no peer IDs, no payloads). |
POST /v1/relay/messages |
Bearer RELAY_AUTH_TOKEN |
Drop a sealed, signed packet for a recipient. |
GET /v1/relay/messages |
Bearer RELAY_AUTH_TOKEN |
Fetch pending packets for a recipient. |
POST /v1/admin/relay/... |
Bearer RELAY_ADMIN_TOKEN |
Operator-only admin endpoints (purge, detailed stats). |
Canonical source of truth: docs/CURRENT-ENDPOINTS.md.
Legacy hosts
The previous public hostname, chatsecure.ddns.net, was
decommissioned on 22 June 2026 during the cutover
to securechat.team. The DNS A record was removed at
the registrar; the Caddy block returns
308 Permanent Redirect to
https://securechat.team{uri} for every request as a
belt-and-braces measure for cached resolvers. Verified NXDOMAIN
on 22 June 2026 (8.8.8.8, the server's local resolver, the build
host). If you still see it resolve, that is resolver or
search-engine cache, not a live server.
What changed recently
See the project CHANGELOG.md for the full history. Public-beta changes are summarised in known-issues.html.