netherchat
Self-hostable, end-to-end encrypted coordination for incidents and sensitive operations — with signed, verifiable records of what was decided.
Self-hostable, end-to-end encrypted, real-time messaging. A blind-relay server that cannot read your messages — proven by the build graph, not a promise. Your server. Your keys. Your rules.
$ curl -fsSL https://netherchat.com/install | bash
macOS · Linux · Windows (WSL2) · or docker run -p 3000:3000 salkreiner/netherchat
The encryption lives in the client. The server is a blind relay — it routes ciphertext and sealed key blobs it has no key to open.
The crypto package lives under tui/internal; Go's rules make it physically unreachable from
the server binary. CI fails if that ever changes. It's a property of the import graph, not marketing.
Identities are generated and stored on each device. Room keys are wrapped per-recipient with
nacl/box and relayed as opaque blobs. No escrow, no recovery — by design.
No analytics, no phone-home, ever. By default nothing is written to disk — rooms evaporate when empty. A Wireshark capture shows ciphertext only.
Honest about limits: forward secrecy is per-epoch (not per-message), and the group key-distribution layer is custom over audited primitives — slated for external review before any paid tier, with MLS (RFC 9420) as the migration target. See encryption.md.
Designed to scale to everyone else without compromising the developer experience. Built for engineering teams; trusted for incident response and high-stakes coordination.
X25519 + XChaCha20-Poly1305 + Ed25519, audited pure-Go and WebCrypto-grade primitives. The same crypto in the terminal and the browser.
No runtime, no dependencies. A ~7 MB FROM scratch image, or a single binary per platform. curl … | bash and you're done.
A modern TUI for power users and this web client for everyone else — both speak one documented wire protocol to the same server.
nether, abyss, ember, ghost, sprinkles, dracula, gruvbox, solarized — switch with no reload. Try the picker above.
echo "deploy done" | netherchat send #ops. Every room gets an inbound webhook for CI and alerts. Any alert source can open a locked-down war room — a monitoring page, a CI failure, or a security tool posting a finding.
/vanish rotates the room key and clears history. Room TTLs, one-time invite tokens, invite-only rooms.
netherchat doctor --paranoid runs a live packet capture against the relay and proves it routes only ciphertext — no plaintext, ever. Not a claim. A test you run yourself.
netherchat report renders the sealed record as a standalone HTML timeline — human-readable for leadership, cryptographically verifiable by engineers. One file, no server, works forever.
netherchat pair --lan forms an encrypted war room with no server at all — same keys, same crypto, zero infrastructure. When even the relay is suspect, the conversation continues.
Every /decide, /action, and approval is Ed25519-signed by the person who said it, hash-chained to everything before it, and sealed into a record you can verify offline — forever, with no server and no account.
High-stakes actions — scuttle a room, run a runbook, approve an artifact — require N-of-M independent Ed25519 signatures before they fire. Not a policy. A protocol primitive.
An agent proposes an artifact (hash only — content never crosses). A named human approves under the two-person rule. The sealed record proves who drafted it, who approved it, and when — verifiable offline after the room is gone.
netherchat verify record.json checks the full hash chain and every signature offline, after the room is gone, on any machine. VALID or TAMPERED — no account, no relay, no trust required.
Scuttle a room and a co-signed receipt is written before the keys are zeroized — proof of what was destroyed and when. The one artifact that outlives the room, verifiable offline. Ephemerality you can prove, not just promise.
doctor --paranoid taps the live relay and shows only ciphertext crossing the wire, entropy-checked. Not a README claim — a capture you run yourself against the real server.
$ docker run -p 3000:3000 salkreiner/netherchat
$ curl -fsSL https://netherchat.com/install | bash
Share a one-time /break-glass link. Anyone clicks it, types a name, and they're in the room — no install, no account.