Security Threat Model
The relay is treated as untrusted infrastructure.
Xentrop is designed so messages, call signals, profiles, media, wakeups, and realtime transport paths move through infrastructure as opaque encrypted coordination events. The public claim is bounded: reduce infrastructure knowledge, do not pretend metadata disappears.
Protected By Design
Messages, call signals, profiles, media, recovery continuity, wakeups, and realtime transport paths move through untrusted infrastructure as opaque encrypted coordination events. The relay is not trusted with plaintext content, plaintext message type, a hosted coordination graph, private keys, or hosted recovery authority.
- plaintext stays outside relay authority
- message type is not exposed as a relay-readable protocol field
- contacts and coordination context are not maintained as a production relay-side graph
- recovery stays with user-owned .xbk continuity or old-device transfer
Residual Metadata Boundary
Server-blind does not mean metadata-free. Relay and network observers may still see client IP addresses and connection timing, opaque mailbox access patterns, blob size, traffic volume, push timing where push is used, and call transport timing or cadence.
- Xentrop does not claim no metadata
- Xentrop does not claim traffic-analysis immunity
- dedicated relay changes operational control, not the laws of network metadata
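The two boundaries above, the relay holding only opaque envelopes and the relay still seeing mailbox, size and timing, can be made concrete in code. The following is an added illustration, not Xentrop's own envelope format or code: it assumes a hypothetical envelope in which the mailbox address is an HMAC over the recipient identity under a key the two contacts share, the message type byte (0x01 and 0x02 are made-up codes here) is encrypted together with the payload under AES-256-GCM, and the mailbox address is bound as associated data so a relay cannot re-route a blob undetected. The demo keys and recipient names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is what the relay stores and forwards. Every field is opaque to it:
// Mailbox is a keyed hash rather than an identity, and the message type sits
// inside the ciphertext instead of in a relay-readable header.
type Envelope struct {
	Mailbox string // hex of the first 16 bytes of HMAC-SHA256(mailboxKey, recipient)
	Nonce   []byte
	Sealed  []byte // AES-256-GCM over (type || payload), bound to Mailbox
}

// RelayView is everything an honest-but-curious relay, or a network observer
// next to it, can derive from one envelope's contents: which opaque mailbox and
// how many bytes. Arrival time and client IP come from the connection itself.
type RelayView struct {
	Mailbox string
	Size    int
}

// mailboxID derives the opaque mailbox address. Sender and recipient share
// mailboxKey (assumed here to be agreed during contact establishment); the
// relay only ever sees the resulting hash.
func mailboxID(mailboxKey []byte, recipient string) string {
	mac := hmac.New(sha256.New, mailboxKey)
	mac.Write([]byte(recipient))
	return hex.EncodeToString(mac.Sum(nil)[:16])
}

func newAEAD(contentKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealEnvelope encrypts the message type together with the payload, so a text
// message, a call signal and a wakeup of equal length look identical in transit.
func sealEnvelope(contentKey, mailboxKey []byte, recipient string, msgType byte, payload []byte) (Envelope, error) {
	aead, err := newAEAD(contentKey)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	mb := mailboxID(mailboxKey, recipient)
	plaintext := append([]byte{msgType}, payload...)
	// Mailbox is passed as associated data: a relay that moves the blob to a
	// different mailbox breaks the tag and the recipient rejects it.
	sealed := aead.Seal(nil, nonce, plaintext, []byte(mb))
	return Envelope{Mailbox: mb, Nonce: nonce, Sealed: sealed}, nil
}

// openEnvelope is the recipient side: it recovers type and payload and refuses
// anything whose ciphertext or mailbox binding was altered in transit.
func openEnvelope(contentKey []byte, env Envelope) (byte, []byte, error) {
	aead, err := newAEAD(contentKey)
	if err != nil {
		return 0, nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Sealed, []byte(env.Mailbox))
	if err != nil {
		return 0, nil, err
	}
	if len(pt) == 0 {
		return 0, nil, errors.New("envelope carries no type byte")
	}
	return pt[0], pt[1:], nil
}

// relayView is the relay's entire knowledge of an envelope's contents.
func relayView(env Envelope) RelayView {
	return RelayView{Mailbox: env.Mailbox, Size: len(env.Sealed)}
}

func main() {
	contentKey := make([]byte, 32) // all-zero demo key; a real key comes from the session
	mailboxKey := []byte("constructed demo mailbox key")
	text, _ := sealEnvelope(contentKey, mailboxKey, "alice", 0x01, []byte("hello"))
	call, _ := sealEnvelope(contentKey, mailboxKey, "alice", 0x02, []byte("ring!"))
	fmt.Printf("relay sees text: %+v\n", relayView(text))
	fmt.Printf("relay sees call: %+v\n", relayView(call))
	typ, payload, err := openEnvelope(contentKey, text)
	fmt.Printf("recipient sees type=%#x payload=%q err=%v\n", typ, payload, err)
}
```

Running it shows the point of the two boundaries at once: the relay's view of the text message and the call signal is byte-for-byte the same struct (same mailbox, same size), while the size itself and the mailbox access pattern remain visible, which is exactly the residual metadata the section refuses to claim away.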
Contact Graph Boundary
Xentrop avoids a production hosted contact graph. Contact establishment is intentional through controlled paths such as QR exchange, invite links, manual key or safety-code exchange, old-device transfer, and .xbk restore.
- public-cloud phone OTP may be used as an abuse-control gate
- OTP is not production contact discovery
- OTP is not hosted identity recovery
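The manual key or safety-code exchange path above is the one that replaces a hosted contact graph, so it is worth seeing what such a code has to do. The block below is an added example, not Xentrop's own safety-code scheme: it assumes Ed25519 identity keys and a made-up derivation (a domain label, SHA-256 over the two public keys in sorted order, rendered as eight five-digit groups). What it demonstrates is the property any scheme on this path needs: both contacts compute the same code with no server involved, and a substituted key, the thing a contact-discovery service could hand you, changes the code.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strings"
)

// safetyCodeLabel is a hypothetical domain-separation label for this example.
const safetyCodeLabel = "example-safety-code-v1"

// safetyCode derives a human-comparable code from both parties' identity
// public keys. Sorting the keys first means each side computes the same string
// without having to agree on who is "first"; no relay or directory is consulted.
func safetyCode(a, b ed25519.PublicKey) string {
	lo, hi := []byte(a), []byte(b)
	if bytes.Compare(lo, hi) > 0 {
		lo, hi = hi, lo
	}
	h := sha256.New()
	h.Write([]byte(safetyCodeLabel))
	h.Write(lo)
	h.Write(hi)
	digest := h.Sum(nil)
	// 32 digest bytes become 8 groups of 5 decimal digits, readable over a
	// call or scanned from a QR code.
	groups := make([]string, 0, 8)
	for i := 0; i+4 <= len(digest); i += 4 {
		n := binary.BigEndian.Uint32(digest[i:i+4]) % 100000
		groups = append(groups, fmt.Sprintf("%05d", n))
	}
	return strings.Join(groups, " ")
}

// verifySafetyCode compares the code computed from the key we hold for the
// peer against the code the peer shows us. A mismatch means the key we hold
// is not the key the peer actually has, i.e. something substituted it.
func verifySafetyCode(local, peer ed25519.PublicKey, shown string) bool {
	expected := safetyCode(local, peer)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(shown)) == 1
}

func main() {
	alicePub, _, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, _, _ := ed25519.GenerateKey(rand.Reader)
	malloryPub, _, _ := ed25519.GenerateKey(rand.Reader) // constructed interceptor key
	shownOnBobsScreen := safetyCode(bobPub, alicePub)
	fmt.Println("code:", shownOnBobsScreen)
	fmt.Println("Alice holds Bob's real key  :", verifySafetyCode(alicePub, bobPub, shownOnBobsScreen))
	fmt.Println("Alice holds a substituted key:", verifySafetyCode(alicePub, malloryPub, shownOnBobsScreen))
}
```

The comparison is done in constant time only out of habit; the security of the path rests on the out-of-band channel (QR scan, spoken digits, old-device transfer), not on the comparison itself.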
Delivery Invariant
A send should end as delivered, durably queued for retry, or explicitly failed. It should not silently strand messages. This is a design invariant and evidence target, not a claim that every mobile OS, push provider, carrier, or OEM battery mode always wakes instantly.
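The invariant is easiest to reason about as a small state machine, so here is one as an added example (not Xentrop's client code). It assumes a transport that reports at least two error classes, transient and permanent, a hypothetical retry budget of five attempts, and an outbox that a real client would persist to disk before returning. The part worth noticing is the default branch: an error the transport cannot classify is queued rather than dropped, but the attempt counter guarantees it eventually becomes an explicit failure instead of sitting in the queue forever, and if no wakeup ever arrives the item is still visibly pending rather than silently gone.

```go
package main

import (
	"errors"
	"fmt"
)

// Outcome is the only three ways a send is allowed to end.
type Outcome int

const (
	Delivered Outcome = iota
	Queued
	Failed
)

func (o Outcome) String() string { return [...]string{"delivered", "queued", "failed"}[o] }

// Error classes the transport is expected to distinguish. Anything else is
// treated as transient but bounded by maxAttempts, so it can never hang in the
// queue indefinitely without surfacing as an explicit failure.
var (
	ErrTransient = errors.New("transient: relay unreachable, push not acked, or device asleep")
	ErrPermanent = errors.New("permanent: mailbox rejected the envelope")
)

const maxAttempts = 5 // hypothetical retry budget

// Transport is the relay leg; the real one is network I/O, in tests a stub.
type Transport func(envelope []byte) error

type pendingItem struct {
	envelope []byte
	attempts int
}

// Outbox holds the retry queue. A real client writes pending to durable storage
// before Send returns so a crash cannot strand a queued message.
type Outbox struct {
	pending   []pendingItem
	delivered int
	failed    []string // explicit failures, surfaced to the user
}

// Send classifies the first attempt into exactly one Outcome.
func (o *Outbox) Send(envelope []byte, t Transport) Outcome {
	return o.attempt(pendingItem{envelope: envelope}, t)
}

func (o *Outbox) attempt(item pendingItem, t Transport) Outcome {
	item.attempts++
	err := t(item.envelope)
	switch {
	case err == nil:
		o.delivered++
		return Delivered
	case errors.Is(err, ErrPermanent):
		o.failed = append(o.failed, fmt.Sprintf("%q: %v", item.envelope, err))
		return Failed
	case item.attempts >= maxAttempts:
		// Transient or unclassified, but the budget is spent: fail loudly.
		o.failed = append(o.failed, fmt.Sprintf("%q: gave up after %d attempts: %v", item.envelope, item.attempts, err))
		return Failed
	default:
		o.pending = append(o.pending, item)
		return Queued
	}
}

// Drain is what a wakeup (push, app foreground, connectivity change) calls.
// If the wakeup never comes, items simply stay in pending: visible, not lost.
func (o *Outbox) Drain(t Transport) {
	queue := o.pending
	o.pending = nil
	for _, item := range queue {
		o.attempt(item, t)
	}
}

// Accounted checks the invariant: every send is in exactly one bucket.
func (o *Outbox) Accounted(sends int) bool {
	return o.delivered+len(o.pending)+len(o.failed) == sends
}

func main() {
	var ob Outbox
	down := func(env []byte) error { return ErrTransient }
	up := func(env []byte) error { return nil }
	fmt.Println("send while relay down:", ob.Send([]byte("hello"), down))
	ob.Drain(up) // the wakeup arrives and the retry succeeds
	fmt.Printf("delivered=%d pending=%d failed=%v accounted=%v\n",
		ob.delivered, len(ob.pending), ob.failed, ob.Accounted(1))
}
```

Accounted is the evidence target the paragraph mentions, expressed as a check a test can run after any sequence of sends and drains: if it ever returns false, a message was stranded.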
Endpoint Boundary
Xentrop protects data before it leaves the device and minimizes what infrastructure can know. It cannot protect plaintext after a trusted endpoint is compromised, rooted, unlocked by an attacker, or maliciously controlled by the user.
Dedicated Relay Boundary
Dedicated relay deployments can improve operational isolation, jurisdiction choice, capacity control, stricter logging posture, and trust-boundary ownership. They do not by themselves create stronger cryptography or remove network metadata.