I'm sorry, but I would never use this because of two major dealbreakers (and I would encourage others to exercise serious caution as well):
1. Code is largely if not entirely written by AI
2. Author is completely anonymous, using a dedicated GitHub and HN account for this specific project
Both of these are really bad for security-sensitive software.
I’d also add the language to the mix. I know you can write good code with TS/JS, but the dependency surface is just so large, I’m not comfortable with security code written in it yet (maybe at some point). Add that the repositories were created in the past week, so we can’t see the actual dev practice (was it all vibe coded? What bugs were there?).
I hadn’t considered your second point, but even the authors GH account has an AI picture. I have no idea who this person is or what online/HN reputation they have.
Thanks for raising these concerns — totally fair in the context of security tools.
I’m not anonymous, just cautious. I’m a solo builder, and this is a focused identity for the project. In fact, that's why I implemented full supply chain transparency from day one: signed releases, SLSA attestations, SBOMs, and Rekor logs. You don't need to trust me you can see the code for your self.
Ultimately, you're right — if you can't verify it, you shouldn't trust it.
That’s the whole point of the system: zero trust and verifiable cryptographic guarantees.
Appreciate the scrutiny
A "focused identity" with no links to other identities is anonymous by definition.
More importantly, this project is not "zero trust" and calling it such is borderline deceptive.
I can verify the artifacts you're shipping contain the code in the repo (or I could just clone the repo myself), but I cannot automatically verify that your code is non-malicious and free of bugs. That is what I am trusting when using your software, and I have serious doubts about the "free of bugs" part for AI generated software.
I’m right there with you in mistrusting AI generated code but - you also can’t automatically verify that human-written code is non-malicious and bug free.
Cryptography/security is a trust business. Without some kind of personal (or even project) history, I know nothing about you or the project. And if I can’t verify you, I can’t trust you. The rest doesn’t matter much to me.
But maybe that’s just me.
I get it. An 'anonymous' author is a deal breaker for some. I respect that.
The repo is public. The releases are signed. The attestations are published. Nothing hidden.
If that’s not enough — totally fair and I am sure many others would agree. Appreciate your point of view and taking time to give feedback.
Would you please elaborate on how "the releases are signed" helps establish trust in the context of your anonymous developer account?
It means the releases are cryptographically signed using GitHub OIDC, with SLSA v1 provenance and entries in the Rekor transparency log.
That means:You can verify every artifact against its source code i.e I have not tampered with the code post deployment. for example part of the build is a dry-run on the worker build, this is stored as part of the build so you can see / confirm the exact code that was uploaded and this code is signed.
What people mean with "trust" here is whether they trust there are no subtle security issues. While I think "don't roll your crypto" has been somewhat overstated at times (someone has to write crypto), there is certainly some truth in that you need to be very careful writing this code and that mistakes are incredibly easy to make, even for competent developers.
If I were to release something like this then people can see that 1) this is a guy with >20 years of various contributions to open source and he seems like a basically competent guy we can trust (as much as you can ever trust a single person), but also that 2) he's not a crypto guy and there may very well be oversights. Maybe there are none, but you know...
If someone like, say, Filippo Valsorda would release someone like this, then people could see that 1) is basically the same as me, and 2) he's also a well known crypto guy with a good track record. This is not a guarantee there are no oversights, but I would certainly be surprised if there were major ones. I would certainly trust that more than anything I would write.
The whole signing stuff is kind of a red herring IMO. I mean, it's not bad to have I guess, but honestly I don't really care. If anything, focusing to strongly on "box ticking security" so early on seems like the wrong thing to focus on.
Thanks for your feedback 'I tried to use of the shelf stuff for the crypto and utilised what I believe to be battle tested.
CLI uses node.js built-in crypto module only -randomBytes - createDecipheriv - createCipheriv.
Web app uses Web Crypto API only.
I'll send Filippo a Postcard and see if he will review it :-P
Is this a bit?
I also now see that you're using em dashes in your replies - are even the HN comments AI generated???
The bigger tell is the self-contradictions. "No servers to trust" etc.
Some colleagues use LLMs to translate their messages to English. Same can ve applied here
Humans also use em dashes — like that. My browser for one automatically creates them on HN if you correctly type a space, two hyphens then another space. Maybe the dude just has good grammar.
Everyone please just stop with the em dash hysteria. You just tried to use one yourself — apparently you just don’t know how to type it.
We'll find out in an hour, but I bet openai trained em-dashes out of gpt-5 and that will confuse a lot of people. At least you'll be able to write the way you want to...
I use emdashes like this-- see the difference
Yes I do — and that’s not an em dash, it’s two hyphens. You’re not using a manual typewriter, you have Unicode. You don’t make an exclamation point from an apostrophe and a period, do you?