Updated: 2026-06-28
Security and Source Transparency
This page records what can be verified technically, which parts of Kasty are disclosed publicly, and where the boundary sits between transparency, security, and non-public operational logic.
2) What is verifiable now
- Transport: client-server channels are protected with TLS/WSS; the network layer can still expose connection metadata, but should not expose plaintext E2E payload content.
- Server boundary: our servers process routing, delivery, authorization, and metadata, but under the intended key model they should not have technical access to E2E plaintext.
- KSMP Whisper Ultra OOB message cryptography is based on Signal Protocol (Kasty-adapted implementation) with Double Ratchet semantics.
- Regular chats created via profile or token are not KSMP Whisper E2E mode; automated moderation applies to open content rather than plaintext E2E content.
- The message and call crypto model, including limitations, is described on our Security page.
- Detailed technical specifications are published in the Documentation section.
3) Public audit repositories
- whisper-chatstore: client-side KSMP Whisper Ultra OOB layer, including models, local storage, and related key-transparency logic. Repository: github.com/8dch4vtp24-boop/whisper-chatstore.
- ksmp-whisper-core: cryptographic and media layer for KSMP Whisper / WhisperStreamVoice, including call models, media stream, codecs, and related transport-adjacent logic. Repository: github.com/8dch4vtp24-boop/ksmp-whisper-core.
- ksmp-server-boundary: minimal public material for server trust-boundary review, including bootstrap public keys, hash-only room auth token, key transparency, and a call E2E boundary excerpt. Repository: github.com/8dch4vtp24-boop/ksmp-server-boundary.
- All repositories are published in a public technical-access mode for audit and interoperability review, not as a license for unrestricted code reuse in products.
- Each repository contains `MANIFEST.sha256`, `SNAPSHOT_METADATA.md`, `TEST_PLAN.md`, and sanity-check scripts for reproducible review.
- Current license restrictions: redistribution, resale, integration into third-party products (including open-source projects), and operational usage are prohibited without separate written permission from the rights holder Kasty Vladimir Usanov.
4) What remains closed
- We do not disclose anti-abuse mechanisms, anti-spam heuristics, or internal risk-scoring rules.
- We do not disclose operational secrets, environment key material, infrastructure-hardening details, or internal incident-response plans.
- We do not publish code or logic where publication would materially increase bypass risk without a comparable gain in cryptographic verifiability.
5) Audits and disclosure practice
- We plan independent audits focused on cryptographic invariants and correctness of critical protocol states.
- After each audit, we publish a public summary covering scope, methodology, critical findings, and remediation status.
- Vulnerability and suspicious-activity reports are accepted through support with the Security label.