Verifiable trust infrastructure · Apache 2.0 · open source

Ship your app — online, discoverable, blind.

HiveRelay keeps your peer-to-peer app online after you close your laptop, lets anyone discover it and reach its services, and never sees a byte of your plaintext. Privacy by construction. No vendor lock-in.

Build on Hyperswarm and your app shines — until you close your laptop. HiveRelay carries it from there: always on, reachable by anyone, and provable. Encrypted handoffs and archived data come with receipts, not promises.

Replicas are cryptographically verified. Custody handoffs come with quorum receipts. Expiry is enforced by the network and witnessed by independent attesters. Relays never see your plaintext.

Stays online after you leave Discoverable by anyone Services over pure P2P Cryptographically blind
How it works

Trust you can check, not trust you're asked to give.

Replicas you can trust without trusting anyone.

AutoHeal recruits diverse replicas across regions and operators automatically. A peer counts as live only when it produces a fresh Ed25519 anchor proof. Sybil clusters are bounded by an operator-fairshare cap. Buffer slots absorb churn. Diversity is enforced, not requested.

Encrypted handoff with cryptographic receipts.

Six signed message types — intent, receipt, commit, source-retired, proof, non-serving-proof — plus witness tombstones for post-expiry attestation. Ten plaintext field names hard-blocked at the validator. Relays process ciphertext only, never plaintext or keys. The privacy floor is code, not policy.

No HTTPS required.

Two new Protomux channels — anchor and custody — carry the trust pipeline directly over Hyperswarm. Works on pure-DHT and NAT'd fleets where HTTPS isn't reachable. Custody quorum convergence measured in milliseconds for connected peers, not log-replication seconds. Live dashboard /ws feed for every state change.

What's in the relay

One node, a whole trust stack.

A relay isn't a black box — it's a set of composable parts. Run the full stack, or just the pieces your app needs. Every one is supervised and fails closed.

Atomic blind custody

A six-message signed protocol — intent → receipt → commit → source-retired → proof → non-serving-proof. Ten plaintext field names are hard-blocked at sign time, so a relay only ever touches ciphertext, never keys.

AutoHeal

A background scheduler that recruits diverse replicas across regions and operators — counting only peers that produce a fresh Ed25519 anchor proof. A per-operator fairshare cap bounds sybil clusters; a buffer absorbs churn.

Witness tombstones

Storage-free attesters probe a relay's catalog, gateway, and swarm after expiry and sign what they observe — surfacing any relay still serving past its retention window. A third role beyond publisher and custodian.

Anchor proofs

On demand, a relay signs a fresh Ed25519 attestation over its anchored state. One code path serves both the HTTPS endpoint and the P2P channel, so an operator's config change applies to both automatically.

Pure-P2P trust channels

Two Protomux channels — hiverelay-anchor and hiverelay-custody — carry the whole trust pipeline over Hyperswarm. Works on pure-DHT and NAT'd fleets with no reachable HTTPS.

Services layer

Opt-in headless capabilities apps call over RPC: storage, identity, schemas, verifiable randomness, ZK proofs, SLA receipts, arbitration, a blind shard store, storage proofs, encrypted notify, and single-writer outboxlogs.

Services

Composable services — and exactly how ready each one is.

Everything past the custody kernel is an opt-in service your app calls over RPC. Each one is supervised and fails closed: a broken service drops out of discovery instead of pretending to work. Here's the whole catalog, grouped by how production-ready it is — no hand-waving.

Ready to plug in— production-ready today

Storage storage

Hyperdrive & Hypercore CRUD over RPC — create, read, write, and manage drives without touching low-level Hypercore. Writes are gated by PolicyGuard, so a blind app can't be tricked into storing plaintext.

Identity identity

Ed25519 sign, verify, and allowlist resolve, plus peer verification via sodium-universal. Portable cryptographic identity with no certificate authority in the loop.

Schema schema

Versioned JSON Schema registry with a built-in, zero-dependency validator — type checks, required fields, numeric/string bounds, enums, arrays. The interop layer for cross-app data.

VRF vrf

Verifiable randomness (ECVRF, RFC 9381) validated byte-exact against the spec's own test vectors. Powers verifiable committee sortition (uniform or weighted, integer-only) and an unbiasable, world-readable randomness beacon.

Opt-in & stabilizing— works today; API still settling

Storage proof storage-proof

A signed challenge-response proof that a relay genuinely holds your seeded drive. The caller verifies against the drive key alone — forged blocks are rejected by Hypercore's own Merkle root, so the relay is trusted for nothing.

Shard store shard-store

Content-addressed blind blob store for custody shards — the "public plaintext, blind custody" path. Disperse a secret k-of-n so no single operator, and no k-1 colluding, can reconstruct. HTTP surface wired in 0.24.0.

Outbox log outboxlog

Single-writer signed outbox with an append + token-gated sync bridge; entries stay opaque to the relay. Runs in production behind Peerit today; operator takedown and namespace registration landed across 0.24.x.

Experimental preview— behind explicit selection; not for production

ZK proofs zk

BLAKE2b commitments, Merkle membership, and range proofs today; snarkjs/circom circuit compilation is the planned Phase 2.

Arbitration arbitration

Peer-voted dispute resolution with optional VRF-drawn arbitrator panels, evidence verification, and reputation slashing.

SLA sla

Service-level contracts with automated violation detection, auto-slashing, and termination after repeated breach. The revenue seam between developers and operators.

AI ai

Model registry and inference routing to local (Ollama) or OpenAI-compatible endpoints, with a bounded concurrency queue.

Notify notify

Encrypted wake-only push: validates revocable capabilities and forwards ciphertext only. Production APNs/FCM/Web Push adapters and billing gates are still landing.

Poker substrate poker

Card-blind append-only signed-log substrate for hidden-information games. The reference consumer of VRF + arbitration + ZK; the bundle pulls all three.

Services are opt-in and secure by default. Relay-only profiles run none of them — just the availability + custody kernel. Turn on what an app needs, per relay, from the dashboard Services tab or config:

// config.json — or the dashboard Services tab
{ "enableServices": true, "plugins": ["storage", "identity", "schema", "vrf"] }

Enabling the poker bundle auto-pulls its vrf, arbitration, and zk dependencies — you can't half-enable it. Anonymous swarm peers get the anonymous role and can't reach admin routes unless you allowlist them. Also available: storage-proof (config or HIVERELAY_STORAGE_PROOF=1), plus the self-healing availability substrate — witnesslog (signed third-party availability observations) and repairticket (signed repair tickets, claims, and receipts).

Use cases

Concrete patterns the protocol enables today.

Every one of these is something a relay does today, on the shipping 0.24.2 line — not a generic "can be used for." The newest patterns lean on blind shard dispersal, proof-of-retrievability, and verifiable randomness.

01

Encrypted handoff with a TTL the network enforces

Send an encrypted blob to a quorum of relays and get signed receipts back. Recipients can prove the quorum took custody before they unseal. The TTL is enforced protocol state, not a config toggle — and if a relay keeps serving past expiry, witness tombstones surface it.

Best for: document escrow, time-bounded access grants, ephemeral sharing, key escrow with auditable expiry.
02

Public plaintext, blind custody

Encrypt content with a random key, store the ciphertext anywhere, then disperse the key as k-of-n self-verifying blind shards across independent relays. No single operator — and no k-1 colluding — can produce the plaintext; any k shards rebuild it at the reader's edge.

Best for: key escrow, secret custody, encrypt-and-forget archives, splitting trust across operators you don't control.
03

Provable archive durability

Mark a drive durable and AutoHeal recruits verified replicas across ≥4 regions and ≥5 operators, holding a +2 buffer over the SLO floor. Then challenge any relay with a random block — storage-proof returns a signed Merkle proof it holds your data, checked against the drive key alone. Durability you can audit, not assume.

Best for: package mirrors, public datasets, multi-region read replicas, anything that must stay provably available.
04

Unbiasable randomness & fair selection

Draw a lottery, elect a leader, seat a jury, or deal a deck with randomness anyone can verify and no operator can bias (RFC 9381). select draws a weighted committee without replacement; a chained beacon publishes world-readable rounds the operator can't grind or skip.

Best for: chain-free governance, fair queues and sortition, verifiable dispute panels, provably-fair games.
05

Privacy-preserving messaging & storage

Apps declare privacyTier: 'p2p-only' and the relay handles only opaque ciphertext — catalogs are redacted, the gateway returns 403, peers connect P2P with the data key out-of-band. The relay can prove it stores your data without ever decrypting it.

Best for: wallets, medical apps, encrypted messaging, identity storage — anything a user wouldn't want an operator reading.
06

Single-writer signed feeds for real P2P apps

The pattern behind Peerit: every author's posts are signed and opaque to the relay, appended to a single-writer outboxlog, and synced over a token-gated bridge. Operators get a takedown surface keyed on opaque (appId, key) ids — liability parity without ever reading content.

Best for: P2P social and forums, activity feeds, audit logs, any app that needs relay-assisted sync but keeps its own truth.
What's different

Most relays ask for trust. HiveRelay hands you the proof.

What other relays say

  • "Trust me, I have your content."
  • Encryption is your problem.
  • Expiry is a config option.
  • Diversity is a recommendation.
  • Sybils are an unsolved problem.
  • HTTPS required.

What HiveRelay does

  • Cryptographic anchor proof on demand.
  • Validator-enforced privacy invariants.
  • Expiry is enforced state with non-serving-proofs.
  • Diversity is enforced by a per-operator fairshare cap.
  • Sybils bounded by construction; witnesses catch violators.
  • Two new Protomux channels — a pure P2P trust pipeline.
For developers

5 lines of code, your app stays online forever.

import { HiveRelayClient } from 'p2p-hiverelay-client'

const app = new HiveRelayClient('./storage')
await app.start()
const drive = await app.publish('./my-app')
// Close your laptop. Your app stays online via the relay network.
For atomic custody
const intent = await app.publishCustodyIntent(relayUrl, {
  blindContentId: hashHex(payload),
  ciphertextRoot: yourCiphertextRoot,
  requiredReplicas: 3,
  retainUntil: Date.now() + 24 * 60 * 60_000
}, { apiKey })

// Wait for quorum, sign commit, retire authority.
// Recipients can verify the chain later, without trusting you.
For operators

Run a relay. Earn or contribute. Choose your role.

Three roles, mix and match. Run all three, run one, or run a witness-only node.

RoleWhat you doWhat you need
Custody RelayStore encrypted ciphertext, sign receipts and proofs.Storage
WitnessProbe other relays at expiry, sign tombstones.A small VPS — no storage
Persistent SeederHost archive replicas; AutoHeal manages diversity.Storage + uptime
Install
npm install -g p2p-hiverelay
p2p-hiverelay setup
Tested. Audited. Open.

Claims you can rerun yourself.

91 tests + E2E integration

The trust stack runs 91 unit tests plus a 19-assertion end-to-end integration test that spins up three real relays on a Hyperswarm testnet and exercises the full custody pipeline. All passing.

Two simulation harnesses

A Monte Carlo analytic model runs 5,000 trials per scenario across a 72-relay simulated network. A behavioral simulator drives the real AutoHeal class against an in-memory network with deterministic scenarios. Both rerun on every behavioral change.

Apache 2.0 open source

The protocol, SDK, and reference implementation are open. Alternative implementations are welcome — the protocol is independent of any specific implementation.

Honest about what we can't do

The whitepaper is explicit: on commodity hardware, cryptography cannot prove a relay erased bytes. The protocol delivers logical source retirement and observed non-serving state, not forensic erasure. That boundary is documented, not hidden.

Dashboard

Live state, not polled state.

Per-drive AutoHeal diversity scorecard, aggregate custody pipeline health, and immediate event push for every recruit, every receipt, every witness tombstone — reflecting what's actually happening across the network in near-real-time.