💬 EPIC: Trinity Secure Chat — Privacy-First Chat for Users ↔ Agent Bots

[gHashTag]

💬 EPIC: Trinity Secure Chat — Privacy-First Chat for Users ↔ Agent Bots

Document ID: TRINITY-CHAT-EPIC-001 · Rev 1.0 · 2026-05-09
Anchor: φ² + φ⁻² = 3 · TRINITY · CHAT · ZERO-METADATA
Parent EPIC: #19 (Trinity dePIN-Compute)
Builds on: #22 (Mesh Quality, ✅ closed) · trios#629 (LANDED)
Honesty mode: R5 — every metric tagged [VERIFIED] / [CITED] / [DERIVED] / [ASPIRATIONAL]

---

MISSION

Спроектировать и поставить самый безопасный и приватный чат для пары юзеры ↔ агент-боты поверх trios-mesh-node (X25519 + ChaCha20-Poly1305 + ETX, уже LANDED). Уникальные дифференциаторы:

1. Native agent threat model — capability tokens + signed tool manifests + dual-LLM filter (нет ни у Signal, ни у MLS-native, ни у SimpleX, ни у Reticulum LXMF).
2. Mesh-native sealed sender поверх trios-mesh ETX.
3. Post-quantum hybrid с day-1 (X25519 + ML-KEM-768), миграция к RingXKEM-style deniable PQ auth (ADR-CHAT-009).
4. Coq runtime invariants — 7 теорем, бюджет 1 admitted.
5. R7 falsifier corpus — 200 prompt-injection атак, 10 MITM сценариев, 5 PQ-HNDL симуляций.

Полный design: docs/chat/trinity-chat-design.md (29 KB, 434 строки) — будет добавлен PR feat/trios-chat-epic.

---

EXECUTION LANES

Lane	Issue	Days	Описание
L-CHAT-1	#N1	5	Identity & Onboarding (Ed25519 + X25519 + ML-KEM-768)
L-CHAT-2	#N2	7	Triple Ratchet 1:1 (PQ-FS + PQ-PCS)
L-CHAT-3	#N3	10	MLS RFC 9420 group + Partial-MLS for bots
L-CHAT-4	#N4	4	Sealed Sender over trios-mesh ETX
L-CHAT-5	#N5	5	Persistence (Neon encrypted-at-rest + client SQLCipher)
L-CHAT-6	#N6	14	Agent capability + dual-LLM anti-injection
L-CHAT-7	#N7	7	Anti-metadata (padding, queue rotation, opt-in cover)
L-CHAT-8	#N8	parallel	PQ migration (RingXKEM ADR-009)
L-CHAT-9	#N9	6	Coq invariants — 7 theorems, 1 admitted budget
L-CHAT-10	#N10	7	25-test e2e_chat + 200-attack falsifier corpus

---

ACCEPTANCE GATES

Gate	Criterion	Lane
G-C1	Prekey bundle validates → mutation tests fail	L-CHAT-1
G-C2	FS: past undecryptable post-compromise · PCS: recovery	L-CHAT-2
G-C3	Mesh observer cannot link sender↔receiver (statistical)	L-CHAT-4
G-C4	ProVerif PQ-FS + PQ-Auth green	L-CHAT-8
G-C5	Removed MLS member cannot decrypt next epoch	L-CHAT-3
G-C6	Falsifier corpus 100% expected verdicts	L-CHAT-10
G-C7	DB dump grep on 10K msg → 0 plaintext leaks	L-CHAT-5
G-C8	200-attack prompt-injection ≥ 95% blocked, 0 false-tool-exec	L-CHAT-6
G-C9	t-test sender-receiver coupling p > 0.05	L-CHAT-7
G-C10	No per-message digital signature in wire dump	L-CHAT-2
G-EPIC	EPIC closes when ≥ 8/10 lanes DONE и G-C8 ≥ 95%	—

---

R-CHAT CONSTITUTIONAL LAWS

1. R-CHAT-1 — NO PLAINTEXT AT REST.
2. R-CHAT-2 — HYBRID PQ FROM DAY ONE.
3. R-CHAT-3 — SEALED SENDER MANDATORY.
4. R-CHAT-4 — DENIABLE AUTHENTICATION (no per-message Ed25519).
5. R-CHAT-5 — AGENT KEY ≠ USER KEY (scope-attested + operator-CA signed).
6. R-CHAT-6 — TOOLS ARE SIGNED PROMPTS.
7. R-CHAT-7 — DUAL-LLM ISOLATION для untrusted ingest.
8. R-CHAT-8 — SESSION-SCOPED CAPABILITY (наследие MCP Nov-2025).
9. R-CHAT-9 — FIXED-SIZE PADDING (256/1024/4096/16384 B).
10. R-CHAT-10 — ZERO BACKGROUND CHATTER (Art. IV preserved).
11. R-CHAT-11 — COQ-VERIFIED INVARIANTS (7 теорем).
12. R-CHAT-12 — R5 HONESTY + R7 FALSIFIER per gate.

---

RISK REGISTER

RID	Risk	Likelihood	Mitigation
R-CH1	ML-KEM-768 ciphertext (1088 B) превысит mesh MTU	Medium	padding class 4096 + fragmentation в Triple Ratchet
R-CH2	Dual-LLM + HITL killing UX	High	session-scoped policy, batch HITL, smart caching
R-CH3	Coq theorem metadata_no_link сложно доказать	High	budgeted as Admitted (1/7), runtime t-test contract
R-CH4	MLS Partial-MLS draft не ratified	Medium	ship behind feature flag, fall back to full MLS
R-CH5	Bot-operator-CA центральная точка доверия	Medium	multi-CA, CT-style transparency log

---

CITATIONS (key sources)

• Signal PQXDH→Triple Ratchet→RingXKEM 2025
• RFC 9420 — MLS Protocol
• draft-ietf-mls-partial-02 (2025-09)
• SimpleX docs — no-user-ID architecture
• LXMF wire format
• PingPong — metadata-private (arXiv 2504.19566, 2025)
• MCP authentication 2026
• OWASP LLM Top-10 2026
• Real-World Deniability (PoPETs 2025-0018)

---

φ² + φ⁻² = 3 · TRINITY · CHAT · ZERO-METADATA · NEVER STOP

[gHashTag]

🔥 IGNITE — Trinity Secure Chat scaffold landing

Anchor: φ² + φ⁻² = 3 · TRINITY · CHAT · ZERO-METADATA

PR: gHashTag/trios#631
Local trios tracker: gHashTag/trios#632

Verification snapshot [VERIFIED]

• cargo test -p trios-chat --lib — 35/35 pass
• cargo run --bin e2e_chat_25 — 25/25 pass
• cargo run --bin falsifier_runner — direct 100 % / indirect 90 % / multi-turn 100 %
• cargo test --tests r_chat_guard — 3/3 pass
• 6 Coq theorems Defined + 1 Admitted (R5 budget honored)
• 200-attack falsifier corpus committed
• 10 ADR-CHAT-001..010 + 29 KB design doc with 21 sources

Honesty (R5)

Lanes 3 (MLS) and 5 (Persistence) are explicitly [ASPIRATIONAL] in this
scaffold — ADR-CHAT-001 / ADR-CHAT-008 capture the design; full impl lands
in follow-up PRs. Coq INV-CHAT-4 (sender unlinkability) is Admitted
within the documented R5 budget.

L1 ✅ no .sh · L2 ✅ Closes #632 in PR body.