8. Deployment and Supply Chain
This chapter is part of an initial draft specification. Enkrypted Chat has not been independently audited. Content may change.
8.1 Deployment model
Enkrypted Chat ships as static assets:
- HTML shell and federated remoteEntry.js files hosted on S3/CDN (or equivalent).
- Browsers download and execute JavaScript at runtime.
- No application server processes user messages.
Supported deployment targets today: browser and PWA. Tauri/Android builds exist in development but are outside this specification’s deployment claims.
8.2 Module federation topology
A complete deployment MUST publish:
| Remote | Typical role |
|---|---|
| Chat shell (glitr-chat / chat) | Host application |
| ui | Shared React components |
| p2p | WebRTC + MLSProvider |
| cryptography | MLS, Signal WASM, cascade, SFrame |
All remotes MUST be version-compatible. Mismatched versions MAY break encryption handshakes.
See Statics as a chat app infrastructure.
8.3 Signaling and TURN
Operators SHOULD deploy:
- PeerJS-compatible signaling over WSS
- STUN/TURN with credentials under operator control
Default public TURN endpoints are convenient but semi-trusted.
8.4 Supply-chain controls
Normative requirements (deployers)
| Control | Requirement |
|---|---|
| HTTPS | Static and signaling MUST be served over TLS in production |
| Self-host option | Deployers SHOULD offer self-hosted bundle mirrors for high-threat users |
| CSP | Deployments SHOULD use a strict Content-Security-Policy limiting script origins |
| SRI | Deployments SHOULD use Subresource Integrity on static scripts where federation allows |
| Update transparency | Product SHOULD provide explicit control to fetch or pin static versions (roadmap) |
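One way a deployer could apply the SRI and CSP rows above to the federated remotes, as an added example that is not Enkrypted Chat code. The CDN and signaling URLs, the script bodies, the helper names and the `'wasm-unsafe-eval'` source are assumptions.

```javascript
// Added example, not Enkrypted Chat code. URLs and script bodies are constructed.
const { createHash } = require("node:crypto");

// SRI value for a script body: "sha384-" + base64(SHA-384(bytes)).
function sriDigest(bytes) {
  return "sha384-" + createHash("sha384").update(bytes).digest("base64");
}

// Release step: record the digest of every remote entry that is published.
function buildManifest(remotes) {
  return remotes.map(({ name, url, bytes }) => ({ name, url, integrity: sriDigest(bytes) }));
}

// Script tag the shell can emit for a pinned remote (SRI needs CORS on the CDN).
function scriptTag(entry) {
  return `<script src="${entry.url}" integrity="${entry.integrity}" crossorigin="anonymous"></script>`;
}

// CSP that limits script origins to the shell itself plus the pinned remotes.
// 'wasm-unsafe-eval' is assumed because the cryptography remote loads WASM.
function buildCsp(manifest, signalingUrl) {
  const origins = [...new Set(manifest.map((r) => new URL(r.url).origin))].sort().join(" ");
  return [
    "default-src 'self'",
    `script-src 'self' 'wasm-unsafe-eval' ${origins}`,
    `connect-src 'self' ${new URL(signalingUrl).origin} ${origins}`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join("; ");
}

// Mirror audit: names of remotes whose served bytes are missing or do not match the pin.
function auditMirror(manifest, served) {
  return manifest
    .filter((r) => !served.has(r.name) || sriDigest(served.get(r.name)) !== r.integrity)
    .map((r) => r.name);
}

// Constructed sample release: three remotes on one CDN origin.
const release = ["ui", "p2p", "cryptography"].map((name) => ({
  name,
  url: `https://cdn.example.test/${name}/remoteEntry.js`,
  bytes: Buffer.from(`/* ${name} remoteEntry v1 */`),
}));
const manifest = buildManifest(release);
const goodMirror = new Map(release.map((r) => [r.name, r.bytes]));
const badMirror = new Map(goodMirror).set("cryptography", Buffer.from("/* modified */"));
console.log(buildCsp(manifest, "wss://signal.example.test/peerjs"), auditMirror(manifest, badMirror));
```

Running the same audit against each static mirror before it is advertised to users catches a mirror that serves bytes different from the pinned release.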
Recommendations (users)
- Verify hosting origin before entering sensitive data.
- Prefer self-hosted or known-good mirrors.
- Clear browser data only after backing up recovery secrets (when at-rest encryption is enabled).
8.5 Service workers and offline statics
Investigation continues for service-worker-cached statics and offline use. Not normative in this draft.
8.6 Multicloud / redundancy
Architecture goal: multiple static mirrors (multicloud) so one CDN outage does not brick the app. Implementation is ongoing — see decentralized architecture.
8.7 JavaScript delivery concerns
Because security logic runs in the browser:
- Compromise of hosted JS equals full compromise of sessions.
- Obfuscation (used in some builds) is not a security control.
This is documented openly for professional reviewers evaluating browser-based E2EE.