> DEADDROP_

An experimental Tor-native PHP/SQLite Nano-Pub node for pull-based onion federation, signed public posts, peer trust, encrypted DM media, and paranoid inbox storage on low-resource darknet hosts.

[ ONION-NATIVE ] [ SIGNED OUTBOX ] [ KEY PINNING ] [ ENCRYPTED DM MEDIA ] [ PARANOID INBOX ] [ PHP + SQLITE ] [ EXPERIMENTAL / NOT AUDITED ]

SYSTEM_TERMINOLOGY

DEADDROP NODE

The software you install on an onion-accessible host. It stores your local timeline, inbox, identity keys, and peer radar.

RADAR

Your local contact graph. Add onion endpoints, assign petnames, review key changes, moderate peers, and let the worker pull active outboxes.

OUTBOX.JSON

The static broadcast ledger exposed by each node. Peers read it without needing live accounts, feeds, or centralized APIs.

DROP

A public signal, encrypted private message, burner drop, reply, or tombstone event traveling through the pull-based network.

CORE_DARKNET_FEATURES

> ONION-ONLY FEDERATION

Production peers are expected to use Tor v3 onion endpoints. Clearnet peer discovery is intentionally out of scope.

> STATIC OUTBOX SYNC

Nodes publish a compact JSON ledger and pull peer ledgers asynchronously, reducing runtime pressure on tiny hosts.

> ZERO-JS TORMINAL UI

The interface is designed to remain usable at Tor Browser's Safest security level, where JavaScript is disabled, so no frontend JavaScript is required.

> PRIVATE DROPS

Private payloads use libsodium-based envelopes and remain ciphertext-at-rest until the vault is unlocked.

> ENCRYPTED DM MEDIA

Private media is exported as ciphertext-only .ddm blobs. Media keys travel inside the encrypted private-drop payload.

> PARANOID INBOX

Outgoing DMs default to ciphertext-only local storage unless the operator explicitly saves a plaintext sender copy.

> PEER KEY PINNING

First-seen peer encryption and signing keys are pinned. Later key changes pause sync until Radar approval.

> SIGNED PUBLIC POSTS

Public outbox posts carry Ed25519 signatures. The worker verifies remote signatures before inserting posts.

> MODERATION QUEUE

Unknown pings wait for review. Peers can be active, quarantined, or blocked from Radar.

> REMOTE MEDIA DROP

Operators can discard remote media URLs per peer while still allowing signed text posts from active peers.

> BURNER SIGNALS

Burner drops can be destroyed by backend logic after reading, avoiding client-side timers or JavaScript self-destruct gimmicks.

> HASHCASH KNOCKS

Peer discovery can require proof-of-work pings so unsolicited radar entries are harder to flood at scale.

> CLI WORKER

Synchronization is handled by a command-line worker intended for cron, not by visitor-triggered frontend scripts.

> LOW-RESOURCE TARGET

Designed around PHP, SQLite, static JSON, and small-footprint hosting such as VPS, recycled boxes, or STB-style nodes.

PEER_TRUST_&_NETWORK_INTEGRITY

FIRST-SEEN PINNING

The worker stores the first observed peer encryption key and signing key. This is a practical trust-on-first-use boundary, not a replacement for out-of-band verification.

KEY_CHANGED REVIEW

If a peer advertises different keys later, sync pauses and Radar shows [ KEY CHANGED ] until the operator approves or rejects the pending key.

SIGNED FEED INSERTS

Signed public posts help verify feed authorship and integrity. They do not prove that content is safe, true, or trusted.

QUARANTINE FIRST

Unknown knocks can stay pending. Quarantined peers remain visible for review but are skipped by the worker.
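How the worker's trust boundary can be enforced in code, as an added example (PHP with the libsodium extension and PDO SQLite; not DeadDrop's own implementation): the first-seen signing key is pinned, a later mismatch parks the peer until Radar review, and only posts carrying a valid detached Ed25519 signature over a canonical field set survive. Table, column, field and state names are assumed.

```php
<?php
// Added example, not DeadDrop's own code: worker-side checks that pin a peer's first-seen
// signing key, pause sync on a key change, and verify Ed25519 post signatures before insert.
// Table, field and state names are assumed for illustration.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE peers (onion TEXT PRIMARY KEY, sign_pk TEXT NOT NULL, pending_pk TEXT, state TEXT NOT NULL)');

// Trust-on-first-use: pin the first observed key; a later mismatch parks the peer in
// key_changed (Radar's [ KEY CHANGED ]) until an operator approves or rejects the new key.
function pinOrCheck(PDO $db, string $onion, string $advertisedPkHex): string {
    $st = $db->prepare('SELECT sign_pk, state FROM peers WHERE onion = ?'); $st->execute([$onion]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        $db->prepare('INSERT INTO peers VALUES (?, ?, NULL, ?)')->execute([$onion, $advertisedPkHex, 'active']);
        return 'active';
    }
    if ($row['state'] === 'active' && !hash_equals($row['sign_pk'], $advertisedPkHex)) {
        $db->prepare('UPDATE peers SET pending_pk = ?, state = ? WHERE onion = ?')->execute([$advertisedPkHex, 'key_changed', $onion]);
        return 'key_changed';
    }
    return $row['state'];
}
// Canonical bytes that get signed: fixed field order, so a relay cannot reorder or strip fields.
function canonical(array $post): string {
    return json_encode([$post['id'], $post['ts'], $post['body']], JSON_UNESCAPED_SLASHES);
}

// Keep only posts whose detached Ed25519 signature verifies under the pinned key.
function verifiedPosts(PDO $db, string $onion, array $outbox): array {
    if (($outbox['schema'] ?? 0) < 2) return [];                       // schema-less feeds are skipped, not guessed
    if (pinOrCheck($db, $onion, $outbox['sign_pk']) !== 'active') return [];
    $pk = sodium_hex2bin($outbox['sign_pk']);
    return array_values(array_filter($outbox['posts'], function (array $p) use ($pk): bool {
        $sig = sodium_hex2bin($p['sig'] ?? '');
        return strlen($sig) === SODIUM_CRYPTO_SIGN_BYTES && sodium_crypto_sign_verify_detached($sig, canonical($p), $pk);
    }));
}

// Constructed demo: a peer signs two posts; one is altered in transit, then the same onion advertises a new key.
$kp = sodium_crypto_sign_keypair();
$sign = fn(array $p) => $p + ['sig' => sodium_bin2hex(sodium_crypto_sign_detached(canonical($p), sodium_crypto_sign_secretkey($kp)))];
$outbox = ['schema' => 2, 'sign_pk' => sodium_bin2hex(sodium_crypto_sign_publickey($kp)), 'posts' => [
    $sign(['id' => 1, 'ts' => 1700000000, 'body' => 'first signal']),
    $sign(['id' => 2, 'ts' => 1700000100, 'body' => 'second signal']),
]];
$outbox['posts'][1]['body'] = 'altered in transit';
echo count(verifiedPosts($db, 'peer.onion', $outbox)), " of 2 posts verified\n";
$rotated = $outbox; $rotated['sign_pk'] = sodium_bin2hex(sodium_crypto_sign_publickey(sodium_crypto_sign_keypair()));
echo count(verifiedPosts($db, 'peer.onion', $rotated)), " posts accepted while KEY CHANGED is pending\n";
```

The second run returns nothing not because the signatures fail but because the peer is parked in key_changed; approving the pending key in Radar is what lets the worker resume.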

NODE_CAPACITY_GUIDANCE

These are conservative operational guidelines, not formal benchmarks. Tor latency, disk speed, cron frequency, media usage, and peer outbox size will change real-world behavior.

GREEN ZONE
1 - 25 PEERS

Comfortable for small trusted circles. Sync cycles should remain lightweight on modest hardware.

YELLOW ZONE
25 - 75 PEERS

Expect slower worker cycles, more SQLite churn, and heavier Tor traffic during polling windows.

RED ZONE
75+ PEERS

Split nodes, prune radar entries, reduce media, or tune cron intervals before treating this as a public-scale network.

SECURITY_&_ARCHITECTURE

ENFORCED_DESIGN_CHOICES

> Zero-JS surface: primary UI flows avoid frontend JavaScript.
> Pull-based federation: peers fetch published ledgers instead of relying on central push infrastructure.
> Schema v2+ outbox: legacy schema-less feeds are skipped instead of guessed.
> Signed public posts: remote post signatures are verified before insert.
> Key-change review: changed peer keys pause sync until manual approval.
> SQLite local state: node data stays on the operator's host.
> Tor SOCKS worker: background sync is intended to route onion pulls through Tor.
> Private drop envelope: private message payloads use libsodium-based encryption.
> Encrypted DM media: private attachments are published as ciphertext-only .ddm blobs.
> Paranoid inbox: private DMs default to ciphertext-at-rest with explicit plaintext-copy opt-in.
> Off-webroot storage: hardened deployments move config, DB, sessions, and backups outside public web paths.
> Encrypted backups: backup archives can be age-encrypted when the private age identity is kept off the live host.

threat_model.log
> STATUS: EXPERIMENTAL
> AUDIT: NOT FORMALLY AUDITED
> ANONYMITY: TOR-DEPENDENT
> OPSEC: OPERATOR RESPONSIBILITY
> CLAIMS: NO ABSOLUTES
> KEY TRUST: FIRST-SEEN / MANUAL REVIEW
> POST SIGNING: AUTHORSHIP, NOT CONTENT SAFETY
> DM MEDIA: CONTENT ENCRYPTED, METADATA STILL EXISTS
> INBOX: CIPHERTEXT-AT-REST BY DEFAULT
> CLEARNET: OPTIONAL BRIDGES MUST BE REVIEWED
DeadDrop can reduce centralized dependency, but it cannot guarantee anonymity, endpoint security, safe operator behavior, or protection from compromised hosts.

PRIVATE_DATA_HARDENING

v13 hardens private data at rest. It reduces plaintext storage, but it is still experimental and has not had a formal security audit.

V13.1 / ENCRYPTED DM MEDIA

Private DM media is encrypted into .ddm blobs. The random media key, nonce, MIME type, and integrity hash are carried inside the encrypted private-drop payload.

V13.2 / PARANOID INBOX

Incoming private drops remain ciphertext-at-rest. Outgoing private drops no longer keep local plaintext by default.

UNLOCK-ONLY RENDERING

Private text and media are decrypted only during an active vault unlock session. Browser-visible plaintext is a live-session event, not a stored public asset.

HONEST LIMITS

Encrypted blobs hide content, not all metadata. File size, timing, access patterns, compromised hosts, and operator mistakes remain out of scope.
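The V13.1 and V13.2 flow, as an added example (PHP with libsodium; not DeadDrop's own code): the media is encrypted under a random key, that key, the nonce, the MIME type and a content hash ride only inside the sealed private-drop payload, and decryption needs the recipient's secret key, which exists only in an unlocked vault. The sealed-box envelope, manifest field names and .ddm layout are assumptions.

```php
<?php
// Added example, not DeadDrop's own code: how an encrypted DM media blob can be built so the
// media key, nonce, MIME type and integrity hash travel only inside the encrypted private-drop
// payload, and why the sender keeps no plaintext. Sealed-box envelope and field names are assumed.

// Encrypt media into a ciphertext-only blob (the .ddm). The key exists only in the returned
// manifest, which must itself be encrypted before anything is published.
function makeDdmBlob(string $media, string $mime): array {
    $key   = sodium_crypto_secretbox_keygen();
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $blob  = sodium_crypto_secretbox($media, $nonce, $key);               // ciphertext + MAC
    return [$blob, ['key' => sodium_bin2hex($key), 'nonce' => sodium_bin2hex($nonce),
                    'mime' => $mime, 'hash' => sodium_bin2hex(sodium_crypto_generichash($media))]];
}

// Seal the private drop (text + media manifest) to the recipient's X25519 public key.
function sealPrivateDrop(array $drop, string $recipientPk): string {
    return sodium_crypto_box_seal(json_encode($drop), $recipientPk);
}

// Unlock-only rendering: this needs the recipient's secret key, so it can only run during an
// open vault session. Returns null if the envelope, the blob MAC, or the content hash fails.
function openPrivateDrop(string $envelope, string $blob, string $recipientKp): ?array {
    $json = sodium_crypto_box_seal_open($envelope, $recipientKp);
    if ($json === false) return null;
    $drop = json_decode($json, true);
    $m = $drop['media'];
    $media = sodium_crypto_secretbox_open($blob, sodium_hex2bin($m['nonce']), sodium_hex2bin($m['key']));
    if ($media === false) return null;                                    // MAC failed: blob altered
    if (!hash_equals($m['hash'], sodium_bin2hex(sodium_crypto_generichash($media)))) return null;
    return ['text' => $drop['text'], 'mime' => $m['mime'], 'media' => $media];
}

// Constructed demo: the sender encrypts a small "image", publishes blob + envelope, and wipes
// the media key (paranoid inbox: only ciphertext stays local). The recipient decrypts on unlock.
$recipientKp = sodium_crypto_box_keypair();
[$blob, $manifest] = makeDdmBlob("\x89PNG constructed sample bytes", 'image/png');
$envelope = sealPrivateDrop(['text' => 'signal with attachment', 'media' => $manifest],
                            sodium_crypto_box_publickey($recipientKp));
sodium_memzero($manifest['key']);
$opened = openPrivateDrop($envelope, $blob, $recipientKp);
echo $opened ? "decrypted {$opened['mime']}, " . strlen($opened['media']) . " bytes\n" : "rejected\n";
$tampered = $blob; $tampered[0] = chr(ord($tampered[0]) ^ 1);         // flip one ciphertext bit
echo openPrivateDrop($envelope, $tampered, $recipientKp) === null ? "tampered blob rejected\n" : "accepted?!\n";
```

Note what the blob still leaks even when every check passes: its length and the time it was fetched, which is the metadata caveat the HONEST LIMITS entry describes.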

GENESIS_DEPLOYMENT

Deploy a private onion node, initialize SQLite, point nginx/PHP-FPM at the app, expose the hidden service through Tor, run health checks, then run the worker from cron.

minimum_stack.txt
PHP 8.2+
SQLite / PDO SQLite
libsodium
cURL + mbstring
nginx or compatible web server
Tor hidden service
age + tar
util-linux / flock
/var/lib/deaddrop/private-media
/var/www/html/deaddrop/media/private
cron/systemd timer for worker.php
Torminal CSS assets