2 comments

[ 1.7 ms ] story [ 18.9 ms ] thread
I built TrueLock to share content that opens only under rules, without cloud dependency or a central service.

A capsule is one .cfcaps file containing encrypted payload + an embedded unlock policy. The recipient gets one file, and the app checks rules locally before open.

Current rules:

time window

geo radius

password

visual key (up to 5 images)

AND/OR logic across rules

Windows geo can be confirmed via a phone relay (QR challenge/proof flow).

Capsules can contain text and attachments (including media). Current clients: Android + Windows.

Crypto in current build: AEAD (AES-GCM / ChaCha20-Poly1305) + Argon2id for passwords. Format: cross-platform capsule container.

Threat-model boundary: This is application-layer enforcement. A fully compromised endpoint/runtime can bypass local checks or exfiltrate plaintext after legitimate open. The goal is programmable disclosure in normal environments (reduce premature/accidental access).

I’d value technical feedback on:

threat-model clarity

most compelling real use case

which trust artifact is most useful next (format spec, vectors, reproducible builds, etc.)

Quick test: set a time window (e.g., unlock in 2 minutes), share the .cfcaps, try open before/after.

https://truelock.pro

(comment deleted)