Show HN: Net worth tracker to replace your spreadsheet, E2E, no bank logins

1 point, posted 5 hours ago
by pedromlsreis

1 Comment

pedromlsreis

5 hours ago

This was a solo project, for about a few months of evenings. What it does not defend against, up front: an actively malicious server (the JS-delivery problem that basically every browser-E2E app shares), a compromised device, etc. Those are in the design doc.

I'd most like feedback on the threat model, and on the auth path: login still goes through a normal password-to-server handshake, and moving to a PAKE (OPAQUE/SRP) so the password never reaches the server is the obvious open item I have not done yet. Happy to also get into the cryptography, the no-bank-connection decision, or why it is bootstrapped and not VC-scaled.