Quick Takeaways from the Dev Log
- The Big Tech Harvest: Why I hate the idea of centralized companies sitting on my private logs.
- BYOK: Bypassing the hosted-model setup entirely so we never handle your plaintext or your keys.
- Scrambled Data: Slicing and encrypting vault snapshots before pushing them to a dumb Supabase backend.
- Zero Telemetry: No Google Analytics, no session replays, and no email signups.
- Immunized Against Banks: Going crypto-only to escape the constant payment processor bans that kill adult projects overnight.
- PWA & Relays: Connecting local LLMs from PC to mobile without spending three hours on ngrok configurations.
1. The Big Tech Harvest: Why Centralized AI Is Never Safe
Look, everyone knows ChatGPT, Gemini, and Claude are logging your chat history. It is not some hidden conspiracy; it is right there in the terms of service. They need the data to train their next model, and your chat logs are the fuel.
If I am asking a model for a quick python script or a butterscotch pie recipe, who cares? Let them log it.
But when it comes to AI roleplay—where your chats read like a deeply personal diary, raw creative writing, or intensely intimate fantasies—the idea of those plaintext transcripts sitting on an AWS bucket somewhere makes my skin crawl.
Most platforms try to hide this with slick corporate messaging and paragraphs of vague legal jargon. They promise "encryption in transit" (which just means the packet is safe on the way to their server, where they promptly decrypt it and read it anyway).
But as long as the model runs on their hardware, they hold the keys to the kingdom.
I wanted to build something different. I envisioned a system that rejected developer trust and corporate promises entirely. Privacy should be a mathematical certainty—never a marketing slogan.
That is why I built Abolitus.
2. BYOK: Bypassing the GPU Bill Liability
If you build an AI chat startup, the standard playbook is simple: host the models yourself, mark up the API costs, bill users per token, and act as the middleman.
But that setup has a massive structural flaw.
To run the model on my own servers, your chats have to hit my backend in plaintext. I have to process them, buffer them, and pay massive GPU hosting bills. That means I have to audit usage, monitor for "compliance," and constantly worry about getting shut down by my server hosts.
We decided to walk away from that headache. We chose BYOK (Bring Your Own Key).
We do not host the AI. We do not touch your plaintext prompts.
Instead, the Abolitus client talks directly from your browser to major API routers like OpenRouter, privacy-focused setups like NanoGPT, or a local GPU running on your machine via Ollama or LM Studio.
[ Your Browser ] --------( Direct Fetch )--------> [ LLM Provider ]
|
(No Plaintext Chats Ever Hit My Servers)
|
v
[ Abolitus Server ] (Only holds encrypted, scrambled blobs)
By keeping the interface client-side, the API keys stay in your browser. If someone breaches my database tomorrow, they will not find a single plaintext prompt or API key. There is literally nothing to steal.
3. E2EE Cloud Sync: The Zero-Knowledge Scrambler
Since we do not run a traditional database backend, syncing your chats across devices was a puzzle. I did not want your history on my server, but you still wanted to jump from your desktop to your phone.
So we built a zero-knowledge cloud sync system.
When you create an account, your master encryption key is derived directly inside your browser from your password using the Web Crypto API. That key stays on your local machine and never touches the internet.
Before any message or character card leaves your device:
- The browser encrypts the payload using AES-256-GCM.
- It slices the data into discrete, formless blobs.
- It strips away all identifying metadata.
- Your account identifier itself is stored as a secure, one-way hash.
To my backend, your account looks like a pile of randomized noise.
Plaintext Chat ---> [ Browser AES-256-GCM ] ---> Scrambled Blobs ---> [ Dumb Blob Store ]
If you lose your password, by the way, your data is gone forever. I cannot recover it for you. There is no "forgot password" button that emails you a magic link, because I literally do not have your decryption key. That is the price of actual privacy.
4. Zero Surveillance: Why We Don't Know Who You Are
Most modern websites are instrumented like surveillance cameras. They run Google Analytics, record session replays via Hotjar, track your IP on every click, and demand an email address before you can even see the landing page.
I hate this stuff. So I banned all of it.
- No Email Addresses: You do not register with an email. We do not want your email, because we do not want a bridge between your real-world identity and your chat files.
- Zero App-Level IP Mapping: While HTTP requests must naturally hit CDN edge servers (like Vercel or Supabase) to route network traffic, our application and database layers do not log, persist, or map your IP address to your vault slots. We keep our application logs strictly clean of any tracking metadata.
- No Google Analytics or Telemetry: No behavioral tracking, no cookies, no third-party scripts watching your mouse move.
I write minimal database uptime logs to make sure the sync services do not crash, but this operational metadata is mathematically isolated. It cannot touch your chat plaintext, your vault keys, or your LLM API tokens.
5. Under the Hood: The Cryptographic Details
I wanted the security model of Abolitus to be completely transparent. If you are interested in the raw mechanics, you can read the full details in our Security Model Whitepaper.
Here is a quick look at the tech behind the curtain:
Non-Extractable Local Key Custody
Your master vault key is derived from a BIP-39 mnemonic phrase and a local salt.
Once loaded in the browser, we import it as a non-extractable CryptoKey via the WebCrypto API. This means JavaScript can use the key to encrypt and decrypt data in memory, but the raw key bytes can never be extracted or read back out of the browser runtime by malicious scripts or shady browser extensions.
1 KB Boundary Padding
If you edit a character card, standard sync systems upload an object of that exact size. A packet sniffer watching your connection could look at the size of your ciphertext packets and correlate them to specific card sizes or typing rhythm.
To stop this metadata leak, Abolitus automatically pads all serialized vault data to strict 1 KB boundaries before encrypting. Whether you typed "Hi" or updated a massive 30 KB character card, it looks identical to a network observer.
Storage Write Tokens
How does the server let you update your database sync slot if it does not know who you are?
We derive a secondary storage write token from the sync slot and the vault key. This acts as a cryptographic signature. The server verifies this token, allows the database write, and remains completely blind to the actual vault decryption key.
6. Defying the Credit Card Censors: Why We Went Crypto-Only
Privacy on the web is dying, and the executioners are payment processors.
If you have watched recent web history—like the massive DL-Site censorship waves—you know credit card networks actively police what adults do online. They threaten, freeze merchant accounts, and block payments to platforms that allow unfiltered self-expression.
This payment blockade is a massive source of anxiety for developers and users. Over the years, I have watched dozens of excellent NSFW-friendly services, character repositories, and developers suddenly get blacklisted by Visa or Mastercard. They are forced to shut down their servers, restrict access, or delete user creations overnight. You spend months building a personal creative workspace, only to watch it vanish because a bank executive got squeamish.
We wanted to build a fortress.
To bypass this threat entirely, we went crypto-only.
[ Traditional Setup ] -> Real Name -> Credit Card -> Bank Records -> Platform Identity
[ Abolitus Setup ] -> Anonymized Wallet -> Direct Blockchain Sync
Instead of forcing you onto a single chain, we support a compact, multi-chain engine with instant verification:
- USDC & USDT Networks: Solana, TRON (TRC-20), Base, Arbitrum, Polygon, Ethereum, and BSC.
- Native Gas Tokens: SOL (Solana), POL (Polygon), ETH (Base, Arbitrum, Ethereum), and BNB (BSC).
By going crypto-only, we protected your identity and immunized our infrastructure. We have zero reliance on credit card networks. They cannot threaten us, they cannot audit our transactions, and they can never force us to shut down or compromise our features. There is zero risk of Abolitus disappearing overnight due to payment processor crackdowns.
Yes, our conversion rates took a massive nosedive because we do not have a credit card button. Yes, we make way less money. But we do not care. We would rather build a tiny, fiercely private refuge for those who value their autonomy than compromise for a fiat gateway.
7. PC-to-Mobile Tunneling: Local LLMs in Your Pocket
Anyone who has run a massive 70B parameter local model on a powerful home gaming rig has wanted the same thing: to lie in bed and chat with that model on a smartphone.
Historically, setting this up was a nightmare. You had to fiddle with port forwarding on your router, sign up for dynamic DNS services, or run complex CLI tunneling tools like Cloudflare Tunnels or ngrok. It took hours of debugging terminal commands and exposed your home PC to the open internet.
I got tired of the friction, so I decided to fix it.
A common question is: “Wait, do I need to download a heavy native desktop client to do this?”
No. Abolitus runs entirely inside your browser. You can even install it as an offline-first PWA (Progressive Web App) on both your desktop and smartphone.
Because the client runs client-side in the browser sandbox, we built the tunneling layer to coordinate directly through the browser.
With zero configuration, you can pair your desktop PWA to your mobile phone in seconds. Under the hood, the session is coordinated and relayed through our central server. But just like our cloud sync, every byte of this traffic is end-to-end encrypted (E2EE). Our server acts as a dumb, blind proxy to bridge your devices—it possesses zero ability to decrypt or inspect the prompts and response tokens traveling between your desktop and phone.
You get to leverage the raw power of your local gaming PC’s LLM from your couch, phone, or tablet with zero setup, all while keeping your data strictly inside your personal encrypted envelope.
8. UI/UX: Power Without the Homework
Open-source local clients like SillyTavern are legendary projects. The community is brilliant, the feature set is vast, and they paved the way for local AI.
But getting them running feels like configuring a Linux system. You have to install Node, download extension systems, hunt for character card v2/v3 converters, and wire up third-party TTS servers. It is a lot of homework.
Abolitus was built for the user who wants power without the friction.
We built in everything natively:
- Character Card Portability: Native support for SillyTavern character cards out of the box.
- Intelligent Gestures: Swipe navigation to cycle model responses.
- Built-in TTS & Extensions: Integrated text-to-speech engines that work immediately.
- Brutalist Design System: No messy layouts, no cheap gradients, and no unnecessary bloat. A sharp, dark-themed, ultra-premium interface built for focus.
The Blunt Conclusion
We built Abolitus to prove that you do not have to trade your privacy for intelligence. You should never have to let big tech companies catalog your private thoughts to enjoy state-of-the-art AI—especially in an ecosystem flooded with generic chatbot wrappers.
We built a premium, fast, zero-knowledge sanctuary.
If you want an AI client that treats your thoughts as your property, welcome to the other side.
Ready to reclaim your private chats? Start running today at Abolitus.