DEV Community

Ilker

Zero-Trust Encrypted Chat, seeking feedback

I’ve been working on a personal project called Dragon’s Vault, a web-based encrypted chat platform built from the ground up with zero-trust architecture. The core idea is simple but ambitious: even if the server or database is compromised, your messages should remain completely unreadable.

The system uses multi-layer client-side encryption: AES-256-GCM for the first layer, XChaCha20-Poly1305 for the second, and RSA/ECC for key exchange. Everything happens in the browser: the server only ever sees encrypted blobs. Even metadata like timestamps and usernames are encrypted, and encryption keys are stored securely in IndexedDB.
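The layering described above, as an added example that is not Dragon's Vault's own code: a message, with its sender and timestamp, is sealed with AES-256-GCM and then sealed again under a second, independent key, so only the outer blob would reach the server. It runs under Node.js, where the built-in IETF ChaCha20-Poly1305 (12-byte nonce) stands in for XChaCha20-Poly1305; the random keys stand in for the output of the RSA/ECC exchange, and the envelope layout and all function names are assumptions.

```javascript
// Added example, not Dragon's Vault code. Layout and names are assumptions.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// One AEAD pass. Output layout (assumed): nonce(12) || tag(16) || ciphertext.
function seal(alg, key, plaintext, label) {
  const nonce = randomBytes(12); // fresh per message, never reused under one key
  const c = createCipheriv(alg, key, nonce, { authTagLength: 16 });
  c.setAAD(Buffer.from(label)); // binds the blob to its layer
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

function open(alg, key, blob, label) {
  const d = createDecipheriv(alg, key, blob.subarray(0, 12), { authTagLength: 16 });
  d.setAuthTag(blob.subarray(12, 28));
  d.setAAD(Buffer.from(label));
  // final() throws if the authentication tag does not verify.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Sender and timestamp live inside the plaintext, so only the outer blob is stored.
function encryptMessage(keys, msg) {
  const plain = Buffer.from(JSON.stringify(msg), 'utf8');
  const inner = seal('aes-256-gcm', keys.inner, plain, 'inner');
  // Stand-in for XChaCha20-Poly1305: Node's IETF ChaCha20-Poly1305.
  return seal('chacha20-poly1305', keys.outer, inner, 'outer');
}

function decryptMessage(keys, blob) {
  const inner = open('chacha20-poly1305', keys.outer, blob, 'outer');
  return JSON.parse(open('aes-256-gcm', keys.inner, inner, 'inner').toString('utf8'));
}

function demo() {
  // Independent random keys; in a real client they would come from the key exchange.
  const keys = { inner: randomBytes(32), outer: randomBytes(32) };
  const msg = { from: 'alice', ts: 1700000000, text: 'hello' }; // constructed sample
  const blob = encryptMessage(keys, msg); // what the server would store
  const tampered = Buffer.from(blob);
  tampered[tampered.length - 1] ^= 1; // simulate a modified database record
  let rejected = false;
  try { decryptMessage(keys, tampered); } catch { rejected = true; }
  return {
    roundTrip: decryptMessage(keys, blob),
    leaksSender: blob.includes('alice'),
    overhead: blob.length - Buffer.byteLength(JSON.stringify(msg)),
    rejected,
  };
}
```

The fixed overhead is two nonces and two tags, so the length of the stored blob still reveals the length of the plaintext unless the client pads messages.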

Some of the features currently implemented:

End-to-end encrypted one-on-one messaging

Friend-based system with requests and approvals

QR code sharing for profiles

Real-time notifications

Multiple UI themes (dark, light, ocean blue, neon)

Fully responsive design for desktop, tablet, and mobile

From a development perspective, the project is built with Next.js, a MongoDB backend, and client-side cryptography libraries. There are clear abstractions for encryption, key storage, and authentication, making it easy for contributors to pick up and extend features.

I’m sharing this here because I’m looking for:

Feedback – on the security model, UX, and overall architecture

Feature ideas – are there ways to make encrypted social chat more usable without compromising security?

Contributions – anyone who wants to help improve code, add features, or enhance security documentation

The repo is open source: https://github.com/dailker/dragons-vault

I’ve put a lot of thought into balancing strong encryption with usable social features, but this is very much a work in progress. I’d love to hear from anyone interested in privacy-first messaging or client-side encryption. Even small contributions, security reviews, or suggestions are incredibly valuable.

Thanks for reading.

⭐ Star it if you can on GitHub: See project at GitHub
