DEV Community: Brad Pitt The latest articles on DEV Community by Brad Pitt (@brad_pitt_82c5b54eb64f9f5). https://dev.to/brad_pitt_82c5b54eb64f9f5 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3964297%2F3e5b40d7-cd46-46fb-9d56-aeea5e0f1e3a.jpg DEV Community: Brad Pitt https://dev.to/brad_pitt_82c5b54eb64f9f5 en How I built an E2EE chat in Go + React (with AI agent support) Brad Pitt Wed, 03 Jun 2026 09:37:08 +0000 https://dev.to/brad_pitt_82c5b54eb64f9f5/how-i-built-an-e2ee-chat-in-go-react-with-ai-agent-support-482d https://dev.to/brad_pitt_82c5b54eb64f9f5/how-i-built-an-e2ee-chat-in-go-react-with-ai-agent-support-482d <blockquote> <p>🚀 <strong>Try it now:</strong> <a href="https://arthas-blush.vercel.app/" rel="noopener noreferrer">Open the Arthas web app</a> — create a room, share the code, chat with E2EE. No signup needed.</p> </blockquote> <h2> TL;DR — Try It in 2 Minutes </h2> <p>No signup required. A free public server is running at <code>wss://arthas100-arthas-server.hf.space/ws</code>.</p> <h3> 1. Create an encrypted room (CLI) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Linux/macOS — download and make executable</span> curl <span class="nt">-L</span> <span class="nt">-o</span> arthas-cli https://github.com/michaelwang123/arthas/releases/latest/download/arthas-cli <span class="nb">chmod</span> +x arthas-cli <span class="c"># Windows (PowerShell) — download the .exe</span> <span class="c"># curl.exe -L -o arthas-cli.exe https://github.com/michaelwang123/arthas/releases/latest/download/arthas-cli-windows-amd64.exe</span> <span class="c"># Create a room — generates AES-256 key locally, outputs share code</span> ./arthas-cli create <span class="nt">--server</span> wss://arthas100-arthas-server.hf.space/ws <span class="nt">--name</span> <span class="s2">"Alice"</span> <span class="c"># Windows: .\arthas-cli.exe create --server wss://arthas100-arthas-server.hf.space/ws --name "Alice"</span> <span class="c"># Output:</span> <span class="c"># ✓ Room created! Share code:</span> <span class="c"># QYEq9uxfKP9h-KCUsPUay:NlZezXoUErYr92grhif3Y-Hy3FOOK1ocb3WocCJJrQM</span> <span class="c">#</span> <span class="c"># The encryption key never leaves your device.</span> </code></pre> </div> <blockquote> <p>⚠️ <strong>Keep this terminal open</strong> — the room exists only while at least one participant is connected.</p> </blockquote> <h3> 2. Join from another terminal (or send the code to a friend) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Linux/macOS</span> ./arthas-cli <span class="nb">join </span>QYEq9uxfKP9h-KCUsPUay:NlZezXoUErYr92grhif3Y-Hy3FOOK1ocb3WocCJJrQM <span class="se">\</span> <span class="nt">--server</span> wss://arthas100-arthas-server.hf.space/ws <span class="se">\</span> <span class="nt">--name</span> <span class="s2">"Bob"</span> <span class="c"># Windows</span> <span class="c"># .\arthas-cli.exe join QYEq9uxfKP9h-KCUsPUay:NlZezXoUErYr92grhif3Y-Hy3FOOK1ocb3WocCJJrQM --server wss://arthas100-arthas-server.hf.space/ws --name "Bob"</span> </code></pre> </div> <p>That's it — you're chatting end-to-end encrypted. The server only sees ciphertext blobs; it cannot read, store, or parse anything.</p> <blockquote> <p>💡 Prefer a web UI? Open the <a href="https://arthas-blush.vercel.app/" rel="noopener noreferrer">Arthas web app</a>, create a room, and share the code.</p> </blockquote> <h2> Bonus: Connect an AI Agent to the Same Room </h2> <p>Every AI agent channel today (Telegram bots, Slack apps, Discord) transmits prompts in plaintext. With Arthas, your AI joins the encrypted room as a regular participant — the server can't tell human from bot (both are encrypted binary blobs).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @arthas-chat/openclaw-channel </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">ArthasChannelAdapter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@arthas-chat/openclaw-channel</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">adapter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ArthasChannelAdapter</span><span class="p">();</span> <span class="nx">adapter</span><span class="p">.</span><span class="nf">onMessage</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">message</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// message.text is already decrypted — E2EE handled internally</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">yourLLM</span><span class="p">.</span><span class="nf">generate</span><span class="p">(</span><span class="nx">message</span><span class="p">.</span><span class="nx">text</span><span class="p">);</span> <span class="k">await</span> <span class="nx">adapter</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomUUID</span><span class="p">(),</span> <span class="na">channelId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">arthas</span><span class="dl">'</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">response</span> <span class="p">});</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">adapter</span><span class="p">.</span><span class="nf">connect</span><span class="p">({</span> <span class="na">serverUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">wss://arthas100-arthas-server.hf.space/ws</span><span class="dl">'</span><span class="p">,</span> <span class="na">shareCode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">QYEq9uxfKP9h-KCUsPUay:NlZezXoUErYr92grhif3Y-Hy3FOOK1ocb3WocCJJrQM</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// from step 1</span> <span class="na">displayName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AI Assistant</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>Now talk to the AI from the CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./arthas-cli <span class="nb">join </span>QYEq9uxfKP9h-KCUsPUay:NlZezXoUErYr92grhif3Y-Hy3FOOK1ocb3WocCJJrQM <span class="se">\</span> <span class="nt">--server</span> wss://arthas100-arthas-server.hf.space/ws <span class="nt">--name</span> <span class="s2">"Michael"</span> <span class="o">&gt;</span> Summarize GDPR Article 17 AI Assistant: Article 17 establishes the <span class="s2">"right to erasure"</span>... </code></pre> </div> <p><strong>What the server sees vs. reality:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Server's view</th> <th>Reality</th> </tr> </thead> <tbody> <tr> <td>Binary blob from User A</td> <td>"Summarize this contract for me"</td> </tr> <tr> <td>Binary blob from User B</td> <td>"Here's a summary of the key clauses..."</td> </tr> <tr> <td>Binary blob with file attachment</td> <td>Confidential PDF being analyzed</td> </tr> </tbody> </table></div> <p>The plugin (<a href="https://www.npmjs.com/package/@arthas-chat/openclaw-channel" rel="noopener noreferrer"><code>@arthas-chat/openclaw-channel</code></a>) handles WebSocket, MessagePack, AES-256-GCM, and exponential-backoff reconnection internally.</p> <h2> Motivation </h2> <p>I needed to share API keys and credentials with teammates but didn't trust Slack DMs. Existing tools like PrivNote or Yopass are one-shot — you paste a secret, someone reads it, gone. No real-time conversation.</p> <p>I wanted:</p> <ul> <li> <strong>Ephemeral</strong> — create a room, chat, leave, everything disappears</li> <li> <strong>End-to-end encrypted</strong> — the server can't read anything</li> <li> <strong>No signup</strong> — open a URL and start chatting</li> <li> <strong>Self-hostable</strong> — run it on your own infrastructure</li> </ul> <p>So I built <a href="https://github.com/michaelwang123/arthas" rel="noopener noreferrer">Arthas</a>. Here's how the crypto, relay server, and frontend fit together.</p> <h2> Architecture Overview </h2> <p>The architecture follows a simple principle: <strong>the server is a dumb pipe</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Browser A Go Server (Relay) Browser B │ │ │ │── Plain → AES Encrypt ──→ │── Forward ciphertext ──→ │ │ │ │→ AES Decrypt → Plain │ │ │ Server only ever sees ciphertext. Cannot decrypt. </code></pre> </div> <ol> <li> <strong>Room creator</strong> generates a 256-bit AES key locally (never sent to server)</li> <li> <strong>Share code</strong> = <code>roomId:base64url(key)</code> — one string, both address and key</li> <li> <strong>Joiner</strong> parses the share code, connects, decrypts</li> <li> <strong>Server</strong> broadcasts encrypted blobs — zero knowledge</li> </ol> <p>The encryption key travels through a <strong>side channel</strong> (copy-paste, QR code) — never through the server.</p> <p><strong>Tech stack:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Technology</th> </tr> </thead> <tbody> <tr> <td>Crypto</td> <td>Web Crypto API (browser) / <code>crypto/aes</code> (Go CLI)</td> </tr> <tr> <td>Frontend</td> <td>React 18 + TypeScript + Zustand</td> </tr> <tr> <td>Protocol</td> <td>WebSocket + MessagePack (binary)</td> </tr> <tr> <td>Backend</td> <td>Go 1.23 + gorilla/websocket</td> </tr> <tr> <td>Deploy</td> <td>Single binary or Docker Compose + Caddy</td> </tr> </tbody> </table></div> <h2> E2EE Implementation </h2> <h3> Key Generation </h3> <p><strong>TypeScript (Web Client):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">generateRoomKey</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">CryptoKey</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">generateKey</span><span class="p">(</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AES-GCM</span><span class="dl">"</span><span class="p">,</span> <span class="na">length</span><span class="p">:</span> <span class="mi">256</span> <span class="p">},</span> <span class="kc">true</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">encrypt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">decrypt</span><span class="dl">"</span><span class="p">]</span> <span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">exportRoomKey</span><span class="p">(</span><span class="nx">key</span><span class="p">:</span> <span class="nx">CryptoKey</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">raw</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">exportKey</span><span class="p">(</span><span class="dl">"</span><span class="s2">raw</span><span class="dl">"</span><span class="p">,</span> <span class="nx">key</span><span class="p">);</span> <span class="k">return</span> <span class="nf">toBase64Url</span><span class="p">(</span><span class="nx">raw</span><span class="p">);</span> <span class="c1">// 43-char string for 32 bytes</span> <span class="p">}</span> </code></pre> </div> <p><strong>Go (CLI Client):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">GenerateRoomKey</span><span class="p">()</span> <span class="p">([]</span><span class="kt">byte</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">key</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="kt">byte</span><span class="p">,</span> <span class="m">32</span><span class="p">)</span> <span class="c">// AES-256</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">io</span><span class="o">.</span><span class="n">ReadFull</span><span class="p">(</span><span class="n">rand</span><span class="o">.</span><span class="n">Reader</span><span class="p">,</span> <span class="n">key</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"generate key: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">key</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">ExportKeyBase64URL</span><span class="p">(</span><span class="n">key</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="kt">string</span> <span class="p">{</span> <span class="k">return</span> <span class="n">base64</span><span class="o">.</span><span class="n">RawURLEncoding</span><span class="o">.</span><span class="n">EncodeToString</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="c">// 43 chars</span> <span class="p">}</span> </code></pre> </div> <p>Both produce the same 43-character base64url string — Go CLI and web client are fully interoperable.</p> <h3> AES-256-GCM Encryption </h3> <p>Every message gets a unique random 12-byte IV. AES-GCM provides confidentiality + integrity in one operation.</p> <p><strong>TypeScript:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">encryptMessage</span><span class="p">(</span> <span class="nx">key</span><span class="p">:</span> <span class="nx">CryptoKey</span><span class="p">,</span> <span class="nx">plaintext</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">iv</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">ciphertext</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">iv</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">getRandomValues</span><span class="p">(</span><span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="mi">12</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">plaintextBytes</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">().</span><span class="nf">encode</span><span class="p">(</span><span class="nx">plaintext</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">ciphertextBuffer</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AES-GCM</span><span class="dl">"</span><span class="p">,</span> <span class="nx">iv</span> <span class="p">},</span> <span class="nx">key</span><span class="p">,</span> <span class="nx">plaintextBytes</span> <span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">iv</span><span class="p">:</span> <span class="nf">toBase64Url</span><span class="p">(</span><span class="nx">iv</span><span class="p">.</span><span class="nx">buffer</span><span class="p">),</span> <span class="na">ciphertext</span><span class="p">:</span> <span class="nf">toBase64Url</span><span class="p">(</span><span class="nx">ciphertextBuffer</span><span class="p">),</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p><strong>Go:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">Encrypt</span><span class="p">(</span><span class="n">key</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">,</span> <span class="n">plaintext</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="p">(</span><span class="n">iv</span><span class="p">,</span> <span class="n">ciphertext</span> <span class="kt">string</span><span class="p">,</span> <span class="n">err</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">block</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">aes</span><span class="o">.</span><span class="n">NewCipher</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="n">gcm</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">cipher</span><span class="o">.</span><span class="n">NewGCM</span><span class="p">(</span><span class="n">block</span><span class="p">)</span> <span class="n">nonce</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="kt">byte</span><span class="p">,</span> <span class="n">gcm</span><span class="o">.</span><span class="n">NonceSize</span><span class="p">())</span> <span class="c">// 12 bytes</span> <span class="n">io</span><span class="o">.</span><span class="n">ReadFull</span><span class="p">(</span><span class="n">rand</span><span class="o">.</span><span class="n">Reader</span><span class="p">,</span> <span class="n">nonce</span><span class="p">)</span> <span class="n">sealed</span> <span class="o">:=</span> <span class="n">gcm</span><span class="o">.</span><span class="n">Seal</span><span class="p">(</span><span class="no">nil</span><span class="p">,</span> <span class="n">nonce</span><span class="p">,</span> <span class="n">plaintext</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="k">return</span> <span class="n">base64</span><span class="o">.</span><span class="n">RawURLEncoding</span><span class="o">.</span><span class="n">EncodeToString</span><span class="p">(</span><span class="n">nonce</span><span class="p">),</span> <span class="n">base64</span><span class="o">.</span><span class="n">RawURLEncoding</span><span class="o">.</span><span class="n">EncodeToString</span><span class="p">(</span><span class="n">sealed</span><span class="p">),</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why AES-GCM?</strong> AEAD (no separate HMAC), hardware-accelerated (AES-NI), natively in Web Crypto API. Never reuse an IV with the same key — with random 12-byte IVs, collision probability is ~2⁻⁴⁸ after 2³² messages.</p> <h2> WebSocket Relay Design </h2> <p>The server is a Go program that accepts connections, manages rooms, and broadcasts ciphertext. It never decrypts.</p> <h3> Hub Pattern (CSP concurrency) </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Hub</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">roomManager</span> <span class="o">*</span><span class="n">room</span><span class="o">.</span><span class="n">RoomManager</span> <span class="n">clients</span> <span class="k">map</span><span class="p">[</span><span class="o">*</span><span class="n">Client</span><span class="p">]</span><span class="kt">bool</span> <span class="n">register</span> <span class="k">chan</span> <span class="o">*</span><span class="n">Client</span> <span class="n">unregister</span> <span class="k">chan</span> <span class="o">*</span><span class="n">Client</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="o">*</span><span class="n">Hub</span><span class="p">)</span> <span class="n">Run</span><span class="p">()</span> <span class="p">{</span> <span class="k">for</span> <span class="p">{</span> <span class="k">select</span> <span class="p">{</span> <span class="k">case</span> <span class="n">client</span> <span class="o">:=</span> <span class="o">&lt;-</span><span class="n">h</span><span class="o">.</span><span class="n">register</span><span class="o">:</span> <span class="n">h</span><span class="o">.</span><span class="n">clients</span><span class="p">[</span><span class="n">client</span><span class="p">]</span> <span class="o">=</span> <span class="no">true</span> <span class="k">case</span> <span class="n">client</span> <span class="o">:=</span> <span class="o">&lt;-</span><span class="n">h</span><span class="o">.</span><span class="n">unregister</span><span class="o">:</span> <span class="nb">delete</span><span class="p">(</span><span class="n">h</span><span class="o">.</span><span class="n">clients</span><span class="p">,</span> <span class="n">client</span><span class="p">)</span> <span class="nb">close</span><span class="p">(</span><span class="n">client</span><span class="o">.</span><span class="n">send</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Zero-Knowledge Relay </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">h</span> <span class="o">*</span><span class="n">Hub</span><span class="p">)</span> <span class="n">handleSendMessage</span><span class="p">(</span><span class="n">client</span> <span class="o">*</span><span class="n">Client</span><span class="p">,</span> <span class="n">data</span> <span class="k">interface</span><span class="p">{})</span> <span class="p">{</span> <span class="n">dataMap</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">data</span><span class="o">.</span><span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{})</span> <span class="n">iv</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">dataMap</span><span class="p">[</span><span class="s">"iv"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">)</span> <span class="n">ciphertext</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">dataMap</span><span class="p">[</span><span class="s">"ciphertext"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">)</span> <span class="k">if</span> <span class="n">iv</span> <span class="o">==</span> <span class="s">""</span> <span class="o">||</span> <span class="n">ciphertext</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="n">h</span><span class="o">.</span><span class="n">sendError</span><span class="p">(</span><span class="n">client</span><span class="p">,</span> <span class="n">ErrCodeInvalidMessage</span><span class="p">,</span> <span class="s">"iv and ciphertext required"</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="k">if</span> <span class="n">client</span><span class="o">.</span><span class="n">IsRateLimited</span><span class="p">()</span> <span class="p">{</span> <span class="n">h</span><span class="o">.</span><span class="n">sendError</span><span class="p">(</span><span class="n">client</span><span class="p">,</span> <span class="n">ErrCodeRateLimited</span><span class="p">,</span> <span class="s">"rate limited"</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Forward — server never decrypts</span> <span class="n">relayMsg</span> <span class="o">:=</span> <span class="n">Message</span><span class="p">{</span> <span class="n">Type</span><span class="o">:</span> <span class="n">MsgRelayMessage</span><span class="p">,</span> <span class="n">Data</span><span class="o">:</span> <span class="n">RelayMessageData</span><span class="p">{</span> <span class="n">SenderID</span><span class="o">:</span> <span class="n">client</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="n">SenderName</span><span class="o">:</span> <span class="n">client</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">IV</span><span class="o">:</span> <span class="n">iv</span><span class="p">,</span> <span class="n">Ciphertext</span><span class="o">:</span> <span class="n">ciphertext</span><span class="p">,</span> <span class="n">T</span><span class="o">:</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">UnixMilli</span><span class="p">(),</span> <span class="p">},</span> <span class="p">}</span> <span class="n">broadcastData</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">msgpack</span><span class="o">.</span><span class="n">Marshal</span><span class="p">(</span><span class="n">relayMsg</span><span class="p">)</span> <span class="n">room</span><span class="o">.</span><span class="n">Broadcast</span><span class="p">(</span><span class="n">client</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="n">broadcastData</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> MessagePack over JSON </h3> <p>30-50% smaller payloads, efficient binary, single-byte message type routing. Protocol envelope: <code>{ type: uint8, data: any }</code>.</p> <h2> Deployment </h2> <h3> Single Binary (dev/intranet) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./arthas-server <span class="nt">--port</span> 8080 <span class="c"># Serves WebSocket at /ws + frontend at / — one process, zero deps</span> </code></pre> </div> <h3> Docker (production) </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="w"> </span><span class="s">golang:1.23-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span><span class="nv">CGO_ENABLED</span><span class="o">=</span>0 go build <span class="nt">-ldflags</span> <span class="s2">"-s -w"</span> <span class="nt">-o</span> server ./cmd/server <span class="k">FROM</span><span class="s"> alpine:3.23</span> <span class="k">COPY</span><span class="s"> --from=builder /app/server .</span> <span class="k">USER</span><span class="s"> 1000</span> <span class="k">EXPOSE</span><span class="s"> 7860</span> <span class="k">CMD</span><span class="s"> ["./server"]</span> </code></pre> </div> <p>Under 30MB final image. Add Caddy for automatic HTTPS.</p> <h2> What I Learned </h2> <ol> <li> <strong>Web Crypto API is powerful</strong> — no third-party crypto libs needed in the browser</li> <li> <strong>Go's goroutine-per-connection model</strong> fits WebSocket servers perfectly</li> <li> <strong>MessagePack &gt; JSON</strong> for binary protocols (size + speed)</li> <li> <strong>Key distribution is the hard part</strong> — the crypto is straightforward, getting the key to the right people securely is the challenge</li> <li> <strong>Zero-knowledge simplifies everything</strong> — no GDPR concerns for message content, no database encryption needed</li> </ol> <h2> Links </h2> <ul> <li> <strong>Live Demo</strong>: <a href="https://arthas-blush.vercel.app/" rel="noopener noreferrer">arthas-blush.vercel.app</a> (no signup, try it now)</li> <li> <strong>Public Server</strong>: <code>wss://arthas100-arthas-server.hf.space/ws</code> (free, no signup)</li> <li> <strong>GitHub</strong>: <a href="https://github.com/michaelwang123/arthas" rel="noopener noreferrer">github.com/michaelwang123/arthas</a> </li> <li> <strong>AI Agent Plugin</strong>: <a href="https://www.npmjs.com/package/@arthas-chat/openclaw-channel" rel="noopener noreferrer"><code>@arthas-chat/openclaw-channel</code> on npm</a> </li> <li> <strong>Docs</strong>: <a href="https://michaelwang123.github.io/arthas/" rel="noopener noreferrer">michaelwang123.github.io/arthas</a> </li> </ul> <p>⭐ Star the repo if you find it useful. Feedback and PRs welcome!</p> go encryption security opensource