I'm upfront about it. I'm sure you can imagine how ai can help in software development. I can't be more transparent than it being open source.
xoron
joined 2 years ago
TLDR; I’ve been experimenting with react-like jsx-syntax with webcomponents to see if I could theoretically replace React in one of my projects. It is not ready for production use, but rather an exploration into CustomElements and modern browser capabilities.
https://github.com/positive-intentions/dim
The goal was to build functional Web Components that handle state management and DOM updates without the overhead of a massive JavaScript framework. By leveraging standard Web APIs and Proxy objects, I’ve managed to create a reactive programming model that feels familiar—using JSX—but stays much closer to the browser platform.
I wanted to see how far i could take web components before the architecture broke down. If you’re interested in frontend software engineering or web standards, you might find the logic behind the updates (which avoid a traditional virtual DOM) interesting.
Full technical tutorial and deep dive: https://positive-intentions.com/docs/research/Tutorials/dim/dim-functional-webcomponents
Disclaimer: This project is not ready for production use. In fact, this project may be getting deprecated soon, but I’m sharing it because the unique details into custom elements and modern JavaScript performance might be interesting or educational for others exploring the web platform.
TLDR; I’ve been experimenting with react-like jsx-syntax with webcomponents to see if I could theoretically replace React in one of my projects. It is not ready for production use, but rather an exploration into CustomElements and modern browser capabilities.
https://github.com/positive-intentions/dim
The goal was to build functional Web Components that handle state management and DOM updates without the overhead of a massive JavaScript framework. By leveraging standard Web APIs and Proxy objects, I’ve managed to create a reactive programming model that feels familiar—using JSX—but stays much closer to the browser platform.
I wanted to see how far i could take web components before the architecture broke down. If you’re interested in frontend software engineering or web standards, you might find the logic behind the updates (which avoid a traditional virtual DOM) interesting.
Full technical tutorial and deep dive: https://positive-intentions.com/docs/research/Tutorials/dim/dim-functional-webcomponents
Disclaimer: This project is not ready for production use. In fact, this project may be getting deprecated soon, but I’m sharing it because the unique details into custom elements and modern JavaScript performance might be interesting or educational for others exploring the web platform.
TLDR; I’ve been experimenting with react-like jsx-syntax with webcomponents to see if I could theoretically replace React in one of my projects. It is not ready for production use, but rather an exploration into CustomElements and modern browser capabilities.
https://github.com/positive-intentions/dim
The goal was to build functional Web Components that handle state management and DOM updates without the overhead of a massive JavaScript framework. By leveraging standard Web APIs and Proxy objects, I’ve managed to create a reactive programming model that feels familiar—using JSX—but stays much closer to the browser platform.
I wanted to see how far i could take web components before the architecture broke down. If you're interested in frontend software engineering or web standards, you might find the logic behind the updates (which avoid a traditional virtual DOM) interesting.
Full technical tutorial and deep dive: https://positive-intentions.com/docs/research/Tutorials/dim/dim-functional-webcomponents
Disclaimer: This project is not ready for production use. In fact, this project may be getting deprecated soon, but I’m sharing it because the unique details into custom elements and modern JavaScript performance might be interesting or educational for others exploring the web platform.
That's why it's kinda the first thing I mention on the post. How do you think I could make this more clear? It's also on the readme and terms and conditions in the app.
In my open source version, it's at the top of every page. It isn't a good look and I don't want to slap people on the face with words of caution.
Thanks for taking an interest.
I think the most stable version on my app is here: https://p2p.positive-intentions.com/iframe.html?globals=&id=demo-p2p-messaging--p-2-p-messaging&viewMode=story
I would suggest clearing all site-data before creating a new connection. I hope the UI is intuitive for which link needs to be copied and where it should be pasted on the peer side.
(If that doesn't work, try locally with different browsers or incognito)
Can you tell me the features you are interested in? They are all "coming soon" and a matter of more time and effort. I could spend all my time on a nice UI, but that takes away from working on the cryptography and documentation. It's important to be clear that it's testable, but far from finished.
i hope the latter. its provided as a testable demo. it isnt finished, but i see its working as i expect. i post about it to encourage feedback.
if you're interested, theres technical documentation here: https://positive-intentions.com/docs/technical . feel free to reach out for clarity on any details.
its provided as a demo and i try to be clear about it NOT being ready for your trust (there could be breaking changes, bugs)... but i hope its clear that gaining user trust is the general aim when i share open-source code and documentation.
having prefessionals review would be great... i think im being realistic that it isnt going to be an option anytime soon.
i have applied to some grants (some specific for security sudits for open source projects). so far, all rejections.
if youre asking for one, you must know a professional security audit is pretty expensive. best i can offer is open source transparency.
its important maintain the wording around "work-in-progress" because there may be breaking changes. ultimately, making it so its far from ready for an audit.
i think use it an appropriate amount. im not sure how to quantify that. i use different AI models on different tasks in the code as well as the documentation.
its worth repeating its far from finished and i hope with feedback i can make it better. i have put efforts towards directing it towards unit-tests, an audit and formal-proofs. none of that is good-enough, but i hope it can act as a starting point for verifying the implementation is correct.
i get the whole semantic versioning rhetoric and branching strategies, etc. this project is a while from being promoted as "perfect". this is still a work-in-progress.
im sure people have better things to do with their time than review unstable and unfinished code. as a solo dev on this, there isnt anyone reviewing my code. if i dont share it like this, no one with come across it. i hope you can understand i get pushback when i promote my messaging app is "secure", so this transparency is nessesary.
im not sure how easy it is to get LLM's to output near-verbatim. different models have understandably different results. i dont know if youre asking me to justify using AI?
considering how well documented and discussed the signal protocol might be, its understandable that the LLM would have a decent grasp of the concept from the onset and may well be able to get near-verbatim results. i dont want "using AI" to be used to undermine my efforts. what you see is the result of the typical software development process when i planned and iterated for improvements. im sure you can imagine how AI can help in the process.
im not an expert on licences. i chose that licence after a fairly brief consideration... you're the first to give any pushback on it. we can discuss further if you can share any insights on licences. i created the project. its not cloned and refactored from some other existing implementation. i cant be more transparent than it being on github with a commit history.
we then start leaning towards the questions of: if anyone authors any code they produce with AI?
my bad. i wrote the post, but im no shakespeare. the confusing messaging was meant to convey along the lines that im aware that people have better things to do than review my project, id like to put it out there if youre interested.
im mainly working on a messaging app as linked. several secure messaging apps exist and like anyone else working on a messaging app, i want mine to be secure. in the cybersec community there is emphesis on open source. the project is linked in the post to share (because otherwise people arent going to come across it).
ive done a good amount of testing and reviewing myself, but im sure i can spend more time. i try to make it clear in this post and the readme that its still a work in progress.
Id like to share my implementation of the signal protocol that i use in my messaging app. The implementation is in rust and compiles to WASM for browser-based usage.
- Github: https://github.com/positive-intentions/signal-protocol
- Demo: https://signal.positive-intentions.com/
Its far from finished and im not sure when its a good time to share it, but i think its reasonable now.
The aim is for it to align with the official implementation (https://github.com/signalapp/libsignal). That version was not used because my use case required client side browser-based functionality and i struggled to achieve that in the official one where javascript is used but is targeting nodejs.
There are other nuances to my approach like using module federation, which led to me moving away from the official version.
While i have made attempts to create things like audits and formal-proof verication, i am sharing it now if there is feedback about the implementation. Any outstanding issue i may be overlooking? Feel free to reach out for clarity on any details.
This signal implementation is for a p2p messaging app. See it in action here: https://p2p.positive-intentions.com/iframe.html?globals=&id=demo-p2p-messaging--p-2-p-messaging&viewMode=story
i agree. those (and many more) are better choices for a number of reasons. i work on this because its interesting. its open source for transparency.
What’s your motivation? Why are you doing this? Do you hope to make money out of it, or do you have more altruistic intentions?
i mentioned it in the post. 'Im aiming to create the “theoretically” most secure messaging app'... that is the goal. im not aiming for "more secure that whatsapp/signal"... but something fundamentally different in how it works. while things like webrtc and interest decentralized technology has been around for a long time, there wasnt something as general-purpose like what im aiming for.
it started as a sideproject and i kept building on it. i hope to make money out of it and have something that can support me (because ya know... bills to pay). i started off open source; naively thinking i would get open-source funding support if i demonstrated the concept to develop it further. i did several exhausting rounds of grant applications. it was an horrible experience on something outside my competence and towards the end i was dreading applying for grants knowing that they were going to reject my project. i also set up github sponsors, but nobody has donated... completely understandable for something that looks like a weekend project, but its clear that it isnt going to pay any bills.
Anyone you convince to use this will have their data and privacy at risk
you are fear-mongering again... its important for anyone reading this, the app works differently with user data. its all client-side. you dont need to add any personal info for it to work. ive linked how the data can be encrypted at rest. there are irresponsible ways to use any app, your data is not inherently at risk because of this implementation. if you are going to make such claims, you should make it against the code examples i've provided... or at least an example of what could go wrong.
i work hard on this project, so of course i promote the project on reddit and the fediverse, but you failed to mention that i also advise caution in all of my posts (including this). i hope its clear that such wording like "work-in-progress" works against marketing/promoting... i include it because its responsible to do on a project like this at its current stage.
acting as a middle man to ChatGPT
its 2026 and AI is very prominent. people are indeed vibcoding some serious stuff. there is clearly a new wave of "developers" that dont have a concept of unit-testing, let alone the appriciation for them. ive been a developer for 10+ years and know how to do this "old-school", but using AI is clearly a huge enhacement so it understandably looks very vibecoded. its important to study, test and review what is produced. when people get hung up on "OmG YoU'rE UsInG AI", that seems to be an indicator for me that im not really having a real discussion. especially when i have code examples and unit tests... that doesnt mean my approach is without issues, but the code is right there. your concerns are well placed so i have some questions for you.
- why arent you using an AI to review what ive created?
- what academic/professional hoops do i need to jump through for credability?
- perhaps you can identify something i overlooked?
while you have no obligation to do anything for me, my point is that the code has been openly discussed for a while and other people have reached out about issues and i addressed them to get the project to where it is now. i have a lot more to do on the project before i can remove wording like "work-in-progress" in my communication about the project. the project is working as expected and i expect it will continue to improve.
it seems clear that i dont have enough on the project to convince/inspire confidence in you, which is understandable and respectable. i dont want you to "trust me bro"... its why i keep the open-source versions separate, its useful to be able to point to open source examples when discussing details online as i refine the implementation. you should use what you are comfortable with and you clearly know your way around cybersecurity, so i expect your judgement in how you securely communicate is better than most.
So is it about convenience, or security?
it isnt about convenience or security. while security is clearly important, the "convienience" is important for helping users to get started. from experience, pointing to a github repo is simply not enough. it has to be easy for users to get started. convinience and security both need a great deal of attention. the quality of either is dependent how much time i put into them.
expect users to audit...
i dont expect users to audit the code. at this stage in the project when im still putting it together, i can confirm this code isnt good enough to audit... third-party audits are important to have, but they are prohibitively expensive so dont expect one any time soon.
There’s nothing the browser can do to protect its data if the OS falls into the hands of an attacker
thats just wrong. its possible to combine the filesystem api and the crypto api. a previous post on the matter: https://programming.dev/post/33435342 ... in this app i have a working version of passkey-encryption-at-rest. so a user has to register a passkey on their device and all the data is then encrypted at rest in indexedDB... users didnt like that every time they reload the page, the webapp was asking for a fingerprint to unlock... so that feature is disabled for now untill i make it so it can be disabled if the user wants. there is much more to think about there and that could be a whole separate discussion as we consider things like devices supporting passkeys PRF and how "recovery" could work.
censor your app
the frontend (this project), the backend (peerjs-server) and stun/turn servers can be selfhosted. but that moves away from what i can offer. id also like to investigate options for onion-style routing which the stray further from "minimal infrastructure" of p2p commmunication. https://programming.dev/post/41521230
low latency/high bandwidth the protocol was designed for
ive been working on this project for a while. it started off as a p2p messaging framework. i created a simple video calling app and the functionality naturally started leaning towards file transfer and messaging. the logical progression of the framework was to wrap it in a messaging app where you would want low latency/high bandwidth video calls and file transfer. these functionalities are in contrast to tasks like moving files between computers using some cloud service.
people need to stay fae away when security is involved
ive had this kind of fear-mongering/gatekeeping a lot in the cyber security community. its understandable to have high standard and expectation for things like security. but if kerhof's principles are worth anything, they would apply to this project. in the open source version the concept is resonably demonstrated and there is documentation about how it works on the website. spicier things like "how the crytography works" are actively discussed online (like this). its clear that the code is too complicated for anyone to use their spare time review, buts its at least an option. i have recieved good feedback and iterated over what you see.
For anyone reading this thread looking for a secure chat app, just use Delta Chat, or even Signal (which has some issues, but it’s better than nothing).
agreed. my project is far from finished.
view more: next ›
thanks for the tip. it seems nlnet seem to use radically open security. so i pinged them an email.