Changelog: what we've shipped.

Public timeline of every meaningful milestone — what shipped, what was built, what got designed. Specific enough to be falsifiable. Newest entries on top.

  1. May 22, 2026 · shipped

    On-chain anchoring live · GhostRegistry deployed on Base mainnet

    Every ghost commit can now be permanently timestamped on a trust-minimized chain. GhostRegistry — a 50-line append-only contract — is live on Base mainnet at 0x4dc8911fd65aa7cdcac410549ee80323bbcb2206. Each anchor records (commitSha, ringRoot, keyImage) and emits an indexable event. A sponsored relayer at /api/anchor pays gas after re-running full LSAG verification server-side, so users don't need a wallet. Why Base: Bitcoin/Ethereum-secured, ~$0.0001 per anchor, 1.6s end-to-end including signature verify.
    • Contract: GhostRegistry.sol on Base mainnet, MIT, source-verified on Basescan
    • Foundry test suite: 8 unit tests + 1 fuzz pass
    • Sponsored relayer: 5 anchors/hour per IP, 100/day global cap
    • First anchor proof: basescan.org/tx/0x6679bb94…811abc · block 46,337,919
    • CLI: gitghost commit -m … --anchor (auto-submit) or gitghost anchor <sha>
    • Verifier auto-surfaces 'ANCHORED · base block N' when commit has on-chain proof
  2. May 22, 2026 · shipped

    Playground · live activity feed · public ledger

    Shipped /playground — a 4-tab browser app that lets anyone generate a ghost identity, build a ring (by GitHub username or paste pubkey), sign a message with LSAG, and verify — all client-side, no install, secret never leaves the page. Plus /feed: a public timeline of every successful verification. Counters, 14-day histogram, per-ring breakdown, all auto-refreshing every 8 seconds. Privacy-conscious: ring metadata + key image only — no author email, no commit body.
    • /playground — 4 tabs (Identity, Build, Sign, Verify), full client-side crypto
    • /api/derive-pubkey — fetch GitHub keys, derive deterministic ghost pubkey
    • /feed — SSR snapshot + 8s client refresh, persistent activity ledger
    • Live ticker on landing: X verified today · Y total
    • Anchored events get an ⚓ badge with Basescan link
  3. May 22, 2026 · shipped

    @gitghost/cli published to npm

    First public CLI release. npm install -g @gitghost/cli or curl-pipe via gitghost.org/install.sh. Fully working init / ring / commit / verify path with privacy-safe defaults — secret keys auto-gitignored on init, message signing canonicalised to survive whitespace edits, robust trailer parsing that doesn't break on commit bodies that mention literal Ghost-Ring:.
    • Published as @gitghost/cli@0.1.1 (org-scoped on npm)
    • Audit fixes: identity.json auto-gitignore, --anchor flag wired, findAnchor collision-safe
    • Ring-size warnings: weak anonymity for N<5, performance note for N>200
    • Windows ACL hint when mode 0o600 doesn't apply
    • Dynamic version reads from package.json (no more hardcode drift)
  4. May 21, 2026 · shipped

    Browser verifier API live · public ring registry

    Shipped POST /api/verify end to end. GitHub mode fetches a commit + ring config straight from GitHub and runs the full LSAG check. Raw mode accepts pasted message + ring for offline / private repo verification. GET /api/rings and /api/rings/[slug] expose the public registry. Four reproducible rings seeded from real public SSH keys at github.com/<user>.keys.
    • POST /api/verify · github + raw mode
    • GET /api/rings · GET /api/rings/[slug]
    • Seeded rings: linux-kernel-core, node-runtime-historic, frontend-frameworks, privacy-engineering
    • Ring root validated against the live cryptography on every boot
    • 404 / 400 / 200 paths covered for malformed inputs
  5. May 20, 2026 · built

    Browser-safe LSAG port — CLI ↔ web cryptographic parity

    Ported the full LSAG / ringRoot / Ghost-* trailer logic into a browser-safe bundle so the verifier runs the exact same math as the CLI. Every signature signed by gitghost commit verifies via POST /api/verify, byte for byte. Cryptography uses @noble/curves + @noble/hashes — widely-audited primitives, zero rolled-our-own crypto.
    • secp256k1 LSAG sign + verify in TypeScript
    • Deterministic ring root (sha256 of canonical ring config)
    • Ghost-* commit trailer parser + emitter
    • Bit-identical results across CLI and web verifier
  6. May 19, 2026 · shipped

    First real ghost commit signed and verified

    Ran the full pipeline end-to-end. Initialised demo-ring with three members (the local identity plus two derived from real GitHub SSH keys), signed a commit anonymously, and verified it through both the CLI and the public API. The exact signature is now wired into the verifier as a load-live-example button — click it to watch real LSAG verification execute in front of you.
    • First real anonymous commit produced via the CLI
    • Ring: demo-ring (3 members, real-key-derived)
    • Verified path: trailers parsed → ring root matches → LSAG valid
    • Verifier returns ok: true on the live signature, deterministic
  7. May 15, 2026 · built

    CLI v0.1.0 — init / ring / commit / verify / anchor

    Shipped the TypeScript CLI. gitghost init bootstraps a per-repo identity and ring config. gitghost ring add <user> pulls SSH keys from GitHub and derives a deterministic ghost public key. gitghost commit signs with LSAG and writes Ghost-* trailers. gitghost verify reproduces the proof and flags key-image reuse.
    • Node 18+, ESM, Commander 12 + simple-git + ora
    • Trailers: Ghost-Ring · Ghost-Ring-Root · Ghost-Key-Image · Ghost-Signature
    • Local anchor log for key-image reuse detection
    • Anchor command stub (Phase 1: real on-chain Base anchoring)
  8. May 08, 2026 · plan

    Protocol design — LSAG over secp256k1 with linkable key image

    Locked the cryptographic primitives. LSAG (Liu/Wei/Wong 2004) over secp256k1, SHA-256 for hash-to-scalar, try-and-increment for hash-to-point. Same curve as Bitcoin/Ethereum so on-chain anchoring on Base reuses existing tooling. Key image binds to sha256("gitghost.v1.context|" + ringName) for cross-ring isolation.
    • secp256k1 + SHA-256 — Bitcoin / Ethereum-compatible
    • Key image: I = sk · H_p(pk ‖ ctx)
    • Context binding prevents cross-ring linkability
    • Ring root: deterministic SHA-256 of canonical ring config
  9. May 05, 2026 · plan

    Project kickoff — anonymous attribution, not anonymous code

    Defined scope and threat model. gitghost is for cryptographic attribution — proving a commit came from a trusted set without revealing the signer. It is not an identity service, not a network anonymizer, not a vulnerability disclosure platform. If you need network-layer anonymity (who pushed), compose with Tor; gitghost only handles the math.
    • Scope: cryptographic attribution only
    • Out-of-scope: network anonymity, key compromise, coercion
    • Target users: security researchers, OSS maintainers, sensitive infra
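
Added example, not the project's own parser: one way to read Ghost-* trailers so that a commit body mentioning a literal Ghost-Ring: line (the @gitghost/cli entry) cannot shadow the real trailers, together with key-image reuse detection against a local log (the CLI v0.1.0 entry). It assumes the trailers sit in the final paragraph of the message, as git's own trailers do; the in-memory log format and all sample values are constructed.

```python
import re

# The four trailers the changelog lists for a ghost commit.
REQUIRED = {"Ghost-Ring", "Ghost-Ring-Root", "Ghost-Key-Image", "Ghost-Signature"}
TRAILER = re.compile(r"^(Ghost-[A-Za-z-]+):[ \t]*(\S.*?)[ \t]*$")

def parse_ghost_trailers(message):
    """Return Ghost-* trailers taken only from the final paragraph (assumed layout)."""
    paragraphs = [p for p in re.split(r"\n[ \t]*\n", message.strip()) if p.strip()]
    if len(paragraphs) < 2:          # a lone subject line carries no trailers
        raise ValueError("no trailer block")
    found = {}
    for line in paragraphs[-1].splitlines():
        m = TRAILER.match(line)
        if not m or m.group(1) not in REQUIRED:
            continue                 # Signed-off-by and similar lines are not ours
        if m.group(1) in found:      # ambiguous input: refuse rather than pick one
            raise ValueError("duplicate " + m.group(1))
        found[m.group(1)] = m.group(2)
    if set(found) != REQUIRED:
        raise ValueError("missing " + ", ".join(sorted(REQUIRED - set(found))))
    return found

def record_key_image(log, commit_sha, trailers):
    """Append to an in-memory anchor log; return earlier commits by the same signer."""
    key = (trailers["Ghost-Ring"], trailers["Ghost-Key-Image"].lower())
    earlier = [sha for sha in log.get(key, []) if sha != commit_sha]
    log.setdefault(key, []).append(commit_sha)
    return earlier

# Constructed sample: the body quotes a trailer-looking line; values are placeholders.
SAMPLE = """Fix trailer docs

The README said to add a line like this by hand:
Ghost-Ring: not-the-real-ring

Ghost-Ring: demo-ring
Ghost-Ring-Root: aa11
Ghost-Key-Image: 02BB22
Ghost-Signature: cc33
"""
```

Within one ring, an equal key image means the same secret key signed both commits, which is why the log is keyed on the (ring, key image) pair.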
Stay updated

Updates land on @gitghost_ first, then on this page within a day. If something here is missing, ping us — public ledger is the point.