Appteka

Signet

Verified safe
v0.3.5 (30005)
Published May 26, 2026
61.77 MB
Android 9.0+
arm64-v8a, armeabi-v7a, x86_64
AI summary
Offline cryptographic verifier that lets you confirm a caller is really who they claim to be, not a deepfake. Pair devices in person via QR code to establish a shared secret, then compare rotating 4-word phrases during calls. No internet, accounts, or servers; secrets live in hardware-backed Android Keystore.
What's New
https://github.com/digital-grease/signet/compare/v0.3.4...v0.3.5/
Description
Cryptographic multi-factor authentication for human relationships, not accounts. When someone who sounds like your mother calls in a panic asking for bail money, Signet lets you verify it's actually her. Each paired contact generates a rotating 4-word phrase that only the real person's phone can produce; you ask her to read her phrase aloud and type what you hear. Works over any channel — voice call, video call, text, email, in person.

The threat: voice and video deepfakes targeting families for financial fraud; vishing attacks that use scraped biographical data to impersonate people you know. The defense: a shared secret that was seeded device-to-device in person, and that no amount of AI voice cloning can recover.

How it works
Two phones pair in person by exchanging QR codes containing ephemeral X25519 public keys. Each device derives the same shared secret via Diffie–Hellman. Both devices then display an identical 4-word confirmation phrase derived from that secret — a visual check that the pairing wasn't intercepted. Once confirmed, the shared secret lives in the Android Keystore (hardware-backed when available) and is used to generate 4 rotating BIP-39 words every 30 seconds (HKDF-SHA-256, domain-separated from the pair-time phrase, ±1 window tolerance for clock drift).

To verify a caller later: open Signet, tap the contact, and ask them to read their 4 current words aloud. Type what you hear into the 4-slot input (BIP-39 autocomplete: two letters narrows the list to a chip you can tap). ✅ green banner = verified, ❌ red banner = not verified. On ❌ the input clears and you can retry immediately.

Why words, not digits?
The original design called for an 8-digit TOTP code, but 8 digits don't survive a stressed voice channel — "74" vs. "47" under a bad connection is how grandma gets scammed. BIP-39 was specifically designed to transfer high-entropy secrets cleanly over voice (4 words ≈ 44 bits vs. ~27 for 8 digits, and the words are phonetically distinct by construction). Using the same wordlist we already embed for pair-time verification gives Signet a coherent visual/verbal language and makes the ±1 window tolerance do real work via a binary ✅/❌ instead of eyeball-comparing two 8-digit strings.

Why the two sides see different words
A naïve rotating-code design would give both paired devices the same 4 words each window — but then an attacker can say "grandma, before we talk, read me your words so I know it's really you," parrot them back, and pass the verify. Signet binds each rotating code to a direction: at pair time each device independently derives a role (a or b) from the byte-lexicographic ordering of the two X25519 public keys. The HKDF info string is role-suffixed, so the A→B words and the B→A words for any given window are different. "Show my 4 words" renders your role; the verify input checks against the other role. Reflecting the verifier's own displayed words back fails immediately. See lib/core/crypto/pair_role.dart and the reflection-attack test in test/crypto/totp_words_test.dart.

Properties
- No server, no cloud, no account. The app literally has no INTERNET permission in its manifest. There is no backend to subpoena, compromise, or shut down.
- No telemetry, no analytics, no ads. This is a trust product. Not now, not ever.
- Hardware-backed secrets. Shared secrets are held in Android Keystore behind AES-GCM, StrongBox-backed on devices that support it.
- Offline by construction. Airplane mode does not affect any flow.
- Role-asymmetric rotating code. The two sides of a pair see different 4 words per window, bound to a per-device role derived at pair time. Reflecting the verifier's displayed words back fails by construction — see "Why the two sides see different words".
- RFC-validated crypto. X25519 against RFC 7748 §6.1; HKDF-SHA-256 via the audited cryptography package. BIP-39 wordlist embedded in-tree. All reference vectors pass.

The pure-Dart RFC-6238 TOTP implementation is retained in-tree as a reference (validated against RFC 6238 Appendix B SHA-256 vectors) but not on any live code path — the rotating verifier is 4-word, not 8-digit.

License
GNU Affero General Public License v3.0
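The role-bound rotating-word scheme from "How it works" and "Why the two sides see different words", as an added stand-alone example (not Signet's own Dart code). It assumes the X25519 shared secret has already been derived, uses a constructed placeholder in place of the 2048-word BIP-39 list, and assumes the smaller public key takes role "a" and a particular layout of the role-suffixed HKDF info string, neither of which the listing specifies.

```python
import hashlib
import hmac
from typing import List

# Constructed placeholder standing in for the 2048-entry BIP-39 wordlist
# (assumption: the real app embeds the English BIP-39 list in-tree).
WORDLIST = [f"w{i:04d}" for i in range(2048)]
STEP = 30  # seconds per window, as stated on the page


def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF extract-then-expand with SHA-256, stdlib only."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def derive_role(my_pub: bytes, peer_pub: bytes) -> str:
    """Role from byte-lexicographic order of the two X25519 public keys.
    Assumption: the smaller key is role 'a'; the page does not say which."""
    return "a" if my_pub < peer_pub else "b"


def rotating_words(secret: bytes, role: str, window: int) -> List[str]:
    """The 4 words one side shows for a given 30 s window, bound to its role.
    Assumption: this info-string layout; the page only says it is role-suffixed
    and domain-separated from the pair-time phrase."""
    info = b"signet/rotating/v1/" + window.to_bytes(8, "big") + role.encode()
    bits = int.from_bytes(hkdf_sha256(secret, info, 6), "big") >> 4  # keep 44 bits
    return [WORDLIST[(bits >> (11 * k)) & 0x7FF] for k in range(4)]


def verify(secret: bytes, my_role: str, heard: List[str], now: int) -> bool:
    """Check the caller's words against the *other* role, with ±1 window of drift.
    The verifier's own displayed words never match, so parroting them back fails."""
    peer_role = "b" if my_role == "a" else "a"
    window = now // STEP
    return any(
        hmac.compare_digest(" ".join(heard), " ".join(rotating_words(secret, peer_role, w)))
        for w in (window - 1, window, window + 1)
    )
```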
Ratings & reviews
No reviews yet.