Encryption Overview (High Level)
Threat model: protect the private key at‑rest in the browser against casual exfiltration while keeping the signing primitive standards‑compliant.
- Primitive: Ed25519 signatures via the browser’s WebCrypto (no custom curve math).
- At‑rest crypto: AES‑GCM‑256 with a key derived via PBKDF2‑SHA256(passphrase ⊕ Z‑Pepper).
- Z‑Pepper: deterministic secret derived from your Z‑Pattern string (e.g., “‑1,1,+1;0,‑0+0”), folded into the KDF salt and key material.
- Storage: IndexedDB (origin‑scoped); backup export is an encrypted JSON blob.
- No security by obscurity: The pepper derivation’s details can be public without reducing safety — security rests on your passphrase strength and standard AES‑GCM.
- Keys never leave the browser: no server upload, no hidden sync.
Why this design? You get standard Ed25519 interoperability, and the TalkToAi research element is confined to the pepper stage, which avoids a custom signature scheme that would break compatibility.
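The at-rest layer described above, sketched with WebCrypto as an added example; it is not the project's own code. The pepper derivation (SHA-256 of the Z-Pattern string), the concatenation used to fold it into key material and salt, the 600,000 iteration count, the 16-byte salt and the blob field names are all assumptions, because the overview does not specify them.

```javascript
// Added example. Uses the browser's crypto object, or Node's webcrypto when run outside a browser.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const ITERATIONS = 600000; // assumption: the overview gives no iteration count

const concat = (a, b) => { const o = new Uint8Array(a.length + b.length); o.set(a); o.set(b, a.length); return o; };
const b64 = (u8) => btoa(String.fromCharCode(...u8));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Assumption: Z-Pepper = SHA-256(Z-Pattern string). Deterministic, so it adds no entropy by itself.
async function zPepper(zPattern) {
  return new Uint8Array(await wc.subtle.digest('SHA-256', enc.encode(zPattern)));
}

// The pepper is folded into both the key material and the KDF salt.
async function deriveKey(passphrase, zPattern, salt, iterations) {
  const pepper = await zPepper(zPattern);
  const material = await wc.subtle.importKey(
    'raw', concat(enc.encode(passphrase), pepper), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt: concat(salt, pepper), iterations },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Produces the encrypted JSON backup blob: public parameters plus ciphertext, no key.
async function sealKey(privateKeyBytes, passphrase, zPattern) {
  const salt = wc.getRandomValues(new Uint8Array(16)); // random per blob
  const iv = wc.getRandomValues(new Uint8Array(12));   // fresh 96-bit nonce per encryption
  const key = await deriveKey(passphrase, zPattern, salt, ITERATIONS);
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, privateKeyBytes));
  return JSON.stringify({ v: 1, kdf: 'PBKDF2-SHA256', iterations: ITERATIONS,
                          salt: b64(salt), iv: b64(iv), ct: b64(ct) });
}

// Rejects (GCM tag mismatch) on a wrong passphrase, a wrong pattern or a tampered blob.
async function openKey(blobJson, passphrase, zPattern) {
  const b = JSON.parse(blobJson);
  const key = await deriveKey(passphrase, zPattern, unb64(b.salt), b.iterations);
  return new Uint8Array(await wc.subtle.decrypt({ name: 'AES-GCM', iv: unb64(b.iv) }, key, unb64(b.ct)));
}
```

Because the salt and nonce are random per blob, sealing the same key twice yields different ciphertexts, and the only inputs an attacker must guess are the passphrase and the pattern.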