ARTEM MOROZOV @dragekorn · senior full-stack engineer
← All projects
01 · GCHAT

GChat — a privacy-first E2E messenger

Founding engineer on my own product. Built solo: protocol, server, client, landing, infra.

Period
March 2026 — present
Role
Founding Engineer · every layer in one pair of hands
Stack
Python 3.12FastAPISQLAlchemy 2.0 asyncPostgreSQLRedisarqFlutterDartRiverpodIsarWebRTCAstro 5Tailwind 4WebGLX3DHDouble RatchetAES-GCM-256Ed25519Curve25519Argon2idPyNaClDockerCoolifyTraefikNginxGitHub Actions
gchat.online

GChat is a complete, privacy-first end-to-end encrypted messenger I designed and built alone — from the math of the cryptographic protocol to deployment on self-managed Linux.

Context

Goal: a messenger of Signal-class privacy, but without phone-number binding, with zero-trust architecture, and ready to operate in untrusted jurisdictions. I chose to build solo to control every layer.

Cryptography

  • X3DH handshake over Curve25519 / Ed25519 for session establishment.
  • Double Ratchet derives a unique symmetric key per message.
  • AES-GCM-256 for transport, Argon2id for local key-wrap, TLS 1.3 for the relay.
  • The server only sees opaque ciphertext and cannot decrypt messages even under legal compulsion.
  • Phone-number-free accounts — registration via a cryptographic recovery phrase.

Backend

  • FastAPI + SQLAlchemy 2.0 async + asyncpg on PostgreSQL.
  • Redis for pub/sub and sessions, arq for background jobs (TTL media sweep, push fan-out).
  • Stateless WebSocket transport, horizontally scalable behind a sticky-session router.
  • structlog + Prometheus instrumentation.

Mobile

  • Flutter + Dart, Riverpod for state, go_router for navigation.
  • Isar as the encrypted local store.
  • Native platform channels for APNs / PushKit, FCM, CallKit, ConnectionService.
  • Android FLAG_SECURE + iOS screenshot detection with peer notification.
  • flutter_webrtc for 1:1 voice/video, local_auth for biometric unlock.

Frontend / landing

  • Astro 5 + Tailwind 4, statically generated.
  • Bilingual EN / RU with parity enforced through TypeScript discriminated unions.
  • Custom WebGL background shader with DPR-aware rendering and prefers-reduced-motion handling.
  • SVG cryptographic flow diagrams animated via SMIL.
  • Automated Open Graph image generation through sharp.
  • Under 72 KB gzipped per page.

DevOps

  • Multi-stage Docker, Coolify-driven CI/CD on a self-managed Linux server.
  • Per-app GitHub watch-path filtering — pushing to landing never rebuilds the backend.
  • Traefik + Nginx with automatic Let's Encrypt.
  • Hardened CSP / HSTS / X-Frame-Options / Permissions-Policy headers.
  • Staged preview deployments with noindex gating.
  • RFC 9116 security.txt and a coordinated-disclosure flow.