Trust Model

On the web, you trust a site because your browser trusts a certificate authority, which trusts the site’s TLS certificate. This chain is invisible and out of your control.

In HAVI, trust is explicit. You decide which cryptographic keys can run JavaScript for each group/app combination. This decision is stored as a packet in your local repository—visible, auditable, and under your control.

The Problem

When you visit hppr://photos/viewer/index.html, how do you know the content is safe to execute?

Anyone can publish packets. Without trust decisions, HAVI would either run all JavaScript (dangerous) or none (useless). The trust model lets you say: “I trust content signed by Alice’s key for the photos/viewer app.”

Site-Trust Packet

A site-trust packet lists the keys you trust for a specific group/app.

Coordinate: //<group>/<app>/site-trust/|/seal/<your-admin-key>

Format:

Group: photos
App: viewer
Location: site-trust
Member: V.alice~key...H3
Member: V.bob~key...H3

When you visit hppr://photos/viewer/, HAVI resolves this membership list (using the MEMBERS command, which supports Member-Delegate: for delegation chains). If the page’s signature matches a trusted key, JavaScript runs. If not, the page loads but scripts are blocked.

Route Packet

Routes tell HAVI where to find content. They’re separate from trust—knowing where to fetch something doesn’t mean you trust what you’ll get.

Coordinate: //<group>/<app>/route/|/seal/<your-admin-key>

Headers:

Upstream-Address: photos.example.com:4777
Upstream-Verification-Key: V.server~key...H3

The verification key lets HAVI confirm it’s talking to the expected server, but the server key is not automatically trusted for content—only the site-trust packet controls that.

How Resolution Works

When you navigate to hppr://photos/viewer/gallery:

  1. Find the route: Look up //photos/viewer/route/| in your local repository
  2. Connect: Use Upstream-Address to reach the server
  3. Resolve trust: Look up //photos/viewer/site-trust/| and expand members
  4. Fetch content: If site-trust has members, request //photos/viewer/gallery/|/seal/<first-trusted-key>; otherwise request without a seal selector
  5. Verify: Check the packet’s signature against trusted keys
  6. Render: Allow JavaScript only if the signature is trusted
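As an added illustration (not HAVI's own code), the following Python models steps 1 to 6 over a constructed local repository holding the site-trust and route packets shown above. Signature verification is reduced to comparing the page's signing key name against the Member list; the host, key names and paths are constructed for the example.

```python
# Added example, not HAVI's own code: a minimal model of the six
# resolution steps. The packet texts, key names and upstream host are
# constructed; the seal check is stubbed as a key-name comparison
# (a real client verifies the seal cryptographically).

# Constructed local repository: coordinate -> packet text.
LOCAL_REPO = {
    "//photos/viewer/site-trust/|": (
        "Group: photos\nApp: viewer\nLocation: site-trust\n"
        "Member: V.alice~key...H3\nMember: V.bob~key...H3\n"),
    "//photos/viewer/route/|": (
        "Upstream-Address: photos.example.com:4777\n"
        "Upstream-Verification-Key: V.server~key...H3\n"),
}


def parse_headers(text):
    """Parse 'Name: value' lines; a repeated header (e.g. Member) becomes a list."""
    headers = {}
    for line in text.splitlines():
        if line.strip():
            name, _, value = line.partition(":")
            headers.setdefault(name.strip(), []).append(value.strip())
    return headers


def resolve(repo, group, app, path, page_signer):
    """Return (upstream address, request coordinate, scripts_allowed)."""
    route = parse_headers(repo.get(f"//{group}/{app}/route/|", ""))       # step 1
    upstream = route.get("Upstream-Address", [None])[0]                    # step 2
    trust = parse_headers(repo.get(f"//{group}/{app}/site-trust/|", ""))  # step 3
    members = trust.get("Member", [])
    coord = f"//{group}/{app}/{path}/|"                                    # step 4
    if members:
        coord += f"/seal/{members[0]}"
    # Steps 5 and 6: only a key listed in THIS group/app's site-trust packet
    # unlocks JavaScript. The route's Upstream-Verification-Key never does,
    # and a key trusted for another app does not carry over (separate origin).
    scripts_allowed = page_signer in members
    return upstream, coord, scripts_allowed


if __name__ == "__main__":
    print(resolve(LOCAL_REPO, "photos", "viewer", "gallery", "V.alice~key...H3"))
    print(resolve(LOCAL_REPO, "photos", "viewer", "gallery", "V.server~key...H3"))
    print(resolve(LOCAL_REPO, "photos", "editor", "index.html", "V.alice~key...H3"))
```

The third call shows the origin boundary from the Security Boundaries section: Alice's key is trusted for photos/viewer, but with no site-trust packet for photos/editor her scripts stay blocked there.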

Initial Setup

The first time you visit a new server (via direct endpoint like hppr:[192.168.1.5:4777]//photos/viewer/), HAVI redirects to the setup flow:

  1. Fetch the server’s HELLO greeting
  2. Fetch the remote site-trust via MEMBERS
  3. Show you the server details for review
  4. If you accept: store the route and site-trust packets locally
  5. Navigate to hppr://photos/viewer/

After setup, future visits use your local trust configuration. The server can’t change who you trust—only you can, by modifying your site-trust packet.

Security Boundaries

Each //<group>/<app>/ combination is its own security origin, like a separate domain on the web. Two apps signed by the same key are still cross-origin to each other. This prevents a compromised app from accessing another app’s data.

Revocation

To stop trusting a key:

Changes take effect on the next page load.