In scope — guarantees this product makes:

• Confidentiality of your vault contents (documents, notes, metadata) against a server operator with full database access.
• Plausible deniability via the decoy vault — a coercer who obtains the decoy password cannot prove the real vault exists.
• Recovery through secret-shared trusted contacts, without the server ever learning your recovery key.
• Sharing to non-Inktally recipients without leaking the shared resource to the server.
• Triggered release with server-assisted delivery: resources designated for release are held under our key between arming and delivery so recipients who have never used Inktally can still receive them. Every delivery is audit-logged; everything else in your vault stays end-to-end encrypted. (For fully server-blind delivery, the executor-assisted mode — coming soon — keeps our servers out of the loop entirely.)
• A tamper-evident audit log that detects server-side edits to your history.

Out of scope — what we do NOT defend against:

• An adversary who controls your device at the moment you unlock. If your endpoint is compromised, no server-side design can save the plaintext you just decrypted.
• Side-channel attacks against your hardware (cache timing, Spectre/Meltdown, fault injection).
• Quantum adversaries — XChaCha20-Poly1305 and X25519 are not post-quantum.
• Availability — we are a confidentiality and integrity product, not a high-availability one. DoS and outages are not in this model.
• Legal compulsion of the server to start logging new data going forward. Past data stays encrypted; future collection is a surface this product can’t close.

The decoy vault carries the highest-capability adversary, so it has the strictest invariants. Each is enforced in code and covered by tests:

• Constant-shape login. The login endpoint always returns exactly two vault blobs, in randomised order — whether or not the email is registered, whether or not a decoy was set up, and whether or not it was later disabled. Verifier comparison runs in constant time against both rows.
• No surface reveals the vault kind. No header, body field, status code, or URL differs between a real and a decoy session for the same operation. Cross-vault access collapses to a 404 (“not found”), never a 403 — a 403 would confirm the resource exists.
• One-transaction disable. Disabling the decoy deletes every decoy-scoped resource in a single database transaction and resets the decoy row to a deterministic placeholder.
• Manual-only triggers in a decoy session. A decoy session can’t configure automatic (dead-man’s-switch or scheduled) triggers — only owner-initiated ones — so the decoy can never auto-release and expose its own existence.
• Indistinguishable timing. We continuously measure how long the server takes on the real-password path vs the decoy-password path; the medians must stay within 1.5× or the release is blocked. In our benchmarks the ratio is ~1.06×.

• Recovery. Shamir secret sharing with a threshold you choose: any k of your n trusted contacts (k ≥ 2) can authorize a reset; fewer cannot, and neither can we. The server only ever stores ciphertext shares; the quorum coordinates out-of-band.
• Sharing. The claim link is single-use, time-bounded, and stored only as a hash. The actual file key never sits in plaintext on the server — your client re-wraps it to the recipient’s public key; their client unwraps it with their private key.
• Triggers. When a release fires, Inktally delivers a sealed envelope to the recipient — not plaintext. For owners who pre-armed escrow, the server briefly holds an encrypted copy of the resource key between arming and delivery, then re-seals it to the recipient's own key. After delivery only the recipient can decrypt; the server retains no useful key material. Manual shares from a living owner follow the same server-blind re-wrap pattern as ordinary sharing above.