Stats
Links
Categories
Auto-discovered marketplace from manojkgorle/ethmumbai-rok
npx claudepluginhub manojkgorle/ethmumbai-rokEncrypted decentralized memory with hierarchical access control, backed by Fileverse. Read, write, grant, and propose memories — all end-to-end encrypted with scoped key delegation.
A Rust cryptography library implementing a dual-key system with hierarchical read-key delegation, multi-recipient encryption, and post-quantum hybrid support.
The core idea: a spend key (Ed25519) acts as the root of trust—it signs data and derives read keys (X25519). Read keys are scope-bound and hierarchical, enabling fine-grained access delegation without exposing the spend key.
Spend Key (Ed25519)
└── Root Read Key (scope: /)
├── /finance
│ ├── /finance/q1
│ └── /finance/q2
└── /legal
└── /legal/contracts
A key at /finance can decrypt anything at /finance, /finance/q1, /finance/q2—but not /legal. Read keys can be delegated (exported) to third parties who can then derive child keys further, without ever gaining access to parent scopes.
ROK\x01 magic header) and Protocol Buffers.roks file; a /finance key decrypts only the finance section while a root key decrypts everythingzeroize crate┌─────────────────────────────────────────────────┐
│ rok-cli │ rok-mcp │
│ 12 commands, clap CLI │ MCP server for │
│ │ Claude Code │
├──────────────────┬─────────┴────────────────────┤
│ rok-sdk │ │
│ Vault, Pipeline,│ rok-pq │
│ Policy, Identity│ ML-KEM-768 hybrid │
├──────────────────┴──────────────────────────────┤
│ rok-core │
│ Keys, Derivation, Encryption, Envelope, Signing│
└─────────────────────────────────────────────────┘
| Crate | Description |
|---|---|
| rok-core | Cryptographic primitives: key types, HKDF derivation, encryption/decryption, envelope format, signing, Base58 encoding |
| rok-pq | Post-quantum module: ML-KEM-768 encapsulation, X25519+ML-KEM hybrid combiner, and end-to-end hybrid envelope encrypt/decrypt |
| rok-sdk | High-level abstractions: encrypted vault, data pipeline, access policy engine, selective disclosure credentials |
| rok-cli | Command-line interface with 12 commands for key management, encryption, signing, and delegation |
| rok-mcp | MCP server for Claude Code — encrypted memory backed by Fileverse with auto-sync, scoped access, and key delegation |
| Purpose | Algorithm | Details |
|---|---|---|
| Signing | Ed25519 | Spend key signs all envelopes |
| Key agreement | X25519 ECDH | Ephemeral-static for per-envelope shared secrets |
| Post-quantum KEM | ML-KEM-768 | NIST FIPS 203 lattice-based KEM |
| Data encryption | ChaCha20-Poly1305 | AEAD for payload encryption |
| Key wrapping | AES-256-GCM-SIV | Per-recipient data key wrapping |
| Key derivation | HKDF-SHA256 | Domain-separated derivation with unique tags |
| Key identifiers | SHA-256 truncated | First 8 bytes of SHA-256(public_key) |
| Key encoding | Base58Check | Tagged encoding with 4-byte checksums |
Each HKDF derivation uses a unique domain tag to prevent cross-protocol attacks:
| Tag | Purpose |
|---|---|
rok-v1-spend-to-root-read | Spend key to root read key |
rok-v1-read-child-derive | Parent read key to child (step-wise per path component) |
rok-v1-key-wrap | ECDH shared secret to wrapping key |
rok-v1-hybrid-combine | Combine X25519 + ML-KEM shared secrets |
rok-v1-pq-key-derive | Derive PQ key seed from read key secret + scope |
git clone https://github.com/manojkgorle/ethmumbai-rok.git
cd read-only-keys
cargo build --release
The binary is at target/release/rok.
protoc) for proto code generationGenerate a spend keypair and its root read key:
rok keygen --label mykey
Harness-native ECC skills, hooks, rules, MCP conventions, and operator workflows
Claude Code marketplace entries for the plugin-safe Antigravity Awesome Skills library and its compatible editorial bundles.
Production-ready workflow orchestration with 84 marketplace plugins, 192 local specialized agents, and 156 local skills - optimized for granular installation and minimal token usage