# Meshii Protocol
Meshii is the native messaging protocol of Gao Internet. It runs on the Transport Layer (Gao Network) and provides end-to-end encrypted, peer-to-peer messaging for all Gao applications.
Meshii is not a chat app. It is a transport-agnostic, privacy-first messaging infrastructure layer, consumed by any Gao application via `@gao/meshii-sdk` or `sdk.transport` from `@gao/system-sdk`.
Core principle: Zero server knowledge. Zero history by default.
## Architecture

```text
Gao Applications (Workspace, Seal Agent, Payii, Browser...)
        ↓
@gao/system-sdk → sdk.transport
        ↓
Meshii Protocol Layer
├── Crypto:    X3DH + Double Ratchet + Sender Keys (Signal)
├── Transport: WebRTC DataChannel (P2P primary)
└── Relay:     Gao Relay nodes (offline fallback, TTL 7 days)
```
## Crypto Layer
Meshii forks Signal crypto only — not the Signal app, not Signal infrastructure. The crypto layer is transport-agnostic and runs identically over WebRTC, relay, or any future transport.
| Primitive | Algorithm | Purpose |
|---|---|---|
| Key agreement | X3DH | Session init between two parties |
| Message encryption | Double Ratchet | 1:1 DM with forward secrecy |
| Group encryption | Sender Keys | Group chat (N members) |
| Symmetric cipher | ChaCha20-Poly1305 AEAD (a Meshii choice; upstream libsignal session messages use AES-256-CBC with HMAC-SHA256, so this diverges from the forked base) | Message body |
| Signing | Ed25519 | Identity key, device key |
Key hierarchy (SPK and OPK are both published under IK; session keys come out of the X3DH agreement):

```text
Identity Key (IK)           ← Ed25519, tied to Gao Domain or Passkey
├── Signed PreKey (SPK)     ← X25519, signed by IK, rotated every 7 days
├── One-Time PreKeys (OPK)  ← X25519, single use, uploaded in batches of 100
└── Session Keys (DR)       ← per conversation, derived via X3DH, forward secret
```
---
## Transport Layer
### WebRTC DataChannel (Primary)
When both parties are online, messages travel directly peer-to-peer via WebRTC DataChannel. No relay involved.
```text
Alice → Signaling Server (SDP/ICE exchange only) → Bob
Alice ←══════ WebRTC DataChannel (E2EE) ══════════→ Bob
```
The signaling server exchanges SDP offers/answers and ICE candidates only — it never touches message content.
**A TURN server is required** for production. Without one, users behind symmetric NAT (roughly 30% in typical deployments) cannot establish a direct P2P connection and every message for them falls back to the relay.
### Gao Relay (Fallback)
When a recipient is offline or P2P fails, messages route through Gao Relay nodes:
```text
Sender → Gao Relay Node → [encrypted queue] → Recipient (when online)
```
Relay stores only:
- **Routing tag** — opaque recipient identifier (not plaintext)
- **Ciphertext** — Signal-encrypted, relay cannot decrypt
- **TTL** — maximum 7 days
Relay does NOT store sender identity in plaintext, message content, or conversation history.
**Delete-on-delivery:** When recipient acknowledges receipt (ACK), relay deletes the envelope immediately — before returning the ACK response. TTL 7 days is a safety net only, not normal behavior.
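An in-memory model of the relay queue described above, added here as a TypeScript example (not Gao Relay's code). It stores exactly the three fields the page lists, deletes on ACK before the ACK response is returned, and keeps the 7-day TTL sweep as the safety net. The envelope shape, the `pull` step and the clock injection are assumptions made for the example.

```typescript
import { randomUUID } from 'node:crypto'

export const RELAY_TTL_MS = 7 * 24 * 60 * 60 * 1000   // page: 7-day TTL is a safety net, not normal behaviour

// Assumption: envelope shape is a model; the page names only routing tag, ciphertext and TTL.
export interface Envelope {
  id: string
  routingTag: string        // opaque recipient identifier; no sender field exists to store
  ciphertext: Uint8Array    // Signal-encrypted body; the relay cannot decrypt it
  expiresAt: number         // ms since epoch
}

export class RelayQueue {
  private queues = new Map<string, Envelope[]>()
  constructor(private readonly now: () => number) {}   // injected clock so TTL behaviour is testable

  // Sender → relay. Only the fields above are retained.
  enqueue(routingTag: string, ciphertext: Uint8Array): string {
    const env: Envelope = { id: randomUUID(), routingTag, ciphertext, expiresAt: this.now() + RELAY_TTL_MS }
    const q = this.queues.get(routingTag) ?? []
    q.push(env)
    this.queues.set(routingTag, q)
    return env.id
  }

  // Recipient comes online and pulls its queue. Nothing is deleted yet: deletion is tied to the ACK,
  // so a connection dropped mid-download does not lose the message.
  pull(routingTag: string): Envelope[] {
    const t = this.now()
    return (this.queues.get(routingTag) ?? []).filter(e => e.expiresAt > t)
  }

  // Delete-on-delivery: remove the envelope first, then return the ACK response, so there is no
  // window in which the relay has confirmed delivery but still holds a copy.
  ack(routingTag: string, id: string): { acked: boolean } {
    const q = this.queues.get(routingTag) ?? []
    const i = q.findIndex(e => e.id === id)
    if (i === -1) return { acked: false }
    q.splice(i, 1)
    if (q.length === 0) this.queues.delete(routingTag)   // drop the tag too: nothing remains after ACK
    return { acked: true }
  }

  // Safety net for envelopes that were never ACKed within the TTL. Returns how many were dropped.
  sweep(): number {
    const t = this.now()
    let dropped = 0
    this.queues.forEach((q, tag) => {
      const live = q.filter(e => e.expiresAt > t)
      dropped += q.length - live.length
      if (live.length === 0) this.queues.delete(tag)
      else this.queues.set(tag, live)
    })
    return dropped
  }

  stored(): number {
    let n = 0
    this.queues.forEach(q => { n += q.length })
    return n
  }
}
```

Note what is absent: there is no sender field, no per-conversation index and no delivered-message log, so even a full dump of this structure yields only pending ciphertext keyed by opaque tags.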
---
## Privacy Model
|What relay sees |What relay cannot see |
|---------------------|------------------------------|
|Routing tag (opaque) |Message content |
|Ciphertext |Sender identity (in plaintext)|
|TTL timestamp |Conversation history |
|Network metadata (IP)|Anything after ACK |
> **Note on network metadata:** The relay never receives sender identity inside an envelope payload, but network-layer metadata (source IP address, connection timing) still exists at the infrastructure level. Operators should anonymize or truncate IP addresses in relay logs and keep log retention short; this is an operational control, not something the protocol itself enforces.
---
## Storage Options
Messages default to **zero storage** — they exist only in RAM during the session and are deleted from relay immediately on delivery.
|Mode |Location |Cost |Who controls|
|----------------|------------------------|----------|------------|
|`none` (default)|RAM only — lost on close|Free |— |
|`local` |Device encrypted storage|Free |User |
|`depin` |GaoStorage (DePIN) |Pay per GB|User |
Users choose their storage mode explicitly. Gao Infrastructure cannot read encrypted content in any mode.
---
## Spam Gating
Without a network-level spam filter, Meshii implements its own gating:
**A stranger cannot message you unless:**
- They have a **Contact Token** (one-time invite link you generated), or
- You already have each other as mutual contacts
Unknown senders are routed to a **Request Inbox** with a 48-hour TTL — shorter than the normal 7-day relay TTL.
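The gating rule above as an added TypeScript example (not Meshii's code): mutual contacts go straight through, a valid unused Contact Token is burned and admits the sender, and everything else lands in the Request Inbox with the 48-hour TTL. Assumptions: redeeming a token records the pair as contacts on both sides, tokens are random hex strings, and a reused or foreign token is treated like no token at all rather than dropped.

```typescript
import { randomBytes } from 'node:crypto'

export const REQUEST_INBOX_TTL_MS = 48 * 60 * 60 * 1000   // page: shorter than the 7-day relay TTL

export type Route = { inbox: 'main' } | { inbox: 'request'; ttlMs: number }

export class SpamGate {
  private contacts = new Map<string, Set<string>>()                     // owner -> contact set
  private tokens = new Map<string, { owner: string; used: boolean }>()   // one-time invite tokens

  addContact(owner: string, peer: string): void {
    const s = this.contacts.get(owner) ?? new Set<string>()
    s.add(peer)
    this.contacts.set(owner, s)
  }

  // Mutual means both sides hold the other as a contact; a one-way entry is not enough.
  isMutual(a: string, b: string): boolean {
    return (this.contacts.get(a)?.has(b) ?? false) && (this.contacts.get(b)?.has(a) ?? false)
  }

  // Owner generates an invite link; the token is the secret part of that link (assumption: 128-bit random hex).
  mintContactToken(owner: string): string {
    const token = randomBytes(16).toString('hex')
    this.tokens.set(token, { owner, used: false })
    return token
  }

  // Decide where an inbound message from `sender` to `recipient` goes.
  route(sender: string, recipient: string, token?: string): Route {
    if (this.isMutual(sender, recipient)) return { inbox: 'main' }
    if (token !== undefined) {
      const t = this.tokens.get(token)
      // The token must have been minted by the recipient and never redeemed before.
      if (t && !t.used && t.owner === recipient) {
        t.used = true                               // burn first, then grant, so a replay never succeeds
        this.addContact(recipient, sender)          // assumption: redemption makes the pair mutual contacts
        this.addContact(sender, recipient)
        return { inbox: 'main' }
      }
    }
    return { inbox: 'request', ttlMs: REQUEST_INBOX_TTL_MS }
  }
}
```

The order inside the token branch matters: marking the token used before adding the contact means a concurrent second redemption attempt with the same token fails even if the contact write is slow.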
---
## Group Messaging
Group messages are fanned out as **N individual envelopes** — one per member — using Sender Keys encryption. The relay has zero knowledge of group membership.
Each member’s envelope is deleted independently when that member acknowledges receipt. No shared group history on the relay.
Key rotation triggers:
- New member joins → existing members re-key
- Member leaves → full group re-key
- Every 100 messages or 7 days (whichever first)
---
## Developer Integration
Use `sdk.transport` from `@gao/system-sdk`:
```typescript
import { sdk } from '@gao/system-sdk'   // import form assumed; the page only names `sdk.transport`

// Send a message
await sdk.transport.message.send({
  to: 'alice.gao',
  content: 'Hello!',
  encrypted: true, // default true; keep the default so the message goes through the Meshii crypto layer
})

// Receive messages. Keep the handle and call unsub() when the subscriber is torn down.
const unsub = sdk.transport.message.subscribe((msg) => {
  console.log(msg.decrypted.content)
})

// Agent sends as bot identity (agentId, recipientTag and content are placeholders)
await sdk.transport.message.sendAsAgent(agentId, recipientTag, content)
```

For standalone messaging apps, use `@gao/meshii-sdk` directly. See Developer → SDK Guide → sdk.transport.