Security Architecture
Guff behaves like a city of locked rooms. Every room has a purpose. Every door has a boundary. Every private moment moves through the system with discipline: encrypted, routed blindly, viewed deliberately, and designed to vanish.
Private by architecture
This is the central engineering decision behind Guff. The app is not built as one giant bucket of messages, media, identity, and behavior. It is separated into clear zones so private content, viewing behavior, device protection, and delivery work do not casually leak into one another.
That separation is what makes Guff feel simple on the surface and strict underneath. You talk to one trusted Gufaadi. The architecture quietly enforces restraint in the background.
The four-zone model
Guff separates the product into four plain-language zones. Each zone does one job, and each boundary exists to reduce what any single part of the system can know.
Mask is the visible app: screens, buttons, navigation, and the calm experience you touch. It presents the conversation, but it does not become the place where private content secrets, raw keys, or deep security decisions casually live.
PAL works with the phone itself. It handles device-level protections such as secure storage, biometric convenience, screen-capture signals where supported, lifecycle events, permissions, notifications, and platform-specific safety behavior.
Face owns sensitive local lifecycle decisions. It handles the stricter side of encrypted local behavior, key lifecycle, media handling, and GhostLock-governed decisions so the ordinary interface does not become the keeper of private truth.
Courier moves encrypted packets, applies expiry rules, supports abuse resistance, and keeps lawful operational records under documented limits. Courier delivers the sealed packet, but it does not hold the private content keys. Guff’s server cannot read private message or media plaintext even if it wants to.
Engineering decision
A normal messaging product can become a giant searchable warehouse: messages, media, previews, logs, contacts, delivery state, user behavior, and product analytics all sitting too close together.
Guff goes the other way. It behaves like a city of locked rooms. The room that draws the interface does not need to hold the keys. The room that delivers packets does not need to read the message. The room that handles device behavior does not need to become a social graph. The room that protects content does not need to sell attention.
GhostLock Protocol
GhostLock is Guff’s ephemerality engine. It gives private content a strict journey: created with restraint, delivered as encrypted content, revealed deliberately, timed from the moment viewing begins, expired according to rule, and made unusable when its private life is over.
This matters because disappearing messages should not be theatre. A timer animation means little if the product quietly keeps usable copies, leaves careless residue, or lets viewing rules be bypassed by sloppy state handling. GhostLock turns vanishing into an engineering behavior that can be reviewed, tested, and enforced.
Messages and media are treated as temporary private objects from the beginning.
Private moments are viewed through controlled interactions such as touch-to-view or hold-to-reveal.
The private lifetime is governed by reveal and expiry discipline, not by a cosmetic timer.
When the private moment is over, the system is designed around purge, erasure, and residue reduction.
Watchman Shield
Watchman Shield is Guff’s protected-viewing discipline. It exists for the real world: crowded rooms, shoulder-snooping, screen recording attempts, unsafe viewing conditions, coercive pressure, and intimate content that can be abused if copied casually.
Guff treats viewing as a sensitive moment. Watchman helps make private media harder to expose by accident, harder to capture casually, and clearer to control under pressure. It supports the product’s fight against coercion, intimidation, sextortion, and careless private-content leakage.
Safety through restraint
Public discovery, groups, forwarding, feeds, and searchable profiles all increase the surface area for misuse. Guff removes those pressures from the product shape. One invite. One Gufaadi. One private connection. No audience.
That restraint matters in uncomfortable situations. A private product should not make it easy for someone to discover, pressure, capture, forward, or weaponize intimate content. Guff’s architecture makes private communication narrower, more deliberate, and harder to turn into public spectacle.
Content-blind routing
Guff’s backend behaves like a content-blind courier. It can help move encrypted packets, apply expiry rules, support reliability, and enforce abuse controls. But the server does not hold the private content keys. It cannot read private message or media plaintext even if it wants to.
What Guff refuses
Guff is not trying to become every app. Its power comes from saying no to features that make private one-to-one communication noisy, searchable, addictive, or exposed.
Simple outside. Strict underneath.
Architecture is not decoration here. It is the product boundary: one-to-one connection, content-blind delivery, GhostLock ephemerality, Watchman protected viewing, and deliberate refusal of the social-network machine.
Guff