MVP architecture
Trusted clients, desktop apps, and the CLI own Git transport, local diff and review rendering, device key storage, and repo content key unwrapping. They send encrypted chunks and signed events to an untrusted HushGit server that stores encrypted chunks, manifests, keyrings, and append-only signed event logs.
Current local remote layout
The incremental proof of concept and current Rust port still use a local filesystem remote while server-backed storage is being shaped. That remote has plaintext format and stable repo identity in config, plus encrypted signed refs, HEAD, pack manifests, and encrypted Git pack chunks.
Target server storage model
The target server stores encrypted manifests, encrypted ref logs, encrypted pack chunks, encrypted keyrings, and signed events. The server may index opaque identifiers, but plaintext names and Git metadata stay inside encrypted manifests unless explicitly accepted in the threat model.
Rust owns the security-critical path: git-remote-hushgit and hushgit-git for transport, hushgit-crypto for envelopes, hushgit-keys for key hierarchy, hushgit-events for signed events, hushgit-server plus OpenAPI for the server API, and hushgit-runner for self-custodied CI.