Decision Matrix — all candidates, one table¶
Validation status: [HYPOTHESIS] — scores are a working synthesis against MPowerUP's stated non-negotiables (see index). Architecture/license facts are sourced (2026) in the per-branch notes; the ratings are judgment calls, not pilot data.
Legend. Non-negotiables: ✅ meets · ⚠️ partial/conditional · ❌ fails. Zone axes (content confidentiality / metadata resistance / network-identity): Strong · Medium · Weak. "Off" = offline-first, "E2E" = E2E + local-only keys, "NoSrv" = no central server, "Circle" = keypair identity + private-group model, "Vuln" = vulnerable/low-literacy/budget-Android, "Batt" = battery-conscious, "Refurb" = refurb-hardware viable.
Apps¶
| Candidate | Shape | Off | E2E | NoSrv | Circle | Vuln | Batt | Refurb | Content | Meta | Net-ID | License | Verdict |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Briar ⭐ | P2P+Tor+mesh | ✅ | ✅ | ✅ | ⚠️ | ⚠️ | ⚠️ | ✅ | S | S | S | GPLv3 | Study/fork; interim referral — only true offline tier |
| SimpleX ⭐ | No-identifier | ⚠️ | ✅ | ✅ | ⚠️ | ⚠️ | ⚠️/❌ | ✅ | S | S | M | AGPLv3 | Design exemplar; interim referral — AGPL+Haskell block embedding |
| Cwtch ⭐ | Tor groups | ❌ | ✅ | ✅ | ✅ | ⚠️ | ⚠️/❌ | ⚠️ | S | S | S | MIT | Study libcwtch — best group-metadata; funding-fragile |
| Jami | P2P/DHT | ⚠️ | ✅ | ✅ | ✅ | ⚠️ | ❌ | ✅ | S | M | W | GPLv3 | Mature but IP-exposed + battery-heavy |
| Berty | P2P/BLE | ✅ | ⚠️ | ✅ | ✅ | ⚠️ | ❌ | ✅ | W | M | S/M | Apache/MIT | Study Wesh BLE-mesh — not hardened crypto |
| Delta Chat | Email/PGP | ⚠️ | ✅ | ⚠️ | ⚠️ | ✅ | ⚠️ | ✅ | S | M/S | M | MPL/GPL | No-new-infra exemplar; needs a mailbox |
| Quiet | Tor+libp2p | ❌ | ✅ | ✅ | ✅ | ⚠️ | ❌ | ⚠️ | S | M/S | S | GPLv3 | Closest prior-art to MPowerUP; not audited |
| Session | Oxen onion | ❌ | ⚠️ | ⚠️ | ⚠️ | ✅ | ✅ | ✅ | M | M/S | M | GPLv3+token | Best UX; no PFS + 2026 consensus attack |
| Conversations (XMPP) | Federated | ❌ | ⚠️ | ❌ | ❌ | ✅ | ⚠️ | ✅ | S/M | W | W | GPLv3 | Best budget-Android federated; server-bound |
| Element (Matrix) | Federated | ❌ | ⚠️ | ❌ | ❌ | ⚠️ | ❌ | ✅* | AGPL | — | — | AGPL | Server mandatory; mine matrix-sdk-crypto |
| Tox (aTox) | P2P/DHT | ❌ | ⚠️ | ✅ | ⚠️ | ❌ | ❌ | ✅ | M | M | W | GPLv3 | Reject — unaudited/alpha crypto + IP |
| Manyverse (SSB) | P2P gossip | ✅ | ⚠️ | ✅ | ⚠️ | ❌ | ⚠️ | ⚠️ | W | W | W | MPL/MIT | Reject — permanent logs + abandoning |
| Mastodon/AP | Federated | ❌ | ❌ | ❌ | ❌ | ⚠️ | ❌ | ✅* | W | W | W | AGPL | Reject — no E2E; public-social only |
| OnionShare | Tor ephemeral | ❌ | ✅ | ✅ | ❌ | ⚠️ | ✅ | ⚠️ | S | S | S | GPLv3 | Narrow — anonymous file/secret-drop primitive |
| Ricochet-Refresh | Tor 1:1 | ❌ | ✅ | ✅ | ❌ | ❌ | ⚠️ | ⚠️ | S | S | S | BSD | Reject — 1:1 only, no Android, no async |
| Matrix-P2P/Pinecone | P2P exp. | ⚠️ | ✅ | ✅ | ⚠️ | ❌ | ❌ | ❌ | S* | W | W | Apache | Reject — dormant 2022 + unpatched CVE |
* server-side / component only.
Substrate & primitives (reuse, not whole-app adoption)¶
| Primitive | Layer | RN/mobile path | License | Recommendation |
|---|---|---|---|---|
| Iroh | Transport (QUIC + relay) | Rust→FFI, official Android/iOS | Apache/MIT | Pilot-spike — best libp2p alternative |
| OpenMLS / MLS (RFC 9420) | Group encryption | Rust→FFI | MIT/Apache | Pilot-spike — PCS upgrade; gate = P2P delivery |
| Arti (client side) | Tor transport | Rust crate | MIT/Apache | Spike — adds network-identity axis |
| matrix-sdk-crypto | Group E2E (Olm/Megolm) | Rust + Kotlin/Swift/JS | Apache | Evaluate — network-free, hardened |
| VCs (SD-JWT-VC) | Identity (Phase 4) | JS | permissive | Adopt (Phase 4) on existing did:key |
| did:key (current) | Identity | already in RN | — | Keep |
| Yjs (current) | Sync engine | already in RN | MIT | Keep |
| WebRTC (current) | Transport | already in RN | — | Keep as baseline |
| Automerge / Loro | Sync engine | WASM-in-RN | MIT | Watch — only if history/payload-size needs arise |
| Veilid | Transport (private) | Flutter-first | MPL | Watch — demo-grade, no RN |
| Hypercore/Bare | Transport+sync | RN-UI on Bare runtime | Apache | Watch — re-platform, study Keet |
| nostr-tools | Public-broadcast layer | JS/TS, native | MIT | Watch — only for a future Z2/Z3 layer |
| go-libp2p/gomobile | Transport | unmaintained binding | MIT | Reject — Iroh dominates |
| libsignal | 1:1 encryption | no official RN | AGPL | Reject — AGPL + group mismatch |
| Meshtastic (LoRa) | Off-grid bearer | BLE bridge from RN | GPL (separate device) | Pilot — off-grid Z0; needs hardware |
| Reticulum | Off-grid stack | Python, no RN | MIT-ish | Watch — bus-factor |
| Ditto | Sync+mesh | SDK | proprietary | Reject for core — reference only |
Reading the matrix — the three patterns¶
- The offline column is almost empty. Only Briar (✅ mature), Berty (✅ alpha), and Manyverse (✅ but rejected on other grounds) genuinely work with no internet. This is the gap the field can't fill off-the-shelf — and the reason MPowerUP's own libp2p/Yjs mesh (or a Briar-pattern BLE tier) remains necessary.
- Strong-on-all-three-axes clusters in the Tor apps (Briar/Cwtch/OnionShare) — they pay in battery and (except Briar) offline capability.
- The reusable primitives are mostly permissive and Rust-core+FFI — exactly the integration path that doesn't repeat the js-libp2p failure. The build-vs-adopt answer is "build the app, adopt the primitive."
→ The synthesized decision is in the reconsideration verdict.