
Case: SN / 022 · Class: Field Intel · Egress: Zero

Some notes should never
exist anywhere but
your own device.

One stolen phone is a betrayed source. ShadowNotes runs the entire AI pipeline, voice capture, transcription, and structured extraction inside the browser. Nothing is sent. Nothing is logged. Nothing is shared. Built for journalists, auditors, doctors and incident responders.

  • 0 · Bytes leave the device
  • 231 · Tests across 18 files
  • 600K · PBKDF2 iterations
  • 4 · Domain profiles
  • ~810 MB · On-device LLM, OPFS-cached

Act I · The Stakes

Cloud AI is fast.
It is also completely unacceptable.

Professionals handling classified, HIPAA-protected or legally privileged information face an impossible choice: cloud AI tools that exfiltrate every word, or offline tools with no intelligence at all.

Subject 01

Investigative journalist

One stolen phone. One betrayed source. One assassination.

Subject 02

Rural physician

No internet, no clinic system, but every word is HIPAA-class.

Subject 03

Legal practitioner

Deposition in real time. Attorney-client privilege at every word.

Subject 04

Security auditor

Vulnerabilities mid-engagement. Data must not leave the building.

Subject 05

Incident responder

Disaster site, no signal, classified intelligence streaming in.

Subject 06

You, three weeks from now

A note you will be glad nobody else ever saw.

Act II · The Promise

Voice in.
Structured intelligence out.
Network: never engaged.

Act III · Why ShadowNotes Is Different

Pick one column.
Carefully.

| Feature                  | Cloud AI (ChatGPT, Otter) | Encrypted Notes (Standard Notes) | ShadowNotes       |
|--------------------------|---------------------------|----------------------------------|-------------------|
| AI extraction            | Yes (cloud)               | No                               | Yes (on-device)   |
| Works offline            | No                        | Yes                              | Yes               |
| Zero data transmission   | No                        | Partial                          | 100%              |
| Domain-aware extraction  | No                        | No                               | 4 specialised     |
| Streaming AI feedback    | Yes (cloud)               | N/A                              | Yes (local WASM)  |
| Ephemeral mode           | No                        | No                               | Built-in          |

Act IV · Four Domains, Four Hindi Names

Each profile carries a name from India's heritage.

Domain 01 · Medical

Sanjeevani · the life-giving herb

Symptoms, diagnoses, medications, vitals, follow-up. Speech-error correction tuned to Indian pharmacology.

"Tell me Satin" → Telmisartan · "parse atomol" → Paracetamol

Domain 02 · Security

Kavach · the divine shield

Vulnerabilities, timeline, evidence, affected systems, risk assessment. Clean exports for blue teams.

"sequel injection" → SQL injection · "cross site" → XSS

Domain 03 · Legal

Nyaaya · the path of justice

Key statements, timeline, parties involved, contradictions, exhibits. Privileged from line one.

"hay BS corpus" → habeas corpus

Domain 04 · Incident

Prahari · the vigilant sentinel

Incident timeline, witnesses, damage assessment, root cause, next steps. Disaster-site capable, fully offline.

Domain-aware context, structured per-finding output.

Act V · The Vault

Defence in depth, line one to last.

  • AES-256-GCM with per-case HKDF-derived keys for compartmentalised storage.
  • WebAuthn + PRF extension via Windows Hello, Touch ID or Face ID for key material.
  • PBKDF2 at 600,000 iterations for the passphrase fallback. Brute-force backoff between attempts: 5s, 15s, 30s, 60s.
  • Schema validation on every decrypted payload before use, no silent corruption.
  • CSP, HSTS, COOP, COEP, Permissions-Policy headers from line one.
  • OPFS storage: models in the browser's private filesystem, isolated per origin.
  • GPU crash recovery: WebGPU is detected at startup; if it crashes, inference falls back to the CPU backend automatically.
  • DESTROY mode: cinematic burn animation, total state wipe, zero-trace exit.

Act VI · Proof

It already works.

Live · shadownotes.dmj.one

Production deployment. Chrome 96+ or Edge 96+ recommended. PWA, installable, full offline support after first load.

231 tests · 18 files · zero mocking

Unit tests on extraction, crypto, auth, vault, domains, voice commands. Integration tests across all four domain lifecycles.

RunAnywhere Vibe Challenge

Built for the ThoughtWorks Technologies hackathon at GGSIPU Delhi. Twenty-plus load-bearing features across three RunAnywhere SDK packages.

WCAG 2.2 · 172+ ARIA attributes

Keyboard-navigable, screen-reader-friendly, reduced-motion respected. Three-step onboarding tutorial with full a11y.

The Stack

Three SDK packages. Two WASM backends. One device.

  • React 19
  • TypeScript 5.9 strict
  • Vite 7
  • RunAnywhere SDK
  • Qwen2.5 0.5B
  • Gemma 3 1B
  • SmolLM2 135M
  • Whisper Tiny
  • Silero VAD
  • Piper TTS
  • llama.cpp WASM
  • ONNX Runtime
  • WebCrypto + AES-GCM
  • WebAuthn + PRF
  • Vitest 4 · 231 tests
  • Electron 35 desktop

If a browser can keep a source safe, your product can too.

I build privacy-architected AI products that prove themselves with a network monitor open. If your domain has secrets, talk to me.