Secure Private Cloud NAS Operating System
RockZeroOS is a high-performance, secure cross-platform private cloud NAS operating system. The backend is built entirely in Rust using Actix-web; its cryptographic stack comprises WPA3-SAE key exchange, EdDSA (Ed25519) JWT authentication, AES-256-GCM encryption, and BLAKE3 integrity verification. The frontend is a Flutter cross-platform client supporting Android, iOS, Windows, macOS, Linux, and Web, with Material Design 3 UI optimized for low-power ARM SoCs (Snapdragon 835 class).
- Dashboard — System overview with CPU, memory, disk, network monitoring, and chronograph-style speed test
- File Manager — Browse disks, navigate directories, upload/download files, LAN file transfer, WebDAV, network shares
- Video Playback — SAE-encrypted HLS streaming with session-based authentication and AES-256-GCM segment encryption (PMK → HKDF-BLAKE3 → AES-GCM), codec-aware adaptive timeouts (30s H.264/120s AV1), on-demand seek segment generation for VP9/AV1 transcode, PTS timestamp normalization (-fflags +genpts+discardcorrupt -avoid_negative_ts make_zero) + client-side offset detection for MKV sources with non-zero start time
- Game Center — Multi-platform gaming hub with Steam, Epic Games, WeGame, Ubisoft Connect, Xbox native store integration (no WebView), unified game library, daily Top 30 recommendations, and built-in SteamDB viewer
- WASM Runtime — Run WebAssembly applications and scripts via Wasmtime, including built-in SteamDB viewer (name + AppID dual search), M3U8 video downloader (custom save directory), and Steam P2P connection analyzer (with NAT type help docs)
- Storage Management — Smart formatting (ext4/XFS/Btrfs/exFAT), auto mount, partition management, SMART monitoring, secure erase
- Hardware Transcoding — Auto-detected FFmpeg hardware acceleration (VAAPI, V4L2 M2M, Rockchip MPP)
- Security — FIDO2/WebAuthn, wallpaper customization with glassmorphic blur (BackdropFilter high-contrast frost), dynamic color (80% wallpaper + 20% system), Reed-Solomon + CRC32 secure storage, Bulletproofs ZKP for authentication
- MD3 Expressive Components — Custom loading indicators (starburst spinner, wavy progress, pulsing dots, segmented spinner), secure connection shield animation for SAE handshake, buffering overlay with rotating dot ring
- Edge-to-Edge UI — Full-screen gesture navigation support on Android, transparent system bars, predictive back gestures
flowchart TB
subgraph Client["Flutter Client"]
A[User Login] --> B[EdDSA JWT Auth]
B --> C[SAE Handshake]
C --> D[Session Auth]
end
subgraph Server["Rust Backend"]
E[JWT Verification] --> F[SAE Key Exchange]
F --> G[PMK Derivation]
G --> H[AES-256-GCM Encryption]
end
B --> E
C --> F
D --> H
style Client fill:#e1f5fe
style Server fill:#fff3e0
| Feature | Technology | Description |
|---|---|---|
| JWT Authentication | EdDSA (Ed25519) | Private key derived from BLAKE3 hash of password |
| Key Exchange | WPA3-SAE (Dragonfly) | Secure key negotiation based on Curve25519 |
| Video Encryption | AES-256-GCM | HLS segments encrypted at rest, session-authenticated playback |
| Session Auth | 128-bit UUID + BLAKE3 HMAC | Direct mode session token per HLS stream |
| Replay Protection | Timestamp + Nonce + HMAC | Multi-layer protection mechanism |
| Zero-Knowledge Proof | Bulletproofs RangeProof | Prove password knowledge without revealing it (auth only) |
| Hardware Auth | FIDO2/WebAuthn | Support for YubiKey, TouchID, FaceID |
| Secure Storage | Reed-Solomon + CRC32 | Data integrity verification and error correction |
RockZeroOS uses SAE-encrypted HLS streaming for all video playback. The client performs an SAE handshake, creates a session with direct_mode: true, and accesses the playlist URL directly via media_kit without an intermediate proxy. Bulletproofs ZKP is not used for video playback; authentication is handled by session tokens.
sequenceDiagram
participant C as Client
participant S as Server
C->>S: 1. JWT Authentication (EdDSA)
S-->>C: Access Token
C->>S: 2. SAE Init
S-->>C: Temp Session ID
C->>S: 3. SAE Commit (Curve25519)
S-->>C: Server Commit
C->>S: 4. SAE Confirm
S-->>C: Server Confirm + PMK
C->>S: 5. Create HLS Session (direct_mode=true)
S-->>C: Session ID + Playlist URL
Note over C,S: No per-segment ZKP — session token authenticates all requests
C->>S: 6. GET playlist.m3u8 (via media_kit)
S-->>C: M3U8 playlist
loop Each Video Segment
C->>S: 7. GET segment_N.ts (session token in URL)
Note over S: Verify session token
Note over S: Stream copy ≤1080p / HW transcode >1080p
S-->>C: AES-256-GCM encrypted segment (at-rest)
Note over C: Decrypt and play via hardware decoder
end
The Flutter client uses media_kit (libmpv) with hardware decoding enabled by default. The Video() widget is wrapped in SizedBox.expand() to ensure proper sizing on all platforms. mpv is configured with:
- hwdec=auto-safe — Automatically selects the best available hardware decoder
- rebase-start-time=yes — Rebases stream start time to zero (fixes MKV files with non-zero PTS offset showing e.g. 26:28:10 instead of 00:00:00)
- demuxer-lavf-o=fflags=+genpts+discardcorrupt — Regenerates presentation timestamps and discards corrupt frames
- cache=yes with demuxer-max-bytes=50MiB / demuxer-max-back-bytes=25MiB — Reduces stalls
- stream-buffer-size=2MiB — Optimized for network streaming
| Platform | API | Configuration |
|---|---|---|
| Android | MediaCodec | hwdec=mediacodec via libmpv |
| iOS | VideoToolbox | hwdec=videotoolbox via libmpv |
| Windows/Linux/macOS | Auto-detect | hwdec=auto-safe via libmpv |
Audio uses just_audio with a triple-fallback source strategy:
- LockCachingAudioSource — Progressive download with caching (20s timeout)
- AudioSource.uri with Auth headers — Direct streaming (20s timeout)
- setUrl — Simple URL playback (20s timeout)
Unsupported audio codecs (wmav1/2, wmapro, wmalossless, pcm_bluray/dvd, cook, ra_288, atrac3/3p, ape, etc.) are automatically transcoded to AAC/MP3 on the server side before streaming.
The back button on the full-screen audio player minimizes playback to the background mini player (transferring position, volume, speed, and loop state to the global AudioPlayerService), rather than stopping audio. A dedicated stop button is provided in the app bar for explicit playback termination.
PMK (from SAE handshake)
→ HKDF-BLAKE3(salt="hls-session-salt:{session_id}", info="hls-master-key")
→ 256-bit AES-GCM encryption key
Each segment is encrypted as: nonce(12B) ‖ AES-256-GCM(plaintext, key, nonce) ‖ tag(16B)
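The segment layout above, as an added example (not RockZeroOS code): a std-only Rust parser that splits a stored segment into nonce, ciphertext and tag, then audits one session's segments for a repeated nonce, since AES-GCM under a single session key requires every nonce to be unique. The names split_segment, audit_session and sample_segment are hypothetical, and the sample bytes are constructed.

```rust
use std::collections::HashSet;

pub const NONCE_LEN: usize = 12; // nonce(12B) per the layout above
pub const TAG_LEN: usize = 16; // tag(16B) per the layout above

#[derive(Debug, PartialEq)]
pub enum FrameError {
    /// Blob cannot hold even a nonce and a tag.
    TooShort { len: usize },
    /// Segment at this index repeats a nonce seen earlier in the session.
    NonceReused { segment: usize },
}

/// Borrowed view of one stored segment (hypothetical type, not the project's).
#[derive(Debug, PartialEq)]
pub struct SegmentFrame<'a> {
    pub nonce: &'a [u8],
    pub ciphertext: &'a [u8],
    pub tag: &'a [u8],
}

/// Split `nonce ‖ ciphertext ‖ tag` without copying; rejects truncated blobs.
pub fn split_segment(blob: &[u8]) -> Result<SegmentFrame<'_>, FrameError> {
    if blob.len() < NONCE_LEN + TAG_LEN {
        return Err(FrameError::TooShort { len: blob.len() });
    }
    let (nonce, rest) = blob.split_at(NONCE_LEN);
    let (ciphertext, tag) = rest.split_at(rest.len() - TAG_LEN);
    Ok(SegmentFrame { nonce, ciphertext, tag })
}

/// Walk all segments of one session (one key) and fail on the first framing
/// error or repeated nonce. Returns total ciphertext bytes on success.
pub fn audit_session(segments: &[Vec<u8>]) -> Result<usize, FrameError> {
    let mut seen: HashSet<[u8; NONCE_LEN]> = HashSet::new();
    let mut total = 0usize;
    for (i, blob) in segments.iter().enumerate() {
        let frame = split_segment(blob)?;
        let mut nonce = [0u8; NONCE_LEN];
        nonce.copy_from_slice(frame.nonce);
        if !seen.insert(nonce) {
            return Err(FrameError::NonceReused { segment: i });
        }
        total += frame.ciphertext.len();
    }
    Ok(total)
}

/// Constructed sample data: a fake segment with a fixed-byte nonce.
pub fn sample_segment(nonce_byte: u8, body_len: usize) -> Vec<u8> {
    let mut blob = vec![nonce_byte; NONCE_LEN];
    blob.extend(std::iter::repeat(0xAB).take(body_len));
    blob.extend_from_slice(&[0xCD; TAG_LEN]);
    blob
}

fn main() {
    let good = vec![sample_segment(1, 188), sample_segment(2, 376)];
    println!("clean session: {:?}", audit_session(&good));
    let bad = vec![
        sample_segment(1, 188),
        sample_segment(2, 188),
        sample_segment(1, 188), // same nonce as segment 0
    ];
    println!("reused nonce:  {:?}", audit_session(&bad));
    println!("truncated:     {:?}", split_segment(&[0u8; 20]).map(|_| ()));
}
```

The audit only checks framing and nonce uniqueness; authenticity still depends on verifying the GCM tag with the session key during decryption.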
- Smart Formatting — Auto-select optimal filesystem based on usage
  - System boot: ext4
  - Media library: XFS (large file optimization)
  - Database: ext4 (journal optimization)
  - Backup: Btrfs (snapshot support)
  - Cross-platform: exFAT/NTFS
- Auto Mount — Smart mount point generation with UUID/Label recognition
- Partition Management — GPT/MBR partition table creation
- Disk Health — SMART data monitoring, temperature detection
- Secure Erase — Multi-pass overwrite for data destruction
The server auto-detects available hardware at startup and selects the optimal encoding pipeline. On ARM architectures, VAAPI is explicitly skipped (Mali/Panfrost GPUs expose /dev/dri/renderD128 but do not support video encoding), and the detection order is: Rockchip MPP → V4L2 M2M → Software fallback. A test encode is performed to verify each candidate actually works before committing to it.
| Platform | Detection Method | Encoder | Decoder | Notes |
|---|---|---|---|---|
| Intel | VAAPI device + vendor ID 0x8086 | h264_vaapi | hwaccel vaapi | Verified via FFmpeg test encode |
| AMD | VAAPI device + vendor ID 0x1002 | h264_vaapi | hwaccel vaapi | Verified via FFmpeg test encode |
| Rockchip (RK3588/RK3399) | /proc/cpuinfo, device tree | h264_rkmpp | rkmpp | Requires MPP libraries; priority 1 on ARM |
| Amlogic (A311D/S905/S922) | /proc/cpuinfo, device tree, /dev/amvideo | h264_v4l2m2m | meson_vdec | Falls back to software if V4L2 M2M fails |
| Generic ARM | /dev/video10, /dev/video11 | h264_v4l2m2m | h264_v4l2m2m | Verified via encode test; priority 2 on ARM |
| Fallback | — | libx264 (ultrafast) | software | Used when no hardware is detected |
For ≤1080p content, the server uses stream copy (-c:v copy -c:a copy -map 0:v? -map 0:a?) which is near-instant. The -map 0:v? -map 0:a? flags ensure only video and audio streams are selected, avoiding mpegts muxer failures from subtitle or data tracks. All ffmpeg invocations include -fflags +genpts+discardcorrupt (input) and -avoid_negative_ts make_zero (output) to normalize PTS timestamps — this ensures MKV files with non-zero start times (e.g. 26:28:10) produce HLS segments starting from 00:00:00.
Codec-aware timeouts: Before spawning ffmpeg, the server probes the video codec via ffprobe. H.264/HEVC videos get a 30-second first-segment timeout (stream copy is fast). AV1/VP9/other codecs get 120 seconds since software transcode is slower.
On-demand seek: When a player seeks to a distant segment during transcode (>5 segments ahead of current progress), the server generates the requested segment on-demand using -ss + hardware/software encode, bypassing the need to wait for all preceding segments. The on-demand segment is encrypted at rest with the same AES-256-GCM storage key.
HLS cache defaults: Max 1 GB HLS cache, 1-day retention, 5-minute idle cleanup interval. Auto-cleanup triggers when total cache exceeds 1 GB threshold.
RockZeroOS uses an adaptive hybrid transport layer for secure media delivery. The runtime policy is now constrained to the following production bounds:
- Default ratio: UDP 70% + TCP 30%
- Maximum UDP ratio: 70% (therefore TCP minimum is 30%)
- Maximum TCP ratio: 90% (therefore UDP minimum is 10%)
- Adaptive trigger: UDP loss rate above threshold reduces UDP share and increases TCP reliability
The transport startup profile is tuned for high-throughput devices (including ARM NAS boards):
- chunk_size: 128 KiB
- udp_window_size: 96
- send_buffer_size: 16 MiB
- tcp_max_retries: 5
- udp_loss_threshold: 3%
On Amlogic A311D class devices, hardware path preference remains:
- Stream copy when source codec/container is directly playable (fastest path, no quality loss)
- Hardware encode/transcode via h264_v4l2m2m when re-encode is required
- Software fallback (libx264) only when hardware encoder validation fails
This design keeps startup latency low while retaining playback continuity under packet loss.
Multi-platform gaming hub with fully native UI integration (no WebView). Each platform tab fetches real-time data from official APIs with built-in catalog fallback:
| Platform | Official API Source | Features |
|---|---|---|
| Steam | Steam Web API (store.steampowered.com) | Game library, play time stats, profile, API key binding, SteamDB viewer |
| Epic Games | Epic GraphQL API (graphql.epicgames.com) | Live catalog, free game highlights, featured carousel, category browsing, search |
| WeGame | WeGame Internal API (wegame.com.cn/api/v1/) | Live catalog, hot games ranking, featured carousel, search, save to library |
| Ubisoft Connect | Ubisoft Store API (store.ubisoft.com) + Ubisoft Services API | Live catalog, featured carousel, category browsing, search, save to library |
| Xbox | Game Pass Catalog (catalog.gamepass.com) + Microsoft DisplayCatalog API | Live catalog, Game Pass highlights, featured carousel, search, save to library |
- All platform tabs show a live data indicator (🔴 实时, i.e. "Live") when displaying API-fetched data
- Game cover images are loaded directly from official CDN URLs (Epic cdn1.epicgames.com, Ubisoft staticctf.ubisoft.com, Xbox store-images.s-microsoft.com)
- Built-in catalog images: 25+ hardcoded games use Steam CDN (cdn.akamai.steamstatic.com/steam/apps/{appid}/header.jpg) for instant image display without API calls
- 30-minute server-side cache with automatic refresh on pull-to-refresh
- Graceful degradation: if any API is unreachable, the tab seamlessly falls back to curated catalog data
The My Library tab provides a unified view of game accounts across all platforms with Steam full library integration (game count, total play time, recently played).
The Daily Top 30 tab shows curated recommendations with 30 games per platform (Steam, Epic, WASM) scored by recency, price, and availability.
| App | Description |
|---|---|
| SteamDB Viewer | Query Steam API for game details by name search (Steam Store storesearch + suggest fallback) or AppID: price, online players, reviews, DLC, system requirements |
| M3U8 Downloader | Parse M3U8 playlists, download TS segments, auto-merge with AES decryption support. Supports custom save directory (NAS default / Downloads / custom path) with path sanitization and security checks |
| Steam P2P Info | View Steam player profiles, friends list, recent games, and P2P connection details. Includes collapsible help documentation with NAT type explanations (Open/Moderate/Strict) and troubleshooting guide |
RockZeroOS supports advanced dynamic theming:
- Material You — Seed color from user preference or system accent color
- Custom Wallpaper — Set custom wallpaper from gallery; dominant color extracted for theme blending
- Dynamic Color Blending — 80% custom wallpaper color + 20% system accent color
- Glassmorphic Cards — When wallpaper is active, all cards use frosted glass effect with BackdropFilter blur (sigma 20), semi-transparent backgrounds, and subtle border highlighting
- Edge-to-Edge — Transparent status bar and navigation bar on Android with predictive back gesture support
graph LR
subgraph Backend["Rust Backend"]
A[rockzero-common] --> B[rockzero-crypto]
B --> C[rockzero-sae]
B --> D[rockzero-media]
B --> E[rockzero-db]
C --> F[rockzero-service]
D --> F
E --> F
end
subgraph Frontend["Flutter Frontend"]
G[RockZeroOS-UI]
end
F <--> G
style Backend fill:#ffebee
style Frontend fill:#e8f5e9
RockZeroOS-Service/
├── rockzero-common/ # Common library (error handling, config, types)
├── rockzero-crypto/ # Cryptography library
│ ├── src/
│ │ ├── jwt.rs # EdDSA JWT (Ed25519 + BLAKE3)
│ │ ├── ed25519.rs # Ed25519 signature operations
│ │ ├── bulletproofs_ffi.rs # Bulletproofs RangeProof FFI
│ │ ├── zkp.rs # ZKP authentication logic
│ │ ├── aes.rs # AES-256-GCM encryption/decryption
│ │ ├── hash.rs # BLAKE3, SHA3-256 hashing
│ │ ├── signature.rs # Digital signatures
│ │ ├── tls.rs # Rustls TLS configuration
│ │ └── utils.rs # Crypto utilities
├── rockzero-sae/ # WPA3-SAE key exchange
│ ├── src/
│ │ ├── client.rs # SAE client (Curve25519)
│ │ ├── server.rs # SAE server
│ │ ├── crypto.rs # Dragonfly key exchange
│ │ ├── key_derivation.rs # PMK derivation via HKDF
│ │ ├── protocol.rs # SAE protocol state machine
│ │ └── types.rs # SAE message types
├── rockzero-media/ # Media processing
│ ├── src/
│ │ ├── session.rs # HLS session management
│ │ ├── encryptor.rs # AES-256-GCM video segment encryption
│ │ ├── bulletproof_auth.rs # Per-segment authentication
│ │ ├── media_processor.rs # FFmpeg detection & HW capabilities
│ │ ├── chunk_manager.rs # Progressive chunk management
│ │ ├── playlist.rs # M3U8 playlist generation
│ │ ├── tcp_stream.rs # TCP streaming transport
│ │ ├── udp_stream.rs # UDP streaming transport
│ │ └── secure_transport.rs # Encrypted transport layer
├── rockzero-db/ # Database (SQLite + Reed-Solomon)
│ ├── src/
│ │ ├── secure_db.rs # Encrypted database operations
│ │ ├── operations.rs # CRUD operations
│ │ └── models.rs # Database models
├── rockzero-service/ # Main HTTP service (Actix-web)
│ ├── src/
│ │ ├── main.rs # Server startup, route configuration
│ │ ├── middleware.rs # JWT auth middleware
│ │ ├── storage_manager.rs # Disk & mount management
│ │ ├── fido.rs # FIDO2/WebAuthn handler
│ │ ├── handlers/
│ │ │ ├── auth.rs # User registration & login (EdDSA JWT)
│ │ │ ├── zkp_auth.rs # Bulletproofs ZKP authentication
│ │ │ ├── secure_hls.rs # SAE handshake + encrypted HLS streaming
│ │ │ ├── streaming.rs # Media info, thumbnails, HLS playlist, audio transcode
│ │ │ ├── filemanager.rs # File CRUD, upload, download
│ │ │ ├── storage.rs # Storage overview & disk info
│ │ │ ├── storage_management.rs # Format, mount, unmount, erase
│ │ │ ├── disk_manager.rs # Disk detail & SMART
│ │ │ ├── appstore.rs # WASM app registry
│ │ │ ├── wasm_store.rs # WASM app store & game APIs
│ │ │ ├── system.rs # System info (CPU, mem, temp)
│ │ │ ├── speedtest.rs # Network speed test
│ │ │ ├── lan_transfer.rs # LAN file transfer
│ │ │ ├── webdav.rs # WebDAV server
│ │ │ ├── widgets.rs # Dashboard widgets
│ │ │ └── health.rs # Health check endpoint
└── RockZeroOS-UI/ # Flutter cross-platform client
└── lib/
├── core/
│ ├── models/ # API models (DiskInfo, etc.)
│ ├── network/ # API service, Dio HTTP client
│ ├── services/ # Wallpaper, media_kit init, dynamic color
│ ├── theme/ # M3 theme, dynamic color, animation curves
│ └── widgets/ # ShellScaffold, WallpaperBackground, GlassmorphicBackground, DynamicColorCard
├── features/
│ ├── auth/ # Login, register pages (glassmorphic cards)
│ ├── dashboard/ # Dashboard, speed test
│ ├── files/ # File browser, video player
│ │ └── presentation/pages/
│ │ ├── files_page.dart # Disk grid + file listing
│ │ └── secure_hls_video_player.dart # SAE+HLS video player
│ ├── appstore/ # Game center
│ │ └── presentation/
│ │ ├── pages/
│ │ │ └── wasm_store_page.dart # Multi-platform game hub
│ │ └── widgets/
│ │ └── platform_game_tab.dart # Native game tabs (Epic/WeGame/Ubisoft/Xbox)
│ ├── device_discovery/ # mDNS device discovery
│ ├── disk/ # Disk formatting & management
│ ├── storage/ # Storage overview
│ ├── system/ # System monitoring
│ └── settings/ # App settings, wallpaper, blur
└── services/
├── sae_client_curve25519.dart # SAE Dragonfly client
└── sae_handshake_service.dart # SAE handshake orchestration
- Rust 1.75+ (edition 2021)
- FFmpeg 6.0+ (bundled for ARM64, or system-installed)
- SQLite 3.x
- Flutter 3.19+ with Dart 3.3+
git clone https://github.com/blueokanna/rockzero-service.git
cd rockzero-service
cargo build --workspace --release
cargo test --workspace
cargo run -p rockzero-service --release

Create .env file:

HOST=0.0.0.0
PORT=8080
RUST_LOG=info
DATA_DIR=./data
DATABASE_URL=./data/rockzero.db
JWT_SECRET=your-super-secret-jwt-key-change-this-in-production
JWT_EXPIRATION_HOURS=24
REFRESH_TOKEN_EXPIRATION_DAYS=7
STORAGE_ROOT=/mnt/storage
MAX_UPLOAD_SIZE=10737418240
HLS_CACHE_PATH=./data/hls_cache

cd RockZeroOS-UI
flutter pub get
flutter run

sequenceDiagram
participant C as Client
participant S as Server
C->>S: POST /api/v1/auth/register
Note right of S: Create user with<br/>EdDSA JWT + ZKP registration
S-->>C: {tokens, user}
C->>S: POST /api/v1/auth/login
Note right of S: Verify password<br/>Generate EdDSA JWT
S-->>C: {tokens, user}
C->>S: POST /api/v1/auth/zkp/login
Note right of S: Verify Bulletproofs<br/>RangeProof
S-->>C: {tokens, user}
POST /api/v1/secure-hls/sae/init
POST /api/v1/secure-hls/sae/commit
POST /api/v1/secure-hls/sae/confirm
POST /api/v1/secure-hls/session/create
GET /api/v1/secure-hls/{session_id}/playlist.m3u8
GET /api/v1/secure-hls/{session_id}/segment_{n}.ts

GET /api/v1/streaming/formats # Supported media formats
GET /api/v1/streaming/library # List media library
GET /api/v1/streaming/info/{path} # Get media info (codecs, duration, resolution)
GET /api/v1/streaming/extended-info/{path} # Extended media info (EXIF, tracks)
GET /api/v1/streaming/hls/{path} # Generate HLS playlist
GET /api/v1/streaming/thumbnail/{path} # Get video thumbnail
GET /api/v1/streaming/transcode/{path} # Audio transcoding

GET /api/v1/filemanager/list?path=...
POST /api/v1/filemanager/upload
GET /api/v1/filemanager/download?path=...
GET /api/v1/filemanager/media/info?path=...
GET /api/v1/filemanager/media/image?path=...
GET /api/v1/filemanager/media/thumbnail?path=...
DELETE /api/v1/filemanager/delete

POST /api/v1/zkp/search/token
POST /api/v1/zkp/search/execute
POST /api/v1/zkp/share/proof
POST /api/v1/zkp/share/verify
POST /api/v1/zkp/proof/generate

GET /api/v1/wasm-store/overview # Store overview (stats, categories)
GET /api/v1/wasm-store/steam/featured # Steam featured games
GET /api/v1/wasm-store/steam/app/{app_id} # Steam app details
GET /api/v1/wasm-store/steam/library # User's Steam library
GET /api/v1/wasm-store/steam/player # Steam player summary
GET /api/v1/wasm-store/steam/search?q=... # Search Steam store
GET /api/v1/wasm-store/epic/free # Epic free games (GraphQL)
GET /api/v1/wasm-store/platform/games?platform=epic|wegame|ubisoft|xbox # Official platform API data
GET /api/v1/wasm-store/search?q=... # Search WASM apps
GET /api/v1/wasm-store/recommendations # Daily Top 30 recommendations
POST /api/v1/wasm-store/github/import # Import WASM from GitHub
POST /api/v1/wasm-store/wasm/run-script # Execute WASM script
GET /api/v1/wasm-store/wasm/apps # List installed WASM apps
GET /api/v1/wasm-store/wasm/apps/{app_id} # WASM app details
POST /api/v1/wasm-store/wasm/install # Install WASM app
POST /api/v1/wasm-store/wasm/{app_id}/run # Run installed WASM app
DELETE /api/v1/wasm-store/wasm/{app_id} # Uninstall WASM app
GET /api/v1/wasm-store/builtin/{app_id}/run # Run built-in app (SteamDB/M3U8/P2P)
POST /api/v1/wasm-store/builtin/m3u8-downloader/download # Download M3U8 video
GET /api/v1/wasm-store/builtin/downloads # List downloaded files
GET /api/v1/wasm-store/builtin/downloads/{filename} # Serve downloaded file

GET /api/v1/storage/disks
GET /api/v1/storage/disk/{name}
POST /api/v1/storage/format
POST /api/v1/storage/mount
POST /api/v1/storage/unmount
POST /api/v1/storage/file # Write file to storage

GET /api/v1/storage-management/overview # Storage overview
POST /api/v1/storage-management/format # Format disk
POST /api/v1/storage-management/mount # Mount filesystem
POST /api/v1/storage-management/unmount # Unmount filesystem
POST /api/v1/storage-management/secure-erase # Secure erase disk
GET /api/v1/storage-management/smart/{device} # SMART health data
POST /api/v1/storage-management/partition # Create partition
POST /api/v1/storage-management/scan # Scan for new devices

GET /api/v1/system/info # System overview
GET /api/v1/system/cpu # CPU details
GET /api/v1/system/memory # Memory usage
GET /api/v1/system/disks # Disk info
GET /api/v1/system/usb # USB devices
GET /api/v1/system/hardware # Hardware info
GET /api/v1/system/all # All system info combined

GET /api/v1/speedtest/download # Download speed test
POST /api/v1/speedtest/upload # Upload speed test
GET /api/v1/speedtest/ping # Latency test
GET /api/v1/speedtest/info # Server info

POST /api/v1/invite/create # Create invite code
GET /api/v1/invite/validate/{code} # Validate invite
POST /api/v1/invite/remaining # Check remaining time

| Operation | Performance | Notes |
|---|---|---|
| EdDSA JWT Sign | ~0.1ms | Ed25519 via dalek |
| EdDSA JWT Verify | ~0.2ms | Ed25519 via dalek |
| SAE Handshake (full) | ~5-10ms | Curve25519 Dragonfly |
| Bulletproofs RangeProof | ~50ms | 64-bit range proof (auth only, not video playback) |
| AES-256-GCM Encrypt/Decrypt | ~500 MB/s | Per-segment encryption |
| BLAKE3 Hash | ~1 GB/s | Used for HKDF, HMAC, signatures |
| HLS Segment (stream copy) | <100ms | ≤1080p, no re-encoding |
| HLS Segment (hw transcode) | ~200-500ms | >1080p, VAAPI/V4L2 |
| HLS Segment (sw transcode) | ~1-3s | >1080p, libx264 ultrafast |
| On-demand seek (hw) | ~0.5-2s | Single segment via -ss + hw encode |
| On-demand seek (sw) | ~2-5s | Single segment via -ss + libx264 ultrafast |
- EdDSA (Ed25519) JWT authentication
- WPA3-SAE key exchange (Curve25519 Dragonfly)
- Bulletproofs RangeProof ZKP (authentication only)
- SAE session-authenticated HLS streaming with AES-256-GCM
- FIDO2/WebAuthn hardware authentication
- Professional storage management
- Hardware accelerated video transcoding (VAAPI / Rockchip MPP / V4L2 M2M)
- ARM architecture-aware encoder detection (skip VAAPI on Mali/Panfrost)
- Flutter cross-platform client with hardware-accelerated playback
- Multi-platform native game center with official API integration (Steam/Epic/WeGame/Ubisoft/Xbox)
- Triple-fallback audio playback with automatic server-side codec transcoding
- LAN file transfer
- WebDAV server
- WASM application runtime (with built-in SteamDB viewer, M3U8 downloader, Steam P2P info)
- Dynamic theming with wallpaper color extraction & glassmorphic UI
- Edge-to-edge UI with gesture navigation
- MD3 Expressive loading indicators (starburst spinner, wavy progress, secure shield animation)
- PTS timestamp normalization for MKV/non-zero start time sources
- Audio player back-minimizes to mini player (no audio interruption on back press)
- Network speed test (download/upload/ping with chronograph UI)
- Invite system with expiring codes
- RAID support
- Snapshot and backup
- Multi-user permission management
- SMB/NFS file sharing
- Remote access (DDNS, VPN)
- AI smart album
- Actix Web — High-performance async web framework
- Tokio — Async runtime
- SQLx — Async SQLite driver
- ed25519-dalek — Ed25519 signatures
- curve25519-dalek — Curve25519 operations
- bulletproofs — Zero-knowledge proofs
- blake3 — Fast cryptographic hashing
- aes-gcm — AES-256-GCM encryption
- Wasmtime — WebAssembly runtime
- Rustls — TLS implementation
- FFmpeg — Media transcoding (external binary)
- Riverpod — State management
- go_router — Navigation
- media_kit — Video playback (mpv)
- flutter_animate — Animations
- flutter_secure_storage — Secure credential storage
This project is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0).
See LICENSE for the full license text.
- Author: blueokanna
- Email: blueokanna@gmail.com
- GitHub: https://github.com/blueokanna/rockzero-service
Made with ❤️ by blueokanna
Powered by Rust 🦀 | Secured by EdDSA + SAE + AES-256-GCM 🔐 | Accelerated by Hardware 🚀
