The thesis

A platform without people
has to earn trust differently.

Sakinah is designed around named agents, visible boundaries, and a zero-human-operator service flow. No Sakinah staff member should onboard, match, mediate, bill, or deliver the service. The current private build already enforces the encrypted messaging boundary; the identity, photo-gate, observer, and payment systems below are launch gates, not marketing promises.

The four agents

Each one named. Each one bounded.

Hafiz

Verification guardian

الحافظ

Collects intake context and proves identity before access widens.

Boundary
Raw ID evidence must become a verification result, then leave the app.
Status
Hafiz · provider pending · now

Watim

Match reasoner

الواطم

Builds small, explainable shortlists instead of a swipe feed.

Boundary
No match is shown without a visible reason and next consent step.
Status
Watim · design locked · now

Adil

Consent keeper

العادل

Turns interest into salaam, and salaam into a room only by consent.

Boundary
Family observers can witness; they cannot post or silently watch.
Status
Adil · message boundary live · now

Sabr

Pressure and safety guard

الصبر

Surfaces pressure, expiry, pause, and observer-boundary risks.

Boundary
Safety flags are visible as product states, not private staff notes.
Status
Sabr · design locked · now

The verification ladder

Five steps. About twelve minutes.

01

ID document

Government-issued ID. Hafiz must hash or discard evidence after verification.

by Hafiz · ~30s

02

Selfie liveness

Confirms the person is present today. The launch build must not retain the raw capture.

by Hafiz · ~10s

03

Phone + email

Two active channels for account recovery, salaam expiry, and family-link notices.

by Hafiz · ~1m

04

Voice intake

Watim listens for context and drafts the public layer for the seeker to approve.

by Watim · ~6m

05

Family link

Optional but encouraged. Observers witness; they do not approve or reply.

by You · ~3m

Six promises

What no one at Sakinah can do.

01

Read your messages.

02

See unblurred photos before mutual interest.

03

Override your family-link settings.

04

Route onboarding, matching, mediation, or payment to a human operator.

05

Sell, share, or train models on your data.

06

Pause your account without written consent.

Live in this build

What the code already defends.

Messages between people are end-to-end encrypted

The server stores the ciphertext, nonce, sender, recipient-device key, and timestamps. It stores neither plaintext bodies nor any key that can decrypt them.

lib/crypto/messaging.ts

The assistant surface is separate

The assistant can read only what you type into that assistant conversation. Tests fail if the agent route imports the messaging tables.

tests/agent-isolation.test.ts
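The isolation test above is described but not shown. The following is an added example, not the project's test file, of how such a guard can be written: it extracts every module specifier a route file pulls in (static imports, re-exports, side-effect imports, dynamic import() and require()), resolves them against an assumed repo layout, and reports any that land inside a forbidden subtree. The module paths (lib/db/messages, lib/db/rooms), the "@/" alias mapping to the repo root, and the sample route source are assumptions constructed for the example.

```typescript
import { posix as path } from "node:path";

// The three ways a TypeScript/JavaScript module can pull in another module.
// Each regex captures the specifier string; matchAll needs the g flag.
// The lazy [^;"']*? lets multi-line import lists match but means a stray
// "from" in a comment can also match; for a deny-check that errs on the safe side.
const STATIC_FROM = /\b(?:import|export)\b[^;"']*?\bfrom\s*["']([^"']+)["']/g; // import x from "m", export * from "m"
const SIDE_EFFECT = /\bimport\s*["']([^"']+)["']/g;                          // import "m"
const DYNAMIC = /\b(?:import|require)\s*\(\s*["']([^"']+)["']\s*\)/g;         // import("m"), require("m")

export function importSpecifiers(source: string): string[] {
  const found = new Set<string>();
  for (const re of [STATIC_FROM, SIDE_EFFECT, DYNAMIC]) {
    for (const m of source.matchAll(re)) found.add(m[1]);
  }
  return [...found];
}

// Turn a specifier into a repo-relative module path so that "@/lib/db/messages",
// "../../../lib/db/messages" (from app/api/agent/route.ts) and
// "@/lib/db/messages/index.ts" all compare equal. The "@/" -> repo root alias
// is an assumption about tsconfig paths, not the project's actual config.
export function resolveSpecifier(spec: string, fromFile: string): string {
  let p: string;
  if (spec.startsWith("@/")) p = spec.slice(2);
  else if (spec.startsWith(".")) p = path.join(path.dirname(fromFile), spec);
  else p = spec; // bare package import such as "next/server": left as-is
  return p.replace(/\.(ts|tsx|js|mjs|cjs)$/, "").replace(/\/index$/, "");
}

// Unique, sorted list of resolved paths that fall inside a forbidden subtree.
// An empty list means the boundary holds.
export function forbiddenImports(source: string, fromFile: string, forbidden: string[]): string[] {
  const hits = new Set<string>();
  for (const spec of importSpecifiers(source)) {
    const resolved = resolveSpecifier(spec, fromFile);
    if (forbidden.some((f) => resolved === f || resolved.startsWith(f + "/"))) hits.add(resolved);
  }
  return [...hits].sort();
}

// Constructed sample of a route that breaches the boundary in three different ways.
// Module paths are invented for the example; the real layout is not shown on the page.
export const SAMPLE_AGENT_ROUTE = `
import "server-only";
import { NextResponse } from "next/server";
import { assistantThreads } from "@/lib/db/assistant";
import { messages } from "../../../lib/db/messages";   // static pull of the room table
export * from "@/lib/db/rooms";                         // leaks the table to every caller of this module
export async function POST() {
  const { envelopes } = await import("@/lib/db/messages/index"); // dynamic load
  return NextResponse.json({ ok: true });
}
`;

// Assumed location of the messaging tables this route must never touch.
export const MESSAGING_MODULES = ["lib/db/messages", "lib/db/rooms"];

// Run stand-alone: prints the two offending modules for the sample route.
console.log(forbiddenImports(SAMPLE_AGENT_ROUTE, "app/api/agent/route.ts", MESSAGING_MODULES));
```

In a real test the source would be read from disk for every file under the agent route and the assertion would be that the list is empty. Regexes keep this example dependency-free; a production guard would rather walk the import graph with the TypeScript compiler API or a tool such as dependency-cruiser so that transitive imports (the route importing a helper that imports the tables) are caught as well.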

No analytics, pixels, or replay scripts

The middleware applies a nonce-based CSP and keeps browser scripts limited to the app, Clerk, and challenge infrastructure.

middleware.ts

Device fingerprints are visible

Each device has a local keypair. Users can compare fingerprints out of band and rotate the active key if a device is suspect.

app/app/settings/page.tsx
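The two claims above, that the server holds only ciphertext, nonce, sender, recipient-device key and timestamps, and that each device has a local keypair with a fingerprint users can compare and rotate, share one mechanism, so here is one added example covering both. It is not the project's lib/crypto/messaging.ts or settings page; it is a self-contained sketch using Node's built-in crypto (X25519 agreement, HKDF, AES-256-GCM). The Envelope field names, the HKDF label "sakinah-room-v1", the fingerprint format and the sample message are assumptions made for the example.

```typescript
import {
  createCipheriv, createDecipheriv, createHash, createPublicKey,
  diffieHellman, generateKeyPairSync, hkdfSync, randomBytes, KeyObject,
} from "node:crypto";

// One X25519 keypair per device. The private half is generated here and never
// leaves the device; only the public half is registered with the server.
export type DeviceKeys = { publicKey: KeyObject; privateKey: KeyObject };

export function newDeviceKeys(): DeviceKeys {
  return generateKeyPairSync("x25519");
}

// Rotation is just a fresh keypair: envelopes sealed to the old key stop opening
// on this device, and peers must re-check the new fingerprint before trusting it.
export const rotateDeviceKeys = newDeviceKeys;

// Wire form of a public key (SPKI DER, base64): what the server stores per device.
export function exportPublicKey(k: KeyObject): string {
  return k.export({ type: "spki", format: "der" }).toString("base64");
}

// Fingerprint for out-of-band comparison: SHA-256 over the public key, shown as
// eight groups of four hex digits (128 bits), short enough to read aloud on a call.
export function fingerprint(publicKeyB64: string): string {
  const digest = createHash("sha256").update(Buffer.from(publicKeyB64, "base64")).digest("hex");
  return digest.slice(0, 32).match(/.{4}/g)!.join("-");
}

// Assumed record layout for one stored message: the five fields the page lists
// and nothing else. No plaintext, no symmetric key, no private key.
export type Envelope = {
  ciphertext: string;         // base64, AES-256-GCM output with the 16-byte tag appended
  nonce: string;              // base64, 12 random bytes, never reused under one key
  sender: string;             // sender's device public key (base64 SPKI)
  recipientDeviceKey: string; // recipient's device public key (base64 SPKI)
  sentAt: number;             // unix milliseconds
};

// Both ends derive the same 32-byte AES key from X25519 agreement plus HKDF.
// The server sees both public keys but holds neither private key, so it cannot
// compute this value.
function roomKey(mine: KeyObject, theirsB64: string): Buffer {
  const theirs = createPublicKey({ key: Buffer.from(theirsB64, "base64"), type: "spki", format: "der" });
  const shared = diffieHellman({ privateKey: mine, publicKey: theirs });
  return Buffer.from(hkdfSync("sha256", shared, Buffer.alloc(0), "sakinah-room-v1", 32));
}

// The stored metadata is bound to the ciphertext as AEAD associated data, so a
// server that rewrites sender, recipient or timestamp invalidates the tag.
function associatedData(e: Pick<Envelope, "sender" | "recipientDeviceKey" | "sentAt">): Buffer {
  return Buffer.from(`${e.sender}|${e.recipientDeviceKey}|${e.sentAt}`, "utf8");
}

export function seal(from: DeviceKeys, toPublicKeyB64: string, plaintext: string, sentAt = Date.now()): Envelope {
  const meta = { sender: exportPublicKey(from.publicKey), recipientDeviceKey: toPublicKeyB64, sentAt };
  const nonce = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", roomKey(from.privateKey, toPublicKeyB64), nonce);
  cipher.setAAD(associatedData(meta));
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final(), cipher.getAuthTag()]);
  return { ...meta, ciphertext: body.toString("base64"), nonce: nonce.toString("base64") };
}

// Returns the plaintext, or null when this device cannot open the envelope:
// wrong device, rotated key, or metadata altered in storage. Nothing the server
// holds lets it succeed here.
export function open(me: DeviceKeys, e: Envelope): string | null {
  try {
    const body = Buffer.from(e.ciphertext, "base64");
    const tag = body.subarray(body.length - 16);
    const decipher = createDecipheriv("aes-256-gcm", roomKey(me.privateKey, e.sender), Buffer.from(e.nonce, "base64"));
    decipher.setAAD(associatedData(e));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(body.subarray(0, body.length - 16)), decipher.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// Run stand-alone: seal a constructed message, open it on the right device, then
// rotate and watch the same envelope fail to open.
const alice = newDeviceKeys();
const bob = newDeviceKeys();
const env = seal(alice, exportPublicKey(bob.publicKey), "salaam, may I call on Friday?"); // constructed sample
console.log("bob fingerprint:", fingerprint(exportPublicKey(bob.publicKey)));
console.log("bob opens:", open(bob, env));
console.log("bob after rotation:", open(rotateDeviceKeys(), env));
```

The sender's own copy of the conversation is out of scope here; with a plain two-party agreement like this it would be kept under a separate device-local key. Note what the fingerprint buys: a server that silently swaps a device's registered public key changes the fingerprint the peer sees, which is exactly what the out-of-band comparison on the settings page is meant to catch.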

Retention

Data has a lifespan.

Encrypted room content

Ciphertext only. The server can drop the rows, but it cannot read or search the content to delete it by meaning, because it never holds the keys.

Device keys

Public keys. Revoked on rotation or account deletion.

Profile layers

Public, gated, family JSON. Deleted or tombstoned with the account.

Voice intake

Temporary media. Launch contract: purge within 24h of Watim producing the draft.

Photos

Private media object. A signed download URL is issued only after mutual interest and access-token verification.

Agent actions

Product-state ledger. Exportable; stores hashes, not room plaintext.

Billing

Provider event IDs and entitlement. Kept only as needed for self-serve access and compliance.

Sabr safety signals

Repeated pending salaam requests
Expired waiting windows
Observer role changes
Pause or step-back actions
Report metadata and consent handoff state

Before public launch

These claims stay blocked until the implementation exists.

01

Persona or Stripe Identity wiring for Hafiz verification.

02

Photo storage and silhouette gate enforcement before any photo is visible.

03

Wali observer route with server-side read-only permissions.

04

Agent audit log with timestamped decisions and export.

05

Stripe Checkout plus billing portal: pay, pause, and manage service without a sales call.

06

Arabic copy pass and RTL visual QA.

Adil · العادل

This page is not allowed to outrun the product. If a future deploy claims that Hafiz verified an ID, that Sabr paused a harmful interaction, or that family observers are read-only, the backend must enforce it first.