A state-synchronization protocol for off-grid encrypted messaging. No servers. No internet. No fixed topology. Just people carrying drives between nodes — and the network converges.
The protocol works when nothing else does. Every design decision serves resilience, privacy, and independence from infrastructure.
Runners carry drives in any direction. No routing tables, no path discovery, no servers. State converges regardless of who carries what where.
Drives carry state, not messages. Every sync is a bidirectional merge. Duplicates, ordering, delivery tracking — all eliminated by design.
All content is ciphertext. Lost drives reveal nothing. Couriers carry state they cannot read, for people they cannot identify.
Designed for USB sneakernet but not bound to it. The same protocol works over LoRa, HF radio, TCP/IP, or any delay-tolerant channel.
Not bound to any application. Message bases, private mail, file bases, ledgers, and future types all replicate through the same engine.
Know what exists across the network before content arrives. Small metadata travels fast; large blobs follow on demand.
Traditional messaging networks require structure: servers, routing tables, hub-and-spoke hierarchies. FidoNet had zones, nets, and hubs. The internet has BGP and DNS. All of them assume that the topology is known, stable, and navigable.
Treadwell assumes none of that. Runners carry USB drives between nodes in whatever direction their day takes them. A drive might visit three homesteads in one direction today and a completely different set tomorrow. Five drives might be circulating simultaneously through overlapping subsets of the network. The protocol doesn't care.
Every sync pass is a bidirectional state merge. The drive and the node compare what they each know, exchange the differences, and part ways. No routing decision is made. No path is computed. No delivery receipt is expected. The network converges toward consistency through the simple, repeated act of drives visiting nodes.
The protocol does not deliver messages. It synchronizes state. Each node maintains a local view of the world. USB drives carry snapshots of that state. When a drive meets a node, both sides merge — what do I have that you don't? What do you have that I don't? — and both walk away with a more complete picture.
This is a conflict-free replicated data type (CRDT) model. The merge operation is deterministic and commutative: it doesn't matter what order drives arrive, or how many times you sync the same drive. The result is always the same converged state.
This eliminates entire categories of problems that plague store-and-forward networks: duplicate detection, delivery confirmation, retry logic, message ordering, and return-path routing. In a topology-free sneakernet, those problems are unsolvable. Treadwell sidesteps them by not trying to deliver anything.
Every blob enters the content-addressed store already encrypted. The sync engine and transport layer never see cleartext. A captured USB drive reveals only opaque ciphertext, opaque domain identifiers, and blinded metadata. The adversary can observe volume but not content, structure but not meaning.
Identity is rooted in Ed25519 keypairs. No usernames, no registration, no central authority. You generate a key, and you exist. Trust is built through a web-of-trust model: real people vouching for real people, with attestations that replicate across the network like any other state.
Each replication domain has its own encryption context:
The sync engine does not know or care what carries the payload. It operates on a serialized SyncPayload — a CBOR-encoded structure containing domain metadata, encrypted blobs, want lists, and vector clocks. That payload can travel on:
The protocol is designed for delay-tolerant, high-latency channels, but it works equally well when latency drops to milliseconds over TCP. The same merge logic runs regardless. Adding a new transport means writing a thin adapter that reads and writes SyncPayloads — no protocol changes.
USB drives are the primary design target because they offer enormous bandwidth (gigabytes per trip) at the cost of latency (hours or days). A single inexpensive key can carry more data than weeks of LoRa transmissions.
The protocol is not a messaging app. It is a general-purpose state synchronization engine that carries typed replication domains. Each domain is an independent CRDT with its own merge strategy, encryption context, and retention policy.
Nodes subscribe independently to whichever domains they care about. A node running at a medical clinic subscribes to the health base. A trading post subscribes to the barter base. A courier's drive carries whatever its route demands. Sync is scoped to the intersection of domains shared between a node and a drive.
Adding a new domain type in the future — a reputation system, a shared map, a voting protocol — requires only a new merge function. The transport and sync layers remain untouched. Unknown domain types can be carried opaquely as relay cargo.
Every sync has two phases. Phase 1 exchanges metadata — compact records (hash, author, timestamp, size, parent reference) that describe what exists. This is small and always runs. Phase 2 exchanges blobs — the actual encrypted content. This is large and runs selectively, driven by want lists and available capacity.
After a metadata-only sync, a node knows the full message graph for every subscribed domain: who posted, in reply to what, when, and how large the content is. It just doesn't have the content yet. Users see activity immediately — "5 new messages in local.general" — before a single blob has arrived.
Drives carry want lists: hashes of blobs that nodes along the route have requested. When a drive visits a node that holds a wanted blob, it picks it up. The drive is not just a replication medium — it's a courier with a shopping list.
The protocol's strength is in this separation. The transport layer is thin and replaceable. The replication layer is the stable core, written once. The application layer is where new domain types are added without touching anything below.
A USB drive is a serialized snapshot of the replication layer's state for whatever domains it carries. It is a passive data structure, not a node. It has no identity, runs no code, and makes no decisions. It is a letter, not a post office.
Treadwell is an open protocol. The design is evolving, the code is early, and the conversation is open.