• v1.0.0-beta.6 fbfa61043f

    Morphit v1.0.0-beta.6
    Stable

    agorise released this 2026-06-06 04:31:10 +00:00 | 0 commits to main since this release

    Signed by agorise
    GPG key ID: 53524E1F1017EB9C

    A round of operator-quality-of-life and front-end polish on top of
    beta.5, driven by a real first install and a careful pre-release
    review. Operators get a clearer status dashboard (including proof
    their backups are running), a safer recovery command, and a
    single-host deploy recipe that actually works the first time.
    Visitors get a simpler "Get Morphit" page, a friendlier language
    picker, shared links that no longer 404, and a new FAQ explaining
    why Morphit's code is mirrored so widely. This release is
    recommended for all operators.

    Added

    • Status dashboard now shows your recent backups. morphit-ops status (menu item #10, "Status dashboard") ends with a Backups
      section listing your last three database backups — newest
      first, with each file's age and size — plus the backup directory
      and a reminder of how to copy a file off the host. It's the quick
      "are my backups actually happening?" check, and it gives you the
      exact path to download a backup or hand it to a developer if you
      ever need help. It's read-only and reads only the backup directory
      — never your database password or any keys. --json includes the
      same data. See OPERATIONS.md §31 and RUN-A-MORPHIT-NODE.md §10.

    • A "Why so many mirrors?" link on the Get Morphit page, and a FAQ
      answer to match.
      Morphit's source code is mirrored across many
      independent code hosts on purpose — decentralization is the second
      design priority, right behind privacy. A project that lives in one
      place can be taken down in one place, so the AGPL source lives on
      our own Forgejo server (the canonical copy), on GitHub, on more git
      hosts as they come online, and as a content-addressed copy on IPFS
      that no single host controls. If any one of them blocks or drops
      Morphit, every other copy is still there and anyone can re-host it.
      The new FAQ ("Why is Morphit's source mirrored to so many code
      hosts?") explains the reasoning, and you can verify any running
      instance against the SHA-256 hashes published on the Blurt chain.

    Changed

    • fast-forward is now a recovery-only command, with a guard. A
      normal install never needs it — the indexer starts at the Morphit
      genesis block and resumes from where it left off on every restart —
      so it's been moved out of the morphit-ops menu to keep it from
      becoming a footgun. It's still available directly when you need it
      for recovery, and it now refuses to run if your indexer looks live
      (its cursor was touched in the last ~90 seconds) unless you pass
      --force.

    • The morphit-ops menu now catches your eye when it matters. The
      "Upgrade to the latest version" line turns bold yellow when a newer
      release is available, and the "Status dashboard" line turns yellow
      or red when your relay balance is getting low — so you notice
      before it becomes a problem.

    • The "Get Morphit" page is simpler and accurate. Morphit installs
      as a Progressive Web App straight from your browser on Android,
      iPhone/iPad, and desktop — there is no APK, app-store listing, or
      native package, by design. The page now leads with that, and adds a
      "Source code & mirrors" section pointing at every place the code
      lives.

    • A friendlier language picker. With ten languages the selector
      used to run off the bottom of the screen; it's now a compact grid
      that fits any screen and scrolls if needed.

    Fixed

    • Shared links with the language prefix stripped no longer 404. A
      link like /faq?q=... (missing the /en/ prefix) now detects your
      browser's language and redirects to the right page, preserving the
      query and anchor, instead of showing an error.

    • A single-host (one server) deploy now works the first time. The
      documented nginx recipe now serves the prerendered site correctly
      (it was returning a 403 on locale pages) and routes the indexer and
      relay APIs to the right place (signup and the orderbook were
      failing). Live updates (the orderbook, chat, and instances streams)
      and the RSS feeds now route correctly on a single host too, and the
      OPERATIONS.md reference config plus the bundled BunkerWeb config
      are aligned with it. If you run the indexer, relay, and web app on
      one box, re-check RUN-A-MORPHIT-NODE.md §8 (and §24/§32 of
      OPERATIONS.md if you front it with BunkerWeb).

    • Deploys can no longer leave the app showing a blank page. The
      service worker now rebuilds redirected responses on navigations, so
      a page cached during a brief deploy-time redirect window can't break
      loading afterward. (If you ever hit a blank page mid-upgrade, a hard
      reload clears it.)

    • The "Create an account" link from the post page no longer 404s,
      and the comparison/settings input fields now match the dark theme.

    Upgrading

    Use morphit-ops upgrade (or the Upgrade menu item). Your
    configuration, signing key, and per-network keys are carried forward
    automatically, and the services restart on the new code. Most of this
    release is front-end and documentation, but upgrading via a release is
    still the cleanest path. There are no database migrations and no
    configuration changes required.

  • v1.0.0-beta.5 3a4d1af2ea

    Morphit v1.0.0-beta.5
    Stable

    agorise released this 2026-06-04 21:07:26 +00:00 | 4 commits to main since this release

    Signed by agorise
    GPG key ID: 53524E1F1017EB9C

    Two operator-facing improvements on top of beta.4. First, your
    instance is now far more resilient to flaky Blurt RPC nodes — a
    single dead or rate-limited node no longer stalls your sync, and
    you can check your endpoints before you rely on them. Second, you
    can now moderate your own instance: review the abuse signals the
    indexer already collects and hide a troublesome account's listings
    — without touching the chain, anyone's funds, or any other
    instance. This release is recommended for all operators.

    Added

    • Instance-local moderation — review flags and block accounts.
      Morphit's indexer already watches for two abuse patterns: accounts
      that review each other suspiciously often (reciprocity rings) and
      accounts that look like the same person behind several names.
      beta.5 turns those signals into something you can act on. Run
      morphit-ops moderation (or pick Moderation from the
      morphit-ops menu) to review the flagged accounts and block any of
      them right there; you can also block or unblock any account by name
      with morphit-ops block <account> [reason] and morphit-ops unblock <account>.

      A block is instance-local. It hides that account's listings
      everywhere your instance shows them — the public orderbook, the
      per-account view, featured slots, the RSS feeds, and the live
      stream — and nothing more. It does not broadcast anything to
      the chain, does not touch anyone's funds, keys, or identity,
      and has no effect on any other Morphit instance. It is fully
      reversible. A blocked person signed in on your instance sees a
      clear, non-alarming banner explaining that their posts are hidden
      on this instance only and remain visible on every other Morphit
      instance, with a link to reach you — which is the whole point of a
      federation: no single instance can censor anyone across it. See
      OPERATIONS.md §6a and RUN-A-MORPHIT-NODE.md §9.1.2.

    • RPC endpoint health — checked before, and visible during, a run.
      morphit-ops doctor and the setup wizard (morphit-ops init) now
      test each Blurt RPC endpoint you have configured — a real chain
      query, not just a DNS lookup — and tell you in plain English
      whether they are all reachable, some are down, or all are dead,
      before you depend on them. (Pass --no-rpc to doctor to skip
      it.) And /v1/health now reports how many of your RPC endpoints are
      currently healthy, with full per-endpoint detail in the verbose
      view, so you can tell at a glance whether a sync problem is an RPC
      problem.

    • The morphit-ops menu now shows your version and pending flags.
      The menu lists your installed version next to Upgrade (and the
      latest available release, when it can reach the release server),
      and the number of unresolved moderation flags next to
      Moderation, so both are visible the moment you open the menu.

    Fixed

    • A single dead or rate-limited RPC node no longer stalls your
      instance.
      Two related fixes. The indexer now ships with the same
      built-in list of working Blurt RPC nodes the relay already had:
      previously the indexer required you to configure endpoints with no
      fallback, so a node set up with a list that later went dead — while
      the relay quietly ran on its own good defaults — could freeze the
      indexer's sync. Both services now fall back to the same vetted
      four-node list when the setting is absent, and the setup wizard
      writes that same list to both. Separately, an RPC node that is up
      but rate-limiting you (HTTP 429) or briefly erroring (502/503/504)
      is now treated as a reason to rotate to the next node and back off,
      instead of surfacing as a hard failure — so a throttling or flaky
      node is routed around automatically.

    • Quieter, clearer RPC logs. The noisy Didn't failover… lines
      the underlying Blurt library printed on every transport hiccup are
      now suppressed. Your real endpoint health is on /v1/health
      instead.
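
    The rotate-and-back-off behaviour described in the RPC fix above, as an added example that is not Morphit's code: RpcPool, rpcCall, the delay values and the .invalid URLs are assumptions. It also assumes a transport error rotates like a 5xx and that any other non-200 status is a hard failure.

```javascript
// Added example (not Morphit's code). All names here are hypothetical.
// Statuses the notes say mean "rotate and back off", not "hard failure".
const ROTATE_STATUSES = new Set([429, 502, 503, 504]);

class RpcPool {
  // `now` is injectable so the back-off policy can be exercised offline.
  constructor(endpoints, { baseDelayMs = 500, maxDelayMs = 30000, now = Date.now } = {}) {
    if (!endpoints.length) throw new Error('no RPC endpoints configured');
    Object.assign(this, { baseDelayMs, maxDelayMs, now, cursor: 0 });
    this.state = endpoints.map((url) => ({ url, failures: 0, retryAt: 0, lastStatus: null }));
  }

  // Round-robin from the cursor, skipping endpoints still in back-off.
  // Returns null when every endpoint is cooling down.
  pick() {
    const t = this.now();
    for (let i = 0; i < this.state.length; i++) {
      const idx = (this.cursor + i) % this.state.length;
      if (this.state[idx].retryAt <= t) {
        this.cursor = idx;
        return this.state[idx];
      }
    }
    return null;
  }

  markOk(ep, status) {
    ep.failures = 0;
    ep.retryAt = 0;
    ep.lastStatus = status;
  }

  // Exponential back-off per endpoint, capped; then move the cursor on.
  markBad(ep, status) {
    ep.failures += 1;
    ep.lastStatus = status;
    const delay = Math.min(this.maxDelayMs, this.baseDelayMs * 2 ** (ep.failures - 1));
    ep.retryAt = this.now() + delay;
    this.cursor = (this.state.indexOf(ep) + 1) % this.state.length;
  }

  // Summary in the spirit of the /v1/health count: healthy of total, plus detail.
  health() {
    const t = this.now();
    const endpoints = this.state.map(({ url, failures, retryAt, lastStatus }) =>
      ({ url, healthy: retryAt <= t, failures, lastStatus }));
    return { healthy: endpoints.filter((e) => e.healthy).length, total: endpoints.length, endpoints };
  }
}

// send(url, body) resolves to { status, body } or throws on a transport error.
async function rpcCall(pool, send, body) {
  const attempts = [];
  for (let n = 0; n < pool.state.length; n++) {
    const ep = pool.pick();
    if (!ep) break; // every endpoint is cooling down
    let status;
    try {
      const res = await send(ep.url, body);
      status = res.status;
      if (status === 200) {
        pool.markOk(ep, status);
        return { url: ep.url, result: res.body, attempts };
      }
    } catch (err) {
      status = 'transport-error'; // assumption: a dead node rotates like a 5xx
    }
    if (status !== 'transport-error' && !ROTATE_STATUSES.has(status)) {
      // e.g. HTTP 400: the request itself is wrong, rotating will not help
      throw new Error(`RPC ${ep.url} returned HTTP ${status}`);
    }
    pool.markBad(ep, status);
    attempts.push({ url: ep.url, status });
  }
  const err = new Error('all RPC endpoints are down or backing off');
  err.attempts = attempts;
  throw err;
}

// Constructed responses standing in for three RPC nodes.
const SAMPLE = {
  'https://rpc-a.invalid': () => ({ status: 429 }),
  'https://rpc-b.invalid': () => { throw new Error('ECONNREFUSED'); },
  'https://rpc-c.invalid': () => ({ status: 200, body: { head_block: 1 } }),
};

async function demo() {
  const pool = new RpcPool(Object.keys(SAMPLE));
  const reply = await rpcCall(pool, async (url) => SAMPLE[url](), { method: 'ping' });
  return { servedBy: reply.url, skipped: reply.attempts, health: pool.health() };
}

demo().then((out) => console.log(JSON.stringify(out, null, 2)));
```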

    Everything from beta.4 still applies

    beta.4 added morphit-ops doctor (a read-only "will my node start?"
    check) and fixed an indexer boot crash that happened when a Matrix
    room was set for operator alerts, plus two settings the setup
    wizard was not writing. See RELEASE-NOTES-v1.0.0-beta.4.md for
    details.

    Upgrading

    • If you installed cleanly from a recent release and your node runs,
      just npx morphit-ops upgrade to pick this up (it carries your
      config and keys forward). After upgrading, it is worth running
      morphit-ops doctor once — it now checks your RPC endpoints too.
    • No configuration change is required on your side. If you had
      manually copied RPC endpoints into MORPHIT_INDEXER_RPC_ENDPOINTS
      as a workaround, you can keep them or remove them — the indexer now
      has a safe built-in default either way.

    Verify the download

    sha256sum -c morphit-v1.0.0-beta.5.tar.gz.sha256
    

    Output must say OK before you extract.

    Status

    Pre-launch beta. Not yet recommended for production traffic. The
    canonical public instance is morphit.io. Community operators
    welcome — start at docs/start-here/.

  • v1.0.0-beta.4 ec6b1d5b29

    Morphit v1.0.0-beta.4
    Stable

    agorise released this 2026-06-03 06:05:32 +00:00 | 7 commits to main since this release

    Signed by agorise
    GPG key ID: 53524E1F1017EB9C

    A small but important fix on top of beta.3: the indexer could fail
    to start on instances that set a Matrix room for operator
    alerts. If you are on beta.3 (or earlier) and your indexer starts
    fine, this release is still recommended but not urgent. If your
    indexer crashes at boot with ReferenceError: require is not defined, this release fixes it.

    Added

    • morphit-ops doctor — a read-only "will my node start?" check.
      Run it from your install directory and it tells you, in plain
      English, whether the indexer and relay will start with the config
      you have on disk — before you start them. It reports exactly
      what is wrong (a missing required setting, a value in the wrong
      file, a key-file permission) and how to fix it, and it changes
      nothing on your system. If your node won't boot, run morphit-ops doctor first. It also runs a short security check: it tells
      you whether your relay's active key is encrypted or stored in
      plaintext (and how to encrypt it), and flags any secret file that
      other users on the box can read. (This security check is
      operator-only — it is deliberately not exposed on the public
      health endpoint.)

    Fixed

    • Indexer crashed at startup when MORPHIT_INDEXER_OPERATOR_MATRIX_ROOM
      was set.
      The config code validated the Matrix room alias using a
      CommonJS require() call, which is undefined in the indexer's
      ES-module runtime — so boot failed with ReferenceError: require is not defined the moment a non-empty room value was present.
      Instances that left the room unset were unaffected, which is why
      it surfaced late. The validator now uses a normal module import.
      Added a startup regression test (and a repo-wide guard against
      this whole class of CommonJS-in-ESM bug) so it cannot recur.

    • Setup wizard never wrote two settings the indexer requires.
      An instance configured with morphit-ops init (rather than the
      Ansible playbook) was missing MORPHIT_INDEXER_PUBLIC_ORIGIN and
      MORPHIT_INDEXER_OFFICIAL_POSTING_PUBKEY, so the indexer refused
      to start with config validation failed: ... Required. The wizard
      now writes both — the public origin (the same one it already asks
      you for) and the official @morphit posting key (a fixed value,
      the same for every instance). If you set up via the wizard and your
      indexer won't start citing these, re-run npx morphit-ops init on
      this release, or add both to your morphit.env by hand (see
      ops/env/indexer.env.example).

    Everything from beta.3 still applies

    beta.3 fixed the setup wizard writing two settings into the wrong
    file (which stopped the indexer from booting with an "operator
    allowlist" error), added the guided morphit-ops install, the
    docs/start-here/ navigation hub, the migrate-to-release-track
    guide, and made morphit-ops upgrade discover pre-release-flagged
    releases. See RELEASE-NOTES-v1.0.0-beta.4.md for details.

    Upgrading

    • If you installed cleanly from the beta.3 release and your indexer
      runs, just npx morphit-ops upgrade to pick this up (it carries
      your config and keys forward).
    • If your beta.3 indexer crashed at boot with the require error,
      upgrade to this release and start it again — no config change
      needed on your side.

    Verify the download

    sha256sum -c morphit-v1.0.0-beta.4.tar.gz.sha256
    

    Output must say OK before you extract.

    Status

    Pre-launch beta. Not yet recommended for production traffic. The
    canonical public instance is morphit.io. Community operators
    welcome — start at docs/start-here/.

  • v1.0.0-beta.3 88a9b4393c

    Morphit v1.0.0-beta.3
    Stable

    agorise released this 2026-06-03 02:36:04 +00:00 | 12 commits to main since this release

    Signed by agorise
    GPG key ID: 53524E1F1017EB9C

    Third public beta. This release is focused on install and upgrade
    reliability — fixing a setup bug that could stop a fresh node from
    starting, and making the install/upgrade experience smoother for
    operators of every skill level.

    If you are running beta.1 or beta.2, see Upgrading below — the
    path is slightly different this time because of the boot fix.

    Fixed

    • Setup wizard wrote two settings into the wrong file, which
      stopped the indexer from starting.
      morphit-ops init placed
      MORPHIT_RELAY_SIGNUP_DAILY_CEILING and
      MORPHIT_RELAY_TRUSTED_PROXY_IPS into morphit.config.env, which
      is restricted to a small allowlist of operator-tunable values. The
      indexer correctly refuses to boot when it finds non-allowlisted
      keys there, so a freshly-configured node failed to start with
      [operator-config] ... contains keys not in the operator allowlist. These two settings now go into morphit.env (matching
      the relay's environment, the env templates, and the Ansible role),
      where the relay reads them as intended. New installs are
      unaffected by the old behavior; existing operators who hit this,
      see Upgrading.

    Added

    • morphit-ops install — a guided first-time install. Checks
      prerequisites (Node, PostgreSQL, git), runs the setup wizard,
      offers server hardening, and offers to put morphit-ops on your
      PATH so you can drop the npx prefix. On a fresh Ubuntu box, the
      Ansible playbook in ops/ansible/ still does the OS-level install
      (Node/PostgreSQL/services); morphit-ops install is the
      interactive, learn-as-you-go path.

    • docs/start-here/ — a plain-language navigation hub. Tells you
      exactly which document to open for what you want to do (install,
      upgrade, fix a problem, change settings, launch). New operators
      should start there.

    • docs/MIGRATE-TO-RELEASE-TRACK.md — a one-time procedure for
      nodes that were installed with git clone and therefore can't use
      morphit-ops upgrade yet (they lack the release-info.json that
      ships inside release tarballs).

    • A throwaway-VM install validator at
      scripts/validate-fresh-install.sh for operators helping certify
      the install path.

    Improved

    • morphit-ops upgrade now finds the newest release even when it
      is flagged as a pre-release.
      Previously it only looked at the
      latest stable release, so during the all-beta period it could
      report "already on the latest" and never upgrade. It now prefers a
      stable release when one exists and otherwise falls back to the
      newest release of any kind.

    Upgrading from beta.1 / beta.2

    The boot fix changes what the setup wizard writes; it does not
    change what an already-installed node has on disk. So:

    • If your morphit.config.env contains
      MORPHIT_RELAY_SIGNUP_DAILY_CEILING or
      MORPHIT_RELAY_TRUSTED_PROXY_IPS (any node configured by the
      beta.1/beta.2 wizard will), the cleanest path is a fresh install
      of this release followed by re-running npx morphit-ops init,
      which writes correct config. Back up your relay key
      (apps/relay/keystore.json or .wif) and apps/relay/altnet/
      first; your PostgreSQL database and on-chain registration are not
      affected. Full steps: docs/MIGRATE-TO-RELEASE-TRACK.md.

    • Or, to keep your existing config, remove those two lines from
      morphit.config.env (the relay reads them from morphit.env
      instead) and restart. If they aren't already in morphit.env, add
      MORPHIT_RELAY_SIGNUP_DAILY_CEILING=50 (or your chosen value)
      there.

    • From this release onward, npx morphit-ops upgrade carries your
      config and keys forward automatically.

    Verify the download

    sha256sum -c morphit-v1.0.0-beta.3.tar.gz.sha256
    

    Output must say OK before you extract.

    Status

    Pre-launch beta. Not yet recommended for production traffic. The
    canonical public instance is morphit.io. Community operators
    welcome — start at docs/start-here/.

  • v1.0.0-beta.2 99f84580ea

    Morphit v1.0.0-beta.2
    Stable

    agorise released this 2026-06-01 22:17:56 +00:00 | 16 commits to main since this release

    Signed by agorise
    GPG key ID: 53524E1F1017EB9C

    Second public beta of Morphit — a federated, non-custodial, no-KYC peer-to-peer
    marketplace for fiat ↔ BTC, XMR, BLURT, USDT, USDC, DAI, BCH, LTC, DASH, DOGE,
    ZEC, ARRR, DCR, SOL, ETH, and XRP trades.

    This release builds on v1.0.0-beta.1 and is focused almost entirely on the
    operator experience — the part beta-testing surfaced as the roughest. If
    you ran a beta.1 node, the headline is that running and maintaining your
    instance is now a guided, menu-driven experience, and upgrades safely preserve
    your configuration and signing key.

    Install

    See docs/RUN-A-MORPHIT-NODE.md for the friendly walkthrough.
    Plan two evenings: the first to set up the server and install
    things, the second to troubleshoot whatever didn't work the
    first time. Runs comfortably on a $5/mo VPS or a Raspberry Pi 4.

    For the day-zero procedure (the morning-of and first-24-hour
    operator runbook) see docs/LAUNCH-DAY.md.

    For ongoing day-1-through-day-7 monitoring see
    docs/POST-LAUNCH-WEEK-ONE.md.

    Upgrading from beta.1

    Use the built-in upgrader — docs/UPGRADING.md has the full procedure:

    sudo -u morphit npx morphit-ops upgrade
    

    It downloads this release, verifies the SHA-256, backs up your current
    install, swaps in the new code, carries your config and signing key
    forward automatically, reinstalls dependencies, and restarts your
    services — rolling everything back if any step fails.

    One-time note for this specific upgrade. morphit-ops upgrade runs
    the carry-forward using the code of the version you're upgrading from.
    beta.1 predates that feature, so on this first jump your config is not
    auto-carried — it is not lost, it's in the timestamped backup. Before
    upgrading, copy morphit.config.env, morphit.env, apps/relay/keystore.*,
    and apps/relay/altnet/ somewhere safe; after the upgrade, confirm they're
    present in your install dir and, if any are missing, copy them back from
    /opt/morphit.bak-<timestamp>/ and restart morphit-indexer and
    morphit-relay. From beta.2 onward every upgrade preserves them for you.

    Your on-chain operator registration is unaffected by any upgrade — it lives
    on the Blurt chain, not in your install.

    Verify the download

    sha256sum -c morphit-v1.0.0-beta.2.tar.gz.sha256
    

    For belt-and-braces, see docs/UPGRADING.md "Belt-and-braces verification"
    — it walks you through cloning the repo separately, running
    git tag -v v1.0.0-beta.2, and re-deriving the manifest from a
    clean checkout to compare against the tarball you downloaded.

    What's new since beta.1

    Everything below is shipped, smoke-tested, and source-verifiable against the
    tagged commit.

    One command to run your instance

    • morphit-ops now opens a menu. Run it with no arguments on a
      terminal and you get a grouped, plain-English menu — set up and
      change the instance, check on it (status, signups, abuse alerts,
      pending transfers, moderation flags), or manage keys and payment
      methods — so you pick an action by what you want to do instead of
      memorizing subcommand names. Every action is still runnable
      directly (e.g. morphit-ops status), and scripts/cron are
      unaffected: non-interactive runs print help exactly as before.
    • morphit-ops edit for ongoing changes. Change your RPC
      endpoints, description/SEO, origin, listing fees, or operator tag
      without re-running the full setup. It writes atomically, preserves
      permissions, and tells you exactly which services to restart.
    • Safe re-run of the setup wizard. Running morphit-ops init on
      an instance that's already configured no longer risks clobbering it
      — it warns you, then offers to edit a few settings (recommended),
      overwrite everything (with a confirmation and a backup), or cancel.

    A dedicated hardening wizard

    • morphit-ops harden (also "Harden this server" in the menu)
      walks you through securing the host: it generates a personalized
      hardening checklist with your domain and your reverse-proxy choice
      baked in — leading with the SSH-lockout safety rule — and can walk
      you through BunkerWeb, daily database backups, and the full
      Ubuntu / SSH / firewall / fail2ban / TLS checklist, or point you at
      the fully-automated Ansible path. Nothing here is Morphit-specific;
      it's the baseline every internet-facing server needs, sequenced for
      you with copy-paste commands.

    Setup wizard improvements

    • BunkerWeb step. The setup wizard now asks whether BunkerWeb (an
      open-source reverse-proxy WAF, shipped turnkey at ops/bunkerweb/)
      will front your instance, and wires the trusted-proxy setting for
      you when you say yes — so your relay sees real client IPs.
    • Hardening step. The wizard finishes by offering to generate the
      same personalized hardening checklist described above.
    • Matrix alerting is on by default. The optional Matrix incident
      bot is now presented as a recommended default with clear setup
      steps for its own credentials, rather than an easy-to-miss opt-in.
    • Clearer prompts throughout — the wizard greeting reflects the
      real number of steps, the optional steps are clearly skippable with
      safe defaults, and the prompts spell out where each value appears
      publicly.

    Clearer on-chain registration

    • Honest, accurate output from morphit-ops register. The success
      screen no longer prints a confusing "Block: undefined" (Blurt
      confirms asynchronously — there's no block number at broadcast time)
      and no longer leaks internal RPC retry noise when your node
      transparently fails over to a healthy endpoint.
    • Specific failure guidance. When a broadcast fails, the tool now
      tells you exactly why (reserved tag, taken tag, wrong key, low Mana,
      all endpoints unreachable, …) and what to do — and on a low-Mana
      failure it offers to retry in place once you've powered up, with no
      wizard re-run.
    • Key verification made concrete. Prompts that ask you to confirm
      your relay's key now name the "Active Auth" field and give you
      the exact explorer URL — https://blocks.blurtwallet.com/#/@<your-account>
      — to check it against. morphit-ops show-key uses the same
      guidance.
    • Re-registration reminder. If you change your origin or operator
      tag with morphit-ops edit, the tool reminds you to re-run
      morphit-ops register so the rest of the federation sees the change
      (those two values live in your on-chain record; other settings are
      local-only).

    Safer upgrades

    • Your config and keys survive upgrades. morphit-ops upgrade now
      explicitly carries morphit.config.env, morphit.env, your relay
      keystore, your alt-network keys, and your hardening checklist forward
      into each new release — with their permissions intact — so a release
      upgrade brings your instance back up exactly as it was, on the new
      code, with no re-configuration. (See the one-time note above for the
      beta.1 → beta.2 jump specifically.)
    • docs/UPGRADING.md corrected and expanded to document the
      carry-forward step and the exact files preserved.

    Documentation and accuracy

    • docs/RUN-A-MORPHIT-NODE.md gained a "Managing your instance
      later" section covering the menu, the hardening wizard, and the
      re-registration rule.
    • README and operator docs were swept for accuracy against the
      actual code (app and config inventory, the relay's key type, the
      reverse-proxy configs that actually ship, and more).

    Reach

    Morphit instances are reachable over the public web, Tor .onion
    hidden services, I2P .b32 addresses, Lokinet, and Nostr. The
    federation directory at /instances on any node shows the other
    known instances and their alt-network addresses.

    Reporting issues

    Bug reports: open a New Issue on Forgejo
    (git.agorise.net/agorise/morphit) — the bug-report template
    auto-loads with the fields needed.

    Security disclosures go to the operator's Matrix DM channel
    listed in §16 of the bug-report template (or in
    docs/SECURITY.md). Do NOT post security issues as public
    Forgejo issues or in the community Matrix room.

    Acknowledgements

    Built on Blurt for the chain layer. The audit campaign is
    publicly readable in this repo, and so are the design tradeoffs
    — we made arguable calls, especially around chat-crypto
    primitives, and the reasoning is in the ADRs for you to push
    back on.


    Tag: v1.0.0-beta.2
    Built by: Forgejo Actions from a signed annotated tag (see
    .forgejo/workflows/release.yml)
    License: AGPL-3.0-only

  • v1.0.0-beta.1 83ca7837d0

    Morphit v1.0.0-beta.1
    Stable

    agorise released this 2026-05-25 22:08:21 +00:00 | 44 commits to main since this release

    Signed by agorise
    GPG key ID: 53524E1F1017EB9C

    First public beta of Morphit — a federated, non-custodial, no-KYC peer-to-peer
    marketplace for fiat ↔ BTC, XMR, BLURT, USDT, USDC, DAI, BCH, LTC, DASH, DOGE,
    ZEC, ARRR, DCR, SOL, ETH, and XRP trades.

    This release is for community operators who want to stand up an early
    instance and for beta testers to try real trades on morphit.io.

    Install

    See docs/RUN-A-MORPHIT-NODE.md for the friendly walkthrough.
    Plan two evenings: the first to set up the server and install
    things, the second to troubleshoot whatever didn't work the
    first time. Runs comfortably on a $5/mo VPS or a Raspberry Pi 4.

    For the day-zero procedure (the morning-of and first-24-hour
    operator runbook) see docs/LAUNCH-DAY.md.

    For ongoing day-1-through-day-7 monitoring see
    docs/POST-LAUNCH-WEEK-ONE.md.

    Verify the download

    sha256sum -c morphit-v1.0.0-beta.1.tar.gz.sha256
    

    For belt-and-braces, see docs/UPGRADING.md "Belt-and-braces verification"
    — it walks you through cloning the repo separately, running
    git tag -v v1.0.0-beta.1, and re-deriving the manifest from a
    clean checkout to compare against the tarball you downloaded.

    What's in the beta

    This is the first public release. Everything listed below is
    shipped, smoke-tested, and source-verifiable against the tagged
    commit. For the exhaustive claim-by-claim breakdown, read
    MORPHIT-BRAG-LIST.md.

    Trading

    • Sixteen tradable assets out of the box: BTC, XMR, BLURT, USDT, USDC,
      DAI, BCH, LTC, DASH, DOGE, ZEC, ARRR, DCR, SOL, ETH, XRP. Three —
      BTC, XMR, BLURT — are the original core; listing fees can be paid in
      any of them. The other thirteen are trade-only (peer-to-peer trading
      supported; listing fees still settle in BTC/XMR/BLURT). Each is enabled
      by default at the operator's instance and can be turned off per-ticker via
      MORPHIT_INDEXER_DISABLED_ASSETS or interactively at install time via the
      setup wizard's trade-only-policy step.
      • EVM-multi-network stablecoins (USDT, USDC, DAI) span four
        networks each, with a no-default-network rule so users can't
        accidentally cross-send. USDT covers Ethereum / ERC-20, Tron /
        TRC-20, Solana / SPL, and BNB Smart Chain / BEP-20. USDC covers
        Ethereum / ERC-20, Solana / SPL, Base, and Polygon. DAI covers
        Ethereum / ERC-20, Polygon, Base, and Arbitrum. Amount-jitter
        at 6-decimal precision applies (cp30 reversal of the earlier
        USDT pass-through decision — Circle/Tether/MakerDAO governance
        powers are documented per-asset as separate, independently-real
        threats).
      • UTXO chains (BCH, LTC, DASH, DOGE) accept their canonical address
        families: LTC accepts all four forms (legacy P2PKH L…, modern P2SH
        M…, deprecated P2SH 3…, bech32/bech32m ltc1…); DASH accepts both
        base58 forms (P2PKH X…, P2SH 7…); BCH covers CashAddr and legacy;
        DOGE base58 (D…). DASH ships with optional PrivateSend awareness
        — a chain-level masternode-coordinated CoinJoin variant — surfaced in
        the per-asset privacy guide; users pre-mix in their Dash wallet before
        sharing the address.
      • Shielded chains (ZEC, ARRR). ZEC supports both transparent (t1/
        t3) and shielded (zs1 Sapling, u1 Unified Address) — pick per
        trade. ARRR is shielded-by-construction (Sapling only; no transparent
        option exists at the chain layer).
      • Hybrid PoW/PoS chain (DCR — Decred) with Politeia-anchored
        governance documented in the per-asset guide.
      • High-throughput / smart-contract chains (SOL, ETH, XRP). ETH
        addresses are EIP-55 mixed-case-checksum-validated; XRP supports
        destination tags and respects the 1-XRP base reserve. Block explorers
        are health-probed at install time and re-probed on every address-share.
    • Listing fees in BLURT, BTC, or XMR — choice belongs to the
      poster. Default operator-treasury target is $0.25 USD per
      order; BLURT-paying posters get an automatic 50% discount
      (so a BLURT fee on the canonical instance currently rounds to
      ~60 BLURT ≈ $0.12).
    • First buy of BLURT is fee-waived — new users can post their
      first order without holding any BLURT.
    • Featured-slot auction with a minimum-hours floor (prevents
      micro-bid sniping), per-bidder bid history, outbid push
      notifications (cp17), and anti-snipe soft-close
      (cp18 — expiring top-5 bids extend by 5 minutes when a new
      bid arrives within the snipe window, capped at 6 extensions /
      30 minutes total).

    Identity, signup, and chat

    • No KYC, no email, no phone, no IP logging. Signup is a
      posting public key plus a chosen username.
    • Account creation is free to the user. The operator's relay
      pre-mints Account Creation Tokens (ACTs) in a weekly batch
      ceremony at ~100 BLURT each and consumes one ACT per signup
      via fee-free create_claimed_account. The user pays nothing.
    • End-to-end encrypted chat with per-message ECIES (X25519 +
      ChaCha20-Poly1305-IETF, libsodium). Sender ephemerals are
      wiped after one use. Ciphertext is stored on-chain;
      the indexer cannot decrypt. See docs/adr/0015-chat-crypto.md
      for the threat-model rationale (why no Double Ratchet).
    • Opt-in 8-word out-of-band fingerprint verification for
      belt-and-suspenders MITM protection beyond the chain-anchored
      TOFU pin. PGP word list, never BIP39 — deliberately distinct
      from seed phrases.
    • Desktop QR pairing (ADR-0022) — paired-readonly desktop
      session, posting key stays on phone, all writes route through
      phone for signing. WhatsApp-Web mental model.

    Notifications

    • Web Push subscriptions (cp13–cp16, hardened cp131) for
      chat / feedback / outbid events. VAPID-protected; subscribe
      AND unsubscribe both require a valid posting-key signature
      over a canonical message binding account-name + endpoint +
      timestamp. The canonical message ACTION keyword
      (subscribe vs unsubscribe) is part of the signed payload,
      so a captured subscribe signature cannot be replayed as an
      unsubscribe (and vice-versa). Captured signatures expire
      after 5 minutes and cannot be replayed across accounts or
      devices. Operators set
      MORPHIT_RELAY_PUSH_REQUIRE_SIGNED=true to require
      signatures (the default for new deployments); permissive
      mode is available for legacy clients during roll-forward.
    • In-tab ambient channels (title-bar badge, favicon dot,
      audio cue, vibration) work even without VAPID keys configured.
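
    The signed subscribe/unsubscribe check described above, as an added example that is not Morphit's own code. The canonical message layout, the function names, the 30-second clock-skew allowance and the use of Ed25519 in place of the posting-key signature scheme are assumptions; the 5-minute expiry and the action + account + endpoint + timestamp binding come from these notes.

```javascript
// Added example (not Morphit code). Message layout and names are assumptions.
const crypto = require('node:crypto');

const MAX_AGE_MS = 5 * 60 * 1000; // captured signatures expire after 5 minutes
const MAX_SKEW_MS = 30 * 1000;    // tolerated client clock skew (assumption)

// The action keyword is part of the signed bytes, so a subscribe signature can
// never verify as an unsubscribe. A JSON array keeps field boundaries
// unambiguous, so no field value can smuggle in a separator.
function canonicalMessage(action, account, endpoint, timestampMs) {
  return Buffer.from(JSON.stringify(['push', action, account, endpoint, timestampMs]));
}

function signRequest(privateKey, action, account, endpoint, timestampMs) {
  const sig = crypto.sign(null, canonicalMessage(action, account, endpoint, timestampMs), privateKey);
  return { account, endpoint, timestampMs, signature: sig.toString('base64') };
}

// Relay side. `action` is fixed by the route being served, never read from the
// request body. `lookupKey(account)` returns that account's registered public key.
function verifyRequest(action, req, lookupKey, nowMs = Date.now()) {
  if (!['subscribe', 'unsubscribe'].includes(action)) return { ok: false, reason: 'bad-action' };
  if (!Number.isSafeInteger(req.timestampMs)) return { ok: false, reason: 'bad-timestamp' };
  const age = nowMs - req.timestampMs;
  if (age > MAX_AGE_MS) return { ok: false, reason: 'expired' };
  if (age < -MAX_SKEW_MS) return { ok: false, reason: 'future-timestamp' };
  const publicKey = lookupKey(req.account);
  if (!publicKey) return { ok: false, reason: 'unknown-account' };
  const msg = canonicalMessage(action, req.account, req.endpoint, req.timestampMs);
  const sig = Buffer.from(String(req.signature), 'base64');
  return crypto.verify(null, msg, publicKey, sig) ? { ok: true } : { ok: false, reason: 'bad-signature' };
}

// Constructed sample: one captured subscribe request, replayed four ways.
function demo() {
  const alice = crypto.generateKeyPairSync('ed25519');
  const bob = crypto.generateKeyPairSync('ed25519');
  const keys = new Map([['alice', alice.publicKey], ['bob', bob.publicKey]]);
  const t0 = 1_700_000_000_000;
  const req = signRequest(alice.privateKey, 'subscribe', 'alice', 'https://push.example/ep1', t0);
  const check = (action, r, now) => verifyRequest(action, r, (a) => keys.get(a), now);
  return {
    genuine: check('subscribe', req, t0 + 1000),
    asUnsubscribe: check('unsubscribe', req, t0 + 1000),
    otherAccount: check('subscribe', { ...req, account: 'bob' }, t0 + 1000),
    otherDevice: check('subscribe', { ...req, endpoint: 'https://push.example/ep2' }, t0 + 1000),
    stale: check('subscribe', req, t0 + MAX_AGE_MS + 1),
  };
}
```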

    Operator setup

    • Setup wizard (npx morphit-ops init, ~18 prompts) covers
      treasury addresses (BTC + XMR), explorer URLs with live health
      probes, listing-fee USD target with live price recompute, VAPID
      keys for Web Push, operator-tag for federation cost attribution,
      and the trade-only asset policy (per-ticker enable/disable for
      every Category-B asset: USDT, USDC, DAI, BCH, LTC, DASH, DOGE,
      ZEC, ARRR, DCR, SOL, ETH, XRP).
    • Federated cost attribution — each operator's relay pays only
      for ops that route through their own instance (operator tag
      registered on-chain via morphit_operator_register_v1).
    • Operator kill-switch for compromise scenarios — relay-side
      flag disables signups and posts a banner pointing users at
      other instances. See docs/BETA-INCIDENT-RUNBOOK.md.
    • Reproducible builds — every tarball is rebuildable
      byte-for-byte from its tagged commit; bundle hashes are
      broadcast on-chain via morphit_release_v1.

    Privacy

    • No cookies, no analytics, no third-party CDN, no Cloudflare.
    • No IP logging. The relay extracts client IP as an in-memory
      rate-limit bucket key and discards it when the window passes.
      The code carries this as a binding contract — adding IP logging
      would require an ADR and a security advisory.
    • XMR view-key privacy — the operator's private view key is
      strictly env-only on their box, never published on-chain, in
      APIs, in logs, or in release ops. Per-payment proofs are
      user-supplied at trade time.
    • Transparent-chain privacy framework (cp26 + cp30). Registry-driven
      per-asset privacy practices surface in the address-share modal
      and at /[lang]/privacy/{asset}:
      • Amount-jitter on every transparent asset (BTC, BCH, LTC, DASH,
        DOGE, ZEC transparent, DCR, BLURT — XMR has been jittered since cp3,
        and stablecoins USDT/USDC/DAI jitter at 6-decimal precision per cp30):
        default ON; adds a small random extra (≤999 sat for UTXO chains, ≤99
        milliblurt for BLURT, scaled per-asset for the others) to defeat
        amount-correlation between the orderbook post and the on-chain
        transfer.
      • Client-side address-reuse warning: localStorage-only,
        never transmitted to any Morphit server; surfaces an amber
        chip when the user is about to share an address they've
        shared from this device before.
      • Optional PayJoin (BIP-78) endpoint for BTC: when both
        seller and buyer wallets support BIP-78, the seller pastes
        their PayJoin endpoint URL into the BTC address-share modal
        and Morphit relays it via pj= in the bitcoin: URI.
        Wallets without PayJoin support fall back to a normal
        payment — zero footgun.
      • Per-asset privacy guides at /[lang]/privacy/{asset} for every
        tradable ticker, covering fresh-address practice, opt-in privacy
        tech (MWEB for LTC, CashFusion for BCH, PrivateSend for DASH,
        CoinJoin + PayJoin for BTC, Sapling/Orchard shielded sends for
        ZEC, shielded-by-default for ARRR, CoinShuffle++ for DCR),
        universal practices, and asset-specific caveats. Registry-driven:
        the next asset Morphit adds gets a privacy guide automatically by
        populating one struct field.
      • No wallet recommendations. Even reputable wallets have
        been compromised — Morphit names protocol standards, not
        wallet software.
    • DASH PrivateSend awareness (cp27). Dash's masternode-
      coordinated CoinJoin variant is documented in the per-asset
      privacy guide at /privacy/dash. Pre-mixing happens
      entirely wallet-side BEFORE the address is shared on Morphit
      — Morphit does not coordinate the mix, hold the funds, or
      expose users to masternode-trust trade-offs beyond what their
      wallet already does. The privacy guide explains the
      trade-offs honestly: anonymity set depends on simultaneous
      participants, and for the strongest privacy on Morphit XMR
      is still the right tool.

    Internationalization

    • 10 languages, fully translated: English, Spanish, French,
      German, Italian, Polish, Russian, Persian, Simplified Chinese,
      Traditional Chinese.
    • Per-locale prerendering — 170 static HTML files (17 routes
      × 10 locales) so non-English speakers never see a flash of
      English content.

    Audit and integrity

    • Several thousand self-checking smoke scenarios ship with
      the source — the exact count grows release-over-release as
      defenses are added. Run them yourself: bash scripts/run-smokes.sh.
      Triple-pulse them (three times back-to-back) to filter flakes.
    • Audit log in docs/AUDIT-2026-05.md (~25,400 lines), public
      in the repo, with every finding, every fix, every accepted
      risk documented.
    • 42 architecture decision records in docs/adr/0001-…
      through 0043-… (the 0016 slot is reserved-but-unused; its
      planned work shipped as ADR-0022).
    • AGPL-3.0-only. Operators running modified instances must
      make their source available to their users.

    Reach

    Morphit instances are reachable over the public web, Tor .onion
    hidden services, I2P .b32 addresses, Lokinet, and Nostr. The
    federation directory at /instances on any node shows the other
    known instances and their alt-network addresses.

    Reporting issues

    Bug reports: open a New Issue on Forgejo
    (git.agorise.net/agorise/morphit) — the bug-report template
    auto-loads with the fields needed.

    Security disclosures go to the operator's Matrix DM channel
    listed in §16 of the bug-report template (or in
    docs/SECURITY.md). Do NOT post security issues as public
    Forgejo issues or in the community Matrix room.

    Acknowledgements

    Built on Blurt for the chain layer. The audit campaign is
    publicly readable in this repo, and so are the design tradeoffs
    — we made arguable calls, especially around chat-crypto
    primitives, and the reasoning is in the ADRs for you to push
    back on.


    Tag: v1.0.0-beta.1
    Built by: Forgejo Actions from a signed annotated tag (see
    .forgejo/workflows/release.yml)
    License: AGPL-3.0-only
