Hi C,
Fair points, and I appreciate the technical scrutiny. Let me address each honestly.
On the zero-knowledge claim:
You're right that I should be more precise. The JWE/JWK payload encryption is our application-layer design, not a NextGenPSD2 feature. The transport security (mTLS via QWAC) comes from the spec. The additional JWE envelope is something we layer on top for the beancount importer — so transaction data is encrypted at the application layer within the mTLS channel. But this does not make it "zero-knowledge" in the cryptographic sense — the server does handle decryption. I should not have used that term, and I'll update the README to reflect the actual security model accurately.
On server source / audit:
Correct — the server is not open-source and has not been independently audited. The client (
github.com/open-banking-io/clients) is MIT licensed and fully reviewable. For the encryption claim to be independently verifiable, either the server source or a third-party audit would be needed. Neither is available today, so the claim is currently unverifiable from the outside. I accept that.
On the data structures:
The client models do follow the Berlin Group transaction schema — the fields map to the relevant sections (bookingDate, transactionAmount, remittanceInformationUnstructured, etc.). If there are specific fields that don't align with §14.25 or other sections, point them out and I'll fix them. Genuine feedback on schema alignment is welcome.
On AI-assisted commits:
Yes, I use Claude (AI) as a development tool, and commits are transparently tagged with Co-Authored-By. AI-assisted development is increasingly common in software engineering. The code is reviewable regardless of authorship method — what matters is whether the code is correct, not how it was written.
On the website:
Thanks for the bug reports — the Kubernetes docs under the TypeScript section and the footer scroll issue are both real bugs. I'll fix them.
On the recommendation:
Your caution is reasonable for a project this young. The client-side code is open and reviewable, the PSD2 transport follows the Berlin Group spec, and users can inspect exactly what data flows between their bank and their local machine. Whether that is sufficient trust for sensitive financial data is a judgment call each person should make for themselves. I agree it is not equivalent to a fully audited, server-source-available product, and I should not present it as such.
I appreciate you holding the project to a high bar. That is what early-stage projects need.
John