For those paranoid about their keys (which is a good thing), there are a variety of methods to check what happens to the keys without the source code. Tools such as a packet analyzer (e.g. Wireshark) allow you to see what is being transmitted to the server from your computer. You can also simply put the browser in debugger mode and see what happens to your keys one instruction at a time. Currently the private key is only encrypted and then stored in your local storage, then hashed and sent to the server, and then discarded by the same JavaScript. As this is all done in JavaScript, you can see what is executed by your machine step by step using a debugger.
We do have plans for open source, but it will need to be after the Build#2 full release, as we need time to clean up the repo. We plan to formally release a portion of the source code, but in the meantime, if you are truly worried about the keys, run Wireshark and do a packet analysis on what is truly sent to the server.
Remember, for those that do not know much about HTML and JavaScript:
- All JavaScript code, when executed, will be available to the browser and the user.
- You can know what is being sent to the server, and such information can never be hidden from the user.
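
One way to automate the check described above, as an added example that is not the project's code: scan each outgoing request for your key in the encodings it is most likely to travel in, so that a hash-only upload reports nothing. The function names (`encodingsOf`, `findSecretIn`, `wrapFetch`) and the sample key are assumptions made for illustration.

```javascript
// Added example. All names and the sample key below are hypothetical.
// Build the encodings of the secret to search for (only catches the secret
// encoded on its own, not embedded inside a larger encoded blob).
function encodingsOf(secret) {
  const bytes = new TextEncoder().encode(secret);
  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  const b64 = btoa(String.fromCharCode(...bytes)).replace(/=+$/, "");
  const byValue = new Map(); // encodings that coincide are reported once
  const all = [
    ["raw", secret],
    ["urlencoded", encodeURIComponent(secret)],
    ["hex", hex],
    ["base64", b64],
    ["base64url", b64.replace(/\+/g, "-").replace(/\//g, "_")],
  ];
  for (const [name, value] of all) {
    if (!byValue.has(value)) byValue.set(value, name);
  }
  return byValue;
}

// Return the names of the encodings under which the secret appears in text.
function findSecretIn(text, secret) {
  const hits = [];
  for (const [value, name] of encodingsOf(secret)) {
    // Hex may be sent in either case, so compare case-insensitively.
    const found = name === "hex" ? text.toLowerCase().includes(value) : text.includes(value);
    if (found) hits.push(name);
  }
  return hits;
}

// Wrap a fetch-like function so the URL and body are checked before sending.
// Only string and plain-object bodies are inspected (not FormData or Blob).
function wrapFetch(fetchImpl, secret, report) {
  return (url, init = {}) => {
    const body = typeof init.body === "string" ? init.body : JSON.stringify(init.body ?? "");
    report({ url: String(url), hits: findSecretIn(String(url) + "\n" + body, secret) });
    return fetchImpl(url, init);
  };
}
```

In a browser console, `window.fetch = wrapFetch(window.fetch.bind(window), yourKey, console.log)` installs the check before you submit the key, and it sees the request before it is encrypted for transport. Requests made through `XMLHttpRequest` are not covered by this wrapper.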