> Has this solution been audited?

Only insofar as everybody that I’ve asked over the years has failed to find anything wrong with it. But no formal verification has been done.

> In particular, is it safe to replay attacks by actors listening in to the network traffic?

Yes, it is safe, since we make sure to only use TLS with PFS.

> Also from the diagram it looks like the secret key is stored unencrypted on the server, or do I read it wrong?

No, the secret is stored encrypted on the server, encrypted with a key which only the client ever has.

For more information, see the introduction and FAQ: <https://www.recompile.se/mandos/man/intro.8mandos>