I'm worried about their federation strategy: even assuming users A@provider1 and B@provider2 don't have their communications compromised, I have a feeling that Here There Be Dragons around this area, in every fashion I can imagine and many that I can't. At the moment, though, their crypto is academic in that it is like a bank vault door securing a vault where one wall is actually open air and passersby on the street could walk in and take the money. It may or may not be a good door, I don't know, but it is not a good vault.
The Rails bits, yeah, those should be solvable if anyone wants to solve them. I really like Rails for a lot of reasons, and my experience has been that I do less damage with it than I used to do with Java.