feat: add protocol comparison docs, P2P crate, production audit, and design fixes

Add comprehensive documentation comparing quicnprotochat against classical
chat protocols (IRC+SSL, XMPP, Telegram) with diagrams and attack scenarios.
Promote comparison pages to top-level sidebar section. Include P2P transport
crate (iroh), production readiness audit, CI workflows, dependency policy,
and continued architecture improvements across all crates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

crates/quicnprotochat-core/src/group.rs

@@ -185,7 +185,7 @@ impl GroupMember {
     /// group exists, or openmls fails.
     pub fn add_member(
         &mut self,
-        key_package_bytes: &[u8],
+        mut key_package_bytes: &[u8],
     ) -> Result<(Vec<u8>, Vec<u8>), CoreError> {
         let group = self
             .group
@@ -196,7 +196,7 @@ impl GroupMember {
         // TlsSerialize; KeyPackageIn derives TlsDeserialize and provides validate()
         // which verifies the signature and returns a trusted KeyPackage.
         let key_package: KeyPackage =
-            KeyPackageIn::tls_deserialize(&mut key_package_bytes.as_ref())
+            KeyPackageIn::tls_deserialize(&mut key_package_bytes)
                 .map_err(|e| CoreError::Mls(format!("KeyPackage deserialise: {e:?}")))?
                 .validate(self.backend.crypto(), ProtocolVersion::Mls10)
                 .map_err(|e| CoreError::Mls(format!("KeyPackage validate: {e:?}")))?;
@@ -234,9 +234,9 @@ impl GroupMember {
     /// KeyPackage, or openmls validation fails.
     ///
     /// [`generate_key_package`]: Self::generate_key_package
-    pub fn join_group(&mut self, welcome_bytes: &[u8]) -> Result<(), CoreError> {
+    pub fn join_group(&mut self, mut welcome_bytes: &[u8]) -> Result<(), CoreError> {
         // Deserialise MlsMessageIn, then extract the inner Welcome.
-        let msg_in = openmls::prelude::MlsMessageIn::tls_deserialize(&mut welcome_bytes.as_ref())
+        let msg_in = openmls::prelude::MlsMessageIn::tls_deserialize(&mut welcome_bytes)
             .map_err(|e| CoreError::Mls(format!("Welcome deserialise: {e:?}")))?;
 
         // into_welcome() is feature-gated in openmls 0.5; extract() is public.
@@ -291,13 +291,13 @@ impl GroupMember {
     ///
     /// Returns [`CoreError::Mls`] if the message is malformed, fails
     /// authentication, or the group state is inconsistent.
-    pub fn receive_message(&mut self, bytes: &[u8]) -> Result<Option<Vec<u8>>, CoreError> {
+    pub fn receive_message(&mut self, mut bytes: &[u8]) -> Result<Option<Vec<u8>>, CoreError> {
         let group = self
             .group
             .as_mut()
             .ok_or_else(|| CoreError::Mls("no active group".into()))?;
 
-        let msg_in = openmls::prelude::MlsMessageIn::tls_deserialize(&mut bytes.as_ref())
+        let msg_in = openmls::prelude::MlsMessageIn::tls_deserialize(&mut bytes)
             .map_err(|e| CoreError::Mls(format!("message deserialise: {e:?}")))?;
 
         // into_protocol_message() is feature-gated; extract() + manual construction is not.

crates/quicnprotochat-core/src/hybrid_kem.rs

@@ -236,10 +236,7 @@ pub fn hybrid_encrypt(
 }
 
 /// Decrypt a hybrid envelope using the recipient's private key.
-pub fn hybrid_decrypt(
-    keypair: &HybridKeypair,
-    envelope: &[u8],
-) -> Result<Vec<u8>, HybridKemError> {
+pub fn hybrid_decrypt(keypair: &HybridKeypair, envelope: &[u8]) -> Result<Vec<u8>, HybridKemError> {
     if envelope.len() < HEADER_LEN + 16 {
         // 16 = minimum AEAD tag
         return Err(HybridKemError::TooShort(envelope.len()));
@@ -274,8 +271,8 @@ pub fn hybrid_decrypt(
 
     // 2. ML-KEM decapsulation — convert bytes to the ciphertext array type
     //    that `DecapsulationKey::decapsulate` expects.
-    let mlkem_ct_arr = Array::try_from(mlkem_ct_bytes)
-        .map_err(|_| HybridKemError::MlKemDecapsFailed)?;
+    let mlkem_ct_arr =
+        Array::try_from(mlkem_ct_bytes).map_err(|_| HybridKemError::MlKemDecapsFailed)?;
     let mlkem_ss = keypair
         .mlkem_dk
         .decapsulate(&mlkem_ct_arr)
@@ -419,10 +416,7 @@ mod tests {
         let restored = HybridKeypair::from_bytes(&bytes).unwrap();
 
         assert_eq!(kp.x25519_pk.to_bytes(), restored.x25519_pk.to_bytes());
-        assert_eq!(
-            kp.public_key().mlkem_ek,
-            restored.public_key().mlkem_ek
-        );
+        assert_eq!(kp.public_key().mlkem_ek, restored.public_key().mlkem_ek);
 
         // Verify restored keypair can decrypt
         let pk = kp.public_key();

crates/quicnprotochat-core/src/keypackage.rs

@@ -18,15 +18,44 @@
 
 use openmls::prelude::{
     Ciphersuite, Credential, CredentialType, CredentialWithKey, CryptoConfig, KeyPackage,
-    TlsSerializeTrait,
+    KeyPackageIn, TlsDeserializeTrait, TlsSerializeTrait,
 };
 use openmls_rust_crypto::OpenMlsRustCrypto;
 use sha2::{Digest, Sha256};
 
 use crate::{error::CoreError, identity::IdentityKeypair};
 
-/// The MLS ciphersuite used throughout quicnprotochat.
-const CIPHERSUITE: Ciphersuite = Ciphersuite::MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519;
+/// The MLS ciphersuite used throughout quicnprotochat (RFC 9420 §17.1).
+pub const ALLOWED_CIPHERSUITE: Ciphersuite =
+    Ciphersuite::MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519;
+
+/// Wire value of the allowed ciphersuite (KeyPackage TLS encoding: version 2B, ciphersuite 2B).
+const ALLOWED_CIPHERSUITE_WIRE: u16 = 0x0001;
+
+const CIPHERSUITE: Ciphersuite = ALLOWED_CIPHERSUITE;
+
+/// Validates that the KeyPackage bytes use an allowed ciphersuite (Phase 2: ciphersuite allowlist).
+///
+/// Parses the TLS-encoded KeyPackage and rejects if the ciphersuite is not
+/// `MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519`. Does not verify signatures;
+/// the server uses this only to enforce policy before storing.
+pub fn validate_keypackage_ciphersuite(bytes: &[u8]) -> Result<(), CoreError> {
+    if bytes.len() < 4 {
+        return Err(CoreError::Mls("KeyPackage too short for version+ciphersuite".into()));
+    }
+    let cs_wire = u16::from_be_bytes([bytes[2], bytes[3]]);
+    if cs_wire != ALLOWED_CIPHERSUITE_WIRE {
+        return Err(CoreError::Mls(format!(
+            "KeyPackage ciphersuite {:#06x} not in allowlist (only {:#06x} allowed)",
+            cs_wire, ALLOWED_CIPHERSUITE_WIRE
+        )));
+    }
+    // Optionally confirm full parse so we don't accept garbage that happens to have 0x0001 at offset 2.
+    let mut cursor = bytes;
+    let _kp = KeyPackageIn::tls_deserialize(&mut cursor)
+        .map_err(|e| CoreError::Mls(format!("KeyPackage parse: {e:?}")))?;
+    Ok(())
+}
 
 /// Generate a fresh MLS KeyPackage for `identity` and serialise it.
 ///

crates/quicnprotochat-core/src/lib.rs

@@ -25,9 +25,9 @@ pub mod opaque_auth;
 pub use error::CoreError;
 pub use group::GroupMember;
 pub use hybrid_kem::{
-    hybrid_decrypt, hybrid_encrypt, HybridKeypair, HybridKeypairBytes, HybridKemError,
+    hybrid_decrypt, hybrid_encrypt, HybridKemError, HybridKeypair, HybridKeypairBytes,
     HybridPublicKey,
 };
 pub use identity::IdentityKeypair;
-pub use keypackage::generate_key_package;
+pub use keypackage::{generate_key_package, validate_keypackage_ciphersuite};
 pub use keystore::DiskKeyStore;

crates/quicnprotochat-core/src/opaque_auth.rs

@@ -14,9 +14,7 @@ pub struct OpaqueSuite;
 
 impl CipherSuite for OpaqueSuite {
     type OprfCs = opaque_ke::Ristretto255;
-    type KeyExchange = opaque_ke::key_exchange::tripledh::TripleDh<
-        opaque_ke::Ristretto255,
-        sha2::Sha512,
-    >;
+    type KeyExchange =
+        opaque_ke::key_exchange::tripledh::TripleDh<opaque_ke::Ristretto255, sha2::Sha512>;
     type Ksf = argon2::Argon2<'static>;
 }