c/quicproquo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: security hardening — 40 findings from full codebase review

Browse Source 
Full codebase review by 4 independent agents (security, architecture,
code quality, correctness) identified ~80 findings. This commit fixes 40
of them across all workspace crates.

Critical fixes:
- Federation service: validate origin against mTLS cert CN/SAN (C1)
- WS bridge: add DM channel auth, size limits, rate limiting (C2)
- hpke_seal: panic on error instead of silent empty ciphertext (C3)
- hpke_setup_sender_and_export: error on parse fail, no PQ downgrade (C7)

Security fixes:
- Zeroize: seed_bytes() returns Zeroizing<[u8;32]>, private_to_bytes()
  returns Zeroizing<Vec<u8>>, ClientAuth.access_token, SessionState.password,
  conversation hex_key all wrapped in Zeroizing
- Keystore: 0o600 file permissions on Unix
- MeshIdentity: 0o600 file permissions on Unix
- Timing floors: resolveIdentity + WS bridge resolve_user get 5ms floor
- Mobile: TLS verification gated behind insecure-dev feature flag
- Proto: from_bytes default limit tightened from 64 MiB to 8 MiB

Correctness fixes:
- fetch_wait: register waiter before fetch to close TOCTOU window
- MeshEnvelope: exclude hop_count from signature (forwarding no longer
  invalidates sender signature)
- BroadcastChannel: encrypt returns Result instead of panicking
- transcript: rename verify_transcript_chain → validate_transcript_structure
- group.rs: extract shared process_incoming() for receive_message variants
- auth_ops: remove spurious RegistrationRequest deserialization
- MeshStore.seen: bounded to 100K with FIFO eviction

Quality fixes:
- FFI error classification: typed downcast instead of string matching
- Plugin HookVTable: SAFETY documentation for unsafe Send+Sync
- clippy::unwrap_used: warn → deny workspace-wide
- Various .unwrap_or("") → proper error returns

Review report: docs/REVIEW-2026-03-04.md
152 tests passing (72 core + 35 server + 14 E2E + 1 doctest + 30 P2P)
This commit is contained in:
Christian Nennemann
2026-03-04 07:52:12 +01:00
parent 4694a3098b
commit 394199b19b
58 changed files with 3893 additions and 414 deletions
Download Patch File Download Diff File Expand all files Collapse all files

107
playbooks/README.md Normal file
View File

@@ -0,0 +1,107 @@
# quicproquo Playbooks
YAML-based scripted command sequences for the qpq client.
## Running a playbook
```bash
# Build with playbook support
cargo build -p quicproquo-client --features playbook
# Run a playbook
cargo run -p quicproquo-client --features playbook -- \
run playbooks/smoke-test.yaml \
--server 127.0.0.1:7000 \
--username alice --password hunter2 \
--danger-accept-invalid-certs
# Override variables
cargo run -p quicproquo-client --features playbook -- \
run playbooks/smoke-test.yaml \
-V recipient=charlie -V server=remote.example.com:7000
```
## YAML format
```yaml
name: "My playbook"
description: "Optional description"
variables:
key: "value" # available as $key in args
steps:
- command: dm # any slash command name (without /)
args:
username: "$key" # variable substitution
- command: send
args:
text: "Hello!"
- command: assert
condition: message_count # connected, logged_in, in_conversation, message_count, member_count
op: gte # eq, ne, gt, lt, gte, lte (or ==, !=, >, <, >=, <=)
value: 1
```
## Variable substitution
- `$varname` — replaced with the variable value
- `${VAR:-default}` — replaced with VAR, falling back to env var, then default
- Variables from `--var KEY=VALUE` override playbook defaults
- `_server` and `_username` are auto-injected
## Step options
| Field | Type | Description |
|-------|------|-------------|
| `command` | string | Command name (required) |
| `args` | map | Command arguments |
| `condition` | string | For `assert` steps |
| `op` | string | Comparison operator for asserts |
| `value` | any | Expected value for asserts |
| `capture` | string | Store output in this variable |
| `on_error` | string | `fail` (default), `skip`, `continue` |
| `loop` | object | Repeat with `{var, from, to}` |
## Loop syntax
```yaml
- command: send
args:
text: "Message $i"
loop:
var: i
from: 1
to: 10
```
## Available commands
All REPL slash commands (without the `/`): `help`, `quit`, `whoami`, `list`, `switch`, `dm`, `create-group`, `invite`, `remove`, `leave`, `join`, `members`, `group-info`, `rename`, `history`, `verify`, `update-key`, `typing`, `react`, `edit`, `delete`, `send-file`, `download`, `delete-account`, `disappear`, `privacy`, `verify-fs`, `rotate-all-keys`, `devices`, `register-device`, `revoke-device`, `mesh-peers`, `mesh-send`, `mesh-broadcast`, `mesh-subscribe`, `mesh-route`, `mesh-identity`, `mesh-store`.
Plus lifecycle commands: `send` (send a chat message), `wait` (pause), `assert` (check condition), `set-var` (set variable).
## Programmatic Rust API
```rust
use quicproquo_client::{PlaybookRunner, Command, CommandRegistry, CommandResult};
// From YAML file
let mut runner = PlaybookRunner::from_file(Path::new("playbook.yaml"))?;
runner.set_var("recipient", "bob");
let report = runner.run(&mut session, &client).await;
println!("{report}");
// Single command execution
let cmd = Command::Dm { username: "alice".into() };
let result = CommandRegistry::execute(&cmd, &mut session, &client).await;
assert!(result.success);
```
## Example playbooks
| File | Description |
|------|-------------|
| `health-check.yaml` | Verify server connectivity |
| `smoke-test.yaml` | Quick E2E: DM + send + history |
| `register-and-dm.yaml` | DM exchange between two users |
| `group-lifecycle.yaml` | Create/invite/send/leave group |
| `stress-send.yaml` | Send 100 messages in a loop |

39
playbooks/group-lifecycle.yaml Normal file
View File

@@ -0,0 +1,39 @@
name: "Group Lifecycle"
description: "Create a group, invite a member, send messages, inspect, leave"
variables:
group_name: "test-group"
member: "bob"
steps:
- command: create-group
args:
name: "$group_name"
- command: invite
args:
target: "$member"
on_error: continue
- command: members
- command: group-info
- command: send
args:
text: "First group message"
- command: send
args:
text: "Second group message"
- command: history
args:
count: 10
- command: assert
condition: message_count
op: gte
value: 2
- command: leave
on_error: continue

10
playbooks/health-check.yaml Normal file
View File

@@ -0,0 +1,10 @@
name: "Health Check"
description: "Verify server connectivity and basic identity"
steps:
- command: assert
condition: connected
- command: whoami
- command: list

33
playbooks/register-and-dm.yaml Normal file
View File

@@ -0,0 +1,33 @@
name: "Register and DM"
description: "Register two users, create a DM channel, exchange messages"
variables:
user_a: "alice"
user_b: "bob"
server: "127.0.0.1:7000"
steps:
# Note: registration and login are lifecycle commands handled
# externally via CLI flags (--username/--password). This playbook
# assumes the user is already authenticated.
- command: dm
args:
username: "$user_b"
- command: send
args:
text: "Hey $user_b, this is $user_a!"
- command: wait
args:
duration_ms: 1000
- command: history
args:
count: 10
- command: assert
condition: in_conversation
args:
name: "$user_b"
value: "$user_b"

26
playbooks/smoke-test.yaml Normal file
View File

@@ -0,0 +1,26 @@
name: "Smoke Test"
description: "Quick E2E: connect, DM a user, send a message, check history"
variables:
recipient: "bob"
steps:
- command: dm
args:
username: "$recipient"
- command: send
args:
text: "Hello from playbook smoke test!"
- command: wait
args:
duration_ms: 500
- command: history
args:
count: 5
- command: assert
condition: message_count
op: gte
value: 1

22
playbooks/stress-send.yaml Normal file
View File

@@ -0,0 +1,22 @@
name: "Stress Send"
description: "Send 100 messages in a loop to measure throughput"
variables:
recipient: "bob"
steps:
- command: dm
args:
username: "$recipient"
- command: send
args:
text: "Stress message #$i"
loop:
var: i
from: 1
to: 100
on_error: continue
- command: history
args:
count: 5