feat: add delivery sequence numbers + major server/client refactor

Delivery sequence numbers (MLS epoch ordering fix): - schemas/node.capnp: add Envelope{seq,data} struct; enqueue returns seq:UInt64; fetch/fetchWait return List(Envelope) instead of List(Data) - storage.rs: Store trait enqueue returns u64; fetch/fetch_limited return Vec<(u64, Vec<u8>)>; FileBackedStore gains QueueMapV3 with per-inbox seq counters and V2→V3 on-disk migration - migrations/002_add_seq.sql: seq column, delivery_seq_counters table, index - sql_store.rs: atomic UPSERT counter via RETURNING, ORDER BY seq, SCHEMA_VERSION→3 - node_service/delivery.rs: builds Envelope list; returns seq from enqueue - client/rpc.rs: enqueue→u64, fetch_all/fetch_wait→Vec<(u64,Vec<u8>)> - client/commands.rs: sort-by-seq before MLS processing; retry loop in cmd_recv and receive_pending_plaintexts for correct epoch ordering Server refactor: - Split monolithic main.rs into node_service/{mod,delivery,auth_ops,key_ops,p2p_ops} - Add auth.rs (token validation, rate limiting), config.rs, metrics.rs, tls.rs - Add SQL migrations runner (001_initial.sql, 002_add_seq.sql) - OPAQUE PAKE login/registration, sealed-sender mode, queue depth limit (1000) Client refactor: - Split lib.rs into client/{commands,rpc,state,retry,hex,mod} - Add cmd_whoami, cmd_health, cmd_check_key, cmd_ping subcommands - Add cmd_register_user, cmd_login (OPAQUE), cmd_refresh_keypackage - Hybrid PQ envelope (X25519 + ML-KEM-768) on all send/recv paths - E2E test suite expanded Other: - quicnprotochat-gui: Tauri 2 desktop GUI skeleton (backend + HTML UI) - quicnprotochat-p2p: iroh-based P2P transport stub - quicnprotochat-core: app_message, hybrid_crypto modules; GroupMember API updates - .github/workflows/size-lint.yml: binary size regression check - docs: protocol comparison, roadmap updates, fully-operational checklist
2026-02-22 20:40:12 +01:00
parent b5b361e2ff
commit 6b8b61c6ae
56 changed files with 10693 additions and 3024 deletions
--- a/crates/quicnprotochat-server/src/tls.rs
+++ b/crates/quicnprotochat-server/src/tls.rs
@@ -0,0 +1,72 @@
+use std::path::PathBuf;
+
+use anyhow::Context;
+use quinn::ServerConfig;
+use quinn_proto::crypto::rustls::QuicServerConfig;
+use rcgen::generate_simple_self_signed;
+use rustls::pki_types::{CertificateDer, PrivateKeyDer};
+use rustls::version::TLS13;
+
+/// Ensure a self-signed certificate exists on disk and return a QUIC server config.
+/// When `production` is true, cert and key must already exist (no auto-generation).
+pub fn build_server_config(
+    cert_path: &PathBuf,
+    key_path: &PathBuf,
+    production: bool,
+) -> anyhow::Result<ServerConfig> {
+    if !cert_path.exists() || !key_path.exists() {
+        if production {
+            anyhow::bail!(
+                "TLS cert or key missing at {:?} / {:?}; production mode forbids auto-generation",
+                cert_path,
+                key_path
+            );
+        }
+        generate_self_signed_cert(cert_path, key_path)?;
+    }
+
+    let cert_bytes = std::fs::read(cert_path).context("read cert")?;
+    let key_bytes = std::fs::read(key_path).context("read key")?;
+
+    let cert_chain = vec![CertificateDer::from(cert_bytes)];
+    let key = PrivateKeyDer::try_from(key_bytes).map_err(|_| anyhow::anyhow!("invalid key"))?;
+
+    let mut tls = rustls::ServerConfig::builder_with_protocol_versions(&[&TLS13])
+        .with_no_client_auth()
+        .with_single_cert(cert_chain, key)?;
+    tls.alpn_protocols = vec![b"capnp".to_vec()];
+
+    let crypto = QuicServerConfig::try_from(tls)
+        .map_err(|e| anyhow::anyhow!("invalid server TLS config: {e}"))?;
+
+    Ok(ServerConfig::with_crypto(std::sync::Arc::new(crypto)))
+}
+
+fn generate_self_signed_cert(cert_path: &PathBuf, key_path: &PathBuf) -> anyhow::Result<()> {
+    if let Some(parent) = cert_path.parent() {
+        std::fs::create_dir_all(parent).context("create cert dir")?;
+    }
+    if let Some(parent) = key_path.parent() {
+        std::fs::create_dir_all(parent).context("create key dir")?;
+    }
+
+    let subject_alt_names = vec![
+        "localhost".to_string(),
+        "127.0.0.1".to_string(),
+        "::1".to_string(),
+    ];
+
+    let issued = generate_simple_self_signed(subject_alt_names)?;
+    let key_der = issued.key_pair.serialize_der();
+
+    std::fs::write(cert_path, issued.cert.der()).context("write cert")?;
+    std::fs::write(key_path, &key_der).context("write key")?;
+
+    tracing::info!(
+        cert = %cert_path.display(),
+        key = %key_path.display(),
+        "generated self-signed TLS certificate"
+    );
+
+    Ok(())
+}