DM channels (createChannel), channel authz, security/docs, future improvements

- Add createChannel RPC (node.capnp @18): create 1:1 channel, returns 16-byte channelId - Store: create_channel(member_a, member_b), get_channel_members(channel_id) - FileBackedStore: channels.bin; SqlStore: migration 003_channels, schema v4 - channel_ops: handle_create_channel (auth + identity, peerKey 32 bytes) - Delivery authz: when channel_id.len() == 16, require caller and recipient are channel members (E022/E023) - Error codes E022 CHANNEL_ACCESS_DENIED, E023 CHANNEL_NOT_FOUND - SUMMARY: link Certificate lifecycle; security audit, future improvements, multi-agent plan docs - Certificate lifecycle doc, SECURITY-AUDIT, FUTURE-IMPROVEMENTS, MULTI-AGENT-WORK-PLAN - Client/core/tls/auth/server main: assorted fixes and updates from review and audit Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-23 22:54:28 +01:00
parent 6b8b61c6ae
commit 750b794342
40 changed files with 4715 additions and 152 deletions
--- a/crates/quicnprotochat-server/src/node_service/mod.rs
+++ b/crates/quicnprotochat-server/src/node_service/mod.rs
@@ -15,7 +15,11 @@ use crate::auth::{
 };
 use crate::storage::Store;

+/// Cap'n Proto traversal limit (words). 4 Mi words = 32 MiB; bounds DoS from deeply nested or large messages.
+const CAPNP_TRAVERSAL_LIMIT_WORDS: usize = 4 * 1024 * 1024;
+
 mod auth_ops;
+mod channel_ops;
 mod delivery;
 mod key_ops;
 mod p2p_ops;
@@ -132,6 +136,46 @@ impl node_service::Server for NodeServiceImpl {
    ) -> capnp::capability::Promise<(), capnp::Error> {
        self.handle_resolve_endpoint(params, results)
    }
+
+    fn peek(
+        &mut self,
+        params: node_service::PeekParams,
+        results: node_service::PeekResults,
+    ) -> capnp::capability::Promise<(), capnp::Error> {
+        self.handle_peek(params, results)
+    }
+
+    fn ack(
+        &mut self,
+        params: node_service::AckParams,
+        results: node_service::AckResults,
+    ) -> capnp::capability::Promise<(), capnp::Error> {
+        self.handle_ack(params, results)
+    }
+
+    fn fetch_hybrid_keys(
+        &mut self,
+        params: node_service::FetchHybridKeysParams,
+        results: node_service::FetchHybridKeysResults,
+    ) -> capnp::capability::Promise<(), capnp::Error> {
+        self.handle_fetch_hybrid_keys(params, results)
+    }
+
+    fn batch_enqueue(
+        &mut self,
+        params: node_service::BatchEnqueueParams,
+        results: node_service::BatchEnqueueResults,
+    ) -> capnp::capability::Promise<(), capnp::Error> {
+        self.handle_batch_enqueue(params, results)
+    }
+
+    fn create_channel(
+        &mut self,
+        params: node_service::CreateChannelParams,
+        results: node_service::CreateChannelResults,
+    ) -> capnp::capability::Promise<(), capnp::Error> {
+        self.handle_create_channel(params, results)
+    }
 }

 pub const CURRENT_WIRE_VERSION: u16 = 1;
@@ -193,11 +237,13 @@ pub async fn handle_node_connection(
        .map_err(|e| anyhow::anyhow!("failed to accept bi stream: {e}"))?;
    let (reader, writer) = (recv.compat(), send.compat_write());

+    let mut reader_opts = capnp::message::ReaderOptions::new();
+    reader_opts.traversal_limit_in_words(Some(CAPNP_TRAVERSAL_LIMIT_WORDS));
    let network = capnp_rpc::twoparty::VatNetwork::new(
        reader,
        writer,
        capnp_rpc::rpc_twoparty_capnp::Side::Server,
-        Default::default(),
+        reader_opts,
    );

    let service: node_service::Client = capnp_rpc::new_client(NodeServiceImpl::new(
@@ -223,6 +269,7 @@ pub fn spawn_cleanup_task(
    pending_logins: Arc<DashMap<String, PendingLogin>>,
    rate_limits: Arc<DashMap<Vec<u8>, RateEntry>>,
    store: Arc<dyn Store>,
+    waiters: Arc<DashMap<Vec<u8>, Arc<Notify>>>,
 ) {
    tokio::spawn(async move {
        let mut interval = tokio::time::interval(Duration::from_secs(60));
@@ -234,6 +281,29 @@ pub fn spawn_cleanup_task(
            pending_logins.retain(|_, pl| now - pl.created_at < PENDING_LOGIN_TTL_SECS);
            rate_limits.retain(|_, entry| now - entry.window_start < RATE_LIMIT_WINDOW_SECS * 2);

+            // Bound map sizes to prevent unbounded growth from malicious clients.
+            const MAX_SESSIONS: usize = 100_000;
+            const MAX_WAITERS: usize = 100_000;
+            if sessions.len() > MAX_SESSIONS {
+                let overflow = sessions.len() - MAX_SESSIONS;
+                let mut entries: Vec<_> = sessions
+                    .iter()
+                    .map(|e| (e.key().clone(), e.expires_at))
+                    .collect();
+                entries.sort_by_key(|(_, exp)| *exp);
+                for (key, _) in entries.into_iter().take(overflow) {
+                    sessions.remove(&key);
+                }
+            }
+            if waiters.len() > MAX_WAITERS {
+                let overflow = waiters.len() - MAX_WAITERS;
+                let keys: Vec<_> =
+                    waiters.iter().take(overflow).map(|e| e.key().clone()).collect();
+                for key in keys {
+                    waiters.remove(&key);
+                }
+            }
+
            match store.gc_expired_messages(MESSAGE_TTL_SECS) {
                Ok(n) if n > 0 => {
                    tracing::debug!(expired = n, "garbage collected expired messages")