Remove Noise protocol references from wiki docs and tests

Delete 8 Noise-specific documentation pages (noise-xx.md, transport-keys.md, adr-001/003/006, framing-codec.md) and update ~30 remaining wiki pages to reflect QUIC+TLS as the sole transport. Remove obsolete Noise-based integration tests (auth_service.rs, mls_group.rs). Code-side Noise removal was done in f334ed3. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-22 08:25:23 +01:00
parent f334ed3d43
commit 9fdb37876a
36 changed files with 125 additions and 2201 deletions
--- a/docs/src/cryptography/key-lifecycle.md
+++ b/docs/src/cryptography/key-lifecycle.md
@@ -13,9 +13,6 @@ Key Type              Creation            Distribution         Use
 Ed25519 Identity      Once per client     AS registration      MLS signing,           Zeroizing<[u8;32]>
                      (OsRng)             + MLS credential     credential binding     on struct drop

-X25519 Noise          Per server process  Noise_XX handshake   DH key exchange        ZeroizeOnDrop
-                      or per client conn  (in-band)            (transport session)    on struct drop
-
 HPKE Init Key         Per KeyPackage      Uploaded to AS       Decrypt Welcome        Consumed by openmls;
                      (openmls backend)   in KeyPackage        (join_group)           deleted from keystore

@@ -93,73 +90,6 @@ The fingerprint (`SHA-256(public_key_bytes)`) is derived from the public key and
 is used as a compact identifier in logs. It is not secret and does not require
 zeroization.

-## X25519 Noise Key
-
-**Source:** `crates/quicnprotochat-core/src/keypair.rs`
-
-The X25519 Noise key provides mutual authentication during the Noise\_XX
-handshake. It is shorter-lived than the identity key and is not currently
-persisted.
-
-### Lifecycle
-
-```text
-                    +-----------------+
-                    |    OsRng        |
-                    |  (getrandom)    |
-                    +--------+--------+
-                             |
-                    generate()
-                             |
-                    +--------v--------+
-                    |  NoiseKeypair   |
-                    | private: Secret |  <-- StaticSecret (ZeroizeOnDrop)
-                    | public: PubKey  |  <-- 32-byte public key
-                    +--------+--------+
-                             |
-              +--------------+--------------+
-              |                             |
-         private_bytes()              public_bytes()
-         -> Zeroizing<[u8;32]>        -> [u8; 32]
-              |                             |
-         Passed to snow::Builder      Exchanged during
-         local_private_key()          Noise_XX handshake
-              |                             |
-         Zeroizing copy drops         Stored by peer
-         immediately after use        (not secret)
-              |                             |
-              +-------------+---------------+
-                            |
-                   Noise handshake completes
-                            |
-              +-------------v--------------+
-              | Transport session holds    |
-              | derived symmetric keys     |
-              | (managed by snow)          |
-              +-------------+--------------+
-                            |
-                   Connection closes
-                            |
-              +-------------v--------------+
-              | NoiseKeypair dropped       |
-              | StaticSecret::drop()       |
-              | overwrites scalar with 0   |
-              +----------------------------+
-```
-
-### Key Properties
-
- **Generation:** `StaticSecret::random_from_rng(OsRng)` generates a 32-byte
-  Curve25519 scalar.
- **Dual zeroization:** The `StaticSecret` itself implements `ZeroizeOnDrop`,
-  and `private_bytes()` returns a `Zeroizing<[u8; 32]>` wrapper.
- **Debug redaction:** The `Debug` impl shows only the first 4 bytes of the
-  public key and prints `[redacted]` for the private key.
- **No serialization:** `NoiseKeypair` does not implement `Serialize`. Persistence
-  is deferred to M6.
- **Current lifetime:** Per server process start (server) or per connection
-  attempt (client). After M6, keys may be persisted with passphrase encryption.
-
 ## HPKE Init Keys

 **Source:** `crates/quicnprotochat-core/src/keystore.rs` and
@@ -364,8 +294,6 @@ attacks.
 |----------|----------------------|------|
 | Ed25519 seed | `Zeroizing<[u8; 32]>` | `IdentityKeypair` drop |
 | Ed25519 seed (accessor) | Plain `[u8; 32]` copy | Caller responsibility |
-| X25519 private | `ZeroizeOnDrop` (x25519-dalek) | `NoiseKeypair` drop |
-| X25519 private (accessor) | `Zeroizing<[u8; 32]>` | Accessor drop |
 | HPKE init private | Managed by openmls/`DiskKeyStore` | After Welcome processing |
 | MLS epoch keys | Managed by openmls internally | After Commit processing |
 | Hybrid IKM | `Zeroizing<Vec<u8>>` | After HKDF derivation |
@@ -396,7 +324,6 @@ attacks.

 - [Cryptography Overview](overview.md) -- algorithm inventory
 - [Ed25519 Identity Keys](identity-keys.md) -- identity key details
- [X25519 Transport Keys](transport-keys.md) -- transport key details
 - [Forward Secrecy](forward-secrecy.md) -- how key deletion enables FS
 - [Post-Compromise Security](post-compromise-security.md) -- epoch advancement
 - [Post-Quantum Readiness](post-quantum-readiness.md) -- hybrid KEM integration