feat: upgrade OpenMLS 0.5 → 0.8 for security patches and GREASE support

Migrates all MLS code in quicprochat-core from OpenMLS 0.5 to 0.8:
- StorageProvider replaces OpenMlsKeyStore (keystore.rs full rewrite)
- HybridCryptoProvider updated for new OpenMlsProvider trait
- Group operations updated for new API signatures
- MLS state persistence via MemoryStorage serialization
- tls_codec 0.3 → 0.4, openmls_traits/rust_crypto 0.2 → 0.5

crates/quicprochat-client/src/client/state.rs

@@ -27,18 +27,31 @@ pub struct StoredState {
     /// Cached member public keys for group participants.
     #[serde(default)]
     pub member_keys: Vec<Vec<u8>>,
+    /// MLS group ID bytes, needed to reload the group from StorageProvider state.
+    #[serde(default)]
+    pub group_id: Option<Vec<u8>>,
 }
 
 impl StoredState {
     pub fn into_parts(self, state_path: &Path) -> anyhow::Result<(GroupMember, Option<HybridKeypair>)> {
         let identity = Arc::new(IdentityKeypair::from_seed(self.identity_seed));
-        let group = self
-            .group
-            .map(|bytes| bincode::deserialize(&bytes).context("decode group"))
-            .transpose()?;
-        let key_store = DiskKeyStore::persistent(keystore_path(state_path))?;
         let hybrid = self.hybrid_key.is_some();
-        let member = GroupMember::new_with_state(identity, key_store, group, hybrid);
+
+        let member = match (self.group.as_ref(), self.group_id.as_ref()) {
+            (Some(storage_bytes), Some(gid)) => {
+                GroupMember::new_from_storage_bytes(
+                    identity,
+                    storage_bytes,
+                    gid,
+                    hybrid,
+                )
+                .context("restore MLS state from stored state")?
+            }
+            _ => {
+                let key_store = DiskKeyStore::persistent(keystore_path(state_path))?;
+                GroupMember::new_with_state(identity, key_store, None, hybrid)
+            }
+        };
 
         let hybrid_kp = self
             .hybrid_key
@@ -50,15 +63,15 @@ impl StoredState {
 
     pub fn from_parts(member: &GroupMember, hybrid_kp: Option<&HybridKeypair>) -> anyhow::Result<Self> {
         let group = member
-            .group_ref()
-            .map(|g| bincode::serialize(g).context("serialize group"))
-            .transpose()?;
+            .serialize_mls_state()
+            .context("serialize MLS state")?;
 
         Ok(Self {
             identity_seed: *member.identity_seed(),
             group,
             hybrid_key: hybrid_kp.map(|kp| kp.to_bytes()),
             member_keys: Vec::new(),
+            group_id: member.group_id(),
         })
     }
 }
@@ -245,6 +258,7 @@ mod tests {
             hybrid_key: None,
             group: None,
             member_keys: Vec::new(),
+            group_id: None,
         };
         let password = "test-password";
         let plaintext = bincode::serialize(&state).unwrap();
@@ -268,6 +282,7 @@ mod tests {
             }),
             group: None,
             member_keys: Vec::new(),
+            group_id: None,
         };
         let password = "another-password";
         let plaintext = bincode::serialize(&state).unwrap();
@@ -285,6 +300,7 @@ mod tests {
             hybrid_key: None,
             group: None,
             member_keys: Vec::new(),
+            group_id: None,
         };
         let plaintext = bincode::serialize(&state).unwrap();
         let encrypted = encrypt_state("correct", &plaintext).unwrap();