diff --git a/ROADMAP.md b/ROADMAP.md index d1408cd..806d3fd 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -11,29 +11,29 @@ Eliminate all crash paths, enforce secure defaults, fix deployment blockers. -- [ ] **1.1 Remove `.unwrap()` / `.expect()` from production paths** +- [x] **1.1 Remove `.unwrap()` / `.expect()` from production paths** - Replace `AUTH_CONTEXT.read().expect()` in client RPC with proper `Result` - Replace `"0.0.0.0:0".parse().unwrap()` in client with fallible parse - Replace `Mutex::lock().unwrap()` in server storage with `.map_err()` - Audit: `grep -rn 'unwrap()\|expect(' crates/` outside `#[cfg(test)]` -- [ ] **1.2 Enforce secure defaults in production mode** +- [x] **1.2 Enforce secure defaults in production mode** - Reject startup if `QPQ_PRODUCTION=true` and `auth_token` is empty or `"devtoken"` - Require non-empty `db_key` when using SQL backend in production - Refuse to auto-generate TLS certs in production mode (require existing cert+key) - Already partially implemented — verify and harden the validation in `config.rs` -- [ ] **1.3 Fix `.gitignore`** +- [x] **1.3 Fix `.gitignore`** - Add `data/`, `*.der`, `*.pem`, `*.db`, `*.bin` (state files), `*.ks` (keystores) - Verify no secrets are already tracked: `git ls-files data/ *.der *.db` -- [ ] **1.4 Fix Dockerfile** +- [x] **1.4 Fix Dockerfile** - Sync workspace members (handle excluded `p2p` crate) - Create dedicated user/group instead of `nobody` - Set writable `QPQ_DATA_DIR` with correct permissions - Test: `docker build . && docker run --rm -it qpq-server --help` -- [ ] **1.5 TLS certificate lifecycle** +- [x] **1.5 TLS certificate lifecycle** - Document CA-signed cert setup (Let's Encrypt / custom CA) - Add `--tls-required` flag that refuses to start without valid cert - Log clear warning when using self-signed certs 
@@ -45,7 +45,7 @@ Eliminate all crash paths, enforce secure defaults, fix deployment blockers. Build confidence before adding features. -- [ ] **2.1 Expand E2E test coverage** +- [x] **2.1 Expand E2E test coverage** - Auth failure scenarios (wrong password, expired token, invalid token) - Message ordering verification (send N messages, verify seq numbers) - Concurrent clients (3+ members in group, simultaneous send/recv) @@ -55,21 +55,21 @@ Build confidence before adding features. - Reconnection after server restart - KeyPackage exhaustion (fetch when none available) -- [ ] **2.2 Add unit tests for untested paths** +- [x] **2.2 Add unit tests for untested paths** - Client retry logic (exponential backoff, jitter, retriable classification) - REPL input parsing edge cases (empty input, special characters, `/` commands) - State file encryption/decryption round-trip with bad password - Token cache expiry - Conversation store migrations -- [ ] **2.3 CI hardening** +- [x] **2.3 CI hardening** - Add `.github/CODEOWNERS` (crypto, auth, wire-format require 2 reviewers) - Ensure `cargo deny check` runs on every PR (already in CI — verify) - Add `cargo audit` as blocking check (already in CI — verify) - Add coverage reporting (tarpaulin or llvm-cov) - Add CI job for Docker build validation -- [ ] **2.4 Clean up build warnings** +- [x] **2.4 Clean up build warnings** - Fix Cap'n Proto generated `unused_parens` warnings - Remove dead code / unused imports - Address `openmls` future-incompat warnings @@ -191,7 +191,7 @@ Address the security gaps required for real-world deployment. - `sender_prefix` tracking in enqueue/batch_enqueue RPCs - Sender identity derived from authenticated session -- [ ] **4.4 M7 — Post-quantum MLS integration** +- [x] **4.4 M7 — Post-quantum MLS integration** - Integrate hybrid KEM (X25519 + ML-KEM-768) into the OpenMLS crypto provider - Group key material gets post-quantum confidentiality - Full test suite with PQ ciphersuite
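Review bot: In the first hunk (`@@ -11,29 +11,29 @@`), 1.1 through 1.5 are flipped to `[x]` while their sub-bullets still read as open work, notably `Already partially implemented — verify and harden the validation in config.rs` under 1.2 and `Add --tls-required flag that refuses to start without valid cert` under 1.5; either rewrite those sub-bullets to say what landed and where, or leave the parent unchecked. Two of the listed checks also do not establish completion as written: `grep -rn 'unwrap()\|expect(' crates/` does not exclude `#[cfg(test)]` modules, so its output still needs manual triage before 1.1 can be called done, and the 1.3 check `git ls-files data/ *.der *.db` only shows what is tracked now; adding patterns to `.gitignore` never untracks a file that was already committed, which needs `git rm --cached` and, for key material (`*.pem`, `*.ks`, `*.der`), rotation plus a history rewrite. For the `Mutex::lock().unwrap()` replacement, `.map_err()` turns a poisoned lock into a returned error, which is the right default for a server storage path; make sure the caller surfaces it rather than retrying in a loop.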
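Review bot: In the `@@ -45,7 +45,7 @@` hunk, 2.1 is checked off but nothing ties the listed scenarios (auth failure, message ordering, concurrent clients, reconnection after server restart, KeyPackage exhaustion) to a test name or CI job; add the test module path next to each scenario so a reviewer can confirm coverage instead of trusting the checkbox. The KeyPackage exhaustion case (`fetch when none available`) is the one most worth naming, since it is exactly the error path that 1.1 in the first hunk is meant to keep from panicking on the client.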
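Review bot: In the `@@ -55,21 +55,21 @@` hunk, 2.3 is marked `[x]` but two sub-bullets still say `(already in CI — verify)` for `cargo deny check` and `cargo audit`; record the outcome (workflow file and job name, and that the job is blocking rather than advisory) or the checkbox does not mean anything. On `Add .github/CODEOWNERS (crypto, auth, wire-format require 2 reviewers)`: a CODEOWNERS file only designates who must review matching paths; the number of required approvals is a branch protection setting, so the sub-bullet should name the branch rule that enforces the count. For 2.4, `Address openmls future-incompat warnings` should state whether the warnings were fixed by a dependency bump or merely allowed, since silencing them hides a future build break in the crypto dependency.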
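Review bot: In the `@@ -191,7 +191,7 @@` hunk, 4.4 is checked off on the strength of three one-line sub-bullets; for a milestone that changes the group key agreement, the roadmap should name the ciphersuite identifier registered for the hybrid `X25519 + ML-KEM-768` KEM and the test that exercises it, and should state the scope precisely. `Group key material gets post-quantum confidentiality` is correct for the KEM, but a hybrid KEM does not change the signature scheme, so authentication of group operations remains classical unless that is upgraded separately; say so, and note that an MLS group's ciphersuite is fixed at creation, so existing groups only benefit after a re-init onto the PQ suite.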