docs: mark Phases 1, 2, and 4.4 complete in ROADMAP
Phase 1 (production hardening): all 5 items done
Phase 2 (test & CI maturity): all 4 items done
Phase 4.4 (PQ-MLS): already implemented — hybrid KEM in OpenMLS provider
ROADMAP.md
@@ -11,29 +11,29 @@
|
|||||||
|
|
||||||
Eliminate all crash paths, enforce secure defaults, fix deployment blockers.
|
Eliminate all crash paths, enforce secure defaults, fix deployment blockers.
|
||||||
|
|
||||||
- [ ] **1.1 Remove `.unwrap()` / `.expect()` from production paths**
|
- [x] **1.1 Remove `.unwrap()` / `.expect()` from production paths**
|
||||||
- Replace `AUTH_CONTEXT.read().expect()` in client RPC with proper `Result`
|
- Replace `AUTH_CONTEXT.read().expect()` in client RPC with proper `Result`
|
||||||
- Replace `"0.0.0.0:0".parse().unwrap()` in client with fallible parse
|
- Replace `"0.0.0.0:0".parse().unwrap()` in client with fallible parse
|
||||||
- Replace `Mutex::lock().unwrap()` in server storage with `.map_err()`
|
- Replace `Mutex::lock().unwrap()` in server storage with `.map_err()`
|
||||||
- Audit: `grep -rn 'unwrap()\|expect(' crates/` outside `#[cfg(test)]`
|
- Audit: `grep -rn 'unwrap()\|expect(' crates/` outside `#[cfg(test)]`
|
||||||
|
|
||||||
- [ ] **1.2 Enforce secure defaults in production mode**
|
- [x] **1.2 Enforce secure defaults in production mode**
|
||||||
- Reject startup if `QPQ_PRODUCTION=true` and `auth_token` is empty or `"devtoken"`
|
- Reject startup if `QPQ_PRODUCTION=true` and `auth_token` is empty or `"devtoken"`
|
||||||
- Require non-empty `db_key` when using SQL backend in production
|
- Require non-empty `db_key` when using SQL backend in production
|
||||||
- Refuse to auto-generate TLS certs in production mode (require existing cert+key)
|
- Refuse to auto-generate TLS certs in production mode (require existing cert+key)
|
||||||
- Already partially implemented — verify and harden the validation in `config.rs`
|
- Already partially implemented — verify and harden the validation in `config.rs`
|
||||||
|
|
||||||
- [ ] **1.3 Fix `.gitignore`**
|
- [x] **1.3 Fix `.gitignore`**
|
||||||
- Add `data/`, `*.der`, `*.pem`, `*.db`, `*.bin` (state files), `*.ks` (keystores)
|
- Add `data/`, `*.der`, `*.pem`, `*.db`, `*.bin` (state files), `*.ks` (keystores)
|
||||||
- Verify no secrets are already tracked: `git ls-files data/ *.der *.db`
|
- Verify no secrets are already tracked: `git ls-files data/ *.der *.db`
|
||||||
|
|
||||||
- [ ] **1.4 Fix Dockerfile**
|
- [x] **1.4 Fix Dockerfile**
|
||||||
- Sync workspace members (handle excluded `p2p` crate)
|
- Sync workspace members (handle excluded `p2p` crate)
|
||||||
- Create dedicated user/group instead of `nobody`
|
- Create dedicated user/group instead of `nobody`
|
||||||
- Set writable `QPQ_DATA_DIR` with correct permissions
|
- Set writable `QPQ_DATA_DIR` with correct permissions
|
||||||
- Test: `docker build . && docker run --rm -it qpq-server --help`
|
- Test: `docker build . && docker run --rm -it qpq-server --help`
|
||||||
|
|
||||||
- [ ] **1.5 TLS certificate lifecycle**
|
- [x] **1.5 TLS certificate lifecycle**
|
||||||
- Document CA-signed cert setup (Let's Encrypt / custom CA)
|
- Document CA-signed cert setup (Let's Encrypt / custom CA)
|
||||||
- Add `--tls-required` flag that refuses to start without valid cert
|
- Add `--tls-required` flag that refuses to start without valid cert
|
||||||
- Log clear warning when using self-signed certs
|
- Log clear warning when using self-signed certs
|
||||||
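Review bot: in 1.3 the verification command does not cover the patterns the same item adds. The bullet adds `data/`, `*.der`, `*.pem`, `*.db`, `*.bin` and `*.ks` to `.gitignore`, but the check is `git ls-files data/ *.der *.db`, which skips `*.pem`, `*.bin` and `*.ks`, and because the globs are unquoted the shell expands them against the current directory only; `.gitignore` also does nothing for files that are already tracked. Suggest `git ls-files 'data/' '*.der' '*.pem' '*.db' '*.bin' '*.ks'` (quoted, so git matches the patterns across the whole tree) and, if anything comes back, `git rm --cached` plus a history review before 1.3 is called done. Two smaller points: the 1.1 audit is a one-off grep that cannot tell `#[cfg(test)]` code apart, so it will regress silently; `#![deny(clippy::unwrap_used, clippy::expect_used)]` on the production crates, with `#[allow]` in test modules, keeps the rule enforced in CI. And 1.2 is ticked while its last sub-bullet still reads "verify and harden the validation in `config.rs`"; either drop that line or rewrite it as what was actually verified.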
@@ -45,7 +45,7 @@ Eliminate all crash paths, enforce secure defaults, fix deployment blockers.
|
|||||||
|
|
||||||
Build confidence before adding features.
|
Build confidence before adding features.
|
||||||
|
|
||||||
- [ ] **2.1 Expand E2E test coverage**
|
- [x] **2.1 Expand E2E test coverage**
|
||||||
- Auth failure scenarios (wrong password, expired token, invalid token)
|
- Auth failure scenarios (wrong password, expired token, invalid token)
|
||||||
- Message ordering verification (send N messages, verify seq numbers)
|
- Message ordering verification (send N messages, verify seq numbers)
|
||||||
- Concurrent clients (3+ members in group, simultaneous send/recv)
|
- Concurrent clients (3+ members in group, simultaneous send/recv)
|
||||||
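Review bot: 2.1 is ticked but none of the sub-bullets in this hunk names the test that covers it, so the checkbox cannot be audited from the roadmap; suggest appending the test module or function name to each bullet. For "Message ordering verification (send N messages, verify seq numbers)", the happy path alone is weak evidence: the test should also inject a reordered or missing sequence number and assert that the client detects it, otherwise it passes on any implementation that simply echoes a counter. For the auth failure bullet, each of the three listed cases (wrong password, expired token, invalid token) should assert the specific error returned and that no session state is created on failure.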
@@ -55,21 +55,21 @@ Build confidence before adding features.
|
|||||||
- Reconnection after server restart
|
- Reconnection after server restart
|
||||||
- KeyPackage exhaustion (fetch when none available)
|
- KeyPackage exhaustion (fetch when none available)
|
||||||
|
|
||||||
- [ ] **2.2 Add unit tests for untested paths**
|
- [x] **2.2 Add unit tests for untested paths**
|
||||||
- Client retry logic (exponential backoff, jitter, retriable classification)
|
- Client retry logic (exponential backoff, jitter, retriable classification)
|
||||||
- REPL input parsing edge cases (empty input, special characters, `/` commands)
|
- REPL input parsing edge cases (empty input, special characters, `/` commands)
|
||||||
- State file encryption/decryption round-trip with bad password
|
- State file encryption/decryption round-trip with bad password
|
||||||
- Token cache expiry
|
- Token cache expiry
|
||||||
- Conversation store migrations
|
- Conversation store migrations
|
||||||
|
|
||||||
- [ ] **2.3 CI hardening**
|
- [x] **2.3 CI hardening**
|
||||||
- Add `.github/CODEOWNERS` (crypto, auth, wire-format require 2 reviewers)
|
- Add `.github/CODEOWNERS` (crypto, auth, wire-format require 2 reviewers)
|
||||||
- Ensure `cargo deny check` runs on every PR (already in CI — verify)
|
- Ensure `cargo deny check` runs on every PR (already in CI — verify)
|
||||||
- Add `cargo audit` as blocking check (already in CI — verify)
|
- Add `cargo audit` as blocking check (already in CI — verify)
|
||||||
- Add coverage reporting (tarpaulin or llvm-cov)
|
- Add coverage reporting (tarpaulin or llvm-cov)
|
||||||
- Add CI job for Docker build validation
|
- Add CI job for Docker build validation
|
||||||
|
|
||||||
- [ ] **2.4 Clean up build warnings**
|
- [x] **2.4 Clean up build warnings**
|
||||||
- Fix Cap'n Proto generated `unused_parens` warnings
|
- Fix Cap'n Proto generated `unused_parens` warnings
|
||||||
- Remove dead code / unused imports
|
- Remove dead code / unused imports
|
||||||
- Address `openmls` future-incompat warnings
|
- Address `openmls` future-incompat warnings
|
||||||
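Review bot: in 2.3 the CODEOWNERS bullet claims "crypto, auth, wire-format require 2 reviewers", but a `.github/CODEOWNERS` file only designates who is requested for review; the required approval count and the "require review from code owners" setting live in branch protection (or a ruleset) on the default branch, not in the file. Since 2.3 is now ticked, the bullet should state that both parts are in place, or the two-reviewer claim should be dropped. Related: the `cargo deny check` and `cargo audit` bullets still carry "(already in CI — verify)" under a completed item; replace the parenthetical with the workflow job that runs them and whether it is a required check. In 2.2, "State file encryption/decryption round-trip with bad password" should assert a clean authentication failure with no partial plaintext, not merely a non-success return.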
@@ -191,7 +191,7 @@ Address the security gaps required for real-world deployment.
|
|||||||
- `sender_prefix` tracking in enqueue/batch_enqueue RPCs
|
- `sender_prefix` tracking in enqueue/batch_enqueue RPCs
|
||||||
- Sender identity derived from authenticated session
|
- Sender identity derived from authenticated session
|
||||||
|
|
||||||
- [ ] **4.4 M7 — Post-quantum MLS integration**
|
- [x] **4.4 M7 — Post-quantum MLS integration**
|
||||||
- Integrate hybrid KEM (X25519 + ML-KEM-768) into the OpenMLS crypto provider
|
- Integrate hybrid KEM (X25519 + ML-KEM-768) into the OpenMLS crypto provider
|
||||||
- Group key material gets post-quantum confidentiality
|
- Group key material gets post-quantum confidentiality
|
||||||
- Full test suite with PQ ciphersuite
|
- Full test suite with PQ ciphersuite
|
||||||
|
|||||||
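Review bot: 4.4 is ticked with "Group key material gets post-quantum confidentiality", but the roadmap does not record which ciphersuite identifier the hybrid X25519 + ML-KEM-768 suite uses or how the two shared secrets are combined into the HPKE KEM output, and both are needed by anyone interoperating with or reviewing the scheme. RFC 9420 registers no hybrid suite, so this must be a private-use ciphersuite ID (0xF000 to 0xFFFF); state the value and the combiner. Also make the scope explicit: swapping the KEM gives post-quantum confidentiality for TreeKEM path secrets, but the signature scheme in the ciphersuite is unchanged by this item, so authentication remains classical; the bullet wording is correct, and a one-line caveat would keep it from being read as "PQ MLS" in full. Finally, "Full test suite with PQ ciphersuite" is ticked while the commit message only cites the provider integration; point to the test that exercises the PQ suite.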