feat: Phase 9 — developer experience, extensibility, and community growth

New crates: - quicproquo-bot: Bot SDK with polling API + JSON pipe mode - quicproquo-kt: Key Transparency Merkle log (RFC 9162 subset) - quicproquo-plugin-api: no_std C-compatible plugin vtable API - quicproquo-gen: scaffolding tool (qpq-gen plugin/bot/rpc/hook) Server features: - ServerHooks trait wired into all RPC handlers (enqueue, fetch, auth, channel, registration) with plugin rejection support - Dynamic plugin loader (libloading) with --plugin-dir config - Delivery proof canary tokens (Ed25519 server signatures on enqueue) - Key Transparency Merkle log with inclusion proofs on resolveUser Core library: - Safety numbers (60-digit HMAC-SHA256 key verification codes) - Verifiable transcript archive (CBOR + ChaCha20-Poly1305 + hash chain) - Delivery proof verification utility - Criterion benchmarks (hybrid KEM, MLS, identity, sealed sender, padding) Client: - /verify REPL command for out-of-band key verification - Full-screen TUI via Ratatui (feature-gated --features tui) - qpq export / qpq export-verify CLI subcommands - KT inclusion proof verification on user resolution Also: ROADMAP Phase 9 added, bot SDK docs, server hooks docs, crate-responsibilities updated, example plugins (rate_limit, logging).
2026-03-03 22:47:38 +01:00
parent b6483dedbc
commit dc4e4e49a0
62 changed files with 6959 additions and 62 deletions
--- a/crates/quicproquo-kt/src/lib.rs
+++ b/crates/quicproquo-kt/src/lib.rs
@@ -0,0 +1,62 @@
+//! Key Transparency: append-only SHA-256 Merkle log for (username, identity_key) bindings.
+//!
+//! # Design
+//!
+//! A lightweight subset of RFC 9162 (Certificate Transparency v2) adapted for identity keys:
+//!
+//! - Leaf nodes hash as: `SHA-256(0x00 || SHA-256(username || 0x00 || identity_key))`
+//! - Internal nodes hash as: `SHA-256(0x01 || left_hash || right_hash)`
+//!
+//! The 0x00/0x01 domain-separation prefixes prevent second-preimage attacks on
+//! the tree structure (RFC 6962 §2.1).
+//!
+//! ## Inclusion proof
+//!
+//! An inclusion proof for leaf at index `i` in a tree of `n` leaves is the list of
+//! sibling hashes from leaf to root. The verifier recomputes the root from the leaf
+//! hash + siblings and compares it to the known root.
+//!
+//! ## Wire format
+//!
+//! Inclusion proofs are serialised as `bincode(InclusionProof)` for transport over
+//! the Cap'n Proto `inclusionProof :Data` field.
+
+use sha2::{Digest, Sha256};
+
+mod error;
+mod proof;
+mod tree;
+
+pub use error::KtError;
+pub use proof::{verify_inclusion, InclusionProof};
+pub use tree::MerkleLog;
+
+/// Domain-separation prefix for leaf nodes (RFC 6962 §2.1).
+const LEAF_PREFIX: u8 = 0x00;
+/// Domain-separation prefix for internal nodes.
+const INTERNAL_PREFIX: u8 = 0x01;
+
+/// SHA-256 of a leaf entry: `H(0x00 || H(username || 0x00 || identity_key))`.
+pub fn leaf_hash(username: &str, identity_key: &[u8]) -> [u8; 32] {
+    // Inner hash commits to both fields with a 0x00 separator.
+    let mut inner = Sha256::new();
+    inner.update(username.as_bytes());
+    inner.update([0x00]);
+    inner.update(identity_key);
+    let inner_digest: [u8; 32] = inner.finalize().into();
+
+    // Outer hash adds the leaf domain-separation prefix.
+    let mut outer = Sha256::new();
+    outer.update([LEAF_PREFIX]);
+    outer.update(inner_digest);
+    outer.finalize().into()
+}
+
+/// SHA-256 of an internal node: `H(0x01 || left || right)`.
+pub(crate) fn node_hash(left: &[u8; 32], right: &[u8; 32]) -> [u8; 32] {
+    let mut h = Sha256::new();
+    h.update([INTERNAL_PREFIX]);
+    h.update(left);
+    h.update(right);
+    h.finalize().into()
+}