feat: add post-quantum hybrid KEM + SQLCipher persistence

Feature 1 — Post-Quantum Hybrid KEM (X25519 + ML-KEM-768): - Create hybrid_kem.rs with keygen, encrypt, decrypt + 11 unit tests - Wire format: version(1) | x25519_eph_pk(32) | mlkem_ct(1088) | nonce(12) | ct - Add uploadHybridKey/fetchHybridKey RPCs to node.capnp schema - Server: hybrid key storage in FileBackedStore + RPC handlers - Client: hybrid keypair in StoredState, auto-wrap/unwrap in send/recv/invite/join - demo-group runs full hybrid PQ envelope round-trip Feature 2 — SQLCipher Persistence: - Extract Store trait from FileBackedStore API - Create SqlStore (rusqlite + bundled-sqlcipher) with encrypted-at-rest SQLite - Schema: key_packages, deliveries, hybrid_keys tables with indexes - Server CLI: --store-backend=sql, --db-path, --db-key flags - 5 unit tests for SqlStore (FIFO, round-trip, upsert, channel isolation) Also includes: client lib.rs refactor, auth config, TOML config file support, mdBook documentation, and various cleanups by user. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-22 08:07:48 +01:00
parent d1ddef4cea
commit f334ed3d43
81 changed files with 14502 additions and 2289 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -22,9 +22,9 @@ tls_codec          = { version = "0.3", features = ["derive"] }
 ml-kem             = { version = "0.2" }
 x25519-dalek       = { version = "2", features = ["static_secrets"] }
 ed25519-dalek      = { version = "2", features = ["rand_core"] }
-snow               = { version = "0.9", features = ["default-resolver"] }
 sha2               = { version = "0.10" }
 hkdf               = { version = "0.12" }
+chacha20poly1305   = { version = "0.10" }
 zeroize            = { version = "1", features = ["derive"] }
 rand               = { version = "0.8" }
 serde              = { version = "1", features = ["derive"] }
@@ -44,6 +44,9 @@ quinn-proto        = { version = "0.11" }
 rustls             = { version = "0.23", default-features = false, features = ["std"] }
 rcgen              = { version = "0.13" }

+# ── Database ─────────────────────────────────────────────────────────────
+rusqlite           = { version = "0.31", features = ["bundled-sqlcipher"] }
+
 # ── Server utilities ──────────────────────────────────────────────────────────
 dashmap            = { version = "5" }
 tracing            = { version = "0.1" }