feat: add post-quantum hybrid KEM + SQLCipher persistence

Feature 1 — Post-Quantum Hybrid KEM (X25519 + ML-KEM-768): - Create hybrid_kem.rs with keygen, encrypt, decrypt + 11 unit tests - Wire format: version(1) | x25519_eph_pk(32) | mlkem_ct(1088) | nonce(12) | ct - Add uploadHybridKey/fetchHybridKey RPCs to node.capnp schema - Server: hybrid key storage in FileBackedStore + RPC handlers - Client: hybrid keypair in StoredState, auto-wrap/unwrap in send/recv/invite/join - demo-group runs full hybrid PQ envelope round-trip Feature 2 — SQLCipher Persistence: - Extract Store trait from FileBackedStore API - Create SqlStore (rusqlite + bundled-sqlcipher) with encrypted-at-rest SQLite - Schema: key_packages, deliveries, hybrid_keys tables with indexes - Server CLI: --store-backend=sql, --db-path, --db-key flags - 5 unit tests for SqlStore (FIFO, round-trip, upsert, channel isolation) Also includes: client lib.rs refactor, auth config, TOML config file support, mdBook documentation, and various cleanups by user. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-22 08:07:48 +01:00
parent d1ddef4cea
commit f334ed3d43
81 changed files with 14502 additions and 2289 deletions
--- a/crates/quicnprotochat-core/src/lib.rs
+++ b/crates/quicnprotochat-core/src/lib.rs
@@ -1,34 +1,32 @@
-//! Core cryptographic primitives, Noise_XX transport, MLS group state machine,
-//! and frame codec for quicnprotochat.
+//! Core cryptographic primitives, MLS group state machine, and hybrid
+//! post-quantum KEM for quicnprotochat.
 //!
 //! # Module layout
 //!
 //! | Module       | Responsibility                                                   |
 //! |--------------|------------------------------------------------------------------|
-//! | `error`      | [`CoreError`] and [`CodecError`] types                           |
-//! | `keypair`    | [`NoiseKeypair`] — static X25519 key, zeroize-on-drop            |
-//! | `codec`      | [`LengthPrefixedCodec`] — Tokio Encoder + Decoder                |
-//! | `noise`      | [`handshake_initiator`], [`handshake_responder`], [`NoiseTransport`] |
+//! | `error`      | [`CoreError`] type                                               |
 //! | `identity`   | [`IdentityKeypair`] — Ed25519 identity key for MLS credentials   |
 //! | `keypackage` | [`generate_key_package`] — standalone KeyPackage generation      |
 //! | `group`      | [`GroupMember`] — MLS group lifecycle (create/join/send/recv)    |
+//! | `hybrid_kem` | Hybrid X25519 + ML-KEM-768 key encapsulation                    |
+//! | `keystore`   | [`DiskKeyStore`] — OpenMLS key store with optional persistence   |

-mod codec;
 mod error;
 mod group;
+pub mod hybrid_kem;
 mod identity;
 mod keypackage;
-mod keypair;
 mod keystore;
-mod noise;

 // ── Public API ────────────────────────────────────────────────────────────────

-pub use codec::{LengthPrefixedCodec, NOISE_MAX_MSG};
-pub use error::{CodecError, CoreError, MAX_PLAINTEXT_LEN};
+pub use error::CoreError;
 pub use group::GroupMember;
+pub use hybrid_kem::{
+    hybrid_decrypt, hybrid_encrypt, HybridKeypair, HybridKeypairBytes, HybridKemError,
+    HybridPublicKey,
+};
 pub use identity::IdentityKeypair;
 pub use keypackage::generate_key_package;
-pub use keypair::NoiseKeypair;
 pub use keystore::DiskKeyStore;
-pub use noise::{handshake_initiator, handshake_responder, NoiseTransport};