quicproquo

c/quicproquo

Fork 0

Commit Graph

Author	SHA1	Message	Date
Christian Nennemann	394199b19b	fix: security hardening — 40 findings from full codebase review Full codebase review by 4 independent agents (security, architecture, code quality, correctness) identified ~80 findings. This commit fixes 40 of them across all workspace crates. Critical fixes: - Federation service: validate origin against mTLS cert CN/SAN (C1) - WS bridge: add DM channel auth, size limits, rate limiting (C2) - hpke_seal: panic on error instead of silent empty ciphertext (C3) - hpke_setup_sender_and_export: error on parse fail, no PQ downgrade (C7) Security fixes: - Zeroize: seed_bytes() returns Zeroizing<[u8;32]>, private_to_bytes() returns Zeroizing<Vec<u8>>, ClientAuth.access_token, SessionState.password, conversation hex_key all wrapped in Zeroizing - Keystore: 0o600 file permissions on Unix - MeshIdentity: 0o600 file permissions on Unix - Timing floors: resolveIdentity + WS bridge resolve_user get 5ms floor - Mobile: TLS verification gated behind insecure-dev feature flag - Proto: from_bytes default limit tightened from 64 MiB to 8 MiB Correctness fixes: - fetch_wait: register waiter before fetch to close TOCTOU window - MeshEnvelope: exclude hop_count from signature (forwarding no longer invalidates sender signature) - BroadcastChannel: encrypt returns Result instead of panicking - transcript: rename verify_transcript_chain → validate_transcript_structure - group.rs: extract shared process_incoming() for receive_message variants - auth_ops: remove spurious RegistrationRequest deserialization - MeshStore.seen: bounded to 100K with FIFO eviction Quality fixes: - FFI error classification: typed downcast instead of string matching - Plugin HookVTable: SAFETY documentation for unsafe Send+Sync - clippy::unwrap_used: warn → deny workspace-wide - Various .unwrap_or("") → proper error returns Review report: docs/REVIEW-2026-03-04.md 152 tests passing (72 core + 35 server + 14 E2E + 1 doctest + 30 P2P)	2026-03-04 07:52:12 +01:00
Chris Nennemann	dc4e4e49a0	feat: Phase 9 — developer experience, extensibility, and community growth New crates: - quicproquo-bot: Bot SDK with polling API + JSON pipe mode - quicproquo-kt: Key Transparency Merkle log (RFC 9162 subset) - quicproquo-plugin-api: no_std C-compatible plugin vtable API - quicproquo-gen: scaffolding tool (qpq-gen plugin/bot/rpc/hook) Server features: - ServerHooks trait wired into all RPC handlers (enqueue, fetch, auth, channel, registration) with plugin rejection support - Dynamic plugin loader (libloading) with --plugin-dir config - Delivery proof canary tokens (Ed25519 server signatures on enqueue) - Key Transparency Merkle log with inclusion proofs on resolveUser Core library: - Safety numbers (60-digit HMAC-SHA256 key verification codes) - Verifiable transcript archive (CBOR + ChaCha20-Poly1305 + hash chain) - Delivery proof verification utility - Criterion benchmarks (hybrid KEM, MLS, identity, sealed sender, padding) Client: - /verify REPL command for out-of-band key verification - Full-screen TUI via Ratatui (feature-gated --features tui) - qpq export / qpq export-verify CLI subcommands - KT inclusion proof verification on user resolution Also: ROADMAP Phase 9 added, bot SDK docs, server hooks docs, crate-responsibilities updated, example plugins (rate_limit, logging).	2026-03-03 22:47:38 +01:00
Chris Nennemann	853ca4fec0	chore: rename project quicnprotochat -> quicproquo (binaries: qpq) Rename the entire workspace: - Crate packages: quicnprotochat-{core,proto,server,client,gui,p2p,mobile} -> quicproquo-* - Binary names: quicnprotochat -> qpq, quicnprotochat-server -> qpq-server, quicnprotochat-gui -> qpq-gui - Default files: -state.bin -> qpq-state.bin, -server.toml -> qpq-server.toml, .db -> qpq.db - Environment variable prefix: QUICNPROTOCHAT_ -> QPQ_* - App identifier: chat.quicnproto.gui -> chat.quicproquo.gui - Proto package: quicnprotochat.bench -> quicproquo.bench - All documentation, Docker, CI, and script references updated HKDF domain-separation strings and P2P ALPN remain unchanged for backward compatibility with existing encrypted state and wire protocol. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-01 20:11:51 +01:00

Author

SHA1

Message

Date

Christian Nennemann

394199b19b

fix: security hardening — 40 findings from full codebase review

Full codebase review by 4 independent agents (security, architecture,
code quality, correctness) identified ~80 findings. This commit fixes 40
of them across all workspace crates.

Critical fixes:
- Federation service: validate origin against mTLS cert CN/SAN (C1)
- WS bridge: add DM channel auth, size limits, rate limiting (C2)
- hpke_seal: panic on error instead of silent empty ciphertext (C3)
- hpke_setup_sender_and_export: error on parse fail, no PQ downgrade (C7)

Security fixes:
- Zeroize: seed_bytes() returns Zeroizing<[u8;32]>, private_to_bytes()
  returns Zeroizing<Vec<u8>>, ClientAuth.access_token, SessionState.password,
  conversation hex_key all wrapped in Zeroizing
- Keystore: 0o600 file permissions on Unix
- MeshIdentity: 0o600 file permissions on Unix
- Timing floors: resolveIdentity + WS bridge resolve_user get 5ms floor
- Mobile: TLS verification gated behind insecure-dev feature flag
- Proto: from_bytes default limit tightened from 64 MiB to 8 MiB

Correctness fixes:
- fetch_wait: register waiter before fetch to close TOCTOU window
- MeshEnvelope: exclude hop_count from signature (forwarding no longer
  invalidates sender signature)
- BroadcastChannel: encrypt returns Result instead of panicking
- transcript: rename verify_transcript_chain → validate_transcript_structure
- group.rs: extract shared process_incoming() for receive_message variants
- auth_ops: remove spurious RegistrationRequest deserialization
- MeshStore.seen: bounded to 100K with FIFO eviction

Quality fixes:
- FFI error classification: typed downcast instead of string matching
- Plugin HookVTable: SAFETY documentation for unsafe Send+Sync
- clippy::unwrap_used: warn → deny workspace-wide
- Various .unwrap_or("") → proper error returns

Review report: docs/REVIEW-2026-03-04.md
152 tests passing (72 core + 35 server + 14 E2E + 1 doctest + 30 P2P)

2026-03-04 07:52:12 +01:00

Chris Nennemann

dc4e4e49a0

feat: Phase 9 — developer experience, extensibility, and community growth

New crates:
- quicproquo-bot: Bot SDK with polling API + JSON pipe mode
- quicproquo-kt: Key Transparency Merkle log (RFC 9162 subset)
- quicproquo-plugin-api: no_std C-compatible plugin vtable API
- quicproquo-gen: scaffolding tool (qpq-gen plugin/bot/rpc/hook)

Server features:
- ServerHooks trait wired into all RPC handlers (enqueue, fetch, auth,
  channel, registration) with plugin rejection support
- Dynamic plugin loader (libloading) with --plugin-dir config
- Delivery proof canary tokens (Ed25519 server signatures on enqueue)
- Key Transparency Merkle log with inclusion proofs on resolveUser

Core library:
- Safety numbers (60-digit HMAC-SHA256 key verification codes)
- Verifiable transcript archive (CBOR + ChaCha20-Poly1305 + hash chain)
- Delivery proof verification utility
- Criterion benchmarks (hybrid KEM, MLS, identity, sealed sender, padding)

Client:
- /verify REPL command for out-of-band key verification
- Full-screen TUI via Ratatui (feature-gated --features tui)
- qpq export / qpq export-verify CLI subcommands
- KT inclusion proof verification on user resolution

Also: ROADMAP Phase 9 added, bot SDK docs, server hooks docs,
crate-responsibilities updated, example plugins (rate_limit, logging).

2026-03-03 22:47:38 +01:00

Chris Nennemann

853ca4fec0

chore: rename project quicnprotochat -> quicproquo (binaries: qpq)

Rename the entire workspace:
- Crate packages: quicnprotochat-{core,proto,server,client,gui,p2p,mobile} -> quicproquo-*
- Binary names: quicnprotochat -> qpq, quicnprotochat-server -> qpq-server,
  quicnprotochat-gui -> qpq-gui
- Default files: *-state.bin -> qpq-state.bin, *-server.toml -> qpq-server.toml,
  *.db -> qpq.db
- Environment variable prefix: QUICNPROTOCHAT_* -> QPQ_*
- App identifier: chat.quicnproto.gui -> chat.quicproquo.gui
- Proto package: quicnprotochat.bench -> quicproquo.bench
- All documentation, Docker, CI, and script references updated

HKDF domain-separation strings and P2P ALPN remain unchanged for
backward compatibility with existing encrypted state and wire protocol.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-01 20:11:51 +01:00

3 Commits