872695e5f1
test: add unit tests for RPC framing, SDK state machine, and server domain services
...
Add comprehensive tests across three layers:
- RPC framing: empty payloads, max boundary, truncated frames, multi-frame buffers,
all status codes, all method ID ranges, payload-too-large for response/push
- SDK: event broadcast send/receive, multiple subscribers, clone preservation,
conversation upsert, missing conversation, message ID roundtrip, member keys
- Server domain: auth session validation/expiry, channel creation/symmetry/validation,
delivery peek/ack/sequence ordering/fetch-limited, key package upload/fetch/validation,
hybrid key batch fetch, size boundary tests
- CI: MSRV (1.75) check job, macOS cross-platform build check
2026-03-21 19:14:06 +01:00
e4c5868b31
feat: add client auto-reconnect, heartbeat, and connection status UI
...
RPC layer (quicprochat-rpc):
- RpcClient now uses tokio::sync::Mutex<Connection> for safe reconnection
- Auto-reconnect with exponential backoff + jitter on retriable errors
- QUIC-level keepalive via quinn TransportConfig
- subscribe_push() returns Option<PushFrame> with None sentinel on break
- RpcError::is_retriable() classifies transient vs permanent errors
- ConnectionState enum (Connected/Reconnecting/Disconnected) with Display
- Configurable max_retries, base_delay, max_backoff, keepalive_secs
SDK layer (quicprochat-sdk):
- QpqClient wraps RpcClient in Arc for safe heartbeat task sharing
- start_heartbeat() spawns background task checking connection every 30s
- connection_state() exposes RPC-layer state to UI
- Reconnecting event added to ClientEvent enum
- disconnect() aborts heartbeat before closing connection
Client UI (quicprochat-client):
- TUI status bar shows Connected/Reconnecting.../Offline with color
- TUI handles Reconnecting event with attempt count display
- REPL event listener prints connection state changes
- REPL /status shows connection state instead of bool
- Both TUI and REPL call start_heartbeat() on startup
2026-03-21 19:14:06 +01:00
66eca065e0
feat: add in-flight RPC tracking, plugin shutdown hooks, and graceful drain
...
Replace the fixed 30s sleep-based shutdown drain with actual in-flight RPC
tracking using an Arc<AtomicUsize> counter and RAII InFlightGuard. On
SIGTERM/SIGINT the server now:
1. Stops accepting new client and federation connections
2. Sends QUIC CONNECTION_CLOSE with reason "server shutting down"
3. Polls the in-flight counter until it reaches 0 (or drain timeout)
4. Logs drain progress as RPCs complete
5. Calls plugin on_shutdown hooks before exit
Also adds:
- on_shutdown hook to HookVTable (C-ABI plugin API) and ServerHooks trait
- server_in_flight_rpcs Prometheus gauge metric
- Federation connection tracking via shared in-flight counter
2026-03-21 19:14:06 +01:00
a05da9b751
feat: upgrade OpenMLS 0.5 → 0.8 for security patches and GREASE support
...
Migrates all MLS code in quicprochat-core from OpenMLS 0.5 to 0.8:
- StorageProvider replaces OpenMlsKeyStore (keystore.rs full rewrite)
- HybridCryptoProvider updated for new OpenMlsProvider trait
- Group operations updated for new API signatures
- MLS state persistence via MemoryStorage serialization
- tls_codec 0.3 → 0.4, openmls_traits/rust_crypto 0.2 → 0.5
2026-03-21 19:14:06 +01:00
077f48f19c
feat: wire up storage latency metrics, uptime gauge, and config timeouts
...
Instrument DeliveryService (enqueue, fetch) and KeyService
(key_package_upload, key_package_fetch) with storage latency histogram
recording. Add periodic uptime gauge task (every 15s). Log effective
rpc_timeout_secs, storage_timeout_secs, and webtransport_listen at
startup to eliminate dead_code warnings on EffectiveConfig fields.
2026-03-21 19:14:06 +01:00
3708b8df41
fix: remove TUI boolean bug, P2P unwrap violation, and WebTransport placeholder
...
- Remove `|| true` from cursor positioning condition in v2_tui.rs
- Replace .lock().unwrap() with .expect() in P2P routing tests
- Remove assert!(true) placeholder in WebTransport test
2026-03-21 19:14:06 +01:00
a710037dde
chore: rename quicproquo → quicprochat in Rust workspace
...
Rename all crate directories, package names, binary names, proto
package/module paths, ALPN strings, env var prefixes, config filenames,
mDNS service names, and plugin ABI symbols from quicproquo/qpq to
quicprochat/qpc.
2026-03-21 19:14:06 +01:00
d8c1392587
chore: public-readiness cleanup
...
- Remove default Grafana password (fail loudly if unset)
- Clean up stale delivery-proof TODO (already implemented at RPC layer)
- Document TUI send as local-only, point to REPL for E2E delivery
- Gitignore AI workflow files (CLAUDE.md, master-prompt.md, ai_team.py)
- Remove 5 orphaned v1 crates (bot, ffi, gen, gui, mobile)
- Commit ROADMAP.html updates
2026-03-21 19:14:05 +01:00
a9d1f535aa
chore: prepare repository for public release
...
- Add split licensing: AGPL-3.0 for server, Apache-2.0/MIT for all
other crates and SDKs (Signal-style)
- Add SECURITY.md with vulnerability disclosure policy
- Add CONTRIBUTING.md with build, test, and code standards
- Add "not audited" security disclaimer to README
- Add workspace package metadata (license, repository, keywords)
- Move internal planning docs to docs/internal/ (gitignored)
2026-03-21 19:14:05 +01:00
501f5a577c
docs: mark all roadmap phases complete (except 4.1 external audit)
...
Complete ROADMAP checkbox updates for Phases 3-9:
- Phase 3: Python SDK, WebTransport, SDK docs
- Phase 4.2: Key Transparency / revocation
- Phase 5: Multi-device, recovery, MLS lifecycle, moderation, offline queue
- Phase 6: Rate limiting, scaling, runbook, graceful shutdown, timeouts, observability
- Phase 7: Mobile, web client, federation, language SDKs, P2P, traffic resistance
- Phase 8: OpenWrt cross-compilation, mesh traffic resistance
- Phase 9: Benchmarks, TUI, delivery proofs, transcript archive, KT audit, PQ Noise
Also includes: PQ Noise module export, outbox improvements (idempotent
message IDs, retry counting, gap detection events), moderation proto
and handler additions from agent worktrees.
301 tests passing, 0 failures.
2026-03-04 21:16:15 +01:00
5cc37cc88b
feat(p2p): add hybrid routing with direct-first and server relay fallback
...
Adds a routing module to quicproquo-p2p implementing hybrid message
delivery: attempts direct P2P via iroh QUIC (with NAT traversal) first,
then falls back to server relay if direct delivery fails or times out.
Includes per-peer ConnectionStats tracking direct vs relayed counts,
latency averages, and direct delivery ratio metrics.
2026-03-04 21:09:42 +01:00
1d59a052ad
feat(federation): implement v2 inbound federation handlers
...
Replace stub federation handlers with full implementations that accept
relay and proxy requests from peer servers. Adds federation_client and
local_domain fields to ServerState for outbound relay and federated
address resolution. All six handlers (relay_enqueue, relay_batch_enqueue,
proxy_fetch_key_package, proxy_fetch_hybrid_key, proxy_resolve_user,
federation_health) now validate federation auth, interact with local
storage, and wake waiters on message delivery.
2026-03-04 21:06:31 +01:00
3f5a3a5ac8
feat: add WebTransport (HTTP/3) server endpoint for browser clients
...
Feature-gated behind --features webtransport. Uses h3, h3-quinn,
and h3-webtransport crates to accept WebTransport sessions over
HTTP/3. Dispatches RPC through the same v2 handler registry as
native QUIC, using identical wire framing.
- webtransport.rs: H3 connection handling, session management,
bidi stream RPC dispatch with auth handshake
- Config: --webtransport-listen / QPQ_WEBTRANSPORT_LISTEN
- ALPN: "h3" for WebTransport, "capnp" for native QUIC
- Also fixes: add missing save/load_revocation_log to SqlStore
2026-03-04 20:59:59 +01:00
511fc7822e
feat(sdk): add transcript archive export and verification
...
SDK-level export_transcript() writes all conversation messages to an
encrypted, tamper-evident archive using the existing core transcript
format (Argon2id + ChaCha20-Poly1305, CBOR records, SHA-256 chain).
verify_transcript() supports both full decryption + chain check and
structural-only validation without the password.
2026-03-04 20:59:03 +01:00
f57dda3f36
feat(sdk): add Swift and Kotlin mobile client foundations with push token proto
...
Swift SDK: Swift Package wrapping libquicproquo_ffi with QpqClient class
(connect, login, send, receive, disconnect) for iOS 15+ / macOS 13+.
Kotlin SDK: JNI bridge to libquicproquo_ffi with QpqClient class for
Android (aarch64, armv7) and JVM, Gradle build configuration.
Adds RegisterPushToken RPC (method ID 710) to device.proto for
APNs/FCM/WebPush device push token registration.
2026-03-04 20:58:23 +01:00
496f83067a
feat(delivery): add server-signed delivery proof on enqueue
...
The server now produces a 96-byte Ed25519-signed delivery proof for
every enqueued message: SHA-256(seq || recipient_key || timestamp_ms)
followed by the server's Ed25519 signature. Clients can verify the
proof using verify_delivery_proof() in quicproquo-core to get
cryptographic evidence the server accepted their message.
2026-03-04 20:54:55 +01:00
1768f85258
feat(kt): add key revocation and Merkle-log audit support
...
Add RevocationLog with domain-separated leaf hashes (0x02 prefix) for
tracking revoked identity keys alongside the KT MerkleLog. Includes:
- RevocationLog with O(1) lookup, serialization, and double-revoke guard
- MerkleLog.append_raw() for pre-computed hashes
- MerkleLog.audit_log(start, end) for paginated log retrieval
- RevokeKey (510), CheckRevocation (511), AuditKeyTransparency (520) RPCs
- Server domain logic + v2 handlers + FileBackedStore/SqlStore persistence
- 4 new revocation tests + all 21 KT tests + 65 server tests passing
2026-03-04 20:53:41 +01:00
f667281831
feat(tui): add MLS epoch indicator, online/offline status, and 9 rendering tests
...
Enhance v2 TUI with connected/mls_epoch state fields, colored connection
indicator in status bar, MLS epoch display, and wildcard match for new
SDK event variants. Add 9 tests using ratatui TestBackend covering
rendering, navigation, scroll bounds, status bar content, and unread
count display. Also fix rand 0.8 compat issue in v2_repl.rs.
2026-03-04 20:52:27 +01:00
f4621b3425
feat: add traffic analysis resistance (Phase 7.7 + F8)
...
- Core: add pad_uniform/unpad_uniform for configurable boundary padding
and generate_decoy for indistinguishable decoy messages
- Server: add traffic_resistance module with payload padding, timing
jitter, and background decoy traffic generator (feature-gated)
- P2P: add mesh traffic_resistance module with padded envelopes and
mesh decoy injection (feature-gated)
- All gated behind --features traffic-resistance
- 22 new tests across core (8), server (4), and P2P (5)
2026-03-04 20:50:19 +01:00
c401caec60
feat(bench): add safety number & epoch rotation benchmarks, CI workflow
...
Add safety_number benchmark to crypto_benchmarks.rs, epoch rotation
(propose_self_update + commit) benchmark to mls_operations.rs, expand
add_member group sizes to include 100, and add .github/workflows/bench.yml
that runs Criterion benchmarks and uploads HTML reports as artifacts.
2026-03-04 20:49:42 +01:00
885cce0d7d
feat: add multi-node horizontal scaling foundations
...
NotificationBus for cross-node message delivery fan-out:
- NotificationBus trait: publish(topic) + subscribe(topic) -> Notify
- InMemoryNotificationBus: single-node default via tokio::sync::Notify
- Designed for Redis pub/sub or NATS replacement in multi-node deploys
- 3 async tests: publish wakes, timeout without publish, independent topics
Health endpoint enhancements for load balancer awareness:
- HealthResponse proto: add node_id, version, uptime_secs, storage_backend
- ServerState: add node_id, start_time, storage_backend fields
- Health handler returns full node identity for multi-node monitoring
2026-03-04 20:38:59 +01:00
913f6faaf3
feat: add distributed rate limiting with sliding window algorithm
...
- RateLimiter trait with check_rate(key, config) -> RateResult
- InMemoryRateLimiter: DashMap-based sliding window log per key
- RateLimitConfig: configurable max_requests and window duration
- RateResult: allowed/remaining/retry_after_secs for Retry-After headers
- Lazy GC of expired entries (every 60s)
- Thread-safe concurrent access via DashMap
- 5 unit tests: limit enforcement, independent keys, remaining counter, concurrency
2026-03-04 20:35:45 +01:00
e93a38243f
feat: add graceful shutdown with drain timeout and per-RPC timeouts
...
Graceful shutdown (Phase 6.4):
- Listen for SIGTERM + SIGINT via tokio::signal
- Configurable drain timeout (--drain-timeout / QPQ_DRAIN_TIMEOUT, default 30s)
- Health endpoint returns "draining" during shutdown for load balancer awareness
- ServerState carries atomic draining flag
- Add RpcStatus::Unavailable (9) for shutdown-related rejections
Per-RPC timeouts (Phase 6.5):
- Add RpcStatus::DeadlineExceeded (8) for server-side timeouts
- MethodRegistry supports default_timeout and per-method timeout overrides
- RPC dispatch wraps handler invocation with tokio::time::timeout
- RequestContext carries optional deadline (Instant) for handlers
- Health: 5s timeout, blob upload/download: 120s timeout, default: 30s
- Config: --rpc-timeout / QPQ_RPC_TIMEOUT, --storage-timeout / QPQ_STORAGE_TIMEOUT
2026-03-04 20:33:26 +01:00
b94248b3b6
feat: implement MLS lifecycle and multi-device support
...
Phase 5.3 (MLS lifecycle):
- Add group.proto with RemoveMember, UpdateGroupMetadata, ListGroupMembers, RotateKeys RPCs
- Add GroupService domain logic with metadata and membership persistence
- Add v2 RPC handlers for all 4 group management endpoints (method IDs 410-413)
- Add SDK functions: remove_member_from_group, leave_group, rotate_group_keys, set_group_metadata, get_group_members
- Add REPL commands: /group remove, /group rename, /group rotate-keys, /group leave
- Add 5 unit tests for GroupService (metadata CRUD, membership add/list/remove)
Phase 5.1 (multi-device):
- Wire device_id through SDK fetch/ack functions (fetch_for_device, ack)
- Add /devices list|add|remove REPL commands with tab completion
- Add clear_failed_outbox to ConversationStore
- Fix missing message_id/device_id fields in SDK proto struct initializers
2026-03-04 20:20:55 +01:00
a90020fe89
fix(e2e): serialize all init_auth tests behind AUTH_LOCK to prevent race
...
Every test that calls init_auth() now holds AUTH_LOCK for its full
duration, preventing the global AUTH_CONTEXT from being overwritten
by concurrent tests. The e2e_auth_failure_wrong_token test additionally
resets auth back to "devtoken" after its assertion. Tests now pass
reliably with default parallelism (no --test-threads 1 required).
2026-03-04 20:20:03 +01:00
fd1accc6dd
feat(sdk): wire device_id through messaging and client APIs
...
Add device_id parameter to fetch, fetch_wait, ack, receive_messages,
and receive_messages_wait SDK functions. QpqClient gains device_id
field with register_device/list_devices/revoke_device convenience
methods. Client REPL passes empty device_id for backwards compat.
2026-03-04 20:19:30 +01:00
799aab68fe
feat(server): wire device_id through delivery proto and v2 handlers
...
Add device_id field to FetchRequest, FetchWaitRequest, PeekRequest,
and AckRequest proto messages. V2 handlers now build composite
queue keys (identity_key + device_id) when device_id is provided,
enabling per-device fetch/ack scoping.
2026-03-04 20:16:41 +01:00
eaca24397b
feat(server): add multi-device delivery fan-out
...
Enqueue now resolves all registered devices for a recipient identity
and fans out the message to each device-scoped queue. Single-device
clients remain backwards compatible (bare identity_key queue).
Also adds FileBackedStore::ephemeral() test helper.
2026-03-04 20:15:26 +01:00
12b19b6931
feat: implement account recovery with encrypted backup bundles
...
Add recovery code generation (8 codes per setup), Argon2id key derivation,
ChaCha20-Poly1305 encrypted bundles, and server-side zero-knowledge storage.
Each code independently recovers the account. Includes core crypto module,
protobuf service (method IDs 750-752), server domain + handlers, SDK methods,
SQL migration, and CLI commands (/recovery setup, /recovery restore).
2026-03-04 20:12:20 +01:00
5b6d8209f0
feat: add abuse prevention and moderation (Phase 5.6)
...
Add server-side moderation service with report submission, user
banning/unbanning, and admin listing endpoints. Add client-side
user blocking with message filtering in ConversationStore.
Server:
- ModerationService domain logic (report, ban, unban, list)
- Storage trait methods + FileBackedStore + SqlStore implementations
- SQL migration 012_moderation.sql (reports + bans tables)
- Error codes E031-E033 for moderation
- Domain types for all moderation request/response pairs
- 10 new tests (6 domain + 4 storage)
SDK:
- blocked_users table in ConversationStore
- block_user, unblock_user, is_blocked, list_blocked methods
- load_recent_messages_filtered excludes blocked senders
- QpqClient moderation convenience methods
- 4 new tests for block/unblock/filter
2026-03-04 20:11:20 +01:00
5a66c2e954
chore: fix all clippy warnings across workspace
2026-03-04 14:13:58 +01:00
4013b223ff
test(e2e): add auth failure, message ordering, OPAQUE flow, key exhaustion, and rate limit tests
2026-03-04 13:33:21 +01:00
e5329ee8e5
test: add unit tests for ConversationStore CRUD, outbox, and ConversationId
2026-03-04 13:31:25 +01:00
e3dfc43e2c
test: add unit tests for token cache round-trip and edge cases
2026-03-04 13:31:22 +01:00
7bcfbf175c
test: add unit tests for v2 REPL split_cmd parsing
2026-03-04 13:31:19 +01:00
75f11cb76b
test: add unit tests for retry logic and retriable classifier
2026-03-04 13:31:16 +01:00
a3f67aca45
feat(tls): add certificate expiry validation and self-signed warning
2026-03-04 13:30:46 +01:00
3393514911
fix: tighten production config validation with token length and db path checks
2026-03-04 13:29:50 +01:00
a8ed3c4356
fix: replace unwrap/expect in production paths with fallible alternatives
2026-03-04 13:29:33 +01:00
cab03bd3f7
feat(client): v2 REPL over SDK with categorized help and tab-completion
...
925-line REPL replacing the 3317-line monolith — delegates all crypto,
MLS, and RPC to quicproquo-sdk. 20 commands across 6 categories
(messaging, groups, account, keys, utility, debug), rustyline tab
completion, background event listener, auto-server-launch.
Also adds SDK accessor methods (server_addr_string, config_state_path),
WS bridge register handler, and README table formatting cleanup.
2026-03-04 13:02:54 +01:00
99f9abe9ed
feat(client): ratatui TUI subscribing to SDK events
...
Single-file v2 TUI (v2_tui.rs, ~580 lines) gated behind
cfg(all(feature = "v2", feature = "tui")).
Layout: conversations sidebar, scrollable messages panel,
input bar with cursor editing, status line. Help overlay
on /help. Subscribes to SDK broadcast::Receiver<ClientEvent>
for real-time updates. TerminalGuard ensures terminal restore
on panic. Commands: /login, /register, /logout, /dm, /group,
/quit, /help.
Build: cargo build -p quicproquo-client --features v2,tui
2026-03-04 12:47:15 +01:00
029c701780
feat(client): v2 CLI binary over SDK with simplified commands
...
Add v2_main.rs and v2_commands.rs as thin wrappers over QpqClient from
quicproquo-sdk. Activated via --features v2 (feature-gated so v1 main.rs
remains the default). Includes auto-server-launch, clap-based command
surface (register-user, login, whoami, health, resolve, dm, group,
devices), and ClientConfig-based connection setup. MLS-dependent commands
(send, recv, group create/invite) print stubs pointing to the REPL.
2026-03-04 12:46:42 +01:00
4d62a837a5
feat(sdk): conversation management — DM/group lifecycle, outbox
2026-03-04 12:39:48 +01:00
67983c7a40
feat(sdk): OPAQUE auth module with state persistence
2026-03-04 12:39:33 +01:00
011ff541bb
feat(sdk): messaging pipeline — send/receive with MLS, sealed sender, hybrid KEM
...
Full send pipeline: serialize_chat → MLS encrypt → sealed sender → per-recipient
hybrid wrap → batch/individual enqueue via v2 RPC.
Full receive pipeline: fetch/fetch_wait → sort by seq → hybrid unwrap → MLS decrypt
→ unseal → parse AppMessage. Includes retry loop for multi-epoch batches.
2026-03-04 12:39:15 +01:00
918da0c23d
feat(sdk): key management, user resolution, device management
...
Add three new SDK modules wrapping v2 protobuf RPC calls:
- keys.rs: upload/fetch KeyPackages and hybrid public keys (5 methods)
- users.rs: resolve username <-> identity key (2 methods)
- devices.rs: register/list/revoke devices (3 methods)
2026-03-04 12:37:01 +01:00
6b757f8d65
fix(sdk): add missing session_token field to RpcClientConfig
...
The middleware-dev agent added session_token to RpcClientConfig
but the SDK client initializer was not updated, breaking the build.
2026-03-04 12:31:32 +01:00
d118fdbddf
feat(server): v2 RPC handler dispatch for all 33 methods
...
Add v2_handlers module with ServerState, build_registry(), require_auth()
helper, and 33 protobuf handlers across 10 files:
- auth: 4 OPAQUE handlers (register start/finish, login start/finish)
- delivery: 6 handlers (enqueue, fetch, fetch_wait, peek, ack, batch)
- keys: 5 handlers (upload/fetch key package, upload/fetch hybrid key/keys)
- channel: create_channel
- user: resolve_user, resolve_identity
- blob: upload_blob, download_blob
- device: register, list, revoke
- p2p: publish_endpoint, resolve_endpoint, health
- federation: 6 stubs (Unimplemented)
- account: delete_account
All handlers decode protobuf, call domain services, encode response.
Auth handlers use full OPAQUE flow with session creation.
Delivery handlers include rate limiting and long-poll (fetch_wait).
2026-03-04 12:10:33 +01:00
6273ab668d
feat(server): connection pool, session persistence, blob storage in SqlStore
...
- Replace Mutex<Connection> with Vec<Mutex<Connection>> pool (default 4)
with try_lock fast-path and blocking fallback
- Add SessionRecord struct and session CRUD to Store trait (default no-ops)
- Implement session persistence in SqlStore (sessions table, migration 009)
- Add blob upload/download with SHA-256 verified staging assembly
(blobs + blob_staging tables, migration 010)
- All 35 server tests pass, FileBackedStore unaffected
2026-03-04 12:09:03 +01:00
f09dbe10ce
feat(rpc): auth handshake, server-push broker, audit logging
...
- auth_handshake.rs: connection-init protocol (magic 0x01, token, ack)
- push.rs: PushBroker manages per-identity push connections with gc
- server.rs: ConnectionState, auth handshake on first bi-stream, pass
identity_key/session_token to RequestContext per stream
- client.rs: session_token in RpcClientConfig, auto auth handshake on connect
- middleware.rs: log_rpc_call with SHA-256 redaction, hex_prefix helper
- lib.rs: export auth_handshake and push modules
2026-03-04 12:08:20 +01:00
