quicproquo

c/quicproquo

Fork 0

Commit Graph

Author	SHA1	Message	Date
Christian Nennemann	394199b19b	fix: security hardening — 40 findings from full codebase review Full codebase review by 4 independent agents (security, architecture, code quality, correctness) identified ~80 findings. This commit fixes 40 of them across all workspace crates. Critical fixes: - Federation service: validate origin against mTLS cert CN/SAN (C1) - WS bridge: add DM channel auth, size limits, rate limiting (C2) - hpke_seal: panic on error instead of silent empty ciphertext (C3) - hpke_setup_sender_and_export: error on parse fail, no PQ downgrade (C7) Security fixes: - Zeroize: seed_bytes() returns Zeroizing<[u8;32]>, private_to_bytes() returns Zeroizing<Vec<u8>>, ClientAuth.access_token, SessionState.password, conversation hex_key all wrapped in Zeroizing - Keystore: 0o600 file permissions on Unix - MeshIdentity: 0o600 file permissions on Unix - Timing floors: resolveIdentity + WS bridge resolve_user get 5ms floor - Mobile: TLS verification gated behind insecure-dev feature flag - Proto: from_bytes default limit tightened from 64 MiB to 8 MiB Correctness fixes: - fetch_wait: register waiter before fetch to close TOCTOU window - MeshEnvelope: exclude hop_count from signature (forwarding no longer invalidates sender signature) - BroadcastChannel: encrypt returns Result instead of panicking - transcript: rename verify_transcript_chain → validate_transcript_structure - group.rs: extract shared process_incoming() for receive_message variants - auth_ops: remove spurious RegistrationRequest deserialization - MeshStore.seen: bounded to 100K with FIFO eviction Quality fixes: - FFI error classification: typed downcast instead of string matching - Plugin HookVTable: SAFETY documentation for unsafe Send+Sync - clippy::unwrap_used: warn → deny workspace-wide - Various .unwrap_or("") → proper error returns Review report: docs/REVIEW-2026-03-04.md 152 tests passing (72 core + 35 server + 14 E2E + 1 doctest + 30 P2P)	2026-03-04 07:52:12 +01:00
Christian Nennemann	4454458e38	docs: expand sprint candidates to 24 features (A-X) Added 12 more feature candidates: M) message threading, N) cross-signing, O) offline queue priorities, P) audit log/compliance, Q) bot framework, R) Tor/I2P transport, S) plugin marketplace, T) stress testing, U) view-once media, V) emoji presence, W) rich text, X) invite links. Updated selection guide with 6 priority tracks.	2026-03-04 02:07:28 +01:00
Christian Nennemann	5a6d9ae7f4	docs: next sprint planning — 12 feature candidates for selection Sprint plan for cycles 12-19. Pick 8 of 12 features: A) Federation wiring, B) Contacts/blocking, C) Voice/video signaling, D) Encrypted backup, E) Group roles, F) KT audit client, G) Message search, H) Server clustering, I) Protocol compliance, J) User profiles, K) Notification framework, L) Mobile app shell.	2026-03-04 02:02:01 +01:00

Author

SHA1

Message

Date

Christian Nennemann

394199b19b

fix: security hardening — 40 findings from full codebase review

Full codebase review by 4 independent agents (security, architecture,
code quality, correctness) identified ~80 findings. This commit fixes 40
of them across all workspace crates.

Critical fixes:
- Federation service: validate origin against mTLS cert CN/SAN (C1)
- WS bridge: add DM channel auth, size limits, rate limiting (C2)
- hpke_seal: panic on error instead of silent empty ciphertext (C3)
- hpke_setup_sender_and_export: error on parse fail, no PQ downgrade (C7)

Security fixes:
- Zeroize: seed_bytes() returns Zeroizing<[u8;32]>, private_to_bytes()
  returns Zeroizing<Vec<u8>>, ClientAuth.access_token, SessionState.password,
  conversation hex_key all wrapped in Zeroizing
- Keystore: 0o600 file permissions on Unix
- MeshIdentity: 0o600 file permissions on Unix
- Timing floors: resolveIdentity + WS bridge resolve_user get 5ms floor
- Mobile: TLS verification gated behind insecure-dev feature flag
- Proto: from_bytes default limit tightened from 64 MiB to 8 MiB

Correctness fixes:
- fetch_wait: register waiter before fetch to close TOCTOU window
- MeshEnvelope: exclude hop_count from signature (forwarding no longer
  invalidates sender signature)
- BroadcastChannel: encrypt returns Result instead of panicking
- transcript: rename verify_transcript_chain → validate_transcript_structure
- group.rs: extract shared process_incoming() for receive_message variants
- auth_ops: remove spurious RegistrationRequest deserialization
- MeshStore.seen: bounded to 100K with FIFO eviction

Quality fixes:
- FFI error classification: typed downcast instead of string matching
- Plugin HookVTable: SAFETY documentation for unsafe Send+Sync
- clippy::unwrap_used: warn → deny workspace-wide
- Various .unwrap_or("") → proper error returns

Review report: docs/REVIEW-2026-03-04.md
152 tests passing (72 core + 35 server + 14 E2E + 1 doctest + 30 P2P)

2026-03-04 07:52:12 +01:00

Christian Nennemann

4454458e38

docs: expand sprint candidates to 24 features (A-X)

Added 12 more feature candidates: M) message threading, N) cross-signing,
O) offline queue priorities, P) audit log/compliance, Q) bot framework,
R) Tor/I2P transport, S) plugin marketplace, T) stress testing,
U) view-once media, V) emoji presence, W) rich text, X) invite links.
Updated selection guide with 6 priority tracks.

2026-03-04 02:07:28 +01:00

Christian Nennemann

5a6d9ae7f4

docs: next sprint planning — 12 feature candidates for selection

Sprint plan for cycles 12-19. Pick 8 of 12 features:
A) Federation wiring, B) Contacts/blocking, C) Voice/video signaling,
D) Encrypted backup, E) Group roles, F) KT audit client, G) Message
search, H) Server clustering, I) Protocol compliance, J) User profiles,
K) Notification framework, L) Mobile app shell.

2026-03-04 02:02:01 +01:00

3 Commits