d8c1392587
chore: public-readiness cleanup
...
- Remove default Grafana password (fail loudly if unset)
- Clean up stale delivery-proof TODO (already implemented at RPC layer)
- Document TUI send as local-only, point to REPL for E2E delivery
- Gitignore AI workflow files (CLAUDE.md, master-prompt.md, ai_team.py)
- Remove 5 orphaned v1 crates (bot, ffi, gen, gui, mobile)
- Commit ROADMAP.html updates
2026-03-21 19:14:05 +01:00
a9d1f535aa
chore: prepare repository for public release
...
- Add split licensing: AGPL-3.0 for server, Apache-2.0/MIT for all
other crates and SDKs (Signal-style)
- Add SECURITY.md with vulnerability disclosure policy
- Add CONTRIBUTING.md with build, test, and code standards
- Add "not audited" security disclaimer to README
- Add workspace package metadata (license, repository, keywords)
- Move internal planning docs to docs/internal/ (gitignored)
2026-03-21 19:14:05 +01:00
f667281831
feat(tui): add MLS epoch indicator, online/offline status, and 9 rendering tests
...
Enhance v2 TUI with connected/mls_epoch state fields, colored connection
indicator in status bar, MLS epoch display, and wildcard match for new
SDK event variants. Add 9 tests using ratatui TestBackend covering
rendering, navigation, scroll bounds, status bar content, and unread
count display. Also fix rand 0.8 compat issue in v2_repl.rs.
2026-03-04 20:52:27 +01:00
b94248b3b6
feat: implement MLS lifecycle and multi-device support
...
Phase 5.3 (MLS lifecycle):
- Add group.proto with RemoveMember, UpdateGroupMetadata, ListGroupMembers, RotateKeys RPCs
- Add GroupService domain logic with metadata and membership persistence
- Add v2 RPC handlers for all 4 group management endpoints (method IDs 410-413)
- Add SDK functions: remove_member_from_group, leave_group, rotate_group_keys, set_group_metadata, get_group_members
- Add REPL commands: /group remove, /group rename, /group rotate-keys, /group leave
- Add 5 unit tests for GroupService (metadata CRUD, membership add/list/remove)
Phase 5.1 (multi-device):
- Wire device_id through SDK fetch/ack functions (fetch_for_device, ack)
- Add /devices list|add|remove REPL commands with tab completion
- Add clear_failed_outbox to ConversationStore
- Fix missing message_id/device_id fields in SDK proto struct initializers
2026-03-04 20:20:55 +01:00
a90020fe89
fix(e2e): serialize all init_auth tests behind AUTH_LOCK to prevent race
...
Every test that calls init_auth() now holds AUTH_LOCK for its full
duration, preventing the global AUTH_CONTEXT from being overwritten
by concurrent tests. The e2e_auth_failure_wrong_token test additionally
resets auth back to "devtoken" after its assertion. Tests now pass
reliably with default parallelism (no --test-threads 1 required).
2026-03-04 20:20:03 +01:00
fd1accc6dd
feat(sdk): wire device_id through messaging and client APIs
...
Add device_id parameter to fetch, fetch_wait, ack, receive_messages,
and receive_messages_wait SDK functions. QpqClient gains device_id
field with register_device/list_devices/revoke_device convenience
methods. Client REPL passes empty device_id for backwards compat.
2026-03-04 20:19:30 +01:00
12b19b6931
feat: implement account recovery with encrypted backup bundles
...
Add recovery code generation (8 codes per setup), Argon2id key derivation,
ChaCha20-Poly1305 encrypted bundles, and server-side zero-knowledge storage.
Each code independently recovers the account. Includes core crypto module,
protobuf service (method IDs 750-752), server domain + handlers, SDK methods,
SQL migration, and CLI commands (/recovery setup, /recovery restore).
2026-03-04 20:12:20 +01:00
5a66c2e954
chore: fix all clippy warnings across workspace
2026-03-04 14:13:58 +01:00
4013b223ff
test(e2e): add auth failure, message ordering, OPAQUE flow, key exhaustion, and rate limit tests
2026-03-04 13:33:21 +01:00
e3dfc43e2c
test: add unit tests for token cache round-trip and edge cases
2026-03-04 13:31:22 +01:00
7bcfbf175c
test: add unit tests for v2 REPL split_cmd parsing
2026-03-04 13:31:19 +01:00
75f11cb76b
test: add unit tests for retry logic and retriable classifier
2026-03-04 13:31:16 +01:00
a8ed3c4356
fix: replace unwrap/expect in production paths with fallible alternatives
2026-03-04 13:29:33 +01:00
cab03bd3f7
feat(client): v2 REPL over SDK with categorized help and tab-completion
...
925-line REPL replacing the 3317-line monolith — delegates all crypto,
MLS, and RPC to quicproquo-sdk. 20 commands across 6 categories
(messaging, groups, account, keys, utility, debug), rustyline tab
completion, background event listener, auto-server-launch.
Also adds SDK accessor methods (server_addr_string, config_state_path),
WS bridge register handler, and README table formatting cleanup.
2026-03-04 13:02:54 +01:00
99f9abe9ed
feat(client): ratatui TUI subscribing to SDK events
...
Single-file v2 TUI (v2_tui.rs, ~580 lines) gated behind
cfg(all(feature = "v2", feature = "tui")).
Layout: conversations sidebar, scrollable messages panel,
input bar with cursor editing, status line. Help overlay
on /help. Subscribes to SDK broadcast::Receiver<ClientEvent>
for real-time updates. TerminalGuard ensures terminal restore
on panic. Commands: /login, /register, /logout, /dm, /group,
/quit, /help.
Build: cargo build -p quicproquo-client --features v2,tui
2026-03-04 12:47:15 +01:00
029c701780
feat(client): v2 CLI binary over SDK with simplified commands
...
Add v2_main.rs and v2_commands.rs as thin wrappers over QpqClient from
quicproquo-sdk. Activated via --features v2 (feature-gated so v1 main.rs
remains the default). Includes auto-server-launch, clap-based command
surface (register-user, login, whoami, health, resolve, dm, group,
devices), and ClientConfig-based connection setup. MLS-dependent commands
(send, recv, group create/invite) print stubs pointing to the REPL.
2026-03-04 12:46:42 +01:00
394199b19b
fix: security hardening — 40 findings from full codebase review
...
Full codebase review by 4 independent agents (security, architecture,
code quality, correctness) identified ~80 findings. This commit fixes 40
of them across all workspace crates.
Critical fixes:
- Federation service: validate origin against mTLS cert CN/SAN (C1)
- WS bridge: add DM channel auth, size limits, rate limiting (C2)
- hpke_seal: panic on error instead of silent empty ciphertext (C3)
- hpke_setup_sender_and_export: error on parse fail, no PQ downgrade (C7)
Security fixes:
- Zeroize: seed_bytes() returns Zeroizing<[u8;32]>, private_to_bytes()
returns Zeroizing<Vec<u8>>, ClientAuth.access_token, SessionState.password,
conversation hex_key all wrapped in Zeroizing
- Keystore: 0o600 file permissions on Unix
- MeshIdentity: 0o600 file permissions on Unix
- Timing floors: resolveIdentity + WS bridge resolve_user get 5ms floor
- Mobile: TLS verification gated behind insecure-dev feature flag
- Proto: from_bytes default limit tightened from 64 MiB to 8 MiB
Correctness fixes:
- fetch_wait: register waiter before fetch to close TOCTOU window
- MeshEnvelope: exclude hop_count from signature (forwarding no longer
invalidates sender signature)
- BroadcastChannel: encrypt returns Result instead of panicking
- transcript: rename verify_transcript_chain → validate_transcript_structure
- group.rs: extract shared process_incoming() for receive_message variants
- auth_ops: remove spurious RegistrationRequest deserialization
- MeshStore.seen: bounded to 100K with FIFO eviction
Quality fixes:
- FFI error classification: typed downcast instead of string matching
- Plugin HookVTable: SAFETY documentation for unsafe Send+Sync
- clippy::unwrap_used: warn → deny workspace-wide
- Various .unwrap_or("") → proper error returns
Review report: docs/REVIEW-2026-03-04.md
152 tests passing (72 core + 35 server + 14 E2E + 1 doctest + 30 P2P)
2026-03-04 07:52:12 +01:00
9244e80ec7
feat: Sprint 10+11 — privacy hardening and multi-device support
...
Privacy Hardening (Sprint 10):
- Server --redact-logs flag: SHA-256 hashed identity prefixes in audit
logs, payload_len omitted when enabled
- Client /privacy command suite: redact-keys on|off, auto-clear with
duration parsing, padding on|off for traffic analysis resistance
- Forward secrecy: /verify-fs checks MLS epoch advancement,
/rotate-all-keys rotates MLS leaf + hybrid KEM keypair
- Dummy message type (0x09): constant-rate traffic padding every 30s,
silently discarded by recipients, serialize_dummy() + parse support
- delete_messages_before() for auto-clear in ConversationStore
Multi-Device Support (Sprint 11):
- Device registry: registerDevice @24, listDevices @25, revokeDevice @26
RPCs with Device struct (deviceId, deviceName, registeredAt)
- Server storage: devices table (migration 008), max 5 per identity,
E029_DEVICE_LIMIT and E030_DEVICE_NOT_FOUND error codes
- Device cleanup integrated into deleteAccount transaction
- Client REPL: /devices, /register-device <name>, /revoke-device <id>
72 core + 35 server tests pass.
2026-03-04 01:55:23 +01:00
1b61b7ee8f
feat: Sprint 9 — mesh identity, store-and-forward, broadcast channels
...
Self-sovereign mesh networking for offline-capable Freifunk deployments.
- MeshIdentity: Ed25519 keypair-based identity without AS registration,
JSON-persisted seed + known peers directory, sign/verify
- MeshEnvelope: signed store-and-forward envelope with TTL, hop_count,
max_hops, SHA-256 dedup ID, Ed25519 signature verification
- MeshStore: in-memory message queue with dedup, per-recipient capacity
limits, TTL-based garbage collection
- BroadcastChannel: symmetric ChaCha20-Poly1305 encrypted topic-based
pub/sub for mesh announcements, no MLS overhead
- BroadcastManager: subscribe/unsubscribe/create channels by topic
- P2pNode integration: send_mesh(), receive_mesh(), forward_stored(),
subscribe(), create_broadcast(), broadcast()
- Extended mesh REPL: /mesh send, /mesh broadcast, /mesh subscribe,
/mesh route, /mesh identity, /mesh store (feature-gated)
28 P2P tests pass (21 existing + 7 broadcast). All builds clean.
2026-03-04 01:42:09 +01:00
fd21ea625c
feat: Sprint 6 — disappearing messages, group info, account deletion
...
- Disappearing messages: ttlSecs param on enqueue/batchEnqueue RPCs,
expires_at column (migration 007), server GC deletes expired messages,
/disappear command with human-friendly duration parsing (30m, 1h, 1d)
- Group info: /group-info shows type, members, MLS epoch; /rename
renames conversations; /members resolves usernames via resolveIdentity
- Account deletion: deleteAccount @23 RPC with transactional purge of
all user data (deliveries, keys, channels), session invalidation,
KT log preserved for auditability; /delete-account with confirmation
- Added epoch() accessor to GroupMember, enqueue_with_ttl client helper
All 35 server + 71 core + 14 E2E tests pass.
2026-03-04 00:39:05 +01:00
3350d765e5
feat: Sprint 5 — encrypted file transfer with chunked upload/download
...
- Add uploadBlob (@21) and downloadBlob (@22) RPCs to Cap'n Proto
schema with SHA-256 content addressing and chunked transfer
- Server blob handler: 256KB chunks, SHA-256 verification on finalize,
.meta JSON sidecar, 50MB size limit, content-addressable storage
- Add FileRef (0x08) AppMessage variant with blob_id, filename,
file_size, mime_type
- /send-file command: read file, compute hash, upload in chunks with
progress display, send FileRef via MLS, MIME auto-detection
- /download command: fetch blob in chunks with progress, verify hash,
save to disk with collision avoidance
- 2 new E2E tests: upload/download round-trip with partial reads,
hash mismatch rejection (14 E2E tests total)
- New error codes: E024-E027 for blob operations
2026-03-04 00:27:18 +01:00
81d5e2e590
feat: Sprint 4 — rich messaging: receipts, typing, reactions, edit/delete
...
- Auto-send read receipts on Chat/Reply receive, display "✓ read"
notification (loop-safe: only Chat/Reply trigger receipts)
- Typing indicators with /typing command, 10s timeout expiry,
/typing-notify toggle, ephemeral (not stored in DB)
- /react <emoji> [index] command for message reactions, display
inline with sender name
- Add Edit (0x06) and Delete (0x07) AppMessage variants with
serialize/parse, /edit and /delete REPL commands (own messages
only), incoming edit/delete handling with DB updates
- 3 new roundtrip tests for Edit/Delete serialization (70 core tests)
2026-03-04 00:12:06 +01:00
9ab306d891
feat: Sprint 2 — security hardening, MLS key rotation, E2E tests
...
- DS sender identity binding (Phase 4.3): explicit audit logging of
sender_prefix in enqueue/batch_enqueue, documenting that sender
identity is always derived from authenticated session
- Username enumeration mitigation (Phase 4.5): 5ms timing floor on
resolveUser responses + rate limiting to prevent bulk enumeration
- Add /update-key REPL command for MLS leaf key rotation via
propose_self_update + auto-commit + fan-out to group members
- Add 4 new E2E tests: message delivery round-trip, key rotation
update path, oversized payload rejection, multi-party group (12 total)
2026-03-03 23:37:24 +01:00
612b06aa8e
feat: Sprint 1 — production hardening, TLS lifecycle, CI coverage, lint cleanup
...
- Fix 3 client panics: replace .unwrap()/.expect() with proper error
handling in rpc.rs (AUTH_CONTEXT lock), repl.rs (pending_member),
and retry.rs (last_err)
- Add --danger-accept-invalid-certs flag with InsecureServerCertVerifier
for development TLS bypass, plus mdBook TLS documentation
- Add CI coverage job (cargo-tarpaulin) and Docker build validation
to GitHub Actions workflow, plus README CI badge
- Add [workspace.lints] config, fix 46 clippy warnings across 8 crates,
zero warnings on all buildable crates
- Update Dockerfile for all 11 workspace members
2026-03-03 23:19:11 +01:00
dc4e4e49a0
feat: Phase 9 — developer experience, extensibility, and community growth
...
New crates:
- quicproquo-bot: Bot SDK with polling API + JSON pipe mode
- quicproquo-kt: Key Transparency Merkle log (RFC 9162 subset)
- quicproquo-plugin-api: no_std C-compatible plugin vtable API
- quicproquo-gen: scaffolding tool (qpq-gen plugin/bot/rpc/hook)
Server features:
- ServerHooks trait wired into all RPC handlers (enqueue, fetch, auth,
channel, registration) with plugin rejection support
- Dynamic plugin loader (libloading) with --plugin-dir config
- Delivery proof canary tokens (Ed25519 server signatures on enqueue)
- Key Transparency Merkle log with inclusion proofs on resolveUser
Core library:
- Safety numbers (60-digit HMAC-SHA256 key verification codes)
- Verifiable transcript archive (CBOR + ChaCha20-Poly1305 + hash chain)
- Delivery proof verification utility
- Criterion benchmarks (hybrid KEM, MLS, identity, sealed sender, padding)
Client:
- /verify REPL command for out-of-band key verification
- Full-screen TUI via Ratatui (feature-gated --features tui)
- qpq export / qpq export-verify CLI subcommands
- KT inclusion proof verification on user resolution
Also: ROADMAP Phase 9 added, bot SDK docs, server hooks docs,
crate-responsibilities updated, example plugins (rate_limit, logging).
2026-03-03 22:47:38 +01:00
d7e530435f
fix: auto-derive state file path from --username
...
qpq --username alice now automatically uses qpq-alice.bin instead of the
shared qpq-state.bin default, preventing identity collisions in multi-user
local test setups without requiring an explicit --state flag.
2026-03-03 14:42:11 +01:00
c8398d6cb7
feat: DM epoch fix, federation relay, and mDNS mesh discovery
...
- schema: createChannel returns wasNew :Bool to elect the MLS initiator
unambiguously; prevents duplicate group creation on concurrent /dm calls
- core: group helpers for epoch tracking and key-package lifecycle
- server: federation subsystem — mTLS QUIC server-to-server relay with
Cap'n Proto RPC; enqueue/batchEnqueue relay unknown recipients to their
home domain via FederationClient
- server: mDNS _quicproquo._udp.local. service announcement on startup
- server: storage + sql_store — identity_exists, peek/ack, federation
home-server lookup helpers
- client: /mesh peers REPL command (mDNS discovery, feature = "mesh")
- client: MeshDiscovery — background mDNS browse with ServiceDaemon
- client: was_new=false path in cmd_dm waits for peer Welcome instead of
creating a duplicate initiator group
- p2p: fix ALPN from quicnprotochat/p2p/1 → quicproquo/p2p/1
- workspace: re-include quicproquo-p2p in members
2026-03-03 14:41:56 +01:00
e24497bf90
feat: auto-start local server from REPL
...
When no server is reachable, the REPL now automatically spawns a
qpq-server child process with dev defaults (--allow-insecure-auth,
matching TLS cert paths). The server is killed on REPL exit via a
Drop guard. Use --no-server to opt out (e.g. for remote servers).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-01 23:03:31 +01:00
5b9df61194
feat: make repl the default subcommand
...
Running `qpq --username alice --password secretA` now launches the
REPL directly instead of requiring `qpq repl ...`. The explicit
`repl` subcommand still works for backwards compatibility.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-01 22:06:57 +01:00
853ca4fec0
chore: rename project quicnprotochat -> quicproquo (binaries: qpq)
...
Rename the entire workspace:
- Crate packages: quicnprotochat-{core,proto,server,client,gui,p2p,mobile} -> quicproquo-*
- Binary names: quicnprotochat -> qpq, quicnprotochat-server -> qpq-server,
quicnprotochat-gui -> qpq-gui
- Default files: *-state.bin -> qpq-state.bin, *-server.toml -> qpq-server.toml,
*.db -> qpq.db
- Environment variable prefix: QUICNPROTOCHAT_* -> QPQ_*
- App identifier: chat.quicnproto.gui -> chat.quicproquo.gui
- Proto package: quicnprotochat.bench -> quicproquo.bench
- All documentation, Docker, CI, and script references updated
HKDF domain-separation strings and P2P ALPN remain unchanged for
backward compatibility with existing encrypted state and wire protocol.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com >
2026-03-01 20:11:51 +01:00
