quicproquo

Author	SHA1	Message	Date
Chris Nennemann	b6483dedbc	chore: ROADMAP Phase 8, parallel AI team script, docker and infra updates - ROADMAP.md: add Phase 8 — Freifunk / Community Mesh Networking with F0-F8 checkboxes; F0-F2 marked complete - scripts/ai_team.py: rewrite to support asyncio.gather parallel agent runs; add --sprint flag with predefined work packages (audit, phase1-hardening, phase2-tests, phase1-infra, status); add --parallel for ad-hoc concurrent agent invocations; output written to logs/ai_team/<sprint>_<timestamp>/<agent>.md - scripts/dev-shell.sh: convenience development shell helper - docker: update Dockerfiles for quicproquo rename and new server flags - .gitignore: add qpq-state artifacts (.bin, .session, .pending.ks, .convdb*)	2026-03-03 14:42:21 +01:00
Chris Nennemann	d7e530435f	fix: auto-derive state file path from --username qpq --username alice now automatically uses qpq-alice.bin instead of the shared qpq-state.bin default, preventing identity collisions in multi-user local test setups without requiring an explicit --state flag.	2026-03-03 14:42:11 +01:00
Chris Nennemann	c8398d6cb7	feat: DM epoch fix, federation relay, and mDNS mesh discovery - schema: createChannel returns wasNew :Bool to elect the MLS initiator unambiguously; prevents duplicate group creation on concurrent /dm calls - core: group helpers for epoch tracking and key-package lifecycle - server: federation subsystem — mTLS QUIC server-to-server relay with Cap'n Proto RPC; enqueue/batchEnqueue relay unknown recipients to their home domain via FederationClient - server: mDNS _quicproquo._udp.local. service announcement on startup - server: storage + sql_store — identity_exists, peek/ack, federation home-server lookup helpers - client: /mesh peers REPL command (mDNS discovery, feature = "mesh") - client: MeshDiscovery — background mDNS browse with ServiceDaemon - client: was_new=false path in cmd_dm waits for peer Welcome instead of creating a duplicate initiator group - p2p: fix ALPN from quicnprotochat/p2p/1 → quicproquo/p2p/1 - workspace: re-include quicproquo-p2p in members	2026-03-03 14:41:56 +01:00
Chris Nennemann	e24497bf90	feat: auto-start local server from REPL When no server is reachable, the REPL now automatically spawns a qpq-server child process with dev defaults (--allow-insecure-auth, matching TLS cert paths). The server is killed on REPL exit via a Drop guard. Use --no-server to opt out (e.g. for remote servers). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-01 23:03:31 +01:00
Chris Nennemann	c2762f93f6	chore: fix compiler warnings in quicproquo-core Remove unused LeafNodeIndex import and dead StoreCrypto struct. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-01 22:19:30 +01:00
Chris Nennemann	5b9df61194	feat: make repl the default subcommand Running `qpq --username alice --password secretA` now launches the REPL directly instead of requiring `qpq repl ...`. The explicit `repl` subcommand still works for backwards compatibility. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-01 22:06:57 +01:00
Chris Nennemann	9525a3c565	docs: add project logo to README Move logo.png into assets/ and display it centered at the top of the README. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-01 21:40:13 +01:00
Chris Nennemann	853ca4fec0	chore: rename project quicnprotochat -> quicproquo (binaries: qpq) Rename the entire workspace: - Crate packages: quicnprotochat-{core,proto,server,client,gui,p2p,mobile} -> quicproquo-* - Binary names: quicnprotochat -> qpq, quicnprotochat-server -> qpq-server, quicnprotochat-gui -> qpq-gui - Default files: -state.bin -> qpq-state.bin, -server.toml -> qpq-server.toml, .db -> qpq.db - Environment variable prefix: QUICNPROTOCHAT_ -> QPQ_* - App identifier: chat.quicnproto.gui -> chat.quicproquo.gui - Proto package: quicnprotochat.bench -> quicproquo.bench - All documentation, Docker, CI, and script references updated HKDF domain-separation strings and P2P ALPN remain unchanged for backward compatibility with existing encrypted state and wire protocol. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-01 20:11:51 +01:00
Christian Nennemann	553de3a2b7	feat: interactive REPL with auto-setup, auto-join, encrypted local storage REPL auto-setup (zero-friction startup): - OnceLock → RwLock for CLIENT_AUTH to allow delayed init after OPAQUE login - Extract opaque_register/opaque_login helpers from one-shot commands - Token cache (.session file) with QPCE encryption when password provided - Add --username/--password/--state-password to repl subcommand - resolve_access_token: auto-register + login, cache token, prompt interactively - rpassword for secure password input (no echo) Interactive REPL (multi-conversation): - SessionState: identity, hybrid key, ConversationStore, per-conversation GroupMembers - ConversationStore: SQLite-backed conversations + messages with full CRUD - Slash commands: /dm, /group, /invite, /join, /switch, /list, /members, /history, /whoami - Background polling (1s interval) with auto-join from MLS Welcome messages - pending_member pattern: persistent keystore for HPKE init key, replenish after join - Self-DM handled as local-only notepad (no MLS/server channel) - ANSI display module for colored prompts, incoming messages, status/error output Username resolution: - resolveIdentity RPC (@20 in node.capnp): look up username by identity key - Server: resolve_identity_key in Store trait, FileBackedStore, SqlStore - Client: resolve_identity in rpc.rs, used in auto-join for peer display names - resolveUser: bidirectional lookup (username → identity key) Encrypted local storage (nothing in cleartext): - ConversationStore uses SQLCipher when --state-password is provided - Argon2id key derivation with per-database random salt (.convdb-salt, mode 0600) - Transparent migration of existing unencrypted databases via sqlcipher_export - Token cache encrypted with QPCE format (Argon2id + ChaCha20Poly1305) Server changes: - resolveIdentity + resolveUser RPC handlers with auth + validation - Auth: sealed-sender identity binding on enqueue, channel member authorization - Delivery: hybrid decrypt attempts, identity key validation on enqueue - Config: --allow-sealed-sender flag for anonymous delivery mode - zeroize added to server dependencies Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-26 22:45:34 +01:00
Christian Nennemann	4c1e4683e3	chore: exclude p2p crate from workspace, slim tokio features Move quicnprotochat-p2p to workspace.exclude so ~90 iroh-only dependencies are not compiled in the default build. Narrow tokio features from "full" to the subset actually used. The p2p crate now pins its own dependency versions since it is outside the workspace. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-23 23:10:23 +01:00
Christian Nennemann	750b794342	DM channels (createChannel), channel authz, security/docs, future improvements - Add createChannel RPC (node.capnp @18): create 1:1 channel, returns 16-byte channelId - Store: create_channel(member_a, member_b), get_channel_members(channel_id) - FileBackedStore: channels.bin; SqlStore: migration 003_channels, schema v4 - channel_ops: handle_create_channel (auth + identity, peerKey 32 bytes) - Delivery authz: when channel_id.len() == 16, require caller and recipient are channel members (E022/E023) - Error codes E022 CHANNEL_ACCESS_DENIED, E023 CHANNEL_NOT_FOUND - SUMMARY: link Certificate lifecycle; security audit, future improvements, multi-agent plan docs - Certificate lifecycle doc, SECURITY-AUDIT, FUTURE-IMPROVEMENTS, MULTI-AGENT-WORK-PLAN - Client/core/tls/auth/server main: assorted fixes and updates from review and audit Co-authored-by: Cursor <cursoragent@cursor.com>	2026-02-23 22:54:28 +01:00
Christian Nennemann	6b8b61c6ae	feat: add delivery sequence numbers + major server/client refactor Delivery sequence numbers (MLS epoch ordering fix): - schemas/node.capnp: add Envelope{seq,data} struct; enqueue returns seq:UInt64; fetch/fetchWait return List(Envelope) instead of List(Data) - storage.rs: Store trait enqueue returns u64; fetch/fetch_limited return Vec<(u64, Vec<u8>)>; FileBackedStore gains QueueMapV3 with per-inbox seq counters and V2→V3 on-disk migration - migrations/002_add_seq.sql: seq column, delivery_seq_counters table, index - sql_store.rs: atomic UPSERT counter via RETURNING, ORDER BY seq, SCHEMA_VERSION→3 - node_service/delivery.rs: builds Envelope list; returns seq from enqueue - client/rpc.rs: enqueue→u64, fetch_all/fetch_wait→Vec<(u64,Vec<u8>)> - client/commands.rs: sort-by-seq before MLS processing; retry loop in cmd_recv and receive_pending_plaintexts for correct epoch ordering Server refactor: - Split monolithic main.rs into node_service/{mod,delivery,auth_ops,key_ops,p2p_ops} - Add auth.rs (token validation, rate limiting), config.rs, metrics.rs, tls.rs - Add SQL migrations runner (001_initial.sql, 002_add_seq.sql) - OPAQUE PAKE login/registration, sealed-sender mode, queue depth limit (1000) Client refactor: - Split lib.rs into client/{commands,rpc,state,retry,hex,mod} - Add cmd_whoami, cmd_health, cmd_check_key, cmd_ping subcommands - Add cmd_register_user, cmd_login (OPAQUE), cmd_refresh_keypackage - Hybrid PQ envelope (X25519 + ML-KEM-768) on all send/recv paths - E2E test suite expanded Other: - quicnprotochat-gui: Tauri 2 desktop GUI skeleton (backend + HTML UI) - quicnprotochat-p2p: iroh-based P2P transport stub - quicnprotochat-core: app_message, hybrid_crypto modules; GroupMember API updates - .github/workflows/size-lint.yml: binary size regression check - docs: protocol comparison, roadmap updates, fully-operational checklist	2026-02-22 20:40:12 +01:00
Christian Nennemann	b5b361e2ff	chore: move Python/Ruby/bindings crates to quicnprotochat-lang-clients repo The three crates (quicnprotochat-bindings, quicnprotochat-python, quicnprotochat-ruby) are developed in a separate feature repository at git.xorwell.de:c/quicnprotochat-lang-clients.	2026-02-22 18:58:45 +01:00
Christian Nennemann	96f4128b32	fix: remove stale Noise_XX reference and --ds-server flag from README Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 12:51:51 +01:00
Christian Nennemann	230205a152	feat: add whoami, health, and check-key CLI subcommands Three new subcommands for M4 CLI groundwork: - whoami: show local identity key, fingerprint, hybrid key and group status - health: check server connectivity via health RPC - check-key: non-consuming lookup of a peer hybrid public key Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 12:50:40 +01:00
Christian Nennemann	00b0aa92a1	feat: add protocol comparison docs, P2P crate, production audit, and design fixes Add comprehensive documentation comparing quicnprotochat against classical chat protocols (IRC+SSL, XMPP, Telegram) with diagrams and attack scenarios. Promote comparison pages to top-level sidebar section. Include P2P transport crate (iroh), production readiness audit, CI workflows, dependency policy, and continued architecture improvements across all crates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 12:15:44 +01:00
Christian Nennemann	0bdc222724	fix: address 16 architecture design flaws across all crates Phase 1 — Foundation: - Constant-time token comparison via subtle::ConstantTimeEq (Fix 11) - Structured error codes E001–E020 in new error_codes.rs (Fix 15) - Remove dead envelope.capnp code and related types (Fix 16) Phase 2 — Auth Hardening: - Registration collision check via has_user_record() (Fix 5) - Auth required on uploadHybridKey/fetchHybridKey RPCs (Fix 1) - Identity-token binding at registration and login (Fix 2) - Session token expiry with 24h TTL and background reaper (Fix 3) - Bounded pending logins with 5-minute timeout (Fix 4) Phase 3 — Resource Limits: - Rate limiting: 100 enqueues/60s per token (Fix 6) - Queue depth cap at 1000 + 7-day message TTL/GC (Fix 7) - Partial queue drain via limit param on fetch/fetchWait (Fix 8) Phase 4 — Crypto Fixes: - OPAQUE KSF switched from Identity to Argon2id (Fix 10) - Random AEAD nonce in hybrid KEM instead of HKDF-derived (Fix 12) - Zeroize secret fields in HybridKeypairBytes (Fix 13) - Encrypted client state files via QPCE format (Fix 9) Phase 5 — Protocol: - Commit fan-out to all existing members on invite (Fix 14) - Add member_identities() to GroupMember Breaking: existing OPAQUE registrations invalidated (Argon2 KSF). Schema: added auth to hybrid key ops, identityKey to OPAQUE finish RPCs, limit to fetch/fetchWait. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 10:51:09 +01:00
Christian Nennemann	8d5c1b3b9b	WIP: add OPAQUE password-authenticated key exchange Add opaque-ke (v4, ristretto255) for password-based registration and login. Extend NodeService schema with opaqueRegisterStart/Finish and opaqueLoginStart/Finish RPCs. Add Store trait methods for OPAQUE server setup and user records. Initial e2e integration test scaffolding. Note: FileBackedStore does not yet implement the new Store trait methods — server compilation is temporarily broken. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 08:25:34 +01:00
Christian Nennemann	9fdb37876a	Remove Noise protocol references from wiki docs and tests Delete 8 Noise-specific documentation pages (noise-xx.md, transport-keys.md, adr-001/003/006, framing-codec.md) and update ~30 remaining wiki pages to reflect QUIC+TLS as the sole transport. Remove obsolete Noise-based integration tests (auth_service.rs, mls_group.rs). Code-side Noise removal was done in `f334ed3`. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 08:25:23 +01:00
Christian Nennemann	f334ed3d43	feat: add post-quantum hybrid KEM + SQLCipher persistence Feature 1 — Post-Quantum Hybrid KEM (X25519 + ML-KEM-768): - Create hybrid_kem.rs with keygen, encrypt, decrypt + 11 unit tests - Wire format: version(1) \| x25519_eph_pk(32) \| mlkem_ct(1088) \| nonce(12) \| ct - Add uploadHybridKey/fetchHybridKey RPCs to node.capnp schema - Server: hybrid key storage in FileBackedStore + RPC handlers - Client: hybrid keypair in StoredState, auto-wrap/unwrap in send/recv/invite/join - demo-group runs full hybrid PQ envelope round-trip Feature 2 — SQLCipher Persistence: - Extract Store trait from FileBackedStore API - Create SqlStore (rusqlite + bundled-sqlcipher) with encrypted-at-rest SQLite - Schema: key_packages, deliveries, hybrid_keys tables with indexes - Server CLI: --store-backend=sql, --db-path, --db-key flags - 5 unit tests for SqlStore (FIFO, round-trip, upsert, channel isolation) Also includes: client lib.rs refactor, auth config, TOML config file support, mdBook documentation, and various cleanups by user. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 08:07:48 +01:00
Christian Nennemann	d1ddef4cea	Add channel-aware delivery and update roadmap	2026-02-22 06:31:16 +01:00
Christian Nennemann	9a3fa94858	Remove secret gitea config and ignore file	2026-02-21 23:44:00 +01:00
Christian Nennemann	01b0d8db24	Add gitea-mcp config	2026-02-21 23:43:00 +01:00
Christian Nennemann	3bf3ab23e2	Rename project to quicnprotochat	2026-02-21 23:37:40 +01:00
Christian Nennemann	c9d295c510	docs: add README with protocol stack, architecture, and milestone table	2026-02-19 23:44:04 +01:00
Christian Nennemann	9a0b02a012	feat: M2 + M3 — AuthService, MLS group lifecycle, Delivery Service M2: - schemas/auth.capnp: AuthenticationService (upload/fetch KeyPackage) - noiseml-core: IdentityKeypair (Ed25519), generate_key_package, NoiseTransport with send_envelope/recv_envelope, Noise_XX handshake (initiator + responder) - noiseml-proto: auth_capnp module, ParsedEnvelope helpers - noiseml-server: AuthServiceImpl backed by DashMap queue (single-use KPs) - noiseml-client: register + fetch-key subcommands, ping over Noise_XX - tests: auth_service integration test (upload → fetch round-trip) M3: - schemas/delivery.capnp: DeliveryService (enqueue/fetch opaque payloads) - noiseml-core/group.rs: GroupMember — MLS group lifecycle create_group, add_member (→ Commit+Welcome), join_group, send_message, receive_message; uses openmls 0.5 public API (extract() not into_welcome, KeyPackageIn::validate() not From<KeyPackageIn>) - noiseml-server: DeliveryServiceImpl on port 7001 alongside AS on 7000 - noiseml-proto: delivery_capnp module TODO (see M3_STATUS.md): - noiseml-client: group subcommands (create-group, invite, join, send, recv) - noiseml-client/tests/mls_group.rs: full MLS round-trip integration test	2026-02-19 23:39:49 +01:00
Christian Nennemann	9fa3873bd7	feat: M1 — Noise transport, Cap'n Proto framing, Ping/Pong Establishes the foundational transport layer for noiseml: - Noise_XX_25519_ChaChaPoly_BLAKE2s handshake (initiator + responder) via `snow`; mutual authentication of static X25519 keys guaranteed before any application data flows. - Length-prefixed frame codec (4-byte LE u32, max 65 535 B per Noise spec) implemented as a Tokio Encoder/Decoder pair. - Cap'n Proto Envelope schema with MsgType enum (Ping, Pong, and future MLS message types defined but not yet dispatched). - Server: TCP listener, one Tokio task per connection, Ping→Pong handler, fresh X25519 keypair logged at startup. - Client: `ping` subcommand — handshake, send Ping, receive Pong, print RTT, exit 0. - Integration tests: bidirectional Ping/Pong with mutual-auth verification; server keypair reuse across sequential connections. - Docker multi-stage build (rust:bookworm → debian:bookworm-slim, non-root) and docker-compose with TCP healthcheck. No MLS group state, no AS/DS, no persistence — out of scope for M1.	2026-02-19 21:58:51 +01:00

1 2

77 Commits