Christian Nennemann
0bdc222724
Phase 1 — Foundation: - Constant-time token comparison via subtle::ConstantTimeEq (Fix 11) - Structured error codes E001–E020 in new error_codes.rs (Fix 15) - Remove dead envelope.capnp code and related types (Fix 16) Phase 2 — Auth Hardening: - Registration collision check via has_user_record() (Fix 5) - Auth required on uploadHybridKey/fetchHybridKey RPCs (Fix 1) - Identity-token binding at registration and login (Fix 2) - Session token expiry with 24h TTL and background reaper (Fix 3) - Bounded pending logins with 5-minute timeout (Fix 4) Phase 3 — Resource Limits: - Rate limiting: 100 enqueues/60s per token (Fix 6) - Queue depth cap at 1000 + 7-day message TTL/GC (Fix 7) - Partial queue drain via limit param on fetch/fetchWait (Fix 8) Phase 4 — Crypto Fixes: - OPAQUE KSF switched from Identity to Argon2id (Fix 10) - Random AEAD nonce in hybrid KEM instead of HKDF-derived (Fix 12) - Zeroize secret fields in HybridKeypairBytes (Fix 13) - Encrypted client state files via QPCE format (Fix 9) Phase 5 — Protocol: - Commit fan-out to all existing members on invite (Fix 14) - Add member_identities() to GroupMember Breaking: existing OPAQUE registrations invalidated (Argon2 KSF). Schema: added auth to hybrid key ops, identityKey to OPAQUE finish RPCs, limit to fetch/fetchWait. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
55 lines
1.7 KiB
Rust
55 lines
1.7 KiB
Rust
//! Build script for quicnprotochat-proto.
|
|
//!
|
|
//! Invokes the `capnp` compiler to generate Rust types from `.capnp` schemas
|
|
//! located in the workspace-root `schemas/` directory.
|
|
//!
|
|
//! # Prerequisites
|
|
//!
|
|
//! The `capnp` CLI must be installed and on `PATH`.
|
|
//!
|
|
//! Debian/Ubuntu: apt-get install capnproto
|
|
//! macOS: brew install capnp
|
|
//! Docker: see docker/Dockerfile
|
|
|
|
use std::{env, path::PathBuf};
|
|
|
|
fn main() {
|
|
let manifest_dir =
|
|
PathBuf::from(env::var("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR not set by Cargo"));
|
|
|
|
// Workspace root is two levels above this crate (quicnprotochat/crates/quicnprotochat-proto).
|
|
let workspace_root = manifest_dir
|
|
.join("../..")
|
|
.canonicalize()
|
|
.expect("could not canonicalize workspace root path");
|
|
|
|
let schemas_dir = workspace_root.join("schemas");
|
|
|
|
// Re-run this build script whenever any schema file changes.
|
|
println!(
|
|
"cargo:rerun-if-changed={}",
|
|
schemas_dir.join("auth.capnp").display()
|
|
);
|
|
println!(
|
|
"cargo:rerun-if-changed={}",
|
|
schemas_dir.join("delivery.capnp").display()
|
|
);
|
|
println!(
|
|
"cargo:rerun-if-changed={}",
|
|
schemas_dir.join("node.capnp").display()
|
|
);
|
|
|
|
capnpc::CompilerCommand::new()
|
|
// Treat `schemas/` as the include root so that inter-schema imports
|
|
// resolve correctly.
|
|
.src_prefix(&schemas_dir)
|
|
.file(schemas_dir.join("auth.capnp"))
|
|
.file(schemas_dir.join("delivery.capnp"))
|
|
.file(schemas_dir.join("node.capnp"))
|
|
.run()
|
|
.expect(
|
|
"Cap'n Proto schema compilation failed. \
|
|
Is `capnp` installed? (apt-get install capnproto / brew install capnp)",
|
|
);
|
|
}
|