Christian Nennemann
394199b19b
Full codebase review by 4 independent agents (security, architecture,
code quality, correctness) identified ~80 findings. This commit fixes 40
of them across all workspace crates.
Critical fixes:
- Federation service: validate origin against mTLS cert CN/SAN (C1)
- WS bridge: add DM channel auth, size limits, rate limiting (C2)
- hpke_seal: panic on error instead of silent empty ciphertext (C3)
- hpke_setup_sender_and_export: error on parse fail, no PQ downgrade (C7)
Security fixes:
- Zeroize: seed_bytes() returns Zeroizing<[u8;32]>, private_to_bytes()
returns Zeroizing<Vec<u8>>, ClientAuth.access_token, SessionState.password,
conversation hex_key all wrapped in Zeroizing
- Keystore: 0o600 file permissions on Unix
- MeshIdentity: 0o600 file permissions on Unix
- Timing floors: resolveIdentity + WS bridge resolve_user get 5ms floor
- Mobile: TLS verification gated behind insecure-dev feature flag
- Proto: from_bytes default limit tightened from 64 MiB to 8 MiB
Correctness fixes:
- fetch_wait: register waiter before fetch to close TOCTOU window
- MeshEnvelope: exclude hop_count from signature (forwarding no longer
invalidates sender signature)
- BroadcastChannel: encrypt returns Result instead of panicking
- transcript: rename verify_transcript_chain → validate_transcript_structure
- group.rs: extract shared process_incoming() for receive_message variants
- auth_ops: remove spurious RegistrationRequest deserialization
- MeshStore.seen: bounded to 100K with FIFO eviction
Quality fixes:
- FFI error classification: typed downcast instead of string matching
- Plugin HookVTable: SAFETY documentation for unsafe Send+Sync
- clippy::unwrap_used: warn → deny workspace-wide
- Various .unwrap_or("") → proper error returns
Review report: docs/REVIEW-2026-03-04.md
152 tests passing (72 core + 35 server + 14 E2E + 1 doctest + 30 P2P)
102 lines
5.3 KiB
TOML
102 lines
5.3 KiB
TOML
[workspace]
|
|
resolver = "2"
|
|
members = [
|
|
"crates/quicproquo-core",
|
|
"crates/quicproquo-proto",
|
|
"crates/quicproquo-plugin-api",
|
|
"crates/quicproquo-kt",
|
|
"crates/quicproquo-server",
|
|
"crates/quicproquo-client",
|
|
"crates/quicproquo-bot",
|
|
"crates/quicproquo-gen",
|
|
"crates/quicproquo-gui",
|
|
"crates/quicproquo-mobile",
|
|
"crates/quicproquo-ffi",
|
|
# P2P crate uses iroh (~90 extra deps). Kept in the workspace so it can be
|
|
# referenced as an optional dependency; only compiled when the `mesh` feature
|
|
# is enabled on quicproquo-client.
|
|
"crates/quicproquo-p2p",
|
|
]
|
|
|
|
# Shared dependency versions — bump here to affect the whole workspace.
|
|
[workspace.dependencies]
|
|
|
|
# ── Crypto ────────────────────────────────────────────────────────────────────
|
|
openmls = { version = "0.5", default-features = false, features = ["crypto-subtle"] }
|
|
openmls_rust_crypto = { version = "0.2" }
|
|
openmls_traits = { version = "0.2" }
|
|
# tls_codec must match the version used by openmls 0.5 (which uses 0.3) to avoid
|
|
# duplicate Serialize trait versions in the dependency graph.
|
|
tls_codec = { version = "0.3", features = ["derive"] }
|
|
# ml-kem 0.2 is the current stable release (FIPS 203, ML-KEM-768).
|
|
# All three parameter sets (512/768/1024) are compiled in by default — no feature flag needed.
|
|
ml-kem = { version = "0.2" }
|
|
x25519-dalek = { version = "2", features = ["static_secrets"] }
|
|
ed25519-dalek = { version = "2", features = ["rand_core"] }
|
|
sha2 = { version = "0.10" }
|
|
hmac = { version = "0.12" }
|
|
hkdf = { version = "0.12" }
|
|
ciborium = { version = "0.2" }
|
|
chacha20poly1305 = { version = "0.10" }
|
|
opaque-ke = { version = "4", features = ["ristretto255", "argon2"] }
|
|
zeroize = { version = "1", features = ["derive", "serde"] }
|
|
subtle = { version = "2" }
|
|
argon2 = { version = "0.5" }
|
|
rand = { version = "0.8" }
|
|
serde = { version = "1", features = ["derive"] }
|
|
serde_json = { version = "1" }
|
|
bincode = { version = "1" }
|
|
|
|
# ── Serialisation + RPC ───────────────────────────────────────────────────────
|
|
capnp = { version = "0.19" }
|
|
capnp-rpc = { version = "0.19" }
|
|
|
|
# ── Async / networking ────────────────────────────────────────────────────────
|
|
tokio = { version = "1", features = ["macros", "rt-multi-thread", "time", "sync", "signal", "io-util", "io-std"] }
|
|
tokio-util = { version = "0.7", features = ["codec", "compat"] }
|
|
futures = { version = "0.3" }
|
|
quinn = { version = "0.11" }
|
|
quinn-proto = { version = "0.11" }
|
|
rustls = { version = "0.23", default-features = false, features = ["std", "ring"] }
|
|
rcgen = { version = "0.13" }
|
|
|
|
# ── Database ─────────────────────────────────────────────────────────────
|
|
rusqlite = { version = "0.31", features = ["bundled-sqlcipher"] }
|
|
|
|
# ── Encoding ─────────────────────────────────────────────────────────────────
|
|
hex = { version = "0.4" }
|
|
|
|
# ── Server utilities ──────────────────────────────────────────────────────────
|
|
dashmap = { version = "5" }
|
|
tracing = { version = "0.1" }
|
|
tracing-subscriber = { version = "0.3", features = ["env-filter"] }
|
|
|
|
# ── Error handling ────────────────────────────────────────────────────────────
|
|
anyhow = { version = "1" }
|
|
thiserror = { version = "1" }
|
|
|
|
# ── CLI ───────────────────────────────────────────────────────────────────────
|
|
clap = { version = "4", features = ["derive", "env"] }
|
|
|
|
# ── Certificate parsing ──────────────────────────────────────────────────────
|
|
x509-parser = { version = "0.16", default-features = false }
|
|
|
|
# ── Build-time ────────────────────────────────────────────────────────────────
|
|
capnpc = { version = "0.19" }
|
|
|
|
[workspace.lints.rust]
|
|
unsafe_code = "warn"
|
|
|
|
[workspace.lints.clippy]
|
|
unwrap_used = "deny"
|
|
|
|
[profile.release]
|
|
opt-level = 3
|
|
lto = "thin"
|
|
codegen-units = 1
|
|
strip = "symbols"
|
|
|
|
[profile.dev]
|
|
opt-level = 0
|
|
debug = true
|