Christian Nennemann
553de3a2b7
REPL auto-setup (zero-friction startup): - OnceLock → RwLock for CLIENT_AUTH to allow delayed init after OPAQUE login - Extract opaque_register/opaque_login helpers from one-shot commands - Token cache (.session file) with QPCE encryption when password provided - Add --username/--password/--state-password to repl subcommand - resolve_access_token: auto-register + login, cache token, prompt interactively - rpassword for secure password input (no echo) Interactive REPL (multi-conversation): - SessionState: identity, hybrid key, ConversationStore, per-conversation GroupMembers - ConversationStore: SQLite-backed conversations + messages with full CRUD - Slash commands: /dm, /group, /invite, /join, /switch, /list, /members, /history, /whoami - Background polling (1s interval) with auto-join from MLS Welcome messages - pending_member pattern: persistent keystore for HPKE init key, replenish after join - Self-DM handled as local-only notepad (no MLS/server channel) - ANSI display module for colored prompts, incoming messages, status/error output Username resolution: - resolveIdentity RPC (@20 in node.capnp): look up username by identity key - Server: resolve_identity_key in Store trait, FileBackedStore, SqlStore - Client: resolve_identity in rpc.rs, used in auto-join for peer display names - resolveUser: bidirectional lookup (username → identity key) Encrypted local storage (nothing in cleartext): - ConversationStore uses SQLCipher when --state-password is provided - Argon2id key derivation with per-database random salt (.convdb-salt, mode 0600) - Transparent migration of existing unencrypted databases via sqlcipher_export - Token cache encrypted with QPCE format (Argon2id + ChaCha20Poly1305) Server changes: - resolveIdentity + resolveUser RPC handlers with auth + validation - Auth: sealed-sender identity binding on enqueue, channel member authorization - Delivery: hybrid decrypt attempts, identity key validation on enqueue - Config: --allow-sealed-sender flag for anonymous delivery mode - zeroize added to server dependencies Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
quicnprotochat
End-to-end encrypted group messaging over QUIC + TLS 1.3 + MLS (RFC 9420), written in Rust.
Every byte on the wire is protected by a QUIC transport secured with TLS 1.3
(quinn + rustls). The inner MLS layer provides post-compromise security
and ratcheted group key agreement across any number of participants. Messages
are framed with Cap'n Proto, keeping serialisation zero-copy and
schema-versioned.
┌─────────────────────────────────────────────┐
│ Application / MLS ciphertext │ <- group key ratchet (RFC 9420)
├─────────────────────────────────────────────┤
│ Cap'n Proto RPC │ <- typed, schema-versioned framing
├─────────────────────────────────────────────┤
│ QUIC + TLS 1.3 (quinn/rustls) │ <- mutual auth + transport secrecy
└─────────────────────────────────────────────┘
| Property | Mechanism |
|---|---|
| Transport confidentiality | TLS 1.3 over QUIC (rustls) |
| Transport authentication | TLS 1.3 server cert (self-signed by default) |
| Group key agreement | MLS MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519 |
| Post-compromise security | MLS epoch ratchet |
| Identity | Ed25519 (MLS credential + leaf node signature) |
| Message framing | Cap'n Proto (unpacked wire format) |
Documentation
Full documentation is available as an mdBook wiki in docs/:
# Install mdBook (once)
cargo install mdbook
# Build and serve locally
mdbook serve docs
# Open http://localhost:3000
Highlights
- Architecture Overview — Two-service model, dual-key design, crate layout
- Protocol Deep Dives — QUIC/TLS 1.3, Cap'n Proto, MLS, Hybrid KEM
- Cryptographic Properties — Forward secrecy, post-compromise security, PQ readiness, threat model
- Design Rationale — Why MLS over Signal/Matrix, ADRs for all key decisions
- Wire Format Reference — Annotated Cap'n Proto schemas
- Getting Started — Build, run, demo walkthrough
- Roadmap — Milestones, production readiness, future research
- Future Improvements — Prioritised list of security, ops, reliability, and feature improvements
Quick start
# Prerequisites: Rust 1.77+, capnp CLI
brew install capnp # macOS
# apt-get install capnproto # Debian/Ubuntu
# GUI prerequisites (Linux only) — WebKitGTK + GTK3 for Tauri 2
# sudo apt install -y libwebkit2gtk-4.1-dev libgtk-3-dev libglib2.0-dev libssl-dev libayatana-appindicator3-dev librsvg2-dev patchelf
# Build and test
cargo build --workspace
cargo test --workspace
# Start the server (port 7000 by default)
cargo run -p quicnprotochat-server
# Or via a config file (TOML)
# Note: auth_token = "devtoken" and db_key = "" are for development only.
# Production: set QUICNPROTOCHAT_AUTH_TOKEN to a strong secret and (when store_backend = "sql")
# set QUICNPROTOCHAT_DB_KEY so the database is encrypted. Empty db_key = plaintext DB (insecure).
cat > quicnprotochat-server.toml <<'EOF'
listen = "0.0.0.0:7000"
data_dir = "data"
tls_cert = "data/server-cert.der"
tls_key = "data/server-key.der"
auth_token = "devtoken"
store_backend = "file" # or "sql"
db_path = "data/quicnprotochat.db"
db_key = ""
EOF
cargo run -p quicnprotochat-server -- --config quicnprotochat-server.toml
# Run the two-party demo
cargo run -p quicnprotochat-client -- demo-group \
--server 127.0.0.1:7000
# Interactive 1:1 chat (after creating a group and inviting a peer)
# Terminal 1: quicnprotochat chat --peer-key <other_identity_hex>
# Terminal 2: quicnprotochat chat --peer-key <first_identity_hex>
# Type messages and press Enter; incoming messages appear as [peer] <msg>. Ctrl+D to exit.
See the full demo walkthrough for a step-by-step guide.
Milestones
| # | Name | Status | What it adds |
|---|---|---|---|
| M1 | QUIC/TLS transport | Done | QUIC + TLS 1.3 endpoint, length-prefixed framing, Ping/Pong |
| M2 | Authentication Service | Done | Ed25519 identity, KeyPackage generation, AS upload/fetch |
| M3 | Delivery Service + MLS groups | Done | DS relay, GroupMember create/join/add/send/recv |
| M4 | Group CLI subcommands | Done | Persistent CLI (create-group, invite, join, send, recv), OPAQUE login |
| M5 | Multi-party groups | Done | N > 2 members, Commit fan-out, send --all, epoch sync |
| M6 | Persistence | Done | SQLite/SQLCipher, migrations, durable server + client state |
| M7 | Post-quantum | Next | PQ hybrid for MLS/HPKE (X25519 + ML-KEM-768) |
Building without the GUI
To build only the server and CLI client (faster, no Tauri/WebKit):
cargo build -p quicnprotochat-server -p quicnprotochat-client
Core and proto crates are built as dependencies. Omit quicnprotochat-gui and quicnprotochat-p2p if you don't need them.
Security notes
This is a proof-of-concept research project. It has not undergone a formal third-party audit. See the threat model for what is and isn't protected, and the security audit for an internal review of authentication, crypto, transport, and authorization.
- Dependency checks: Run
cargo install cargo-audit && cargo auditto check for known vulnerabilities. - Certificate pinning: Use the server's certificate as
--ca-cert(e.g. copyserver-cert.derfrom the server) so the client only trusts that server; see Certificate pinning in the security audit.
Production deployment: Set QUICNPROTOCHAT_PRODUCTION=1 and provide a strong QUICNPROTOCHAT_AUTH_TOKEN (not devtoken). When using store_backend = "sql", set QUICNPROTOCHAT_DB_KEY; an empty key leaves the database unencrypted on disk.
License
MIT