Christian Nennemann
f334ed3d43
Feature 1 — Post-Quantum Hybrid KEM (X25519 + ML-KEM-768): - Create hybrid_kem.rs with keygen, encrypt, decrypt + 11 unit tests - Wire format: version(1) | x25519_eph_pk(32) | mlkem_ct(1088) | nonce(12) | ct - Add uploadHybridKey/fetchHybridKey RPCs to node.capnp schema - Server: hybrid key storage in FileBackedStore + RPC handlers - Client: hybrid keypair in StoredState, auto-wrap/unwrap in send/recv/invite/join - demo-group runs full hybrid PQ envelope round-trip Feature 2 — SQLCipher Persistence: - Extract Store trait from FileBackedStore API - Create SqlStore (rusqlite + bundled-sqlcipher) with encrypted-at-rest SQLite - Schema: key_packages, deliveries, hybrid_keys tables with indexes - Server CLI: --store-backend=sql, --db-path, --db-key flags - 5 unit tests for SqlStore (FIFO, round-trip, upsert, channel isolation) Also includes: client lib.rs refactor, auth config, TOML config file support, mdBook documentation, and various cleanups by user. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
47 lines
2.1 KiB
Cap'n Proto
47 lines
2.1 KiB
Cap'n Proto
# node.capnp — Unified quicnprotochat node RPC interface.
|
|
#
|
|
# Combines Authentication and Delivery operations into a single service.
|
|
#
|
|
# ID generated with: capnp id
|
|
@0xd5ca5648a9cc1c28;
|
|
|
|
interface NodeService {
|
|
# Upload a single-use KeyPackage for later retrieval by peers.
|
|
# identityKey : Ed25519 public key bytes (32 bytes)
|
|
# package : TLS-encoded openmls KeyPackage
|
|
# auth : Auth context (versioned). For legacy clients, pass an empty
|
|
# struct or version=0.
|
|
uploadKeyPackage @0 (identityKey :Data, package :Data, auth :Auth) -> (fingerprint :Data);
|
|
|
|
# Fetch and atomically remove one KeyPackage for a given identity key.
|
|
# Returns empty Data if none are stored.
|
|
fetchKeyPackage @1 (identityKey :Data, auth :Auth) -> (package :Data);
|
|
|
|
# Enqueue an opaque payload for delivery to a recipient.
|
|
# channelId : Optional channel identifier (empty for legacy). A 16-byte UUID
|
|
# is recommended for 1:1 channels.
|
|
# version : Schema/wire version. Must be 0 (legacy) or 1 (this spec).
|
|
enqueue @2 (recipientKey :Data, payload :Data, channelId :Data, version :UInt16, auth :Auth) -> ();
|
|
|
|
# Fetch and drain all queued payloads for the recipient.
|
|
fetch @3 (recipientKey :Data, channelId :Data, version :UInt16, auth :Auth) -> (payloads :List(Data));
|
|
|
|
# Long-poll: wait up to timeoutMs for new payloads, then drain queue.
|
|
fetchWait @4 (recipientKey :Data, channelId :Data, version :UInt16, timeoutMs :UInt64, auth :Auth) -> (payloads :List(Data));
|
|
|
|
# Health probe for readiness/liveness.
|
|
health @5 () -> (status :Text);
|
|
|
|
# Upload the hybrid (X25519 + ML-KEM-768) public key for sealed envelope encryption.
|
|
uploadHybridKey @6 (identityKey :Data, hybridPublicKey :Data) -> ();
|
|
|
|
# Fetch a peer's hybrid public key (for post-quantum envelope encryption).
|
|
fetchHybridKey @7 (identityKey :Data) -> (hybridPublicKey :Data);
|
|
}
|
|
|
|
struct Auth {
|
|
version @0 :UInt16; # 0 = legacy/none, 1 = token-based auth
|
|
accessToken @1 :Data; # opaque bearer token issued at login
|
|
deviceId @2 :Data; # optional UUID bytes for auditing/rate limiting
|
|
}
|