Jason Tudisco
c8370ffdf0
A multi-day batch covering: a security review punch list (Day 1-3),
the visual-encryption profile-picture feature, a fast deploy
infrastructure, ack resilience + UX polish, several nostr ecosystem
alignment changes, and a key server-independence fix.
Security review (Day 1)
- Envelope v2 (ephemeral x25519 per message; AAD-bound AES-GCM;
no plaintext from/to). Big metadata-leak fix flagged by reviews.
Forward secrecy at the per-message level; v1 decrypt kept for
a one-week migration window.
- Routing tag rename h → q (NIP-29 collision fix).
- Web Push payload now empty (was leaking recipient handle to FCM).
- Log demotion + process-instance salt-hash of handles so debug
logs don't permanently encode the social graph.
Security review (Day 2)
- Replay protection: SEEN_CAP 500 → 10_000 ids; reject events with
impossibly old/future created_at; openMessage enforces ±7d/+5min
freshness on plaintext sent_at.
- Reveal Recovery Phrase now requires a fresh passphrase prompt.
Verifies via the same unlockIdentity that the initial unlock
uses. Bonus: works for biometric-only sessions (recovers the
phrase that wasn't in memory before).
- POST /v1/messages per-IP rate limit (60/min, capacity 60, with
a periodic idle-bucket sweep). New rate_limit.rs module + tests.
Security review (Day 3 Option A)
- Unforgeable acks: kind-4244 events now carry a `kez-sig` tag,
the recipient's ed25519 signature over the acked event id.
Sender verifies against the conversation peer's KEZ primary.
Unsigned acks still accepted during the migration window.
- Default `since=` lookback shortened 7d → 48h (matches relay
retention).
- Bounded concurrency on push fanout: tokio::sync::Semaphore(32).
Security review (Day 3 Option B — nostr ecosystem alignment)
- NIP-65 (kind:10002): publish our relay list so other clients
can discover where to find us.
- NIP-42 AUTH: attachSigner / detachSigner wires the user's seed
into the relay pool so AUTH-gated relays (damus.io DMs) deliver.
- Minimal kind:0 baseline on first session unlock (unblocks
writes on relays that reject unknown pubkeys).
- Acks now include ["p", senderNostrPubkey] for NIP-25 / NIP-10
routing convention.
Web Push end-to-end
- Server-side nostr listener (nostr_listener.rs): the chat-server
subscribes to relays for every registered handle's addr, so
Web Push fires even when chat goes over nostr (the live default).
- Push fanout from messages.rs spawned with bounded concurrency.
- Empty payload (no recipient handle leaked to FCM).
- Self-heal endpoint GET /v1/push/subscriptions/:handle —
auto-re-registers a subscription if server lost it.
- Auto-enable push on first unlock (was opt-in toggle hunt).
- In-chat nudge banner + iOS PWA install hint.
Persistent sessions
- persistent-session.ts: AES-GCM encrypt seed under a
non-extractable IDB key, 30-day sliding-window TTL, restore on
every boot.
- Auto-fetch own kind:0 from nostr on a fresh device so the user
sees their own avatar without re-setting it.
Profile pictures + visual encryption
- Avatar component accepts a `picture` prop (data URL); falls
back to the deterministic identicon when absent.
- profile-store.ts: pick → resize to 256×256 JPEG → save locally
+ publish as NIP-01 kind:0.
- Visual encryption (visual-crypto.ts): keyed Fisher-Yates pixel
permutation + xoshiro256** PRNG. Output is a valid PNG with
scrambled content. Salt embedded as a #kez-visual-v1:<hex>
URL fragment.
- Default ON for new pictures. Strangers see colored noise on
public nostr; contacts see the real face.
- Per-recipient AES wraps embedded in kind:0 content
(kez_visual_keys map). The picture's symmetric key is wrapped
via the same SealedEnvelope crypto our DMs use.
- Self-wrap (sender wraps to their own primary too) so a fresh
device of the same user can descramble its own picture.
- Stranger-view preview thumbnail in Settings (the badge tucked
into the avatar's bottom-right corner — "this is what the
world sees").
- Tap-to-zoom: header avatar in a thread opens a fullscreen
overlay.
Peer-profile resolution
- peer-profile-store.ts: IDB-cached one-shot kind:0 fetch +
descramble.
- peer-profile-cell.svelte.ts: reactive mirror for UI.
- 6h bulk-scan staleness + force-refresh on thread open.
- Avatar usages in Messages.svelte pass peer.picture through.
Local-echo + delivery receipts
- Outbound messages render instantly with status="sending"; flip
to "sent" when ≥1 relay accepts; "delivered" (check-in-circle)
when recipient's client publishes an ack.
- SVG status icons inside the bubble; "via X" footer on outbound.
- Persistent pending-ack queue with retry on next session start.
- Catch-up scan (fetchAcksForEventIds) self-heals delivered
state on conversation open.
- markDeliveredByEventId verifies the ack signature.
Active-relay tracking + reply preference
- SimplePool.trackRelays = true. Capture first-to-accept on send
via Promise.any over per-relay publish promises.
- InboxMessage.via_relay set from pool.seenOn on receive.
- Conversation.peer_via_relay persisted on every inbound DM.
- sendMessage takes `preferRelay` and orders publish targets
accordingly. Acks bias the same way.
- "via relay.X" footer renders on outbound bubbles.
Conversation list polish
- Per-conversation `unread_count` on the Conversation type.
- Bumped on every genuinely-new inbound; reset on thread open.
- Accent-color pill badge in the sidebar (rounds at "99+").
Server-independence fix
- sendMessage skips the /v1/u/:handle lookup when the caller
passes recipientPrimary (which Messages.svelte does, from the
cached peer_primary on the conversation row). Chat over nostr
no longer breaks when the chat-server is down — only brand-new
conversations still need the directory lookup.
Relay set
- Added wss://relay.snort.social and wss://nostr.wine to the
default pool (was 3, now 5).
Fast-deploy infrastructure (new in this batch)
- Dockerfile gains an `export` scratch stage (extracts binary +
web/dist only).
- Dockerfile.runtime: tiny runtime image that COPYs prebuilt
artifacts — no rust/npm on the remote.
- docker-compose.fast.yml: compose override pointing chat-server
build at Dockerfile.runtime.
- .dockerignore: excludes target/, node_modules/, prebuilt/,
.buildx-cache/, .git, *.db. Critical: without this, an earlier
bug had the buildx cache nested under the build context and
blew up to 17GB by feeding itself into itself.
- Old: ~10 min remote build. New: 3–5 min local + 5s remote
runtime swap. Cache lives at ~/.cache/kez-chat-buildx
(outside any project tree).
UI polish (margins, layout, banners)
- Authenticated routes (Welcome / Settings / Identity / Dashboard
/ Claims / AddClaim) wrapped in max-w-2xl mx-auto px-4 py-6.
- WhatsApp-style chat bubbles: shrink-wrap to content, asymmetric
rounded corners, inline bottom-right timestamp.
- Push-notification nudge banner at top of /chats with iOS
install hint.
- Relay state popover off the "● live (N)" indicator.
WebAuthn biometric fix
- user.id now uses the raw 32-byte ed25519 pubkey (was the
72-byte "ed25519:<hex>" identity string, which exceeded
WebAuthn's 64-byte limit — Android Chrome rejected it with
"user handle exceeds 64 bytes").
Documentation
- kez-chat/TODO.md tracks every reviewer finding with status,
file:line references, and a phased plan. All Day 1-3 items
marked DONE; remaining roadmap items (Double Ratchet,
WebAuthn-gated rehydrate, addr rotation, NIP-65 peer-relay
fetch on send) documented for future sprints.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
kez-chat-server
Home server for the kez-chat application. One Rust binary that hosts:
- Handle registry (
POST /v1/register,GET /v1/u/:handle) - WebFinger discovery (
GET /.well-known/webfinger) - NATS auth callout endpoint (
POST /internal/nats/auth) — stub in v0.1 - Static SPA serving (
GET /) — placeholder until the Svelte build lands - Healthz (
GET /v1/healthz)
Designed in document.md. Spec for the underlying KEZ
identity layer in ../SPEC.md.
What's in v0.1 (this is the scaffold)
✅ HTTP API end-to-end
✅ Ed25519-signed handle registration with replay protection
✅ SQLite-backed registry with uniqueness on both handle and primary key
✅ WebFinger endpoint
✅ Placeholder SPA at /
✅ docker-compose for full stack (chat + nats + sig-server)
✅ Multi-stage Dockerfiles
✅ 13 integration tests against a live router
⚠️ NATS auth callout returns 501 — wired up in v0.2 ⚠️ Svelte SPA build pipeline not yet in place — placeholder HTML for now ⚠️ TLS terminated upstream (no cert handling in this binary)
Quick start (local development)
# Run from source
cargo run -- --bind 127.0.0.1:6969 --db ./kez-chat.db --server kez.lat
# Or install once
cargo install --path .
kez-chat-server --bind 127.0.0.1:6969 --server kez.lat
Configuration via flags or env vars:
| Flag | Env | Default |
|---|---|---|
--bind |
KEZ_CHAT_BIND |
0.0.0.0:6969 |
--db |
KEZ_CHAT_DB |
kez-chat.db |
--server |
KEZ_CHAT_SERVER |
kez.lat |
--sig-server-url |
KEZ_CHAT_SIG_SERVER_URL |
http://localhost:7878 |
--web-dir |
KEZ_CHAT_WEB_DIR |
(unset → placeholder page) |
Logging: RUST_LOG=debug,hyper=info etc.
Quick start (Docker compose, full stack)
cd deploy
docker compose up -d --build
Brings up three services:
| Service | Port(s) | What it does |
|---|---|---|
chat-server |
6969 | HTTP API + SPA |
nats |
4222 (native), 8443 (WebSocket), 8222 (monitoring) | Dumb broker, JetStream enabled |
sig-server |
7878 | Sigchain storage (the existing rust-sig-server) |
Then point a reverse proxy / Cloudflare tunnel at localhost:6969.
Testing
cargo test # 13 integration tests (real server, real HTTP)
The tests stand up the router on a random local port and exercise it
via reqwest. No mocks. They cover: healthz, lookup, registration
(success + duplicate + wrong-server + reserved-name + tampered-sig +
stale-timestamp), WebFinger, the placeholder SPA, and the NATS auth
callout stub.
Endpoints in detail
GET /v1/healthz
{ "status": "ok", "server": "kez.lat", "version": "0.1.0" }
GET /v1/u/:handle
Returns:
{
"handle": "tudisco",
"fqhn": "tudisco@kez.lat",
"primary": "ed25519:2152f8d19b...",
"sigchain_url": "https://sig.kez.lat/v1/sigchains/ed25519/2152f8d19b...",
"registered_at": "2026-05-25T03:00:00Z"
}
Returns 404 if the handle isn't registered.
POST /v1/register
Request body — a signed registration envelope:
{
"kez": "handle_registration",
"payload": {
"type": "kez.chat.handle_registration",
"version": 1,
"handle": "tudisco",
"primary": "ed25519:2152f8d19b...",
"server": "kez.lat",
"created_at": "2026-05-25T03:00:00Z"
},
"signature": {
"alg": "ed25519-sha512-jcs",
"key": "ed25519:2152f8d19b...",
"sig": "<128-char-hex>"
}
}
Server validates:
- Envelope tag is
"handle_registration" - Payload type is
"kez.chat.handle_registration", version 1 signature.keyequalspayload.primary- Signature verifies against the primary key (Ed25519 only for chat)
payload.servermatches this server's configured domainpayload.handlepasses validation (length 3-32,a-z0-9_-, starts with letter/digit, not in reserved list)payload.created_atis within 5 minutes of server time
On success: 201 Created with the same body as GET /v1/u/:handle.
GET /.well-known/webfinger?resource=acct:user@server
Standard fediverse-style discovery. Returns the user's KEZ identity info as a WebFinger JRD. Used by other servers (federated lookup, future) and by tools like fediverse browsers.
POST /internal/nats/auth
NATS auth callout endpoint. Stub in v0.1 — returns 501. The real
implementation (v0.2) will: parse the NATS auth request JWT, extract
the connecting client's nkey, look up the corresponding handle, sign
a response permitting kez.inbox.<pubkey>.> subjects.
Deployment notes
- The
chat-serverDocker image is built from the repo root as context (so it can copyrust/crates/kez-corefor the path dep).docker-compose.ymlsets this correctly. - The
sig-serveris the existing../rust-sig-serverbinary, built into a separate image viaDockerfile.sig-server. - NATS config (
nats.conf) has WebSocket enabled on port 8443 so the browser SPA can connect vianats.ws. Theissuerfield inauth_calloutis a placeholder — generate a real nkey and replace before going to production. - TLS is not handled by this binary. Put a reverse proxy (Caddy, nginx, Cloudflare tunnel) in front for HTTPS.
License
Dual-licensed under MIT or Apache-2.0.