2026-02-17 15:03:34 +00:00
|
|
|
//! Node-to-node messaging over Tor.
|
|
|
|
|
//! Sends messages to peer .onion addresses via SOCKS5 proxy.
|
2026-03-20 08:26:40 +00:00
|
|
|
//! Messages are persisted to disk and survive restarts.
|
2026-02-17 15:03:34 +00:00
|
|
|
|
|
|
|
|
use anyhow::{Context, Result};
|
|
|
|
|
use serde::{Deserialize, Serialize};
|
2026-03-20 08:26:40 +00:00
|
|
|
use std::path::{Path, PathBuf};
|
2026-02-17 15:03:34 +00:00
|
|
|
use std::sync::{Mutex, OnceLock};
|
|
|
|
|
|
2026-03-20 08:26:40 +00:00
|
|
|
const MAX_STORED: usize = 200;
|
2026-02-17 15:03:34 +00:00
|
|
|
|
|
|
|
|
#[derive(Debug, Clone, Serialize, Deserialize)]
|
|
|
|
|
pub struct IncomingMessage {
|
|
|
|
|
pub from_pubkey: String,
|
2026-03-20 08:26:40 +00:00
|
|
|
#[serde(default)]
|
2026-02-17 15:03:34 +00:00
|
|
|
pub from_onion: Option<String>,
|
2026-04-12 12:11:00 -04:00
|
|
|
/// Sender's node name (for display in group chat).
|
|
|
|
|
#[serde(default)]
|
|
|
|
|
pub from_name: Option<String>,
|
2026-02-17 15:03:34 +00:00
|
|
|
pub message: String,
|
|
|
|
|
pub timestamp: String,
|
2026-03-20 08:26:40 +00:00
|
|
|
/// "sent" or "received"
|
|
|
|
|
#[serde(default = "default_received")]
|
|
|
|
|
pub direction: String,
|
2026-02-17 15:03:34 +00:00
|
|
|
}
|
|
|
|
|
|
2026-03-20 08:26:40 +00:00
|
|
|
fn default_received() -> String {
|
|
|
|
|
"received".to_string()
|
2026-02-17 15:03:34 +00:00
|
|
|
}
|
|
|
|
|
|
2026-03-20 08:26:40 +00:00
|
|
|
#[derive(Debug, Default, Serialize, Deserialize)]
|
|
|
|
|
struct MessageStore {
|
|
|
|
|
messages: Vec<IncomingMessage>,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn store() -> &'static Mutex<MessageStore> {
|
|
|
|
|
static STORE: OnceLock<Mutex<MessageStore>> = OnceLock::new();
|
|
|
|
|
STORE.get_or_init(|| Mutex::new(MessageStore::default()))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn data_path() -> &'static Mutex<Option<PathBuf>> {
|
|
|
|
|
static PATH: OnceLock<Mutex<Option<PathBuf>>> = OnceLock::new();
|
|
|
|
|
PATH.get_or_init(|| Mutex::new(None))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Initialize message store — load from disk. Call once at startup.
|
|
|
|
|
pub async fn init(data_dir: &Path) {
|
|
|
|
|
let path = data_dir.join("messages.json");
|
|
|
|
|
*data_path().lock().unwrap_or_else(|e| e.into_inner()) = Some(path.clone());
|
|
|
|
|
|
|
|
|
|
if let Ok(content) = tokio::fs::read_to_string(&path).await {
|
|
|
|
|
if let Ok(loaded) = serde_json::from_str::<MessageStore>(&content) {
|
|
|
|
|
let mut guard = store().lock().unwrap_or_else(|e| e.into_inner());
|
|
|
|
|
*guard = loaded;
|
|
|
|
|
tracing::info!("Loaded {} messages from disk", guard.messages.len());
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Persist current messages to disk.
|
2026-03-21 01:21:08 +00:00
|
|
|
/// Serializes under the lock, then writes asynchronously via spawn_blocking
|
|
|
|
|
/// to avoid blocking the tokio runtime.
|
2026-03-20 08:26:40 +00:00
|
|
|
fn persist() {
|
|
|
|
|
let guard = store().lock().unwrap_or_else(|e| e.into_inner());
|
|
|
|
|
let path_guard = data_path().lock().unwrap_or_else(|e| e.into_inner());
|
|
|
|
|
if let Some(ref path) = *path_guard {
|
|
|
|
|
if let Ok(content) = serde_json::to_string(&*guard) {
|
2026-03-21 01:21:08 +00:00
|
|
|
let path = path.clone();
|
|
|
|
|
drop(path_guard);
|
|
|
|
|
drop(guard);
|
|
|
|
|
tokio::task::spawn(async move {
|
|
|
|
|
let _ = tokio::fs::write(&path, content).await;
|
|
|
|
|
});
|
2026-03-20 08:26:40 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2026-02-17 15:03:34 +00:00
|
|
|
|
|
|
|
|
/// Store a received message (called from HTTP handler).
|
2026-04-12 12:11:00 -04:00
|
|
|
pub fn store_received_sync(from_pubkey: &str, message: &str, from_name: Option<&str>) {
|
2026-03-20 08:26:40 +00:00
|
|
|
let ts = chrono::Utc::now().to_rfc3339();
|
|
|
|
|
let mut guard = store().lock().unwrap_or_else(|e| e.into_inner());
|
|
|
|
|
|
|
|
|
|
// Deduplication: skip if same pubkey + message within last 30 seconds
|
|
|
|
|
let dominated = guard.messages.iter().rev().take(20).any(|m| {
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
m.from_pubkey == from_pubkey
|
|
|
|
|
&& m.message == message
|
|
|
|
|
&& m.direction == "received"
|
2026-03-20 08:26:40 +00:00
|
|
|
&& within_seconds(&m.timestamp, &ts, 30)
|
|
|
|
|
});
|
|
|
|
|
if dominated {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
guard.messages.push(IncomingMessage {
|
2026-02-17 15:03:34 +00:00
|
|
|
from_pubkey: from_pubkey.to_string(),
|
|
|
|
|
from_onion: None,
|
2026-04-12 12:11:00 -04:00
|
|
|
from_name: from_name.map(|s| s.to_string()),
|
2026-02-17 15:03:34 +00:00
|
|
|
message: message.to_string(),
|
2026-03-20 08:26:40 +00:00
|
|
|
timestamp: ts,
|
|
|
|
|
direction: "received".to_string(),
|
2026-02-17 15:03:34 +00:00
|
|
|
});
|
2026-03-20 08:26:40 +00:00
|
|
|
trim_messages(&mut guard);
|
|
|
|
|
drop(guard);
|
|
|
|
|
persist();
|
2026-02-17 15:03:34 +00:00
|
|
|
}
|
|
|
|
|
|
2026-04-12 12:11:00 -04:00
|
|
|
pub async fn store_received(from_pubkey: &str, message: &str, from_name: Option<&str>) {
|
|
|
|
|
store_received_sync(from_pubkey, message, from_name);
|
2026-02-17 15:03:34 +00:00
|
|
|
}
|
|
|
|
|
|
2026-03-20 08:26:40 +00:00
|
|
|
/// Store a sent message (for display in Archipelago channel).
|
|
|
|
|
pub fn store_sent(message: &str) {
|
|
|
|
|
let mut guard = store().lock().unwrap_or_else(|e| e.into_inner());
|
|
|
|
|
guard.messages.push(IncomingMessage {
|
|
|
|
|
from_pubkey: "me".to_string(),
|
|
|
|
|
from_onion: None,
|
2026-04-13 08:01:10 -04:00
|
|
|
from_name: None,
|
2026-03-20 08:26:40 +00:00
|
|
|
message: message.to_string(),
|
|
|
|
|
timestamp: chrono::Utc::now().to_rfc3339(),
|
|
|
|
|
direction: "sent".to_string(),
|
|
|
|
|
});
|
|
|
|
|
trim_messages(&mut guard);
|
|
|
|
|
drop(guard);
|
|
|
|
|
persist();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Get all messages (sent + received) for UI display.
|
2026-02-17 15:03:34 +00:00
|
|
|
pub fn get_received() -> Vec<IncomingMessage> {
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
store()
|
|
|
|
|
.lock()
|
|
|
|
|
.unwrap_or_else(|e| e.into_inner())
|
|
|
|
|
.messages
|
|
|
|
|
.clone()
|
2026-02-17 15:03:34 +00:00
|
|
|
}
|
|
|
|
|
|
2026-03-20 08:26:40 +00:00
|
|
|
fn trim_messages(store: &mut MessageStore) {
|
|
|
|
|
if store.messages.len() > MAX_STORED {
|
|
|
|
|
let drain = store.messages.len() - MAX_STORED;
|
|
|
|
|
store.messages.drain(0..drain);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Check if two ISO8601 timestamps are within N seconds of each other.
|
|
|
|
|
fn within_seconds(ts1: &str, ts2: &str, secs: i64) -> bool {
|
|
|
|
|
use chrono::DateTime;
|
|
|
|
|
let a = DateTime::parse_from_rfc3339(ts1).ok();
|
|
|
|
|
let b = DateTime::parse_from_rfc3339(ts2).ok();
|
|
|
|
|
match (a, b) {
|
|
|
|
|
(Some(a), Some(b)) => (a - b).num_seconds().unsigned_abs() < secs as u64,
|
|
|
|
|
_ => false,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-20 09:04:43 +00:00
|
|
|
// ─── E2E Encryption ─────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
use crate::mesh::crypto;
|
|
|
|
|
use base64::Engine;
|
|
|
|
|
|
|
|
|
|
/// Encrypt a message for a recipient using X25519 ECDH + ChaCha20-Poly1305.
|
|
|
|
|
/// Returns base64-encoded ciphertext (nonce + encrypted data).
|
|
|
|
|
fn encrypt_for_peer(
|
|
|
|
|
our_signing_key: &ed25519_dalek::SigningKey,
|
|
|
|
|
their_pubkey_hex: &str,
|
|
|
|
|
plaintext: &str,
|
|
|
|
|
) -> Result<String> {
|
|
|
|
|
let their_pubkey_bytes: [u8; 32] = hex::decode(their_pubkey_hex)
|
|
|
|
|
.context("Invalid peer pubkey hex")?
|
|
|
|
|
.try_into()
|
|
|
|
|
.map_err(|_| anyhow::anyhow!("Invalid peer pubkey length"))?;
|
|
|
|
|
|
|
|
|
|
let their_x25519 = crypto::ed25519_pubkey_to_x25519(&their_pubkey_bytes)?;
|
|
|
|
|
let our_x25519 = crypto::ed25519_secret_to_x25519(our_signing_key);
|
|
|
|
|
let shared = crypto::x25519_shared_secret(&our_x25519, &their_x25519);
|
|
|
|
|
|
|
|
|
|
// HKDF to derive message key (domain separation for Tor messages)
|
|
|
|
|
let msg_key_bytes = crypto::hkdf_sha256(
|
|
|
|
|
b"archipelago-tor-msg-v1",
|
|
|
|
|
&shared,
|
|
|
|
|
b"message-encryption",
|
|
|
|
|
32,
|
|
|
|
|
)?;
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
let msg_key: [u8; 32] = msg_key_bytes
|
|
|
|
|
.try_into()
|
2026-03-20 09:04:43 +00:00
|
|
|
.map_err(|_| anyhow::anyhow!("HKDF key length mismatch"))?;
|
|
|
|
|
|
|
|
|
|
let encrypted = crypto::encrypt(&msg_key, plaintext.as_bytes())?;
|
|
|
|
|
Ok(base64::engine::general_purpose::STANDARD.encode(&encrypted))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Decrypt a message from a sender using X25519 ECDH + ChaCha20-Poly1305.
|
|
|
|
|
pub fn decrypt_from_peer(
|
|
|
|
|
our_signing_key: &ed25519_dalek::SigningKey,
|
|
|
|
|
sender_pubkey_hex: &str,
|
|
|
|
|
encrypted_b64: &str,
|
|
|
|
|
) -> Result<String> {
|
|
|
|
|
let sender_pubkey_bytes: [u8; 32] = hex::decode(sender_pubkey_hex)
|
|
|
|
|
.context("Invalid sender pubkey hex")?
|
|
|
|
|
.try_into()
|
|
|
|
|
.map_err(|_| anyhow::anyhow!("Invalid sender pubkey length"))?;
|
|
|
|
|
|
|
|
|
|
let sender_x25519 = crypto::ed25519_pubkey_to_x25519(&sender_pubkey_bytes)?;
|
|
|
|
|
let our_x25519 = crypto::ed25519_secret_to_x25519(our_signing_key);
|
|
|
|
|
let shared = crypto::x25519_shared_secret(&our_x25519, &sender_x25519);
|
|
|
|
|
|
|
|
|
|
let msg_key_bytes = crypto::hkdf_sha256(
|
|
|
|
|
b"archipelago-tor-msg-v1",
|
|
|
|
|
&shared,
|
|
|
|
|
b"message-encryption",
|
|
|
|
|
32,
|
|
|
|
|
)?;
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
let msg_key: [u8; 32] = msg_key_bytes
|
|
|
|
|
.try_into()
|
2026-03-20 09:04:43 +00:00
|
|
|
.map_err(|_| anyhow::anyhow!("HKDF key length mismatch"))?;
|
|
|
|
|
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
let encrypted = base64::engine::general_purpose::STANDARD
|
|
|
|
|
.decode(encrypted_b64)
|
|
|
|
|
.context("Invalid base64 ciphertext")?;
|
2026-03-20 09:04:43 +00:00
|
|
|
let plaintext_bytes = crypto::decrypt(&msg_key, &encrypted)?;
|
|
|
|
|
String::from_utf8(plaintext_bytes).context("Decrypted message is not valid UTF-8")
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-20 08:26:40 +00:00
|
|
|
// ─── Tor Messaging ──────────────────────────────────────────────
|
|
|
|
|
|
2026-02-17 15:03:34 +00:00
|
|
|
/// Tor v3 onion hostname is 56 base32 chars (a-z, 2-7). Reject invalid formats.
|
|
|
|
|
fn validate_onion(onion: &str) -> Result<()> {
|
|
|
|
|
let host = onion.trim_end_matches(".onion");
|
|
|
|
|
if host.len() != 56 {
|
|
|
|
|
anyhow::bail!(
|
|
|
|
|
"Invalid onion address (expected 56 chars, got {}). The peer may have wrong data - try removing and re-adding via Discover.",
|
|
|
|
|
host.len()
|
|
|
|
|
);
|
|
|
|
|
}
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
let valid = host
|
|
|
|
|
.chars()
|
|
|
|
|
.all(|c| c.is_ascii_lowercase() || ('2'..='7').contains(&c));
|
2026-02-17 15:03:34 +00:00
|
|
|
if !valid {
|
|
|
|
|
anyhow::bail!("Invalid onion address: must be 56 base32 chars (a-z, 2-7)");
|
|
|
|
|
}
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
2026-03-20 09:04:43 +00:00
|
|
|
/// Send an encrypted message to a peer over Tor.
|
|
|
|
|
/// The message is encrypted with ChaCha20-Poly1305 using an X25519 shared secret
|
|
|
|
|
/// derived from both nodes' ed25519 keys.
|
|
|
|
|
pub async fn send_to_peer(
|
|
|
|
|
onion: &str,
|
2026-04-19 01:36:04 -04:00
|
|
|
fips_npub: Option<&str>,
|
2026-03-20 09:04:43 +00:00
|
|
|
from_pubkey: &str,
|
|
|
|
|
message: &str,
|
|
|
|
|
signing_key: Option<&ed25519_dalek::SigningKey>,
|
|
|
|
|
recipient_pubkey: Option<&str>,
|
2026-04-12 12:11:00 -04:00
|
|
|
from_name: Option<&str>,
|
2026-03-20 09:04:43 +00:00
|
|
|
) -> Result<()> {
|
2026-02-17 15:03:34 +00:00
|
|
|
validate_onion(onion)?;
|
|
|
|
|
|
2026-03-20 09:04:43 +00:00
|
|
|
// Encrypt message if we have both keys
|
|
|
|
|
let (payload_message, encrypted) = match (signing_key, recipient_pubkey) {
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
(Some(sk), Some(rpk)) => match encrypt_for_peer(sk, rpk, message) {
|
|
|
|
|
Ok(enc) => (enc, true),
|
|
|
|
|
Err(e) => {
|
|
|
|
|
tracing::warn!("Encryption failed, sending plaintext: {}", e);
|
|
|
|
|
(message.to_string(), false)
|
2026-03-20 09:04:43 +00:00
|
|
|
}
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
},
|
2026-03-20 09:04:43 +00:00
|
|
|
_ => (message.to_string(), false),
|
|
|
|
|
};
|
|
|
|
|
|
2026-04-12 12:11:00 -04:00
|
|
|
let mut body = serde_json::json!({
|
2026-02-17 15:03:34 +00:00
|
|
|
"from_pubkey": from_pubkey,
|
2026-03-20 09:04:43 +00:00
|
|
|
"message": payload_message,
|
2026-02-17 15:03:34 +00:00
|
|
|
"timestamp": chrono::Utc::now().to_rfc3339(),
|
2026-03-20 09:04:43 +00:00
|
|
|
"encrypted": encrypted,
|
2026-02-17 15:03:34 +00:00
|
|
|
});
|
2026-04-12 12:11:00 -04:00
|
|
|
if let Some(name) = from_name {
|
|
|
|
|
body["from_name"] = serde_json::Value::String(name.to_string());
|
|
|
|
|
}
|
2026-02-17 15:03:34 +00:00
|
|
|
|
2026-04-19 01:36:04 -04:00
|
|
|
let (resp, transport) = crate::fips::dial::PeerRequest::new(
|
|
|
|
|
fips_npub,
|
|
|
|
|
onion,
|
|
|
|
|
"/archipelago/node-message",
|
|
|
|
|
)
|
2026-04-19 01:44:41 -04:00
|
|
|
.service(crate::settings::transport::PeerService::Messaging)
|
2026-04-19 01:36:04 -04:00
|
|
|
.timeout(std::time::Duration::from_secs(60))
|
|
|
|
|
.send_json(&body)
|
|
|
|
|
.await
|
|
|
|
|
.map_err(|e| {
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
let msg = e.to_string();
|
|
|
|
|
if msg.contains("connection refused") || msg.contains("Connection refused") {
|
2026-04-19 01:36:04 -04:00
|
|
|
anyhow::anyhow!("Peer unreachable. Check Tor (127.0.0.1:9050) and FIPS daemon status.")
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
} else if msg.contains("timeout") || msg.contains("timed out") {
|
2026-04-19 01:36:04 -04:00
|
|
|
anyhow::anyhow!("Connection timed out. The peer may be offline.")
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
} else {
|
2026-04-19 01:36:04 -04:00
|
|
|
anyhow::anyhow!("Failed to send: {}", msg)
|
chore(ci): rustfmt + clippy clean-up to unblock the Rust CI job
The .github/workflows/ci.yml Rust job runs cargo fmt --check, clippy
with -D warnings, and tests. All three were failing. This commit:
- Applies rustfmt across the tree (the bulk of the diff — untouched
since the last toolchain bump, so a wide sweep was unavoidable).
- Fixes the correctness-level clippy errors:
container/bitcoin_simulator.rs wildcard-in-or-pattern
container/manifest.rs from_str rename to parse (reserved name)
container/podman_client.rs .get(0) -> .first()
container/runtime.rs manual += collapse
archipelago/src/constants.rs doc-comment → module-doc
api/rpc/package/install.rs stray /// comment above a non-item
container/docker_packages.rs redundant field init
streaming/advertisement.rs missing Metric import in tests
tests/orchestration_tests.rs `vec!` in non-Vec contexts
mesh/listener/dispatch.rs unused store_plain_message import
api/rpc/tor/mod.rs and mesh/steganography.rs: push-after-new → vec!
- Quiets wide legacy surfaces with crate-level allows in main.rs for
stylistic lints (too_many_arguments, type_complexity, doc indent,
enum variant prefix, wildcard-in-or, assertions-on-constants,
drop_non_drop, unused_io_amount, ptr_arg) — these fired in dozens
of places with no correctness payoff and have been churning every
toolchain bump.
- Tags intentional-dead-code helpers: wallet/ and streaming/ modules
are WIP, mesh::send_chunked_payload and DM_V1_MARKER are kept for
rollback compatibility, vpn::get_nostr_vpn_status is surface-area
for a not-yet-landed RPC.
cargo fmt --check, cargo clippy --all-targets --all-features
-- -D warnings, and cargo test --all-features now all pass locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 17:23:46 -04:00
|
|
|
}
|
|
|
|
|
})?;
|
2026-02-17 15:03:34 +00:00
|
|
|
|
|
|
|
|
if !resp.status().is_success() {
|
|
|
|
|
anyhow::bail!(
|
2026-04-19 01:36:04 -04:00
|
|
|
"Peer returned {} {} (via {}). The peer may need /archipelago/ in its nginx config.",
|
2026-02-17 15:03:34 +00:00
|
|
|
resp.status().as_u16(),
|
2026-04-19 01:36:04 -04:00
|
|
|
resp.status().canonical_reason().unwrap_or(""),
|
|
|
|
|
transport,
|
2026-02-17 15:03:34 +00:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
2026-04-19 01:36:04 -04:00
|
|
|
/// Check if a peer is reachable (ping). FIPS is preferred when an npub
|
|
|
|
|
/// is known, Tor is the fallback.
|
|
|
|
|
pub async fn check_peer_reachable(onion: &str, fips_npub: Option<&str>) -> Result<bool> {
|
2026-03-06 03:26:56 +00:00
|
|
|
validate_onion(onion)?;
|
2026-04-19 01:36:04 -04:00
|
|
|
match crate::fips::dial::PeerRequest::new(fips_npub, onion, "/health")
|
2026-04-19 01:44:41 -04:00
|
|
|
.service(crate::settings::transport::PeerService::Messaging)
|
2026-02-17 15:03:34 +00:00
|
|
|
.timeout(std::time::Duration::from_secs(30))
|
2026-04-19 01:36:04 -04:00
|
|
|
.send_get()
|
|
|
|
|
.await
|
|
|
|
|
{
|
|
|
|
|
Ok((resp, _)) => Ok(resp.status().is_success()),
|
2026-02-17 15:03:34 +00:00
|
|
|
Err(_) => Ok(false),
|
|
|
|
|
}
|
|
|
|
|
}
|