Commit Graph

38 Commits

Author SHA1 Message Date
dependabot[bot] b51361c4d4
chore(deps): bump starlette
Bumps [starlette](https://github.com/Kludex/starlette) from 0.50.0 to 1.0.1.
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](https://github.com/Kludex/starlette/compare/0.50.0...1.0.1)

---
updated-dependencies:
- dependency-name: starlette
  dependency-version: 1.0.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-04 17:09:29 +00:00
dependabot[bot] 6d3e01c6cf
chore(deps): bump aiohttp
---
updated-dependencies:
- dependency-name: aiohttp
  dependency-version: 3.14.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-03 23:42:42 +00:00
dependabot[bot] 86128cd1a1
chore(deps-dev): bump vitest
Bumps [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) from 2.1.9 to 4.1.0.
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.0/packages/vitest)

---
updated-dependencies:
- dependency-name: vitest
  dependency-version: 4.1.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-02 11:15:51 +00:00
dependabot[bot] 1e44bf6384
chore(deps): bump idna in /PROJECTS/advanced/encrypted-p2p-chat/backend
Bumps [idna](https://github.com/kjd/idna) from 3.11 to 3.15.
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](https://github.com/kjd/idna/compare/v3.11...v3.15)

---
updated-dependencies:
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-19 16:30:52 +00:00
Carter Perez fb33c8e810
Merge pull request #220 from CarterPerez-dev/dependabot/uv/PROJECTS/advanced/encrypted-p2p-chat/backend/mako-1.3.12
chore(deps): bump mako from 1.3.10 to 1.3.12 in /PROJECTS/advanced/encrypted-p2p-chat/backend
2026-05-13 02:40:47 -04:00
Carter Perez db3cf3d2f1
Merge pull request #219 from CarterPerez-dev/dependabot/uv/PROJECTS/advanced/encrypted-p2p-chat/backend/python-multipart-0.0.27
chore(deps): bump python-multipart from 0.0.26 to 0.0.27 in /PROJECTS/advanced/encrypted-p2p-chat/backend
2026-05-13 02:40:39 -04:00
dependabot[bot] 373c7ba487
chore(deps): bump urllib3
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.2 to 2.7.0.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/2.6.2...2.7.0)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-11 16:00:17 +00:00
dependabot[bot] a3f438d786
chore(deps): bump mako in /PROJECTS/advanced/encrypted-p2p-chat/backend
Bumps [mako](https://github.com/sqlalchemy/mako) from 1.3.10 to 1.3.12.
- [Release notes](https://github.com/sqlalchemy/mako/releases)
- [Changelog](https://github.com/sqlalchemy/mako/blob/main/CHANGES)
- [Commits](https://github.com/sqlalchemy/mako/commits)

---
updated-dependencies:
- dependency-name: mako
  dependency-version: 1.3.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-08 11:57:37 +00:00
dependabot[bot] 8e8e2ab987
chore(deps): bump python-multipart
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.26 to 0.0.27.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](https://github.com/Kludex/python-multipart/compare/0.0.26...0.0.27)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.27
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-08 11:47:03 +00:00
CarterPerez-dev 5863be7dac fix: pin pnpm to v10 in CI and add .npmrc to all frontend projects
pnpm latest on Node 22 resolves to pnpm 11 which rejects lockfileVersion
9.0 lockfiles with ERR_PNPM_LOCKFILE_CONFIG_MISMATCH. Pinning to pnpm 10
keeps compatibility with existing lockfiles. .npmrc sets
strict-dep-builds=false so build-script warnings don't hard-fail the
frozen install.
2026-05-08 05:46:38 -04:00
dependabot[bot] 1529ad7cdc
chore(deps): bump vite in /PROJECTS/advanced/encrypted-p2p-chat/frontend
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 5.4.21 to 7.3.2.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 7.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-29 07:15:53 +00:00
Carter Perez 4e6084694c
Merge pull request #200 from CarterPerez-dev/worktree-encrypted-p2p-chat-audit-fixes
Worktree encrypted p2p chat audit fixes
2026-04-29 03:13:21 -04:00
CarterPerez-dev 5adb079e76 docs(encrypted-p2p-chat): refresh learn/ for the audit-fixed architecture
Update all five learn documents to match the post-audit codebase:

- Replace references to the deleted server-side X3DH/Double Ratchet (`backend/app/core/encryption/`) with their client-side TypeScript counterparts (`frontend/src/crypto/{x3dh,double-ratchet}.ts`).
- Drop mentions of the removed `RatchetState` and `SkippedMessageKey` PostgreSQL models, the server-generated key paths, and the deprecated `send_encrypted_message` server-encryption method. Add an explicit "why we deleted server-side crypto" rationale in 02-ARCHITECTURE.
- Update API endpoint listings: drop `/encryption/initialize-keys`, `/encryption/rotate-signed-prekey`, `/encryption/opk-count`; add `/auth/me`, `/auth/logout`. Note that all non-auth routes require the session cookie.
- Reflect the new schema: `IdentityKey`, `SignedPrekey`, and `OneTimePrekey` now hold only public material; `User` carries a 64-byte `webauthn_user_handle`.
- Replace the `/ws?user_id=...` example with cookie-authenticated WebSocket usage.
- Remove all line-number references throughout (per the no-line-numbers feedback) — ~300 stripped via regex pass plus targeted prose rewrites.
- Update WebAuthn copy to reflect `UserVerificationRequirement.REQUIRED`, the per-credential-backup-eligibility flag, and challenge-bytes-keyed authentication storage.
- Refresh the file index and project tree to match the trimmed module layout.
2026-04-29 02:57:17 -04:00
Carter Perez 09542d3a83
Merge pull request #199 from CarterPerez-dev/chore/haskell-reverse-proxy-finish
Chore/haskell reverse proxy finish
2026-04-29 02:55:51 -04:00
CarterPerez-dev 6fd5f3d393 fix(encrypted-p2p-chat): apply audit findings — true E2EE, session auth, spec-correct crypto
This commit applies the actionable plan from docs/plans/2026-04-29-encrypted-p2p-chat-audit-fixes.md.

Backend
- Delete server-side X3DH/Double Ratchet (`app/core/encryption/*`); the server is now an opaque relay for client-encrypted messages.
- Drop `private_key` columns from IdentityKey/SignedPrekey/OneTimePrekey; prekey-bundle endpoint serves only public material.
- Remove RatchetState and SkippedMessageKey models and the deprecated server-encryption code path in message_service.
- Fix the broken `not OneTimePrekey.is_used` SQL filter (`Column.is_(False)` instead of Python `not`); repair the silent OPK-replenish amplification by deleting the server-generated path entirely.
- Stop calling `prekey_service.initialize_user_keys` from registration/login. Server never holds private key material again.
- Add session-cookie auth: opaque token issued in Redis on register/auth complete, `current_user` dependency on every protected route, `/auth/me`, `/auth/logout`. WebSocket authenticates via the same cookie.
- Add room membership checks to WS encrypted_message + typing handlers, GET/DELETE /rooms/{id}, GET /rooms/{id}/messages. broadcast_to_room now filters by participants, not presence.
- Add slowapi rate limits to register/auth/search; per-user sliding-window cap on WS messages.
- WebAuthn: replace username with a 64-byte random `webauthn_user_handle` for `user.id`; fix `backup_eligible` to read `credential_backup_eligible`; switch UserVerificationRequirement to REQUIRED; key authentication challenges by challenge bytes (no more "discoverable" collision).
- Implement GET /rooms/{id} and DELETE /rooms/{id} (cascade delete with ownership check) and fix the N+1 in list_rooms by batching User lookups.
- Remove broken/obsolete tests; add regression tests for the OPK filter bug and session-protected endpoints (401 without cookie).
- Sanitize WebSocket error responses; correlation IDs replace stack-trace leaks.

Frontend
- X3DH: prepend the 32-byte 0xff F prefix to the HKDF input per spec section 2.2.
- Double Ratchet: switch KDF_RK to spec form (HKDF salt=root_key, IKM=dh_output) and use 0x01/0x02 byte tags for KDF_CK.
- Replace base64 helpers in `crypto/primitives.ts` with the URL-safe codec from `lib/base64.ts` (single source of truth, no spread-stack hazard).
- Update auth.service to issue a session via cookies (no more dead token store), call `/auth/me` on app boot, clear crypto state on logout. Delete unused `session.store.ts`.
- Update room.service / Chat page to drop client-supplied user_id arguments; the cookie now identifies the caller.
- Better forward-secrecy UX text for messages predating the device.
- Add Vitest with X3DH and Double Ratchet round-trip + tamper-detection tests.

Tooling
- Add `slowapi>=0.1.9` to backend deps; add `vitest` to frontend devDeps with `pnpm test` script.
- justfile: `test-frontend`, `dev-reset`.
- Adjust `.gitignore` so the Python `lib/` rules no longer hide `frontend/src/lib`.

Migration: existing dev volumes hold private-key columns and KDF-incompatible ratchet states; run `just dev-reset` and re-register before hitting the new code path.
2026-04-29 02:30:10 -04:00
Carter Perez 3f9bb07096
Update DEMO.md 2026-04-29 01:56:31 -04:00
CarterPerez-dev d3dd5f2dcb fix(encrypted-p2p-chat): repair dev-up after surrealdb 3.x and pnpm migration
- Switch frontend Dockerfiles to pnpm via corepack (project uses pnpm-lock.yaml)
- Pin SurrealDB to v3.0.5 and switch datastore URL from `file:` to `rocksdb:`
- Add idempotent SurrealDB schema bootstrap on connect to prevent NotFoundError on first SELECT against schemaless tables in 3.x
2026-04-29 01:46:36 -04:00
CarterPerez-dev f156941cd8 docs(encrypted-p2p-chat): add DEMO.md with UI screenshots
Walks through the full flow — passkey registration, passkey login,
new conversation lookup, empty thread, first message, end-to-end
chat, and mobile view — matching the format used by the bug-bounty
and SIEM project demos.
2026-04-29 01:42:05 -04:00
dependabot[bot] 9bfb93e161
chore(deps): bump python-dotenv
Bumps [python-dotenv](https://github.com/theskumar/python-dotenv) from 1.2.1 to 1.2.2.
- [Release notes](https://github.com/theskumar/python-dotenv/releases)
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md)
- [Commits](https://github.com/theskumar/python-dotenv/compare/v1.2.1...v1.2.2)

---
updated-dependencies:
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-21 22:39:46 +00:00
dependabot[bot] 467e5c88ac
chore(deps): bump python-multipart
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.22 to 0.0.26.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Kludex/python-multipart/compare/0.0.22...0.0.26)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.26
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-15 21:19:02 +00:00
dependabot[bot] 5b6457797c
chore(deps): bump cryptography
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.5 to 46.0.7.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/46.0.5...46.0.7)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-08 20:16:02 +00:00
dependabot[bot] dae8c4c56d
chore(deps-dev): bump vite
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.3.1 to 7.3.2.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 7.3.2
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-06 23:28:45 +00:00
dependabot[bot] cc00b5e37d
chore(deps): bump aiohttp
---
updated-dependencies:
- dependency-name: aiohttp
  dependency-version: 3.13.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-01 21:49:04 +00:00
dependabot[bot] 17b08987c9
chore(deps): bump cbor2 in /PROJECTS/advanced/encrypted-p2p-chat/backend
Bumps [cbor2](https://github.com/agronholm/cbor2) from 5.8.0 to 5.9.0.
- [Release notes](https://github.com/agronholm/cbor2/releases)
- [Commits](https://github.com/agronholm/cbor2/compare/5.8.0...5.9.0)

---
updated-dependencies:
- dependency-name: cbor2
  dependency-version: 5.9.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-23 20:27:41 +00:00
dependabot[bot] 48ae423b17
chore(deps): bump pyopenssl
Bumps [pyopenssl](https://github.com/pyca/pyopenssl) from 25.3.0 to 26.0.0.
- [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/pyopenssl/compare/25.3.0...26.0.0)

---
updated-dependencies:
- dependency-name: pyopenssl
  dependency-version: 26.0.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-16 16:45:25 +00:00
dependabot[bot] e9549623a1
chore(deps): bump orjson
Bumps [orjson](https://github.com/ijl/orjson) from 3.11.5 to 3.11.6.
- [Release notes](https://github.com/ijl/orjson/releases)
- [Changelog](https://github.com/ijl/orjson/blob/master/CHANGELOG.md)
- [Commits](https://github.com/ijl/orjson/compare/3.11.5...3.11.6)

---
updated-dependencies:
- dependency-name: orjson
  dependency-version: 3.11.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-12 21:37:59 +00:00
Carter Perez 9745d0006a
Merge pull request #100 from CarterPerez-dev/dependabot/uv/PROJECTS/advanced/encrypted-p2p-chat/backend/cryptography-46.0.5
Bump cryptography from 46.0.3 to 46.0.5 in /PROJECTS/advanced/encrypted-p2p-chat/backend
2026-02-22 19:59:45 -05:00
Carter Perez 3655ed9c58
Merge pull request #101 from CarterPerez-dev/dependabot/uv/PROJECTS/advanced/encrypted-p2p-chat/backend/virtualenv-20.36.1
Bump virtualenv from 20.35.4 to 20.36.1 in /PROJECTS/advanced/encrypted-p2p-chat/backend
2026-02-22 19:59:34 -05:00
dependabot[bot] e079f4eb35
Bump virtualenv in /PROJECTS/advanced/encrypted-p2p-chat/backend
Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.35.4 to 20.36.1.
- [Release notes](https://github.com/pypa/virtualenv/releases)
- [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst)
- [Commits](https://github.com/pypa/virtualenv/compare/20.35.4...20.36.1)

---
updated-dependencies:
- dependency-name: virtualenv
  dependency-version: 20.36.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-23 00:52:07 +00:00
dependabot[bot] f14b939807
Bump cryptography in /PROJECTS/advanced/encrypted-p2p-chat/backend
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.3 to 46.0.5.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/46.0.3...46.0.5)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-23 00:51:13 +00:00
dependabot[bot] c6ca0efc45
Bump python-multipart in /PROJECTS/advanced/encrypted-p2p-chat/backend
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.21 to 0.0.22.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Kludex/python-multipart/compare/0.0.21...0.0.22)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.22
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-23 00:51:12 +00:00
CarterPerez-dev e7d0fae144 issue 77 pt3 final lints 2026-02-18 20:15:21 -05:00
CarterPerez-dev 47432c8ce4 issue 77 pt2 ruff 2026-02-18 19:47:47 -05:00
CarterPerez-dev 95cc222302 issue 77 2026-02-18 18:53:15 -05:00
CarterPerez-dev eceb7cdd58 Add learn folder for encrypted-p2p-chat (phase 3.4)
Complete 5-file learn documentation for the advanced encrypted P2P chat
project covering Signal Protocol (X3DH + Double Ratchet), WebAuthn/Passkeys,
and the fullstack architecture.

Ref #51
2026-02-11 09:29:54 -05:00
CarterPerez-dev f83f92545c - Standardize READMEs and add justfiles across all 14 projects
- Add headers, badges, learn module pointers, just command runner tips, and AGPLv3 licenses etc. etc.
- Add missing Justfiles in some projects
- Update pre commit hook and add TODO
2026-02-11 07:01:25 -05:00
CarterPerez-dev a33423aa16 feat: complete network-traffic-analyzer 2026-02-01 20:26:28 -05:00
CarterPerez-dev a7cae3aa0f Phase 1.1: Organize PROJECTS by difficulty level
- Create beginner/, intermediate/, advanced/ folders in PROJECTS/
- Move all existing projects to appropriate difficulty folders
- Update all README.md links to reflect new structure
- Update contributor links
- Fix pyrightconfig.json trailing comma

Projects organized:
Beginner (6): simple-port-scanner, keylogger, caesar-cipher, dns-lookup, metadata-scrubber-tool, simple-vulnerability-scanner
Intermediate (2): api-security-scanner, docker-security-audit
Advanced (4): api-rate-limiter, encrypted-p2p-chat, bug-bounty-platform, Aenebris
2026-01-29 02:41:15 -05:00