Scaffold Rust workspace: warzone-protocol, server, client, mule

4 crates, all compile. 16/17 tests pass.

warzone-protocol (core crypto):
- Seed-based identity (Ed25519 + X25519 from 32-byte seed via HKDF)
- BIP39 mnemonic encode/decode (24 words)
- Fingerprint type (SHA-256 truncated, displayed as xxxx:xxxx:xxxx:xxxx)
- ChaCha20-Poly1305 AEAD encrypt/decrypt with random nonce
- HKDF-SHA256 key derivation
- Pre-key bundle generation with Ed25519 signatures
- X3DH key exchange (simplified, needs X25519 identity key in bundle)
- Double Ratchet: full implementation with DH ratchet, chain ratchet,
  out-of-order message handling via skipped keys cache
- Message format (WarzoneMessage envelope + RatchetHeader)
- Session type with ratchet state
- Storage trait definitions (PreKeyStore, SessionStore, MessageQueue)

warzone-server (axum):
- sled database (keys, messages, one-time pre-keys)
- Routes: /v1/health, /v1/keys/register, /v1/keys/{fp},
  /v1/messages/send, /v1/messages/poll/{fp}, /v1/messages/{id}/ack

warzone-client (CLI):
- `warzone init` — generate seed, show mnemonic, save to ~/.warzone/
- `warzone recover <words>` — restore from mnemonic
- `warzone info` — show fingerprint and keys
- Seed storage at ~/.warzone/identity.seed (600 perms)
- Stubs for send, recv, chat commands

warzone-mule: Phase 4 placeholder

Known issue: X3DH test fails (initiate/respond use different DH ops
due to missing X25519 identity key in bundle). Fix in next step.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

warzone/crates/warzone-server/src/routes/health.rs

@@ -0,0 +1,12 @@
+use axum::{routing::get, Json, Router};
+use serde_json::json;
+
+use crate::state::AppState;
+
+pub fn routes() -> Router<AppState> {
+    Router::new().route("/health", get(health))
+}
+
+async fn health() -> Json<serde_json::Value> {
+    Json(json!({ "status": "ok", "version": env!("CARGO_PKG_VERSION") }))
+}

warzone/crates/warzone-server/src/routes/keys.rs

@@ -0,0 +1,46 @@
+use axum::{
+    extract::{Path, State},
+    routing::{get, post},
+    Json, Router,
+};
+use serde::{Deserialize, Serialize};
+
+use crate::state::AppState;
+
+pub fn routes() -> Router<AppState> {
+    Router::new()
+        .route("/keys/register", post(register_keys))
+        .route("/keys/{fingerprint}", get(get_bundle))
+}
+
+#[derive(Deserialize)]
+struct RegisterRequest {
+    fingerprint: String,
+    bundle: Vec<u8>, // bincode-serialized PreKeyBundle
+}
+
+#[derive(Serialize)]
+struct RegisterResponse {
+    ok: bool,
+}
+
+async fn register_keys(
+    State(state): State<AppState>,
+    Json(req): Json<RegisterRequest>,
+) -> Json<RegisterResponse> {
+    let _ = state.db.keys.insert(req.fingerprint.as_bytes(), req.bundle);
+    Json(RegisterResponse { ok: true })
+}
+
+async fn get_bundle(
+    State(state): State<AppState>,
+    Path(fingerprint): Path<String>,
+) -> Result<Json<serde_json::Value>, axum::http::StatusCode> {
+    match state.db.keys.get(fingerprint.as_bytes()) {
+        Ok(Some(data)) => Ok(Json(serde_json::json!({
+            "fingerprint": fingerprint,
+            "bundle": base64::Engine::encode(&base64::engine::general_purpose::STANDARD, &data),
+        }))),
+        _ => Err(axum::http::StatusCode::NOT_FOUND),
+    }
+}

warzone/crates/warzone-server/src/routes/messages.rs

@@ -0,0 +1,61 @@
+use axum::{
+    extract::{Path, State},
+    routing::{delete, get, post},
+    Json, Router,
+};
+use serde::Deserialize;
+
+use crate::state::AppState;
+
+pub fn routes() -> Router<AppState> {
+    Router::new()
+        .route("/messages/send", post(send_message))
+        .route("/messages/poll/{fingerprint}", get(poll_messages))
+        .route("/messages/{id}/ack", delete(ack_message))
+}
+
+#[derive(Deserialize)]
+struct SendRequest {
+    to: String,
+    message: Vec<u8>, // bincode-serialized WarzoneMessage
+}
+
+async fn send_message(
+    State(state): State<AppState>,
+    Json(req): Json<SendRequest>,
+) -> Json<serde_json::Value> {
+    // Append to recipient's queue
+    let key = format!("queue:{}", req.to);
+    let _ = state.db.messages.insert(
+        format!("{}:{}", key, uuid::Uuid::new_v4()).as_bytes(),
+        req.message,
+    );
+    Json(serde_json::json!({ "ok": true }))
+}
+
+async fn poll_messages(
+    State(state): State<AppState>,
+    Path(fingerprint): Path<String>,
+) -> Json<Vec<String>> {
+    let prefix = format!("queue:{}", fingerprint);
+    let mut messages = Vec::new();
+    for item in state.db.messages.scan_prefix(prefix.as_bytes()) {
+        if let Ok((_, value)) = item {
+            messages.push(base64::Engine::encode(
+                &base64::engine::general_purpose::STANDARD,
+                &value,
+            ));
+        }
+    }
+    Json(messages)
+}
+
+async fn ack_message(
+    State(state): State<AppState>,
+    Path(id): Path<String>,
+) -> Json<serde_json::Value> {
+    // Scan for and remove the message with this ID
+    // In a real implementation, we'd have a proper index
+    let _ = state.db.messages.remove(id.as_bytes());
+    Json(serde_json::json!({ "ok": true }))
+}

warzone/crates/warzone-server/src/routes/mod.rs

@@ -0,0 +1,14 @@
+mod health;
+mod keys;
+mod messages;
+
+use axum::Router;
+
+use crate::state::AppState;
+
+pub fn router() -> Router<AppState> {
+    Router::new()
+        .merge(health::routes())
+        .merge(keys::routes())
+        .merge(messages::routes())
+}