fix: WASM double-X3DH bug, federated aliases, deploy tooling

WASM fix (critical): - encrypt_key_exchange_with_id was calling x3dh::initiate a second time, generating a new ephemeral key that didn't match the ratchet — receiver always failed to decrypt. Now stores X3DH result from initiate() and reuses it. Added 2 protocol tests confirming the fix + the bug. - Bumped service worker cache to wz-v2 to force browsers to re-fetch. - Disabled wasm-opt for Hetzner builds (libc compat issue). Federation — alias support: - resolve_alias falls back to federation peer if not found locally - register_alias checks peer server before allowing — globally unique aliases - Added resolve_remote_alias() and is_alias_taken_remote() to FederationHandle Federation — key proxy fix: - Remote bundles no longer cached locally (stale cache caused decrypt failures) - Local vs remote determined by device: prefix in keys DB Client fixes: - Self-messaging blocked ("Cannot send messages to yourself") - /peer <self> blocked - last_dm_peer never set to self - /r <message> sends reply inline (switches peer + sends in one command) Deploy tooling: - scripts/build-linux.sh with --ship (build + deploy + destroy) - --update-all, --status, --logs commands - WASM rebuilt on Hetzner VM before server binary - deploy/ directory: systemd service, federation configs, setup script - Journald log cap (50MB, 7-day retention) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 22:59:19 +04:00
parent f8eaf30bb4
commit dbf5d136cf
16 changed files with 1026 additions and 24 deletions
--- a/warzone/deploy/federation-kh3rad3ree.json
+++ b/warzone/deploy/federation-kh3rad3ree.json
@@ -0,0 +1,8 @@
+{
+  "server_id": "kh3rad3ree",
+  "shared_secret": "7cfe41395062d939a36d9debe7d70f528ccd2efaccddca139c19603fe40df8f4",
+  "peer": {
+    "id": "mequ",
+    "url": "http://10.66.66.129:7700"
+  }
+}
--- a/warzone/deploy/federation-mequ.json
+++ b/warzone/deploy/federation-mequ.json
@@ -0,0 +1,8 @@
+{
+  "server_id": "mequ",
+  "shared_secret": "7cfe41395062d939a36d9debe7d70f528ccd2efaccddca139c19603fe40df8f4",
+  "peer": {
+    "id": "kh3rad3ree",
+    "url": "http://10.66.66.253:7700"
+  }
+}
--- a/warzone/deploy/journald-warzone.conf
+++ b/warzone/deploy/journald-warzone.conf
@@ -0,0 +1,6 @@
+# /etc/systemd/journald.conf.d/warzone.conf
+# Cap journal storage to avoid filling disk on mequ
+[Journal]
+SystemMaxUse=50M
+SystemMaxFileSize=10M
+MaxRetentionSec=7day
--- a/warzone/deploy/setup.sh
+++ b/warzone/deploy/setup.sh
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Setup script — run as root on each server.
+# Usage: ./setup.sh <mequ|kh3rad3ree>
+
+HOSTNAME="${1:-}"
+if [ -z "$HOSTNAME" ] || { [ "$HOSTNAME" != "mequ" ] && [ "$HOSTNAME" != "kh3rad3ree" ]; }; then
+  echo "Usage: $0 <mequ|kh3rad3ree>"
+  exit 1
+fi
+
+echo "=== Setting up featherChat on $HOSTNAME ==="
+
+# Create warzone user if it doesn't exist
+if ! id warzone &>/dev/null; then
+  echo "[1/4] Creating warzone user..."
+  useradd -r -m -s /bin/bash warzone
+else
+  echo "[1/4] User warzone already exists"
+fi
+
+# Create data directory
+echo "[2/4] Creating directories..."
+mkdir -p /home/warzone/data
+chown -R warzone:warzone /home/warzone
+
+# Copy binaries
+echo "[3/4] Installing binaries..."
+cp warzone-server warzone-client /home/warzone/
+chmod +x /home/warzone/warzone-server /home/warzone/warzone-client
+cp "federation-${HOSTNAME}.json" /home/warzone/federation.json
+chown warzone:warzone /home/warzone/warzone-server /home/warzone/warzone-client /home/warzone/federation.json
+
+# Install systemd service + journald log cap
+echo "[4/5] Installing systemd service..."
+cp warzone-server.service /etc/systemd/system/
+systemctl daemon-reload
+systemctl enable warzone-server
+
+echo "[5/5] Capping journal logs (50MB max, 7 day retention)..."
+mkdir -p /etc/systemd/journald.conf.d
+cp journald-warzone.conf /etc/systemd/journald.conf.d/warzone.conf
+systemctl restart systemd-journald
+# Vacuum existing logs
+journalctl --vacuum-size=50M 2>/dev/null || true
+
+echo ""
+echo "=== Done ==="
+echo "Start:   systemctl start warzone-server"
+echo "Status:  systemctl status warzone-server"
+echo "Logs:    journalctl -u warzone-server -f"
+echo "Stop:    systemctl stop warzone-server"
--- a/warzone/deploy/warzone-server.service
+++ b/warzone/deploy/warzone-server.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=Warzone Messenger Server (featherChat)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=warzone
+Group=warzone
+WorkingDirectory=/home/warzone
+ExecStart=/home/warzone/warzone-server --bind 0.0.0.0:7700 --data-dir /home/warzone/data --federation /home/warzone/federation.json
+Restart=always
+RestartSec=3
+LimitNOFILE=65536
+
+# Security hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=read-only
+ReadWritePaths=/home/warzone/data
+PrivateTmp=yes
+
+# Environment — warn-only to minimize disk usage (set to info for debugging)
+Environment=RUST_LOG=warn,warzone_server::federation=info
+
+[Install]
+WantedBy=multi-user.target