JKamsker · JKamsker · Feb 26, 2026 · Feb 25, 2026 · Feb 25, 2026 · Feb 25, 2026
diff --git a/Directory.Build.props b/Directory.Build.props
@@ -0,0 +1,5 @@
+<Project>
+  <PropertyGroup>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+  </PropertyGroup>
+</Project>
diff --git a/ZTSharp.Tests/ActiveTaskSetTests.cs b/ZTSharp.Tests/ActiveTaskSetTests.cs
@@ -0,0 +1,28 @@
+using ZTSharp.Internal;
+
+namespace ZTSharp.Tests;
+
+public sealed class ActiveTaskSetTests
+{
+    [Fact]
+    public async Task WaitAsync_WaitsForTasksTrackedDuringWait()
+    {
+        var set = new ActiveTaskSet();
+
+        var first = new TaskCompletionSource<bool>(TaskCreationOptions.RunContinuationsAsynchronously);
+        var second = new TaskCompletionSource<bool>(TaskCreationOptions.RunContinuationsAsynchronously);
+
+        set.Track(first.Task);
+        var waitTask = set.WaitAsync();
+
+        set.Track(second.Task);
+        first.TrySetResult(true);
+
+        await Task.Delay(10);
+        Assert.False(waitTask.IsCompleted);
+
+        second.TrySetResult(true);
+        await waitTask.WaitAsync(TimeSpan.FromSeconds(1));
+    }
+}
+
diff --git a/ZTSharp.Tests/CodecValidationTests.cs b/ZTSharp.Tests/CodecValidationTests.cs
@@ -0,0 +1,55 @@
+using System.Buffers.Binary;
+using System.Net;
+
+namespace ZTSharp.Tests;
+
+public sealed class CodecValidationTests
+{
+    [Fact]
+    public void NetworkAddressCodec_TryDecode_RejectsInvalidV4Prefix()
+    {
+        Span<byte> encoded = stackalloc byte[11];
+        encoded[0] = 1; // version
+        BinaryPrimitives.WriteInt32LittleEndian(encoded.Slice(1, 4), 1); // count
+        encoded[5] = 4; // tag v4
+        encoded[6] = 33; // invalid prefix
+        encoded[7] = 1;
+        encoded[8] = 2;
+        encoded[9] = 3;
+        encoded[10] = 4;
+
+        Assert.False(NetworkAddressCodec.TryDecode(encoded, out _));
+    }
+
+    [Fact]
+    public void NetworkAddressCodec_TryDecode_RejectsInvalidV6Prefix()
+    {
+        var encoded = new byte[31];
+        encoded[0] = 1; // version
+        BinaryPrimitives.WriteInt32LittleEndian(encoded.AsSpan(1, 4), 1); // count
+        encoded[5] = 6; // tag v6
+        encoded[6] = 129; // invalid prefix
+
+        var address = IPAddress.Parse("fd00::1").GetAddressBytes();
+        Assert.Equal(16, address.Length);
+        address.CopyTo(encoded.AsSpan(7, 16));
+
+        Assert.False(NetworkAddressCodec.TryDecode(encoded, out _));
+    }
+
+    [Fact]
+    public void PeerEndpointCodec_TryDecode_RejectsPortZero()
+    {
+        Span<byte> encoded = stackalloc byte[8];
+        encoded[0] = 1; // version
+        encoded[1] = 4; // tag v4
+        BinaryPrimitives.WriteUInt16BigEndian(encoded.Slice(2, 2), 0);
+        encoded[4] = 1;
+        encoded[5] = 2;
+        encoded[6] = 3;
+        encoded[7] = 4;
+
+        Assert.False(PeerEndpointCodec.TryDecode(encoded, out _));
+    }
+}
+
diff --git a/ZTSharp.Tests/ExternalZtNetTests.cs b/ZTSharp.Tests/ExternalZtNetTests.cs
@@ -61,14 +61,14 @@ public async Task net_NetworkCreate_SpawnTwoClients_And_Communicate_E2E()
 
             await using var node1 = new Node(new NodeOptions
             {
-                StateRootPath = Path.Combine(Path.GetTempPath(), "zt-e2e-node-" + Guid.NewGuid()),
+                StateRootPath = TestTempPaths.CreateGuidSuffixed("zt-e2e-node-"),
                 StateStore = node1Store,
                 TransportMode = TransportMode.OsUdp
             });
 
             await using var node2 = new Node(new NodeOptions
             {
-                StateRootPath = Path.Combine(Path.GetTempPath(), "zt-e2e-node-" + Guid.NewGuid()),
+                StateRootPath = TestTempPaths.CreateGuidSuffixed("zt-e2e-node-"),
                 StateStore = node2Store,
                 TransportMode = TransportMode.OsUdp
             });
@@ -81,8 +81,8 @@ public async Task net_NetworkCreate_SpawnTwoClients_And_Communicate_E2E()
 
             var node1Identity = await node1.GetIdentityAsync();
             var node2Identity = await node2.GetIdentityAsync();
-            var node1Id = node1Identity.NodeId.Value.ToString("x10", CultureInfo.InvariantCulture);
-            var node2Id = node2Identity.NodeId.Value.ToString("x10", CultureInfo.InvariantCulture);
+            var node1Id = node1Identity.NodeId.ToHexString();
+            var node2Id = node2Identity.NodeId.ToHexString();
 
             var node1Endpoint = node1.LocalTransportEndpoint;
             var node2Endpoint = node2.LocalTransportEndpoint;
@@ -134,13 +134,13 @@ public async Task net_NetworkCreate_SpawnTwoClients_And_Communicate_E2E()
 
             await clientStream.WriteAsync(ping);
             var serverBuffer = new byte[ping.Length];
-            var serverRead = await ReadExactAsync(serverStream, serverBuffer, ping.Length, CancellationToken.None);
+            var serverRead = await StreamTestHelpers.ReadExactAsync(serverStream, serverBuffer, ping.Length, CancellationToken.None);
             Assert.Equal(ping.Length, serverRead);
             Assert.True(serverBuffer.AsSpan().SequenceEqual(ping));
 
             await serverStream.WriteAsync(pong);
             var clientBuffer = new byte[pong.Length];
-            var clientRead = await ReadExactAsync(clientStream, clientBuffer, pong.Length, CancellationToken.None);
+            var clientRead = await StreamTestHelpers.ReadExactAsync(clientStream, clientBuffer, pong.Length, CancellationToken.None);
             Assert.Equal(pong.Length, clientRead);
             Assert.True(clientBuffer.AsSpan().SequenceEqual(pong));
         }
@@ -151,29 +151,6 @@ public async Task net_NetworkCreate_SpawnTwoClients_And_Communicate_E2E()
         }
     }
 
-    private static async Task<int> ReadExactAsync(
-        Stream stream,
-        byte[] buffer,
-        int length,
-        CancellationToken cancellationToken)
-    {
-        var readTotal = 0;
-        while (readTotal < length)
-        {
-            var read = await stream.ReadAsync(
-                buffer.AsMemory(readTotal, length - readTotal),
-                cancellationToken).ConfigureAwait(false);
-            if (read == 0)
-            {
-                return readTotal;
-            }
-
-            readTotal += read;
-        }
-
-        return readTotal;
-    }
-
     private static string? ParseNetworkId(string output)
     {
         var match = Regex.Match(output, @"(?im)^[\s:]*nwid:\s*([0-9a-f]+)\s*$");

diff --git a/ZTSharp.Tests/FileStateStoreSecurityTests.cs b/ZTSharp.Tests/FileStateStoreSecurityTests.cs
@@ -0,0 +1,148 @@
+using System.IO;
+
+namespace ZTSharp.Tests;
+
+public sealed class FileStateStoreSecurityTests
+{
+    [WindowsFact]
+    public async Task WriteAsync_Rejects_WindowsDriveRootedPaths()
+    {
+        var path = TestTempPaths.CreateGuidSuffixed("zt-store-sec-");
+        try
+        {
+            var store = new FileStateStore(path);
+
+            await Assert.ThrowsAsync<ArgumentException>(() => store.WriteAsync("C:/Windows/Temp/pwn", new byte[] { 1, 2, 3 }));
+
+            Assert.Empty(Directory.EnumerateFileSystemEntries(path, "*", SearchOption.AllDirectories));
+        }
+        finally
+        {
+            Directory.Delete(path, recursive: true);
+        }
+    }
+
+    [WindowsFact]
+    public async Task WriteAsync_Rejects_NtfsAds()
+    {
+        var path = TestTempPaths.CreateGuidSuffixed("zt-store-sec-");
+        try
+        {
+            var store = new FileStateStore(path);
+
+            await Assert.ThrowsAsync<ArgumentException>(() => store.WriteAsync("planet:ads", new byte[] { 1, 2, 3 }));
+
+            Assert.Empty(Directory.EnumerateFileSystemEntries(path, "*", SearchOption.AllDirectories));
+        }
+        finally
+        {
+            Directory.Delete(path, recursive: true);
+        }
+    }
+
+    [Fact]
+    public async Task WriteAsync_Rejects_RootedPaths()
+    {
+        var path = TestTempPaths.CreateGuidSuffixed("zt-store-sec-");
+        try
+        {
+            var store = new FileStateStore(path);
+
+            await Assert.ThrowsAsync<ArgumentException>(() => store.WriteAsync("/etc/passwd", new byte[] { 1, 2, 3 }));
+
+            Assert.Empty(Directory.EnumerateFileSystemEntries(path, "*", SearchOption.AllDirectories));
+        }
+        finally
+        {
+            Directory.Delete(path, recursive: true);
+        }
+    }
+
+    [Fact]
+    public async Task ReadAsync_PlanetFallsBackToRoots_AndRootListContainsBothAliases()
+    {
+        var path = TestTempPaths.CreateGuidSuffixed("zt-store-alias-");
+        try
+        {
+            var store = new FileStateStore(path);
+
+            File.WriteAllBytes(Path.Combine(path, "roots"), new byte[] { 1, 2, 3, 4 });
+
+            var readViaPlanet = await store.ReadAsync("planet");
+            var listed = await store.ListAsync();
+
+            Assert.NotNull(readViaPlanet);
+            Assert.True(readViaPlanet!.Value.Span.SequenceEqual(new byte[] { 1, 2, 3, 4 }));
+            Assert.Contains("planet", listed);
+            Assert.Contains("roots", listed);
+        }
+        finally
+        {
+            Directory.Delete(path, recursive: true);
+        }
+    }
+
+    [WindowsFact]
+    public async Task ListAsync_Rejects_WindowsDriveRootedPrefixes()
+    {
+        var path = TestTempPaths.CreateGuidSuffixed("zt-store-sec-");
+        try
+        {
+            var store = new FileStateStore(path);
+
+            await Assert.ThrowsAsync<ArgumentException>(() => store.ListAsync("C:/"));
+        }
+        finally
+        {
+            Directory.Delete(path, recursive: true);
+        }
+    }
+
+    [Fact]
+    public async Task WriteAsync_IsAtomicReplace_BestEffort()
+    {
+        var path = TestTempPaths.CreateGuidSuffixed("zt-store-atomic-");
+        try
+        {
+            var store = new FileStateStore(path);
+
+            var oldBytes = Enumerable.Repeat((byte)0xAA, 256 * 1024).ToArray();
+            var newBytes = Enumerable.Repeat((byte)0x55, 256 * 1024).ToArray();
+            await store.WriteAsync("foo", oldBytes);
+
+            using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
+            var writer = Task.Run(async () =>
+            {
+                for (var i = 0; i < 50; i++)
+                {
+                    var bytes = i % 2 == 0 ? newBytes : oldBytes;
+                    await store.WriteAsync("foo", bytes, cts.Token);
+                }
+            }, cts.Token);
+
+            var reader = Task.Run(async () =>
+            {
+                for (var i = 0; i < 250; i++)
+                {
+                    var read = await store.ReadAsync("foo", cts.Token);
+                    if (read is null)
+                    {
+                        continue;
+                    }
+
+                    var span = read.Value.Span;
+                    var matchesOld = span.SequenceEqual(oldBytes);
+                    var matchesNew = span.SequenceEqual(newBytes);
+                    Assert.True(matchesOld || matchesNew);
+                }
+            }, cts.Token);
+
+            await Task.WhenAll(writer, reader);
+        }
+        finally
+        {
+            Directory.Delete(path, recursive: true);
+        }
+    }
+}
+
diff --git a/ZTSharp.Tests/NetworkAddressTests.cs b/ZTSharp.Tests/NetworkAddressTests.cs
@@ -11,7 +11,7 @@ public async Task NetworkAddresses_RoundTrip()
 
         await using var node = new Node(new NodeOptions
         {
-            StateRootPath = Path.Combine(Path.GetTempPath(), "zt-node-" + Guid.NewGuid()),
+            StateRootPath = TestTempPaths.CreateGuidSuffixed("zt-node-"),
             StateStore = new MemoryStateStore()
         });
 
@@ -32,4 +32,3 @@ public async Task NetworkAddresses_RoundTrip()
         Assert.Equal(expected[1], actual[1]);
     }
 }
-