test(vault-api): live X25519MLKEM768 handshake gate (v0.1 gate #2) #43
Open
UnbreakableMJ wants to merge 1 commit into
The pqc unit tests only exercise our own half of the exchange. This adds
live_handshake_negotiates_x25519mlkem768 — an #[ignore]d interop test that
drives a real TLS 1.3 handshake with client_config() against Cloudflare's
PQC host (pq.cloudflareresearch.com) and asserts the *negotiated* key-
exchange group is X25519MLKEM768, proving the hand-rolled hybrid wire layout
interoperates with an independent server. Confirmed passing:
cargo test -p vault-api --features pqc -- --ignored live_handshake
Needs network, so it's #[ignore]d like login_sync and never runs in CI.
- docs/pqc.md: a "Live handshake test" section + status reconcile (this gate
and the fuzz soak are done; only the daily-driver attestation remains).
- RELEASING.md: tick gate #2, cite the run.
- CHANGELOG.md: [Unreleased] note.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary

Adds the live PQC handshake interop test — RELEASING.md operational gate #2 for the v0.1.0 tag — and the surrounding bookkeeping.

The existing pqc unit tests only exercise our half of the exchange (KEM round-trip, share/secret byte layout, config ordering). They can't catch a wire-format mismatch with a real server. The new live_handshake_negotiates_x25519mlkem768 test closes that gap: it drives a real TLS 1.3 handshake with client_config() against Cloudflare's PQC research host (pq.cloudflareresearch.com) and asserts the negotiated key-exchange group is NamedGroup::X25519MLKEM768 — i.e. the hand-rolled hybrid (ring X25519 + RustCrypto ML-KEM-768) interoperates end-to-end, not a silent classical fallback.

Confirmed passing locally:

Changes

- crates/vault-api/src/pqc.rs — the #[ignore]d live test (network-gated, like login_sync; never runs in CI).
- docs/pqc.md — a "Live handshake test" section + status reconcile (this gate and the fuzz soak are done; only the §11.2 daily-driver attestation remains).
- RELEASING.md — gate #2 ticked, citing the run.
- CHANGELOG.md — [Unreleased] note.

Verification

-D warnings) — clean.
- RUSTFLAGS="-D warnings" cargo test --workspace --all-targets — clean.
- #[ignore]d and behind --features pqc, so it doesn't run in CI (the test job passes no --features pqc; clippy lints it under --all-features).

🤖 Generated with Claude Code
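
The check the live test makes, reduced to the wire level and run offline, as an added example that is not the project's code: it parses a ServerHello body, finds the key_share extension, and separates X25519MLKEM768 (0x11EC, with its 1120-byte server share: ML-KEM-768 ciphertext followed by the X25519 public key) from a fallback to plain X25519. The names negotiated_group and sample_server_hello are hypothetical, and the sample bytes are constructed, not captured from pq.cloudflareresearch.com.

```rust
// Added example (std only). Input: ServerHello body, after the 4-byte handshake header.
const X25519: u16 = 0x001D;
const X25519MLKEM768: u16 = 0x11EC;
const HYBRID_SERVER_SHARE: usize = 1088 + 32; // ML-KEM-768 ciphertext || X25519 public key
#[derive(Debug, PartialEq)]
pub enum Negotiated { Hybrid, ClassicalFallback, Other(u16) }

fn take<'a>(buf: &mut &'a [u8], n: usize) -> Result<&'a [u8], &'static str> {
    if buf.len() < n { return Err("truncated ServerHello"); }
    let (head, rest) = buf.split_at(n);
    *buf = rest;
    Ok(head)
}
fn be16(buf: &mut &[u8]) -> Result<usize, &'static str> {
    take(buf, 2).map(|b| u16::from_be_bytes([b[0], b[1]]) as usize)
}

pub fn negotiated_group(mut sh: &[u8]) -> Result<Negotiated, &'static str> {
    take(&mut sh, 2 + 32)?; // legacy_version, random
    let sid = take(&mut sh, 1)?[0] as usize;
    take(&mut sh, sid + 2 + 1)?; // session id echo, cipher suite, compression
    let n = be16(&mut sh)?;
    let mut exts = take(&mut sh, n)?;
    while !exts.is_empty() {
        let (ty, len) = (be16(&mut exts)?, be16(&mut exts)?);
        let mut body = take(&mut exts, len)?;
        if ty != 0x0033 { continue; } // only key_share names the selected group
        let (group, share_len) = (be16(&mut body)? as u16, be16(&mut body)?);
        take(&mut body, share_len)?; // the share bytes must actually be present
        return match group {
            X25519MLKEM768 if share_len == HYBRID_SERVER_SHARE => Ok(Negotiated::Hybrid),
            X25519MLKEM768 => Err("hybrid group with wrong share length"),
            X25519 => Ok(Negotiated::ClassicalFallback),
            g => Ok(Negotiated::Other(g)),
        };
    }
    Err("no key_share extension")
}

// Constructed ServerHello body (sample data, not a capture): TLS 1.3 + one key_share.
pub fn sample_server_hello(group: u16, share_len: u16) -> Vec<u8> {
    let mut sh: Vec<u8> = vec![0x03, 0x03]; // legacy_version
    sh.resize(35, 0); // zeroed random, empty session id
    sh.extend([0x13, 0x01, 0x00]); // TLS_AES_128_GCM_SHA256, null compression
    for v in [14 + share_len, 0x002B, 2, 0x0304, 0x0033, 4 + share_len, group, share_len] {
        sh.extend(v.to_be_bytes());
    }
    sh.extend(vec![0xAA; share_len as usize]); // filler standing in for key material
    sh
}
```

A HelloRetryRequest carries only the group in key_share, so this parser reports it as truncated rather than classifying it.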