huddle-protocol 2.0.4

The Huddle wire protocol and pure cryptographic constructions — the runtime-free core that both the huddle client and relay speak.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137

//! The relay control protocol: the JSON messages a huddle client and a
//! `huddle-server` relay exchange over the WebSocket door.
//!
//! Extracted here so the client (`huddle-core::network::server`) and the relay
//! (`huddle-server`) share ONE definition instead of the two hand-kept-in-sync
//! copies they carried before. [`ClientMsg`] is what the client sends and the
//! relay receives; [`ServerMsg`] is the reverse. Both derive `Serialize` +
//! `Deserialize` so each side uses whichever direction it needs.
//!
//! Wire-compat note: the field-level `#[serde(default)]` / `skip_serializing_if`
//! attributes match the relay's historical (authoritative) serialization, so
//! these unified types are byte-identical to both prior copies — old clients
//! and relays interoperate unchanged.

use serde::{Deserialize, Serialize};

/// Client → relay. The client serializes these; the relay deserializes them,
/// tolerating absent optional fields from older clients via `serde(default)`.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "type", rename_all = "snake_case")]
pub enum ClientMsg {
    /// Announce identity and (re)assert room memberships, then drain the
    /// mailbox. Must be the first message. huddle 1.1.4: it authenticates —
    /// `pubkey_b64` is the client's Ed25519 pubkey and `signature_b64` is a
    /// signature over `RELAY_AUTH_DOMAIN || nonce` for the nonce the relay sent
    /// in the opening `Challenge`. The relay verifies both before registering.
    Hello {
        fingerprint: String,
        #[serde(default)]
        pubkey_b64: String,
        #[serde(default)]
        signature_b64: String,
        #[serde(default)]
        rooms: Vec<String>,
        /// huddle 2.0: capability bit — the client implements at-least-once
        /// mailbox ACKs (it answers each queued `Message` with `ClientMsg::Ack`
        /// carrying the row's `mailbox_id`). When `true` the relay tags each
        /// mailbox delivery with its row id and keeps the row until the matching
        /// `Ack` arrives; when `false` (pre-2.0 clients — the serde default) the
        /// relay falls back to classical delete-on-deliver.
        #[serde(default)]
        acks: bool,
    },
    Subscribe {
        room: String,
    },
    Unsubscribe {
        room: String,
    },
    /// Send an opaque payload to every other member of `room`.
    Publish {
        room: String,
        id: String,
        payload_b64: String,
    },
    /// huddle 1.2: deliver an opaque payload to a SPECIFIC recipient
    /// fingerprint, independent of room membership — how 1:1 DMs and friend
    /// requests route reliably. `room` is an opaque tag the recipient's client
    /// uses to file the message; the relay never interprets it.
    SendDirect {
        to: String,
        room: String,
        id: String,
        payload_b64: String,
    },
    /// huddle 1.2.1: mint a short-lived connect code bound to this
    /// authenticated identity. The relay replies with `ConnectToken`.
    CreateConnectToken,
    /// huddle 1.2.1: resolve a connect code to its owner's fingerprint+pubkey.
    /// The relay replies with `ConnectTokenResolved` (fingerprint = None when
    /// unknown/expired).
    RedeemConnectToken {
        token: String,
    },
    /// Re-drain the mailbox on demand.
    Fetch,
    /// huddle 2.0: acknowledge durable receipt of a relay-delivered mailbox
    /// message. The relay deletes the row only after this ACK (at-least-once
    /// delivery). Scoped to the authenticated fingerprint.
    Ack {
        mailbox_id: i64,
    },
    Ping,
}

/// Relay → client. The relay serializes these; the client deserializes them.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "type", rename_all = "snake_case")]
pub enum ServerMsg {
    /// huddle 1.1.4: sent immediately on connect. The client signs the nonce to
    /// prove control of its identity key before it can do anything.
    Challenge {
        nonce_b64: String,
    },
    /// Sent after a successful `Hello`. Carries the authenticated fingerprint
    /// (the client already knows its own identity, so it ignores the field).
    Ready {
        fingerprint: String,
    },
    /// A room message delivered live or from the offline mailbox. huddle 2.0:
    /// `mailbox_id` is `Some(row_id)` when the message came from the relay's
    /// on-disk queue AND the recipient advertised ACK support in its `Hello`;
    /// `None` for live fan-out and pre-2.0 clients. `skip_serializing_if` keeps
    /// the field off the wire for live/legacy messages so old clients see
    /// exactly the bytes they expect.
    Message {
        room: String,
        id: String,
        payload_b64: String,
        #[serde(default, skip_serializing_if = "Option::is_none")]
        mailbox_id: Option<i64>,
    },
    Sent {
        id: String,
        delivered: usize,
        queued: usize,
    },
    /// huddle 1.2.1: a freshly minted connect code + its lifetime (seconds).
    ConnectToken {
        token: String,
        ttl_secs: u64,
    },
    /// huddle 1.2.1: result of redeeming a connect code. `fingerprint` /
    /// `pubkey_b64` are `None` when the code is unknown or expired. The relay
    /// echoes the `token`; the client ignores it.
    ConnectTokenResolved {
        token: String,
        #[serde(default)]
        fingerprint: Option<String>,
        #[serde(default)]
        pubkey_b64: Option<String>,
    },
    Pong,
    Error {
        message: String,
    },
}