
Alan-Jowett / sonde / 26697001756
82%

Build:
DEFAULT BRANCH: main
Ran 30 May 2026 10:58PM UTC
Jobs 1
Files 124
Run time 1min

30 May 2026 10:48PM UTC coverage: 82.134% (+0.1%) from 82.001%
26697001756

push

github

web-flow
Simplify KDF: deterministic master_key_id, client-side-only salt/KDF (#1110)

* Simplify KDF: deterministic `master_key_id`, client-side-only salt/KDF

Remove salt and KDF parameters from gateway storage, wire protocol
(ACTUAL/DESIRED STATE CBOR keys 21/22), rotation payload (CBOR keys
3/4/5), and Azure Tables. KDF is now a client-side-only concern:

- `master_key_id` = `SHA-256(master_key)` (32 bytes, deterministic)
  instead of random 16 bytes. Eliminates transmitting it in rotation
  payloads; gateway derives it locally after decryption.

- KDF v1 (Argon2id m=65536 t=3 p=1) is hardcoded in client tools
  (admin CLI, web SPA). No KDF parameters are stored or transmitted.

- Salt is derived deterministically from a deployment label:
  `SHA-256("sonde-kdf-v1:" || utf8(label))[0..16]`.
  The label is stored only in the SPA environment config.

- Rotation payload plaintext simplified to `{1: new_master_key,
  2: rotation_code}`. Keys 3-5 are RESERVED (not reused).

- CBOR keys 21/22 in ACTUAL/DESIRED STATE are RESERVED (retired).

- Cross-gateway linkability (same passphrase+label produces the same
  `master_key_id` visible to Azure) is accepted and documented in
  `security.md`.

- Fix: use post-recovery master key (not stale pre-recovery capture)
  when deriving `master_key_id` during gateway startup.

- `master_key_epoch` is unchanged (crash recovery, dual-key processing).

This is a clean-break change — no migration needed (no production
gateways exist).

Spec: GW-2001, GW-2003, GW-2004, GW-2005, GW-2006, GW-2008 (RETIRE),
GW-2020 (NEW), GW-2021 (NEW), AZH-0600, AZH-0604 (RETIRE), AZH-0605,
WEB-1001-1004, WEB-1009.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: refresh cached_master_key_id after rotation completes

After key rotation, try_recovery_auth was filtering
pending_recovery candidates against the stale pre-rotation
cached_master_key_id.  Nodes needing declarative recovery
after rotation could be invisible to t... (continued)

125 of 176 new or added lines in 7 files covered. (71.02%)

21 existing lines in 4 files now uncovered.

37857 of 46092 relevant lines covered (82.13%)

251.49 hits per line

Uncovered Changes

Lines  Coverage  ∆       File
19     36.47     -2.51%  crates/sonde-admin/src/main.rs
13     67.93     0.36%   crates/sonde-gateway/src/bin/gateway.rs
10     83.27     -0.66%  crates/sonde-gateway/src/engine.rs
7      83.47     0.75%   crates/sonde-gateway/src/sqlite_storage.rs
2      84.13     1.44%   crates/sonde-gateway/src/connector.rs

Coverage Regressions

Lines  Coverage  ∆       File
12     83.47     0.75%   crates/sonde-gateway/src/sqlite_storage.rs
7      81.27     -0.27%  crates/sonde-azure-companion/src/main.rs
1      36.47     -2.51%  crates/sonde-admin/src/main.rs
1      84.14     -3.56%  crates/sonde-gateway/src/rotation_engine.rs

Jobs
ID  Job ID         Ran                      Files  Coverage
1   26697001756.1  30 May 2026 10:58PM UTC  124    82.13
Commit 71cc6997 on github