RFC-006/007 implementation roadmap (A–D): confidentiality + Nostr binding

[laulpogan]

Tracking issue for the work implied by RFC-006 (confidentiality sequencing) and RFC-007 (Nostr transport binding), merged in #221. Reviewed + approved by @WILLARDKLEIN; open questions answered by slate-lotus.

Legend: ✅ delivered · 🔜 ready now · ⏳ deferred (v0.2/v0.3 impl)

A. v0.15 schema-doc cut (cheap insurance — land before the v0.15 freeze)

• A1 ✅ Reserve enc body container — PROTOCOL.md §2.4 (stays schema major v3, path-A)
• A2 ✅ Reserve dh_pubkey X25519 card field — PROTOCOL.md §1
• A3 ✅ Document enc events stay major v3 — signing.rs / PROTOCOL.md §2.4
• A4 ✅ Group-confidentiality threat entry (T15) — THREAT_MODEL.md (closes the DM/group parity gap)
• A5 ✅ session_source on wire whoami --json + MCP wire_whoami (RFC-008 §A ask)

B. Verification (lock the decisions)

• B1 ✅ Path-A fixture — enc-bearing event signs/verifies additively, integrity holds (proposed by slate-lotus)
• B2 ✅ No-second-break: plaintext reader ignores enc, schema stays v3 (covered by B1's encryption-unaware verify path)
• B3 ⏳ wireup.net-stays-anchor property test — deferred to D3 (vacuous until the Nostr binding exists; RFC-007 AC-2)

C. Curve gate (RFC-007 Q1)

• C1 ✅ Ed25519↔secp256k1 derivation survey → Option 1 (dual-key, transport-only, cross-signed). Spike: docs/rfc/0007-spike-curve-derivation.md. Unblocks D3.

D. Deferred implementation (v0.2 / v0.3 — scoped, not in the schema cut)

• D1 ⏳ NIP-44 v2 body encryption, additive per path-A (BACKLOG.md:22) — consumes the enc reservation
• D2 ⏳ vodozemac swap of seal_bootstrap/open_bootstrap → FS/PCS per-pair channel, ~300 LOC (BACKLOG.md:70)
• D3 ⏳ Nostr WS transport binding: Transport trait + NostrWs, ~250 LOC (BACKLOG.md:17); wireup.net dual-protocol (wss://); NIP-W1/W2/W3; nostr_pubkey transport field + Ed25519 cross-sig (per C1 Option 1). Carries B3.
• D4 ⏳ MLS (OpenMLS) group rooms — gated on group rooms becoming real (BACKLOG.md:71, closes T15)

A + B1/B2 + C1 delivered in the follow-up PR to #221. D items are the post-v0.15 impl line.

[laulpogan]

Update 2026-06-06 — RFC-006 open questions closed; D-line direction locked.

• Path-A → resolved A (proven by feat(v0.15): RFC-006/007 schema reservations + session_source + curve spike #228 fixture). No v4 bump.
• Q2 (ratchet vs DH-on-card) → resolved NIP-44, vodozemac (D2) deferred. Spike (docs/rfc/0006-spike-vodozemac-vs-nip44.md) found the backlog's "vodozemac seal swap from the pairing secret, ~300 LOC" premise is a category error: vodozemac runs its own Curve25519 X3DH (can't key from SPAKE2), real cost ~800–1500 LOC + stateful persistence + migration, and its Double-Ratchet PCS only partially delivers under store-and-forward/passive-replier traffic. NIP-44 fits wire's shape and composes with the Nostr binding.

Revised D-line

• D1 🔜 NIP-44 v2 body encryption (X25519 dh_pubkey + seal/open over the reserved enc body) — the DM-encryption route. Reservations already shipped (feat(v0.15): RFC-006/007 schema reservations + session_source + curve spike #228).
• D2 ⛔ vodozemac — deferred with rationale, not "todo." Revisit only on a concrete per-message-FS threat model for bidirectionally-active high-value pairs. (BACKLOG.md:70 corrected.)
• D3 ⏳ Nostr binding (curve gate resolved → Option 1, feat(v0.15): RFC-006/007 schema reservations + session_source + curve spike #228 spike).
• D4 ⏳ MLS groups (gated on group rooms becoming real).

Net: every RFC-006/007 open question is now resolved with a spike behind it. The next implementation step is D1 (NIP-44).

[laulpogan]

Roadmap status correction: D1 (NIP-44 DM body encryption) is SHIPPED, not deferred. seal_event_body/open_event_body are wired into the send path (comms.rs, mcp.rs), cards carry dh_pubkey, and the read surfaces (wire tail, wire_tail MCP, wire://inbox) decrypt + flag undecryptable bodies (#281/#285/#287). D2 = deferred-with-rationale (correct). D3 (Nostr binding) = not started (no nostr code) — that's the real next step on the confidentiality/binding track. D4 (MLS) stays gated on real group rooms. Please re-tick D1 done.

[laulpogan]

D3.1 landed — PR #312 (the dual-key identity foundation, RFC-007 / curve spike Option 1).

What shipped (fully offline, additive):

• wire enroll nostr [--rotate] mints a transport-only secp256k1 key, cross-signed by the Ed25519 identity, carried as an additive nostr_pubkey card field.
• Mutual binding over wire-nostr-binding-v1|<session_did>|<npub_hex>: identity vouches (Ed25519) + secp proves possession (schnorr) → no npub-squatting.
• ONE-NAME invariant preserved (npub is transport, never identity). wire whoami surfaces the npub only when the binding verifies.
• New dep: secp256k1 0.31 (schnorr/x-only). Unit-tested core + tests/it/110-nostr-binding.sh.

This unblocks the rest of D3, which remain open as the follow-up slices:

• D3.2 — Transport trait + NostrWs (NIP-01 EVENT/REQ/EOSE WebSocket).
• D3.3 — NIP-44 v2 DM (consumes the RFC-006 enc reservation; ties into D1).
• D3.4 — NIP-W1 pairing + live third-party-relay e2e (RFC-007 AC-1/AC-3 + KILL criterion).