Identity edge hardening: handle TTL/unclaim, dial fingerprint warning, per-nick intro rate-limit, Windows collision detection

[laulpogan]

Lower-severity identity-at-the-edges findings from the v0.15 audit (relay/session). Grouped; each is independently small.

1. Handle squatting — no TTL, no unclaim (audit Finding 3) — MED

HandleRecord has no expiry and there's no unclaim endpoint. An abandoned handle is squatted forever on a relay; an attacker first to a fresh relay permanently blocks the real user.
Fix: optional expires_at (relay-operator TTL) + a bearer-auth DELETE /v1/handle/claim/:nick.

2. wire dial trusts the relay's answer with no fingerprint prompt (audit Finding 4) — MED

First-contact discovery resolves a card from .well-known/phonebook and pairs without surfacing the DID+fingerprint. A malicious/compromised relay can serve a poisoned card pre-pair (the relay-is-a-dumb-pipe posture covers post-pair events, not the discovery surface).
Fix: wire dial/wire whois print resolved DID+fingerprint and warn "relay is trusted for discovery; verify out-of-band" on first contact.

3. Per-nick intro flood → slot exhaustion (audit Finding 7) — MED

POST /v1/handle/intro/:nick (unauthenticated, kind=1100 only) has no per-nick rate limit — only a global governor. An attacker can fill a target's 64 MB slot quota in ~25s, making them unreachable until wire rotate-slot.
Fix: per-nick rate bucket (e.g. >5 intros/nick/5min → 429).

4. Windows identity-collision detection is silent (audit Finding 5 / issue #30) — MED

warn_on_identity_collision no-ops on Windows (pgrep/read_wire_home_from_pid are POSIX-only), so two same-cwd sessions silently share an identity (signing keys + inbox cursor) there.
Fix: Windows adapter via PowerShell Get-CimInstance Win32_Process CommandLine + env parse.

5. MCP ghost identity — no self-detected version drift (audit Finding 6) — LOW

wire upgrade without --restart-mcp leaves the old wire mcp server serving its startup identity snapshot; it never self-detects that the on-disk binary moved.
Fix: tool_whoami compares baked SERVER_VERSION vs on-disk daemon version; append stale_binary: true + NOTE on mismatch.

[laulpogan]

Relay-code audit confirms findings 1 & 3 (cites in current src/relay_server.rs):

• Finding 4 (dial fingerprint warning) — DONE in feat(pairing): surface DID+fingerprint + refuse poisoned cards on discovery (part of #247) #289: wire whois/dial/add now print the resolved key fingerprint + out-of-band-verify reminder, expose fingerprint/fingerprint_matches_did in JSON, and hard-refuse a card whose key ≠ its claimed DID.
• Finding 3 (per-nick intro rate-limit) — CONFIRMED ABSENT. handle_intro is on the main router, NOT under the governor (hot_writes), and unauthenticated. Its doc comment wrongly claimed governor coverage — corrected in fix(relay): validate claim relay_url + responder-health slot_id; fix false rate-limit comment (security audit) #290. The only backpressure is the shared 64MB per-slot quota, so a flood to a known nick fills the victim's slot and 413s their own inbound. Real fix (per-nick/per-source intro limit + a separate intro-byte budget so a flood can't evict the owner) still open here.
• Finding 1 (handle TTL/unclaim) — CONFIRMED. HandleRecord has no expires_at; the only sweeper is evict_expired_pair_slots (pair-slots only); no unclaim/DELETE route. FCFS-permanent. (Blunted by the ONE-NAME rule → only the key-derived nick is claimable per DID, not arbitrary vanity names.) Still open.
• Findings 4-Windows-collision (sub 4) + MCP version-drift (sub 5) not yet addressed.

Broader relay DoS findings (global governor, unbounded allocation, ungoverned read endpoints) split out to #291.