chore: archive v1.1 milestone — Security Hardening & Code Review Fixes

5 phases, 9 plans, 11/11 requirements satisfied.
Archived roadmap, requirements, and audit to milestones/.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: johnzilla

.planning/MILESTONES.md

@@ -25,3 +25,28 @@
 
 ---
 
+## v1.1 Security Hardening & Code Review Fixes (Shipped: 2026-02-22)
+
+**Phases:** 6-10 (9 plans) | **Rust LOC:** 2,633 (src) + 590 (tests) | **Timeline:** 1 day
+
+**Delivered:** Comprehensive security hardening: signed metadata envelopes, key permission enforcement, PIN-protected handoffs, structured error handling, and migration from homeserver to direct PKARR Mainline DHT transport with full metadata encryption.
+
+**Key accomplishments:**
+- Ed25519-signed burn and recipient fields with tamper detection (clean break from v1.0)
+- Key file permission enforcement (0600) at load and write time
+- PIN-protected handoffs with Argon2id+HKDF-SHA256 key derivation
+- Structured error handling (CclinkError::RecordNotFound, dead variant cleanup)
+- Replaced homeserver transport with PKARR Mainline DHT (no accounts, no tokens, no signup)
+- Encrypted all sensitive metadata (hostname, project path, session ID) into blob -- zero cleartext metadata on DHT
+
+**Git range:** `49c9586` → `d2b65d3` (97 files, 6,140 insertions, 11,880 deletions)
+
+**Known tech debt:**
+- LatestPointer struct is dead code after DHT migration
+- Age ciphertext size non-deterministic (budget relies on skip_serializing_if)
+- QR code content wrong when `--share` + `--qr` combined
+
+**Archive:** `milestones/v1.1-ROADMAP.md`, `milestones/v1.1-REQUIREMENTS.md`
+
+---
+

.planning/PROJECT.md

@@ -2,7 +2,7 @@
 
 ## What This Is
 
-A single Rust CLI binary (`cclink`) that publishes cryptographically signed, encrypted Claude Code session handoff links via the Pubky protocol. Run `cclink` on one machine to publish your session, `cclink pickup` on another to resume it — no central relay, no accounts, your PKARR key is your identity.
+A single Rust CLI binary (`cclink`) that publishes cryptographically signed, encrypted Claude Code session handoff records directly to the PKARR Mainline DHT. Run `cclink` on one machine to publish your session, `cclink pickup` on another to resume it -- no central relay, no accounts, no signup tokens. Your PKARR key is your identity.
 
 ## Core Value
 
@@ -12,102 +12,91 @@ Effortless, secure session handoff between devices: `cclink` on one machine, `cc
 
 ### Validated
 
-- ✓ Generate and manage PKARR/Ed25519 keypairs (`cclink init`, `cclink whoami`) — v1.0
-- ✓ Discover Claude Code session IDs from `~/.claude/projects/` with cwd scoping — v1.0
-- ✓ Build and sign handoff payload (session ID, hostname, project, timestamps) — v1.0
-- ✓ Encrypt session ID with age (self-encrypt via Ed25519-to-X25519 derivation) — v1.0
-- ✓ Publish encrypted handoff record to Pubky homeserver — v1.0
-- ✓ Retrieve and decrypt own handoff (`cclink pickup`) — v1.0
-- ✓ Share-mode encryption to a specific recipient's public key (`--share`) — v1.0
-- ✓ Burn-after-read mode (`--burn`) — delete record after first retrieval — v1.0
-- ✓ TTL-based expiry (`--ttl`, default 24h) — v1.0
-- ✓ Terminal QR code rendering after publish and on pickup — v1.0
-- ✓ `cclink list` — show active handoff records with comfy-table — v1.0
-- ✓ `cclink revoke` — delete specific or all handoff records — v1.0
-- ✓ Auto-execute `claude --resume <id>` after pickup (default behavior) — v1.0
-- ✓ Colored terminal output with status indicators — v1.0
-- ✓ Ed25519 signature verification on all retrieved records — v1.0
-- ✓ Atomic key write (write-to-temp + rename) — v1.0
-- ✓ CI/CD with 4-platform release builds and curl installer — v1.0
-- ✓ Round-trip encryption tests and plaintext leak detection in CI — v1.0
+- ✓ Generate and manage PKARR/Ed25519 keypairs (`cclink init`, `cclink whoami`) -- v1.0
+- ✓ Discover Claude Code session IDs from `~/.claude/projects/` with cwd scoping -- v1.0
+- ✓ Build and sign handoff payload (session ID, hostname, project, timestamps) -- v1.0
+- ✓ Encrypt session ID with age (self-encrypt via Ed25519-to-X25519 derivation) -- v1.0
+- ✓ Publish encrypted handoff record to DHT -- v1.0 (homeserver), v1.1 (direct DHT)
+- ✓ Retrieve and decrypt own handoff (`cclink pickup`) -- v1.0
+- ✓ Share-mode encryption to a specific recipient's public key (`--share`) -- v1.0
+- ✓ Burn-after-read mode (`--burn`) -- delete record after first retrieval -- v1.0
+- ✓ TTL-based expiry (`--ttl`, default 24h) -- v1.0
+- ✓ Terminal QR code rendering after publish and on pickup -- v1.0
+- ✓ `cclink list` -- show active handoff records with comfy-table -- v1.0
+- ✓ `cclink revoke` -- delete/revoke handoff records -- v1.0
+- ✓ Auto-execute `claude --resume <id>` after pickup (default behavior) -- v1.0
+- ✓ Colored terminal output with status indicators -- v1.0
+- ✓ Ed25519 signature verification on all retrieved records -- v1.0
+- ✓ Atomic key write (write-to-temp + rename) -- v1.0
+- ✓ CI/CD with 4-platform release builds and curl installer -- v1.0
+- ✓ Round-trip encryption tests and plaintext leak detection in CI -- v1.0
+- ✓ Sign burn + recipient fields in handoff payload (clean break from v1.0 format) -- v1.1
+- ✓ Enforce key file permissions (0600) explicitly in cclink code -- v1.1
+- ✓ PIN-protected handoffs (`--pin`) with Argon2id+HKDF-derived key -- v1.1
+- ✓ Make `--burn` + `--share` mutually exclusive -- v1.1
+- ✓ Fix pickup CLI help text -- v1.1
+- ✓ Structured error handling (CclinkError variants) -- v1.1
+- ✓ Remove dead CclinkError variants -- v1.1
+- ✓ Optimize list command -- v1.1
+- ✓ Lazy signin / session reuse -- v1.1 (superseded by DHT)
+- ✓ Update PRD stale path references -- v1.1
+- ✓ Encrypt all sensitive metadata into blob (no cleartext hostname/project on DHT) -- v1.1
+- ✓ Direct PKARR Mainline DHT transport (no homeserver dependency) -- v1.1
 
 ### Active
 
-- [ ] Sign burn + recipient fields in handoff payload (clean break from v1.0 format)
-- [ ] Enforce key file permissions (0600) explicitly in cclink code
-- [ ] PIN-protected handoffs (`--pin`) with Argon2id+HKDF-derived key
-- [ ] Make `--burn` + `--share` mutually exclusive
-- [ ] Fix pickup CLI help text (self-publish suggests wrong command)
-- [ ] Lazy signin / session reuse in HomeserverClient
-- [ ] Deduplicate `human_duration` into shared utility
-- [ ] Structured error handling (replace string matching with CclinkError variants)
-- [ ] Remove dead CclinkError variants
-- [ ] Optimize list command (reduce N+1 HTTP requests)
-- [ ] Update PRD stale path references (~/.cclink → ~/.pubky)
+(None -- next milestone will define new requirements)
 
 ### Out of Scope
 
-- Team/shared namespace handoffs — v2, not needed for single-user flow
-- Web UI at cclink.dev — optional polish, CLI-first
-- Claude Code hook/plugin integration — future consideration
-- Mobile app — terminal-only
-- Notifications/push — out of scope entirely
-- Session preview/summary — would require accessing session content
-- 3GS integration — future consideration
-- Override inferred project label via `--project` — deferred, not in code review scope
-- Burn-after-read for shared records — homeserver can't support delegated delete; --burn + --share now mutually exclusive
-
-## Current Milestone: v1.1 Security Hardening & Code Review Fixes
-
-**Goal:** Address all findings from external code review — fix security gaps, resolve functional discrepancies, and improve code quality.
-
-**Target features:**
-- Signed metadata (burn + recipient in payload)
-- Key file permission enforcement
-- PIN-protected handoffs
-- Lazy authentication
-- Structured error handling
-- List command optimization
+- Team/shared namespace handoffs -- v2, not needed for single-user flow
+- Web UI at cclink.dev -- optional polish, CLI-first
+- Claude Code hook/plugin integration -- future consideration
+- Mobile app -- terminal-only
+- Session preview/summary -- would require accessing session content
+- Override inferred project label via `--project` -- deferred, not in code review scope
+- Burn-after-read for shared records -- DHT can only be revoked by key owner
 
 ## Context
 
-Shipped v1.0 with 2,851 LOC Rust.
-Tech stack: Rust, pkarr 5.0.3, age (x25519), reqwest (rustls), clap, owo-colors, comfy-table, qr2term.
+Shipped v1.1 with 2,633 LOC Rust (src) + 590 LOC tests.
+Tech stack: Rust, pkarr 5.0.3 (Mainline DHT), age (X25519), clap, owo-colors, comfy-table, qr2term, argon2.
 
 - Claude Code stores sessions in `~/.claude/projects/` as directories with JSONL progress records
 - `claude --resume <sessionID>` resumes a session from any device with filesystem access
-- Pubky is a decentralized protocol using PKARR (Public Key Addressable Resource Records) for identity
+- Records published directly to PKARR Mainline DHT as DNS TXT records inside Ed25519-signed packets
+- One handoff per identity (DHT stores one SignedPacket per public key)
 - Ed25519 keys birationally map to X25519, enabling age encryption with the same keypair
-- The pickup device still needs filesystem access to the session data (SSH, Tailscale, etc.) — cclink only transfers the session ID reference, not session content
-- Handoff records are published to `/pub/cclink/<token>` on the homeserver
-- A `latest` pointer tracks the most recent handoff
-- Key storage at `~/.pubky/secret_key` with 0600 permissions (reuses Pubky ecosystem path)
+- All sensitive metadata (hostname, project path, session ID) encrypted into blob -- DHT nodes see only ciphertext
+- Key storage at `~/.pubky/secret_key` with 0600 permissions
+- The pickup device still needs filesystem access to session data (SSH, Tailscale, etc.) -- cclink only transfers the session ID reference
 
 ## Constraints
 
-- **Language**: Rust — single binary distribution, pubky crate available
-- **Identity**: PKARR/Ed25519 — reuse existing Pubky identity ecosystem
-- **Transport**: Pubky protocol (homeserver + DHT) — no custom relay
-- **Encryption**: age with x25519 — lightweight, Ed25519-compatible
+- **Language**: Rust -- single binary distribution, pkarr crate available
+- **Identity**: PKARR/Ed25519 -- reuse existing Pubky identity ecosystem
+- **Transport**: PKARR Mainline DHT -- no custom relay, no accounts, no homeserver
+- **Encryption**: age with X25519 -- lightweight, Ed25519-compatible
 - **Key storage**: `~/.pubky/secret_key` with 0600 permissions
 - **No session content transit**: Only encrypted session ID and metadata cross the network
+- **SignedPacket budget**: 912 bytes max JSON in DHT records (1000-byte DNS payload limit)
 
 ## Key Decisions
 
 | Decision | Rationale | Outcome |
 |----------|-----------|---------|
-| Rust single binary | Performance, pubky crate available, easy distribution | ✓ Good — 2,851 LOC, compiles clean |
-| age encryption over NaCl box | Simpler API, well-audited, maps cleanly from Ed25519 | ✓ Good — round-trip verified, no plaintext leaks |
-| Pubky homeserver transport | No custom relay needed, censorship-resistant, reuses existing infra | ✓ Good — PUT/GET/DELETE all working |
-| Latest pointer pattern | Simple way to find most recent handoff without listing all records | ✓ Good — clean single-lookup pickup path |
-| ~/.pubky/ key storage | Reuse Pubky ecosystem directory instead of ~/.cclink/ | ✓ Good — consistent with pubky tooling |
-| 24h default TTL (not 8h) | More forgiving for cross-timezone handoffs | ✓ Good — context decision in Phase 3 |
-| Exec as default behavior | Pickup always runs claude --resume after confirm (not opt-in --exec) | ✓ Good — fewer flags, natural flow |
-| burn/recipient as unsigned metadata | Preserve Phase 3 signature compatibility | ✓ Good — backwards-compatible record format |
-| httpmock for sync integration tests | Works with reqwest::blocking without tokio runtime conflicts | ✓ Good — 7 integration tests, all #[test] |
-| PIN mode deferred to v2 | Low entropy (4 digits); --share provides real access control | — Deferred |
-| Sign burn+recipient (clean break) | Old v1.0 records expire via TTL, no migration needed | — Pending |
-| --burn + --share mutually exclusive | Recipient can't DELETE owner's record; silent skip is worse | — Pending |
+| Rust single binary | Performance, pkarr crate available, easy distribution | ✓ Good |
+| age encryption over NaCl box | Simpler API, well-audited, maps cleanly from Ed25519 | ✓ Good |
+| PKARR Mainline DHT transport | No accounts, no tokens, no homeserver -- true decentralization | ✓ Good |
+| ~/.pubky/ key storage | Reuse Pubky ecosystem directory | ✓ Good |
+| 24h default TTL | More forgiving for cross-timezone handoffs | ✓ Good |
+| Exec as default behavior | Pickup always runs claude --resume | ✓ Good |
+| Signed burn+recipient (clean break) | Old v1.0 records expire via TTL, no migration needed | ✓ Good |
+| --burn + --share mutually exclusive | Recipient can't revoke owner's record | ✓ Good |
+| PIN mode with Argon2id+HKDF | Real security feature, not just 4-digit PIN | ✓ Good |
+| Replace homeserver with DHT | Eliminates signup tokens, accounts, authentication sessions | ✓ Good |
+| Encrypt metadata into blob | No hostname/project leakage on DHT | ✓ Good |
+| skip_serializing_if on defaults | Saves ~71 bytes in common case for SignedPacket budget | ✓ Good |
 
 ---
-*Last updated: 2026-02-22 after v1.1 milestone start*
+*Last updated: 2026-02-22 after v1.1 milestone*