docs: flip FoF section 20a badges to v0.7.0 + sessions.md release entry

design.html section 20a (Friend-of-Friend Visibility): - Section header badge: planned → v0.7.0 complete - FoFClosed PostVisibility table row: planned → v0.7.0 - All 5 layer rows in the implementation table: planned → v0.7.0 - Custom-subset row retained as v2 (genuinely deferred per spec) sessions.md: full session entry for the Layer 1-5 implementation arc. 34 commits, ~24 new fof:: integration tests, key design decisions preserved (slot_binder_nonce circularity fix, per-post pub_x/priv_x, multi-epoch receiver-chain V_me storage, retroactive cascade delete, key-burn semantics). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 20:57:25 -06:00 · 2026-05-14 20:57:25 -06:00 · ad9282f24a
commit ad9282f24a
parent d46fcb4ef4
2 changed files with 75 additions and 7 deletions
--- a/sessions.md
+++ b/sessions.md
@ -6,6 +6,74 @@ See `CONTRIBUTING.md` for the protocol. See `AGENTS.md` for the Claude-specific

 ---

+## 2026-05-13 to 2026-05-15 — primary Claude (Lead) — `docs/fof-spec-layer1-bio-grants` → master
+
+**Started**: May 13 UTC. Released v0.7.0 stable on May 15 UTC.
+**Instance**: Scott's primary Claude (Lead)
+**Issue**: implement FoF spec Layers 1–5 end-to-end
+**Branch**: `docs/fof-spec-layer1-bio-grants` (continued from prior spec-drafting session; merged to master at d46fcb4 on May 15)
+**Scope**: Friend-of-Friend post gating: per-persona vouch keys, anonymous bio-post wrapper distribution, FoF-gated comments with CDN verification, FoF-closed encrypted bodies, V_me lifecycle (rotation/cascade/key-burn), unlock cache + retry sweep. Pre-deploy hardening pass. Version bump to 0.7.0 stable.
+
+**Commits landed on master** (34 total, `1fdf9a9..d46fcb4`):
+
+Layer 1 (vouch primitive):
+- `8a53d83` schema + storage API + HPKE-sealed vouch-grant crypto + 3 tests
+- `bc008c5` wire types (VouchGrantBatch) + V_me auto-gen on persona create
+- `3ee5c30` publish path: bucketed-padding VouchGrantBatch in bio posts
+- `d1afcec` receive-path scan + follow-gating + scan cache (2 e2e tests)
+- `34c5b60` Tauri commands + Settings UI for vouching
+
+Layer 2 (Mode 2 + CDN verify + revocation + access-grant):
+- `74fec3b` wrap-slot dual-derivation seal/open primitives + 4 tests
+- `0f5147a` wire types: WrapSlot, FoFCommentGating, CommentPermission::FriendsOfFriends, RevocationEntry
+- `bdcd214` fof.rs: build_fof_comment_gating with bucketed padding
+- `673f9e2` wired FoF gating into post-create path
+- `00522f4` reader unlock + commenter authoring + sig verify (1 roundtrip test)
+- `63ff5ad` CDN four-check verification on AddComment receive
+- `583033e` persist FoF fields + fof_revocations table
+- `6a76ade` FoFRevocation diff + sign/verify/apply + retroactive cascade-delete (2 tests)
+- `96118d7` FoFAccessGrant diff + retroactive read widening (1 test)
+- `10de3f6` Tauri commands + frontend compose-picker for Mode 2
+
+Layer 3 (Mode 1 FoFClosed):
+- `856f386` PostVisibility::FoFClosed variant + body encrypt/decrypt + body-size bucket padding (3 tests)
+- `66b7804` create_post_fof_closed + read_fof_closed_body + frontend hooks for locked/unlocked posts (1 e2e test)
+
+Layer 4 (V_me lifecycle + cascade + key-burn):
+- `c0de21d` own_post_slot_provenance + Node::rotate_v_me + cascade_revoke_v_me_epoch (1 test)
+- `c2f2203` FoFKeyBurn primitive (1 test)
+- `fdbf97f` supersedes_post_id field for re-issue path
+- `ce710a6` Tauri commands + Settings "Rotate my vouch key" UI
+
+Layer 5 (perf):
+- `12a3058` unlock cache + unreadable-posts queue + author-direct fast path + sweep on V_x arrival (2 tests)
+
+Pre-deploy hardening (audit pass):
+- `aa190db` wire-shape validation on incoming FoF posts; unreadable-queue per-persona cap of 4096 (7 tests)
+- `4ec3a80` key-burn replay rejection (monotonic timestamps); MAX_SWEEP_PER_CALL=256 (1 test)
+
+Release prep:
+- `d46fcb4` version bump 0.6.2 → 0.7.0; download page updated with FoF release notes
+
+**Test count**: 158 passing on master (added ~24 new fof:: integration tests across Layers 1–5 + hardening).
+
+**Build state**: full-pipeline deploy initiated on May 15 (`./deploy.sh` from this Linux host: CLI + AppImage + APK in parallel, sign APK, sequential SCP uploads, anchor swap with signed release announcement). Windows installer separate (uploaded by Windows host team).
+
+**Key design decisions worth knowing**:
+- `slot_binder_nonce` (32B random per post) replaces the spec's "post_id in HKDF info" — PostId = BLAKE3(post) was circular here. Same anti-replay property.
+- Per-V_x signing keypair (`pub_x`/`priv_x`) generated per-post (not per-V_x-genesis). Comment signing is asymmetric Ed25519; PQ-migration deferred. Body + comment-payload encryption is symmetric ChaCha20-Poly1305 (PQ-safe).
+- `vouch_keys_received` keyed by `(holder, owner, epoch)` — multi-epoch retention is the receiver-chain mechanism. New V_me from a voucher appends; old key isn't deleted.
+- Revocation is per-post per-pub_x with retroactive cascade-delete. V_me rotation is grandfather-by-default; cascade is opt-in via `cascade_revoke_v_me_epoch`. Key-burn swaps slots in-place for leaked-key scenarios.
+
+**Pending after deploy succeeds**:
+- Live shakedown on real devices (Scott has been looking forward to this).
+- Per-post Revoke / Grant Access UI surfaces (Tauri commands exist; only Rotate has a Settings button so far).
+- Update `MEMORY.md` "Current Status" to v0.7.0 once anchor swap confirms healthy.
+
+**Stopping point**: deploy script running in background; master at `d46fcb4`. Awaiting deploy completion notification.
+
+---
+
 ## 2026-04-24 — primary Claude (Lead) — `docs/fof-spec-layer1-bio-grants`

 **Started**: April 24 UTC
--- a/website/design.html
+++ b/website/design.html
@ -1305,7 +1305,7 @@ END</code></pre>
                <tr><td><code>Public</code></td><td>None</td><td>Unlimited</td></tr>
                <tr><td><code>Encrypted { recipients }</code></td><td>~60 bytes per recipient</td><td>~500 (256KB cap)</td></tr>
                <tr><td><code>GroupEncrypted { group_id, epoch, wrapped_cek }</code></td><td>~100 bytes total</td><td>Unlimited (one CEK wrap for the group)</td></tr>
-                <tr><td><code>FoFClosed { pub_post_set, wrap_slots }</code> <span class="badge badge-planned">Planned</span></td><td>~154 bytes per admitted V_x, padded</td><td>Bucketed (8/16/32/64/128/256, then +128 steps)</td></tr>
+                <tr><td><code>FoFClosed</code> <span class="badge badge-complete">v0.7.0</span></td><td>~154 bytes per admitted V_x, padded</td><td>Bucketed (8/16/32/64/128/256, then +128 steps)</td></tr>
            </table>

            <h3>PostId integrity</h3>
@ -1354,7 +1354,7 @@ END</code></pre>

        <!-- 20a. Friend-of-Friend Visibility -->
        <section id="fof">
-            <h2>20a. Friend-of-Friend Visibility <span class="badge badge-planned">Planned</span></h2>
+            <h2>20a. Friend-of-Friend Visibility <span class="badge badge-complete">v0.7.0</span></h2>

            <div class="note">
                <strong>Distinct from directory vouches.</strong> The "FoF vouch" described here is a <em>cryptographic</em> primitive for post readership and comment gating (per-persona symmetric key <code>V_me</code>). It is unrelated to the <em>directory vouch</em> system in <a href="#directory">section 27</a>, which governs discovery-layer trust and bot-ring resistance. The two share vocabulary but operate at different layers.
@ -1443,11 +1443,11 @@ END</code></pre>
            <p>Full crypto-level byte layouts, data models, wire-format additions, ship criteria, and integration tests are specified in <code>docs/fof-spec/</code>. The implementation is layered for bottom-up shipping:</p>
            <table>
                <tr><th>Layer</th><th>Scope</th><th>Status</th></tr>
-                <tr><td>1</td><td>Vouch primitive (V_x keys, keyring, bio-post HPKE wrappers, scan policy)</td><td><span class="badge badge-planned">Planned</span></td></tr>
-                <tr><td>2</td><td>Mode 2: public posts with FoF-gated comments, CDN-level verification</td><td><span class="badge badge-planned">Planned</span></td></tr>
-                <tr><td>3</td><td>Mode 1: <code>FoFClosed</code> body + wrap slots + anonymous prefilter</td><td><span class="badge badge-planned">Planned</span></td></tr>
-                <tr><td>4</td><td>Rotation, revocation, key lifecycle (grandfather + cascade + key-burn)</td><td><span class="badge badge-planned">Planned</span></td></tr>
-                <tr><td>5</td><td>Unlock cache + prefilter optimization (perf-critical at scale)</td><td><span class="badge badge-planned">Planned</span></td></tr>
+                <tr><td>1</td><td>Vouch primitive (V_x keys, keyring, bio-post HPKE wrappers, scan policy)</td><td><span class="badge badge-complete">v0.7.0</span></td></tr>
+                <tr><td>2</td><td>Mode 2: public posts with FoF-gated comments, CDN-level verification</td><td><span class="badge badge-complete">v0.7.0</span></td></tr>
+                <tr><td>3</td><td>Mode 1: <code>FoFClosed</code> body + wrap slots + anonymous prefilter</td><td><span class="badge badge-complete">v0.7.0</span></td></tr>
+                <tr><td>4</td><td>Rotation, revocation, key lifecycle (grandfather + cascade + key-burn)</td><td><span class="badge badge-complete">v0.7.0</span></td></tr>
+                <tr><td>5</td><td>Unlock cache + prefilter optimization (perf-critical at scale)</td><td><span class="badge badge-complete">v0.7.0</span></td></tr>
            </table>
        </section>