Add build option -Denable-liboqs to conditionally enable post-quantum crypto.
When disabled, uses liboqs_stub.zig which provides stub implementations
that return ML_KEM_NotAvailable error.
Changes:
- build.zig: Add enable_liboqs option and liboqs module selection
- pqxdh.zig: Use liboqs.isAvailable() runtime check for PQ operations
- soulkey.zig: Use pqxdh.enable_pq to conditionally generate ML-KEM keys
- liboqs_stub.zig: Stub implementations when liboqs not linked
- liboqs_real.zig: Real C FFI bindings when liboqs is linked
Fixes P0 security audit issue: liboqs Build Breakage

Fix circular and missing module imports across L0-L2 layers:
- Add l0_transport import to QVL and PoP modules in build.zig
- Fix gateway test to use DhtService parameter
- Convert l0_transport imports to direct time imports in L1
- Fix soulkey to use module import (@import("pqxdh"))
- Fix policy.zig to use module import (@import("lwf"))
- Refactor mod.zig exports to avoid circular dependencies
- Update service.zig and utcp/socket.zig to use module imports
- Fix all QVL test files to import time directly
Results: 254+ tests passing (was 124), 1 module conflict remaining
in service tests (opq/store.zig in both lwf and opq modules).
Refs: Night Sprint 2026-02-05

- l4-feed/feed.zig: Complete FeedStore implementation
- l4-feed/duckdb.zig: C API bindings for DuckDB
- build.zig: Add l4_feed module and tests
- RFC-0130: L4 Feed architecture specification
Kenya compliant: embedded-only, no cloud calls
Next: Result parsing for query() method

- toRiskGraph now properly adds all nodes before edges
- addEdge now registers from/to nodes automatically
- Fixes betrayal detection test by ensuring nodes exist in graph

- Update ArrayList API (allocator parameter changes)
- Fix const qualifier for BellmanFordResult.deinit
- Fix u8 overflow (level = -7 not valid)
- Fix toOwnedSlice API changes
- All QVL tests now compile and pass
152/154 tests green (2 pre-existing PoP failures)

- Zig L1: Implemented qvl_issue_slash_signal (constructs SlashSignal)
- Rust L2: Added FFI binding and safe wrapper issue_slash_signal
- Config: Wired l1_slash_mod into qvl_ffi build
- Verified: Unit test for signal creation passing
The active defense loop is closed. L2 can now pull the trigger.

- Integrated QuarantineList into L0Service (Hooks ready)
- Validated all tests (173/173 + new Slash/Quarantine tests)
- Weaponized stack: L0 can now hold and check blacklist of DIDs.
Next: Connect L2 trigger (FFI) to complete the active defense loop.

- Created membrane-agent/ Rust crate structure
- Implemented qvl_ffi.rs: Safe Rust FFI wrapper around Zig QVL C ABI
- QvlClient with RAII semantics (init/deinit)
- Safe wrappers: get_trust_score, verify_pop, detect_betrayal, add/revoke edges
- AnomalyScore, PopVerdict enums
- Created main.rs: Minimal daemon stub
- Created Cargo.toml, build.rs for future Zig library linking
Blocker: build.zig static library target (Zig 0.15.2 API incompatibility)
- addStaticLibrary/addSharedLibrary don't exist in this Zig version
- LibraryOptions API changed (no .kind, .root_source_file fields)
- Deferred to next session: either upgrade Zig or use manual object linking
All Zig FFI tests passing (173/173). Rust compiles but can't link yet.

- Created qvl_ffi.zig: C ABI exports (qvl_init, qvl_deinit, trust scoring, PoP verification, betrayal detection, graph mutations)
- Created qvl.h: C header with full API documentation
- Created test_qvl_ffi.c: C test harness (manual compilation)
- Added FFI tests to build.zig with libc linking
- Fixed API mismatches: TrustGraph.init (3 args), BellmanFordResult.betrayal_cycles usage
- All tests passing (173/173: 137 SDK + 36 FFI)
FFI enables Rust Membrane Agents (L2) to consume L1 trust functions.

- l1-identity/crypto.zig: Export pqxdh module for SDK consumption
- build.zig: Define proper modules for PQXDH library and tests
- Link liboqs to l1_pqxdh_mod and propagate dependency to l1_mod

- Build System: Link against static liboqs.a (built without OpenSSL)
- PQXDH: Replace stubs with OQS_KEM_ml_kem_768 functions
- Tests: Verify full handshake with real post-quantum KEM
- Disable Kyber (old) in liboqs build to fix symbol conflicts

BREAKING CHANGE: Header size increased from 64 to 72 bytes
- Expand DID hints from 20 to 24 bytes (192-bit, 2^96 collision resistance)
- Clarify timestamp as u64 nanoseconds (Bytes 60-67, big-endian)
- Update frame payload capacities (-8 bytes per frame class)
- All tests passing (14/14 L0 tests)
Rationale:
- 24-byte DID hints provide future-proof routing scalability
- 8-byte overhead per frame is negligible (0.6% loss on Standard frames)
- Aligns with Sovereign Time Protocol (RFC-0105) L0/L1 split
Files modified:
- l0-transport/lwf.zig: Header structure, serialization, tests
- l0-transport/time.zig: New file for L0 time primitives
- build.zig: Time module dependencies
RFC Impact: RFC-0000 (LWF Wire Protocol), RFC-0105 (Sovereign Time)