docs: post-release hygiene + round-3 reviewer delta

Four trailing-doc updates following the 0.1.0-alpha.5 + 0.2.0-alpha.1
+ 0.2.0-alpha.2 releases:

- README.md: `cargo add` snippet bumped alpha.1 → alpha.2; spec
  pointer refreshed draft-01 → draft-03; note that 0.1.x alphas
  are wire-incompatible at the signed-consent-body layer.
- FOLLOW_UPS.md: "stay at 0.1.0-alpha.x until review" policy
  replaced with post-Phase-B reality ("stay at 0.2.0-alpha.x
  until round-3 review"); Ricardian-binding entry draft-02 →
  draft-03; new Closed-items section capturing #1–#5 resolutions.
- plans/OPEN_ISSUES_PLAN.md: top-of-file status flipped from
  "Phase B deferred" to "CLOSED"; release table gains the
  alpha.2 hardening row.
- plans/REVIEW_DELTA_DRAFT_03.md (new): scoped round-3 reviewer
  document. ~650 words. §1 deltas since draft-02r1 (receiver-
  local draft-02r2, breaking draft-03, no-wire alpha.2
  hardening). §2 six targeted questions ranked by cryptographic
  weight (fingerprint info composition; BE request_id choice;
  timing side-channel in verify_fingerprint_either_epoch;
  transition-table corner case for LegacyBypass; Response vs
  Revocation timestamp asymmetry; overall §12.8 / §12.10
  coherence). §3 source-file pointers. Intent: the reviewer
  reads ~10 minutes, answers six scoped questions, we close the
  round-3 cycle without requiring a full spec re-read.

docs.rs verified: status:true on 0.1.0-alpha.5, 0.2.0-alpha.1,
and 0.2.0-alpha.2 (no silent feature-matrix failures).

Author: Tristan-Stoltz-ERC

FOLLOW_UPS.md

@@ -93,7 +93,7 @@ dependency.
 ### v1.1 — Ricardian causal-binding on ConsentRequest
 
 - **Placeholder**: `causal_binding: Option<CausalPredicate>` field
-  already in the draft-02 wire format.
+  already in the draft-03 wire format (MUST be `None` in draft-03).
 - **What**: authority binding ("valid while ticket #1234 is
   In-Progress") evaluated against an external truth source.
 - **Blocker**: decentralized-identity layer on Holochain must have
@@ -157,18 +157,21 @@ dependency.
 
 ## Decisions being deferred
 
-### When to bump to 0.1.0 stable
+### When to bump to 0.2.0 stable
 
-The original Track A plan targeted `0.1.0` at Week 6. We are at
-Week 6 without external crypto review. Bumping stable now would be
-a discipline failure — the spec is unreviewed, the wire format is
-still subject to change, and the consent ceremony has seven days of
-in-repo history.
+**Updated 2026-04-18 (post-Phase-B).** The 0.1.0 target became a
+0.2.0 target once draft-03 added mandatory `session_fingerprint` (a
+breaking wire change at the signed-consent-body layer). Published
+state: `0.2.0-alpha.2`, SPEC draft-03, all four round-2 review
+issues closed.
 
-**Current policy**: stay at `0.1.0-alpha.x` until at least one
-independent cryptographer has signed off on SPEC §3 + §5 + §12.
-If review finds issues, iterate alpha.4+. If review is clean, bump
-to `0.1.0-rc.1` as a test run before `0.1.0` stable.
+**Current policy**: stay at `0.2.0-alpha.x` until a round-3
+independent cryptographer review signs off on the draft-03-specific
+additions — specifically SPEC §12.3.1 (session_fingerprint HKDF
+construction), §12.6.1 (normative transition table), and §12.8
+(timing-channel assumption). A scoped delta doc for the reviewer
+is at `plans/REVIEW_DELTA_DRAFT_03.md`. If review finds issues,
+iterate alpha.3+. If review is clean, bump to `0.2.0-rc.1`.
 
 ### Whether to host a live demo
 
@@ -188,8 +191,18 @@ main track.
 
 ## Closed items
 
-*(None yet — this file was created at Week 6 launch. Closed items
-move here with a one-line note.)*
+- **Round-2 review issues #1-#4** (2026-04-18). All four items
+  flagged by the round-2 cryptographic review are now closed. #2
+  split `Pending` + #4 configurable replay window shipped as
+  `0.1.0-alpha.5` (SPEC draft-02r2, receiver-local). #1 mandatory
+  `session_fingerprint` + #3 normative transition table shipped as
+  `0.2.0-alpha.1` (SPEC draft-03, breaking at the signed-body
+  layer). Receiver hardening (rekey-aware verify, timing-channel
+  note, violation vectors, fuzz harness, MIGRATION.md) shipped as
+  `0.2.0-alpha.2`.
+- **Per-key-epoch replay bug** (#5) (2026-04-18). Closed in
+  `0.1.0-alpha.4`. `ReplayWindow` keyed by `(source_id, pld_type,
+  key_epoch)` per SPEC §5.3.
 
 ---
 

README.md

@@ -65,14 +65,17 @@ caller's), and no opinion about handshake. Those live at higher layers.
 
 ## Install
 
-Because `0.1.0-alpha.1` is a pre-release, add it with the `@` form —
+Because `0.2.0-alpha.2` is a pre-release, add it with the `@` form —
 `cargo add --version ...` rejects pre-release specifiers:
 
 ```console
-$ cargo add 'xenia-wire@0.1.0-alpha.1'
+$ cargo add 'xenia-wire@0.2.0-alpha.2'
 ```
 
-Once a stable `0.1.0` ships, `cargo add xenia-wire` will just work.
+Once a stable `0.2.0` ships, `cargo add xenia-wire` will just work.
+Earlier `0.1.x` alphas are still on crates.io but are wire-incompatible
+at the signed-consent-body layer (see SPEC Appendix B for the draft
+matrix); new integrations should start on `0.2.x`.
 
 ## Quick start
 
@@ -186,7 +189,7 @@ exposition; [`SPEC.md`](SPEC.md) is the normative reference.
 
 ## Specification
 
-Reading [`SPEC.md`](SPEC.md) (**draft-01**) should be sufficient to
+Reading [`SPEC.md`](SPEC.md) (**draft-03**, current) should be sufficient to
 write an interoperable implementation in any language. Reading the
 source of this crate should NOT be necessary. If you find gaps in
 the spec, please file an issue — the spec is the normative reference,

plans/OPEN_ISSUES_PLAN.md

@@ -1,8 +1,8 @@
-# Open-issues plan (post-alpha.4)
+# Open-issues plan (post-alpha.4) — CLOSED
 
-**Status**: Phase A **SHIPPED** as `0.1.0-alpha.5` on 2026-04-18 (commit `4a337a7`, tag `v0.1.0-alpha.5`). Phase B deferred — needs user sign-off on design questions enumerated in issues [#1](https://github.com/Luminous-Dynamics/xenia-wire/issues/1) and [#3](https://github.com/Luminous-Dynamics/xenia-wire/issues/3).
+**Status**: Phase A + Phase B both **SHIPPED**; all four round-2 review issues resolved. This document is retained as the design-decision provenance for the shipped work; nothing in it is still pending execution. Further hardening ([`0.2.0-alpha.2`](https://github.com/Luminous-Dynamics/xenia-wire/releases/tag/v0.2.0-alpha.2)) is captured in the CHANGELOG, not here.
 **Scope**: all 4 GitHub issues left open after `xenia-wire 0.1.0-alpha.4`.
-**Last updated**: 2026-04-18 — Phase A closeout.
+**Last updated**: 2026-04-18 — Phase B closeout.
 
 This document collapsed issues #1–#4 into an executable plan. Each issue
 got a concrete design (API shape, state transitions, file list, test
@@ -11,7 +11,8 @@ plan). The four were batched into two releases by wire-format compatibility:
 | Release | Wire change? | Issues | Status |
 |---------|--------------|--------|--------|
 | **`0.1.0-alpha.5`** (SPEC draft-02r2) | No | [#2](https://github.com/Luminous-Dynamics/xenia-wire/issues/2) split `Pending`, [#4](https://github.com/Luminous-Dynamics/xenia-wire/issues/4) configurable replay window | ✅ **shipped 2026-04-18** |
-| **`0.2.0-alpha.1`** (SPEC draft-03) | Yes (breaking) | [#1](https://github.com/Luminous-Dynamics/xenia-wire/issues/1) `session_binding`, [#3](https://github.com/Luminous-Dynamics/xenia-wire/issues/3) duplicate/conflict transition table | ⏸️ deferred pending sign-off |
+| **`0.2.0-alpha.1`** (SPEC draft-03) | Yes (breaking) | [#1](https://github.com/Luminous-Dynamics/xenia-wire/issues/1) `session_binding`, [#3](https://github.com/Luminous-Dynamics/xenia-wire/issues/3) duplicate/conflict transition table | ✅ **shipped 2026-04-18** |
+| **`0.2.0-alpha.2`** (draft-03 hardening) | No | Rekey-aware verify; timing-channel assumption; violation vectors; fuzz target; MIGRATION.md | ✅ **shipped 2026-04-18** |
 
 The batching matters: draft-03 breaks the canonical bytes of signed
 `ConsentRequestCore`, so anyone consuming consent test vectors or

plans/REVIEW_DELTA_DRAFT_03.md

@@ -0,0 +1,248 @@
+# Round-3 review — delta since draft-02r1
+
+**Target version**: `xenia-wire 0.2.0-alpha.2` / SPEC **draft-03**.
+**Assumed prior context**: you last reviewed **draft-02r1**
+(`xenia-wire 0.1.0-alpha.3` / `alpha.4`, April 2026), which flagged
+four open design items: session-binding (loose), split-Pending,
+duplicate/conflict consent semantics, configurable replay window.
+
+This document is the scoped follow-up. It is deliberately short:
+
+- **§1** is the deltas since draft-02r1 — nothing you haven't seen
+  before if you tracked Appendix B, but collected here for quick
+  orientation.
+- **§2** is six targeted questions ranked by cryptographic weight.
+  Questions 1-3 are where we genuinely would like an independent
+  opinion; 4-6 are lower-risk "any concerns?" items.
+
+Section-number references (e.g., §12.3.1) are to SPEC.md at
+`v0.2.0-alpha.2`. Source-file references are to the reference
+implementation at the same tag.
+
+---
+
+## 1. Deltas since draft-02r1
+
+### draft-02r2 (shipped `0.1.0-alpha.5`, no wire change)
+
+- Split `ConsentState::Pending` into **`LegacyBypass`** (default,
+  sticky) and **`AwaitingRequest`** (opt-in via
+  `SessionBuilder::require_consent(true)`). Pure receiver-local;
+  no envelope bytes change.
+- Replay window parameterized: `W ∈ {64, 128, 256, 512, 1024}`
+  bits, default 64. Multi-word bitmap shift internal to
+  `ReplayWindow`. Peers agree on `W` out-of-band.
+
+These are bookkeeping; we don't expect review input unless you see
+a hazard.
+
+### draft-03 (shipped `0.2.0-alpha.1`, **breaking** at signed-body layer)
+
+- **Mandatory `session_fingerprint: [u8; 32]`** on all three signed
+  cores (`ConsentRequestCore`, `ConsentResponseCore`,
+  `ConsentRevocationCore`). Canonical field order pinned in §12.3
+  and is normative. Derivation specified in §12.3.1:
+
+  ```
+  salt = b"xenia-session-fingerprint-v1"       (28 bytes ASCII)
+  ikm  = current AEAD session_key               (32 bytes)
+  info = source_id || epoch || request_id_be    (8 + 1 + 8 = 17 bytes)
+  L    = 32
+  HKDF-SHA-256(salt, ikm).expand(info, L) -> fingerprint
+  ```
+
+- **Normative transition table for the consent state machine**
+  (§12.6.1). Covers every (state, event, `request_id`-predicate)
+  tuple. Three defined protocol violations surface as
+  `WireError::ConsentProtocolViolation(ConsentViolation)`:
+
+  - `RevocationBeforeApproval { request_id }`
+  - `ContradictoryResponse { request_id, prior_approved, new_approved }`
+  - `StaleResponseForUnknownRequest { request_id }`
+
+  `ConsentEvent` variants now carry `{ request_id }`.
+  `Session::observe_consent` returns `Result<ConsentState,
+  ConsentViolation>`. On violation, state is NOT mutated; the wire
+  does not tear down the transport.
+
+- **UI-guidance subsection §12.6.2** — "change of mind after
+  approval" MUST be expressed as a fresh `ConsentRevocation`, never
+  as a contradictory `ConsentResponse`. This was the contentious
+  decision during internal review: we considered "later-wins" on
+  contradictory `ConsentResponse`, rejected it because (a) the
+  `ConsentResponseCore` body carries no timestamp, and (b) a
+  captured late-Denied from a prior session could force teardown
+  on a new Approved one if the fingerprint ever reused across
+  ceremonies. Rejection aligns with the decision to make
+  fingerprint mandatory.
+
+- **Security-properties rewrite §12.8**: the "LOOSE binding"
+  bullet from draft-02r1 becomes "TIGHT binding". New
+  protocol-violation-detection bullet for the transition table.
+
+### draft-03 hardening (shipped `0.2.0-alpha.2`, no wire or API change)
+
+- **Rekey-aware fingerprint verify.**
+  `Session::verify_consent_{request,response,revocation}` now
+  probe **both** the current and (if present) the previous session
+  keys when comparing the embedded fingerprint. A consent message
+  AEAD-verified under the previous key during the grace window
+  now also passes the fingerprint check. §12.3.1 rekey
+  interaction spells this out.
+- **Timing-channel assumption (§12.8)** — new paragraph. Asserts
+  the verify pipeline (bincode deserialize, Ed25519 verify,
+  fingerprint compare) MUST NOT branch on secret-dependent bytes.
+  Reference impl ships an inline constant-time 32-byte compare
+  (`src/session.rs::ct_eq_32`); alternate-language implementers
+  are on the hook for auditing bincode-equivalents and Ed25519
+  libs.
+- **Test vectors 10/11/12** for the three `ConsentViolation`
+  variants (event-sequence format; grammar in
+  `test-vectors/10_revocation_before_approval.txt`).
+- **`cargo-fuzz` target `fuzz_observe_consent`** asserting four
+  invariants per step: no panic, state always valid, seal-gate
+  matches state, violations never mutate state.
+
+Not in this review cycle: the paper draft (no crypto changes), the
+reference LZ4 path (unchanged since draft-02), the replay window
+parameterization (mechanical generalization of the draft-02 fixed
+64).
+
+---
+
+## 2. Questions ranked by weight
+
+### 2.1 `session_fingerprint` `info` composition (§12.3.1)
+
+**The question.** Is `info = source_id || epoch || request_id_be`
+the right input set?
+
+**Alternatives considered:**
+
+| Variant | Property |
+|---|---|
+| `info = []` | Session-key-only binding. Per-ceremony replay opens up inside a single session. |
+| `source_id ‖ epoch` | Session-identity binding. A `ConsentResponse` signed for `request_id=7` is replayable as one for `request_id=8` — undesirable. |
+| **`source_id ‖ epoch ‖ request_id_be` (chosen)** | Per-ceremony binding. What's shipped. |
+| `source_id ‖ epoch ‖ request_id_be ‖ pld_type` | Per-message-type per-ceremony binding. Would give a distinct fingerprint per message kind. Avoids a hypothetical attack where a captured Response is replayed as a Revocation; we don't currently see that attack, but it's not impossible. |
+
+**Specific ask.** Is the chosen set sufficient for a signed-consent
+replay threat model, or should `pld_type` be mixed into `info`?
+
+### 2.2 Big-endian `request_id` in `info`
+
+**The question.** SPEC §12.3.1 specifies `request_id_be` — the u64
+in big-endian. Every other integer on the Xenia wire is
+little-endian (per bincode v1 default; nonce sequence bytes are
+explicitly LE per §3). The mixed convention is intentional — we
+wanted the `info` byte-order to differ from the ambient wire so
+that an implementation reaching for a "byte-encode this u64 the
+usual way" path would produce the wrong fingerprint and fail
+loudly rather than silently.
+
+**Specific ask.** Is this mistake-reduction smart, or is it a
+footgun that buys nothing because the endianness is already
+specified normatively either way?
+
+### 2.3 Timing side-channel in `verify_fingerprint_either_epoch`
+
+**The question.** On the receive path, `verify_consent_*` derives
+the fingerprint against the **current** key, compares, and — only
+if that fails — derives again against the **previous** key.
+That's one HKDF call on match, two on mismatch. Relevant source:
+`src/session.rs::verify_fingerprint_either_epoch` (around line
+340-360 in the 0.2.0-alpha.2 tree).
+
+An attacker observing verify-path timing could distinguish
+"accepted under current key" from "accepted under prev key" from
+"rejected". The latency delta is ~one HKDF-SHA-256 derivation
+(~a few microseconds on commodity hardware). Is this exploitable?
+
+**Mitigation considered.** Always derive both fingerprints
+regardless of first-match outcome; compare each; OR the
+constant-time compare results. Constant-time verify path at the
+cost of one extra HKDF call per verify. Open to your opinion on
+whether this is worth the complexity.
+
+### 2.4 Transition-table completeness (§12.6.1)
+
+**The question.** The table enumerates (state × event ×
+`request_id`-predicate). One corner case I want to probe:
+`LegacyBypass` + any event → sticky no-op, including a perfectly
+valid `ConsentRequest` whose fingerprint matches a local
+derivation.
+
+Is sticky the right rule, or should there be a documented
+"upgrade from LegacyBypass to ceremony mode" path for deployments
+that start permissive and later want to enforce? Currently the
+only upgrade path is constructing a new `Session` via
+`SessionBuilder::require_consent(true)`.
+
+### 2.5 `ConsentResponse` / `ConsentRevocation` timestamp asymmetry
+
+**The question.** `ConsentRevocationCore` has `issued_at: u64`
+(Unix epoch seconds). `ConsentResponseCore` does NOT. This was
+intentional in draft-02 and carried forward; we want to confirm
+it's still OK given the draft-03 `session_fingerprint`.
+
+Argument for leaving the asymmetry: within a single ceremony, the
+state machine forbids a replayed Response (idempotent same-value
+Response is a no-op; differing-value is `ContradictoryResponse`
+hard-error). Across ceremonies, the fingerprint's `request_id_be`
+distinguishes them. So no replay window exists.
+
+Argument for adding `issued_at` to ConsentResponse anyway: the
+audit-trail use case (§12.8 third-party-verifiable signed consent)
+benefits from knowing *when* the user signed the approval, not
+just *that* they did. Currently a replayed (same-value)
+`ConsentResponse` would be indistinguishable from the original in
+a frozen transcript.
+
+### 2.6 General coherence of §12.8 security properties + §12.10 out-of-scope
+
+**The question.** §12.8 now enumerates: third-party-verifiable
+signed consent, TIGHT session binding, protocol-violation
+detection, no human-identity binding, and the timing-channel
+assumption. §12.10 lists the explicit out-of-scope items (coerced
+consent, human-identity fraud, clock-skew attacks).
+
+Is there a property draft-03 implicitly offers that §12.8 should
+claim explicitly? Or a threat draft-03 implicitly tolerates that
+§12.10 should flag? Open-ended reality-check question.
+
+---
+
+## 3. Pointers
+
+- **SPEC**: `SPEC.md` at tag `v0.2.0-alpha.2` on
+  `Luminous-Dynamics/xenia-wire`. §12.3, §12.3.1, §12.6.1, §12.6.2,
+  §12.8 are the draft-03 deltas. Appendix B row for draft-03
+  records the changelog.
+- **Reference implementation**: `src/consent.rs` (all three Core
+  types + ConsentViolation + ConsentEvent), `src/session.rs`
+  (`session_fingerprint`, `session_fingerprint_from_key`,
+  `verify_fingerprint_either_epoch`, `observe_consent` with the
+  draft-03 transition table, `ct_eq_32`), `src/error.rs`
+  (`WireError::ConsentProtocolViolation`).
+- **Test vectors**: `test-vectors/07_consent_request.*`,
+  `08_consent_response.*`, `09_consent_revocation.*` for the
+  happy-path signed bodies; `10_revocation_before_approval.txt`,
+  `11_contradictory_response.txt`, `12_stale_response.txt` for the
+  violation event-sequence DSL (grammar documented in file 10).
+- **Fuzz target**: `fuzz/fuzz_targets/fuzz_observe_consent.rs`
+  with the four invariants.
+- **Migration**: `MIGRATION.md` (0.1.x → 0.2.0-alpha.1, plus
+  alpha.1 → alpha.2). Paired with `CHANGELOG.md` per-release
+  entries.
+
+## 4. Feedback logistics
+
+Any form works. If you prefer structured feedback: a per-section
+reply keyed to the six questions above is the highest-bandwidth
+format. If you'd rather leave comments inline in a PR against the
+`SPEC.md` tree, that's also fine — we'll open a draft `spec-review`
+PR on request.
+
+Thank you for taking the time. Rounds 1 and 2 caught real issues;
+this round is targeted at confirming the close-out rather than a
+full re-read.