Security Review Finding — MEDIUM Priority
Source: Krillnotes Security Review v1.0.1 (April 2026)
Description
Multiple HKDF info/context strings are scattered throughout the codebase as magic strings:
krillnotes-swarm-key-wrapkrillnotes-attachment-v1krillnotes-file-v1krillnotes-contacts-v1krillnotes-relay-v1krillnotes-device-key-v1krillnotes-db-password-v1
Impact
Scattered magic strings risk:
- Typos causing silent key derivation mismatches (different strings → different keys)
- Accidental collision if two subsystems use the same string
- Difficulty auditing which derivation contexts exist
Recommendation
Create a crypto_constants.rs (or similar) module that centralizes all HKDF info strings as named constants:
pub mod hkdf_info {
pub const SWARM_KEY_WRAP: &[u8] = b"krillnotes-swarm-key-wrap";
pub const ATTACHMENT_V1: &[u8] = b"krillnotes-attachment-v1";
pub const FILE_V1: &[u8] = b"krillnotes-file-v1";
pub const CONTACTS_V1: &[u8] = b"krillnotes-contacts-v1";
pub const RELAY_V1: &[u8] = b"krillnotes-relay-v1";
pub const DEVICE_KEY_V1: &[u8] = b"krillnotes-device-key-v1";
pub const DB_PASSWORD_V1: &[u8] = b"krillnotes-db-password-v1";
}Acceptance Criteria
Security Review Finding — MEDIUM Priority
Source: Krillnotes Security Review v1.0.1 (April 2026)
Description
Multiple HKDF info/context strings are scattered throughout the codebase as magic strings:
krillnotes-swarm-key-wrapkrillnotes-attachment-v1krillnotes-file-v1krillnotes-contacts-v1krillnotes-relay-v1krillnotes-device-key-v1krillnotes-db-password-v1Impact
Scattered magic strings risk:
Recommendation
Create a
crypto_constants.rs(or similar) module that centralizes all HKDF info strings as named constants:Acceptance Criteria