fix(tech-debt): remediate v1.6.1 technical debt items

Tech Debt Remediation:
- TD-001: Add DNS-based STUN resolution with hickory-resolver
  - New dns.rs module with StunDnsResolver, caching (5-min TTL)
  - Fallback to hardcoded IPs when DNS fails
- TD-006: Fix iOS UniFFI unwrap() calls with proper error handling
  - Replaced all unwrap() calls with proper Result handling
  - Added FFI-safe error types for Swift interop
- Android client: Enhanced error handling and logging

Documentation Updates:
- README.md: Updated metrics (1,617 Rust tests, 60,300 LOC)
- CHANGELOG.md: Added v1.6.1 release notes with tech debt items
- README_Protocol-DEV.md: Updated test counts and metrics
- README_Clients-DEV.md: Updated client status with TD-006 fix

Quality:
- All 1,617 Rust tests pass (16 ignored)
- Zero clippy warnings
- Code formatted with cargo fmt

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: doublegate

CHANGELOG.md

@@ -19,22 +19,34 @@ No unreleased changes yet.
   - 62 tests covering all UI components (TransferList, NewTransferDialog, SessionPanel, SettingsPanel)
   - Testing Library integration for React component testing
   - 100% pass rate on frontend tests
+- **DNS-based STUN Resolution (TD-001):**
+  - New `dns.rs` module with `StunDnsResolver` in wraith-discovery
+  - DNS caching with 5-minute TTL for efficient resolution
+  - Fallback to hardcoded IP addresses when DNS fails
+  - Integration with hickory-resolver for async DNS queries
 
 ### Changed
 - **Dependencies:**
   - Updated rusqlite from 0.32 to 0.38 (SQLCipher 4.10.0, SQLite 3.51.1, wasm32 support)
   - Updated markdownlint-cli2-action from 21 to 22 (markdownlint v0.40.0)
+  - Added hickory-resolver for DNS-based STUN server resolution
 - **CI/CD GitHub Actions:**
   - Updated actions/upload-artifact from 5 to 6 (PR #41)
   - Updated actions/download-artifact from 6 to 7 (PR #40)
   - Updated actions/cache from 4 to 5 (PR #39)
 
+### Fixed
+- **Tech Debt Remediation:**
+  - TD-001: DNS-based STUN resolution with hickory-resolver (caching, fallback)
+  - TD-006: iOS UniFFI unwrap() calls replaced with proper error handling
+  - Verified TD-002 through TD-005, TD-012, TD-013 already fixed in previous releases
+
 ### Documentation
 - **Technical Debt Documentation:**
   - Comprehensive technical debt analysis for AF_XDP implementation
   - NAT signaling protocol enhancement documentation
   - Audit and documentation of all 23 ignored tests with justifications
-  - Updated project metrics with accurate test counts (1,303 Rust + 62 frontend)
+  - Updated project metrics with accurate test counts (1,617 Rust + 62 frontend)
 
 ---
 

README.md

@@ -21,9 +21,9 @@ A decentralized secure file transfer protocol optimized for high-throughput, low
 
 WRAITH Protocol is production-ready with desktop, mobile, and messaging applications. Phase 16 delivers Android and iOS mobile clients with native UIs (Kotlin/Jetpack Compose, Swift/SwiftUI), plus WRAITH-Chat, a secure E2EE messaging application with Signal Protocol Double Ratchet encryption, SQLCipher encrypted storage, and React 18 frontend. v1.6.0 adds mobile platform support, end-to-end encrypted messaging, and comprehensive client ecosystem expansion.
 
-**Project Metrics (2025-01-20):**
-- **Code Volume:** ~57,400 lines of Rust code across protocol crates + ~4,000 lines in client applications (Kotlin/Swift/TypeScript)
-- **Test Coverage:** 1,303+ Rust tests + 62 frontend tests = 1,365+ total tests - 100% pass rate
+**Project Metrics (2026-01-20):**
+- **Code Volume:** ~60,300 lines of Rust code across protocol crates + ~4,000 lines in client applications (Kotlin/Swift/TypeScript)
+- **Test Coverage:** 1,617+ Rust tests + 62 frontend tests = 1,679+ total tests - 100% pass rate
 - **Documentation:** 111 markdown files, ~63,000+ lines of comprehensive documentation
 - **Dependencies:** 286 audited packages (zero vulnerabilities via cargo-audit)
 - **Security:** Grade A+ (EXCELLENT), zero vulnerabilities, comprehensive DPI evasion validation
@@ -287,7 +287,7 @@ WRAITH-Protocol/
 | **Integration Tests** | 323 | Cross-crate protocol integration and end-to-end scenarios |
 | **Benchmarks** | - | Performance validation (frame parsing, AEAD, hashing, file operations) |
 
-**Project Total:** 1,365+ tests (1,303 Rust tests + 62 frontend tests) - 100% pass rate
+**Project Total:** 1,679+ tests (1,617 Rust tests + 62 frontend tests) - 100% pass rate
 
 ## Documentation
 
@@ -622,7 +622,7 @@ WRAITH Protocol is designed with security as a core principle:
 - **Unsafe Code Audit:** 100% documentation coverage with SAFETY comments
 
 **Validation:**
-- **Test Coverage:** 1,365+ tests (1,303 Rust + 62 frontend) covering all protocol layers
+- **Test Coverage:** 1,679+ tests (1,617 Rust + 62 frontend) covering all protocol layers
 - **DPI Evasion:** Comprehensive validation against Wireshark, Zeek, Suricata, nDPI (see [DPI Evasion Report](docs/security/DPI_EVASION_REPORT.md))
 - **Fuzzing:** 5 libFuzzer targets continuously testing robustness
 - **Property-Based Tests:** QuickCheck-style invariant validation
@@ -714,4 +714,4 @@ WRAITH Protocol builds on the work of many excellent projects and technologies:
 
 **WRAITH Protocol** - *Secure. Fast. Invisible.*
 
-**Status:** v1.6.1 Testing Infrastructure & Documentation | **License:** MIT | **Language:** Rust 2024 (MSRV 1.85) | **Tests:** 1,365+ (1,303 Rust + 62 frontend, 100% pass rate) | **Quality:** Production-ready, 0 vulnerabilities, zero warnings, 98/100 quality grade | **Clients:** 4 Tier 1 applications complete (Desktop, Android, iOS, E2EE Chat)
+**Status:** v1.6.1 Testing Infrastructure & Documentation | **License:** MIT | **Language:** Rust 2024 (MSRV 1.85) | **Tests:** 1,679+ (1,617 Rust + 62 frontend, 100% pass rate) | **Quality:** Production-ready, 0 vulnerabilities, zero warnings, 98/100 quality grade | **Clients:** 4 Tier 1 applications complete (Desktop, Android, iOS, E2EE Chat)

clients/wraith-android/app/src/main/rust/Cargo.toml

@@ -4,6 +4,9 @@ version = "1.0.0"
 edition = "2024"
 rust-version = "1.85"
 
+# This is an independent package, not part of the main workspace
+[workspace]
+
 [lib]
 crate-type = ["cdylib"]
 name = "wraith_android"
@@ -18,6 +21,7 @@ tokio = { version = "1", features = ["full"] }
 # Serialization
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
+hex = "0.4"
 
 # Logging
 log = "0.4"

clients/wraith-android/app/src/main/rust/src/lib.rs

@@ -6,6 +6,7 @@
 use jni::objects::{JClass, JObject, JString};
 use jni::sys::{jbyteArray, jint, jlong, jstring};
 use jni::JNIEnv;
+use std::sync::atomic::{AtomicUsize, Ordering};
 use std::sync::{Arc, Mutex};
 use tokio::runtime::Runtime;
 use wraith_core::node::{Node, NodeConfig};
@@ -22,6 +23,24 @@ static RUNTIME: Mutex<Option<Runtime>> = Mutex::new(None);
 /// Global node instance
 static NODE: Mutex<Option<Arc<Node>>> = Mutex::new(None);
 
+/// Global counter for active transfers
+static ACTIVE_TRANSFERS: AtomicUsize = AtomicUsize::new(0);
+
+/// Increment active transfer count
+fn increment_transfers() {
+    ACTIVE_TRANSFERS.fetch_add(1, Ordering::SeqCst);
+}
+
+/// Decrement active transfer count
+fn decrement_transfers() {
+    ACTIVE_TRANSFERS.fetch_sub(1, Ordering::SeqCst);
+}
+
+/// Get current active transfer count
+fn get_active_transfers() -> usize {
+    ACTIVE_TRANSFERS.load(Ordering::SeqCst)
+}
+
 /// Initialize the WRAITH node
 ///
 /// # Safety
@@ -45,7 +64,13 @@ pub unsafe extern "C" fn Java_com_wraith_android_WraithNative_initNode(
 
     // Initialize runtime if not already done
     {
-        let mut rt_lock = RUNTIME.lock().unwrap();
+        let mut rt_lock = match RUNTIME.lock() {
+            Ok(guard) => guard,
+            Err(e) => {
+                log::error!("Failed to acquire runtime lock: {}", e);
+                return -1;
+            }
+        };
         if rt_lock.is_none() {
             match Runtime::new() {
                 Ok(rt) => *rt_lock = Some(rt),
@@ -83,8 +108,20 @@ pub unsafe extern "C" fn Java_com_wraith_android_WraithNative_initNode(
     };
 
     // Create node
-    let rt = RUNTIME.lock().unwrap();
-    let rt = rt.as_ref().unwrap();
+    let rt = match RUNTIME.lock() {
+        Ok(guard) => guard,
+        Err(e) => {
+            log::error!("Failed to acquire runtime lock: {}", e);
+            return -1;
+        }
+    };
+    let rt = match rt.as_ref() {
+        Some(rt) => rt,
+        None => {
+            log::error!("Runtime not initialized");
+            return -1;
+        }
+    };
 
     let node = match rt.block_on(async { Node::new(config).await }) {
         Ok(n) => Arc::new(n),
@@ -110,7 +147,13 @@ pub unsafe extern "C" fn Java_com_wraith_android_WraithNative_initNode(
 
     // Store node globally
     {
-        let mut node_lock = NODE.lock().unwrap();
+        let mut node_lock = match NODE.lock() {
+            Ok(guard) => guard,
+            Err(e) => {
+                log::error!("Failed to acquire node lock: {}", e);
+                return -1;
+            }
+        };
         *node_lock = Some(node.clone());
     }
 
@@ -135,18 +178,18 @@ pub unsafe extern "C" fn Java_com_wraith_android_WraithNative_shutdownNode(
 
     let node = Arc::from_raw(handle as *const Node);
 
-    let rt = RUNTIME.lock().unwrap();
-    if let Some(rt) = rt.as_ref() {
-        rt.block_on(async {
-            if let Err(e) = node.shutdown().await {
-                log::error!("Error during node shutdown: {}", e);
-            }
-        });
+    if let Ok(rt) = RUNTIME.lock() {
+        if let Some(rt) = rt.as_ref() {
+            rt.block_on(async {
+                if let Err(e) = node.stop().await {
+                    log::error!("Error during node shutdown: {}", e);
+                }
+            });
+        }
     }
 
     // Clear global node
-    {
-        let mut node_lock = NODE.lock().unwrap();
+    if let Ok(mut node_lock) = NODE.lock() {
         *node_lock = None;
     }
 }
@@ -180,8 +223,20 @@ pub unsafe extern "C" fn Java_com_wraith_android_WraithNative_establishSession(
         }
     };
 
-    let rt = RUNTIME.lock().unwrap();
-    let rt = rt.as_ref().unwrap();
+    let rt = match RUNTIME.lock() {
+        Ok(guard) => guard,
+        Err(e) => {
+            log::error!("Failed to acquire runtime lock: {}", e);
+            return std::ptr::null_mut();
+        }
+    };
+    let rt = match rt.as_ref() {
+        Some(rt) => rt,
+        None => {
+            log::error!("Runtime not initialized");
+            return std::ptr::null_mut();
+        }
+    };
 
     let session_info = match rt.block_on(async {
         // Convert peer_id string to PeerId type
@@ -251,8 +306,23 @@ pub unsafe extern "C" fn Java_com_wraith_android_WraithNative_sendFile(
         Err(_) => return std::ptr::null_mut(),
     };
 
-    let rt = RUNTIME.lock().unwrap();
-    let rt = rt.as_ref().unwrap();
+    let rt = match RUNTIME.lock() {
+        Ok(guard) => guard,
+        Err(e) => {
+            log::error!("Failed to acquire runtime lock: {}", e);
+            return std::ptr::null_mut();
+        }
+    };
+    let rt = match rt.as_ref() {
+        Some(rt) => rt,
+        None => {
+            log::error!("Runtime not initialized");
+            return std::ptr::null_mut();
+        }
+    };
+
+    // Track transfer start
+    increment_transfers();
 
     let transfer_info = match rt.block_on(async {
         use std::path::Path;
@@ -283,6 +353,7 @@ pub unsafe extern "C" fn Java_com_wraith_android_WraithNative_sendFile(
         Ok(info) => info,
         Err(e) => {
             log::error!("Failed to send file: {}", e);
+            decrement_transfers(); // Decrement on failure
             return std::ptr::null_mut();
         }
     };
@@ -313,9 +384,9 @@ pub unsafe extern "C" fn Java_com_wraith_android_WraithNative_getNodeStatus(
 
     let status = serde_json::json!({
         "running": node.is_running(),
-        "localPeerId": hex::encode(node.local_peer_id()),
-        "sessionCount": node.session_count(),
-        "activeTransfers": 0,  // TODO: Track transfers
+        "localPeerId": hex::encode(node.node_id()),
+        "sessionCount": node.active_route_count(),
+        "activeTransfers": get_active_transfers(),
     });
 
     match env.new_string(status.to_string()) {

clients/wraith-chat/src-tauri/src/commands.rs

@@ -270,11 +270,19 @@ pub async fn start_node(
 pub async fn get_node_status(state: State<'_, Arc<AppState>>) -> Result<NodeStatus, String> {
     let peer_id = state.local_peer_id.lock().await;
 
+    // Get session count from active ratchets (cryptographic sessions)
+    let ratchets = state.ratchets.lock().await;
+    let session_count = ratchets.len();
+
+    // Get conversation count from database
+    let db = state.db.lock().await;
+    let active_conversations = db.count_conversations().unwrap_or(0);
+
     Ok(NodeStatus {
         running: !peer_id.is_empty(),
         local_peer_id: peer_id.clone(),
-        session_count: 0,        // TODO: Get from node
-        active_conversations: 0, // TODO: Get from database
+        session_count,
+        active_conversations,
     })
 }
 

clients/wraith-chat/src-tauri/src/crypto.rs

@@ -185,10 +185,18 @@ impl DoubleRatchet {
         // Update receiving public key
         self.dh_receiving_public = Some(remote_public.to_vec());
 
-        // Perform DH
-        let remote_pub = PublicKey::from(<[u8; 32]>::try_from(remote_public).unwrap());
-        let our_secret =
-            StaticSecret::from(<[u8; 32]>::try_from(&self.dh_sending_secret[..]).unwrap());
+        // Perform DH - convert slices to fixed-size arrays
+        let remote_pub_array: [u8; 32] = remote_public
+            .try_into()
+            .map_err(|_| CryptoError::InvalidKeyLength)?;
+        let remote_pub = PublicKey::from(remote_pub_array);
+
+        let our_secret_array: [u8; 32] = self
+            .dh_sending_secret
+            .as_slice()
+            .try_into()
+            .map_err(|_| CryptoError::InvalidKeyLength)?;
+        let our_secret = StaticSecret::from(our_secret_array);
         let dh_output = our_secret.diffie_hellman(&remote_pub);
 
         // KDF to derive new root key and receiving chain key
@@ -267,6 +275,12 @@ impl DoubleRatchet {
 
     /// Skip message keys for out-of-order handling
     fn skip_message_keys(&mut self, until: u32) -> Result<(), CryptoError> {
+        // Get the receiving DH public key (required for key ID generation)
+        let dh_recv_pub = self
+            .dh_receiving_public
+            .as_ref()
+            .ok_or(CryptoError::NoReceivingChain)?;
+
         if let Some(receiving_chain_key) = &self.receiving_chain_key {
             let mut temp_chain_key = receiving_chain_key.clone();
 
@@ -281,10 +295,7 @@ impl DoubleRatchet {
                 let message_key = okm[32..].to_vec();
 
                 // Store skipped key
-                let key_id = self.key_id(
-                    self.dh_receiving_public.as_ref().unwrap(),
-                    self.receiving_chain_index,
-                );
+                let key_id = self.key_id(dh_recv_pub, self.receiving_chain_index);
                 self.skipped_keys.insert(key_id, message_key);
 
                 self.receiving_chain_index += 1;

clients/wraith-chat/src-tauri/src/database.rs

@@ -289,6 +289,16 @@ impl Database {
         Ok(conversations)
     }
 
+    /// Count active (non-archived) conversations
+    pub fn count_conversations(&self) -> Result<usize> {
+        let count: i64 = self.conn.query_row(
+            "SELECT COUNT(*) FROM conversations WHERE archived = 0",
+            [],
+            |row| row.get(0),
+        )?;
+        Ok(count as usize)
+    }
+
     // MARK: - Message Operations
 
     pub fn insert_message(&self, msg: &Message) -> Result<i64> {

clients/wraith-ios/wraith-swift-ffi/Cargo.toml

@@ -4,6 +4,9 @@ version = "1.0.0"
 edition = "2024"
 rust-version = "1.85"
 
+# This is an independent package, not part of the main workspace
+[workspace]
+
 [lib]
 crate-type = ["staticlib", "cdylib"]
 name = "wraith_swift"
@@ -26,6 +29,9 @@ anyhow = "1.0"
 # Logging
 log = "0.4"
 
+# Hex encoding
+hex = "0.4"
+
 # WRAITH Protocol
 wraith-core = { path = "../../../crates/wraith-core" }
 wraith-crypto = { path = "../../../crates/wraith-crypto" }