SECURITY
-----------------------

what is solid:

- safe_path() enforces no .., no //, no :, no \, no control chars, prefix
  check against g_root. strong foundation against path traversal.
- MAX_PAYLOAD (8 MB) cap on incoming packet size in server: no heap bomb
  from client.
- per-connection file handle table (MAX_FH=64): client cannot exhaust global
  fd space by opening many files.
- SIGPIPE ignored in server and fizz-mount: dropped peer does not kill
  the process.
- protocol handshake (magic + version): stray connections rejected early.
- h_readdir: path overflow fixed; bounds check before stat, skip on overflow.
  Names containing protocol-invalid characters (':', '\', control bytes)
  are also skipped, so clients never receive a name they cannot address.

configuration / deployment risks (not code bugs):

- use --interface / INTERFACE to bind to a specific address: 127.0.0.1
  for localhost-only access, or an internal NIC address on multi-homed
  hosts. this alone eliminates remote exposure without a firewall.
- NO AUTHENTICATION: any host that can reach the port has full read/write
  access to the exported directory. use a firewall; do not expose to the
  internet or untrusted LANs.
- symlink escape: if g_root contains symlinks pointing outside g_root,
  safe_path does not follow or check them. a client can read/write files
  outside the intended share via such symlinks.
- share root choice: exporting / or a home directory directly is dangerous.
  export a dedicated, purpose-built directory only.

missing / not implemented:

- amiga-client do_rpc: response sequence number is not validated against
  the sent seq. safe because the connection is synchronous (one RPC at a
  time), but a server bug or stale data from a previous connection could
  silently produce a wrong result. drain_async_writes() has the same gap
  and would need a small queue of in-flight seqs to fix properly.
- chown/utimens: no-ops in fizz-mount (return 0, do nothing). chmod is
  forwarded via OP_CHMOD; chown and timestamp changes are silently discarded.
- no symlinks, no hard links: attempts return ENOSYS/EPERM.
- file locking: the Amiga client enforces full AmigaDOS lock conflict
  semantics locally when mounted with LOCKING/S (compile-time option).
  no enforcement exists between separate clients or connections: two
  remote clients locking the same path independently do not conflict.
  concurrent writers from multiple clients can still corrupt.
- Amiga file offsets: amiga-client.c uses 32-bit ULONG for file positions
  and sizes. files > 4 GB will wrap. this matches AmigaOS limits anyway,
  but the server is 64-bit clean.
- readdir response size: a directory with very many entries produces a
  single large response packet. server caps at MAX_PAYLOAD (8 MB).
  Amiga client caps at AvailMem/4 (largest contiguous free block at
  the time of the listing). FUSE client receives into a malloc'd
  buffer, bounded by the server-side cap.

verdict:

safe to use on a trusted home LAN for day-to-day Amiga file transfer.
be clear about the no-auth model. do not export sensitive or system
directories. not suitable for internet exposure or untrusted networks.
