When the routing table drops to zero peers, the daemon now re-joins bootstrap nodes every 60s, unbanning their addresses first so replies are not silently discarded. Both tp and tpd accept -v for debug-level output without needing RUST_LOG environment variable.

- Rewrite README with features, usage, and links - Bump tesseras-dht dependency from 0.1.0 to 0.1.1 - Add CODE_OF_CONDUCT.md and SECURITY.md

- tp: limit stdin to 64 KiB + 1 byte to reject oversized pastes early without unbounded memory allocation - daemon: bound the oversized-line drain to MAX_LINE_SIZE so a client without newlines cannot block beyond the read timeout - tpd: document intentional Arc::into_raw leak in signal handler

- Write identity.key with mode 0600 to prevent other users from reading the Ed25519 private seed - Use destination filename in atomic_write temp path to avoid collisions between concurrent writes to different files - Reject HTTP methods other than GET/HEAD with 405 - Return "Hello Tesseras World" on GET /

Add reference to pledgereq[] in /usr/src/sys/kern/kern_pledge.c and include drm and prot_exec that were missing from the list.

Warn when set_nonblocking or set_read_timeout fails instead of silently disconnecting the client.

A slow connection or DHT lookup (up to 30s) no longer blocks the entire HTTP accept loop. Connections beyond the limit get a 503 response.

Report the actual error instead of silently ignoring it and failing later with a confusing message in PasteStore::open.

- Atomic writes in store (write-to-temp + rename) to prevent corruption on crash - Validate DHT results against requested content hash to reject forged data from malicious nodes - Limit protocol line size to 128 KiB on Unix socket to prevent memory exhaustion - Use saturating_add for TTL expiry to prevent u64 overflow

tpd: unveil data dir (rwc), resolv.conf (r) when DNS needed, then pledge stdio rpath wpath cpath fattr inet unix dns. tp: unveil socket path (rw), then pledge stdio unix rpath.

tpd now queries _tesseras._udp.tesseras.net SRV records to discover bootstrap peers when no -b flag is given. Add -n flag to disable this automatic discovery for seed/isolated nodes.

DHT-backed encrypted pastebin with two binaries (tp/tpd), XChaCha20-Poly1305 encryption, content-addressed storage, and Unix socket + HTTP interfaces.