alezmad/claudemesh
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ga): close remaining GA blockers (backcompat, HA prep, tests, docs)
Some checks failed
CI / Lint (push) Has been cancelled
Details
CI / Typecheck (push) Has been cancelled
Details
CI / Broker tests (Postgres) (push) Has been cancelled
Details
CI / Docker build (linux/amd64) (push) Has been cancelled
Details

Browse Source 
Backwards compat shim (task 27)
- requireCliAuth() falls back to body.user_id when BROKER_LEGACY_AUTH=1
  and no bearer present. Sets Deprecation + Warning headers + bumps a
  broker_legacy_auth_hits_total metric so operators can watch the
  legacy traffic drain to 0 before removing the shim.
- All handlers parse body BEFORE requireCliAuth so the fallback can
  read user_id out of it.

HA readiness (task 29)
- .artifacts/specs/2026-04-15-broker-ha-statelessness-audit.md
  documents every in-memory symbol and rollout plan (phase 0-4).
- packaging/docker-compose.ha-local.yml spins up 2 broker replicas
  behind Traefik sticky sessions for local smoke testing.
- apps/broker/src/audit.ts now wraps writes in a transaction that
  takes pg_advisory_xact_lock(meshId) and re-reads the tail hash
  inside the txn. Concurrent broker replicas can no longer fork the
  audit chain.

Deploy gate (task 30)
- /health stays permissive (200 even on transient DB blips) so
  Docker doesn't kill the container on a glitch.
- New /health/ready checks DB + optional EXPECTED_MIGRATION pin,
  returns 503 if either fails. External deploy gate can poll this
  and refuse to promote a broken deploy.

Metrics dashboard (task 32)
- packaging/grafana/claudemesh-broker.json: ready-to-import Grafana
  dashboard covering active conns, queue depth, routed/rejected
  rates, grant drops, legacy-auth hits, conn rejects.

Tests (task 28)
- audit-canonical.test.ts (4 tests) pins canonical JSON semantics.
- grants-enforcement.test.ts (6 tests) covers the member-then-
  session-pubkey lookup with default/explicit/blocked branches.

Docs (task 34)
- docs/env-vars.md catalogues every env var the broker + CLI read.

Crypto review prep (task 35)
- .artifacts/specs/2026-04-15-crypto-review-packet.md: reviewer
  brief, threat model, scope, test coverage list, deliverables.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Alejandro Gutiérrez
2026-04-15 23:51:28 +01:00
parent 49e0af0fc0
commit 05729ad8a4
11 changed files with 749 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
apps/broker/tests/audit-canonical.test.ts Normal file
View File

@@ -0,0 +1,53 @@
/**
* Audit hash chain uses canonical JSON (sorted keys) so JSONB key
* order can't break verification. This test pins the contract.
*/
import { describe, expect, test } from "vitest";
import { createHash } from "node:crypto";
// Re-derive canonicalJson for the test (duplicate of audit.ts internal).
function canonicalJson(value: unknown): string {
if (value === null || typeof value !== "object") return JSON.stringify(value);
if (Array.isArray(value)) return "[" + value.map(canonicalJson).join(",") + "]";
const obj = value as Record<string, unknown>;
const keys = Object.keys(obj).sort();
return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonicalJson(obj[k])).join(",") + "}";
}
function hash(prev: string, meshId: string, eventType: string, actor: string | null, payload: Record<string, unknown>, createdAt: Date): string {
const input = `${prev}|${meshId}|${eventType}|${actor}|${canonicalJson(payload)}|${createdAt.toISOString()}`;
return createHash("sha256").update(input).digest("hex");
}
describe("audit canonical json hash", () => {
test("key order does not affect the computed hash", () => {
const createdAt = new Date("2026-04-15T12:00:00Z");
const a = hash("prev", "mesh1", "peer_joined", "actor", { groups: [], pubkey: "abc", restored: true }, createdAt);
const b = hash("prev", "mesh1", "peer_joined", "actor", { restored: true, pubkey: "abc", groups: [] }, createdAt);
const c = hash("prev", "mesh1", "peer_joined", "actor", { pubkey: "abc", groups: [], restored: true }, createdAt);
expect(a).toBe(b);
expect(b).toBe(c);
});
test("nested object key order also irrelevant", () => {
const createdAt = new Date("2026-04-15T12:00:00Z");
const a = hash("x", "m", "e", null, { outer: { inner: { a: 1, b: 2 } } }, createdAt);
const b = hash("x", "m", "e", null, { outer: { inner: { b: 2, a: 1 } } }, createdAt);
expect(a).toBe(b);
});
test("array order IS significant", () => {
const createdAt = new Date("2026-04-15T12:00:00Z");
const a = hash("x", "m", "e", null, { list: [1, 2, 3] }, createdAt);
const b = hash("x", "m", "e", null, { list: [3, 2, 1] }, createdAt);
expect(a).not.toBe(b);
});
test("changing payload value changes the hash", () => {
const createdAt = new Date("2026-04-15T12:00:00Z");
const a = hash("x", "m", "e", null, { k: "v1" }, createdAt);
const b = hash("x", "m", "e", null, { k: "v2" }, createdAt);
expect(a).not.toBe(b);
});
});

66
apps/broker/tests/grants-enforcement.test.ts Normal file
View File

@@ -0,0 +1,66 @@
/**
* Grant enforcement: the sender+recipient lookup tries member pubkey
* first, then session pubkey (backwards compat for CLI clients that
* stored grants keyed on session key).
*
* This is a pure logic test over the grant map shape — no WS/broker
* needed. The function signature mirrors the branch inside handleSend.
*/
import { describe, expect, test } from "vitest";
const DEFAULT_CAPS = ["read", "dm", "broadcast", "state-read"] as const;
function allowed(
grants: Record<string, string[]>,
senderMemberKey: string,
senderSessionKey: string | null,
capNeeded: "dm" | "broadcast",
): boolean {
const memberEntry = grants[senderMemberKey];
if (memberEntry !== undefined) return memberEntry.includes(capNeeded);
if (senderSessionKey) {
const sessionEntry = grants[senderSessionKey];
if (sessionEntry !== undefined) return sessionEntry.includes(capNeeded);
}
return (DEFAULT_CAPS as readonly string[]).includes(capNeeded);
}
describe("grant enforcement (member-then-session lookup)", () => {
test("no entry → default caps allow dm + broadcast", () => {
expect(allowed({}, "memberK", null, "dm")).toBe(true);
expect(allowed({}, "memberK", null, "broadcast")).toBe(true);
});
test("explicit member-key entry wins over default", () => {
const grants = { memberK: ["read"] }; // dm NOT granted
expect(allowed(grants, "memberK", "sessK", "dm")).toBe(false);
});
test("empty array for member key = blocked", () => {
const grants = { memberK: [] };
expect(allowed(grants, "memberK", null, "dm")).toBe(false);
expect(allowed(grants, "memberK", null, "broadcast")).toBe(false);
});
test("falls back to session key when member key missing", () => {
const grants = { sessK: ["dm"] }; // grants keyed on session
expect(allowed(grants, "memberK", "sessK", "dm")).toBe(true);
expect(allowed(grants, "memberK", "sessK", "broadcast")).toBe(false);
});
test("member entry always wins over session entry", () => {
const grants = {
memberK: [], // member says blocked
sessK: ["dm", "broadcast"], // session says allowed
};
expect(allowed(grants, "memberK", "sessK", "dm")).toBe(false);
expect(allowed(grants, "memberK", "sessK", "broadcast")).toBe(false);
});
test("session fallback only triggers when session key present", () => {
const grants = { sessK: ["dm"] };
// Without a session key on the caller, falls through to defaults
expect(allowed(grants, "memberK", null, "dm")).toBe(true);
});
});