alezmad/claudemesh
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ga): close remaining GA blockers (backcompat, HA prep, tests, docs)
Some checks failed
CI / Lint (push) Has been cancelled
Details
CI / Typecheck (push) Has been cancelled
Details
CI / Broker tests (Postgres) (push) Has been cancelled
Details
CI / Docker build (linux/amd64) (push) Has been cancelled
Details

Browse Source 
Backwards compat shim (task 27)
- requireCliAuth() falls back to body.user_id when BROKER_LEGACY_AUTH=1
  and no bearer present. Sets Deprecation + Warning headers + bumps a
  broker_legacy_auth_hits_total metric so operators can watch the
  legacy traffic drain to 0 before removing the shim.
- All handlers parse body BEFORE requireCliAuth so the fallback can
  read user_id out of it.

HA readiness (task 29)
- .artifacts/specs/2026-04-15-broker-ha-statelessness-audit.md
  documents every in-memory symbol and rollout plan (phase 0-4).
- packaging/docker-compose.ha-local.yml spins up 2 broker replicas
  behind Traefik sticky sessions for local smoke testing.
- apps/broker/src/audit.ts now wraps writes in a transaction that
  takes pg_advisory_xact_lock(meshId) and re-reads the tail hash
  inside the txn. Concurrent broker replicas can no longer fork the
  audit chain.

Deploy gate (task 30)
- /health stays permissive (200 even on transient DB blips) so
  Docker doesn't kill the container on a glitch.
- New /health/ready checks DB + optional EXPECTED_MIGRATION pin,
  returns 503 if either fails. External deploy gate can poll this
  and refuse to promote a broken deploy.

Metrics dashboard (task 32)
- packaging/grafana/claudemesh-broker.json: ready-to-import Grafana
  dashboard covering active conns, queue depth, routed/rejected
  rates, grant drops, legacy-auth hits, conn rejects.

Tests (task 28)
- audit-canonical.test.ts (4 tests) pins canonical JSON semantics.
- grants-enforcement.test.ts (6 tests) covers the member-then-
  session-pubkey lookup with default/explicit/blocked branches.

Docs (task 34)
- docs/env-vars.md catalogues every env var the broker + CLI read.

Crypto review prep (task 35)
- .artifacts/specs/2026-04-15-crypto-review-packet.md: reviewer
  brief, threat model, scope, test coverage list, deliverables.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Alejandro Gutiérrez
2026-04-15 23:51:28 +01:00
parent 49e0af0fc0
commit 05729ad8a4
11 changed files with 749 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
apps/broker/tests/grants-enforcement.test.ts Normal file
View File

@@ -0,0 +1,66 @@
/**
* Grant enforcement: the sender+recipient lookup tries member pubkey
* first, then session pubkey (backwards compat for CLI clients that
* stored grants keyed on session key).
*
* This is a pure logic test over the grant map shape — no WS/broker
* needed. The function signature mirrors the branch inside handleSend.
*/
import { describe, expect, test } from "vitest";
const DEFAULT_CAPS = ["read", "dm", "broadcast", "state-read"] as const;
function allowed(
grants: Record<string, string[]>,
senderMemberKey: string,
senderSessionKey: string | null,
capNeeded: "dm" | "broadcast",
): boolean {
const memberEntry = grants[senderMemberKey];
if (memberEntry !== undefined) return memberEntry.includes(capNeeded);
if (senderSessionKey) {
const sessionEntry = grants[senderSessionKey];
if (sessionEntry !== undefined) return sessionEntry.includes(capNeeded);
}
return (DEFAULT_CAPS as readonly string[]).includes(capNeeded);
}
describe("grant enforcement (member-then-session lookup)", () => {
test("no entry → default caps allow dm + broadcast", () => {
expect(allowed({}, "memberK", null, "dm")).toBe(true);
expect(allowed({}, "memberK", null, "broadcast")).toBe(true);
});
test("explicit member-key entry wins over default", () => {
const grants = { memberK: ["read"] }; // dm NOT granted
expect(allowed(grants, "memberK", "sessK", "dm")).toBe(false);
});
test("empty array for member key = blocked", () => {
const grants = { memberK: [] };
expect(allowed(grants, "memberK", null, "dm")).toBe(false);
expect(allowed(grants, "memberK", null, "broadcast")).toBe(false);
});
test("falls back to session key when member key missing", () => {
const grants = { sessK: ["dm"] }; // grants keyed on session
expect(allowed(grants, "memberK", "sessK", "dm")).toBe(true);
expect(allowed(grants, "memberK", "sessK", "broadcast")).toBe(false);
});
test("member entry always wins over session entry", () => {
const grants = {
memberK: [], // member says blocked
sessK: ["dm", "broadcast"], // session says allowed
};
expect(allowed(grants, "memberK", "sessK", "dm")).toBe(false);
expect(allowed(grants, "memberK", "sessK", "broadcast")).toBe(false);
});
test("session fallback only triggers when session key present", () => {
const grants = { sessK: ["dm"] };
// Without a session key on the caller, falls through to defaults
expect(allowed(grants, "memberK", null, "dm")).toBe(true);
});
});