feat(cli): sessionbrokerclient + registry hooks (flag-gated)

daemon-side half of 1.30.0 per-session broker presence. behind CLAUDEMESH_SESSION_PRESENCE=1 (default OFF this cycle so the broker side bakes before the flag flips). - SessionBrokerClient (apps/cli/src/daemon/session-broker.ts) — slim WS that opens with session_hello, presence-only, no outbox drain. - session-hello-sig.ts — signParentAttestation (12h TTL, ≤24h cap) and signSessionHello, mirroring the broker canonical formats. - session-registry: optional presence field on SessionInfo; setRegistryHooks for onRegister/onDeregister callbacks. Hook errors are caught so they can never throttle registry mutations. - IPC POST /v1/sessions/register accepts the presence material under body.presence (session_pubkey, session_secret_key, parent_attestation). Older callers without it stay scoped + supported. - run.ts wires the registry hooks: on register, opens a SessionBrokerClient for the matching mesh; on deregister (explicit or reaper), closes it. Shutdown closes any remaining session WSes before the IPC server. 8 new unit tests cover registry lifecycle (replace/throw/presence roundtrip) and signature canonical-bytes verification against libsodium. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 13:05:33 +01:00
parent e688f66791
commit d62b3f45d2
7 changed files with 662 additions and 4 deletions
--- a/apps/cli/tests/unit/session-hello-sig.test.ts
+++ b/apps/cli/tests/unit/session-hello-sig.test.ts
@@ -0,0 +1,88 @@
+/**
+ * CLI-side session-hello signing.
+ *
+ * Roundtrip: the signatures we mint with the CLI helpers must match the
+ * canonical bytes the broker recomputes from the same fields. Drift here
+ * shows up as `bad_signature` on the broker — easier to catch in unit
+ * tests than in end-to-end flow.
+ */
+
+import { describe, expect, test } from "vitest";
+import sodium from "libsodium-wrappers";
+import {
+  signParentAttestation,
+  signSessionHello,
+  DEFAULT_ATTESTATION_TTL_MS,
+} from "../../src/services/broker/session-hello-sig.js";
+
+async function makeKeypair(): Promise<{ publicKey: string; secretKey: string }> {
+  await sodium.ready;
+  const kp = sodium.crypto_sign_keypair();
+  return {
+    publicKey: sodium.to_hex(kp.publicKey),
+    secretKey: sodium.to_hex(kp.privateKey),
+  };
+}
+
+describe("signParentAttestation", () => {
+  test("produces canonical bytes that verify against parent pubkey", async () => {
+    await sodium.ready;
+    const parent = await makeKeypair();
+    const session = await makeKeypair();
+
+    const att = await signParentAttestation({
+      parentMemberPubkey: parent.publicKey,
+      parentSecretKey: parent.secretKey,
+      sessionPubkey: session.publicKey,
+    });
+    expect(att.parentMemberPubkey).toBe(parent.publicKey);
+    expect(att.sessionPubkey).toBe(session.publicKey);
+    expect(att.signature).toMatch(/^[0-9a-f]{128}$/);
+
+    const canonical =
+      `claudemesh-session-attest|${parent.publicKey}|${session.publicKey}|${att.expiresAt}`;
+    const ok = sodium.crypto_sign_verify_detached(
+      sodium.from_hex(att.signature),
+      sodium.from_string(canonical),
+      sodium.from_hex(parent.publicKey),
+    );
+    expect(ok).toBe(true);
+  });
+
+  test("default TTL ≤24h cap", async () => {
+    const parent = await makeKeypair();
+    const session = await makeKeypair();
+    const now = 1_700_000_000_000;
+    const att = await signParentAttestation({
+      parentMemberPubkey: parent.publicKey,
+      parentSecretKey: parent.secretKey,
+      sessionPubkey: session.publicKey,
+      now,
+    });
+    expect(att.expiresAt).toBe(now + DEFAULT_ATTESTATION_TTL_MS);
+    expect(att.expiresAt - now).toBeLessThanOrEqual(24 * 60 * 60 * 1000);
+  });
+});
+
+describe("signSessionHello", () => {
+  test("signature verifies against session pubkey", async () => {
+    await sodium.ready;
+    const session = await makeKeypair();
+    const result = await signSessionHello({
+      meshId: "mesh-x",
+      parentMemberPubkey: "c".repeat(64),
+      sessionPubkey: session.publicKey,
+      sessionSecretKey: session.secretKey,
+    });
+    expect(result.signature).toMatch(/^[0-9a-f]{128}$/);
+
+    const canonical =
+      `claudemesh-session-hello|mesh-x|${"c".repeat(64)}|${session.publicKey}|${result.timestamp}`;
+    const ok = sodium.crypto_sign_verify_detached(
+      sodium.from_hex(result.signature),
+      sodium.from_string(canonical),
+      sodium.from_hex(session.publicKey),
+    );
+    expect(ok).toBe(true);
+  });
+});