feat(cli): sessionbrokerclient + registry hooks (flag-gated)

daemon-side half of 1.30.0 per-session broker presence. behind
CLAUDEMESH_SESSION_PRESENCE=1 (default OFF this cycle so the broker
side bakes before the flag flips).

- SessionBrokerClient (apps/cli/src/daemon/session-broker.ts) — slim
  WS that opens with session_hello, presence-only, no outbox drain.
- session-hello-sig.ts — signParentAttestation (12h TTL, ≤24h cap) and
  signSessionHello, mirroring the broker canonical formats.
- session-registry: optional presence field on SessionInfo;
  setRegistryHooks for onRegister/onDeregister callbacks. Hook errors
  are caught so they can never throttle registry mutations.
- IPC POST /v1/sessions/register accepts the presence material under
  body.presence (session_pubkey, session_secret_key, parent_attestation).
  Older callers without it stay scoped + supported.
- run.ts wires the registry hooks: on register, opens a SessionBrokerClient
  for the matching mesh; on deregister (explicit or reaper), closes it.
  Shutdown closes any remaining session WSes before the IPC server.

8 new unit tests cover registry lifecycle (replace/throw/presence
roundtrip) and signature canonical-bytes verification against libsodium.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/cli/tests/unit/session-registry-hooks.test.ts

@@ -0,0 +1,135 @@
+/**
+ * Session-registry lifecycle hooks (1.30.0+).
+ *
+ * The daemon's session-broker subsystem subscribes to register/deregister
+ * events to open and close per-session WSes. Verifies:
+ *   - hooks fire on register + deregister
+ *   - replacing an entry under the same sessionId fires deregister(prior)
+ *     followed by register(new)
+ *   - reaper-triggered deregister fires the hook for dead pids
+ *   - presence material round-trips through the registry
+ */
+
+import { afterEach, describe, expect, test, vi } from "vitest";
+import {
+  _resetRegistry,
+  deregisterByToken,
+  registerSession,
+  resolveToken,
+  setRegistryHooks,
+  type SessionInfo,
+} from "../../src/daemon/session-registry.js";
+
+const PRESENCE = {
+  sessionPubkey: "a".repeat(64),
+  sessionSecretKey: "b".repeat(128),
+  parentAttestation: {
+    sessionPubkey: "a".repeat(64),
+    parentMemberPubkey: "c".repeat(64),
+    expiresAt: Date.now() + 60 * 60 * 1000,
+    signature: "d".repeat(128),
+  },
+};
+
+afterEach(() => {
+  _resetRegistry();
+});
+
+describe("session-registry hooks", () => {
+  test("onRegister fires on register", () => {
+    const onRegister = vi.fn();
+    const onDeregister = vi.fn();
+    setRegistryHooks({ onRegister, onDeregister });
+
+    registerSession({
+      token: "t".repeat(64),
+      sessionId: "sess-1",
+      mesh: "alpha",
+      displayName: "Alex",
+      pid: 12345,
+      presence: PRESENCE,
+    });
+
+    expect(onRegister).toHaveBeenCalledTimes(1);
+    expect(onDeregister).not.toHaveBeenCalled();
+    const arg = onRegister.mock.calls[0]![0] as SessionInfo;
+    expect(arg.sessionId).toBe("sess-1");
+    expect(arg.presence).toEqual(PRESENCE);
+  });
+
+  test("onDeregister fires on explicit deregister", () => {
+    const onRegister = vi.fn();
+    const onDeregister = vi.fn();
+    setRegistryHooks({ onRegister, onDeregister });
+
+    const token = "e".repeat(64);
+    registerSession({
+      token, sessionId: "sess-2", mesh: "alpha", displayName: "Alex",
+      pid: 12345,
+    });
+    onRegister.mockClear();
+
+    const ok = deregisterByToken(token);
+    expect(ok).toBe(true);
+    expect(onDeregister).toHaveBeenCalledTimes(1);
+    const arg = onDeregister.mock.calls[0]![0] as SessionInfo;
+    expect(arg.sessionId).toBe("sess-2");
+  });
+
+  test("re-registering same sessionId deregisters prior entry first", () => {
+    const onRegister = vi.fn();
+    const onDeregister = vi.fn();
+    setRegistryHooks({ onRegister, onDeregister });
+
+    const oldToken = "1".repeat(64);
+    const newToken = "2".repeat(64);
+    registerSession({
+      token: oldToken, sessionId: "sess-3", mesh: "alpha",
+      displayName: "Alex", pid: 12345,
+    });
+    expect(onRegister).toHaveBeenCalledTimes(1);
+
+    // Replace under same sessionId — prior must be torn down before new one.
+    registerSession({
+      token: newToken, sessionId: "sess-3", mesh: "alpha",
+      displayName: "Alex", pid: 12345,
+    });
+
+    expect(onDeregister).toHaveBeenCalledTimes(1);
+    expect(onRegister).toHaveBeenCalledTimes(2);
+    expect((onDeregister.mock.calls[0]![0] as SessionInfo).token).toBe(oldToken);
+    expect((onRegister.mock.calls[1]![0] as SessionInfo).token).toBe(newToken);
+    // Old token is unresolvable now.
+    expect(resolveToken(oldToken)).toBeNull();
+    expect(resolveToken(newToken)).toBeTruthy();
+  });
+
+  test("hooks tolerate throws (registry mutation still succeeds)", () => {
+    setRegistryHooks({
+      onRegister: () => { throw new Error("boom"); },
+      onDeregister: () => { throw new Error("boom"); },
+    });
+    const token = "f".repeat(64);
+    expect(() =>
+      registerSession({
+        token, sessionId: "sess-4", mesh: "alpha",
+        displayName: "Alex", pid: 12345,
+      }),
+    ).not.toThrow();
+    expect(resolveToken(token)).toBeTruthy();
+    expect(() => deregisterByToken(token)).not.toThrow();
+    expect(resolveToken(token)).toBeNull();
+  });
+
+  test("presence is preserved through resolveToken", () => {
+    setRegistryHooks({});
+    const token = "9".repeat(64);
+    registerSession({
+      token, sessionId: "sess-5", mesh: "alpha",
+      displayName: "Alex", pid: 12345, presence: PRESENCE,
+    });
+    const got = resolveToken(token);
+    expect(got).not.toBeNull();
+    expect(got!.presence).toEqual(PRESENCE);
+  });
+});