claudemesh

alezmad/claudemesh

Fork 0

Commit Graph

Author	SHA1	Message	Date
Alejandro Gutiérrez	0c4a9591fa	feat(broker): invite signature verification + atomic one-time-use Completes the v0.1.0 security model. Every /join is now gated by a signed invite that the broker re-verifies against the mesh owner's ed25519 pubkey, plus an atomic single-use counter. schema (migrations/0001_demonic_karnak.sql): - mesh.mesh.owner_pubkey: ed25519 hex of the invite signer - mesh.invite.token_bytes: canonical signed bytes (for re-verification) Both nullable; required for new meshes going forward. canonical invite format (signed bytes): `${v}\|${mesh_id}\|${mesh_slug}\|${broker_url}\|${expires_at}\| ${mesh_root_key}\|${role}\|${owner_pubkey}` wire format — invite payload in ic://join/<base64url(JSON)> now has: owner_pubkey: "<64 hex>" signature: "<128 hex>" broker joinMesh() (apps/broker/src/broker.ts): 1. verify ed25519 signature over canonical bytes using payload's owner_pubkey → else invite_bad_signature 2. load mesh, ensure mesh.owner_pubkey matches payload's owner_pubkey → else invite_owner_mismatch (prevents a malicious admin from substituting their own owner key) 3. load invite row by token, verify mesh_id matches → else invite_mesh_mismatch 4. expiry check → else invite_expired 5. revoked check → else invite_revoked 6. idempotency: if pubkey is already a member, return existing id WITHOUT burning an invite use 7. atomic CAS: UPDATE used_count = used_count + 1 WHERE used_count < max_uses → if 0 rows affected, return invite_exhausted 8. insert member with role from payload cli side: - apps/cli/src/invite/parse.ts: zod-validated owner_pubkey + signature fields; client verifies signature immediately and rejects tampered links (fail-fast before even touching the broker) - buildSignedInvite() helper: owners sign invites client-side - enrollWithBroker sends {invite_token, invite_payload, peer_pubkey, display_name} (was: {mesh_id, peer_pubkey, display_name, role}) - parseInviteLink is now async (libsodium ready + verify) seed-test-mesh.ts generates an owner keypair, sets mesh.owner_pubkey, builds + signs an invite, stores the invite row, emits ownerPubkey + ownerSecretKey + inviteToken + inviteLink in the output JSON. tests — invite-signature.test.ts (9 new): - valid signed invite → join succeeds - tampered payload → invite_bad_signature - signer not the mesh owner → invite_owner_mismatch - expired invite → invite_expired - revoked invite → invite_revoked - exhausted (maxUses=2, 3rd join) → invite_exhausted - idempotent re-join doesn't burn a use - atomic single-use: 5 concurrent joins → exactly 1 success, 4 exhausted - mesh_id payload vs DB row mismatch → invite_mesh_mismatch verified live: tampered link blocked client-side with a clear error. Unmodified link joins cleanly end-to-end (roundtrip.ts + join-roundtrip.ts both pass). 64/64 tests green. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-04 23:02:12 +01:00
Alejandro Gutiérrez	758ea0e42c	feat(cli): invite-link parsing + join flow + keypair generation End-to-end join: user runs `claudemesh join ic://join/<base64>` and walks away with a signed member record + persistent keypair. new modules: - src/crypto/keypair.ts: libsodium ed25519 keypair generation. Format is crypto_sign_keypair raw bytes, hex-encoded (32-byte pub, 64-byte secret = seed \|\| pub). Same format libsodium will need in Step 18 for sign/verify. - src/invite/parse.ts: ic://join/<base64url(JSON)> parser with Zod shape validation + expiry check. encodeInviteLink helper for tests. - src/invite/enroll.ts: POST /join to broker, converts ws:// to http:// transparently. rewritten join command wires them together: 1. parse invite → 2. generate keypair → 3. POST /join → 4. persist config → 5. print success. state/config.ts: saveConfig now chmods the file to 0600 after write, since it holds ed25519 secret keys. No-op on Windows. signature verification (step 18) + invite-token one-time-use tracking are deferred. For now the invite link is a plain bearer token; any client with the link can join. verified end-to-end via apps/cli/scripts/join-roundtrip.ts: build invite → run join subprocess → load new config → connect as new member → send A→B → receive push. Flow passes. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-04 22:36:32 +01:00
Alejandro Gutiérrez	8931296e82	feat(cli): scaffold @claudemesh/cli MCP client package (stubs) The user-facing tool. Two invocation modes: - `claudemesh mcp` → MCP server (stdio), consumed by Claude Code - `claudemesh <subcommand>` → human CLI Layout: apps/cli/ ├── package.json bin: { claudemesh: ./src/index.ts } ├── README.md install + usage └── src/ ├── index.ts dispatcher (mcp \| install \| join \| list \| leave \| --help) ├── env.ts CLAUDEMESH_BROKER_URL, CONFIG_DIR, DEBUG ├── mcp/ │ ├── server.ts MCP stdio server with 5 tools │ ├── tools.ts tool schemas (send_message, list_peers, │ │ check_messages, set_summary, set_status) │ └── types.ts ├── ws/client.ts broker connection (stub for 15b) ├── state/config.ts ~/.claudemesh/config.json (joined meshes + keys) └── commands/ ├── install.ts print `claude mcp add ...` instruction ├── join.ts parse ic://join/... (stub, Step 17) ├── list.ts show joined meshes └── leave.ts remove mesh from local config Tool stubs return "not connected, run `claudemesh join <invite-link>`" errors until 15b wires the WS client. Verified: - `bun src/index.ts --help` → prints usage - `bun src/index.ts install` → prints MCP add command with resolved path - `bun src/index.ts list` → "No meshes joined yet" - `bun src/index.ts mcp` (via stdin) → returns tools/list with all 5 tools Deps: @modelcontextprotocol/sdk, ws, libsodium-wrappers, zod. Lockfile regenerated in the same commit per claudemesh-3's flag — avoids breaking Coolify's --frozen-lockfile deploys. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-04 22:23:12 +01:00

Author

SHA1

Message

Date

Alejandro Gutiérrez

0c4a9591fa

feat(broker): invite signature verification + atomic one-time-use

Completes the v0.1.0 security model. Every /join is now gated by a
signed invite that the broker re-verifies against the mesh owner's
ed25519 pubkey, plus an atomic single-use counter.

schema (migrations/0001_demonic_karnak.sql):
- mesh.mesh.owner_pubkey: ed25519 hex of the invite signer
- mesh.invite.token_bytes: canonical signed bytes (for re-verification)
Both nullable; required for new meshes going forward.

canonical invite format (signed bytes):
  `${v}|${mesh_id}|${mesh_slug}|${broker_url}|${expires_at}|
   ${mesh_root_key}|${role}|${owner_pubkey}`

wire format — invite payload in ic://join/<base64url(JSON)> now has:
  owner_pubkey: "<64 hex>"
  signature:    "<128 hex>"

broker joinMesh() (apps/broker/src/broker.ts):
1. verify ed25519 signature over canonical bytes using payload's
   owner_pubkey → else invite_bad_signature
2. load mesh, ensure mesh.owner_pubkey matches payload's owner_pubkey
   → else invite_owner_mismatch (prevents a malicious admin from
   substituting their own owner key)
3. load invite row by token, verify mesh_id matches → else
   invite_mesh_mismatch
4. expiry check → else invite_expired
5. revoked check → else invite_revoked
6. idempotency: if pubkey is already a member, return existing id
   WITHOUT burning an invite use
7. atomic CAS: UPDATE used_count = used_count + 1 WHERE used_count <
   max_uses → if 0 rows affected, return invite_exhausted
8. insert member with role from payload

cli side:
- apps/cli/src/invite/parse.ts: zod-validated owner_pubkey + signature
  fields; client verifies signature immediately and rejects tampered
  links (fail-fast before even touching the broker)
- buildSignedInvite() helper: owners sign invites client-side
- enrollWithBroker sends {invite_token, invite_payload, peer_pubkey,
  display_name} (was: {mesh_id, peer_pubkey, display_name, role})
- parseInviteLink is now async (libsodium ready + verify)

seed-test-mesh.ts generates an owner keypair, sets mesh.owner_pubkey,
builds + signs an invite, stores the invite row, emits ownerPubkey +
ownerSecretKey + inviteToken + inviteLink in the output JSON.

tests — invite-signature.test.ts (9 new):
- valid signed invite → join succeeds
- tampered payload → invite_bad_signature
- signer not the mesh owner → invite_owner_mismatch
- expired invite → invite_expired
- revoked invite → invite_revoked
- exhausted (maxUses=2, 3rd join) → invite_exhausted
- idempotent re-join doesn't burn a use
- atomic single-use: 5 concurrent joins → exactly 1 success, 4 exhausted
- mesh_id payload vs DB row mismatch → invite_mesh_mismatch

verified live: tampered link blocked client-side with a clear error.
Unmodified link joins cleanly end-to-end (roundtrip.ts + join-roundtrip.ts
both pass). 64/64 tests green.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-04 23:02:12 +01:00

Alejandro Gutiérrez

758ea0e42c

feat(cli): invite-link parsing + join flow + keypair generation

End-to-end join: user runs `claudemesh join ic://join/<base64>` and
walks away with a signed member record + persistent keypair.

new modules:
- src/crypto/keypair.ts: libsodium ed25519 keypair generation. Format
  is crypto_sign_keypair raw bytes, hex-encoded (32-byte pub, 64-byte
  secret = seed || pub). Same format libsodium will need in Step 18
  for sign/verify.
- src/invite/parse.ts: ic://join/<base64url(JSON)> parser with Zod
  shape validation + expiry check. encodeInviteLink helper for tests.
- src/invite/enroll.ts: POST /join to broker, converts ws:// to http://
  transparently.

rewritten join command wires them together:
  1. parse invite → 2. generate keypair → 3. POST /join → 4. persist
  config → 5. print success.

state/config.ts: saveConfig now chmods the file to 0600 after write,
since it holds ed25519 secret keys. No-op on Windows.

signature verification (step 18) + invite-token one-time-use tracking
are deferred. For now the invite link is a plain bearer token; any
client with the link can join.

verified end-to-end via apps/cli/scripts/join-roundtrip.ts:
  build invite → run join subprocess → load new config → connect as
  new member → send A→B → receive push. Flow passes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-04 22:36:32 +01:00

Alejandro Gutiérrez

8931296e82

feat(cli): scaffold @claudemesh/cli MCP client package (stubs)

The user-facing tool. Two invocation modes:
  - `claudemesh mcp`           → MCP server (stdio), consumed by Claude Code
  - `claudemesh <subcommand>`  → human CLI

Layout:
  apps/cli/
  ├── package.json       bin: { claudemesh: ./src/index.ts }
  ├── README.md          install + usage
  └── src/
      ├── index.ts       dispatcher (mcp | install | join | list | leave | --help)
      ├── env.ts         CLAUDEMESH_BROKER_URL, CONFIG_DIR, DEBUG
      ├── mcp/
      │   ├── server.ts  MCP stdio server with 5 tools
      │   ├── tools.ts   tool schemas (send_message, list_peers,
      │   │              check_messages, set_summary, set_status)
      │   └── types.ts
      ├── ws/client.ts   broker connection (stub for 15b)
      ├── state/config.ts ~/.claudemesh/config.json (joined meshes + keys)
      └── commands/
          ├── install.ts print `claude mcp add ...` instruction
          ├── join.ts    parse ic://join/... (stub, Step 17)
          ├── list.ts    show joined meshes
          └── leave.ts   remove mesh from local config

Tool stubs return "not connected, run `claudemesh join <invite-link>`"
errors until 15b wires the WS client.

Verified:
- `bun src/index.ts --help` → prints usage
- `bun src/index.ts install` → prints MCP add command with resolved path
- `bun src/index.ts list` → "No meshes joined yet"
- `bun src/index.ts mcp` (via stdin) → returns tools/list with all 5 tools

Deps: @modelcontextprotocol/sdk, ws, libsodium-wrappers, zod.
Lockfile regenerated in the same commit per claudemesh-3's flag —
avoids breaking Coolify's --frozen-lockfile deploys.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-04 22:23:12 +01:00

3 Commits