claudemesh

alezmad/claudemesh

Fork 0

Commit Graph

Author	SHA1	Message	Date
Alejandro Gutiérrez	0c4a9591fa	feat(broker): invite signature verification + atomic one-time-use Completes the v0.1.0 security model. Every /join is now gated by a signed invite that the broker re-verifies against the mesh owner's ed25519 pubkey, plus an atomic single-use counter. schema (migrations/0001_demonic_karnak.sql): - mesh.mesh.owner_pubkey: ed25519 hex of the invite signer - mesh.invite.token_bytes: canonical signed bytes (for re-verification) Both nullable; required for new meshes going forward. canonical invite format (signed bytes): `${v}\|${mesh_id}\|${mesh_slug}\|${broker_url}\|${expires_at}\| ${mesh_root_key}\|${role}\|${owner_pubkey}` wire format — invite payload in ic://join/<base64url(JSON)> now has: owner_pubkey: "<64 hex>" signature: "<128 hex>" broker joinMesh() (apps/broker/src/broker.ts): 1. verify ed25519 signature over canonical bytes using payload's owner_pubkey → else invite_bad_signature 2. load mesh, ensure mesh.owner_pubkey matches payload's owner_pubkey → else invite_owner_mismatch (prevents a malicious admin from substituting their own owner key) 3. load invite row by token, verify mesh_id matches → else invite_mesh_mismatch 4. expiry check → else invite_expired 5. revoked check → else invite_revoked 6. idempotency: if pubkey is already a member, return existing id WITHOUT burning an invite use 7. atomic CAS: UPDATE used_count = used_count + 1 WHERE used_count < max_uses → if 0 rows affected, return invite_exhausted 8. insert member with role from payload cli side: - apps/cli/src/invite/parse.ts: zod-validated owner_pubkey + signature fields; client verifies signature immediately and rejects tampered links (fail-fast before even touching the broker) - buildSignedInvite() helper: owners sign invites client-side - enrollWithBroker sends {invite_token, invite_payload, peer_pubkey, display_name} (was: {mesh_id, peer_pubkey, display_name, role}) - parseInviteLink is now async (libsodium ready + verify) seed-test-mesh.ts generates an owner keypair, sets mesh.owner_pubkey, builds + signs an invite, stores the invite row, emits ownerPubkey + ownerSecretKey + inviteToken + inviteLink in the output JSON. tests — invite-signature.test.ts (9 new): - valid signed invite → join succeeds - tampered payload → invite_bad_signature - signer not the mesh owner → invite_owner_mismatch - expired invite → invite_expired - revoked invite → invite_revoked - exhausted (maxUses=2, 3rd join) → invite_exhausted - idempotent re-join doesn't burn a use - atomic single-use: 5 concurrent joins → exactly 1 success, 4 exhausted - mesh_id payload vs DB row mismatch → invite_mesh_mismatch verified live: tampered link blocked client-side with a clear error. Unmodified link joins cleanly end-to-end (roundtrip.ts + join-roundtrip.ts both pass). 64/64 tests green. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-04 23:02:12 +01:00
Alejandro Gutiérrez	8ce8b04e75	fix(db): rename pgSchema exports to prevent barrel collision chat/image/mesh modules all exported a generic `const schema` binding. When packages/db/src/schema/index.ts did `export * from "./chat"` + `export * from "./image"` + `export * from "./mesh"`, TypeScript's ambiguous-re-export rule silently dropped the colliding bindings — drizzle-kit's introspection could not find the pgSchema instances, so CREATE SCHEMA statements were never emitted. The migration worked on the prior dev DB only because chat/image already existed from an earlier turbostarter run; a fresh clone would fail. pdf.ts already used `pdfSchema` (unique name). Applied the same pattern everywhere: - chat.ts: `export const chatSchema = pgSchema("chat")` - image.ts: `export const imageSchema = pgSchema("image")` - mesh.ts: `export const meshSchema = pgSchema("mesh")` Also added `CREATE EXTENSION IF NOT EXISTS vector` at the top of the migration (pgvector is used by pdf.embedding — the generated migration assumed it was pre-enabled). Verified end-to-end against a fresh pgvector/pgvector:pg17 container: `pnpm drizzle-kit migrate` applies cleanly from scratch, all 7 mesh.* tables + chat/image/pdf/mesh schemas created correctly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-04 22:02:09 +01:00
Alejandro Gutiérrez	beeaa3b3c6	fix(db): rename mesh.member export to meshMember to avoid collision with auth.member The schema/index.ts barrel does `export * from "./mesh"` + `export * from "./auth"`. Both modules exported a symbol named `member`, which caused TypeScript to silently exclude the ambiguous re-export and drizzle-kit's introspection couldn't see mesh.member — its generated migration was missing that table entirely. Fix: rename the TypeScript binding only. The DB table name stays "member" inside pgSchema "mesh" (still mesh.member in SQL): - `export const member = schema.table("member", ...)` → `export const meshMember = schema.table("member", ...)` - Internal references in mesh.ts updated (FK lambdas, relations, Zod schemas, inferred TS types) - apps/broker/src/broker.ts import updated to meshMember as memberTable - migrations/0000_sloppy_stryfe.sql regenerated — now includes all 7 mesh.* tables (audit_log, invite, member, mesh, message_queue, pending_status, presence) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-04 21:47:02 +01:00

Author

SHA1

Message

Date

Alejandro Gutiérrez

0c4a9591fa

feat(broker): invite signature verification + atomic one-time-use

Completes the v0.1.0 security model. Every /join is now gated by a
signed invite that the broker re-verifies against the mesh owner's
ed25519 pubkey, plus an atomic single-use counter.

schema (migrations/0001_demonic_karnak.sql):
- mesh.mesh.owner_pubkey: ed25519 hex of the invite signer
- mesh.invite.token_bytes: canonical signed bytes (for re-verification)
Both nullable; required for new meshes going forward.

canonical invite format (signed bytes):
  `${v}|${mesh_id}|${mesh_slug}|${broker_url}|${expires_at}|
   ${mesh_root_key}|${role}|${owner_pubkey}`

wire format — invite payload in ic://join/<base64url(JSON)> now has:
  owner_pubkey: "<64 hex>"
  signature:    "<128 hex>"

broker joinMesh() (apps/broker/src/broker.ts):
1. verify ed25519 signature over canonical bytes using payload's
   owner_pubkey → else invite_bad_signature
2. load mesh, ensure mesh.owner_pubkey matches payload's owner_pubkey
   → else invite_owner_mismatch (prevents a malicious admin from
   substituting their own owner key)
3. load invite row by token, verify mesh_id matches → else
   invite_mesh_mismatch
4. expiry check → else invite_expired
5. revoked check → else invite_revoked
6. idempotency: if pubkey is already a member, return existing id
   WITHOUT burning an invite use
7. atomic CAS: UPDATE used_count = used_count + 1 WHERE used_count <
   max_uses → if 0 rows affected, return invite_exhausted
8. insert member with role from payload

cli side:
- apps/cli/src/invite/parse.ts: zod-validated owner_pubkey + signature
  fields; client verifies signature immediately and rejects tampered
  links (fail-fast before even touching the broker)
- buildSignedInvite() helper: owners sign invites client-side
- enrollWithBroker sends {invite_token, invite_payload, peer_pubkey,
  display_name} (was: {mesh_id, peer_pubkey, display_name, role})
- parseInviteLink is now async (libsodium ready + verify)

seed-test-mesh.ts generates an owner keypair, sets mesh.owner_pubkey,
builds + signs an invite, stores the invite row, emits ownerPubkey +
ownerSecretKey + inviteToken + inviteLink in the output JSON.

tests — invite-signature.test.ts (9 new):
- valid signed invite → join succeeds
- tampered payload → invite_bad_signature
- signer not the mesh owner → invite_owner_mismatch
- expired invite → invite_expired
- revoked invite → invite_revoked
- exhausted (maxUses=2, 3rd join) → invite_exhausted
- idempotent re-join doesn't burn a use
- atomic single-use: 5 concurrent joins → exactly 1 success, 4 exhausted
- mesh_id payload vs DB row mismatch → invite_mesh_mismatch

verified live: tampered link blocked client-side with a clear error.
Unmodified link joins cleanly end-to-end (roundtrip.ts + join-roundtrip.ts
both pass). 64/64 tests green.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-04 23:02:12 +01:00

Alejandro Gutiérrez

8ce8b04e75

fix(db): rename pgSchema exports to prevent barrel collision

chat/image/mesh modules all exported a generic `const schema`
binding. When packages/db/src/schema/index.ts did `export * from
"./chat"` + `export * from "./image"` + `export * from "./mesh"`,
TypeScript's ambiguous-re-export rule silently dropped the colliding
bindings — drizzle-kit's introspection could not find the pgSchema
instances, so CREATE SCHEMA statements were never emitted. The
migration worked on the prior dev DB only because chat/image already
existed from an earlier turbostarter run; a fresh clone would fail.

pdf.ts already used `pdfSchema` (unique name). Applied the same
pattern everywhere:
- chat.ts:  `export const chatSchema = pgSchema("chat")`
- image.ts: `export const imageSchema = pgSchema("image")`
- mesh.ts:  `export const meshSchema = pgSchema("mesh")`

Also added `CREATE EXTENSION IF NOT EXISTS vector` at the top of the
migration (pgvector is used by pdf.embedding — the generated
migration assumed it was pre-enabled).

Verified end-to-end against a fresh pgvector/pgvector:pg17 container:
`pnpm drizzle-kit migrate` applies cleanly from scratch, all 7 mesh.*
tables + chat/image/pdf/mesh schemas created correctly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-04 22:02:09 +01:00

Alejandro Gutiérrez

beeaa3b3c6

fix(db): rename mesh.member export to meshMember to avoid collision with auth.member

The schema/index.ts barrel does `export * from "./mesh"` + `export *
from "./auth"`. Both modules exported a symbol named `member`, which
caused TypeScript to silently exclude the ambiguous re-export and
drizzle-kit's introspection couldn't see mesh.member — its generated
migration was missing that table entirely.

Fix: rename the TypeScript binding only. The DB table name stays
"member" inside pgSchema "mesh" (still mesh.member in SQL):
- `export const member = schema.table("member", ...)` →
  `export const meshMember = schema.table("member", ...)`
- Internal references in mesh.ts updated (FK lambdas, relations,
  Zod schemas, inferred TS types)
- apps/broker/src/broker.ts import updated to meshMember as memberTable
- migrations/0000_sloppy_stryfe.sql regenerated — now includes all 7
  mesh.* tables (audit_log, invite, member, mesh, message_queue,
  pending_status, presence)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-04 21:47:02 +01:00

3 Commits