alezmad/claudemesh
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: alezmad:v0.1.8
Branches Tags
alezmad:main
alezmad:v0.5.9 alezmad:v0.5.8 alezmad:v0.5.7 alezmad:v0.5.6 alezmad:v0.5.5 alezmad:v0.5.4 alezmad:v0.5.3 alezmad:v0.5.2 alezmad:v0.5.1 alezmad:v0.5.0 alezmad:v0.4.0 alezmad:v0.3.0 alezmad:v0.2.0 alezmad:v0.1.16 alezmad:v0.1.15 alezmad:v0.1.14 alezmad:v0.1.13 alezmad:v0.1.12 alezmad:v0.1.11 alezmad:v0.1.10 alezmad:v0.1.9 alezmad:v0.1.8 alezmad:v0.1.7 alezmad:v0.1.6 alezmad:v0.1.5 alezmad:cli-v0.1.4 alezmad:cli-v0.1.3 alezmad:cli-v0.1.2
..
compare: alezmad:v0.1.11
Branches Tags
alezmad:main
alezmad:v0.5.9 alezmad:v0.5.8 alezmad:v0.5.7 alezmad:v0.5.6 alezmad:v0.5.5 alezmad:v0.5.4 alezmad:v0.5.3 alezmad:v0.5.2 alezmad:v0.5.1 alezmad:v0.5.0 alezmad:v0.4.0 alezmad:v0.3.0 alezmad:v0.2.0 alezmad:v0.1.16 alezmad:v0.1.15 alezmad:v0.1.14 alezmad:v0.1.13 alezmad:v0.1.12 alezmad:v0.1.11 alezmad:v0.1.10 alezmad:v0.1.9 alezmad:v0.1.8 alezmad:v0.1.7 alezmad:v0.1.6 alezmad:v0.1.5 alezmad:cli-v0.1.4 alezmad:cli-v0.1.3 alezmad:cli-v0.1.2

3 Commits
v0.1.8 ... v0.1.11

Author SHA1 Message Date
Alejandro Gutiérrez
92bb276a3e fix: v0.1.11 — fix crypto_box decryption with session pubkeys
Some checks failed
CI / Lint (push) Has been cancelled
Details
CI / Typecheck (push) Has been cancelled
Details
CI / Broker tests (Postgres) (push) Has been cancelled
Details
CI / Docker build (linux/amd64) (push) Has been cancelled
Details
Release / Publish multi-arch images (push) Has been cancelled
Details 
Store sender's sessionPubkey on message_queue at send time.
drainForMember returns COALESCE(sender_session_pubkey, peer_pubkey)
so the recipient gets the correct sender key for decryption.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-06 11:23:42 +01:00
Alejandro Gutiérrez
af8f8ed1f9 feat: v0.1.10 — per-session ephemeral keypairs
Some checks failed
CI / Lint (push) Has been cancelled
Details
CI / Typecheck (push) Has been cancelled
Details
CI / Broker tests (Postgres) (push) Has been cancelled
Details
CI / Docker build (linux/amd64) (push) Has been cancelled
Details
Release / Publish multi-arch images (push) Has been cancelled
Details 
Each WS connection generates its own ed25519 keypair (sessionPubkey)
sent in the hello handshake. The broker stores it on the presence
row and uses it for message routing + list_peers. This gives every
`claudemesh launch` a unique crypto identity without burning invite
uses — member auth stays permanent, session identity is ephemeral.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-06 11:14:33 +01:00
Alejandro Gutiérrez
c8682dd700 fix(cli): deduplicate --dangerously-load-development-channels flag
Some checks failed
CI / Lint (push) Has been cancelled
Details
CI / Typecheck (push) Has been cancelled
Details
CI / Broker tests (Postgres) (push) Has been cancelled
Details
CI / Docker build (linux/amd64) (push) Has been cancelled
Details
Release / Publish multi-arch images (push) Has been cancelled
Details 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-06 10:56:30 +01:00
10 changed files with 66 additions and 19 deletions
Expand all files Collapse all files

16
apps/broker/src/broker.ts
View File

@@ -307,6 +307,7 @@ export async function refreshStatusFromJsonl(
export interface ConnectParams {
memberId: string;
sessionId: string;
sessionPubkey?: string;
displayName?: string;
pid: number;
cwd: string;
@@ -322,6 +323,7 @@ export async function connectPresence(
.values({
memberId: params.memberId,
sessionId: params.sessionId,
sessionPubkey: params.sessionPubkey ?? null,
displayName: params.displayName ?? null,
pid: params.pid,
cwd: params.cwd,
@@ -371,7 +373,8 @@ export async function listPeersInMesh(
> {
const rows = await db
.select({
pubkey: memberTable.peerPubkey,
memberPubkey: memberTable.peerPubkey,
sessionPubkey: presence.sessionPubkey,
memberDisplayName: memberTable.displayName,
presenceDisplayName: presence.displayName,
status: presence.status,
@@ -388,9 +391,9 @@ export async function listPeersInMesh(
),
)
.orderBy(asc(presence.connectedAt));
// Prefer per-session displayName over member-level displayName.
// Prefer session pubkey for routing, session displayName for display.
return rows.map((r) => ({
pubkey: r.pubkey,
pubkey: r.sessionPubkey || r.memberPubkey,
displayName: r.presenceDisplayName || r.memberDisplayName,
status: r.status,
summary: r.summary,
@@ -415,6 +418,7 @@ export async function setSummary(
export interface QueueParams {
meshId: string;
senderMemberId: string;
senderSessionPubkey?: string;
targetSpec: string;
priority: Priority;
nonce: string;
@@ -429,6 +433,7 @@ export async function queueMessage(params: QueueParams): Promise<string> {
.values({
meshId: params.meshId,
senderMemberId: params.senderMemberId,
senderSessionPubkey: params.senderSessionPubkey ?? null,
targetSpec: params.targetSpec,
priority: params.priority,
nonce: params.nonce,
@@ -469,6 +474,7 @@ export async function drainForMember(
_memberId: string,
memberPubkey: string,
status: PeerStatus,
sessionPubkey?: string,
): Promise<
Array<{
id: string;
@@ -509,14 +515,14 @@ export async function drainForMember(
WHERE mesh_id = ${meshId}
AND delivered_at IS NULL
AND priority::text IN (${priorityList})
AND (target_spec = ${memberPubkey} OR target_spec = '*')
AND (target_spec = ${memberPubkey} OR target_spec = '*'${sessionPubkey ? sql` OR target_spec = ${sessionPubkey}` : sql``})
ORDER BY created_at ASC, id ASC
FOR UPDATE SKIP LOCKED
)
AND m.id = mq.sender_member_id
RETURNING mq.id, mq.priority, mq.nonce, mq.ciphertext,
mq.created_at, mq.sender_member_id,
m.peer_pubkey AS sender_pubkey
COALESCE(mq.sender_session_pubkey, m.peer_pubkey) AS sender_pubkey
)
SELECT * FROM claimed ORDER BY created_at ASC, id ASC
`);

9
apps/broker/src/index.ts
View File

@@ -56,6 +56,7 @@ interface PeerConn {
meshId: string;
memberId: string;
memberPubkey: string;
sessionPubkey: string | null;
cwd: string;
}
@@ -93,6 +94,7 @@ async function maybePushQueuedMessages(presenceId: string): Promise<void> {
conn.memberId,
conn.memberPubkey,
status,
conn.sessionPubkey ?? undefined,
);
for (const m of messages) {
const push: WSPushMessage = {
@@ -400,6 +402,7 @@ async function handleHello(
const presenceId = await connectPresence({
memberId: member.id,
sessionId: hello.sessionId,
sessionPubkey: hello.sessionPubkey,
displayName: hello.displayName,
pid: hello.pid,
cwd: hello.cwd,
@@ -409,6 +412,7 @@ async function handleHello(
meshId: hello.meshId,
memberId: member.id,
memberPubkey: hello.pubkey,
sessionPubkey: hello.sessionPubkey ?? null,
cwd: hello.cwd,
});
incMeshCount(hello.meshId);
@@ -434,6 +438,7 @@ async function handleSend(
const messageId = await queueMessage({
meshId: conn.meshId,
senderMemberId: conn.memberId,
senderSessionPubkey: conn.sessionPubkey ?? undefined,
targetSpec: msg.targetSpec,
priority: msg.priority,
nonce: msg.nonce,
@@ -450,7 +455,9 @@ async function handleSend(
// Fan-out over connected peers in the same mesh.
for (const [pid, peer] of connections) {
if (peer.meshId !== conn.meshId) continue;
if (msg.targetSpec !== "*" && peer.memberPubkey !== msg.targetSpec)
if (msg.targetSpec !== "*"
&& peer.memberPubkey !== msg.targetSpec
&& peer.sessionPubkey !== msg.targetSpec)
continue;
void maybePushQueuedMessages(pid);
}

1
apps/broker/src/types.ts
View File

@@ -52,6 +52,7 @@ export interface WSHelloMessage {
meshId: string;
memberId: string;
pubkey: string; // must match mesh.member.peerPubkey
sessionPubkey?: string; // ephemeral per-launch pubkey for message routing
displayName?: string; // optional override for this session
sessionId: string;
pid: number;

2
apps/cli/package.json
View File

@@ -1,6 +1,6 @@
{
"name": "claudemesh-cli",
"version": "0.1.8",
"version": "0.1.11",
"description": "Claude Code MCP client for claudemesh — peer mesh messaging between Claude sessions.",
"keywords": [
"claude-code",

15
apps/cli/src/commands/join.ts
View File

@@ -14,7 +14,10 @@ import { parseInviteLink } from "../invite/parse";
import { enrollWithBroker } from "../invite/enroll";
import { generateKeypair } from "../crypto/keypair";
import { loadConfig, saveConfig, getConfigPath } from "../state/config";
import { hostname } from "node:os";
import { writeFileSync, mkdirSync } from "node:fs";
import { join, dirname } from "node:path";
import { homedir, hostname } from "node:os";
import { env } from "../env";
export async function runJoin(args: string[]): Promise<void> {
const link = args[0];
@@ -78,6 +81,16 @@ export async function runJoin(args: string[]): Promise<void> {
});
saveConfig(config);
// 4b. Store invite token for per-session re-enrollment (launch --name).
const configDir = env.CLAUDEMESH_CONFIG_DIR ?? join(homedir(), ".claudemesh");
const inviteFile = join(configDir, `invite-${payload.mesh_slug}.txt`);
try {
mkdirSync(dirname(inviteFile), { recursive: true });
writeFileSync(inviteFile, link, "utf-8");
} catch {
// Non-fatal — launch will fall back to shared identity.
}
// 5. Report.
console.log("");
console.log(

23
apps/cli/src/commands/launch.ts
View File

@@ -17,9 +17,6 @@ import { join } from "node:path";
import { createInterface } from "node:readline";
import { loadConfig, getConfigPath } from "../state/config";
import type { Config, JoinedMesh } from "../state/config";
import { generateKeypair } from "../crypto/keypair";
import { enrollWithBroker } from "../invite/enroll";
import { parseInviteLink } from "../invite/parse";
// --- Arg parsing ---
@@ -174,12 +171,12 @@ export async function runLaunch(extraArgs: string[]): Promise<void> {
mesh = await pickMesh(config.meshes);
}
// 3. Set display name. Uses existing member identity — the broker
// creates a separate presence row per session (sessionId + pid)
// and stores the per-session displayName override.
// 3. Session identity. The WS client auto-generates a per-session
// ephemeral keypair on connect (sent in hello as sessionPubkey).
// We just set the display name via env var.
const displayName = args.name ?? `${hostname()}-${process.pid}`;
// 4. Write session config to tmpdir (same mesh, same keypair).
// 4. Write session config to tmpdir (isolates mesh selection).
const tmpDir = mkdtempSync(join(tmpdir(), "claudemesh-"));
const sessionConfig: Config = {
version: 1,
@@ -195,10 +192,20 @@ export async function runLaunch(extraArgs: string[]): Promise<void> {
if (!args.quiet) printBanner(displayName, mesh.slug);
// 6. Spawn claude with ephemeral config + dev channel + display name.
// Strip any user-supplied --dangerously-load-development-channels
// to avoid duplicates — we always inject our own.
const filtered: string[] = [];
for (let i = 0; i < args.claudeArgs.length; i++) {
if (args.claudeArgs[i] === "--dangerously-load-development-channels") {
i++; // skip the next arg (the channel value) too
continue;
}
filtered.push(args.claudeArgs[i]!);
}
const claudeArgs = [
"--dangerously-load-development-channels",
"server:claudemesh",
...args.claudeArgs,
...filtered,
];
const isWindows = process.platform === "win32";

15
apps/cli/src/ws/client.ts
View File

@@ -21,6 +21,7 @@ import {
isDirectTarget,
} from "../crypto/envelope";
import { signHello } from "../crypto/hello-sig";
import { generateKeypair } from "../crypto/keypair";
export type Priority = "now" | "next" | "low";
export type ConnStatus = "connecting" | "open" | "closed" | "reconnecting";
@@ -74,6 +75,8 @@ export class BrokerClient {
private pushHandlers = new Set<PushHandler>();
private pushBuffer: InboundPush[] = [];
private listPeersResolvers: Array<(peers: PeerInfo[]) => void> = [];
private sessionPubkey: string | null = null;
private sessionSecretKey: string | null = null;
private closed = false;
private reconnectAttempt = 0;
private helloTimer: NodeJS.Timeout | null = null;
@@ -109,8 +112,13 @@ export class BrokerClient {
return new Promise<void>((resolve, reject) => {
const onOpen = async (): Promise<void> => {
this.debug("ws open → signing + sending hello");
this.debug("ws open → generating session keypair + signing hello");
try {
// Generate per-session ephemeral keypair for message routing.
const sessionKP = await generateKeypair();
this.sessionPubkey = sessionKP.publicKey;
this.sessionSecretKey = sessionKP.secretKey;
const { timestamp, signature } = await signHello(
this.mesh.meshId,
this.mesh.memberId,
@@ -123,6 +131,7 @@ export class BrokerClient {
meshId: this.mesh.meshId,
memberId: this.mesh.memberId,
pubkey: this.mesh.pubkey,
sessionPubkey: this.sessionPubkey,
displayName: process.env.CLAUDEMESH_DISPLAY_NAME || undefined,
sessionId: `${process.pid}-${Date.now()}`,
pid: process.pid,
@@ -203,7 +212,7 @@ export class BrokerClient {
const env = await encryptDirect(
message,
targetSpec,
this.mesh.secretKey,
this.sessionSecretKey ?? this.mesh.secretKey,
);
nonce = env.nonce;
ciphertext = env.ciphertext;
@@ -349,7 +358,7 @@ export class BrokerClient {
plaintext = await decryptDirect(
{ nonce, ciphertext },
senderPubkey,
this.mesh.secretKey,
this.sessionSecretKey ?? this.mesh.secretKey,
);
}
// Legacy/broadcast path: no senderPubkey means the message

1
packages/db/migrations/0005_add-presence-session-pubkey.sql Normal file
View File

@@ -0,0 +1 @@
ALTER TABLE "mesh"."presence" ADD COLUMN "session_pubkey" text;

1
packages/db/migrations/0006_add-sender-session-pubkey.sql Normal file
View File

@@ -0,0 +1 @@
ALTER TABLE "mesh"."message_queue" ADD COLUMN "sender_session_pubkey" text;

2
packages/db/src/schema/mesh.ts
View File

@@ -192,6 +192,7 @@ export const presence = meshSchema.table("presence", {
.references(() => meshMember.id, { onDelete: "cascade", onUpdate: "cascade" })
.notNull(),
sessionId: text().notNull(),
sessionPubkey: text(),
displayName: text(),
pid: integer().notNull(),
cwd: text().notNull(),
@@ -221,6 +222,7 @@ export const messageQueue = meshSchema.table("message_queue", {
senderMemberId: text()
.references(() => meshMember.id, { onDelete: "cascade", onUpdate: "cascade" })
.notNull(),
senderSessionPubkey: text(),
targetSpec: text().notNull(),
priority: messagePriorityEnum().notNull().default("next"),
nonce: text().notNull(),