alezmad/claudemesh
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cef246a34aa8a3ea6023a0b7ccd93cedb67b666b
claudemesh/apps/cli/tests/unit/session-hello-sig.test.ts
Alejandro Gutiérrez d62b3f45d2 feat(cli): sessionbrokerclient + registry hooks (flag-gated) 
daemon-side half of 1.30.0 per-session broker presence. behind
CLAUDEMESH_SESSION_PRESENCE=1 (default OFF this cycle so the broker
side bakes before the flag flips).

- SessionBrokerClient (apps/cli/src/daemon/session-broker.ts) — slim
  WS that opens with session_hello, presence-only, no outbox drain.
- session-hello-sig.ts — signParentAttestation (12h TTL, ≤24h cap) and
  signSessionHello, mirroring the broker canonical formats.
- session-registry: optional presence field on SessionInfo;
  setRegistryHooks for onRegister/onDeregister callbacks. Hook errors
  are caught so they can never throttle registry mutations.
- IPC POST /v1/sessions/register accepts the presence material under
  body.presence (session_pubkey, session_secret_key, parent_attestation).
  Older callers without it stay scoped + supported.
- run.ts wires the registry hooks: on register, opens a SessionBrokerClient
  for the matching mesh; on deregister (explicit or reaper), closes it.
  Shutdown closes any remaining session WSes before the IPC server.

8 new unit tests cover registry lifecycle (replace/throw/presence
roundtrip) and signature canonical-bytes verification against libsodium.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 13:05:33 +01:00

89 lines
2.9 KiB
TypeScript
Raw Blame History

/**
* CLI-side session-hello signing.
*
* Roundtrip: the signatures we mint with the CLI helpers must match the
* canonical bytes the broker recomputes from the same fields. Drift here
* shows up as `bad_signature` on the broker — easier to catch in unit
* tests than in end-to-end flow.
*/
import { describe, expect, test } from "vitest";
import sodium from "libsodium-wrappers";
import {
signParentAttestation,
signSessionHello,
DEFAULT_ATTESTATION_TTL_MS,
} from "../../src/services/broker/session-hello-sig.js";
async function makeKeypair(): Promise<{ publicKey: string; secretKey: string }> {
await sodium.ready;
const kp = sodium.crypto_sign_keypair();
return {
publicKey: sodium.to_hex(kp.publicKey),
secretKey: sodium.to_hex(kp.privateKey),
};
}
describe("signParentAttestation", () => {
test("produces canonical bytes that verify against parent pubkey", async () => {
await sodium.ready;
const parent = await makeKeypair();
const session = await makeKeypair();
const att = await signParentAttestation({
parentMemberPubkey: parent.publicKey,
parentSecretKey: parent.secretKey,
sessionPubkey: session.publicKey,
});
expect(att.parentMemberPubkey).toBe(parent.publicKey);
expect(att.sessionPubkey).toBe(session.publicKey);
expect(att.signature).toMatch(/^[0-9a-f]{128}$/);
const canonical =
`claudemesh-session-attest|${parent.publicKey}|${session.publicKey}|${att.expiresAt}`;
const ok = sodium.crypto_sign_verify_detached(
sodium.from_hex(att.signature),
sodium.from_string(canonical),
sodium.from_hex(parent.publicKey),
);
expect(ok).toBe(true);
});
test("default TTL ≤24h cap", async () => {
const parent = await makeKeypair();
const session = await makeKeypair();
const now = 1_700_000_000_000;
const att = await signParentAttestation({
parentMemberPubkey: parent.publicKey,
parentSecretKey: parent.secretKey,
sessionPubkey: session.publicKey,
now,
});
expect(att.expiresAt).toBe(now + DEFAULT_ATTESTATION_TTL_MS);
expect(att.expiresAt - now).toBeLessThanOrEqual(24 * 60 * 60 * 1000);
});
});
describe("signSessionHello", () => {
test("signature verifies against session pubkey", async () => {
await sodium.ready;
const session = await makeKeypair();
const result = await signSessionHello({
meshId: "mesh-x",
parentMemberPubkey: "c".repeat(64),
sessionPubkey: session.publicKey,
sessionSecretKey: session.secretKey,
});
expect(result.signature).toMatch(/^[0-9a-f]{128}$/);
const canonical =
`claudemesh-session-hello|mesh-x|${"c".repeat(64)}|${session.publicKey}|${result.timestamp}`;
const ok = sodium.crypto_sign_verify_detached(
sodium.from_hex(result.signature),
sodium.from_string(canonical),
sodium.from_hex(session.publicKey),
);
expect(ok).toBe(true);
});
});
Reference in New Issue View Git Blame Copy Permalink