This commit is contained in:
Dobromir Popov
2026-07-04 23:02:54 +02:00
parent de52ad7aa0
commit 69b0e726b8
13 changed files with 66 additions and 39 deletions

View File

@@ -14,7 +14,7 @@ Add authenticated peer identity to all tracker gossip mutation endpoints. Today
- `packages/tracker/meshnet_tracker/billing.py``apply_events` (~301311)
- `packages/tracker/meshnet_tracker/accounts.py``apply_events` (~220226)
Implement per ADR-0017 §3: shared hive HMAC (body + timestamp) or mutual TLS between configured tracker peers. Reject unauthenticated gossip with 401.
Implement per ADR-0017 §3 using the auth helper/config from issue 02: shared hive HMAC (body + timestamp) or mutual TLS between configured tracker peers. Reject unauthenticated gossip with 401.
**Note:** `/v1/gossip` (node throughput fan-out, `server.py` ~1331) is **not** in scope for this issue — see ADR-0017 §3 out-of-scope note.
@@ -22,7 +22,7 @@ Implement per ADR-0017 §3: shared hive HMAC (body + timestamp) or mutual TLS be
1. Red: unauthenticated POST to `/v1/billing/gossip` applies a credit event today — test must fail after fix.
2. Red: authenticated peer with valid HMAC applies events; invalid/missing auth returns 401 and `applied: 0`.
3. Green: implement verifier + config (`--hive-secret` or peer cert paths).
3. Green: wire the issue-02 verifier/config (`--hive-secret` or peer cert paths) into the three hive mutation endpoints.
## Acceptance criteria
@@ -38,4 +38,4 @@ Implement per ADR-0017 §3: shared hive HMAC (body + timestamp) or mutual TLS be
## Blocked by
None — implement alongside or immediately before `02-a2-unified-auth-boundary.md`.
- `02-a2-unified-auth-boundary.md` — owns shared auth middleware/config. Implement in the same PR if simpler.