Files
neuron-tai/.scratch/alpha-hardening/issues/01-c1-gossip-auth.md
D.Popov 68e057209c Add alpha-hardening ADRs and issue plan from pre-release audit.
Lock alpha scope, tracker auth, TOPLOC fraud verification, and deferred multi-tracker money-path work; supersede legacy fraud issues with ADR-0018.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-07-04 23:12:09 +03:00

1.9 KiB
Raw Blame History

Status: ready-for-agent

01 — C1: Authenticate hive gossip endpoints

What to build

Add authenticated peer identity to all tracker gossip mutation endpoints. Today any caller can push billing, account, and stats events without verification.

Code refs:

  • packages/tracker/meshnet_tracker/server.py_handle_billing_gossip (~24142427)
  • packages/tracker/meshnet_tracker/server.py_handle_accounts_gossip (~26102623)
  • packages/tracker/meshnet_tracker/server.py_handle_stats_gossip (~23552364)
  • packages/tracker/meshnet_tracker/billing.pyapply_events (~301311)
  • packages/tracker/meshnet_tracker/accounts.pyapply_events (~220226)

Implement per ADR-0017 §3: shared hive HMAC (body + timestamp) or mutual TLS between configured tracker peers. Reject unauthenticated gossip with 401.

Note: /v1/gossip (node throughput fan-out, server.py ~1331) is not in scope for this issue — see ADR-0017 §3 out-of-scope note.

Test-first

  1. Red: unauthenticated POST to /v1/billing/gossip applies a credit event today — test must fail after fix.
  2. Red: authenticated peer with valid HMAC applies events; invalid/missing auth returns 401 and applied: 0.
  3. Green: implement verifier + config (--hive-secret or peer cert paths).

Acceptance criteria

  • /v1/billing/gossip, /v1/accounts/gossip, /v1/stats/gossip reject requests without valid hive auth
  • Authenticated peers replicate events as today (id-dedup preserved)
  • Config documented for multi-tracker dev setups
  • Tests cover reject + accept paths without live network

Blocked by

None — implement alongside or immediately before 02-a2-unified-auth-boundary.md.