crashlabs/huskies
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 26 Wiki Activity
Files
aeff0b55be607965841d5d8c3744acab58d9c471
huskies/server/src/crdt_sync.rs
T

2181 lines
81 KiB
Rust
Raw Normal View History

huskies: merge 542_refactor_add_doc_comments_to_all_undocumented_source_files_and_generate_source_map_in_readme
2026-04-12 13:11:23 +00:00
//! CRDT sync — WebSocket-based replication of pipeline state between huskies nodes.
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
/// WebSocket-based CRDT sync layer for replicating pipeline state between
/// huskies nodes.
///
/// # Protocol
///
fix: read_all_items must use deduplicated index, not raw CRDT entries
2026-04-10 19:32:55 +00:00
/// The sync protocol is a hybrid of two frame types:
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
///
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
/// ## Text frames (bulk initial state)
/// A JSON object with a `"type"` field:
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
/// - `{"type":"bulk","ops":[...]}` — Initial state dump (array of serialised
/// `SignedOp` JSON strings). Sent by both sides immediately after connect.
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
///
/// ## Binary frames (real-time op broadcast)
/// Individual `SignedOp`s encoded via [`crate::crdt_wire`] (versioned JSON
/// envelope: `{"v":1,"op":{...}}`). Each locally-applied op is immediately
/// broadcast as a binary frame to all connected peers.
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
///
/// Both the server endpoint and the rendezvous client use the same protocol,
/// making the connection fully symmetric.
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
///
/// ## Backpressure
/// Each connected peer has its own [`tokio::sync::broadcast`] receiver. If a
/// slow peer allows the channel to fill (indicated by a `Lagged` error), the
/// connection is dropped with a warning log. The peer can reconnect and
/// receive a fresh bulk state dump to catch up.
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
use bft_json_crdt::json_crdt::SignedOp;
use futures::{SinkExt, StreamExt};
use poem::handler;
use poem::web::Data;
use poem::web::websocket::{Message as WsMessage, WebSocket};
use serde::{Deserialize, Serialize};
huskies: merge 628_story_websocket_connect_time_mutual_auth_using_node_identity_primitives
2026-04-25 14:29:39 +00:00
use std::sync::{Arc, OnceLock};
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
use crate::crdt_state;
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
use crate::crdt_wire;
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
use crate::http::context::AppContext;
huskies: merge 628_story_websocket_connect_time_mutual_auth_using_node_identity_primitives
2026-04-25 14:29:39 +00:00
use crate::node_identity;
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
use crate::slog;
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
use crate::slog_error;
use crate::slog_warn;
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
huskies: merge 628_story_websocket_connect_time_mutual_auth_using_node_identity_primitives
2026-04-25 14:29:39 +00:00
// ── Auth configuration ──────────────────────────────────────────────
/// Default timeout for the auth handshake (seconds).
const AUTH_TIMEOUT_SECS: u64 = 10;
/// Trusted public keys loaded once at startup.
static TRUSTED_KEYS: OnceLock<Vec<String>> = OnceLock::new();
/// Initialise the trusted-key allow-list for connect-time mutual auth.
///
/// Must be called once at startup before any WebSocket connections are
/// accepted. Subsequent calls are no-ops (OnceLock).
pub fn init_trusted_keys(keys: Vec<String>) {
let _ = TRUSTED_KEYS.set(keys);
}
/// Return a reference to the trusted-key allow-list.
fn trusted_keys() -> &'static [String] {
TRUSTED_KEYS.get().map(|v| v.as_slice()).unwrap_or(&[])
}
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
// ── Wire protocol types ─────────────────────────────────────────────
huskies: merge 628_story_websocket_connect_time_mutual_auth_using_node_identity_primitives
2026-04-25 14:29:39 +00:00
/// Auth handshake: challenge sent by the listener to the connector.
#[derive(Serialize, Deserialize, Debug)]
struct ChallengeMessage {
r#type: String,
nonce: String,
}
/// Auth handshake: auth reply sent by the connector to the listener.
#[derive(Serialize, Deserialize, Debug)]
struct AuthMessage {
r#type: String,
pubkey_hex: String,
signature_hex: String,
}
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
#[derive(Serialize, Deserialize)]
#[serde(tag = "type", rename_all = "snake_case")]
enum SyncMessage {
/// Bulk state dump sent on connect.
Bulk { ops: Vec<String> },
/// A single new op.
Op { op: String },
}
// ── Server-side WebSocket handler ───────────────────────────────────
#[handler]
pub async fn crdt_sync_handler(
ws: WebSocket,
fix: read_all_items must use deduplicated index, not raw CRDT entries
2026-04-10 19:32:55 +00:00
_ctx: Data<&Arc<AppContext>>,
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
) -> impl poem::IntoResponse {
fix: read_all_items must use deduplicated index, not raw CRDT entries
2026-04-10 19:32:55 +00:00
ws.on_upgrade(|socket| async move {
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
let (mut sink, mut stream) = socket.split();
huskies: merge 628_story_websocket_connect_time_mutual_auth_using_node_identity_primitives
2026-04-25 14:29:39 +00:00
slog!("[crdt-sync] Peer connected, starting auth handshake");
// ── Step 1: Send challenge to the connecting peer ─────────
let challenge = node_identity::generate_challenge();
let challenge_msg = ChallengeMessage {
r#type: "challenge".to_string(),
nonce: challenge.clone(),
};
let challenge_json = match serde_json::to_string(&challenge_msg) {
Ok(j) => j,
Err(_) => return,
};
if sink.send(WsMessage::Text(challenge_json)).await.is_err() {
return;
}
// ── Step 2: Await auth reply within timeout ───────────────
let auth_result = tokio::time::timeout(
std::time::Duration::from_secs(AUTH_TIMEOUT_SECS),
stream.next(),
)
.await;
let auth_text = match auth_result {
Ok(Some(Ok(WsMessage::Text(text)))) => text,
Ok(_) | Err(_) => {
// Timeout or connection closed before auth reply.
slog!("[crdt-sync] Auth timeout or connection lost during handshake");
let _ = sink
.send(WsMessage::Close(Some((
poem::web::websocket::CloseCode::from(4001),
"auth_timeout".to_string(),
))))
.await;
let _ = sink.close().await;
return;
}
};
// ── Step 3: Verify auth reply ─────────────────────────────
let auth_msg: AuthMessage = match serde_json::from_str(&auth_text) {
Ok(m) => m,
Err(_) => {
slog!("[crdt-sync] Invalid auth message from peer");
close_with_auth_failed(&mut sink).await;
return;
}
};
// Verify signature AND check allow-list.
let sig_valid =
node_identity::verify_challenge(&auth_msg.pubkey_hex, &challenge, &auth_msg.signature_hex);
let key_trusted = trusted_keys().iter().any(|k| k == &auth_msg.pubkey_hex);
if !sig_valid || !key_trusted {
slog!("[crdt-sync] Auth failed for peer (sig_valid={sig_valid}, key_trusted={key_trusted})");
close_with_auth_failed(&mut sink).await;
return;
}
slog!(
"[crdt-sync] Peer authenticated: {:.12}…",
&auth_msg.pubkey_hex
);
// ── Auth passed — proceed with CRDT sync ──────────────────
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
fix: read_all_items must use deduplicated index, not raw CRDT entries
2026-04-10 19:32:55 +00:00
// Send bulk state dump.
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
if let Some(ops) = crdt_state::all_ops_json() {
let msg = SyncMessage::Bulk { ops };
if let Ok(json) = serde_json::to_string(&msg)
&& sink.send(WsMessage::Text(json)).await.is_err()
{
return;
}
}
// Subscribe to new local ops.
let Some(mut op_rx) = crdt_state::subscribe_ops() else {
return;
};
loop {
tokio::select! {
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
// Forward new local ops to the peer encoded via the wire codec.
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
result = op_rx.recv() => {
match result {
Ok(signed_op) => {
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
let bytes = crdt_wire::encode(&signed_op);
if sink.send(WsMessage::Binary(bytes)).await.is_err() {
break;
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
}
}
Err(tokio::sync::broadcast::error::RecvError::Lagged(n)) => {
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
// The peer cannot keep up; disconnect so it can
// reconnect and receive a fresh bulk state dump.
slog!("[crdt-sync] Slow peer lagged {n} ops; disconnecting");
break;
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
}
Err(_) => break,
}
}
// Receive ops from the peer.
frame = stream.next() => {
match frame {
Some(Ok(WsMessage::Text(text))) => {
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
// Bulk state dump or legacy text-frame op.
handle_incoming_text(&text);
}
Some(Ok(WsMessage::Binary(bytes))) => {
// Real-time op encoded via wire codec.
handle_incoming_binary(&bytes);
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
}
Some(Ok(WsMessage::Close(_))) | None => break,
_ => {}
}
}
}
}
slog!("[crdt-sync] Peer disconnected");
})
}
huskies: merge 628_story_websocket_connect_time_mutual_auth_using_node_identity_primitives
2026-04-25 14:29:39 +00:00
/// Close the WebSocket with a generic `auth_failed` reason.
///
/// The close reason is intentionally the same for all auth failures
/// (bad signature, untrusted key, malformed message) to avoid leaking
/// which check failed.
async fn close_with_auth_failed(
sink: &mut futures::stream::SplitSink<poem::web::websocket::WebSocketStream, WsMessage>,
) {
let _ = sink
.send(WsMessage::Close(Some((
poem::web::websocket::CloseCode::from(4002),
"auth_failed".to_string(),
))))
.await;
let _ = sink.close().await;
}
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
/// Process an incoming text-frame sync message from a peer.
///
/// Text frames carry the bulk state dump (`SyncMessage::Bulk`) or legacy
/// single-op messages (`SyncMessage::Op`).
fn handle_incoming_text(text: &str) {
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
let msg: SyncMessage = match serde_json::from_str(text) {
Ok(m) => m,
Err(e) => {
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
slog!("[crdt-sync] Bad text message from peer: {e}");
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
return;
}
};
match msg {
SyncMessage::Bulk { ops } => {
fix: read_all_items must use deduplicated index, not raw CRDT entries
2026-04-10 19:32:55 +00:00
let mut applied = 0u64;
for op_json in &ops {
if let Ok(signed_op) = serde_json::from_str::<SignedOp>(op_json)
&& crdt_state::apply_remote_op(signed_op)
{
applied += 1;
}
}
slog!(
"[crdt-sync] Bulk sync: received {} ops, applied {applied}",
ops.len()
);
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
}
SyncMessage::Op { op } => {
if let Ok(signed_op) = serde_json::from_str::<SignedOp>(&op) {
crdt_state::apply_remote_op(signed_op);
}
}
}
}
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
/// Process an incoming binary-frame op from a peer.
///
/// Binary frames carry a single `SignedOp` encoded via [`crdt_wire`].
fn handle_incoming_binary(bytes: &[u8]) {
match crdt_wire::decode(bytes) {
Ok(signed_op) => {
crdt_state::apply_remote_op(signed_op);
}
Err(e) => {
slog!("[crdt-sync] Bad binary frame from peer: {e}");
}
}
}
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
// ── Rendezvous client ───────────────────────────────────────────────
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
/// Number of consecutive connection failures before escalating from WARN to ERROR.
pub const RENDEZVOUS_ERROR_THRESHOLD: u32 = 10;
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
/// Spawn a background task that connects to the configured rendezvous
/// peer and exchanges CRDT ops bidirectionally.
///
/// The client reconnects with exponential backoff if the connection drops.
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
/// Individual failures are logged at WARN; after [`RENDEZVOUS_ERROR_THRESHOLD`]
/// consecutive failures the log level escalates to ERROR.
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
pub fn spawn_rendezvous_client(url: String) {
tokio::spawn(async move {
let mut backoff_secs = 1u64;
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
let mut consecutive_failures: u32 = 0;
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
loop {
slog!("[crdt-sync] Connecting to rendezvous peer: {url}");
match connect_and_sync(&url).await {
Ok(()) => {
slog!("[crdt-sync] Rendezvous connection closed cleanly");
backoff_secs = 1;
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
consecutive_failures = 0;
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
}
Err(e) => {
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
consecutive_failures += 1;
if consecutive_failures >= RENDEZVOUS_ERROR_THRESHOLD {
slog_error!(
"[crdt-sync] Rendezvous peer unreachable ({consecutive_failures} consecutive failures): {e}"
);
} else {
slog_warn!(
"[crdt-sync] Rendezvous connection error (attempt {consecutive_failures}): {e}"
);
}
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
}
}
slog!("[crdt-sync] Reconnecting in {backoff_secs}s...");
tokio::time::sleep(std::time::Duration::from_secs(backoff_secs)).await;
backoff_secs = (backoff_secs * 2).min(30);
}
});
}
/// Connect to a remote sync endpoint and exchange ops until disconnect.
async fn connect_and_sync(url: &str) -> Result<(), String> {
let (ws_stream, _) = tokio_tungstenite::connect_async(url)
.await
.map_err(|e| format!("WebSocket connect failed: {e}"))?;
let (mut sink, mut stream) = ws_stream.split();
huskies: merge 628_story_websocket_connect_time_mutual_auth_using_node_identity_primitives
2026-04-25 14:29:39 +00:00
slog!("[crdt-sync] Connected to rendezvous peer, awaiting challenge");
// ── Step 1: Receive challenge from listener ───────────────────
use tokio_tungstenite::tungstenite::Message as TungsteniteMsg;
let challenge_frame = tokio::time::timeout(
std::time::Duration::from_secs(AUTH_TIMEOUT_SECS),
stream.next(),
)
.await
.map_err(|_| "Auth timeout waiting for challenge".to_string())?
.ok_or_else(|| "Connection closed before challenge".to_string())?
.map_err(|e| format!("WebSocket read error: {e}"))?;
let challenge_text = match challenge_frame {
TungsteniteMsg::Text(t) => t.to_string(),
_ => return Err("Expected text frame for challenge".to_string()),
};
let challenge_msg: ChallengeMessage = serde_json::from_str(&challenge_text)
.map_err(|e| format!("Invalid challenge message: {e}"))?;
if challenge_msg.r#type != "challenge" {
return Err(format!(
"Expected challenge message, got type={}",
challenge_msg.r#type
));
}
// ── Step 2: Sign challenge and send auth reply ────────────────
let (pubkey_hex, signature_hex) = crdt_state::sign_challenge(&challenge_msg.nonce)
.ok_or_else(|| "CRDT not initialised — cannot sign challenge".to_string())?;
let auth_msg = AuthMessage {
r#type: "auth".to_string(),
pubkey_hex,
signature_hex,
};
let auth_json = serde_json::to_string(&auth_msg).map_err(|e| format!("Serialize auth: {e}"))?;
sink.send(TungsteniteMsg::Text(auth_json.into()))
.await
.map_err(|e| format!("Send auth failed: {e}"))?;
slog!("[crdt-sync] Auth reply sent, waiting for sync data");
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
// Send our bulk state.
if let Some(ops) = crdt_state::all_ops_json() {
let msg = SyncMessage::Bulk { ops };
if let Ok(json) = serde_json::to_string(&msg) {
sink.send(TungsteniteMsg::Text(json.into()))
.await
.map_err(|e| format!("Send bulk failed: {e}"))?;
}
}
// Subscribe to new local ops.
let Some(mut op_rx) = crdt_state::subscribe_ops() else {
return Err("CRDT not initialised".to_string());
};
loop {
tokio::select! {
result = op_rx.recv() => {
match result {
Ok(signed_op) => {
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
// Encode via wire codec and send as binary frame.
let bytes = crdt_wire::encode(&signed_op);
fix: read_all_items must use deduplicated index, not raw CRDT entries
2026-04-10 19:32:55 +00:00
use tokio_tungstenite::tungstenite::Message as TungsteniteMsg;
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
if sink.send(TungsteniteMsg::Binary(bytes.into())).await.is_err() {
break;
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
}
}
Err(tokio::sync::broadcast::error::RecvError::Lagged(n)) => {
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
slog!("[crdt-sync] Slow rendezvous link lagged {n} ops; disconnecting");
break;
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
}
Err(_) => break,
}
}
frame = stream.next() => {
match frame {
fix: read_all_items must use deduplicated index, not raw CRDT entries
2026-04-10 19:32:55 +00:00
Some(Ok(tokio_tungstenite::tungstenite::Message::Text(text))) => {
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
handle_incoming_text(text.as_ref());
}
fix: read_all_items must use deduplicated index, not raw CRDT entries
2026-04-10 19:32:55 +00:00
Some(Ok(tokio_tungstenite::tungstenite::Message::Binary(bytes))) => {
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
handle_incoming_binary(&bytes);
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
}
fix: read_all_items must use deduplicated index, not raw CRDT entries
2026-04-10 19:32:55 +00:00
Some(Ok(tokio_tungstenite::tungstenite::Message::Close(_))) | None => break,
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
Some(Err(e)) => {
slog!("[crdt-sync] Rendezvous read error: {e}");
break;
}
_ => {}
}
}
}
}
Ok(())
}
// ── Tests ────────────────────────────────────────────────────────────
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn sync_message_bulk_serialization_roundtrip() {
let msg = SyncMessage::Bulk {
ops: vec!["op1".to_string(), "op2".to_string()],
};
let json = serde_json::to_string(&msg).unwrap();
assert!(json.contains(r#""type":"bulk""#));
let deserialized: SyncMessage = serde_json::from_str(&json).unwrap();
match deserialized {
SyncMessage::Bulk { ops } => {
assert_eq!(ops.len(), 2);
assert_eq!(ops[0], "op1");
assert_eq!(ops[1], "op2");
}
_ => panic!("Expected Bulk"),
}
}
#[test]
fn sync_message_op_serialization_roundtrip() {
let msg = SyncMessage::Op {
op: r#"{"inner":{}}"#.to_string(),
};
let json = serde_json::to_string(&msg).unwrap();
assert!(json.contains(r#""type":"op""#));
let deserialized: SyncMessage = serde_json::from_str(&json).unwrap();
match deserialized {
SyncMessage::Op { op } => {
assert_eq!(op, r#"{"inner":{}}"#);
}
_ => panic!("Expected Op"),
}
}
#[test]
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
fn handle_incoming_text_bad_json_does_not_panic() {
handle_incoming_text("not valid json");
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
}
#[test]
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
fn handle_incoming_text_bulk_with_invalid_ops_does_not_panic() {
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
let msg = SyncMessage::Bulk {
ops: vec!["not a valid signed op".to_string()],
};
let json = serde_json::to_string(&msg).unwrap();
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
handle_incoming_text(&json);
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
}
#[test]
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
fn handle_incoming_text_op_with_invalid_op_does_not_panic() {
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
let msg = SyncMessage::Op {
op: "garbage".to_string(),
};
let json = serde_json::to_string(&msg).unwrap();
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
handle_incoming_text(&json);
}
#[test]
fn handle_incoming_binary_bad_bytes_does_not_panic() {
handle_incoming_binary(b"not valid wire codec");
}
#[test]
fn handle_incoming_binary_empty_bytes_does_not_panic() {
handle_incoming_binary(b"");
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
}
#[test]
fn subscribe_ops_returns_none_before_init() {
// Before crdt_state::init() the channel doesn't exist yet.
// In test binaries it may or may not be initialised depending on
// other tests, so we just verify no panic.
let _ = crdt_state::subscribe_ops();
}
#[test]
fn all_ops_json_returns_none_before_init() {
let _ = crdt_state::all_ops_json();
}
#[test]
fn sync_message_bulk_empty_ops() {
let msg = SyncMessage::Bulk { ops: vec![] };
let json = serde_json::to_string(&msg).unwrap();
let deserialized: SyncMessage = serde_json::from_str(&json).unwrap();
match deserialized {
SyncMessage::Bulk { ops } => assert!(ops.is_empty()),
_ => panic!("Expected Bulk"),
}
}
/// Simulate the sync protocol by creating real SignedOps on two separate
/// CRDT instances and exchanging them through the SyncMessage wire format.
#[test]
fn two_node_sync_via_protocol_messages() {
use bft_json_crdt::json_crdt::{BaseCrdt, CrdtNode, OpState};
use bft_json_crdt::keypair::make_keypair;
use bft_json_crdt::op::ROOT_ID;
use serde_json::json;
use crate::crdt_state::PipelineDoc;
// ── Node A: create an item ──
let kp_a = make_keypair();
let mut crdt_a = BaseCrdt::<PipelineDoc>::new(&kp_a);
let item: bft_json_crdt::json_crdt::JsonValue = json!({
"story_id": "100_story_sync_test",
"stage": "1_backlog",
"name": "Sync Test",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
huskies: merge 479_story_build_agent_mode_with_crdt_based_work_claiming
2026-04-10 18:46:44 +00:00
"claimed_by": "",
"claimed_at": 0.0,
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
})
.into();
let op1 = crdt_a.doc.items.insert(ROOT_ID, item).sign(&kp_a);
assert_eq!(crdt_a.apply(op1.clone()), OpState::Ok);
// Serialise op1 into a SyncMessage::Op.
let op1_json = serde_json::to_string(&op1).unwrap();
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
let wire_msg = SyncMessage::Op {
op: op1_json.clone(),
};
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
let wire_json = serde_json::to_string(&wire_msg).unwrap();
// ── Node B: receive the op through protocol ──
let kp_b = make_keypair();
let mut crdt_b = BaseCrdt::<PipelineDoc>::new(&kp_b);
assert!(crdt_b.doc.items.view().is_empty());
// Parse wire message and apply.
let parsed: SyncMessage = serde_json::from_str(&wire_json).unwrap();
match parsed {
SyncMessage::Op { op } => {
let signed_op: bft_json_crdt::json_crdt::SignedOp =
serde_json::from_str(&op).unwrap();
let result = crdt_b.apply(signed_op);
assert_eq!(result, OpState::Ok);
}
_ => panic!("Expected Op"),
}
// Verify Node B has the same state as Node A.
assert_eq!(crdt_b.doc.items.view().len(), 1);
assert_eq!(
crdt_a.doc.items[0].story_id.view(),
crdt_b.doc.items[0].story_id.view()
);
assert_eq!(
crdt_a.doc.items[0].stage.view(),
crdt_b.doc.items[0].stage.view()
);
// ── Node A: update stage ──
let op2 = crdt_a.doc.items[0]
.stage
.set("2_current".to_string())
.sign(&kp_a);
crdt_a.apply(op2.clone());
// Send via bulk message.
let op2_json = serde_json::to_string(&op2).unwrap();
let bulk_msg = SyncMessage::Bulk {
ops: vec![op1_json, op2_json],
};
let bulk_wire = serde_json::to_string(&bulk_msg).unwrap();
// ── Node C: receives full state via bulk ──
let kp_c = make_keypair();
let mut crdt_c = BaseCrdt::<PipelineDoc>::new(&kp_c);
let parsed_bulk: SyncMessage = serde_json::from_str(&bulk_wire).unwrap();
match parsed_bulk {
SyncMessage::Bulk { ops } => {
for op_str in &ops {
let signed: bft_json_crdt::json_crdt::SignedOp =
serde_json::from_str(op_str).unwrap();
crdt_c.apply(signed);
}
}
_ => panic!("Expected Bulk"),
}
// Node C should have the updated stage.
assert_eq!(crdt_c.doc.items.view().len(), 1);
assert_eq!(
crdt_c.doc.items[0].stage.view(),
bft_json_crdt::json_crdt::JsonValue::String("2_current".to_string())
);
}
/// Verify that a single node's ops (insert + update) can be replayed
/// on another node via bulk sync and produce the same final state.
/// This is the core property needed for partition healing: when a
/// disconnected node reconnects, it sends all its ops as a bulk
/// message and the receiver catches up.
#[test]
fn partition_heal_via_bulk_replay() {
use bft_json_crdt::json_crdt::{BaseCrdt, CrdtNode, JsonValue as JV};
use bft_json_crdt::keypair::make_keypair;
use bft_json_crdt::op::ROOT_ID;
use serde_json::json;
use crate::crdt_state::PipelineDoc;
let kp = make_keypair();
// Node A creates an item and advances it.
let mut crdt_a = BaseCrdt::<PipelineDoc>::new(&kp);
let item: bft_json_crdt::json_crdt::JsonValue = json!({
"story_id": "200_story_heal",
"stage": "1_backlog",
"name": "Heal Test",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
huskies: merge 479_story_build_agent_mode_with_crdt_based_work_claiming
2026-04-10 18:46:44 +00:00
"claimed_by": "",
"claimed_at": 0.0,
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
})
.into();
let op1 = crdt_a.doc.items.insert(ROOT_ID, item).sign(&kp);
crdt_a.apply(op1.clone());
let op2 = crdt_a.doc.items[0]
.stage
.set("2_current".to_string())
.sign(&kp);
crdt_a.apply(op2.clone());
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
let op3 = crdt_a.doc.items[0].stage.set("3_qa".to_string()).sign(&kp);
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
crdt_a.apply(op3.clone());
// Serialise all ops as a bulk message (simulates partition heal).
let ops_json: Vec<String> = [&op1, &op2, &op3]
.iter()
.map(|op| serde_json::to_string(op).unwrap())
.collect();
let bulk = SyncMessage::Bulk { ops: ops_json };
let wire = serde_json::to_string(&bulk).unwrap();
// Node B receives the bulk and reconstructs state.
let mut crdt_b = BaseCrdt::<PipelineDoc>::new(&kp);
let parsed: SyncMessage = serde_json::from_str(&wire).unwrap();
match parsed {
SyncMessage::Bulk { ops } => {
for op_str in &ops {
let signed: bft_json_crdt::json_crdt::SignedOp =
serde_json::from_str(op_str).unwrap();
crdt_b.apply(signed);
}
}
_ => panic!("Expected Bulk"),
}
// Node B should match Node A exactly.
assert_eq!(crdt_b.doc.items.view().len(), 1);
assert_eq!(
crdt_b.doc.items[0].stage.view(),
JV::String("3_qa".to_string())
);
assert_eq!(
crdt_a.doc.items[0].stage.view(),
crdt_b.doc.items[0].stage.view()
);
assert_eq!(
crdt_a.doc.items[0].name.view(),
crdt_b.doc.items[0].name.view()
);
}
#[test]
fn config_rendezvous_parsed_from_toml() {
let toml_str = r#"
rendezvous = "ws://remote:3001/crdt-sync"
[[agent]]
name = "test"
"#;
let config: crate::config::ProjectConfig = toml::from_str(toml_str).unwrap();
assert_eq!(
config.rendezvous.as_deref(),
Some("ws://remote:3001/crdt-sync")
);
}
#[test]
fn config_rendezvous_defaults_to_none() {
let config = crate::config::ProjectConfig::default();
assert!(config.rendezvous.is_none());
}
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
// ── AC4: Failure logging escalation ──────────────────────────────────────
/// AC4: Connection errors must be logged at WARN for the first nine
/// consecutive failures and escalate to ERROR from the tenth onwards.
#[test]
fn failure_counter_warn_below_threshold() {
let threshold = super::RENDEZVOUS_ERROR_THRESHOLD;
let mut consecutive_failures: u32 = 0;
// First threshold-1 failures are below the ERROR threshold.
for _ in 0..(threshold - 1) {
consecutive_failures += 1;
assert!(
consecutive_failures < threshold,
"failure {consecutive_failures} must be below ERROR threshold {threshold}"
);
}
}
/// AC4: The tenth consecutive failure must trigger ERROR-level logging.
#[test]
fn failure_counter_error_at_threshold() {
let threshold = super::RENDEZVOUS_ERROR_THRESHOLD;
let consecutive_failures: u32 = threshold;
assert!(
consecutive_failures >= threshold,
"failure {consecutive_failures} must reach or exceed ERROR threshold {threshold}"
);
}
/// AC4: A successful connection resets the failure counter so subsequent
/// single failures are again logged at WARN (not ERROR).
#[test]
fn failure_counter_resets_on_success() {
let threshold = super::RENDEZVOUS_ERROR_THRESHOLD;
// Simulate sustained failure.
let mut consecutive_failures: u32 = threshold + 5;
assert!(consecutive_failures >= threshold);
// Simulate a clean reconnect.
consecutive_failures = 0;
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
assert_eq!(
consecutive_failures, 0,
"counter must reset to 0 on success"
);
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
// Next error is attempt 1 — well below the ERROR threshold.
consecutive_failures += 1;
assert!(
consecutive_failures < threshold,
"first failure after reset must be below ERROR threshold"
);
}
/// AC4: The RENDEZVOUS_ERROR_THRESHOLD constant must equal 10.
#[test]
fn error_threshold_is_ten() {
assert_eq!(
super::RENDEZVOUS_ERROR_THRESHOLD,
10,
"ERROR escalation threshold must be 10 consecutive failures"
);
}
huskies: merge 507_story_apply_inbound_signedops_with_causal_order_queue_for_partition_recovery
2026-04-10 16:09:15 +00:00
// ── AC5: Self-loop dedup ──────────────────────────────────────────────────
/// AC5: Applying the same SignedOp twice returns AlreadySeen on the second
/// call and leaves the CRDT state unchanged.
#[test]
fn self_loop_dedup_second_apply_is_noop() {
use bft_json_crdt::json_crdt::{BaseCrdt, CrdtNode, JsonValue as JV, OpState};
use bft_json_crdt::keypair::make_keypair;
use bft_json_crdt::op::ROOT_ID;
use serde_json::json;
use crate::crdt_state::PipelineDoc;
let kp = make_keypair();
let mut crdt = BaseCrdt::<PipelineDoc>::new(&kp);
let item: bft_json_crdt::json_crdt::JsonValue = json!({
"story_id": "507_dedup_test",
"stage": "1_backlog",
"name": "Dedup Test",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
huskies: merge 479_story_build_agent_mode_with_crdt_based_work_claiming
2026-04-10 18:46:44 +00:00
"claimed_by": "",
"claimed_at": 0.0,
huskies: merge 507_story_apply_inbound_signedops_with_causal_order_queue_for_partition_recovery
2026-04-10 16:09:15 +00:00
})
.into();
let op = crdt.doc.items.insert(ROOT_ID, item).sign(&kp);
// First apply: succeeds.
assert_eq!(crdt.apply(op.clone()), OpState::Ok);
assert_eq!(crdt.doc.items.view().len(), 1);
// Second apply (self-loop): must be a no-op.
assert_eq!(crdt.apply(op.clone()), OpState::AlreadySeen);
// State must not have changed.
assert_eq!(crdt.doc.items.view().len(), 1);
// Stage update also deduplicated correctly.
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
let stage_op = crdt.doc.items[0]
.stage
.set("2_current".to_string())
.sign(&kp);
huskies: merge 507_story_apply_inbound_signedops_with_causal_order_queue_for_partition_recovery
2026-04-10 16:09:15 +00:00
assert_eq!(crdt.apply(stage_op.clone()), OpState::Ok);
assert_eq!(
crdt.doc.items[0].stage.view(),
JV::String("2_current".to_string())
);
assert_eq!(crdt.apply(stage_op), OpState::AlreadySeen);
assert_eq!(
crdt.doc.items[0].stage.view(),
JV::String("2_current".to_string()),
"stage must not change on duplicate apply"
);
}
// ── AC3 & AC7: Out-of-order causal queueing ───────────────────────────────
/// AC3/AC7: An op whose causal dependency has not yet arrived is held in the
/// queue (returns MissingCausalDependencies). When the dependency arrives
/// the queued op is released and applied automatically.
#[test]
fn out_of_order_causal_queueing_releases_on_dep_arrival() {
use bft_json_crdt::json_crdt::{BaseCrdt, CrdtNode, JsonValue as JV, OpState};
use bft_json_crdt::keypair::make_keypair;
use bft_json_crdt::op::ROOT_ID;
use serde_json::json;
use crate::crdt_state::PipelineDoc;
let kp = make_keypair();
let mut crdt = BaseCrdt::<PipelineDoc>::new(&kp);
let item: bft_json_crdt::json_crdt::JsonValue = json!({
"story_id": "507_causal_test",
"stage": "1_backlog",
"name": "Causal Test",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
huskies: merge 479_story_build_agent_mode_with_crdt_based_work_claiming
2026-04-10 18:46:44 +00:00
"claimed_by": "",
"claimed_at": 0.0,
huskies: merge 507_story_apply_inbound_signedops_with_causal_order_queue_for_partition_recovery
2026-04-10 16:09:15 +00:00
})
.into();
// op1 = insert item (no deps)
let op1 = crdt.doc.items.insert(ROOT_ID, item).sign(&kp);
// op2 = set stage, declared to depend on op1
// We must first apply op1 locally to generate op2 from the right state,
// then we'll test op2-before-op1 on a fresh CRDT.
crdt.apply(op1.clone());
let op2 = crdt.doc.items[0]
.stage
.set("2_current".to_string())
.sign_with_dependencies(&kp, vec![&op1]);
// Create a fresh receiver CRDT.
let mut receiver = BaseCrdt::<PipelineDoc>::new(&kp);
// Apply op2 first — dependency (op1) has not arrived yet.
let r = receiver.apply(op2.clone());
assert_eq!(
r,
OpState::MissingCausalDependencies,
"op2 must be queued when op1 has not arrived"
);
// Queue length must reflect the held op.
assert_eq!(receiver.causal_queue_len(), 1);
// Item has NOT been inserted yet (op1 not applied).
assert_eq!(receiver.doc.items.view().len(), 0);
// Now deliver op1 — this should trigger op2 to be flushed automatically.
let r = receiver.apply(op1.clone());
assert_eq!(r, OpState::Ok);
// Both ops are now applied — item is present at stage 2_current.
assert_eq!(receiver.doc.items.view().len(), 1);
assert_eq!(
receiver.doc.items[0].stage.view(),
JV::String("2_current".to_string()),
"op2 must have been applied automatically after op1 arrived"
);
// Queue must be empty now.
assert_eq!(receiver.causal_queue_len(), 0);
}
/// AC7: In-order apply works correctly (no causal queueing needed).
#[test]
fn in_order_apply_works_without_queueing() {
use bft_json_crdt::json_crdt::{BaseCrdt, CrdtNode, JsonValue as JV, OpState};
use bft_json_crdt::keypair::make_keypair;
use bft_json_crdt::op::ROOT_ID;
use serde_json::json;
use crate::crdt_state::PipelineDoc;
let kp = make_keypair();
let mut crdt_a = BaseCrdt::<PipelineDoc>::new(&kp);
let item: bft_json_crdt::json_crdt::JsonValue = json!({
"story_id": "507_inorder_test",
"stage": "1_backlog",
"name": "In-Order Test",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
huskies: merge 479_story_build_agent_mode_with_crdt_based_work_claiming
2026-04-10 18:46:44 +00:00
"claimed_by": "",
"claimed_at": 0.0,
huskies: merge 507_story_apply_inbound_signedops_with_causal_order_queue_for_partition_recovery
2026-04-10 16:09:15 +00:00
})
.into();
let op1 = crdt_a.doc.items.insert(ROOT_ID, item).sign(&kp);
crdt_a.apply(op1.clone());
let op2 = crdt_a.doc.items[0]
.stage
.set("2_current".to_string())
.sign(&kp);
crdt_a.apply(op2.clone());
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
let op3 = crdt_a.doc.items[0].stage.set("3_qa".to_string()).sign(&kp);
huskies: merge 507_story_apply_inbound_signedops_with_causal_order_queue_for_partition_recovery
2026-04-10 16:09:15 +00:00
crdt_a.apply(op3.clone());
// Receiver applies all ops in the correct order.
let mut crdt_b = BaseCrdt::<PipelineDoc>::new(&kp);
assert_eq!(crdt_b.apply(op1), OpState::Ok);
assert_eq!(crdt_b.apply(op2), OpState::Ok);
assert_eq!(crdt_b.apply(op3), OpState::Ok);
assert_eq!(crdt_b.causal_queue_len(), 0);
assert_eq!(
crdt_b.doc.items[0].stage.view(),
JV::String("3_qa".to_string())
);
}
// ── AC4: Queue overflow behaviour ─────────────────────────────────────────
/// AC4: When the causal-order queue exceeds CAUSAL_QUEUE_MAX the oldest
/// pending op is evicted (queue never grows beyond the cap).
#[test]
fn causal_queue_overflow_drops_oldest() {
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
use bft_json_crdt::json_crdt::{BaseCrdt, CAUSAL_QUEUE_MAX, OpState};
huskies: merge 507_story_apply_inbound_signedops_with_causal_order_queue_for_partition_recovery
2026-04-10 16:09:15 +00:00
use bft_json_crdt::keypair::make_keypair;
use bft_json_crdt::op::ROOT_ID;
use serde_json::json;
use crate::crdt_state::PipelineDoc;
let kp = make_keypair();
// Build one "phantom" op that we'll claim as a dependency but never deliver.
// We do this by creating it on a separate CRDT and never applying it.
let mut source = BaseCrdt::<PipelineDoc>::new(&kp);
let phantom_item: bft_json_crdt::json_crdt::JsonValue = json!({
"story_id": "507_phantom",
"stage": "1_backlog",
"name": "Phantom",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
huskies: merge 479_story_build_agent_mode_with_crdt_based_work_claiming
2026-04-10 18:46:44 +00:00
"claimed_by": "",
"claimed_at": 0.0,
huskies: merge 507_story_apply_inbound_signedops_with_causal_order_queue_for_partition_recovery
2026-04-10 16:09:15 +00:00
})
.into();
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
let phantom_op = source.doc.items.insert(ROOT_ID, phantom_item).sign(&kp);
huskies: merge 507_story_apply_inbound_signedops_with_causal_order_queue_for_partition_recovery
2026-04-10 16:09:15 +00:00
// Receiver never sees phantom_op, so any op declaring it as a dep will
// sit in the causal queue forever (until evicted by overflow).
let mut receiver = BaseCrdt::<PipelineDoc>::new(&kp);
source.apply(phantom_op.clone());
// Send CAUSAL_QUEUE_MAX + 5 stage-update ops all depending on phantom_op.
// Each one will be queued because phantom_op is never delivered.
let mut queued = 0usize;
for i in 0..CAUSAL_QUEUE_MAX + 5 {
let stage_name = format!("stage_{i}");
// Generate from source so seq numbers are valid.
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
let op = source.doc.items[0]
huskies: merge 507_story_apply_inbound_signedops_with_causal_order_queue_for_partition_recovery
2026-04-10 16:09:15 +00:00
.stage
.set(stage_name)
.sign_with_dependencies(&kp, vec![&phantom_op]);
source.apply(op.clone());
let r = receiver.apply(op);
if r == OpState::MissingCausalDependencies {
queued += 1;
}
}
// We sent more than CAUSAL_QUEUE_MAX ops, but the queue must stay bounded.
assert!(
receiver.causal_queue_len() <= CAUSAL_QUEUE_MAX,
"queue ({}) must not exceed CAUSAL_QUEUE_MAX ({CAUSAL_QUEUE_MAX})",
receiver.causal_queue_len()
);
assert!(
queued > 0,
"at least some ops must have been accepted into the queue"
);
}
// ── AC6: Convergence test ─────────────────────────────────────────────────
/// AC6: Two CRDT instances generate interleaved ops on each side, simulate a
/// network partition by withholding each other's ops, then exchange all
/// buffered ops. Final state must be byte-identical on both nodes.
#[test]
fn convergence_after_partition_and_replay() {
use bft_json_crdt::json_crdt::{BaseCrdt, CrdtNode, JsonValue as JV, OpState};
use bft_json_crdt::keypair::make_keypair;
use bft_json_crdt::op::ROOT_ID;
use serde_json::json;
use crate::crdt_state::PipelineDoc;
let kp_a = make_keypair();
let kp_b = make_keypair();
let mut crdt_a = BaseCrdt::<PipelineDoc>::new(&kp_a);
let mut crdt_b = BaseCrdt::<PipelineDoc>::new(&kp_b);
// ── Phase 1: A generates ops while partitioned from B ──────────────
let item_a: bft_json_crdt::json_crdt::JsonValue = json!({
"story_id": "507_convergence_a",
"stage": "1_backlog",
"name": "Story A",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
huskies: merge 479_story_build_agent_mode_with_crdt_based_work_claiming
2026-04-10 18:46:44 +00:00
"claimed_by": "",
"claimed_at": 0.0,
huskies: merge 507_story_apply_inbound_signedops_with_causal_order_queue_for_partition_recovery
2026-04-10 16:09:15 +00:00
})
.into();
let op_a1 = crdt_a.doc.items.insert(ROOT_ID, item_a).sign(&kp_a);
crdt_a.apply(op_a1.clone());
let op_a2 = crdt_a.doc.items[0]
.stage
.set("2_current".to_string())
.sign(&kp_a);
crdt_a.apply(op_a2.clone());
// ── Phase 2: B generates ops while partitioned from A ──────────────
let item_b: bft_json_crdt::json_crdt::JsonValue = json!({
"story_id": "507_convergence_b",
"stage": "1_backlog",
"name": "Story B",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
huskies: merge 479_story_build_agent_mode_with_crdt_based_work_claiming
2026-04-10 18:46:44 +00:00
"claimed_by": "",
"claimed_at": 0.0,
huskies: merge 507_story_apply_inbound_signedops_with_causal_order_queue_for_partition_recovery
2026-04-10 16:09:15 +00:00
})
.into();
let op_b1 = crdt_b.doc.items.insert(ROOT_ID, item_b).sign(&kp_b);
crdt_b.apply(op_b1.clone());
let op_b2 = crdt_b.doc.items[0]
.stage
.set("2_current".to_string())
.sign(&kp_b);
crdt_b.apply(op_b2.clone());
// ── Phase 3: Reconnect — both sides replay all buffered ops ────────
// A sends its ops to B.
let r = crdt_b.apply(op_a1.clone());
assert!(r == OpState::Ok || r == OpState::AlreadySeen);
let r = crdt_b.apply(op_a2.clone());
assert!(r == OpState::Ok || r == OpState::AlreadySeen);
// B sends its ops to A.
let r = crdt_a.apply(op_b1.clone());
assert!(r == OpState::Ok || r == OpState::AlreadySeen);
let r = crdt_a.apply(op_b2.clone());
assert!(r == OpState::Ok || r == OpState::AlreadySeen);
// ── Phase 4: Assert convergence ────────────────────────────────────
// Both nodes must have both stories.
assert_eq!(
crdt_a.doc.items.view().len(),
2,
"A must have 2 items after convergence"
);
assert_eq!(
crdt_b.doc.items.view().len(),
2,
"B must have 2 items after convergence"
);
// Serialise both CRDT views to JSON and assert byte-identical.
let view_a = serde_json::to_string(&CrdtNode::view(&crdt_a.doc.items)).unwrap();
let view_b = serde_json::to_string(&CrdtNode::view(&crdt_b.doc.items)).unwrap();
assert_eq!(
view_a, view_b,
"CRDT states must be byte-identical after convergence"
);
// Spot-check: both stories are at 2_current on both nodes.
let stories_a: Vec<String> = crdt_a
.doc
.items
.view()
.iter()
.filter_map(|item| {
if let JV::Object(m) = CrdtNode::view(item) {
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
m.get("story_id").and_then(|s| {
if let JV::String(s) = s {
Some(s.clone())
} else {
None
}
})
huskies: merge 507_story_apply_inbound_signedops_with_causal_order_queue_for_partition_recovery
2026-04-10 16:09:15 +00:00
} else {
None
}
})
.collect();
assert!(
stories_a.contains(&"507_convergence_a".to_string()),
"A must contain story_a"
);
assert!(
stories_a.contains(&"507_convergence_b".to_string()),
"A must contain story_b"
);
}
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
// ── AC8: peer lifecycle tests ─────────────────────────────────────────────
/// AC8: A peer that connects and then receives a subsequently-applied op
/// gets that op encoded via the wire codec (binary frame).
#[test]
fn peer_receives_op_encoded_via_wire_codec() {
use bft_json_crdt::json_crdt::BaseCrdt;
use bft_json_crdt::keypair::make_keypair;
use bft_json_crdt::op::ROOT_ID;
use serde_json::json;
use crate::crdt_state::PipelineDoc;
use crate::crdt_wire;
let kp = make_keypair();
let mut crdt = BaseCrdt::<PipelineDoc>::new(&kp);
let item: bft_json_crdt::json_crdt::JsonValue = json!({
"story_id": "506_story_lifecycle_test",
"stage": "1_backlog",
"name": "Lifecycle Test",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
huskies: merge 479_story_build_agent_mode_with_crdt_based_work_claiming
2026-04-10 18:46:44 +00:00
"claimed_by": "",
"claimed_at": 0.0,
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
})
.into();
let op = crdt.doc.items.insert(ROOT_ID, item).sign(&kp);
// Simulate what the broadcast handler does: encode via wire codec.
let bytes = crdt_wire::encode(&op);
// The bytes must be a versioned JSON envelope, not a SyncMessage wrapper.
let text = std::str::from_utf8(&bytes).expect("wire output is valid UTF-8");
assert!(
text.contains("\"v\":1"),
"wire codec version tag must be present: {text}"
);
assert!(
!text.contains("\"type\":\"op\""),
"must not be wrapped in SyncMessage: {text}"
);
// The receiving peer can decode and apply the op.
let decoded = crdt_wire::decode(&bytes).expect("decode must succeed");
assert_eq!(op, decoded);
}
/// AC8: Multiple connected peers all receive the same broadcast op.
#[tokio::test]
async fn multiple_peers_all_receive_broadcast_op() {
use bft_json_crdt::json_crdt::BaseCrdt;
use bft_json_crdt::keypair::make_keypair;
use bft_json_crdt::op::ROOT_ID;
use serde_json::json;
use tokio::sync::broadcast;
use crate::crdt_state::PipelineDoc;
use crate::crdt_wire;
// Create a broadcast channel (analogous to SYNC_TX).
let (tx, _) = broadcast::channel::<SignedOp>(16);
let mut rx_peer1 = tx.subscribe();
let mut rx_peer2 = tx.subscribe();
let kp = make_keypair();
let mut crdt = BaseCrdt::<PipelineDoc>::new(&kp);
let item: bft_json_crdt::json_crdt::JsonValue = json!({
"story_id": "506_story_multi_peer_test",
"stage": "1_backlog",
"name": "Multi-Peer Test",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
huskies: merge 479_story_build_agent_mode_with_crdt_based_work_claiming
2026-04-10 18:46:44 +00:00
"claimed_by": "",
"claimed_at": 0.0,
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
})
.into();
let op = crdt.doc.items.insert(ROOT_ID, item).sign(&kp);
// Broadcast one op.
tx.send(op.clone()).expect("send must succeed");
// Both peers receive the same op.
let received1 = rx_peer1.recv().await.expect("peer 1 must receive");
let received2 = rx_peer2.recv().await.expect("peer 2 must receive");
assert_eq!(received1, op);
assert_eq!(received2, op);
// Both encode identically via wire codec.
let bytes1 = crdt_wire::encode(&received1);
let bytes2 = crdt_wire::encode(&received2);
assert_eq!(bytes1, bytes2, "wire-encoded bytes must be identical");
}
/// AC8: A peer disconnecting mid-broadcast does not panic.
/// Simulated by dropping the receiver before the sender sends an op.
#[test]
fn disconnected_peer_does_not_panic() {
use bft_json_crdt::json_crdt::BaseCrdt;
use bft_json_crdt::keypair::make_keypair;
use bft_json_crdt::op::ROOT_ID;
use serde_json::json;
use tokio::sync::broadcast;
use crate::crdt_state::PipelineDoc;
let (tx, rx) = broadcast::channel::<SignedOp>(16);
// Drop the receiver to simulate a peer that disconnected.
drop(rx);
let kp = make_keypair();
let mut crdt = BaseCrdt::<PipelineDoc>::new(&kp);
let item: bft_json_crdt::json_crdt::JsonValue = json!({
"story_id": "506_story_disconnect_test",
"stage": "1_backlog",
"name": "Disconnect Test",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
huskies: merge 479_story_build_agent_mode_with_crdt_based_work_claiming
2026-04-10 18:46:44 +00:00
"claimed_by": "",
"claimed_at": 0.0,
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
})
.into();
let op = crdt.doc.items.insert(ROOT_ID, item).sign(&kp);
// Sending to a channel with no receivers returns an error; must not panic.
let _ = tx.send(op);
}
/// AC8: A lagged receiver gets a `Lagged` error (confirming the
/// disconnect-on-overflow behaviour is reachable).
#[tokio::test]
async fn lagged_peer_gets_lagged_error() {
use bft_json_crdt::json_crdt::BaseCrdt;
use bft_json_crdt::keypair::make_keypair;
use bft_json_crdt::op::ROOT_ID;
use serde_json::json;
use tokio::sync::broadcast;
use crate::crdt_state::PipelineDoc;
// Tiny capacity so we can trigger Lagged easily.
let (tx, mut rx) = broadcast::channel::<SignedOp>(2);
let kp = make_keypair();
let mut crdt = BaseCrdt::<PipelineDoc>::new(&kp);
let item: bft_json_crdt::json_crdt::JsonValue = json!({
"story_id": "506_story_lag_test",
"stage": "1_backlog",
"name": "Lag Test",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
huskies: merge 479_story_build_agent_mode_with_crdt_based_work_claiming
2026-04-10 18:46:44 +00:00
"claimed_by": "",
"claimed_at": 0.0,
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
})
.into();
let op1 = crdt.doc.items.insert(ROOT_ID, item).sign(&kp);
crdt.apply(op1.clone());
// Overflow the tiny buffer by sending more ops than the capacity.
let op2 = crdt.doc.items[0]
.stage
.set("2_current".to_string())
.sign(&kp);
crdt.apply(op2.clone());
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
let op3 = crdt.doc.items[0].stage.set("3_qa".to_string()).sign(&kp);
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
crdt.apply(op3.clone());
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
let op4 = crdt.doc.items[0].stage.set("4_merge".to_string()).sign(&kp);
huskies: merge 506_story_websocket_sync_endpoint_that_broadcasts_local_signedops_to_connected_peers
2026-04-10 15:49:04 +00:00
crdt.apply(op4.clone());
// Send more ops than the channel capacity without consuming.
let _ = tx.send(op1);
let _ = tx.send(op2);
let _ = tx.send(op3);
let _ = tx.send(op4);
// The slow peer should now see a Lagged error on next recv.
// Consume until we hit Lagged or run out.
let mut got_lagged = false;
for _ in 0..10 {
match rx.recv().await {
Err(broadcast::error::RecvError::Lagged(_)) => {
got_lagged = true;
break;
}
Ok(_) => continue,
Err(broadcast::error::RecvError::Closed) => break,
}
}
assert!(
got_lagged,
"slow peer must receive a Lagged error when channel overflows"
);
}
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
// ── AC5 (story 508): E2E convergence test via real WebSocket ─────────────
/// AC5: Spin up two in-process WebSocket nodes. Node A serves a
/// `/crdt-sync`-compatible endpoint; Node B connects as a rendezvous client.
/// Node A sends a bulk state; Node B applies it. Assert both nodes see the
/// same items within a bounded time window.
#[tokio::test]
async fn e2e_convergence_two_websocket_nodes() {
use bft_json_crdt::json_crdt::{BaseCrdt, CrdtNode, JsonValue as JV, OpState};
use bft_json_crdt::keypair::make_keypair;
use bft_json_crdt::op::ROOT_ID;
use futures::{SinkExt, StreamExt};
use serde_json::json;
use std::sync::{Arc, Mutex};
use tokio::net::TcpListener;
use tokio_tungstenite::tungstenite::Message as TMsg;
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
use tokio_tungstenite::{accept_async, connect_async};
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
use crate::crdt_state::PipelineDoc;
// ── Node A: build local state ──────────────────────────────────────
let kp_a = make_keypair();
let mut crdt_a = BaseCrdt::<PipelineDoc>::new(&kp_a);
let item: bft_json_crdt::json_crdt::JsonValue = json!({
"story_id": "508_e2e_convergence",
"stage": "2_current",
"name": "E2E Convergence Test",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
huskies: merge 479_story_build_agent_mode_with_crdt_based_work_claiming
2026-04-10 18:46:44 +00:00
"claimed_by": "",
"claimed_at": 0.0,
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
})
.into();
let op1 = crdt_a.doc.items.insert(ROOT_ID, item).sign(&kp_a);
crdt_a.apply(op1.clone());
// Serialise A's full state as a bulk message.
let op1_json = serde_json::to_string(&op1).unwrap();
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
let bulk_msg = SyncMessage::Bulk {
ops: vec![op1_json],
};
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
let bulk_wire = serde_json::to_string(&bulk_msg).unwrap();
// ── Start Node A's WebSocket server on a random port ───────────────
let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
let addr = listener.local_addr().unwrap();
let bulk_to_send = bulk_wire.clone();
let received_by_a: Arc<Mutex<Vec<String>>> = Arc::new(Mutex::new(vec![]));
let received_by_a_clone = received_by_a.clone();
tokio::spawn(async move {
let (tcp_stream, _) = listener.accept().await.unwrap();
let ws_stream = accept_async(tcp_stream).await.unwrap();
let (mut sink, mut stream) = ws_stream.split();
// Send bulk state to the connecting peer.
sink.send(TMsg::Text(bulk_to_send.into())).await.unwrap();
// Also listen for ops sent by the peer.
if let Some(Ok(TMsg::Text(txt))) = stream.next().await {
received_by_a_clone.lock().unwrap().push(txt.to_string());
}
});
// ── Node B: connect to Node A and exchange state ───────────────────
let kp_b = make_keypair();
let mut crdt_b = BaseCrdt::<PipelineDoc>::new(&kp_b);
let url = format!("ws://{addr}");
let (ws_b, _) = connect_async(&url).await.unwrap();
let (mut sink_b, mut stream_b) = ws_b.split();
// Node B receives bulk from A.
if let Some(Ok(TMsg::Text(txt))) = stream_b.next().await {
let msg: SyncMessage = serde_json::from_str(txt.as_str()).unwrap();
match msg {
SyncMessage::Bulk { ops } => {
for op_str in &ops {
let signed: bft_json_crdt::json_crdt::SignedOp =
serde_json::from_str(op_str).unwrap();
let r = crdt_b.apply(signed);
assert!(r == OpState::Ok || r == OpState::AlreadySeen);
}
}
_ => panic!("Expected Bulk from Node A"),
}
}
// Node B also creates a new op and sends it to A.
let item_b: bft_json_crdt::json_crdt::JsonValue = json!({
"story_id": "508_e2e_convergence_b",
"stage": "1_backlog",
"name": "E2E Convergence B",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
huskies: merge 479_story_build_agent_mode_with_crdt_based_work_claiming
2026-04-10 18:46:44 +00:00
"claimed_by": "",
"claimed_at": 0.0,
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
})
.into();
let op_b1 = crdt_b.doc.items.insert(ROOT_ID, item_b).sign(&kp_b);
crdt_b.apply(op_b1.clone());
let op_b1_json = serde_json::to_string(&op_b1).unwrap();
let msg_to_a = SyncMessage::Op { op: op_b1_json };
sink_b
.send(TMsg::Text(serde_json::to_string(&msg_to_a).unwrap().into()))
.await
.unwrap();
// Wait a moment for Node A to process.
tokio::time::sleep(std::time::Duration::from_millis(50)).await;
// ── Assert convergence ─────────────────────────────────────────────
// Node B received Node A's item.
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
assert_eq!(
crdt_b.doc.items.view().len(),
2,
"Node B must see both items after sync"
);
let has_a_item = crdt_b
.doc
.items
.view()
.iter()
.any(|item| item.story_id.view() == JV::String("508_e2e_convergence".to_string()));
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
assert!(has_a_item, "Node B must have Node A's item");
// Node A received Node B's op via the WebSocket.
let a_received = received_by_a.lock().unwrap();
assert!(
!a_received.is_empty(),
"Node A must have received an op from Node B"
);
}
// ── AC6 (story 508): Partition healing E2E via real WebSocket ─────────────
/// AC6: Two nodes exchange ops, the connection is dropped (partition), each
/// side mutates independently, then they reconnect and the reconnecting
/// client sends a fresh bulk state. Assert both converge to the same final
/// state.
#[tokio::test]
async fn e2e_partition_healing_websocket() {
use bft_json_crdt::json_crdt::{BaseCrdt, CrdtNode, JsonValue as JV};
use bft_json_crdt::keypair::make_keypair;
use bft_json_crdt::op::ROOT_ID;
use futures::{SinkExt, StreamExt};
use serde_json::json;
use tokio::net::TcpListener;
use tokio_tungstenite::tungstenite::Message as TMsg;
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
use tokio_tungstenite::{accept_async, connect_async};
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
use crate::crdt_state::PipelineDoc;
// ── Phase 1: Both nodes start with op_a1 (before partition) ───────
let kp_a = make_keypair();
let kp_b = make_keypair();
let mut crdt_a = BaseCrdt::<PipelineDoc>::new(&kp_a);
let mut crdt_b = BaseCrdt::<PipelineDoc>::new(&kp_b);
let item_a: bft_json_crdt::json_crdt::JsonValue = json!({
"story_id": "508_heal_a",
"stage": "1_backlog",
"name": "Heal A",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
huskies: merge 479_story_build_agent_mode_with_crdt_based_work_claiming
2026-04-10 18:46:44 +00:00
"claimed_by": "",
"claimed_at": 0.0,
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
})
.into();
let op_a1 = crdt_a.doc.items.insert(ROOT_ID, item_a).sign(&kp_a);
crdt_a.apply(op_a1.clone());
// B also starts with op_a1 (shared state before partition).
crdt_b.apply(op_a1.clone());
// ── Phase 2: Partition — each side mutates independently ──────────
// A advances its story stage.
let op_a2 = crdt_a.doc.items[0]
.stage
.set("2_current".to_string())
.sign(&kp_a);
crdt_a.apply(op_a2.clone());
// B inserts a new story that A doesn't know about yet.
let item_b: bft_json_crdt::json_crdt::JsonValue = json!({
"story_id": "508_heal_b",
"stage": "1_backlog",
"name": "Heal B",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
huskies: merge 479_story_build_agent_mode_with_crdt_based_work_claiming
2026-04-10 18:46:44 +00:00
"claimed_by": "",
"claimed_at": 0.0,
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
})
.into();
let op_b1 = crdt_b.doc.items.insert(ROOT_ID, item_b).sign(&kp_b);
crdt_b.apply(op_b1.clone());
// Collect B's full state as bulk (what it will send on reconnect).
let b_ops: Vec<String> = [&op_a1, &op_b1]
.iter()
.map(|op| serde_json::to_string(op).unwrap())
.collect();
let b_bulk_wire = serde_json::to_string(&SyncMessage::Bulk { ops: b_ops }).unwrap();
// Collect A's full state as bulk (what it will send on reconnect).
let a_ops: Vec<String> = [&op_a1, &op_a2]
.iter()
.map(|op| serde_json::to_string(op).unwrap())
.collect();
let a_bulk_wire = serde_json::to_string(&SyncMessage::Bulk { ops: a_ops }).unwrap();
// ── Phase 3: Reconnect — use a real WebSocket to exchange bulk ────
let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
let addr = listener.local_addr().unwrap();
let a_bulk_to_send = a_bulk_wire.clone();
let a_received_bulk: std::sync::Arc<std::sync::Mutex<Option<String>>> =
std::sync::Arc::new(std::sync::Mutex::new(None));
let a_received_clone = a_received_bulk.clone();
tokio::spawn(async move {
let (tcp, _) = listener.accept().await.unwrap();
let ws = accept_async(tcp).await.unwrap();
let (mut sink, mut stream) = ws.split();
// A sends its bulk state.
sink.send(TMsg::Text(a_bulk_to_send.into())).await.unwrap();
// A receives B's bulk state.
if let Some(Ok(TMsg::Text(txt))) = stream.next().await {
*a_received_clone.lock().unwrap() = Some(txt.to_string());
}
});
// B connects, exchanges bulk state.
let (ws_b, _) = connect_async(format!("ws://{addr}")).await.unwrap();
let (mut sink_b, mut stream_b) = ws_b.split();
// B receives A's bulk and applies it.
if let Some(Ok(TMsg::Text(txt))) = stream_b.next().await {
let msg: SyncMessage = serde_json::from_str(txt.as_str()).unwrap();
if let SyncMessage::Bulk { ops } = msg {
for op_str in &ops {
let signed: bft_json_crdt::json_crdt::SignedOp =
serde_json::from_str(op_str).unwrap();
let _ = crdt_b.apply(signed);
}
}
}
// B sends its bulk state to A.
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
sink_b.send(TMsg::Text(b_bulk_wire.into())).await.unwrap();
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
tokio::time::sleep(std::time::Duration::from_millis(50)).await;
// Apply A's received ops into crdt_a.
if let Some(bulk_str) = a_received_bulk.lock().unwrap().take() {
let msg: SyncMessage = serde_json::from_str(&bulk_str).unwrap();
if let SyncMessage::Bulk { ops } = msg {
for op_str in &ops {
let signed: bft_json_crdt::json_crdt::SignedOp =
serde_json::from_str(op_str).unwrap();
let _ = crdt_a.apply(signed);
}
}
}
// ── Assert convergence ─────────────────────────────────────────────
// Both nodes must have 2 items.
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
assert_eq!(
crdt_a.doc.items.view().len(),
2,
"A must have 2 items after healing"
);
assert_eq!(
crdt_b.doc.items.view().len(),
2,
"B must have 2 items after healing"
);
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
// A must see B's story.
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
let b_story_on_a = crdt_a
.doc
.items
.view()
.iter()
.any(|item| item.story_id.view() == JV::String("508_heal_b".to_string()));
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
assert!(b_story_on_a, "A must have B's story after healing");
// B must see A's stage advance.
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
let a_story_on_b = crdt_b
.doc
.items
.view()
.iter()
.any(|item| item.story_id.view() == JV::String("508_heal_a".to_string()));
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
assert!(a_story_on_b, "B must have A's story after healing");
// CRDT views must be byte-identical (convergence).
let view_a = serde_json::to_string(&CrdtNode::view(&crdt_a.doc.items)).unwrap();
let view_b = serde_json::to_string(&CrdtNode::view(&crdt_b.doc.items)).unwrap();
fix: add --all to cargo fmt in script/test and autoformat codebase
2026-04-13 14:07:08 +00:00
assert_eq!(
view_a, view_b,
"Both nodes must converge to identical state"
);
huskies: merge 508_story_configurable_rendezvous_peer_in_project_toml_with_outbound_crdt_sync_connect
2026-04-10 16:41:01 +00:00
}
huskies: merge 628_story_websocket_connect_time_mutual_auth_using_node_identity_primitives
2026-04-25 14:29:39 +00:00
// ── Story 628: Connect-time mutual auth integration tests ────────────
/// Helper: run a listener that performs the server-side auth handshake.
/// Returns the TCP listener address so the connector can connect.
/// `trusted_keys` controls which pubkeys the listener accepts.
/// If `on_authenticated` is provided, it runs after successful auth.
async fn start_auth_listener(
trusted_keys: Vec<String>,
) -> (
std::net::SocketAddr,
tokio::sync::oneshot::Receiver<AuthListenerResult>,
) {
use tokio::net::TcpListener;
use tokio_tungstenite::accept_async;
let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
let addr = listener.local_addr().unwrap();
let (result_tx, result_rx) = tokio::sync::oneshot::channel();
tokio::spawn(async move {
let (tcp_stream, _) = listener.accept().await.unwrap();
let ws_stream = accept_async(tcp_stream).await.unwrap();
let (mut sink, mut stream) = ws_stream.split();
use tokio_tungstenite::tungstenite::Message as TMsg;
// Step 1: Send challenge.
let challenge = crate::node_identity::generate_challenge();
let challenge_msg = super::ChallengeMessage {
r#type: "challenge".to_string(),
nonce: challenge.clone(),
};
let challenge_json = serde_json::to_string(&challenge_msg).unwrap();
if sink.send(TMsg::Text(challenge_json.into())).await.is_err() {
let _ = result_tx.send(AuthListenerResult::ConnectionLost);
return;
}
// Step 2: Await auth reply (10s timeout).
let auth_frame =
tokio::time::timeout(std::time::Duration::from_secs(10), stream.next()).await;
let auth_text = match auth_frame {
Ok(Some(Ok(TMsg::Text(t)))) => t.to_string(),
Ok(Some(Ok(TMsg::Close(reason)))) => {
let _ = result_tx.send(AuthListenerResult::PeerClosedEarly(
reason.map(|r| r.reason.to_string()),
));
return;
}
_ => {
let _ = sink
.send(TMsg::Close(Some(tokio_tungstenite::tungstenite::protocol::CloseFrame {
code: tokio_tungstenite::tungstenite::protocol::frame::coding::CloseCode::from(4001),
reason: "auth_timeout".into(),
})))
.await;
let _ = result_tx.send(AuthListenerResult::AuthTimeout);
return;
}
};
// Step 3: Verify.
let auth_msg: super::AuthMessage = match serde_json::from_str(&auth_text) {
Ok(m) => m,
Err(_) => {
let _ = close_listener_auth_failed(&mut sink).await;
let _ = result_tx.send(AuthListenerResult::AuthFailed("bad_json".into()));
return;
}
};
let sig_valid = crate::node_identity::verify_challenge(
&auth_msg.pubkey_hex,
&challenge,
&auth_msg.signature_hex,
);
let key_trusted = trusted_keys.iter().any(|k| k == &auth_msg.pubkey_hex);
if !sig_valid || !key_trusted {
let _ = close_listener_auth_failed(&mut sink).await;
let _ = result_tx.send(AuthListenerResult::AuthFailed(format!(
"sig_valid={sig_valid}, key_trusted={key_trusted}"
)));
return;
}
// Auth passed! Send a bulk state with one op to prove sync works.
let kp = bft_json_crdt::keypair::make_keypair();
let mut crdt =
bft_json_crdt::json_crdt::BaseCrdt::<crate::crdt_state::PipelineDoc>::new(&kp);
let item: bft_json_crdt::json_crdt::JsonValue = serde_json::json!({
"story_id": "628_auth_test_item",
"stage": "1_backlog",
"name": "Auth Test",
"agent": "",
"retry_count": 0.0,
"blocked": false,
"depends_on": "",
"claimed_by": "",
"claimed_at": 0.0,
})
.into();
let op = crdt
.doc
.items
.insert(bft_json_crdt::op::ROOT_ID, item)
.sign(&kp);
let op_json = serde_json::to_string(&op).unwrap();
let bulk = super::SyncMessage::Bulk { ops: vec![op_json] };
let bulk_json = serde_json::to_string(&bulk).unwrap();
let _ = sink.send(TMsg::Text(bulk_json.into())).await;
let _ = result_tx.send(AuthListenerResult::Authenticated(auth_msg.pubkey_hex));
});
(addr, result_rx)
}
#[derive(Debug)]
#[allow(dead_code)]
enum AuthListenerResult {
Authenticated(String),
AuthFailed(String),
AuthTimeout,
ConnectionLost,
PeerClosedEarly(Option<String>),
}
async fn close_listener_auth_failed(
sink: &mut futures::stream::SplitSink<
tokio_tungstenite::WebSocketStream<tokio::net::TcpStream>,
tokio_tungstenite::tungstenite::Message,
>,
) {
use tokio_tungstenite::tungstenite::protocol::CloseFrame;
use tokio_tungstenite::tungstenite::protocol::frame::coding::CloseCode;
let _ = sink
.send(tokio_tungstenite::tungstenite::Message::Close(Some(
CloseFrame {
code: CloseCode::from(4002),
reason: "auth_failed".into(),
},
)))
.await;
}
/// AC5 (story 628): Happy path — two nodes with each other's pubkeys
/// allow-listed complete the handshake and exchange at least one CRDT op.
#[tokio::test]
async fn auth_happy_path_handshake_and_sync() {
use bft_json_crdt::keypair::make_keypair;
use futures::{SinkExt, StreamExt};
use tokio_tungstenite::connect_async;
use tokio_tungstenite::tungstenite::Message as TMsg;
let connector_kp = make_keypair();
let connector_pubkey = crate::node_identity::public_key_hex(&connector_kp);
// Start listener that trusts the connector's pubkey.
let (addr, result_rx) = start_auth_listener(vec![connector_pubkey.clone()]).await;
// Connect and do the handshake.
let url = format!("ws://{addr}");
let (ws, _) = connect_async(&url).await.unwrap();
let (mut sink, mut stream) = ws.split();
// Receive challenge.
let challenge_frame = stream.next().await.unwrap().unwrap();
let challenge_text = match challenge_frame {
TMsg::Text(t) => t.to_string(),
other => panic!("Expected text frame, got {other:?}"),
};
let challenge_msg: super::ChallengeMessage = serde_json::from_str(&challenge_text).unwrap();
assert_eq!(challenge_msg.r#type, "challenge");
assert_eq!(
challenge_msg.nonce.len(),
64,
"Challenge must be 64 hex chars"
);
// Sign and reply.
let sig = crate::node_identity::sign_challenge(&connector_kp, &challenge_msg.nonce);
let auth_msg = super::AuthMessage {
r#type: "auth".to_string(),
pubkey_hex: connector_pubkey.clone(),
signature_hex: sig,
};
let auth_json = serde_json::to_string(&auth_msg).unwrap();
sink.send(TMsg::Text(auth_json.into())).await.unwrap();
// After auth, we should receive a bulk sync message with at least one op.
let bulk_frame = tokio::time::timeout(std::time::Duration::from_secs(5), stream.next())
.await
.expect("should receive bulk within 5s")
.unwrap()
.unwrap();
let bulk_text = match bulk_frame {
TMsg::Text(t) => t.to_string(),
other => panic!("Expected bulk text frame, got {other:?}"),
};
let bulk_msg: super::SyncMessage = serde_json::from_str(&bulk_text).unwrap();
match bulk_msg {
super::SyncMessage::Bulk { ops } => {
assert!(
!ops.is_empty(),
"Bulk sync must contain at least one op after successful auth"
);
// Verify we can deserialize the op.
let _signed: bft_json_crdt::json_crdt::SignedOp =
serde_json::from_str(&ops[0]).unwrap();
}
_ => panic!("Expected Bulk message after auth"),
}
// Verify listener also reports success.
let listener_result = result_rx.await.unwrap();
match listener_result {
AuthListenerResult::Authenticated(pubkey) => {
assert_eq!(pubkey, connector_pubkey);
}
other => panic!("Expected Authenticated, got {other:?}"),
}
}
/// AC6 (story 628): Untrusted pubkey — connector whose pubkey is NOT in
/// the listener's allow-list is rejected with close reason auth_failed,
/// and zero CRDT ops are exchanged.
#[tokio::test]
async fn auth_untrusted_pubkey_rejected() {
use bft_json_crdt::keypair::make_keypair;
use futures::{SinkExt, StreamExt};
use tokio_tungstenite::connect_async;
use tokio_tungstenite::tungstenite::Message as TMsg;
let connector_kp = make_keypair();
let connector_pubkey = crate::node_identity::public_key_hex(&connector_kp);
// Listener trusts a DIFFERENT key, not the connector's.
let other_kp = make_keypair();
let other_pubkey = crate::node_identity::public_key_hex(&other_kp);
let (addr, result_rx) = start_auth_listener(vec![other_pubkey]).await;
let url = format!("ws://{addr}");
let (ws, _) = connect_async(&url).await.unwrap();
let (mut sink, mut stream) = ws.split();
// Receive challenge and sign with our (untrusted) key.
let challenge_frame = stream.next().await.unwrap().unwrap();
let challenge_text = match challenge_frame {
TMsg::Text(t) => t.to_string(),
_ => panic!("Expected text frame"),
};
let challenge_msg: super::ChallengeMessage = serde_json::from_str(&challenge_text).unwrap();
let sig = crate::node_identity::sign_challenge(&connector_kp, &challenge_msg.nonce);
let auth_msg = super::AuthMessage {
r#type: "auth".to_string(),
pubkey_hex: connector_pubkey,
signature_hex: sig,
};
sink.send(TMsg::Text(serde_json::to_string(&auth_msg).unwrap().into()))
.await
.unwrap();
// Should receive a close frame with auth_failed.
let close_frame = tokio::time::timeout(std::time::Duration::from_secs(5), stream.next())
.await
.expect("should receive close within 5s");
match close_frame {
Some(Ok(TMsg::Close(Some(frame)))) => {
assert_eq!(
&*frame.reason, "auth_failed",
"Close reason must be 'auth_failed'"
);
}
Some(Ok(TMsg::Close(None))) => {
// Some implementations omit the close frame payload — that's acceptable
// as long as no sync data was sent.
}
other => {
// Connection dropped without close frame is also acceptable.
// The key assertion is below: no ops were exchanged.
let _ = other;
}
}
// Verify listener reports auth failure.
let listener_result = result_rx.await.unwrap();
match listener_result {
AuthListenerResult::AuthFailed(reason) => {
assert!(reason.contains("key_trusted=false"), "Reason: {reason}");
}
other => panic!("Expected AuthFailed, got {other:?}"),
}
}
/// AC7 (story 628): Bad signature — connector signs with wrong keypair.
/// Rejected with the same auth_failed — indistinguishable from untrusted key.
#[tokio::test]
async fn auth_bad_signature_rejected() {
use bft_json_crdt::keypair::make_keypair;
use futures::{SinkExt, StreamExt};
use tokio_tungstenite::connect_async;
use tokio_tungstenite::tungstenite::Message as TMsg;
let legitimate_kp = make_keypair();
let legitimate_pubkey = crate::node_identity::public_key_hex(&legitimate_kp);
// A different keypair that will sign the challenge (wrong key).
let impersonator_kp = make_keypair();
// Listener trusts the legitimate pubkey.
let (addr, result_rx) = start_auth_listener(vec![legitimate_pubkey.clone()]).await;
let url = format!("ws://{addr}");
let (ws, _) = connect_async(&url).await.unwrap();
let (mut sink, mut stream) = ws.split();
// Receive challenge.
let challenge_frame = stream.next().await.unwrap().unwrap();
let challenge_text = match challenge_frame {
TMsg::Text(t) => t.to_string(),
_ => panic!("Expected text frame"),
};
let challenge_msg: super::ChallengeMessage = serde_json::from_str(&challenge_text).unwrap();
// Sign with the WRONG keypair but claim to be the legitimate pubkey.
let bad_sig = crate::node_identity::sign_challenge(&impersonator_kp, &challenge_msg.nonce);
let auth_msg = super::AuthMessage {
r#type: "auth".to_string(),
pubkey_hex: legitimate_pubkey,
signature_hex: bad_sig,
};
sink.send(TMsg::Text(serde_json::to_string(&auth_msg).unwrap().into()))
.await
.unwrap();
// Should be rejected.
let close_frame = tokio::time::timeout(std::time::Duration::from_secs(5), stream.next())
.await
.expect("should receive close within 5s");
match close_frame {
Some(Ok(TMsg::Close(Some(frame)))) => {
assert_eq!(
&*frame.reason, "auth_failed",
"Close reason must be 'auth_failed' — same as untrusted key"
);
}
_ => {
// Connection closed is acceptable.
}
}
// Verify listener reports auth failure with sig_valid=false.
let listener_result = result_rx.await.unwrap();
match listener_result {
AuthListenerResult::AuthFailed(reason) => {
assert!(reason.contains("sig_valid=false"), "Reason: {reason}");
}
other => panic!("Expected AuthFailed, got {other:?}"),
}
}
/// AC8 (story 628): Replay protection sanity — two consecutive connect
/// attempts receive different challenges (fresh nonce per accept).
#[tokio::test]
async fn auth_replay_protection_fresh_nonces() {
use futures::StreamExt;
use tokio::net::TcpListener;
use tokio_tungstenite::tungstenite::Message as TMsg;
use tokio_tungstenite::{accept_async, connect_async};
// Start a listener that sends challenges but doesn't complete auth.
let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
let addr = listener.local_addr().unwrap();
let (nonce_tx, mut nonce_rx) = tokio::sync::mpsc::channel::<String>(2);
tokio::spawn(async move {
for _ in 0..2 {
let (tcp, _) = listener.accept().await.unwrap();
let ws = accept_async(tcp).await.unwrap();
let (mut sink, _stream) = ws.split();
let challenge = crate::node_identity::generate_challenge();
let msg = super::ChallengeMessage {
r#type: "challenge".to_string(),
nonce: challenge.clone(),
};
let json = serde_json::to_string(&msg).unwrap();
let _ = sink.send(TMsg::Text(json.into())).await;
let _ = nonce_tx.send(challenge).await;
}
});
// Connect twice and collect the nonces.
let mut nonces = Vec::new();
for _ in 0..2 {
let url = format!("ws://{addr}");
let (ws, _) = connect_async(&url).await.unwrap();
let (_sink, mut stream) = ws.split();
let frame = stream.next().await.unwrap().unwrap();
let text = match frame {
TMsg::Text(t) => t.to_string(),
_ => panic!("Expected text"),
};
let msg: super::ChallengeMessage = serde_json::from_str(&text).unwrap();
nonces.push(msg.nonce);
// Drop connection so listener accepts the next one.
drop(stream);
}
// Also collect nonces from the listener side.
let server_nonce_1 = nonce_rx.recv().await.unwrap();
let server_nonce_2 = nonce_rx.recv().await.unwrap();
assert_ne!(
nonces[0], nonces[1],
"Consecutive challenges must be different"
);
assert_ne!(
server_nonce_1, server_nonce_2,
"Server must generate fresh nonce per accept"
);
assert_eq!(nonces[0], server_nonce_1, "Client/server nonces must match");
assert_eq!(nonces[1], server_nonce_2, "Client/server nonces must match");
}
/// AC4 (story 628): trusted_keys config is parsed from project.toml.
#[test]
fn config_trusted_keys_parsed_from_toml() {
let toml_str = r#"
trusted_keys = [
"aabbccdd00112233aabbccdd00112233aabbccdd00112233aabbccdd00112233",
"11223344556677881122334455667788112233445566778811223344556677ab",
]
[[agent]]
name = "test"
"#;
let config: crate::config::ProjectConfig =
crate::config::ProjectConfig::parse(toml_str).unwrap();
assert_eq!(config.trusted_keys.len(), 2);
assert_eq!(
config.trusted_keys[0],
"aabbccdd00112233aabbccdd00112233aabbccdd00112233aabbccdd00112233"
);
}
/// AC4 (story 628): trusted_keys defaults to empty (reject all).
#[test]
fn config_trusted_keys_defaults_to_empty() {
let config = crate::config::ProjectConfig::default();
assert!(
config.trusted_keys.is_empty(),
"trusted_keys must default to empty (reject all)"
);
}
/// AC9 (story 628): Existing per-op signed replication tests still pass.
/// This is verified implicitly by running the full test suite — this marker
/// test documents the intent.
#[test]
fn existing_sync_tests_unchanged() {
// If we got here, all previous crdt_sync tests compiled and passed.
// This test exists as a documentation anchor for AC9.
}
merge(478): WebSocket CRDT sync layer (manual squash from feature/story-478)
2026-04-09 19:46:29 +01:00
}
Reference in New Issue Copy Permalink