huskies: merge 633_story_crdt_sync_bearer_token_connection_auth

2026-04-25 22:09:31 +00:00
parent d826daaf41
commit 7548486a53
4 changed files with 370 additions and 14 deletions
@@ -419,10 +419,19 @@ async fn main() -> Result<(), std::io::Error> {

    // (CRDT state layer is initialised above alongside the legacy pipeline.db.)

-    // Load trusted keys and start the CRDT sync rendezvous client if configured.
-    // In agent mode, the --rendezvous flag overrides project.toml.
+    // Load trusted keys, token auth config, and start the CRDT sync rendezvous
+    // client if configured.  In agent mode, the --rendezvous flag overrides
+    // project.toml.  The --join-token / HUSKIES_JOIN_TOKEN is appended to the
+    // rendezvous URL as ?token=... so the server's bearer-token check passes.
+    let crdt_join_token = cli
+        .join_token
+        .clone()
+        .or_else(|| std::env::var("HUSKIES_JOIN_TOKEN").ok());
+
    let sync_config = if is_agent {
-        agent_rendezvous.clone().map(|url| (url, Vec::new()))
+        agent_rendezvous
+            .clone()
+            .map(|url| (url, Vec::new(), false, Vec::new()))
    } else {
        app_state
            .project_root
@@ -430,22 +439,34 @@ async fn main() -> Result<(), std::io::Error> {
            .unwrap()
            .as_ref()
            .and_then(|root| config::ProjectConfig::load(root).ok())
-            .and_then(|cfg| cfg.rendezvous.map(|url| (url, cfg.trusted_keys)))
+            .and_then(|cfg| {
+                cfg.rendezvous.map(|url| {
+                    (
+                        url,
+                        cfg.trusted_keys,
+                        cfg.crdt_require_token,
+                        cfg.crdt_tokens,
+                    )
+                })
+            })
    };
-    if let Some((rendezvous_url, trusted_keys)) = sync_config {
+    if let Some((rendezvous_url, trusted_keys, require_token, crdt_tokens)) = sync_config {
        crdt_sync::init_trusted_keys(trusted_keys);
-        crdt_sync::spawn_rendezvous_client(rendezvous_url);
+        crdt_sync::init_token_auth(require_token, crdt_tokens);
+        crdt_sync::spawn_rendezvous_client(rendezvous_url, crdt_join_token);
    } else {
-        // Even without rendezvous, initialise trusted keys for incoming connections.
-        let keys = app_state
+        // Even without rendezvous, initialise trusted keys and token auth for
+        // incoming connections.
+        let (keys, require_token, crdt_tokens) = app_state
            .project_root
            .lock()
            .unwrap()
            .as_ref()
            .and_then(|root| config::ProjectConfig::load(root).ok())
-            .map(|cfg| cfg.trusted_keys)
+            .map(|cfg| (cfg.trusted_keys, cfg.crdt_require_token, cfg.crdt_tokens))
            .unwrap_or_default();
        crdt_sync::init_trusted_keys(keys);
+        crdt_sync::init_token_auth(require_token, crdt_tokens);
    }

    // ── Agent mode: headless build agent ────────────────────────────────