huskies: merge 628_story_websocket_connect_time_mutual_auth_using_node_identity_primitives

server/src/config.rs

@@ -54,6 +54,11 @@ pub struct ProjectConfig {
     /// so both machines see the same pipeline state in real-time.
     #[serde(default)]
     pub rendezvous: Option<String>,
+    /// Hex-encoded Ed25519 public keys of trusted peers for WebSocket mutual auth.
+    /// When present, only peers whose pubkey is in this list are allowed to connect.
+    /// When empty or missing, all peers are rejected (closed-by-default).
+    #[serde(default)]
+    pub trusted_keys: Vec<String>,
 }
 
 /// Configuration for the filesystem watcher's sweep behaviour.
@@ -228,6 +233,7 @@ impl Default for ProjectConfig {
             rate_limit_notifications: default_rate_limit_notifications(),
             timezone: None,
             rendezvous: None,
+            trusted_keys: Vec::new(),
         }
     }
 }
@@ -305,6 +311,7 @@ impl ProjectConfig {
                         rate_limit_notifications: legacy.rate_limit_notifications,
                         timezone: legacy.timezone,
                         rendezvous: None,
+                        trusted_keys: Vec::new(),
                     };
                     validate_agents(&config.agent)?;
                     return Ok(config);
@@ -333,6 +340,7 @@ impl ProjectConfig {
                         rate_limit_notifications: legacy.rate_limit_notifications,
                         timezone: legacy.timezone,
                         rendezvous: None,
+                        trusted_keys: Vec::new(),
                     };
                     validate_agents(&config.agent)?;
                     Ok(config)
@@ -349,6 +357,7 @@ impl ProjectConfig {
                         rate_limit_notifications: legacy.rate_limit_notifications,
                         timezone: legacy.timezone,
                         rendezvous: None,
+                        trusted_keys: Vec::new(),
                     })
                 }
             }