huskies: merge 977

server/src/node_identity.rs

@@ -41,8 +41,6 @@
 //!    `verify_challenge` primitive but leaves the allow-list to story 480.
 
 use bft_json_crdt::keypair::{Ed25519KeyPair, Ed25519Signature, sign};
-use ed25519_dalek::SigningKey;
-use fastcrypto::traits::{KeyPair, ToFromBytes};
 use rand::RngCore;
 use std::sync::OnceLock;
 
@@ -84,7 +82,7 @@ pub fn generate_challenge() -> ChallengeHex {
 /// encoding steps.
 pub fn sign_challenge(keypair: &Ed25519KeyPair, challenge: &str) -> SignatureHex {
     let sig: Ed25519Signature = sign(keypair, challenge.as_bytes());
-    hex_encode(sig.as_bytes())
+    hex_encode(&sig.to_bytes())
 }
 
 // ── Verification ──────────────────────────────────────────────────────
@@ -143,7 +141,7 @@ pub fn verify_message_strict(pubkey_hex: &str, message: &[u8], signature_hex: &s
 /// This is the same value written to the CRDT `claimed_by` and `node_id`
 /// registers, so it is the canonical node identity across all subsystems.
 pub fn public_key_hex(keypair: &Ed25519KeyPair) -> String {
-    hex_encode(keypair.public().as_bytes())
+    hex_encode(&keypair.verifying_key().to_bytes())
 }
 
 // ── File-based keypair persistence (ed25519-dalek) ────────────────────────
@@ -181,12 +179,12 @@ pub fn load_or_create_keypair_file(path: &std::path::Path) -> std::io::Result<No
                 "node identity key file must contain exactly 32 bytes",
             )
         })?;
-        SigningKey::from_bytes(&seed)
+        Ed25519KeyPair::from_bytes(&seed)
     } else {
         // Generate a fresh keypair and persist the seed.
         let mut seed = [0u8; 32];
         rand::rng().fill_bytes(&mut seed);
-        let sk = SigningKey::from_bytes(&seed);
+        let sk = Ed25519KeyPair::from_bytes(&seed);
 
         // Create the file with mode 0600 at creation time (Unix) so the seed
         // is never visible to other users even transiently.