Adds shared-secret HMAC-SHA256 authentication to peer sync endpoints.
Sync requests now include X-Clare-Timestamp + X-Clare-Signature headers
covering ts/method/path/body. Server validates against local sync_secret
and rejects with 401 on mismatch, missing headers, or >300s skew.
- config.py: new sync_secret field (auto-generated on first run) and
PeerConfig list (back-compat: plain-string peers still parse)
- sync.py: signs outbound peer + loopback requests; sync_peer takes
PeerConfig and local_secret
- web/api.py: require_sync_auth dependency on /sync/* routes; /health
remains unauthenticated; when sync_secret is unset, sync stays open
for back-compat with fresh installs
- tests: 10 new auth tests cover valid/tampered/expired/missing/no-secret
paths plus full two-Clare convergence with matched secrets
Push A (single-machine):
- HLC + event-sourced SQLite (events table is source of truth, projections rebuildable)
- Pydantic v2 domain models (Project, Task, Assignment, Session, Group, Update)
- rclaude subprocess wrapper (local_sessions via _claude-projects --sessions)
- Typer CLI: init, project, task, assign, pull, status, broadcast, serve, sync
- FastAPI + Jinja2 + HTMX dashboard
- 26 unit tests passing
Push B (HTTP API + sync substrate):
- /api/v1/* JSON routes (projects, tasks, assignments, sessions, status, broadcast, sync)
- CLI refactored as thin httpx client over the API — single business-logic codepath
- web/service.py: every business op defined once; HTML routes + API routes both call into it
- sync.py: peer-to-peer sync via /api/v1/sync/events with HLC + uuid-based dedup
- 32 tests passing including two-Clare convergence test
Push C (cross-host deployment):
- apricot install via uv (Python 3.12.12)
- systemd --user unit for clare-serve on apricot
- Cross-host sync demoed plum (10.9.0.3) ↔ apricot (10.9.0.2) over wg
- .local → .lan rename for forge URLs
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
