Adds shared-secret HMAC-SHA256 authentication to peer sync endpoints.
Sync requests now include X-Clare-Timestamp + X-Clare-Signature headers
covering ts/method/path/body. Server validates against local sync_secret
and rejects with 401 on mismatch, missing headers, or >300s skew.
- config.py: new sync_secret field (auto-generated on first run) and
PeerConfig list (back-compat: plain-string peers still parse)
- sync.py: signs outbound peer + loopback requests; sync_peer takes
PeerConfig and local_secret
- web/api.py: require_sync_auth dependency on /sync/* routes; /health
remains unauthenticated; when sync_secret is unset, sync stays open
for back-compat with fresh installs
- tests: 10 new auth tests cover valid/tampered/expired/missing/no-secret
paths plus full two-Clare convergence with matched secrets
