Adds shared-secret HMAC-SHA256 authentication to peer sync endpoints. Sync requests now include X-Clare-Timestamp + X-Clare-Signature headers covering ts/method/path/body. Server validates against local sync_secret and rejects with 401 on mismatch, missing headers, or >300s skew.

- config.py: new sync_secret field (auto-generated on first run) and PeerConfig list (back-compat: plain-string peers still parse)
- sync.py: signs outbound peer + loopback requests; sync_peer takes PeerConfig and local_secret
- web/api.py: require_sync_auth dependency on /sync/* routes; /health remains unauthenticated; when sync_secret is unset, sync stays open for back-compat with fresh installs
- tests: 10 new auth tests cover valid/tampered/expired/missing/no-secret paths plus full two-Clare convergence with matched secrets

| File |
|---|
| conftest.py |
| test_api.py |
| test_cli_smoke.py |
| test_config.py |
| test_db.py |
| test_events.py |
| test_hlc.py |
| test_rclaude_wrapper.py |
| test_scheduler.py |
| test_sync_auth.py |
| test_sync_convergence.py |
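
The request-signing scheme the commit message describes, as an added Python example that is not the project's own code. The header names, the 300-second skew limit, the 401 outcome and the open-when-unset behaviour come from the commit message; the newline-joined canonical string, the hex encoding and the function names are assumptions.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # limit stated in the commit message


def _canonical(ts: str, method: str, path: str, body: bytes) -> bytes:
    # Assumed layout: the commit says the signature covers ts/method/path/body
    # but not how the fields are joined. Body goes last so it cannot shift
    # the boundaries of the other fields.
    return b"\n".join([ts.encode(), method.upper().encode(), path.encode(), body])


def _mac(secret: str, ts: str, method: str, path: str, body: bytes) -> str:
    msg = _canonical(ts, method, path, body)
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def sign_request(secret, method, path, body, now=None) -> dict:
    """Client side: build the two headers for an outbound sync request."""
    ts = str(int(time.time() if now is None else now))
    return {"X-Clare-Timestamp": ts,
            "X-Clare-Signature": _mac(secret, ts, method, path, body)}


def verify_request(secret, headers, method, path, body, now=None) -> int:
    """Server side: return the status the request would get (200 or 401)."""
    if not secret:
        return 200  # back-compat path from the commit: no secret, sync stays open
    ts = headers.get("X-Clare-Timestamp")
    sig = headers.get("X-Clare-Signature")
    if not ts or not sig:
        return 401  # missing headers
    try:
        sent = int(ts)
    except ValueError:
        return 401  # unparseable timestamp
    current = time.time() if now is None else now
    if abs(current - sent) > MAX_SKEW_SECONDS:
        return 401  # stale or future-dated request
    expected = _mac(secret, ts, method, path, body)
    # Constant-time comparison on bytes; also tolerates non-ASCII header input.
    ok = hmac.compare_digest(expected.encode(), sig.encode())
    return 200 if ok else 401
```

Because the timestamp is part of the signed string, a captured request cannot be re-dated, but it can still be replayed unchanged inside the 300-second window.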