feat: per-operation signature verification and transitive vouching #163
Merged
Conversation
Add schema column and migration for per-operation verification tracking. The column stores the base64 public key of the identity that verified (authored or validated) each operation. Defaults to empty string for backward compatibility with existing operations.
OperationLog now carries the identity pubkey and stamps it into verified_by on every INSERT. Both workspace constructors (create/open) pass the identity's base64 public key to OperationLog::new, so all locally-authored operations are immediately marked as verified.
Introduce DeltaOperation struct wrapping Operation with an optional verified_by field for per-op verification. Rename operations -> delta_operations throughout DeltaParams, ParsedDelta, and all callers in swarm/sync.rs, sync/mod.rs, and receive_poll.rs. Ops are wrapped with verified_by: None for now (Task 6 adds real vouching logic).
Add per-operation verification to apply_incoming_operation:
- Sender-authored ops: verify Ed25519 signature against sender identity
- Relayed ops with vouch: accept if verified_by matches sender identity
- Relayed ops without vouch: reject
- RetractOperation (empty author_key): accept only if vouched by sender

Update all callers (swarm/sync, folder sync, relay poll) to pass delta_op.verified_by and sender_public_key through to verification. Update INSERT to persist resolved verified_by. Add 7 new tests covering valid signatures, tampered ops, vouched relays, unvouched relays, vouch mismatches, and retract op vouching.
Simulates multi-hop delta propagation: A creates and signs an op, sends to B without vouch; B verifies A's signature and re-sends to C with verified_by set, proving the vouch chain round-trips correctly through the delta bundle codec. Also applies cargo fmt to sync.rs.
Add verified_by column to OperationSummary, resolve pubkeys to display names in the Tauri command layer, and show the value in both the operations list/detail views and the note metadata panel. Includes new get_note_verified_by Tauri command and i18n keys for all 7 locales.
Summary
Implements #150 — per-operation Ed25519 signature verification and transitive vouching for delta sync.
- Add verified_by TEXT NOT NULL DEFAULT '' column to operations table (with migration for existing DBs)
- verified_by is populated with the workspace identity pubkey on INSERT
- DeltaOperation wrapper struct around Operation carrying optional verified_by metadata
- apply_incoming_operation now verifies Ed25519 signatures for sender-authored ops and validates vouches for relayed ops. Unvouched relayed ops are rejected.
- generate_delta queries verified_by from the DB and wraps ops with appropriate vouching metadata: self-authored ops get None (receiver verifies directly), previously-verified ops get re-vouched with sender's key

Closes #150
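The acceptance rules in the summary (sender-authored ops verified directly, relayed ops admitted only on a vouch matching the sender, RetractOperation admitted only by vouch, generate_delta re-vouching previously verified ops) and the A -> B -> C round trip described in the commit list, worked through as an added example. This is not krillnotes code: the project is Rust, but the example is written in Go so that real Ed25519 signatures can be exercised with the standard library alone. The struct and field names, the JSON-like payload bytes, and the assumption that senderPub is the already-authenticated identity of the peer that delivered the bundle are all assumptions of the example, not taken from the PR.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Operation holds only what the rules need; field names are assumptions, not the project's schema.
type Operation struct {
	AuthorKey string // base64 Ed25519 public key; "" marks a RetractOperation
	Payload   []byte // the signed bytes
	Signature []byte
}

// StoredOp is an operations-table row; the migration default '' for VerifiedBy marks
// rows that predate verification.
type StoredOp struct{ Op Operation; VerifiedBy string }

// DeltaOperation is the wire form; an empty VerifiedBy means "no vouch, verify it yourself".
type DeltaOperation struct{ Op Operation; VerifiedBy string }

var (
	ErrBadSignature  = errors.New("signature does not verify against the author key")
	ErrUnvouched     = errors.New("relayed op carries no vouch")
	ErrVouchMismatch = errors.New("vouch key is not the sender's identity")
)

func verifySig(op Operation) bool {
	pub, err := base64.StdEncoding.DecodeString(op.AuthorKey)
	return err == nil && len(pub) == ed25519.PublicKeySize &&
		ed25519.Verify(ed25519.PublicKey(pub), op.Payload, op.Signature)
}

// ApplyIncomingOperation applies the acceptance rules to one delta op and returns the
// verified_by value to persist. senderPub is the identity of the peer that sent the bundle.
func ApplyIncomingOperation(d DeltaOperation, senderPub string) (string, error) {
	if senderPub != "" && d.Op.AuthorKey == senderPub { // sender-authored: check the signature
		if !verifySig(d.Op) {
			return "", ErrBadSignature
		}
		return senderPub, nil
	}
	// Relayed op, or RetractOperation with empty author key: only the sender's vouch admits it.
	if d.VerifiedBy == "" {
		return "", ErrUnvouched
	}
	if d.VerifiedBy != senderPub {
		return "", ErrVouchMismatch
	}
	return senderPub, nil
}

// GenerateDelta wraps rows for a peer: self-authored ops go out unvouched (the receiver
// verifies them), rows this peer has verified are re-vouched with its own key, and rows
// still holding the '' default are sent unvouched.
func GenerateDelta(rows []StoredOp, selfPub string) []DeltaOperation {
	out := make([]DeltaOperation, 0, len(rows))
	for _, r := range rows {
		d := DeltaOperation{Op: r.Op}
		if r.Op.AuthorKey != selfPub && r.VerifiedBy != "" {
			d.VerifiedBy = selfPub
		}
		out = append(out, d)
	}
	return out
}

func newIdentity() (string, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(pub), priv
}

// RelayChain runs the A -> B -> C scenario: A authors and signs an op, B verifies it and
// re-vouches it to the receiver C, while a tampered copy and an unvouched relay are rejected.
func RelayChain() (errAtB, errAtC, errTampered, errUnvouched error) {
	aPub, aPriv := newIdentity()
	bPub, _ := newIdentity()
	payload := []byte(`{"note":1,"set":{"title":"hello"}}`) // constructed sample payload
	op := Operation{AuthorKey: aPub, Payload: payload, Signature: ed25519.Sign(aPriv, payload)}
	fromA := GenerateDelta([]StoredOp{{Op: op, VerifiedBy: aPub}}, aPub) // A stamps its own key
	verifiedBy, errAtB := ApplyIncomingOperation(fromA[0], aPub)         // B checks A's signature
	fromB := GenerateDelta([]StoredOp{{Op: op, VerifiedBy: verifiedBy}}, bPub) // B re-vouches for C
	_, errAtC = ApplyIncomingOperation(fromB[0], bPub)
	bad := op
	bad.Payload = []byte(`{"note":1,"set":{"title":"pwned"}}`) // signature no longer matches
	_, errTampered = ApplyIncomingOperation(DeltaOperation{Op: bad}, aPub)
	legacy := GenerateDelta([]StoredOp{{Op: op, VerifiedBy: ""}}, bPub) // '' default: no vouch
	_, errUnvouched = ApplyIncomingOperation(legacy[0], bPub)
	return
}

func main() {
	fmt.Println(RelayChain())
}
```

Two points worth checking against the real implementation follow from the rules as stated. A vouch is a bare key string with no signature of its own, so its assurance rests entirely on the transport authenticating the sender's identity, which the PR text does not describe. And rows that still carry the '' migration default are relayed without a vouch, so a receiver applying this policy rejects them unless the sender is also their author.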
Test plan
- cargo test -p krillnotes-core
- npx tsc --noEmit
- cargo fmt --check