Skip to content

fix(auth): bind delete state in versioned op signatures#157

Open
marcus-pousette wants to merge 1 commit into
fix/sqlite-storage-known-statefrom
auth/op-authored-at-claims
Open

fix(auth): bind delete state in versioned op signatures#157
marcus-pousette wants to merge 1 commit into
fix/sqlite-storage-known-statefrom
auth/op-authored-at-claims

Conversation

@marcus-pousette

@marcus-pousette marcus-pousette commented May 21, 2026

Copy link
Copy Markdown
Collaborator

Problem

Defensive deletes use meta.knownState to decide which unseen descendant changes restore a subtree. Signature v1 does not cover those bytes, so an untrusted relay could change or remove them without invalidating the signature.

What changes

  • Ordinary operations continue using the unchanged v1 signature.
  • Delete and tombstone operations automatically use v2; the operation kind selects the version, so a relay cannot remove a version flag.
  • V2 signs an explicit presence tag, byte length, and exact knownState bytes.
  • Deletes require non-empty canonical version-vector JSON.
  • Tombstones use v2's explicit absent-state form.
  • Non-delete operations reject non-empty knownState.
  • Deprecated public v1 sign/verify helpers fail closed for delete and tombstone operations.
  • The raw v1 input encoder remains available for vectors and migration tooling.

Upgraded verifiers intentionally reject historical v1 delete/tombstone signatures because their causal state was never authenticated. Ordinary v1 operations remain compatible.

Fast paths

  • Ordinary operations use exactly the existing v1 bytes and verification path.
  • Only defensive-delete operations parse and validate canonical knownState.
  • Generic signTreecrdtOp and verifyTreecrdtOp select the correct version automatically.

Scope and debloating

This rewrite removes the unrelated authored-time claims, protobuf changes, and proof-store schema changes from the original PR. The focused diff is 7 files, +372/-10.

Tests

  • stable v1 and v2 signature vectors
  • add/remove/mutate knownState invalidates signatures
  • non-canonical persistent encodings are rejected
  • delete/tombstone cannot use v1
  • ordinary v1 signing and authenticated sync remain compatible

Stack

Stacked on #200, which preserves the exact defensive-delete state through SQLite persistence and reopen.

@marcus-pousette marcus-pousette force-pushed the auth/op-authored-at-claims branch from 451ff04 to 523a530 Compare May 21, 2026 15:26
@marcus-pousette marcus-pousette changed the base branch from auth/session-options-cleanup to main May 21, 2026 15:26
@marcus-pousette marcus-pousette marked this pull request as ready for review May 21, 2026 15:31
@marcus-pousette marcus-pousette force-pushed the auth/op-authored-at-claims branch from 0a731d9 to 7ac06a4 Compare July 11, 2026 20:14
@marcus-pousette marcus-pousette changed the title Add signed op auth authoredAt claims fix(auth): bind delete state in versioned op signatures Jul 11, 2026
@marcus-pousette marcus-pousette force-pushed the auth/op-authored-at-claims branch 2 times, most recently from 87b2ba2 to ac53060 Compare July 11, 2026 20:38
@marcus-pousette marcus-pousette added bug Something isn't working area:auth Authorization, capabilities, proofs, signatures, crypto, and privacy area:sync Sync protocol, reconciliation, transport, discovery, and sync servers labels Jul 12, 2026
@marcus-pousette marcus-pousette force-pushed the auth/op-authored-at-claims branch from ac53060 to 879801d Compare July 12, 2026 12:18
@marcus-pousette marcus-pousette changed the base branch from main to fix/sqlite-storage-known-state July 12, 2026 12:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:auth Authorization, capabilities, proofs, signatures, crypto, and privacy area:sync Sync protocol, reconciliation, transport, discovery, and sync servers bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant