feat: Phase 5b — local network sync (mDNS + SPAKE2 + WebSocket transport)

Adds local network device sync with privacy-first design:
- SPAKE2 password-authenticated key exchange for device pairing
- mDNS service discovery (_aurus-sync._tcp.local.)
- WebSocket transport with encrypted sync loop
- Encrypted device info exchange after pairing
- Transport wired into SyncManager with auto-discovery
- New commands: sync_update_transcript, sync_update_agent_result
- Frontend: sync-disconnected/sync-error event handling

32 Rust tests + 53 frontend tests passing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Oliver Baer

.memory/letter_20260206_0005.md

@@ -0,0 +1,54 @@
+# Letter to Myself (Session Handoff)
+
+**Date:** 2026-02-06 ~08:20 UTC
+
+## 1. Executive Summary
+* **Goal:** Implement Phase 5b — local network sync (mDNS + SPAKE2+ + WebSocket transport) for privacy-first ephemeral device sync
+* **Current Status:** Phase 5b fully complete and compiling. 32 Rust tests + 53 frontend tests all passing. Ready to commit, then start Phase 5d (security hardening).
+
+## 2. The "Done" List (Context Anchor)
+* Created `src-tauri/src/sync/pairing.rs` — SPAKE2 key exchange (PairingCreator/PairingJoiner, 3 tests)
+* Created `src-tauri/src/sync/discovery.rs` — mDNS announcement/browsing via mdns-sd 0.17 (1 test)
+* Created `src-tauri/src/sync/transport.rs` — WebSocket transport with SPAKE2 handshake, encrypted device info exchange, sync loop (4 tests)
+* Rewrote `src-tauri/src/sync/mod.rs` — wired transport+discovery into SyncManager:
+  - `SyncState.doc` → `Arc<Mutex<SyncDocument>>` for sharing with transport tasks
+  - Added `transport: Option<TransportHandle>`, `discovery: Option<SyncDiscovery>`
+  - `create_sync_session` starts WS server + mDNS announcement
+  - `join_sync_session` spawns mDNS discovery → auto-connect with 30s timeout
+  - `leave_sync_session` drops transport (triggers goodbye) + unannounces mDNS
+  - New commands: `sync_update_transcript`, `sync_update_agent_result`
+* Updated `src-tauri/src/lib.rs` — registered 2 new sync commands
+* Updated `app/hooks/useSync.ts` — added `sync-disconnected`/`sync-error` listeners, `syncTranscript()` and `syncAgentResult()` actions
+* Updated MEMORY.md with mdns-sd 0.17, SPAKE2, async-tungstenite gotchas
+
+## 3. The "Pain" Log (CRITICAL)
+* **Tried:** `accept_async(TokioAdapter::new(stream))` in transport.rs
+* **Failed:** Double-wrap error — `async_tungstenite::tokio::accept_async` already wraps in TokioAdapter internally
+* **Workaround:** Pass `stream` directly to `accept_async(stream)`
+
+* **Tried:** `peer_from_service_info(info: &ServiceInfo)` for mDNS resolved services
+* **Failed:** mdns-sd 0.17 `ServiceEvent::ServiceResolved` wraps `Box<ResolvedService>` NOT `ServiceInfo`
+* **Workaround:** Renamed to `peer_from_resolved_service(info: &ResolvedService)`, use public fields directly (`info.port`, `info.addresses`, `info.txt_properties`)
+
+* **Tried:** `daemon.shutdown()` expecting `Result<(), _>`
+* **Failed:** Returns `Result<Receiver<DaemonStatus>, _>` not `Result<(), _>`
+* **Workaround:** Add `?; Ok(())` to discard the receiver
+
+* **Tried:** Calling `creator.finish(&joiner.outbound_msg)` then `joiner.finish(&creator.outbound_msg)` in tests
+* **Failed:** `finish()` consumes `self`, so `creator.outbound_msg` is moved
+* **Workaround:** Save `outbound_msg.clone()` before calling `finish()`
+
+## 4. Active Variable State
+* Cargo deps: yrs 0.21, ring 0.17, rand 0.8, spake2 0.4, mdns-sd 0.17, uuid 1 (v4+serde)
+* Git: Phase 5a committed as `031c7df` on main. Phase 5b changes unstaged.
+* Test counts: 32 Rust, 53 frontend = 85 total
+* Sync modules: mod.rs, document.rs, encryption.rs, pairing.rs, discovery.rs, transport.rs
+
+## 5. Immediate Next Steps
+1. [ ] Commit Phase 5b changes
+2. [ ] Start Phase 5d: security hardening
+   - [ ] Heartbeat every 5s, disconnect after 15s missing
+   - [ ] Session timeout (4h max, warning at 3h45m)
+   - [ ] Forward secrecy: HKDF key ratchet every 30 minutes
+   - [ ] Mobile background survival (foreground service / audio mode)
+3. [ ] After 5d: Phase 5c (cross-network WebRTC with signaling relay)

app/hooks/useSync.ts

@@ -116,6 +116,28 @@ export function useSync() {
           }
         );
         listeners.push(unlistenSnapshot);
+
+        // Listen for unexpected disconnects
+        const unlistenDisconnect = await listen<void>(
+          'sync-disconnected',
+          () => {
+            setSyncStatus('disconnected');
+            setPairingCode(null);
+            setPairedDeviceName(null);
+            setSyncPeer(null);
+          }
+        );
+        listeners.push(unlistenDisconnect);
+
+        // Listen for sync errors
+        const unlistenError = await listen<string>(
+          'sync-error',
+          (event) => {
+            console.error('Sync error:', event.payload);
+            setSyncStatus('disconnected');
+          }
+        );
+        listeners.push(unlistenError);
       } catch (error) {
         console.log('Sync events not available:', error);
       }
@@ -176,5 +198,23 @@ export function useSync() {
     }
   }, []);
 
-  return { createSession, joinSession, leaveSession };
+  const syncTranscript = useCallback(async (transcript: string): Promise<void> => {
+    try {
+      const { invoke } = await import('@tauri-apps/api/core');
+      await invoke('sync_update_transcript', { transcript });
+    } catch {
+      // Silently ignore — sync may not be connected
+    }
+  }, []);
+
+  const syncAgentResult = useCallback(async (agent: string, result: string): Promise<void> => {
+    try {
+      const { invoke } = await import('@tauri-apps/api/core');
+      await invoke('sync_update_agent_result', { agent, result });
+    } catch {
+      // Silently ignore
+    }
+  }, []);
+
+  return { createSession, joinSession, leaveSession, syncTranscript, syncAgentResult };
 }

src-tauri/Cargo.lock

@@ -42,6 +42,12 @@ yrs = "0.21"
 ring = "0.17"
 rand = "0.8"
 
+# Pairing (SPAKE2 password-authenticated key exchange)
+spake2 = "0.4"
+
+# Local network discovery
+mdns-sd = "0.17"
+
 # Identifiers
 uuid = { version = "1", features = ["v4", "serde"] }
 

src-tauri/Cargo.toml

@@ -154,6 +154,8 @@ pub fn run() {
             sync::leave_sync_session,
             sync::get_sync_status,
             sync::get_pairing_code,
+            sync::sync_update_transcript,
+            sync::sync_update_agent_result,
         ])
         .run(tauri::generate_context!())
         .expect("error while running tauri application");