
SB-992: add auth_challenge/auth_response protocol messages#19

Merged
rbonestell merged 3 commits into main from fix/SB-992-prove-peer-key-possession on Jun 17, 2026

Conversation

@rbonestell

Contributor

Summary

Resolves SB-992 (security finding A4) — shared protocol piece.

Adds the two wire-protocol messages for the connect-time key-possession handshake used by the agent and mobile app.

Changes

  • AuthChallengeEvent { type: 'auth_challenge', nonce: string } (host → mobile).
  • AuthResponseRequest { type: 'auth_response', mac: string } (mobile → host).
  • nonce and mac are base64 strings, bounded by MAX_AUTH_BLOB_LENGTH (128) and validated in decode.
  • Note documents the deliberate isRequest asymmetry: the security gate lives on the agent (Go IsRequest excludes auth_response); the mobile never decodes or re-sends it.

Test Plan

  • npm test — round-trip + validation tests pass (incl. new auth_challenge/auth_response cases).

Cross-repo

Consumed by pocketmux-mobile; mirrored manually in pmux-agent.
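The PR text describes the two handshake messages and the decode-time checks (base64, bounded by MAX_AUTH_BLOB_LENGTH of 128) but shows no code. Below is an added example, written for this page and not pocketmux's own decoder, of what such a validating decode looks like on the receiving side. The message shapes, field names and the 128-character bound are taken from the PR description; the function names, the `Result` type, the strict standard-base64 rule, and the `receiver` parameter that models the direction asymmetry (mobile only ever receives auth_challenge, the host only ever receives auth_response) are this example's own assumptions.

```typescript
// Added example (not pocketmux's code): decode and validate the SB-992
// handshake messages. Shapes and the 128-char bound come from the PR text;
// everything else here is an assumption made for illustration.

export const MAX_AUTH_BLOB_LENGTH = 128;

export interface AuthChallengeEvent {
  type: "auth_challenge";
  nonce: string; // base64, host -> mobile
}

export interface AuthResponseRequest {
  type: "auth_response";
  mac: string; // base64, mobile -> host
}

export type HandshakeMessage = AuthChallengeEvent | AuthResponseRequest;

// Which side is decoding: each side only ever receives one of the two
// message types, so the other is rejected outright (assumed modelling of
// the isRequest asymmetry noted in the PR).
export type Receiver = "host" | "mobile";

export type DecodeResult =
  | { ok: true; msg: HandshakeMessage }
  | { ok: false; error: string };

// Strict standard base64: whole 4-char groups, at most one padded final group.
const BASE64_RE =
  /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// A nonce or mac must be a non-empty base64 string within the length bound.
// The length check runs before the regex so an oversized blob never reaches
// the pattern matcher.
export function isValidAuthBlob(value: unknown): value is string {
  return (
    typeof value === "string" &&
    value.length > 0 &&
    value.length <= MAX_AUTH_BLOB_LENGTH &&
    BASE64_RE.test(value)
  );
}

function fail(error: string): DecodeResult {
  return { ok: false, error };
}

// Parse one raw wire frame for the given receiver and return either a typed
// message or the reason it was rejected. Only the declared fields are copied
// out, so unexpected extra fields are dropped rather than forwarded.
export function decodeHandshakeMessage(raw: string, receiver: Receiver): DecodeResult {
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return fail("invalid JSON");
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    return fail("message is not an object");
  }
  const obj = parsed as Record<string, unknown>;
  const type = obj.type;

  if (type === "auth_challenge") {
    if (receiver !== "mobile") {
      return fail("auth_challenge is only accepted by the mobile side");
    }
    const nonce = obj.nonce;
    if (!isValidAuthBlob(nonce)) {
      return fail("auth_challenge: nonce must be base64, 1..128 chars");
    }
    return { ok: true, msg: { type: "auth_challenge", nonce } };
  }

  if (type === "auth_response") {
    if (receiver !== "host") {
      return fail("auth_response is only accepted by the host side");
    }
    const mac = obj.mac;
    if (!isValidAuthBlob(mac)) {
      return fail("auth_response: mac must be base64, 1..128 chars");
    }
    return { ok: true, msg: { type: "auth_response", mac } };
  }

  return fail(`unknown message type: ${String(type)}`);
}
```

Returning a result object rather than throwing keeps the rejection reason available for logging at the transport layer without letting a malformed frame unwind the connection handler; the receiver parameter is what makes "the mobile never decodes auth_response" a property of the decoder rather than of its callers.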

@snyk-io

snyk-io Bot commented Jun 17, 2026


Snyk checks have passed. No issues have been found so far.

Status | Scan Engine          | Critical | High | Medium | Low | Total
passed | Open Source Security | 0        | 0    | 0      | 0   | 0 issues
passed | Code Security        | 0        | 0    | 0      | 0   | 0 issues


@codecov-commenter


Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️

@rbonestell rbonestell merged commit 780573f into main Jun 17, 2026
6 checks passed
@rbonestell rbonestell deleted the fix/SB-992-prove-peer-key-possession branch June 17, 2026 15:08