@cryptiklemur/lattice 1.32.1 → 1.33.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cryptiklemur/lattice",
-  "version": "1.32.1",
+  "version": "1.33.0",
   "description": "Multi-machine agentic dashboard for Claude Code. Monitor sessions, manage MCP servers and skills, orchestrate across mesh-networked nodes.",
   "license": "MIT",
   "author": "Aaron Scherer <me@aaronscherer.me>",

package/server/src/handlers/mesh.ts

@@ -111,6 +111,7 @@ registerHandler("mesh", function (clientId: string, message: ClientMessage) {
         type: "mesh:hello",
         nodeId: identity.id,
         name: pairConfig.name,
+        publicKey: identity.publicKey,
         token: parsed!.token,
         port: pairConfig.port,
         addresses: getAllAddresses().map(function (a) { return a.address + ":" + pairConfig.port; }),
@@ -120,7 +121,7 @@ registerHandler("mesh", function (clientId: string, message: ClientMessage) {
 
     pairWs.addEventListener("message", function (event: MessageEvent) {
       try {
-        var data = JSON.parse(event.data as string) as { type: string; nodeId?: string; name?: string; error?: string };
+        var data = JSON.parse(event.data as string) as { type: string; nodeId?: string; name?: string; publicKey?: string; error?: string };
 
         if (data.type === "mesh:hello_rejected") {
           clearTimeout(pairTimeout);
@@ -136,7 +137,7 @@ registerHandler("mesh", function (clientId: string, message: ClientMessage) {
             id: data.nodeId,
             name: data.name,
             addresses: [peerAddr],
-            publicKey: "",
+            publicKey: data.publicKey ?? "",
             pairedAt: Date.now(),
           };
           addPeer(peer);
@@ -170,16 +171,21 @@ registerHandler("mesh", function (clientId: string, message: ClientMessage) {
   }
 
   if ((message as any).type === "mesh:hello") {
-    var hello = message as any as { type: "mesh:hello"; nodeId: string; name: string; token?: string; port?: number; addresses?: string[]; projects: Array<{ slug: string; title: string }> };
+    var hello = message as any as { type: "mesh:hello"; nodeId: string; name: string; publicKey?: string; token?: string; port?: number; addresses?: string[]; projects: Array<{ slug: string; title: string }> };
 
     var knownPeer = hello.nodeId ? getPeer(hello.nodeId) : undefined;
 
     if (knownPeer) {
+      if (knownPeer.publicKey && hello.publicKey && knownPeer.publicKey !== hello.publicKey) {
+        sendTo(clientId, { type: "mesh:hello_rejected" as any, error: "Public key mismatch — possible impersonation" });
+        return;
+      }
       var identity = loadOrCreateIdentity();
       sendTo(clientId, {
         type: "mesh:hello" as any,
         nodeId: identity.id,
         name: loadConfig().name,
+        publicKey: identity.publicKey,
         projects: [],
       });
       broadcast({ type: "mesh:nodes", nodes: buildNodesMessage() });
@@ -198,7 +204,7 @@ registerHandler("mesh", function (clientId: string, message: ClientMessage) {
       id: hello.nodeId,
       name: hello.name,
       addresses: peerAddresses,
-      publicKey: "",
+      publicKey: hello.publicKey ?? "",
       pairedAt: Date.now(),
     };
     addPeer(peer);
@@ -212,6 +218,7 @@ registerHandler("mesh", function (clientId: string, message: ClientMessage) {
       type: "mesh:hello" as any,
       nodeId: identity2.id,
       name: loadConfig().name,
+      publicKey: identity2.publicKey,
       projects: [],
     });
 

package/server/src/identity.ts

@@ -1,10 +1,12 @@
 import { existsSync, readFileSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
-import { randomUUID } from "node:crypto";
+import { randomUUID, generateKeyPairSync } from "node:crypto";
 import { getLatticeHome } from "./config";
 
 interface NodeIdentity {
   id: string;
+  publicKey: string;
+  privateKey: string;
   createdAt: number;
 }
 
@@ -15,12 +17,38 @@ export function getIdentityPath(): string {
 export function loadOrCreateIdentity(): NodeIdentity {
   var path = getIdentityPath();
   if (existsSync(path)) {
-    return JSON.parse(readFileSync(path, "utf-8")) as NodeIdentity;
+    var stored = JSON.parse(readFileSync(path, "utf-8")) as NodeIdentity;
+    if (stored.publicKey && stored.privateKey) {
+      return stored;
+    }
+    var keys = generateEd25519Keypair();
+    stored.publicKey = keys.publicKey;
+    stored.privateKey = keys.privateKey;
+    writeFileSync(path, JSON.stringify(stored, null, 2), "utf-8");
+    return stored;
   }
+  var keys = generateEd25519Keypair();
   var identity: NodeIdentity = {
     id: randomUUID(),
+    publicKey: keys.publicKey,
+    privateKey: keys.privateKey,
     createdAt: Date.now(),
   };
   writeFileSync(path, JSON.stringify(identity, null, 2), "utf-8");
   return identity;
 }
+
+function generateEd25519Keypair(): { publicKey: string; privateKey: string } {
+  var pair = generateKeyPairSync("ed25519", {
+    publicKeyEncoding: { type: "spki", format: "der" },
+    privateKeyEncoding: { type: "pkcs8", format: "der" },
+  });
+  return {
+    publicKey: Buffer.from(pair.publicKey).toString("base64"),
+    privateKey: Buffer.from(pair.privateKey).toString("base64"),
+  };
+}
+
+export function getPublicKey(): string {
+  return loadOrCreateIdentity().publicKey;
+}

package/server/src/mesh/connector.ts

@@ -138,10 +138,11 @@ function openConnection(conn: PeerConnection, url: string): void {
     var config = loadConfig();
     var projects = listProjects(identity.id);
 
-    var hello: MeshHelloMessage = {
+    var hello: MeshHelloMessage & { publicKey?: string } = {
       type: "mesh:hello",
       nodeId: identity.id,
       name: config.name,
+      publicKey: identity.publicKey,
       projects: projects.map(function (p) {
         return { slug: p.slug, title: p.title };
       }),

package/server/src/mesh/crypto.ts

@@ -0,0 +1,106 @@
+import { createSign, createVerify, randomBytes, createCipheriv, createDecipheriv, createHash, diffieHellman, generateKeyPairSync, createPublicKey, createPrivateKey } from "node:crypto";
+
+export function sign(privateKeyBase64: string, data: Buffer): string {
+  var privateKeyDer = Buffer.from(privateKeyBase64, "base64");
+  var key = createPrivateKey({ key: privateKeyDer, format: "der", type: "pkcs8" });
+  var signer = createSign("ed25519");
+  signer.update(data);
+  return signer.sign(key).toString("base64");
+}
+
+export function verify(publicKeyBase64: string, data: Buffer, signatureBase64: string): boolean {
+  try {
+    var publicKeyDer = Buffer.from(publicKeyBase64, "base64");
+    var key = createPublicKey({ key: publicKeyDer, format: "der", type: "spki" });
+    var verifier = createVerify("ed25519");
+    verifier.update(data);
+    return verifier.verify(key, Buffer.from(signatureBase64, "base64"));
+  } catch {
+    return false;
+  }
+}
+
+export function generateChallenge(): string {
+  return randomBytes(32).toString("base64");
+}
+
+export interface EphemeralKeys {
+  publicKey: string;
+  privateKey: Buffer;
+}
+
+export function generateEphemeralKeys(): EphemeralKeys {
+  var pair = generateKeyPairSync("x25519", {
+    publicKeyEncoding: { type: "spki", format: "der" },
+    privateKeyEncoding: { type: "pkcs8", format: "der" },
+  });
+  return {
+    publicKey: Buffer.from(pair.publicKey).toString("base64"),
+    privateKey: Buffer.from(pair.privateKey),
+  };
+}
+
+export function deriveSharedSecret(myPrivateKeyDer: Buffer, theirPublicKeyBase64: string, nodeIdA: string, nodeIdB: string): Buffer {
+  var myKey = createPrivateKey({ key: myPrivateKeyDer, format: "der", type: "pkcs8" });
+  var theirKey = createPublicKey({ key: Buffer.from(theirPublicKeyBase64, "base64"), format: "der", type: "spki" });
+
+  var shared = diffieHellman({ privateKey: myKey, publicKey: theirKey });
+
+  var sortedIds = [nodeIdA, nodeIdB].sort().join(":");
+  var hash = createHash("sha256");
+  hash.update(shared);
+  hash.update(Buffer.from("lattice-mesh-v1:" + sortedIds));
+  return hash.digest();
+}
+
+export function encrypt(key: Buffer, nonce: number, plaintext: string): { ciphertext: string; tag: string } {
+  var iv = Buffer.alloc(12);
+  iv.writeBigUInt64BE(BigInt(nonce), 4);
+  var cipher = createCipheriv("aes-256-gcm", key, iv);
+  var encrypted = Buffer.concat([cipher.update(plaintext, "utf-8"), cipher.final()]);
+  return {
+    ciphertext: encrypted.toString("base64"),
+    tag: cipher.getAuthTag().toString("base64"),
+  };
+}
+
+export function decrypt(key: Buffer, nonce: number, ciphertext: string, tag: string): string | null {
+  try {
+    var iv = Buffer.alloc(12);
+    iv.writeBigUInt64BE(BigInt(nonce), 4);
+    var decipher = createDecipheriv("aes-256-gcm", key, iv);
+    decipher.setAuthTag(Buffer.from(tag, "base64"));
+    var decrypted = Buffer.concat([decipher.update(Buffer.from(ciphertext, "base64")), decipher.final()]);
+    return decrypted.toString("utf-8");
+  } catch {
+    return null;
+  }
+}
+
+export interface SecureSession {
+  sharedKey: Buffer;
+  sendNonce: number;
+  recvNonce: number;
+}
+
+export function createSecureSession(sharedKey: Buffer): SecureSession {
+  return { sharedKey, sendNonce: 0, recvNonce: 0 };
+}
+
+export function encryptMessage(session: SecureSession, message: object): { type: "mesh:encrypted"; nonce: number; ciphertext: string; tag: string } {
+  session.sendNonce++;
+  var result = encrypt(session.sharedKey, session.sendNonce, JSON.stringify(message));
+  return { type: "mesh:encrypted", nonce: session.sendNonce, ...result };
+}
+
+export function decryptMessage(session: SecureSession, nonce: number, ciphertext: string, tag: string): object | null {
+  if (nonce <= session.recvNonce) return null;
+  var plaintext = decrypt(session.sharedKey, nonce, ciphertext, tag);
+  if (!plaintext) return null;
+  session.recvNonce = nonce;
+  try {
+    return JSON.parse(plaintext);
+  } catch {
+    return null;
+  }
+}