npm - gitspace - Versions diffs - 0.2.0-rc.2 → 0.2.0-rc.21 - Mend

gitspace 0.2.0-rc.2 → 0.2.0-rc.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (316) hide show

package/README.md +68 -38
package/package.json +36 -25
package/.claude/settings.local.json +0 -21
package/.gitspace/bundle.json +0 -50
package/.gitspace/select/01-status.sh +0 -40
package/.gitspace/setup/01-install-deps.sh +0 -12
package/.gitspace/setup/02-typecheck.sh +0 -16
package/AGENTS.md +0 -439
package/CLAUDE.md +0 -1
package/bun.lock +0 -647
package/docs/CONNECTION.md +0 -623
package/docs/GATEWAY-WORKER.md +0 -319
package/docs/GETTING-STARTED.md +0 -448
package/docs/GITSPACE-PLATFORM.md +0 -1819
package/docs/INFRASTRUCTURE.md +0 -1347
package/docs/PROTOCOL.md +0 -619
package/docs/QUICKSTART.md +0 -174
package/docs/RELAY.md +0 -327
package/docs/REMOTE-DESIGN.md +0 -549
package/docs/ROADMAP.md +0 -564
package/docs/SITE_DOCS_FIGMA_MAKE.md +0 -1167
package/docs/STACK-DESIGN.md +0 -588
package/docs/UNIFIED_ARCHITECTURE.md +0 -292
package/experiments/pty-benchmark.ts +0 -148
package/experiments/pty-latency.ts +0 -100
package/experiments/router/client.ts +0 -199
package/experiments/router/protocol.ts +0 -74
package/experiments/router/router.ts +0 -217
package/experiments/router/session.ts +0 -180
package/experiments/router/test.ts +0 -133
package/experiments/socket-bandwidth.ts +0 -77
package/homebrew/gitspace.rb +0 -45
package/landing-page/ATTRIBUTIONS.md +0 -3
package/landing-page/README.md +0 -11
package/landing-page/bun.lock +0 -801
package/landing-page/guidelines/Guidelines.md +0 -61
package/landing-page/index.html +0 -37
package/landing-page/package.json +0 -90
package/landing-page/postcss.config.mjs +0 -15
package/landing-page/public/_redirects +0 -1
package/landing-page/public/favicon.png +0 -0
package/landing-page/src/app/App.tsx +0 -53
package/landing-page/src/app/components/figma/ImageWithFallback.tsx +0 -27
package/landing-page/src/app/components/ui/accordion.tsx +0 -66
package/landing-page/src/app/components/ui/alert-dialog.tsx +0 -157
package/landing-page/src/app/components/ui/alert.tsx +0 -66
package/landing-page/src/app/components/ui/aspect-ratio.tsx +0 -11
package/landing-page/src/app/components/ui/avatar.tsx +0 -53
package/landing-page/src/app/components/ui/badge.tsx +0 -46
package/landing-page/src/app/components/ui/breadcrumb.tsx +0 -109
package/landing-page/src/app/components/ui/button.tsx +0 -57
package/landing-page/src/app/components/ui/calendar.tsx +0 -75
package/landing-page/src/app/components/ui/card.tsx +0 -92
package/landing-page/src/app/components/ui/carousel.tsx +0 -241
package/landing-page/src/app/components/ui/chart.tsx +0 -353
package/landing-page/src/app/components/ui/checkbox.tsx +0 -32
package/landing-page/src/app/components/ui/collapsible.tsx +0 -33
package/landing-page/src/app/components/ui/command.tsx +0 -177
package/landing-page/src/app/components/ui/context-menu.tsx +0 -252
package/landing-page/src/app/components/ui/dialog.tsx +0 -135
package/landing-page/src/app/components/ui/drawer.tsx +0 -132
package/landing-page/src/app/components/ui/dropdown-menu.tsx +0 -257
package/landing-page/src/app/components/ui/form.tsx +0 -168
package/landing-page/src/app/components/ui/hover-card.tsx +0 -44
package/landing-page/src/app/components/ui/input-otp.tsx +0 -77
package/landing-page/src/app/components/ui/input.tsx +0 -21
package/landing-page/src/app/components/ui/label.tsx +0 -24
package/landing-page/src/app/components/ui/menubar.tsx +0 -276
package/landing-page/src/app/components/ui/navigation-menu.tsx +0 -168
package/landing-page/src/app/components/ui/pagination.tsx +0 -127
package/landing-page/src/app/components/ui/popover.tsx +0 -48
package/landing-page/src/app/components/ui/progress.tsx +0 -31
package/landing-page/src/app/components/ui/radio-group.tsx +0 -45
package/landing-page/src/app/components/ui/resizable.tsx +0 -56
package/landing-page/src/app/components/ui/scroll-area.tsx +0 -58
package/landing-page/src/app/components/ui/select.tsx +0 -189
package/landing-page/src/app/components/ui/separator.tsx +0 -28
package/landing-page/src/app/components/ui/sheet.tsx +0 -139
package/landing-page/src/app/components/ui/sidebar.tsx +0 -726
package/landing-page/src/app/components/ui/skeleton.tsx +0 -13
package/landing-page/src/app/components/ui/slider.tsx +0 -63
package/landing-page/src/app/components/ui/sonner.tsx +0 -25
package/landing-page/src/app/components/ui/switch.tsx +0 -31
package/landing-page/src/app/components/ui/table.tsx +0 -116
package/landing-page/src/app/components/ui/tabs.tsx +0 -66
package/landing-page/src/app/components/ui/textarea.tsx +0 -18
package/landing-page/src/app/components/ui/toggle-group.tsx +0 -73
package/landing-page/src/app/components/ui/toggle.tsx +0 -47
package/landing-page/src/app/components/ui/tooltip.tsx +0 -61
package/landing-page/src/app/components/ui/use-mobile.ts +0 -21
package/landing-page/src/app/components/ui/utils.ts +0 -6
package/landing-page/src/components/docs/DocsContent.tsx +0 -718
package/landing-page/src/components/docs/DocsSidebar.tsx +0 -84
package/landing-page/src/components/landing/CTA.tsx +0 -59
package/landing-page/src/components/landing/Comparison.tsx +0 -84
package/landing-page/src/components/landing/FaultyTerminal.tsx +0 -424
package/landing-page/src/components/landing/Features.tsx +0 -201
package/landing-page/src/components/landing/Hero.tsx +0 -142
package/landing-page/src/components/landing/Pricing.tsx +0 -140
package/landing-page/src/components/landing/Roadmap.tsx +0 -86
package/landing-page/src/components/landing/Security.tsx +0 -81
package/landing-page/src/components/landing/TerminalWindow.tsx +0 -27
package/landing-page/src/components/landing/UseCases.tsx +0 -55
package/landing-page/src/components/landing/Workflow.tsx +0 -101
package/landing-page/src/components/layout/DashboardNavbar.tsx +0 -37
package/landing-page/src/components/layout/Footer.tsx +0 -55
package/landing-page/src/components/layout/LandingNavbar.tsx +0 -82
package/landing-page/src/components/ui/badge.tsx +0 -39
package/landing-page/src/components/ui/breadcrumb.tsx +0 -115
package/landing-page/src/components/ui/button.tsx +0 -57
package/landing-page/src/components/ui/card.tsx +0 -79
package/landing-page/src/components/ui/mock-terminal.tsx +0 -68
package/landing-page/src/components/ui/separator.tsx +0 -28
package/landing-page/src/lib/utils.ts +0 -6
package/landing-page/src/main.tsx +0 -10
package/landing-page/src/pages/Dashboard.tsx +0 -133
package/landing-page/src/pages/DocsPage.tsx +0 -79
package/landing-page/src/pages/LandingPage.tsx +0 -31
package/landing-page/src/pages/TerminalView.tsx +0 -106
package/landing-page/src/styles/fonts.css +0 -0
package/landing-page/src/styles/index.css +0 -3
package/landing-page/src/styles/tailwind.css +0 -4
package/landing-page/src/styles/theme.css +0 -181
package/landing-page/vite.config.ts +0 -19
package/npm/darwin-arm64/bin/gssh +0 -0
package/npm/darwin-arm64/package.json +0 -20
package/scripts/build.ts +0 -298
package/scripts/release.ts +0 -140
package/src/__tests__/test-utils.ts +0 -298
package/src/commands/__tests__/serve-messages.test.ts +0 -190
package/src/commands/access.ts +0 -298
package/src/commands/add.ts +0 -452
package/src/commands/auth.ts +0 -364
package/src/commands/connect.ts +0 -287
package/src/commands/directory.ts +0 -16
package/src/commands/host.ts +0 -396
package/src/commands/identity.ts +0 -184
package/src/commands/list.ts +0 -200
package/src/commands/relay.ts +0 -315
package/src/commands/remove.ts +0 -241
package/src/commands/serve.ts +0 -1493
package/src/commands/share.ts +0 -456
package/src/commands/status.ts +0 -125
package/src/commands/switch.ts +0 -353
package/src/commands/tmux.ts +0 -317
package/src/core/__tests__/access.test.ts +0 -240
package/src/core/access.ts +0 -277
package/src/core/bundle.ts +0 -342
package/src/core/config.ts +0 -510
package/src/core/git.ts +0 -317
package/src/core/github.ts +0 -151
package/src/core/identity.ts +0 -631
package/src/core/linear.ts +0 -225
package/src/core/shell.ts +0 -161
package/src/core/trusted-relays.ts +0 -315
package/src/index.ts +0 -810
package/src/lib/remote-session/index.ts +0 -7
package/src/lib/remote-session/protocol.ts +0 -267
package/src/lib/remote-session/session-handler.ts +0 -581
package/src/lib/remote-session/workspace-scanner.ts +0 -167
package/src/lib/tmux-lite/README.md +0 -81
package/src/lib/tmux-lite/cli.ts +0 -796
package/src/lib/tmux-lite/crypto/__tests__/helpers/handshake-runner.ts +0 -349
package/src/lib/tmux-lite/crypto/__tests__/helpers/mock-relay.ts +0 -291
package/src/lib/tmux-lite/crypto/__tests__/helpers/test-identities.ts +0 -142
package/src/lib/tmux-lite/crypto/__tests__/integration/authorization.integration.test.ts +0 -339
package/src/lib/tmux-lite/crypto/__tests__/integration/e2e-communication.integration.test.ts +0 -477
package/src/lib/tmux-lite/crypto/__tests__/integration/error-handling.integration.test.ts +0 -499
package/src/lib/tmux-lite/crypto/__tests__/integration/handshake.integration.test.ts +0 -371
package/src/lib/tmux-lite/crypto/__tests__/integration/security.integration.test.ts +0 -573
package/src/lib/tmux-lite/crypto/access-control.test.ts +0 -512
package/src/lib/tmux-lite/crypto/access-control.ts +0 -320
package/src/lib/tmux-lite/crypto/frames.test.ts +0 -262
package/src/lib/tmux-lite/crypto/frames.ts +0 -141
package/src/lib/tmux-lite/crypto/handshake.ts +0 -894
package/src/lib/tmux-lite/crypto/identity.test.ts +0 -220
package/src/lib/tmux-lite/crypto/identity.ts +0 -286
package/src/lib/tmux-lite/crypto/index.ts +0 -51
package/src/lib/tmux-lite/crypto/invites.test.ts +0 -381
package/src/lib/tmux-lite/crypto/invites.ts +0 -215
package/src/lib/tmux-lite/crypto/keyexchange.ts +0 -435
package/src/lib/tmux-lite/crypto/keys.test.ts +0 -58
package/src/lib/tmux-lite/crypto/keys.ts +0 -47
package/src/lib/tmux-lite/crypto/secretbox.test.ts +0 -169
package/src/lib/tmux-lite/crypto/secretbox.ts +0 -124
package/src/lib/tmux-lite/handshake-handler.ts +0 -451
package/src/lib/tmux-lite/protocol.test.ts +0 -307
package/src/lib/tmux-lite/protocol.ts +0 -266
package/src/lib/tmux-lite/relay-client.ts +0 -506
package/src/lib/tmux-lite/server.ts +0 -1250
package/src/lib/tmux-lite/shell-integration.sh +0 -37
package/src/lib/tmux-lite/terminal-queries.test.ts +0 -54
package/src/lib/tmux-lite/terminal-queries.ts +0 -49
package/src/relay/__tests__/e2e-flow.test.ts +0 -1284
package/src/relay/__tests__/helpers/auth.ts +0 -354
package/src/relay/__tests__/helpers/ports.ts +0 -51
package/src/relay/__tests__/protocol-validation.test.ts +0 -265
package/src/relay/authorization.ts +0 -303
package/src/relay/embedded-assets.generated.d.ts +0 -15
package/src/relay/identity.ts +0 -352
package/src/relay/index.ts +0 -57
package/src/relay/pipes.test.ts +0 -427
package/src/relay/pipes.ts +0 -195
package/src/relay/protocol.ts +0 -804
package/src/relay/registries.test.ts +0 -437
package/src/relay/registries.ts +0 -593
package/src/relay/server.test.ts +0 -1323
package/src/relay/server.ts +0 -1092
package/src/relay/signing.ts +0 -238
package/src/relay/types.ts +0 -69
package/src/serve/client-session-manager.ts +0 -622
package/src/serve/daemon.ts +0 -497
package/src/serve/pty-session.ts +0 -236
package/src/serve/types.ts +0 -169
package/src/shared/components/Flow.tsx +0 -453
package/src/shared/components/Flow.tui.tsx +0 -343
package/src/shared/components/Flow.web.tsx +0 -442
package/src/shared/components/Inbox.tsx +0 -446
package/src/shared/components/Inbox.tui.tsx +0 -262
package/src/shared/components/Inbox.web.tsx +0 -329
package/src/shared/components/MachineList.tsx +0 -187
package/src/shared/components/MachineList.tui.tsx +0 -161
package/src/shared/components/MachineList.web.tsx +0 -210
package/src/shared/components/ProjectList.tsx +0 -176
package/src/shared/components/ProjectList.tui.tsx +0 -109
package/src/shared/components/ProjectList.web.tsx +0 -143
package/src/shared/components/SpacesBrowser.tsx +0 -332
package/src/shared/components/SpacesBrowser.tui.tsx +0 -163
package/src/shared/components/SpacesBrowser.web.tsx +0 -221
package/src/shared/components/index.ts +0 -103
package/src/shared/hooks/index.ts +0 -16
package/src/shared/hooks/useNavigation.ts +0 -226
package/src/shared/index.ts +0 -122
package/src/shared/providers/LocalMachineProvider.ts +0 -425
package/src/shared/providers/MachineProvider.ts +0 -165
package/src/shared/providers/RemoteMachineProvider.ts +0 -444
package/src/shared/providers/index.ts +0 -26
package/src/shared/types.ts +0 -145
package/src/tui/adapters.ts +0 -120
package/src/tui/app.tsx +0 -1816
package/src/tui/components/Terminal.tsx +0 -580
package/src/tui/hooks/index.ts +0 -35
package/src/tui/hooks/useAppState.ts +0 -314
package/src/tui/hooks/useDaemonStatus.ts +0 -174
package/src/tui/hooks/useInboxTUI.ts +0 -113
package/src/tui/hooks/useRemoteMachines.ts +0 -209
package/src/tui/index.ts +0 -24
package/src/tui/state.ts +0 -299
package/src/tui/terminal-bracketed-paste.test.ts +0 -45
package/src/tui/terminal-bracketed-paste.ts +0 -47
package/src/types/bundle.ts +0 -112
package/src/types/config.ts +0 -89
package/src/types/errors.ts +0 -206
package/src/types/identity.ts +0 -284
package/src/types/workspace-fuzzy.ts +0 -49
package/src/types/workspace.ts +0 -151
package/src/utils/bun-socket-writer.ts +0 -80
package/src/utils/deps.ts +0 -127
package/src/utils/fuzzy-match.ts +0 -125
package/src/utils/logger.ts +0 -127
package/src/utils/markdown.ts +0 -254
package/src/utils/onboarding.ts +0 -229
package/src/utils/prompts.ts +0 -114
package/src/utils/run-commands.ts +0 -112
package/src/utils/run-scripts.ts +0 -142
package/src/utils/sanitize.ts +0 -98
package/src/utils/secrets.ts +0 -122
package/src/utils/shell-escape.ts +0 -40
package/src/utils/utf8.ts +0 -79
package/src/utils/workspace-state.ts +0 -47
package/src/web/README.md +0 -73
package/src/web/bun.lock +0 -575
package/src/web/eslint.config.js +0 -23
package/src/web/index.html +0 -16
package/src/web/package.json +0 -37
package/src/web/public/vite.svg +0 -1
package/src/web/src/App.tsx +0 -604
package/src/web/src/assets/react.svg +0 -1
package/src/web/src/components/Terminal.tsx +0 -207
package/src/web/src/hooks/useRelayConnection.ts +0 -224
package/src/web/src/hooks/useTerminal.ts +0 -699
package/src/web/src/index.css +0 -55
package/src/web/src/lib/crypto/__tests__/web-terminal.test.ts +0 -1158
package/src/web/src/lib/crypto/frames.ts +0 -205
package/src/web/src/lib/crypto/handshake.ts +0 -396
package/src/web/src/lib/crypto/identity.ts +0 -128
package/src/web/src/lib/crypto/keyexchange.ts +0 -246
package/src/web/src/lib/crypto/relay-signing.ts +0 -53
package/src/web/src/lib/invite.ts +0 -58
package/src/web/src/lib/storage/identity-store.ts +0 -94
package/src/web/src/main.tsx +0 -10
package/src/web/src/types/identity.ts +0 -45
package/src/web/tsconfig.app.json +0 -28
package/src/web/tsconfig.json +0 -7
package/src/web/tsconfig.node.json +0 -26
package/src/web/vite.config.ts +0 -31
package/todo-security.md +0 -92
package/tsconfig.json +0 -23
package/worker/.wrangler/state/v3/d1/miniflare-D1DatabaseObject/12b7107e435bf1b9a8713a7f320472a63e543104d633d89a26f8d21f4e4ef182.sqlite +0 -0
package/worker/.wrangler/state/v3/d1/miniflare-D1DatabaseObject/12b7107e435bf1b9a8713a7f320472a63e543104d633d89a26f8d21f4e4ef182.sqlite-shm +0 -0
package/worker/.wrangler/state/v3/d1/miniflare-D1DatabaseObject/12b7107e435bf1b9a8713a7f320472a63e543104d633d89a26f8d21f4e4ef182.sqlite-wal +0 -0
package/worker/.wrangler/state/v3/d1/miniflare-D1DatabaseObject/1a1ac3db1ab86ecf712f90322868a9aabc2c7dc9fe2dfbe94f9b075096276b0f.sqlite +0 -0
package/worker/.wrangler/state/v3/d1/miniflare-D1DatabaseObject/1a1ac3db1ab86ecf712f90322868a9aabc2c7dc9fe2dfbe94f9b075096276b0f.sqlite-shm +0 -0
package/worker/.wrangler/state/v3/d1/miniflare-D1DatabaseObject/1a1ac3db1ab86ecf712f90322868a9aabc2c7dc9fe2dfbe94f9b075096276b0f.sqlite-wal +0 -0
package/worker/bun.lock +0 -237
package/worker/package.json +0 -22
package/worker/schema.sql +0 -96
package/worker/src/handlers/auth.ts +0 -451
package/worker/src/handlers/subdomains.ts +0 -376
package/worker/src/handlers/user.ts +0 -98
package/worker/src/index.ts +0 -70
package/worker/src/middleware/auth.ts +0 -152
package/worker/src/services/cloudflare.ts +0 -609
package/worker/src/types.ts +0 -96
package/worker/tsconfig.json +0 -15
package/worker/wrangler.toml +0 -26

package/src/lib/tmux-lite/crypto/__tests__/integration/security.integration.test.ts DELETED Viewed

@@ -1,573 +0,0 @@
-/**
- * Security Integration Tests
- *
- * Tests for security fixes addressing the vulnerabilities in SECURITY_REVIEW.md:
- * 1. Identity signature proof (Issue 1)
- * 2. Permission enforcement (Issue 2)
- * 3. Machine takeover prevention (Issue 3)
- * 4. Single-use invite enforcement (Issue 4)
- */
-import { describe, it, expect, beforeEach } from "bun:test";
-import {
-  createClientHello,
-  processServerHello,
-  createClientAuth,
-  processClientAuth,
-  createServerState,
-  processClientHello,
-  createServerHello,
-} from "../../handshake.js";
-import { HandshakeHandler, type HandshakeMessage } from "../../../handshake-handler.js";
-import { AccessControlList } from "../../access-control.js";
-import { createInviteToken } from "../../invites.js";
-import { sign } from "../../identity.js";
-import {
-  createTestIdentity,
-  createTestIdentityPair,
-  toPublicIdentity,
-} from "../helpers/test-identities.js";
-import { runCompleteHandshake } from "../helpers/handshake-runner.js";
-import {
-  registerMachine,
-  clearAllRegistries,
-} from "../../../../../relay/registries.js";
-import type { Identity, X3DHAuthMessage, X3DHResponseMessage } from "../../../../../types/identity.js";
-import {
-  createMockWebSocket,
-  asMockWs,
-  omit,
-  isReplyResult,
-  getReplyData,
-} from "../../../../../__tests__/test-utils.js";
-import type { ServerWebSocket } from "bun";
-import type { WebSocketData } from "../../../../../relay/types.js";
-// ============================================================================
-// Issue 1: Identity Signature Proof Tests
-// ============================================================================
-describe("Issue 1: Identity Signature Proof", () => {
-  let client: Identity;
-  let machine: Identity;
-  let accessList: AccessControlList;
-  beforeEach(() => {
-    ({ client, machine } = createTestIdentityPair());
-    accessList = new AccessControlList();
-  });
-  it("should accept valid handshake with correct identity signature", async () => {
-    // Add client to access list
-    accessList.addEntry(toPublicIdentity(client), "full");
-    const result = await runCompleteHandshake(
-      client,
-      machine,
-      accessList,
-      { type: "access_list" }
-    );
-    expect(result.success).toBe(true);
-    expect(result.clientKeys).toBeDefined();
-    expect(result.machineSession).toBeDefined();
-  });
-  it("should reject ClientAuth with forged identity key", async () => {
-    // Create two identities - client will claim to be impersonator
-    const impersonator = createTestIdentity("Impersonator");
-    // Add the impersonator to access list (but attacker won't have their private key)
-    accessList.addEntry(toPublicIdentity(impersonator), "full");
-    // Manually run handshake to forge the identity key
-    const serverState = createServerState(machine);
-    const { state: clientState, message: clientHello } = createClientHello(machine.id);
-    const stateAfterHello = processClientHello(serverState, clientHello);
-    expect(stateAfterHello).not.toBeNull();
-    const { state: stateAfterServerHello, message: serverHello } = createServerHello(
-      stateAfterHello!,
-      machine
-    );
-    const clientStateAfterServerHello = processServerHello(clientState, serverHello);
-    expect(clientStateAfterServerHello).not.toBeNull();
-    // Create ClientAuth with client's identity but forging impersonator's public key
-    // This should fail because signature won't verify
-    const { message: clientAuth } = createClientAuth(
-      clientStateAfterServerHello!,
-      client, // Use client's keys for signing
-      { type: "access_list" }
-    );
-    // Forge the identity key to claim impersonator's identity
-    const forgedAuth: X3DHAuthMessage = {
-      ...clientAuth,
-      identityKey: Buffer.from(impersonator.signing.publicKey).toString("base64"),
-    };
-    // Process the forged ClientAuth - should fail signature verification
-    const result = processClientAuth(stateAfterServerHello, forgedAuth, machine);
-    expect(result).toBeNull(); // Should reject due to signature mismatch
-  });
-  it("should reject ClientAuth with missing identity signature", async () => {
-    accessList.addEntry(toPublicIdentity(client), "full");
-    // Manually run handshake to create ClientAuth without signature
-    const serverState = createServerState(machine);
-    const { state: clientState, message: clientHello } = createClientHello(machine.id);
-    const stateAfterHello = processClientHello(serverState, clientHello);
-    expect(stateAfterHello).not.toBeNull();
-    const { state: stateAfterServerHello, message: serverHello } = createServerHello(
-      stateAfterHello!,
-      machine
-    );
-    const clientStateAfterServerHello = processServerHello(clientState, serverHello);
-    expect(clientStateAfterServerHello).not.toBeNull();
-    const { message: clientAuth } = createClientAuth(
-      clientStateAfterServerHello!,
-      client,
-      { type: "access_list" }
-    );
-    // Remove the signature using type-safe utility
-    // We cast to X3DHAuthMessage because we're deliberately testing what happens
-    // when a required field is missing - the function should reject this
-    const authWithoutSignature = omit(clientAuth, 'identitySignature') as unknown as X3DHAuthMessage;
-    // Process - should reject due to missing signature
-    const result = processClientAuth(stateAfterServerHello, authWithoutSignature, machine);
-    expect(result).toBeNull();
-  });
-  it("should reject ClientAuth with wrong signature", async () => {
-    // Another client whose signature we'll use
-    const other = createTestIdentity("Other");
-    accessList.addEntry(toPublicIdentity(client), "full");
-    // Manually run handshake
-    const serverState = createServerState(machine);
-    const { state: clientState, message: clientHello } = createClientHello(machine.id);
-    const stateAfterHello = processClientHello(serverState, clientHello);
-    expect(stateAfterHello).not.toBeNull();
-    const { state: stateAfterServerHello, message: serverHello } = createServerHello(
-      stateAfterHello!,
-      machine
-    );
-    const clientStateAfterServerHello = processServerHello(clientState, serverHello);
-    expect(clientStateAfterServerHello).not.toBeNull();
-    const { message: clientAuth } = createClientAuth(
-      clientStateAfterServerHello!,
-      client,
-      { type: "access_list" }
-    );
-    // Create a wrong signature (signed by other identity)
-    const wrongSignature = sign(
-      new Uint8Array(128), // Some random data
-      other.signing.secretKey
-    );
-    const authWithWrongSignature: X3DHAuthMessage = {
-      ...clientAuth,
-      identitySignature: Buffer.from(wrongSignature).toString("base64"),
-    };
-    // Process - should reject due to signature verification failure
-    const result = processClientAuth(stateAfterServerHello, authWithWrongSignature, machine);
-    expect(result).toBeNull();
-  });
-});
-// ============================================================================
-// Issue 2: Permission Enforcement Tests
-// ============================================================================
-describe("Issue 2: Permission Enforcement", () => {
-  describe("canWrite permission", () => {
-    it("should allow PTY writes for full access clients", async () => {
-      const { client, machine } = createTestIdentityPair();
-      const accessList = new AccessControlList();
-      accessList.addEntry(toPublicIdentity(client), "full");
-      const result = await runCompleteHandshake(
-        client,
-        machine,
-        accessList,
-        { type: "access_list" }
-      );
-      expect(result.success).toBe(true);
-      expect(result.machineSession?.accessType).toBe("full");
-    });
-    it("should grant session-invite access via invite token", async () => {
-      const { client, machine } = createTestIdentityPair();
-      const accessList = new AccessControlList();
-      // Don't add client to access list - use invite
-      const result = await runCompleteHandshake(
-        client,
-        machine,
-        accessList,
-        { type: "invite", accessType: "session-invite", sessionId: "test-session-123" }
-      );
-      expect(result.success).toBe(true);
-      expect(result.machineSession?.accessType).toBe("session-invite");
-      expect(result.machineSession?.sessionId).toBe("test-session-123");
-    });
-  });
-  describe("Access type from access list", () => {
-    it("should respect session-invite access type from access list", async () => {
-      const { client, machine } = createTestIdentityPair();
-      const accessList = new AccessControlList();
-      accessList.addEntry(toPublicIdentity(client), "session-invite", "session-abc");
-      const result = await runCompleteHandshake(
-        client,
-        machine,
-        accessList,
-        { type: "access_list" }
-      );
-      expect(result.success).toBe(true);
-      expect(result.machineSession?.accessType).toBe("session-invite");
-      expect(result.machineSession?.sessionId).toBe("session-abc");
-    });
-  });
-});
-// ============================================================================
-// Issue 3: Machine Takeover Prevention Tests
-// ============================================================================
-describe("Issue 3: Machine Takeover Prevention", () => {
-  beforeEach(() => {
-    clearAllRegistries();
-  });
-  it("should allow initial machine registration", () => {
-    const machine = createTestIdentity("Machine");
-    const mockWs = asMockWs<ServerWebSocket<WebSocketData>>(
-      createMockWebSocket({ data: { machineId: machine.id } })
-    );
-    const result = registerMachine(
-      machine.id,
-      "account-alice",
-      Buffer.from(machine.signing.publicKey).toString("base64"),
-      Buffer.from(machine.keyExchange.publicKey).toString("base64"),
-      mockWs,
-      "Alice's Machine"
-    );
-    expect(result.success).toBe(true);
-    if (result.success) {
-      expect(result.registration.machineId).toBe(machine.id);
-      expect(result.registration.accountId).toBe("account-alice");
-    }
-  });
-  it("should allow re-registration from same account with same keys", () => {
-    const machine = createTestIdentity("Machine");
-    const mockWs1 = asMockWs<ServerWebSocket<WebSocketData>>(
-      createMockWebSocket({ data: { machineId: machine.id, connectionId: "conn-1" } })
-    );
-    const mockWs2 = asMockWs<ServerWebSocket<WebSocketData>>(
-      createMockWebSocket({ data: { machineId: machine.id, connectionId: "conn-2" } })
-    );
-    const signingKey = Buffer.from(machine.signing.publicKey).toString("base64");
-    const keyExchangeKey = Buffer.from(machine.keyExchange.publicKey).toString("base64");
-    // First registration
-    const result1 = registerMachine(
-      machine.id,
-      "account-alice",
-      signingKey,
-      keyExchangeKey,
-      mockWs1
-    );
-    expect(result1.success).toBe(true);
-    // Re-registration from same account with same keys
-    const result2 = registerMachine(
-      machine.id,
-      "account-alice",
-      signingKey,
-      keyExchangeKey,
-      mockWs2
-    );
-    expect(result2.success).toBe(true);
-  });
-  it("should reject re-registration from different account", () => {
-    const machine = createTestIdentity("Machine");
-    const mockWs1 = asMockWs<ServerWebSocket<WebSocketData>>(
-      createMockWebSocket({ data: { machineId: machine.id, connectionId: "conn-1" } })
-    );
-    const mockWs2 = asMockWs<ServerWebSocket<WebSocketData>>(
-      createMockWebSocket({ data: { machineId: machine.id, connectionId: "conn-2" } })
-    );
-    const signingKey = Buffer.from(machine.signing.publicKey).toString("base64");
-    const keyExchangeKey = Buffer.from(machine.keyExchange.publicKey).toString("base64");
-    // First registration by Alice
-    const result1 = registerMachine(
-      machine.id,
-      "account-alice",
-      signingKey,
-      keyExchangeKey,
-      mockWs1
-    );
-    expect(result1.success).toBe(true);
-    // Attacker Eve tries to hijack
-    const result2 = registerMachine(
-      machine.id,
-      "account-eve", // Different account!
-      signingKey,
-      keyExchangeKey,
-      mockWs2
-    );
-    expect(result2.success).toBe(false);
-    if (!result2.success) {
-      expect(result2.error).toContain("different account");
-    }
-  });
-  it("should reject re-registration with different signing key", () => {
-    const machine = createTestIdentity("Machine");
-    const attacker = createTestIdentity("Attacker");
-    const mockWs1 = asMockWs<ServerWebSocket<WebSocketData>>(
-      createMockWebSocket({ data: { machineId: machine.id, connectionId: "conn-1" } })
-    );
-    const mockWs2 = asMockWs<ServerWebSocket<WebSocketData>>(
-      createMockWebSocket({ data: { machineId: machine.id, connectionId: "conn-2" } })
-    );
-    const originalSigningKey = Buffer.from(machine.signing.publicKey).toString("base64");
-    const originalKeyExchangeKey = Buffer.from(machine.keyExchange.publicKey).toString("base64");
-    const attackerSigningKey = Buffer.from(attacker.signing.publicKey).toString("base64");
-    // First registration
-    const result1 = registerMachine(
-      machine.id,
-      "account-alice",
-      originalSigningKey,
-      originalKeyExchangeKey,
-      mockWs1
-    );
-    expect(result1.success).toBe(true);
-    // Same account but different signing key (key substitution attack)
-    const result2 = registerMachine(
-      machine.id,
-      "account-alice", // Same account
-      attackerSigningKey, // Different key!
-      originalKeyExchangeKey,
-      mockWs2
-    );
-    expect(result2.success).toBe(false);
-    if (!result2.success) {
-      expect(result2.error).toContain("Signing key mismatch");
-    }
-  });
-});
-// ============================================================================
-// Issue 4: Single-Use Invite Enforcement Tests
-// ============================================================================
-describe("Issue 4: Single-Use Invite Enforcement", () => {
-  it("should NOT add client to access list for singleUse=true invites", async () => {
-    const { client, machine } = createTestIdentityPair();
-    const accessList = new AccessControlList();
-    // Verify client is not in access list initially
-    expect(accessList.getEntry(client.id)).toBeUndefined();
-    // Create single-use invite
-    const inviteToken = createInviteToken(machine, "wss://test.relay", {
-      accessType: "full",
-      singleUse: true,
-      validityMs: 3600000,
-    });
-    // Create handler with the access list
-    const handler = new HandshakeHandler({
-      identity: machine,
-      accessList,
-    });
-    // Run handshake with single-use invite
-    const connectionId = "test-conn-1";
-    // ClientHello
-    const { state: clientState, message: clientHello } = createClientHello(machine.id);
-    const helloResult = await handler.processMessage(connectionId, {
-      type: "handshake",
-      phase: "client_hello",
-      data: clientHello,
-    });
-    expect(helloResult.type).toBe("reply");
-    if (!isReplyResult(helloResult)) throw new Error("Expected reply");
-    // Process ServerHello
-    const serverHello = getReplyData<X3DHResponseMessage>(helloResult);
-    const stateAfterServerHello = processServerHello(clientState, serverHello);
-    expect(stateAfterServerHello).not.toBeNull();
-    // ClientAuth with single-use invite
-    const { message: clientAuth } = createClientAuth(
-      stateAfterServerHello!,
-      client,
-      { type: "invite", inviteToken }
-    );
-    const authResult = await handler.processMessage(connectionId, {
-      type: "handshake",
-      phase: "client_auth",
-      data: clientAuth,
-    });
-    // Should succeed
-    expect(authResult.type).toBe("established");
-    // Client should NOT be in access list (single-use)
-    expect(accessList.getEntry(client.id)).toBeUndefined();
-  });
-  it("should add client to access list for singleUse=false invites", async () => {
-    const { client, machine } = createTestIdentityPair();
-    const accessList = new AccessControlList();
-    // Verify client is not in access list initially
-    expect(accessList.getEntry(client.id)).toBeUndefined();
-    // Create reusable invite (singleUse=false)
-    const inviteToken = createInviteToken(machine, "wss://test.relay", {
-      accessType: "full",
-      singleUse: false,
-      validityMs: 3600000,
-    });
-    // Create handler with the access list
-    const handler = new HandshakeHandler({
-      identity: machine,
-      accessList,
-    });
-    // Run handshake with reusable invite
-    const connectionId = "test-conn-2";
-    // ClientHello
-    const { state: clientState, message: clientHello } = createClientHello(machine.id);
-    const helloResult = await handler.processMessage(connectionId, {
-      type: "handshake",
-      phase: "client_hello",
-      data: clientHello,
-    });
-    expect(helloResult.type).toBe("reply");
-    if (!isReplyResult(helloResult)) throw new Error("Expected reply");
-    // Process ServerHello
-    const serverHello = getReplyData<X3DHResponseMessage>(helloResult);
-    const stateAfterServerHello = processServerHello(clientState, serverHello);
-    expect(stateAfterServerHello).not.toBeNull();
-    // ClientAuth with reusable invite
-    const { message: clientAuth } = createClientAuth(
-      stateAfterServerHello!,
-      client,
-      { type: "invite", inviteToken }
-    );
-    const authResult = await handler.processMessage(connectionId, {
-      type: "handshake",
-      phase: "client_auth",
-      data: clientAuth,
-    });
-    // Should succeed
-    expect(authResult.type).toBe("established");
-    // Client SHOULD be in access list (not single-use)
-    const entry = accessList.getEntry(client.id);
-    expect(entry).toBeDefined();
-    expect(entry?.accessType).toBe("full");
-  });
-  it("should grant session access for single-use invite during connection", async () => {
-    const { client, machine } = createTestIdentityPair();
-    const accessList = new AccessControlList();
-    // Create single-use session-invite
-    const inviteToken = createInviteToken(machine, "wss://test.relay", {
-      accessType: "session-invite",
-      sessionId: "session-xyz",
-      singleUse: true,
-      validityMs: 3600000,
-    });
-    const handler = new HandshakeHandler({
-      identity: machine,
-      accessList,
-    });
-    const connectionId = "test-conn-3";
-    // ClientHello
-    const { state: clientState, message: clientHello } = createClientHello(machine.id);
-    const helloResult = await handler.processMessage(connectionId, {
-      type: "handshake",
-      phase: "client_hello",
-      data: clientHello,
-    });
-    if (!isReplyResult(helloResult)) throw new Error("Expected reply");
-    // Process ServerHello
-    const serverHello = getReplyData<X3DHResponseMessage>(helloResult);
-    const stateAfterServerHello = processServerHello(clientState, serverHello);
-    // ClientAuth with single-use invite
-    const { message: clientAuth } = createClientAuth(
-      stateAfterServerHello!,
-      client,
-      { type: "invite", inviteToken }
-    );
-    const authResult = await handler.processMessage(connectionId, {
-      type: "handshake",
-      phase: "client_auth",
-      data: clientAuth,
-    });
-    // Should succeed with session access
-    expect(authResult.type).toBe("established");
-    if (authResult.type === "established") {
-      expect(authResult.session.accessType).toBe("session-invite");
-      expect(authResult.session.sessionId).toBe("session-xyz");
-    }
-    // But client should NOT be permanently in access list
-    expect(accessList.getEntry(client.id)).toBeUndefined();
-  });
-});