codex/issue-396-signed-swm-gossip-auth

[lupuszr]

Summary

• Authenticate shared-memory gossip by wrapping outgoing SWM writes in signed GossipEnvelopes when a local
  agent key is available.
• Enforce DKG_ALLOWED_AGENT / DKG_PARTICIPANT_AGENT on receiver-side SWM handling so agent-gated context
  graphs reject unsigned or unauthorized writes.
• Preserve legacy raw SWM gossip only for non-agent-gated graphs.
• Add fallback signer selection for open graphs when the default agent cannot sign but another local
  custodial agent key exists.
• Add focused sender/receiver regression coverage and update SWM auth docs.

Testing

• Added sender-side tests for signed outgoing SWM envelopes, agent-gated signer selection, missing local
  signer rejection, and raw open-graph fallback.
• Added receiver-side tests for raw gated rejection, signed authorized acceptance, and signed unauthorized
  rejection.
• No generated deployment artifacts are included.

Should fix #396

[github-actions]

🔴 Bug: computeGossipSigningPayload() now signs a different byte stream, but the advertised envelope version stays 10.0.0. During a rolling upgrade, old and new nodes will both claim the same protocol version while rejecting each other’s signatures, which can split agent-gated SWM gossip. Bump the envelope version (or accept both signing formats during migration) when changing the signed payload layout.

[github-actions]

🔴 Bug: throwing here turns a missing local signer into a hard failure after the local SWM write has already been committed. publishAsync(), share(), and conditionalShare() all call writeToWorkspace() first, so callers can get an error even though local state and async-lift jobs were already created. Either decide this before mutating local state, or downgrade it to “skip broadcast and keep the local write” so the API result matches what actually happened.

[github-actions]

🔴 Bug: inbound verification now depends on this node owning an allowed agent key, not just on the sender being authorized. That means a subscribed/read-only peer, or a node that temporarily lacks its local key material, will reject otherwise valid signed gossip and stop converging. The receiver should verify that the envelope signer is in the graph’s allowlist; whether the local node can publish is a separate concern that should stay on the sender side.

[Jurij89]

Thanks for the work here. One important gap to fix before we can call this complete: this appears to gate writes / receiver-side ingestion, but it does not fully gate reads / visibility of SWM data.

The new GossipEnvelope authenticates the SWM writer and lets SharedMemoryHandler reject unsigned or unauthorized messages before storing them. That is good for write authorization. However, the envelope payload is still plaintext SWM data. If an unauthorized peer can receive or subscribe to the gossip topic, it can still decode the payload bytes even if the standard handler later refuses to persist them.

The intended behavior is both:

• only allowlisted agents can write SWM for an agent-gated context graph; and
• only allowlisted agents/users can see/read the SWM data for that context graph.

So I do not think this PR fully satisfies the read/confidentiality side yet. To close the gap, we need one of these guarantees, with tests:

• encrypt SWM payloads to the allowed agents/users so gossip bytes are unreadable to outsiders;
• or enforce subscription/delivery/read-path authorization so unauthorized peers cannot receive, sync, or query SWM for the graph;
• ideally add regression coverage proving an unauthorized peer cannot receive/decode/query SWM data for a graph gated only by DKG_ALLOWED_AGENT / DKG_PARTICIPANT_AGENT, not just that its handler rejects storing an unauthorized write.

In short: current PR looks like write-gating plus authenticated ingest; the acceptance target should be write-gating and read/confidentiality gating.