feat(a2a): cross-device relay ingress with pairing gate#85
Merged
Conversation
Second of the cross-device messaging PRs (after the pairing store in #84). Adds the receive side of the LAN relay: the endpoint a remote daemon POSTs to, gated by the operator's chosen trust model. - POST /v1/relay (circle-aware, same circleOrBearer gate as /v1/agents): a paired peer relays a message here over the LAN. The handler runs the first-contact pairing gate — an unknown sender is recorded pending (202 + a 4-digit code) and refused until the receiving operator approves; an approved sender's message is delivered. Not a code-execution surface (it enqueues into local inboxes), so circle auth + pairing approval are the trust boundary. - a2a.InstallID / InstallDisplayName: a stable per-install fingerprint (persisted UUID) the relay will present as the sender identity — peer_ids churn per session and can't anchor a pairing decision. - Registry.DeliverToLocal: enqueues a relayed message into every LOCAL agent's inbox (source != mdns), so it reaches whatever agent is live here without looping back out to other remote peers. - a2a.GlobalPairingStore: lazy process-wide store the handler reads; corrupt-file-safe (re-prompts rather than wedging delivery). Tests: relay first-contact→202+code (nothing delivered), approve→200 delivered into the local inbox, missing-field rejects; InstallID stability; DeliverToLocal skips mdns peers. Send side next: `peer send` to an mdns target relays to the remote's /v1/relay (instead of writing the local inbox) and surfaces the pairing-required response.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Second cross-device-messaging PR (after the pairing store in #84). Adds the receive side of the LAN relay — the endpoint a remote daemon POSTs to, gated by the operator's chosen trust model (circle key + first-contact pairing approval).
What
circleOrBearergate as/v1/agents): a paired peer relays a message over the LAN. Unknown sender →202 pairing_required+ 4-digit code, refused until the receiving operator approves; approved sender → delivered. Enqueues into local inboxes (not code execution), so circle auth + pairing approval are the trust boundary.a2a.InstallID/InstallDisplayName— stable per-install fingerprint (persisted UUID) the relay presents as sender identity; peer_ids churn per session and can't anchor a pairing decision.Registry.DeliverToLocal— enqueues into every LOCAL agent inbox (source != mdns), so a relayed message reaches whatever agent is live here without looping back out to remote peers.a2a.GlobalPairingStore— lazy process-wide store; corrupt-file-safe (re-prompts rather than wedging delivery).Tests
relay first-contact→202+code (nothing delivered), approve→200 delivered into local inbox, missing-field rejects;
InstallIDstability;DeliverToLocalskips mdns peers.internal/a2a+internal/serversuites green.Next (PR 3)
Send side:
peer sendto an mdns target relays to the remote's/v1/relay(instead of writing the local inbox) and surfaces the pairing-required response;clawtool peer pair list/approve/denyCLI; app approval prompt + liveness re-announce.