feat: harden Miranda for v0.7.0 release candidate#51
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1a63b21f7d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| // so an answer can only ever reach a session the agent owns. | ||
| if bc := ac.session(m.Session); bc != nil { | ||
| bc.notify(SignalMsg{Type: TypeAnswer, SDP: m.SDP}) | ||
| bc.close() // signaling is one-shot; writer flushes the queued answer |
There was a problem hiding this comment.
Keep signaling open until web setup finishes
When a browser attaches through the relay, the SPA still treats ws.onclose as a setup failure while connected is false (web/src/app.js:141), and connected is not set until after the WebRTC data channel opens and Noise completes. Closing the browser signaling socket immediately after queuing the answer makes normal one-shot shutdown race ahead of ICE/data-channel establishment on typical web clients, causing the SPA to tear down the peer connection with “signal socket closed” instead of completing the attach.
Useful? React with 👍 / 👎.
| // Verify owner control before allocating ICE, TURN, file descriptors, or a | ||
| // Pion PeerConnection. The stable binding selects the Noise key; the fresh | ||
| // signature binds this exact SDP to the relay-issued one-shot session. | ||
| if !rt.cfg.IsOwnerPinned(owner) || m.Session == "" || m.Auth == "" { |
There was a problem hiding this comment.
Accept owners loaded by the hot-reload loop
When mir pair adds an owner while mir up is already running, Up only calls ReloadOwners and starts serveOwner for the new owner; it never updates rt.cfg.PairedOwners. For those hot-loaded owners this stale IsOwnerPinned guard rejects every signed offer even though the agent successfully registered for that owner, so pairing appears to work but attaches fail until the agent is restarted.
Useful? React with 👍 / 👎.
What changed
mir doctor, reproducible builds, fuzz smoke tests, pinned supply-chain gates, audit scope, and operations/release documentationWhy
This turns the current prototype into a focused security release candidate for a private, P2P terminal-continuity mesh around tmux.
Impact
This is a security-driven identity migration. Existing wallet-era state must be backed up and devices paired again. The relay remains blind to terminal plaintext.
Validation
go test ./...go test -race -count=1 ./...go vet ./...govulncheck@v1.6.0 ./...npm audit --omit=dev: 0 vulnerabilities