peat-protocol 0.9.0-rc.8

Peat Coordination Protocol — hierarchical capability composition over CRDTs for heterogeneous mesh networks
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150

//! # Security Module - Device Authentication (PKI) for Peat Protocol
//!
//! Implements ADR-006 Layer 1: Device Identity and Authentication.
//!
//! ## Overview
//!
//! This module provides cryptographic device authentication using Ed25519 signatures.
//! Every device has a keypair that proves its identity through challenge-response.
//!
//! ## Key Types
//!
//! - [`DeviceId`] - Unique identifier derived from Ed25519 public key
//! - [`DeviceKeypair`] - Ed25519 keypair for signing and identity
//! - [`DeviceAuthenticator`] - Manages challenge-response authentication
//!
//! ## Usage
//!
//! ```ignore
//! use peat_protocol::security::{DeviceKeypair, DeviceAuthenticator, DeviceId};
//!
//! // Generate a new device identity
//! let keypair = DeviceKeypair::generate();
//! let device_id = keypair.device_id();
//!
//! // Create authenticator
//! let authenticator = DeviceAuthenticator::new(keypair);
//!
//! // Generate challenge for peer
//! let challenge = authenticator.generate_challenge();
//!
//! // Respond to challenge (peer side)
//! let response = peer_authenticator.respond_to_challenge(&challenge)?;
//!
//! // Verify peer response
//! let peer_id = authenticator.verify_response(&response)?;
//! ```

// Re-export stub submodules (generic primitives now live in peat-mesh)
mod callsign;
mod device_id;
mod encryption;
mod error;
mod formation_key;
mod keypair;

// Peat-specific security modules (depend on peat-schema / domain types)
mod audit;
mod auth_state;
mod authenticator;
mod authorization;
mod membership;
mod transport;
mod user_auth;

// --- Generic security primitives re-exported from peat-mesh ---

pub use peat_mesh::security::{
    // Callsign generation
    CallsignError,
    CallsignGenerator,
    // Device identity
    DeviceId,
    DeviceKeypair,
    // Encryption
    EncryptedCellMessage,
    EncryptedData,
    EncryptedDocument,
    EncryptionKeypair,
    EncryptionManager,
    // Formation key authentication
    FormationAuthResult,
    FormationChallenge,
    FormationChallengeResponse,
    FormationKey,
    GroupKey,
    SecureChannel,
    SecurityError,
    SymmetricKey,
    // Module-level constants
    CHALLENGE_NONCE_SIZE,
    DEFAULT_CHALLENGE_TIMEOUT_SECS,
    // Formation constants
    FORMATION_CHALLENGE_SIZE,
    FORMATION_RESPONSE_SIZE,
    // Constants
    MAX_CALLSIGN_LENGTH,
    NATO_ALPHABET,
    // Encryption constants
    NONCE_SIZE,
    PUBLIC_KEY_SIZE,
    SIGNATURE_SIZE,
    SYMMETRIC_KEY_SIZE,
    TOTAL_CALLSIGNS,
    X25519_PUBLIC_KEY_SIZE,
};

// --- Peat-specific exports ---

pub use audit::{
    AuditEventType, AuditLogEntry, AuditLogger, FileAuditLogger, MemoryAuditLogger,
    NullAuditLogger, SecurityViolation,
};
pub use authenticator::{DeviceAuthenticator, VerifiedPeer};
pub use authorization::{
    AuthenticatedEntity, AuthorizationContext, AuthorizationController, AuthorizationPolicy,
    CellMembershipContext, DeviceIdentityInfo, DeviceType, HierarchyLevel, Permission, Role,
    UserIdentityInfo,
};
pub use transport::{AuthenticatedConnection, AuthenticationChannel, SecureMeshTransport};
pub use user_auth::{
    AccountStatus, AuthMethod, Credential, LocalUserStore, MilitaryRank, OrganizationUnit,
    SecurityClearance, SessionId, UserAuthenticator, UserIdentity, UserIdentityBuilder, UserRecord,
    UserSession, UserStore,
};

// Membership certificates (ADR-048: Tactical Trust)
pub use membership::{
    CertificateRegistry, MemberPermissions, MembershipCertificate, CERTIFICATE_BASE_SIZE,
    MAX_CALLSIGN_LEN, MESH_ID_LEN,
};

// Auth state tracking (ADR-048: Graceful Degradation)
pub use auth_state::{
    AuthConfig, AuthStateEvent, AuthStateMonitor, AuthStateTracker, CertificateState,
};

// Re-export protobuf types for convenience
pub use peat_schema::security::v1::{
    Challenge, DeviceIdentity, DeviceType as ProtoDeviceType,
    HierarchyLevel as ProtoHierarchyLevel, SecurityError as ProtoSecurityError, SignedBeacon,
    SignedChallengeResponse,
};

// Integration with main crate error type (moved from error.rs)
impl From<peat_mesh::security::SecurityError> for crate::Error {
    fn from(err: peat_mesh::security::SecurityError) -> Self {
        crate::Error::Security(err.to_string())
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_module_exports() {
        // Verify all public types are accessible
        let _: fn() -> DeviceKeypair = DeviceKeypair::generate;
    }
}