refactor(ocap-kernel): neutral remote identity (netlayer phase 2)#971
Draft
rekmarks wants to merge 2 commits into
Draft
refactor(ocap-kernel): neutral remote identity (netlayer phase 2)#971rekmarks wants to merge 2 commits into
rekmarks wants to merge 2 commits into
Conversation
Make the kernel's peer identity netlayer-neutral and remove libp2p-specific crypto from the identity/URL/error layer: - Add remotes/kernel/identity.ts: deriveNeutralPeerId / neutralPeerIdToPublicKey / publicKeyToNeutralPeerId (base58btc multibase of the raw Ed25519 public key via @noble/curves), exported from the package barrel. - remote-comms.ts derives the neutral peerId from the seed and encrypts ocap-URL oids with WebCrypto AES-256-GCM (crypto.subtle, key used directly, random IV) instead of @libp2p/crypto AES_GCM/Ed25519. - connection-factory.ts converts neutral <-> libp2p peerIds at the libp2p boundary (dial, inbound handler, peer:disconnect); the transport layer only ever sees neutral ids. - kernel-errors drops its @libp2p/interface import: isRetryableNetworkError classifies ChannelResetError and matches MuxerClosedError by name. - ocap: URL host is now the neutral z... id; format otherwise unchanged. Compatibility breaks by design (no migration). Verified with fresh storage. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Contributor
Coverage Report
File Coverage
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Phase 2 of the pluggable-netlayer effort (issue #968), stacked on #970 (base
rekm/netlayer-1).Makes the kernel's peer identity netlayer-neutral and removes libp2p-specific crypto from the identity/URL/error layer. Compatibility breaks by design (no migration); verified against fresh storage.
What changed
remotes/kernel/identity.ts(libp2p-free;@noble/curves/ed25519+multiformatsonly):deriveNeutralPeerId(seed),neutralPeerIdToPublicKey(peerId),publicKeyToNeutralPeerId(publicKey), exported from the ocap-kernel barrel. The neutral peerId is multibase base58btc (z…) of the raw 32-byte Ed25519 public key.remote-comms.ts: derives the peerId viaderiveNeutralPeerId(replacing@libp2p/crypto/keys+@libp2p/peer-id); encrypts ocap-URL oids with WebCrypto AES-256-GCM (crypto.subtle, 32-byte key used directly, fresh 12-byte IV) instead of@libp2p/cryptoAES_GCM. The "amateur cryptography" warning is retained.connection-factory.ts: converts neutral ↔ libp2p peerIds at the libp2p boundary only —#toLibp2pPeerIdfor dialing,publicKeyToNeutralPeerId(connection.remotePeer.publicKey.raw)for the inbound handler andpeer:disconnect. The transport layer only ever sees neutral ids;#inflightDialsand#relayPeerIdsguards keep their existing keyspaces.@metamask/kernel-errors: drops the@libp2p/interfaceimport —isRetryableNetworkErrorclassifiesChannelResetErrorand matchesMuxerClosedErrorbyerror.name(behavior-preserving; the libp2p name/message sniffing is annotated to move to@metamask/netlayer-libp2pin Phase 4).ocap:URL:hostis now the neutralz…id;oid=base58btc(iv ‖ ciphertext ‖ tag). String shape unchanged; hints stay opaque libp2p multiaddrs.ocap-kernelstill depends on libp2pconnection-factory.tsstill constructs libp2p and now also uses@libp2p/crypto/keyspublicKeyFromRaw+@libp2p/peer-idpeerIdFromPublicKeyfor the boundary conversion, so no@libp2pdep is removable this phase (that's Phase 4). Added@noble/curves.Crypto review flag
The WebCrypto AES-GCM swap is security-sensitive. It reduces surface (drops PBKDF2/salt on an already-random 32-byte key): non-extractable 256-bit key, fresh random 12-byte IV per encryption, auth-tag failure surfaced as
ocapURL has bad object referencewith no oracle detail.Verification
yarn lint:fix,yarn build, per-packagetest:dev:quiet --coverage=truefor@metamask/ocap-kerneland@metamask/kernel-errors, and@ocap/kernel-testintegration (two-kernel remote-comms end-to-end with neutral ids). Coverage held at/above baseline (the changed files are 100% covered).remote-comms.tsandkernel-errors/srcare@libp2p-free;connection-factory.tsstill uses libp2p;ocap-kernel/package.jsonretains its libp2p deps.Plan docs updated:
docs/plans/netlayer/master.md(Phase 2 marked done + landed decisions) anddocs/plans/netlayer/phase-3.md(reconciled against landed Phases 1–2).🤖 Generated with Claude Code