Shadowbroker/backend/tests/mesh/test_gate_rns_envelope_distribution.py

import hashlib
import json
import threading


def test_rns_gate_publish_preserves_durable_envelope_fields(monkeypatch):
    from services.mesh import mesh_hashchain
    from services.mesh.mesh_rns import RNSBridge

    bridge = RNSBridge.__new__(RNSBridge)
    bridge._enabled = True
    bridge._ready = True
    bridge._dedupe = {}
    bridge._dedupe_lock = threading.Lock()

    sent: list[bytes] = []
    peer_urls: list[str] = []

    monkeypatch.setattr(bridge, "enabled", lambda: True)
    monkeypatch.setattr(bridge, "_maybe_rotate_session", lambda: None)
    monkeypatch.setattr(bridge, "_seen", lambda _message_id: False)
    monkeypatch.setattr(bridge, "_make_message_id", lambda prefix: f"{prefix}:test")
    monkeypatch.setattr(bridge, "_local_hash", lambda: "abcd1234")
    monkeypatch.setattr(bridge, "_dandelion_hops", lambda: 0)
    monkeypatch.setattr(bridge, "_pick_stem_peer", lambda: None)
    monkeypatch.setattr(bridge, "_send_diffuse", lambda payload, exclude=None: sent.append(payload) or 1)
    monkeypatch.setattr(
        mesh_hashchain,
        "build_gate_wire_ref",
        lambda gate_id, event, peer_url="": peer_urls.append(peer_url) or "gate-ref-test",
    )

    gate_envelope = "durable-envelope-token"
    event = {
        "event_id": "a" * 64,
        "event_type": "gate_message",
        "timestamp": 1710000000.0,
        "node_id": "!sb_sender",
        "sequence": 7,
        "signature": "b" * 128,
        "public_key": "pub",
        "public_key_algo": "ed25519",
        "protocol_version": "infonet/2",
        "payload": {
            "gate": "general-talk",
            "ciphertext": "mls-ciphertext",
            "nonce": "mls-nonce",
            "sender_ref": "sender-ref",
            "format": "mls1",
            "epoch": 3,
            "gate_envelope": gate_envelope,
            "envelope_hash": hashlib.sha256(gate_envelope.encode("ascii")).hexdigest(),
            "reply_to": "parent-event",
            "transport_lock": "private_strong",
        },
    }

    bridge.publish_gate_event("general-talk", event)

    assert sent, "RNS gate publish should emit a gate_event payload"
    wire = json.loads(sent[0].decode("utf-8"))
    payload = wire["body"]["event"]["payload"]
    assert wire["meta"]["reply_to"] == "abcd1234"
    assert payload["ciphertext"] == "mls-ciphertext"
    assert payload["gate_envelope"] == gate_envelope
    assert payload["envelope_hash"] == hashlib.sha256(gate_envelope.encode("ascii")).hexdigest()
    assert payload["reply_to"] == "parent-event"
    assert payload["transport_lock"] == "private_strong"
    assert payload["gate_ref"] == "gate-ref-test"
    assert peer_urls == ["rns://abcd1234"]
    assert "gate" not in payload


def test_private_gate_sanitizer_preserves_distribution_fields():
    from services.mesh.mesh_hashchain import _private_gate_signature_payload, _sanitize_private_gate_event

    event = {
        "event_id": "c" * 64,
        "event_type": "gate_message",
        "timestamp": 1710000000.0,
        "node_id": "!sb_sender",
        "sequence": 9,
        "signature": "d" * 128,
        "public_key": "pub",
        "public_key_algo": "ed25519",
        "protocol_version": "infonet/2",
        "payload": {
            "gate": "general-talk",
            "ciphertext": "mls-ciphertext",
            "nonce": "mls-nonce",
            "sender_ref": "sender-ref",
            "format": "mls1",
            "epoch": 4,
            "envelope_hash": "e" * 64,
            "gate_envelope": "durable-envelope-token",
            "reply_to": "parent-event",
            "transport_lock": "private_strong",
        },
    }

    sanitized = _sanitize_private_gate_event("general-talk", event)
    payload = sanitized["payload"]
    assert payload["gate_envelope"] == "durable-envelope-token"
    assert payload["envelope_hash"] == "e" * 64
    assert payload["reply_to"] == "parent-event"
    assert payload["transport_lock"] == "private_strong"

    signed_payload = _private_gate_signature_payload("general-talk", event)
    assert signed_payload["envelope_hash"] == "e" * 64
    assert signed_payload["reply_to"] == "parent-event"
    assert signed_payload["transport_lock"] == "private_strong"


def test_high_privacy_rns_gate_publish_batches_before_fallback_send(monkeypatch):
    from types import SimpleNamespace

    from services.mesh import mesh_hashchain, mesh_rns
    from services.mesh.mesh_rns import RNSBridge

    bridge = RNSBridge()
    sent: list[bytes] = []
    timers: list[object] = []

    class FakeTimer:
        def __init__(self, delay, fn):
            self.delay = delay
            self.fn = fn
            self.daemon = False
            self.cancelled = False

        def start(self):
            timers.append(self)

        def cancel(self):
            self.cancelled = True

    settings = SimpleNamespace(
        MESH_PEER_PUSH_SECRET="peer-secret",
        MESH_RNS_MAX_PAYLOAD=8192,
        MESH_RNS_DANDELION_DELAY_MS=0,
        MESH_RNS_BATCH_MS=250,
    )
    monkeypatch.setattr(mesh_rns, "get_settings", lambda: settings)
    monkeypatch.setattr(mesh_rns.threading, "Timer", FakeTimer)
    monkeypatch.setattr(mesh_hashchain, "build_gate_wire_ref", lambda gate_id, event, peer_url="": "gate-ref-test")
    monkeypatch.setattr(bridge, "enabled", lambda: True)
    monkeypatch.setattr(bridge, "_is_high_privacy", lambda: True)
    monkeypatch.setattr(bridge, "_maybe_rotate_session", lambda: None)
    monkeypatch.setattr(bridge, "_seen", lambda _message_id: False)
    monkeypatch.setattr(bridge, "_make_message_id", lambda prefix: f"{prefix}:test")
    monkeypatch.setattr(bridge, "_local_hash", lambda: "abcd1234")
    monkeypatch.setattr(bridge, "_dandelion_hops", lambda: 0)
    monkeypatch.setattr(bridge, "_pick_stem_peer", lambda: None)
    monkeypatch.setattr(bridge, "_send_diffuse", lambda payload, exclude=None: sent.append(payload) or 1)

    event = {
        "event_id": "b" * 64,
        "event_type": "gate_message",
        "timestamp": 1710000000.0,
        "node_id": "!sb_sender",
        "sequence": 8,
        "signature": "c" * 128,
        "public_key": "pub",
        "public_key_algo": "ed25519",
        "protocol_version": "infonet/2",
        "payload": {
            "gate": "general-talk",
            "ciphertext": "mls-ciphertext",
            "nonce": "mls-nonce",
            "sender_ref": "sender-ref",
            "format": "mls1",
            "transport_lock": "private_strong",
        },
    }

    bridge.publish_gate_event("general-talk", event)

    assert sent == []
    assert len(timers) == 1
    assert timers[0].delay == 0.25
    timers[0].fn()

    assert len(sent) == 1
    wire = json.loads(sent[0].decode("utf-8"))
    assert wire["type"] == "gate_event"
    assert wire["meta"]["reply_to"] == "abcd1234"
    assert wire["body"]["event"]["payload"]["gate_ref"] == "gate-ref-test"