provides: "Updated onCommandReady with signing before sendEvent"
key_links:
- from: "SseConnectionManager.onCommandReady"
to: "SsePayloadSigner.signPayload"
via: "Signs payload before SSE delivery"
pattern: "ssePayloadSigner\\.signPayload"
- from: "SsePayloadSigner"
to: "Ed25519SigningService.sign"
via: "Delegates signing to Ed25519 service"
pattern: "ed25519SigningService\\.sign"
---
<objective>
Add Ed25519 signature to all SSE command payloads (config-update, deep-trace, replay) before delivery. The signature is computed over the data JSON and included as a `signature` field in the event data, enabling agents to verify payload integrity using the server's public key.
Purpose: Ensures all pushed configuration and commands are integrity-protected, so agents can trust the payloads they receive.
Output: All SSE command events carry verifiable Ed25519 signatures.
boolean sent = sendEvent(agentId, command.id(), eventType, signedPayload);
```
- The `sendEvent` method already sends `data` as `MediaType.APPLICATION_JSON`. Since `signedPayload` is already a JSON string, the SseEmitter will serialize it. IMPORTANT: Since the payload is already a JSON string and SseEmitter will try to JSON-serialize it (wrapping in quotes), we need to send it as a pre-serialized value. Change `sendEvent` to use `.data(signedPayload)` without MediaType for signed payloads, OR parse it to a JsonNode/Map first so Jackson serializes it correctly. The cleanest approach: parse the signed JSON string into a `JsonNode` via `objectMapper.readTree(signedPayload)` and pass that as the data object -- Jackson will serialize the tree correctly.
3. Write `SsePayloadSignerTest` (unit test, no Spring context):
- Create a real `Ed25519SigningServiceImpl` and `ObjectMapper` for testing
- Test cases per behavior spec above
- Verify signature by using JDK `Signature.getInstance("Ed25519")` with the public key
- Register agent using bootstrap token (from application-test.yml)
- Extract `serverPublicKey` from registration response
- Get JWT from registration response
- Open SSE connection via `java.net.http.HttpClient` async API (same pattern as AgentSseControllerIT) with `?token=<jwt>`
- Use the agent command endpoint to push a config-update command to the agent
- Read the SSE event from the stream
- Parse the event data JSON, extract the `signature` field
- Reconstruct the unsigned payload (remove signature field, serialize)
- Verify signature using `Signature.getInstance("Ed25519")` with the public key decoded from Base64
- NOTE: This test depends on Plan 02's bootstrap token and JWT auth being in place. If Plan 03 executes before Plan 02, the test will need the TestSecurityHelper or a different auth approach. Since both are Wave 2 but independent, document this: "If Plan 02 is not yet complete, use TestSecurityHelper from Plan 01's temporary permit-all config."
