fix: tidy deps after dappco.re migration

Co-Authored-By: Virgil <virgil@lethean.io>

docs/architecture.md

@@ -98,7 +98,7 @@ The `Transport` manages a WebSocket server (gorilla/websocket) and outbound conn
 | Timeout | −3.0 (floored at 0) |
 | Default (new peer) | 50.0 |
 
-**Peer name validation**: Names must be 1–64 characters, start and end with an alphanumeric character, and contain only alphanumeric, hyphen, underscore, or space characters.
+**Peer name validation**: Empty names are permitted. Non-empty names must be 1–64 characters, start and end with an alphanumeric character, and contain only alphanumeric, hyphen, underscore, or space characters.
 
 ### message.go — Protocol Messages
 

node/controller.go

@@ -210,6 +210,11 @@ func (c *Controller) StopRemoteMiner(peerID, minerName string) error {
 
 // GetRemoteLogs requests console logs from a remote miner.
 func (c *Controller) GetRemoteLogs(peerID, minerName string, lines int) ([]string, error) {
+	return c.GetRemoteLogsSince(peerID, minerName, lines, time.Time{})
+}
+
+// GetRemoteLogsSince requests console logs from a remote miner after a point in time.
+func (c *Controller) GetRemoteLogsSince(peerID, minerName string, lines int, since time.Time) ([]string, error) {
 	identity := c.node.GetIdentity()
 	if identity == nil {
 		return nil, ErrIdentityNotInitialized
@@ -219,10 +224,13 @@ func (c *Controller) GetRemoteLogs(peerID, minerName string, lines int) ([]strin
 		MinerName: minerName,
 		Lines:     lines,
 	}
+	if !since.IsZero() {
+		payload.Since = since.UnixMilli()
+	}
 
 	msg, err := NewMessage(MsgGetLogs, identity.ID, peerID, payload)
 	if err != nil {
-		return nil, coreerr.E("Controller.GetRemoteLogs", "failed to create message", err)
+		return nil, coreerr.E("Controller.GetRemoteLogsSince", "failed to create message", err)
 	}
 
 	resp, err := c.sendRequest(peerID, msg, 10*time.Second)

node/controller_test.go

@@ -7,6 +7,7 @@ import (
 	"net/http/httptest"
 	"net/url"
 	"path/filepath"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"testing"
@@ -514,6 +515,40 @@ type mockMinerFull struct {
 func (m *mockMinerFull) GetName() string        { return m.name }
 func (m *mockMinerFull) GetType() string        { return m.minerType }
 func (m *mockMinerFull) GetStats() (any, error) { return m.stats, nil }
+func (m *mockMinerFull) GetConsoleHistorySince(lines int, since time.Time) []string {
+	if since.IsZero() {
+		if lines >= len(m.consoleHistory) {
+			return m.consoleHistory
+		}
+		return m.consoleHistory[:lines]
+	}
+
+	filtered := make([]string, 0, len(m.consoleHistory))
+	for _, line := range m.consoleHistory {
+		if lineAfter(line, since) {
+			filtered = append(filtered, line)
+		}
+	}
+	if lines >= len(filtered) {
+		return filtered
+	}
+	return filtered[:lines]
+}
+
+func lineAfter(line string, since time.Time) bool {
+	start := strings.IndexByte(line, '[')
+	end := strings.IndexByte(line, ']')
+	if start != 0 || end <= start+1 {
+		return true
+	}
+
+	ts, err := time.Parse("2006-01-02 15:04:05", line[start+1:end])
+	if err != nil {
+		return true
+	}
+	return ts.After(since) || ts.Equal(since)
+}
+
 func (m *mockMinerFull) GetConsoleHistory(lines int) []string {
 	if lines >= len(m.consoleHistory) {
 		return m.consoleHistory
@@ -616,6 +651,20 @@ func TestController_GetRemoteLogs_LimitedLines(t *testing.T) {
 	assert.Len(t, lines, 1, "should return only 1 line")
 }
 
+func TestController_GetRemoteLogsSince(t *testing.T) {
+	controller, _, tp := setupControllerPairWithMiner(t)
+	serverID := tp.ServerNode.GetIdentity().ID
+
+	since, err := time.Parse("2006-01-02 15:04:05", "2026-02-20 10:00:01")
+	require.NoError(t, err)
+
+	lines, err := controller.GetRemoteLogsSince(serverID, "running-miner", 10, since)
+	require.NoError(t, err, "GetRemoteLogsSince should succeed")
+	require.Len(t, lines, 2, "should return only log lines on or after the requested timestamp")
+	assert.Contains(t, lines[0], "connected to pool")
+	assert.Contains(t, lines[1], "new job received")
+}
+
 func TestController_GetRemoteLogs_NoIdentity(t *testing.T) {
 	tp := setupTestTransportPair(t)
 	nmNoID, err := NewNodeManagerWithPaths(

node/identity.go

@@ -8,6 +8,7 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
+	"os"
 	"path/filepath"
 	"sync"
 	"time"
@@ -108,6 +109,48 @@ func NewNodeManagerWithPaths(keyPath, configPath string) (*NodeManager, error) {
 	return nm, nil
 }
 
+// LoadOrCreateIdentity loads the node identity from the default XDG paths or
+// generates a new dual-role identity when none exists yet.
+func LoadOrCreateIdentity() (*NodeManager, error) {
+	keyPath, err := xdg.DataFile("lethean-desktop/node/private.key")
+	if err != nil {
+		return nil, coreerr.E("LoadOrCreateIdentity", "failed to get key path", err)
+	}
+
+	configPath, err := xdg.ConfigFile("lethean-desktop/node.json")
+	if err != nil {
+		return nil, coreerr.E("LoadOrCreateIdentity", "failed to get config path", err)
+	}
+
+	return LoadOrCreateIdentityWithPaths(keyPath, configPath)
+}
+
+// LoadOrCreateIdentityWithPaths loads an existing identity from the supplied
+// paths or creates a new dual-role identity if no persisted identity exists.
+// The generated identity name falls back to the host name, then a stable
+// project-specific default if the host name cannot be determined.
+func LoadOrCreateIdentityWithPaths(keyPath, configPath string) (*NodeManager, error) {
+	nm, err := NewNodeManagerWithPaths(keyPath, configPath)
+	if err != nil {
+		return nil, err
+	}
+
+	if nm.HasIdentity() {
+		return nm, nil
+	}
+
+	name, err := os.Hostname()
+	if err != nil || name == "" {
+		name = "lethean-node"
+	}
+
+	if err := nm.GenerateIdentity(name, RoleDual); err != nil {
+		return nil, coreerr.E("LoadOrCreateIdentityWithPaths", "failed to generate identity", err)
+	}
+
+	return nm, nil
+}
+
 // HasIdentity returns true if a node identity has been initialized.
 func (n *NodeManager) HasIdentity() bool {
 	n.mu.RLock()
@@ -208,10 +251,13 @@ func (n *NodeManager) savePrivateKey() error {
 		return coreerr.E("NodeManager.savePrivateKey", "failed to create key directory", err)
 	}
 
-	// Write private key
+	// Write private key and then tighten permissions explicitly.
 	if err := coreio.Local.Write(n.keyPath, string(n.privateKey)); err != nil {
 		return coreerr.E("NodeManager.savePrivateKey", "failed to write private key", err)
 	}
+	if err := os.Chmod(n.keyPath, 0600); err != nil {
+		return coreerr.E("NodeManager.savePrivateKey", "failed to set private key permissions", err)
+	}
 
 	return nil
 }

node/identity_test.go

@@ -74,6 +74,25 @@ func TestNodeIdentity(t *testing.T) {
 		}
 	})
 
+	t.Run("PrivateKeyPermissions", func(t *testing.T) {
+		nm, cleanup := setupTestNodeManager(t)
+		defer cleanup()
+
+		err := nm.GenerateIdentity("permission-test", RoleDual)
+		if err != nil {
+			t.Fatalf("failed to generate identity: %v", err)
+		}
+
+		info, err := os.Stat(nm.keyPath)
+		if err != nil {
+			t.Fatalf("failed to stat private key: %v", err)
+		}
+
+		if got := info.Mode().Perm(); got != 0600 {
+			t.Fatalf("expected private key permissions 0600, got %04o", got)
+		}
+	})
+
 	t.Run("LoadExistingIdentity", func(t *testing.T) {
 		tmpDir, err := os.MkdirTemp("", "node-load-test")
 		if err != nil {
@@ -196,6 +215,47 @@ func TestNodeIdentity(t *testing.T) {
 			t.Error("should not have identity after delete")
 		}
 	})
+
+	t.Run("LoadOrCreateIdentityWithPaths", func(t *testing.T) {
+		tmpDir, err := os.MkdirTemp("", "node-load-or-create-test")
+		if err != nil {
+			t.Fatalf("failed to create temp dir: %v", err)
+		}
+		defer os.RemoveAll(tmpDir)
+
+		keyPath := filepath.Join(tmpDir, "private.key")
+		configPath := filepath.Join(tmpDir, "node.json")
+
+		nm, err := LoadOrCreateIdentityWithPaths(keyPath, configPath)
+		if err != nil {
+			t.Fatalf("failed to load or create identity: %v", err)
+		}
+
+		if !nm.HasIdentity() {
+			t.Fatal("expected identity to be initialised")
+		}
+
+		identity := nm.GetIdentity()
+		if identity == nil {
+			t.Fatal("identity should not be nil")
+		}
+
+		if identity.Name == "" {
+			t.Error("identity name should be populated")
+		}
+
+		if identity.Role != RoleDual {
+			t.Errorf("expected default role dual, got %s", identity.Role)
+		}
+
+		if _, err := os.Stat(keyPath); err != nil {
+			t.Fatalf("expected private key to be persisted: %v", err)
+		}
+
+		if _, err := os.Stat(configPath); err != nil {
+			t.Fatalf("expected identity config to be persisted: %v", err)
+		}
+	})
 }
 
 func TestNodeRoles(t *testing.T) {

node/peer.go

@@ -51,9 +51,8 @@ const (
 	PeerAuthAllowlist
 )
 
-// Peer name validation constants
+// Peer name validation constants.
 const (
-	PeerNameMinLength = 1
 	PeerNameMaxLength = 64
 )
 
@@ -72,14 +71,12 @@ func safeKeyPrefix(key string) string {
 }
 
 // validatePeerName checks if a peer name is valid.
-// Peer names must be 1-64 characters, start and end with alphanumeric,
-// and contain only alphanumeric, hyphens, underscores, and spaces.
+// Empty names are permitted. Non-empty names must be 1-64 characters,
+// start and end with alphanumeric, and contain only alphanumeric,
+// hyphens, underscores, and spaces.
 func validatePeerName(name string) error {
 	if name == "" {
-		return nil // Empty names are allowed (optional field)
-	}
-	if len(name) < PeerNameMinLength {
-		return coreerr.E("validatePeerName", "peer name too short", nil)
+		return nil
 	}
 	if len(name) > PeerNameMaxLength {
 		return coreerr.E("validatePeerName", "peer name too long", nil)
@@ -101,6 +98,7 @@ type PeerRegistry struct {
 	authMode           PeerAuthMode    // How to handle unknown peers
 	allowedPublicKeys  map[string]bool // Allowlist of public keys (when authMode is Allowlist)
 	allowedPublicKeyMu sync.RWMutex    // Protects allowedPublicKeys
+	allowlistPath      string          // Sidecar file for persisted allowlist keys
 
 	// Debounce disk writes
 	dirty        bool          // Whether there are unsaved changes
@@ -135,6 +133,7 @@ func NewPeerRegistryWithPath(peersPath string) (*PeerRegistry, error) {
 	pr := &PeerRegistry{
 		peers:             make(map[string]*Peer),
 		path:              peersPath,
+		allowlistPath:     peersPath + ".allowlist.json",
 		stopChan:          make(chan struct{}),
 		authMode:          PeerAuthOpen, // Default to open for backward compatibility
 		allowedPublicKeys: make(map[string]bool),
@@ -144,7 +143,12 @@ func NewPeerRegistryWithPath(peersPath string) (*PeerRegistry, error) {
 	if err := pr.load(); err != nil {
 		// No existing peers, that's ok
 		pr.rebuildKDTree()
-		return pr, nil
+	}
+
+	// Load any persisted allowlist entries. This is best effort so that a
+	// missing or corrupt sidecar does not block peer registry startup.
+	if err := pr.loadAllowedPublicKeys(); err != nil {
+		logging.Warn("failed to load peer allowlist", logging.Fields{"error": err})
 	}
 
 	pr.rebuildKDTree()
@@ -169,17 +173,25 @@ func (r *PeerRegistry) GetAuthMode() PeerAuthMode {
 // AllowPublicKey adds a public key to the allowlist.
 func (r *PeerRegistry) AllowPublicKey(publicKey string) {
 	r.allowedPublicKeyMu.Lock()
-	defer r.allowedPublicKeyMu.Unlock()
 	r.allowedPublicKeys[publicKey] = true
+	r.allowedPublicKeyMu.Unlock()
 	logging.Debug("public key added to allowlist", logging.Fields{"key": safeKeyPrefix(publicKey)})
+
+	if err := r.saveAllowedPublicKeys(); err != nil {
+		logging.Warn("failed to persist peer allowlist", logging.Fields{"error": err})
+	}
 }
 
 // RevokePublicKey removes a public key from the allowlist.
 func (r *PeerRegistry) RevokePublicKey(publicKey string) {
 	r.allowedPublicKeyMu.Lock()
-	defer r.allowedPublicKeyMu.Unlock()
 	delete(r.allowedPublicKeys, publicKey)
+	r.allowedPublicKeyMu.Unlock()
 	logging.Debug("public key removed from allowlist", logging.Fields{"key": safeKeyPrefix(publicKey)})
+
+	if err := r.saveAllowedPublicKeys(); err != nil {
+		logging.Warn("failed to persist peer allowlist", logging.Fields{"error": err})
+	}
 }
 
 // IsPublicKeyAllowed checks if a public key is in the allowlist.
@@ -708,6 +720,72 @@ func (r *PeerRegistry) Close() error {
 	return nil
 }
 
+// saveAllowedPublicKeys persists the allowlist to disk immediately.
+// It keeps the allowlist in a separate sidecar file so peer persistence remains
+// backwards compatible with the existing peers.json array format.
+func (r *PeerRegistry) saveAllowedPublicKeys() error {
+	r.allowedPublicKeyMu.RLock()
+	keys := make([]string, 0, len(r.allowedPublicKeys))
+	for key := range r.allowedPublicKeys {
+		keys = append(keys, key)
+	}
+	r.allowedPublicKeyMu.RUnlock()
+
+	slices.Sort(keys)
+
+	dir := filepath.Dir(r.allowlistPath)
+	if err := coreio.Local.EnsureDir(dir); err != nil {
+		return coreerr.E("PeerRegistry.saveAllowedPublicKeys", "failed to create allowlist directory", err)
+	}
+
+	data, err := json.MarshalIndent(keys, "", "  ")
+	if err != nil {
+		return coreerr.E("PeerRegistry.saveAllowedPublicKeys", "failed to marshal allowlist", err)
+	}
+
+	tmpPath := r.allowlistPath + ".tmp"
+	if err := coreio.Local.Write(tmpPath, string(data)); err != nil {
+		return coreerr.E("PeerRegistry.saveAllowedPublicKeys", "failed to write allowlist temp file", err)
+	}
+
+	if err := coreio.Local.Rename(tmpPath, r.allowlistPath); err != nil {
+		coreio.Local.Delete(tmpPath)
+		return coreerr.E("PeerRegistry.saveAllowedPublicKeys", "failed to rename allowlist file", err)
+	}
+
+	return nil
+}
+
+// loadAllowedPublicKeys loads the allowlist from disk.
+func (r *PeerRegistry) loadAllowedPublicKeys() error {
+	if !coreio.Local.Exists(r.allowlistPath) {
+		return nil
+	}
+
+	content, err := coreio.Local.Read(r.allowlistPath)
+	if err != nil {
+		return coreerr.E("PeerRegistry.loadAllowedPublicKeys", "failed to read allowlist", err)
+	}
+
+	var keys []string
+	if err := json.Unmarshal([]byte(content), &keys); err != nil {
+		return coreerr.E("PeerRegistry.loadAllowedPublicKeys", "failed to unmarshal allowlist", err)
+	}
+
+	r.allowedPublicKeyMu.Lock()
+	defer r.allowedPublicKeyMu.Unlock()
+
+	r.allowedPublicKeys = make(map[string]bool, len(keys))
+	for _, key := range keys {
+		if key == "" {
+			continue
+		}
+		r.allowedPublicKeys[key] = true
+	}
+
+	return nil
+}
+
 // save is a helper that schedules a debounced save.
 // Kept for backward compatibility but now debounces writes.
 // Must NOT be called with r.mu held.

node/peer_test.go

@@ -389,6 +389,39 @@ func TestPeerRegistry_Persistence(t *testing.T) {
 	}
 }
 
+func TestPeerRegistry_AllowlistPersistence(t *testing.T) {
+	tmpDir, _ := os.MkdirTemp("", "allowlist-persist-test")
+	defer os.RemoveAll(tmpDir)
+
+	peersPath := filepath.Join(tmpDir, "peers.json")
+
+	pr1, err := NewPeerRegistryWithPath(peersPath)
+	if err != nil {
+		t.Fatalf("failed to create first registry: %v", err)
+	}
+
+	key := "allowlist-key-1234567890"
+	pr1.AllowPublicKey(key)
+
+	if err := pr1.Close(); err != nil {
+		t.Fatalf("failed to close first registry: %v", err)
+	}
+
+	pr2, err := NewPeerRegistryWithPath(peersPath)
+	if err != nil {
+		t.Fatalf("failed to create second registry: %v", err)
+	}
+
+	if !pr2.IsPublicKeyAllowed(key) {
+		t.Fatal("expected allowlisted key to survive reload")
+	}
+
+	keys := pr2.ListAllowedPublicKeys()
+	if !slices.Contains(keys, key) {
+		t.Fatalf("expected allowlisted key to be listed after reload, got %v", keys)
+	}
+}
+
 // --- Security Feature Tests ---
 
 func TestPeerRegistry_AuthMode(t *testing.T) {

node/transport.go

@@ -76,10 +76,20 @@ func NewMessageDeduplicator(ttl time.Duration) *MessageDeduplicator {
 
 // IsDuplicate checks if a message ID has been seen recently
 func (d *MessageDeduplicator) IsDuplicate(msgID string) bool {
-	d.mu.RLock()
-	_, exists := d.seen[msgID]
-	d.mu.RUnlock()
-	return exists
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	seenAt, exists := d.seen[msgID]
+	if !exists {
+		return false
+	}
+
+	if d.ttl > 0 && time.Since(seenAt) > d.ttl {
+		delete(d.seen, msgID)
+		return false
+	}
+
+	return true
 }
 
 // Mark records a message ID as seen

node/transport_test.go

@@ -159,6 +159,17 @@ func TestMessageDeduplicator(t *testing.T) {
 		}
 	})
 
+	t.Run("ExpiredEntriesAreNotDuplicates", func(t *testing.T) {
+		d := NewMessageDeduplicator(25 * time.Millisecond)
+		d.Mark("msg-expired")
+
+		time.Sleep(40 * time.Millisecond)
+
+		if d.IsDuplicate("msg-expired") {
+			t.Error("expired message should not remain a duplicate")
+		}
+	})
+
 	t.Run("ConcurrentAccess", func(t *testing.T) {
 		d := NewMessageDeduplicator(5 * time.Minute)
 		var wg sync.WaitGroup

node/worker.go

@@ -26,7 +26,7 @@ type MinerInstance interface {
 	GetName() string
 	GetType() string
 	GetStats() (any, error)
-	GetConsoleHistory(lines int) []string
+	GetConsoleHistorySince(lines int, since time.Time) []string
 }
 
 // ProfileManager interface for profile operations.
@@ -55,7 +55,6 @@ func NewWorker(node *NodeManager, transport *Transport) *Worker {
 	}
 }
 
-
 // SetMinerManager sets the miner manager for handling miner operations.
 func (w *Worker) SetMinerManager(manager MinerManager) {
 	w.minerManager = manager
@@ -286,7 +285,12 @@ func (w *Worker) handleGetLogs(msg *Message) (*Message, error) {
 		return nil, coreerr.E("Worker.handleGetLogs", "miner not found: "+payload.MinerName, nil)
 	}
 
-	lines := miner.GetConsoleHistory(payload.Lines)
+	var since time.Time
+	if payload.Since > 0 {
+		since = time.UnixMilli(payload.Since)
+	}
+
+	lines := miner.GetConsoleHistorySince(payload.Lines, since)
 
 	logs := LogsPayload{
 		MinerName: payload.MinerName,

node/worker_test.go

@@ -550,10 +550,14 @@ type mockMinerInstance struct {
 	stats     any
 }
 
-func (m *mockMinerInstance) GetName() string                      { return m.name }
-func (m *mockMinerInstance) GetType() string                      { return m.minerType }
-func (m *mockMinerInstance) GetStats() (any, error)               { return m.stats, nil }
-func (m *mockMinerInstance) GetConsoleHistory(lines int) []string { return []string{} }
+func (m *mockMinerInstance) GetName() string { return m.name }
+func (m *mockMinerInstance) GetType() string { return m.minerType }
+func (m *mockMinerInstance) GetStats() (any, error) {
+	return m.stats, nil
+}
+func (m *mockMinerInstance) GetConsoleHistorySince(lines int, since time.Time) []string {
+	return []string{}
+}
 
 type mockProfileManager struct{}