fix: enforce JWT secret, add connection pool, tighten auth window

gcmsg · claude · gcmsg · commit 581df54ef156 · 2026-03-15T15:07:46.000+08:00
- SRV-02: Reject startup when jwt_secret is empty and auth.required=true
- SRV-03: Configure DB connection pool (MaxOpenConns=25, MaxIdleConns=5,
  ConnMaxLifetime=30m) for both SQLite and PostgreSQL
- SRV-04: Reduce signaling auth frame replay window from 30s to 5s
- SRV-09: Increase Redis Pub/Sub buffer from 256 to 4096

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/cmd/peerclawd/main.go b/cmd/peerclawd/main.go
@@ -132,6 +132,10 @@ func main() {
 
 		jwtSecret := cfg.UserAuth.JWTSecret
 		if jwtSecret == "" {
+			if cfg.Auth.Required {
+				logger.Error("user_auth.jwt_secret must be set when auth.required=true")
+				os.Exit(1)
+			}
 			jwtSecret = "peerclaw-dev-secret-change-me"
 			logger.Warn("using default JWT secret — set user_auth.jwt_secret in config for production")
 		}
diff --git a/internal/registry/postgres.go b/internal/registry/postgres.go
@@ -28,6 +28,11 @@ func NewPostgresStore(dsn string) (*PostgresStore, error) {
 		_ = db.Close()
 		return nil, fmt.Errorf("ping postgres: %w", err)
 	}
+	// Configure connection pool for production workloads.
+	db.SetMaxOpenConns(25)
+	db.SetMaxIdleConns(5)
+	db.SetConnMaxLifetime(30 * time.Minute)
+
 	s := &PostgresStore{db: db}
 	if err := s.migrate(); err != nil {
 		_ = db.Close()
diff --git a/internal/registry/sqlite.go b/internal/registry/sqlite.go
@@ -30,6 +30,11 @@ func NewSQLiteStore(dsn string) (*SQLiteStore, error) {
 		_ = db.Close()
 		return nil, fmt.Errorf("set WAL mode: %w", err)
 	}
+	// Configure connection pool for production workloads.
+	db.SetMaxOpenConns(25)
+	db.SetMaxIdleConns(5)
+	db.SetConnMaxLifetime(30 * time.Minute)
+
 	s := &SQLiteStore{db: db}
 	if err := s.migrate(); err != nil {
 		_ = db.Close()
diff --git a/internal/signaling/redis_broker.go b/internal/signaling/redis_broker.go
@@ -67,7 +67,7 @@ func (b *RedisBroker) Subscribe(ctx context.Context) (<-chan signaling.SignalMes
 		return nil, fmt.Errorf("redis subscribe: %w", err)
 	}
 
-	ch := make(chan signaling.SignalMessage, 256)
+	ch := make(chan signaling.SignalMessage, 4096)
 	go func() {
 		defer close(ch)
 		defer pubsub.Close()
diff --git a/internal/signaling/ws.go b/internal/signaling/ws.go
@@ -295,9 +295,9 @@ func (h *Hub) authenticateConn(ctx context.Context, conn *websocket.Conn, expect
 		return "", fmt.Errorf("agent_id mismatch: query=%s, frame=%s", expectedAgentID, frame.AgentID)
 	}
 
-	// Verify timestamp is within 30 seconds to prevent replay.
+	// Verify timestamp is within 5 seconds to prevent replay.
 	now := time.Now().Unix()
-	if abs64(now-frame.Timestamp) > 30 {
+	if abs64(now-frame.Timestamp) > 5 {
 		return "", fmt.Errorf("auth frame timestamp too old")
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ func (b *RedisBroker) Subscribe(ctx context.Context) (<-chan signaling.SignalMes`
`67`	`67`	`return nil, fmt.Errorf("redis subscribe: %w", err)`
`68`	`68`	`}`
`69`	`69`
`70`		`- ch := make(chan signaling.SignalMessage, 256)`
	`70`	`+ ch := make(chan signaling.SignalMessage, 4096)`
`71`	`71`	`go func() {`
`72`	`72`	`defer close(ch)`
`73`	`73`	`defer pubsub.Close()`
Original file line number	Diff line number	Diff line change
`@@ -295,9 +295,9 @@ func (h Hub) authenticateConn(ctx context.Context, conn websocket.Conn, expect`
`295`	`295`	`return "", fmt.Errorf("agent_id mismatch: query=%s, frame=%s", expectedAgentID, frame.AgentID)`
`296`	`296`	`}`
`297`	`297`
`298`		`- // Verify timestamp is within 30 seconds to prevent replay.`
	`298`	`+ // Verify timestamp is within 5 seconds to prevent replay.`
`299`	`299`	`now := time.Now().Unix()`
`300`		`- if abs64(now-frame.Timestamp) > 30 {`
	`300`	`+ if abs64(now-frame.Timestamp) > 5 {`
`301`	`301`	`return "", fmt.Errorf("auth frame timestamp too old")`
`302`	`302`	`}`
`303`	`303`