Files
Fredrik Johansson 3a105e2c9a fix: protocol compliance — DTLS binding, sha256 integrity, derived signaling ID
Go (transport.go, crypto.go):
- DeriveForNetwork: HKDF per-room Ed25519 identity to avoid anchor peer-ID collision
  when daemon holds multiple simultaneous pair-room connections (§ waste-go pattern)
- sendHello: sign prefix||local_fp||remote_fp per yaw/2 §6 DTLS fingerprint binding
- onControl hello: verify fingerprint binding + sig before setting verified=true
- FileOffer.SHA256: carry file hash in offer message per yaw/2 §9
- SendFile: sha256 before offer, sends file-done with hash after streaming
- wireFileRecv: pion Detach API + sha256 during recv + wait for file-done + verify
- pendingDones map: goroutine-safe channel for file-done routing
- signaling keepalive: ping with 10 s timeout, 3-min read deadline on anchor loop

PWA (flit.ts):
- dtlsFP/sha256hex helpers
- Split PeerConn.signalingId (routing) from .peerId (cryptoId, for crypto/hello)
- _sendHello: include DTLS fingerprints in signature per §6
- _onControl hello: verify fingerprint binding
- sendFile: async, sha256 before offer
- _stream: send file-done after DC close
- _wire: set dataComplete=true on DC close, defer emit until file-done arrives
- _onControl file-done: set expectedSHA256, conditionally call _finalizeRecv
- _finalizeRecv: concatenate bufs, verify sha256, create URL, emit fileRecv

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-02 18:44:48 +02:00
..

flit — PWA

React/TypeScript/Vite frontend. See the root README for the full project overview.

Development

npm install
npm run dev      # dev server at localhost:5173
npm run build    # output to dist/
npm run lint

public/config.js sets the anchor and TURN URLs at runtime and is excluded from production deploys (so the host copy isn't overwritten). The repo's default points at the live anchor — fine for local dev.

Deploy

See ../deploy-pwa.sh and ../serve-pwa.sh at the repo root.