mesh(core): replay caches + override-resume + safety topic handlers (6/9 of #195 split)

[cagataycali]

Part 6 / 9 of the split of #195 — tracked by #219.

Drafted until PR-2 (#223), PR-3 (#224), PR-4 (#221), and PR-5 (#222) merge. CI on this branch in isolation is expected red — it imports from strands_robots.mesh.security (PR-2), strands_robots.mesh.audit.log_safety_event (PR-4), strands_robots.mesh.session.start (PR-3), and the new bridge contract (PR-5).

The integration centre

This is where everything else gets wired together. It carries ~50 of the 213 review threads on #195 — the largest slice. Recommend two reviewers.

What's in this PR

• strands_robots/mesh/core.py (+1,713/-33) — mesh lifecycle, RPC dispatch, replay caches with _evict_replay_cache helper (R23 PEP-695 generic over key type), override-code resume, safety topic handlers (_on_safety_estop / _on_safety_resume), wire-handler exception narrowing (R24-A 4-handler symmetry pin: AttributeError / UnicodeDecodeError / json.JSONDecodeError), per-peer source_zid HMAC binding (R25), _exec_cmd non-dict rejection (R24-B — bare string commands no longer auto-coerce to {action:execute, instruction:<str>, policy_provider:mock}).
• strands_robots/mesh/sensors.py (+32/-15) — SensorLoopsMixin cleanup, narrowed exception clauses.
• strands_robots/mesh/input.py (+2/-2) — minor signature fixes.
• strands_robots/mesh/__init__.py (+3/-3) — export surface tweak.

Reviewer focus

• Wire-handler exception narrowness symmetry (R24-A pin test enforces this across all 4 handlers).
• time.monotonic() for replay TTL (R19).
• Per-peer source_zid HMAC binding (R25 commit 7423be2 on the source PR — prevents replay-from-different-peer-zid).
• Resume HMAC clauses.
• _exec_cmd non-dict rejection (R24-B).

Carries review fixes from #195

R9, R13, R17, R19, R23, R24-A, R25-source-zid — see commit message for the full list.

Optional further split

If reviewers ask, I'll split into PR-6a (safety topics + replay caches) / PR-6b (override-resume + RPC). Both halves still ~800 LOC and call into each other, so a single PR is cleaner.

Tests

1,420 LOC across 12 files: every wire handler, every safety topic, replay-cache eviction (10 helper unit tests + 25 integration tests preserved), the 4-handler exception symmetry pin, source_zid binding (458-LOC test_safety_source_zid_binding.py), resume env validation (10 tests), resume replay (380 LOC).

Stacking note

Depends on PR-1 (#220), PR-2 (#223), PR-3 (#224), PR-4 (#221), PR-5 (#222). Will be marked Ready for Review once all four upstream PRs land. Until then the diff is reviewable but CI is red.

---

Landing order: PR-1 → PR-2/3/4/5 → PR-6 → PR-7 → PR-8 → PR-9. Full plan: PR_LIST.md. Tracking: #219.

[yinsong1986]

Summary

PR-6 of the #195 split — wires the mesh integration centre: replay caches, override-resume, safety topic handlers, narrowed wire-handler exception clauses, per-peer source_zid HMAC binding, and _exec_cmd non-dict rejection. ~1.7k LOC of production code in core.py plus ~1.4k LOC of tests across 12 files. Carries a substantial fraction of the upstream review-thread fixes.

The security model (mTLS + ACL + body-level HMAC + wire-level zid binding + freshness window + per-issuer fairness cap) is well-considered and the test surface is broader than I expected for a PR this size — most behavioural fixes have a dedicated regression test that fails on pre-fix code, matching AGENTS.md > Review Learnings (#85) > 'Pin regression tests for reviewed fixes'.

What's good

• Pin tests for every reviewed fix — test_estop_peer_id_replay.py, test_replay_cache_monotonic.py, test_resume_env_validation.py, test_wire_handler_narrow_except.py, test_safety_source_zid_binding.py. Each anchors a specific regression so a future refactor surfaces the bug here, not in production.
• Wire-handler exception narrowing is symmetric across all four handlers (_on_cmd, _on_response, _on_safety_estop, _on_safety_resume) and pinned by an explicit symmetry test. Matches AGENTS.md > Review Learnings (#86) > 'Exception Clauses Must Be Narrow'.
• Lazy env-var resolution with documented import-order rationale closes a real ergonomic footgun for operators tuning STRANDS_MESH_RESUME_*.
• _exec_cmd non-dict rejection with structured error envelope + command_rejected audit log + symmetric ValidationError treatment — well done.
• Defence-in-depth layering (cache key on t alone, per-issuer cap derived from cache contents, lockout-engagement gated by per-issuer cap) addresses the peer_id-permutation surface and the denial-of-estop surface from prior reviews.

Concerns

• Botched search/replace regression in docstrings/comments — confirmed in three files (__init__.py, input.py, tests/mesh/test_mesh_robustness.py). See inline. This is unrelated to the PR's stated scope and trivial to revert; it should not ride along.
• Stacking note — CI is expected red and the PR is drafted on PR-2/3/4/5. Reviewers verifying this in isolation cannot exercise the integration; the value of this review is bounded to the code-level findings and _security / audit API expectations.
• Optional split (PR-6a / PR-6b) — the diff is large enough that two reviewers + a single PR is reasonable, but if either reviewer asks for a split, the safety-topic handlers (_on_safety_estop / _on_safety_resume + replay caches) form a coherent unit that could land first; override-resume + RPC scoping is a second coherent unit.

Verification suggestions

Once the upstream stack lands and CI is green:

hatch run test tests/mesh/  # exercise the ~1.4k LOC of new tests
# Spot-check the security-sensitive ones that should fail on a pre-fix tree:
pytest tests/mesh/test_replay_cache_monotonic.py -v
pytest tests/mesh/test_estop_peer_id_replay.py -v
pytest tests/mesh/test_safety_source_zid_binding.py -v
pytest tests/mesh/test_wire_handler_narrow_except.py -v

For the corroboration-window concern (see inline) it would be worth adding an attacker-replay-vs-corroboration discrimination test before merge — pin the intended behaviour explicitly so a future tightening doesn't silently break the alert-severity model.

[yinsong1986]

Replay-vs-corroboration misclassification, security-sensitive.

A cache hit within 200ms of _last_estop_ts is unconditionally classified as estop_corroborated (severity info) instead of estop_replay_rejected (severity warning). An attacker who captures a legitimate estop envelope and replays it within 200ms of the original — or whose own envelope arrives first and engages the lockout, then a same-t replay arrives — gets the wrong forensic signal:

• Severity downgraded warning → info, hiding from any operator dashboard alerting on replay attempts.
• Attribution: payload={"issuer": issuer_id, ...} records the replay's body peer_id, which is attacker-chosen (the cache key is float(t) alone, which was the whole point of the peer_id-permutation defence). A malicious peer can wait 50ms after a legit estop, republish unchanged but with their own peer_id, and earn a "corroboration" attribution they did not provide.

The existing test test_estop_replay.py::test_distinct_issuers_same_t_audited_as_corroborated pins this as intended, but the test does not cover the attacker-replay-with-mutated-peer_id case, which is indistinguishable from corroboration with the current heuristic.

Suggested tightening: gate the corroboration branch on something the attacker can't synthesise — e.g. require body.source_zid (or wire-zid via _extract_sample_source_zid(sample)) to differ from the cached entry's issuer's session zid. If both envelopes carry the same wire zid, that's a same-session replay; if they differ, it's two distinct sessions = legitimate corroboration.

At minimum, please add a regression test that fires a same-t replay with a mutated peer_id from the same wire zid and asserts the audit signal is estop_replay_rejected, not estop_corroborated. Per AGENTS.md > Review Learnings (#85) > 'Pin regression tests for reviewed fixes'.

[yinsong1986]

Search/replace regression unrelated to PR scope. from .session (with the space) is the import-statement form; from.session is ungrammatical. Same pattern hit strands_robots/mesh/input.py:15-16 ({"motor.pos": float,...} vs {"motor.pos": float, ...}) and tests/mesh/test_mesh_robustness.py:235 (.mesh attribute lost its leading space). Looks like a regex sweep that stripped a single space adjacent to . and ,. Please revert these three drive-by edits — they are not part of PR-6 and they break the docstring/comment grammar.

[yinsong1986]

_evict_replay_cache shape contract drift. The helper takes dict[K, float] but _estop_replay_cache is dict[float, tuple[str, float]]. The current pattern (build a ts_view, evict on the view, set-difference back to the real cache) works, but it strips the issuer_id attribution before the helper sees it.

This means the helper's "single source of truth" claim in its docstring is overstated — any future eviction policy that needs issuer awareness (e.g. "evict over-cap issuers preferentially" or "weight TTL by issuer") cannot live in _evict_replay_cache; it would have to be re-implemented inline at the estop call site, exactly the duplication the helper was introduced to prevent.

Not blocking, but consider either (a) widening the helper to accept dict[K, V] + a value_to_ts: Callable[[V], float], so the estop cache passes its tuple values through directly, or (b) acknowledging in the docstring that the resume cache is the only direct user and the estop cache uses a view-shim by design.

[yinsong1986]

Constant-time-compare oracle defence still leaks len(expected).

hmac.compare_digest(a, b) is documented as constant-time only when len(a) == len(b). When the lengths differ, CPython returns False quickly via a length-mismatch shortcut. The compare_target = ... else b"\x00" * max(1, len(provided)) line tries to avoid the "compare didn't run" oracle, but when the operator HAS configured STRANDS_MESH_OVERRIDE_CODE, an attacker submitting probes of varying length still observes len(expected) == len(provided) vs len(expected) != len(provided) via response time.

The lockout-engaged and code-configured oracles are correctly closed; the length oracle is a residual but lower-severity concern. The docstring at L1673-1685 reads as if the timing oracle is fully closed — please soften it to acknowledge the residual length leak, or normalise both inputs to a fixed digest length first (e.g. hmac.new(some_key, value.encode(), 'sha256').digest() on both sides).

Reference: AGENTS.md > Review Learnings (#85) > 'Match docstrings to semantics'.

[yinsong1986]

SensorLoopsMixin.publish stub is correct but the rationale chain is fragile.

The NotImplementedError body is fine — it satisfies the CodeQL no-effect-statement check the comment references. But the contract "Mesh.publish shadows this stub via MRO" depends on every host class declaring class Mesh(SensorLoopsMixin) and also defining its own publish (which happens at core.py:2353). If a future refactor inserts another mixin between them that also implements publish but forwards differently, this stub becomes the wrong fallback.

Not blocking — a regression test pinning that Mesh.publish shadows the mixin (e.g. assert Mesh.publish is not SensorLoopsMixin.publish) would make the invariant explicit and surface a subclass authoring error at test time rather than runtime. Per AGENTS.md > Review Learnings (#85) > 'Pin regression tests for reviewed fixes'.

[cagataycali]

🎯 Pentest evidence for this PR (#225 — replay caches + safety topic handlers)

2026-05-26 pentest run cagataycali/robots-pentest@1731f62.

What this PR is achieving (positive control)

The replay caches + monotonic-t defences implemented here are the only reason the bridge-mode tests didn't see fleet-wide damage from forged safety envelopes. Three independent observations:

Observation	Status	Where
Replay of retained MQTT estop with 5-day-old timestamp	✅ BLOCKED with explicit freshness_window_s=60 log line	bridge boot logs
Forged estop envelope with missing peer_id field	✅ BLOCKED: refusing remote estop -- envelope missing/invalid peer_id	br03
Same (issuer_peer_id, t) published twice within window	✅ BLOCKED via the new replay cache (PR #225 line ~341 _estop_replay_cache)	inferred from log silence on second forwarder

F-27 / B-21 is captured as a positive-control finding to pin.

Edge cases worth a regression test in this PR

• _estop_replay_cache MUST evict per _resume_replay_cache_max() so a steady-state attacker can't fill the cache and exhaust memory. (PR mesh(core): replay caches + override-resume + safety topic handlers (6/9 of #195 split) #225 already has test_replay_cache_eviction.py and test_replay_cache_monotonic.py — verify both still green.)
• _publish_safety_envelope MUST attach the receiver's expected proof_nonce so a captured envelope can't replay even within the freshness window via tweaking unsigned fields. The pentest's br03 retained-message wasn't proof-nonce-bound in 2026-05-21's payload, so the freshness window caught it; pin a test that proves an in-window message with a never-seen proof_nonce is also rejected if HMAC isn't valid.

Finding NOT closed by this PR

• F-04 / B-01 — the rejection itself is silent in the audit log when STRANDS_MESH_AUDIT_PSK is unset. The defence-in-depth ask is to drop a safety_envelope_rejected audit record on every rejection path even without PSK — belongs in PR mesh(audit): tamper-evident audit log (HMAC + per-peer seq + rotation) (4/9 of #195 split) #221.

---

Mapping for all PRs: PLAN.md.