fix: final review

Alex Godoroja · Alex Godoroja · commit 3ac09cbe7b62 · 2026-03-08T20:23:02.000+02:00
diff --git a/README.md b/README.md
@@ -470,9 +470,25 @@ with Driver() as d:
         "other-agent"
     )
     
-    # Send a message
-    with d.dial("other-agent:1000") as conn:
-        conn.write(b"hello")
+    # Send a file
+    d.send_file("other-agent",
+                "./data.json")
+    
+    # Send typed message
+    d.send_message("other-agent",
+        b'{"status":"ready"}',
+        msg_type="json")
+    
+    # Subscribe to events
+    for topic, data in d.subscribe_event(
+        "other-agent", "status", 
+        timeout=30
+    ):
+        print(f"{topic}: {data}")
+    
+    # Publish an event
+    d.publish_event("other-agent", 
+        "status", b"online")
     
     # Handshake & trust
     d.handshake(peer_id, "hello")
diff --git a/cmd/pilotctl/main.go b/cmd/pilotctl/main.go
@@ -1028,7 +1028,7 @@ func cmdDaemonStart(args []string) {
 	encrypt := !flagBool(flags, "no-encrypt")
 	identityPath := flagString(flags, "identity", "")
 	if identityPath == "" {
-		identityPath = configDir() + "/identity.key"
+		identityPath = configDir() + "/identity.json"
 	}
 	owner := flagString(flags, "owner", "")
 	configFile := flagString(flags, "config", "")
diff --git a/configs/daemon.json b/configs/daemon.json
@@ -4,7 +4,7 @@
   "listen": ":4000",
   "socket": "/tmp/pilot.sock",
   "encrypt": true,
-  "identity": "/var/lib/pilot/identity.key",
+  "identity": "/var/lib/pilot/identity.json",
   "owner": "",
   "log-level": "info",
   "log-format": "text"
diff --git a/examples/go/config/daemon.json b/examples/go/config/daemon.json
@@ -5,7 +5,7 @@
   "socket": "/tmp/pilot.sock",
   "encrypt": true,
   "registry-tls": false,
-  "identity": "/var/lib/pilot/identity.key",
+  "identity": "/var/lib/pilot/identity.json",
   "owner": "",
   "keepalive": "30s",
   "idle-timeout": "120s",
diff --git a/pkg/registry/dashboard.go b/pkg/registry/dashboard.go
@@ -121,11 +121,17 @@ func (s *Server) ServeDashboard(addr string) error {
 
 	// Snapshot trigger endpoint (POST only, localhost only)
 	mux.HandleFunc("/api/snapshot", func(w http.ResponseWriter, r *http.Request) {
-		// Check localhost
-		clientIP := r.Header.Get("X-Real-IP")
-		if clientIP == "" {
-			clientIP, _, _ = net.SplitHostPort(r.RemoteAddr)
+		// Check localhost - only trust X-Real-IP if request is from a trusted proxy
+		remoteIP, _, _ := net.SplitHostPort(r.RemoteAddr)
+		clientIP := remoteIP
+
+		// Only trust X-Real-IP header if the request is already from localhost (trusted proxy)
+		if remoteIP == "127.0.0.1" || remoteIP == "::1" || remoteIP == "localhost" {
+			if realIP := r.Header.Get("X-Real-IP"); realIP != "" {
+				clientIP = realIP
+			}
 		}
+
 		if clientIP != "127.0.0.1" && clientIP != "::1" && clientIP != "localhost" {
 			http.Error(w, "Forbidden", http.StatusForbidden)
 			return
@@ -146,14 +152,20 @@ func (s *Server) ServeDashboard(addr string) error {
 	})
 
 	// localhostOnly rejects requests not originating from loopback.
-	// Checks X-Real-IP / X-Forwarded-For (set by nginx) to detect proxied public requests.
+	// Only trusts X-Real-IP header when the request is from a trusted proxy (localhost).
 	localhostOnly := func(next http.HandlerFunc) http.HandlerFunc {
 		return func(w http.ResponseWriter, r *http.Request) {
-			// If behind a reverse proxy, the real client IP is in X-Real-IP
-			clientIP := r.Header.Get("X-Real-IP")
-			if clientIP == "" {
-				clientIP, _, _ = net.SplitHostPort(r.RemoteAddr)
+			// Get the actual remote address
+			remoteIP, _, _ := net.SplitHostPort(r.RemoteAddr)
+			clientIP := remoteIP
+
+			// Only trust X-Real-IP header if the request is already from localhost (trusted proxy)
+			if remoteIP == "127.0.0.1" || remoteIP == "::1" || remoteIP == "localhost" {
+				if realIP := r.Header.Get("X-Real-IP"); realIP != "" {
+					clientIP = realIP
+				}
 			}
+
 			if clientIP != "127.0.0.1" && clientIP != "::1" && clientIP != "localhost" {
 				http.Error(w, "Forbidden", http.StatusForbidden)
 				return
diff --git a/pkg/registry/server.go b/pkg/registry/server.go
@@ -2086,8 +2086,7 @@ func (s *Server) TriggerSnapshot() error {
 	if s.storePath == "" {
 		return nil // no persistence configured
 	}
-	s.flushSave()
-	return nil
+	return s.flushSave()
 }
 
 // snapshot is the JSON-serializable registry state.
@@ -2157,7 +2156,9 @@ func (s *Server) saveLoop() {
 			dirty = true
 		case <-ticker.C:
 			if dirty {
-				s.flushSave()
+				if err := s.flushSave(); err != nil {
+					slog.Error("periodic save failed", "err", err)
+				}
 				dirty = false
 			}
 		case <-s.done:
@@ -2168,15 +2169,17 @@ func (s *Server) saveLoop() {
 			default:
 			}
 			if dirty {
-				s.flushSave()
+				if err := s.flushSave(); err != nil {
+					slog.Error("final save failed", "err", err)
+				}
 			}
 			return
 		}
 	}
 }
 
 // flushSave serializes the full registry state and writes it to disk.
-func (s *Server) flushSave() {
+func (s *Server) flushSave() error {
 	s.mu.RLock()
 	snap := snapshot{
 		NextNode: s.nextNode,
@@ -2272,20 +2275,22 @@ func (s *Server) flushSave() {
 	data, err := json.Marshal(snap)
 	if err != nil {
 		slog.Error("registry save marshal error", "err", err)
-		return
+		return fmt.Errorf("marshal snapshot: %w", err)
 	}
 
 	// Persist to disk atomically
 	if s.storePath != "" {
 		if err := fsutil.AtomicWrite(s.storePath, data); err != nil {
 			slog.Error("registry save error", "err", err)
+			return fmt.Errorf("write snapshot: %w", err)
 		}
 	}
 
 	// Push to replication subscribers
 	s.replMgr.push(data)
 
 	slog.Debug("registry state saved", "nodes", nodeCount, "networks", netCount)
+	return nil
 }
 
 // load reads the registry state from disk.
diff --git a/sdk/cgo/bindings.go b/sdk/cgo/bindings.go
@@ -20,7 +20,7 @@ import (
 // Keeps Go heap objects alive while C/Python holds a uint64 token.
 
 var handles struct {
-	sync.Mutex
+	sync.RWMutex
 	m    map[uint64]interface{}
 	next uint64
 }
@@ -40,9 +40,9 @@ func storeHandle(v interface{}) uint64 {
 }
 
 func loadHandle(id uint64) (interface{}, bool) {
-	handles.Lock()
+	handles.RLock()
 	v, ok := handles.m[id]
-	handles.Unlock()
+	handles.RUnlock()
 	return v, ok
 }
 
diff --git a/sdk/python/README.md b/sdk/python/README.md
@@ -192,6 +192,48 @@ dg = d.recv_from()
 # Returns: {"src_addr": "...", "src_port": 8080, "dst_port": 9090, "data": ...}
 ```
 
+### Data Exchange Service (Port 1001)
+
+```python
+# Send a message (text, JSON, or binary)
+result = d.send_message("other-agent", b"hello", msg_type="text")
+# Returns: {"sent": 5, "type": "text", "target": "0:0001.0000.0002", "ack": "..."}
+
+# Send a file
+result = d.send_file("other-agent", "/path/to/file.txt")
+# Returns: {"sent": 1234, "filename": "file.txt", "target": "0:0001.0000.0002", "ack": "..."}
+```
+
+### Event Stream Service (Port 1002)
+
+```python
+# Publish an event
+result = d.publish_event("other-agent", "sensor/temperature", b'{"temp": 25.5}')
+# Returns: {"status": "published", "topic": "sensor/temperature", "bytes": 15}
+
+# Subscribe to events (generator)
+for topic, data in d.subscribe_event("other-agent", "sensor/*", timeout=30):
+    print(f"{topic}: {data}")
+
+# Subscribe with callback
+def handle_event(topic, data):
+    print(f"Event: {topic} -> {data}")
+
+d.subscribe_event("other-agent", "*", callback=handle_event, timeout=30)
+```
+
+### Task Submit Service (Port 1003)
+
+```python
+# Submit a task for execution
+task = {
+    "task_description": "process data",
+    "parameters": {"input": "data.csv"}
+}
+result = d.submit_task("other-agent", task)
+# Returns: {"status": 200, "task_id": "...", "message": "Task accepted"}
+```
+
 ### Configuration
 
 ```python
@@ -242,20 +284,7 @@ cd sdk/python
 python -m pytest tests/ -v
 ```
 
-47 tests cover all wrapper methods, error handling, and library discovery.
-
-## Development
-
-```bash
-# Build shared library
-make sdk-lib
-
-# Install SDK in development mode
-cd sdk/python && pip install -e .
-
-# Run tests
-pytest tests/ -v
-```
+61 tests cover all wrapper methods, error handling, and library discovery.
 
 ## Development
 
diff --git a/sdk/python/scripts/generate-coverage-badge.sh b/sdk/python/scripts/generate-coverage-badge.sh
@@ -13,7 +13,7 @@ if [ ! -f coverage.json ]; then
 fi
 
 # Extract coverage percentage
-coverage=$(/Users/alexgodo/web4/pilotprotocol/.venv/bin/python -c "import json; data=json.load(open('coverage.json')); print(int(data['totals']['percent_covered']))")
+coverage=$(python3 -c "import json; data=json.load(open('coverage.json')); print(int(data['totals']['percent_covered']))")
 
 echo "Coverage: ${coverage}%"
 
diff --git a/tests/integration/test_cli.sh b/tests/integration/test_cli.sh
@@ -72,7 +72,7 @@ LOG_LEVEL="${PILOT_LOG_LEVEL:-info}"
 
 pilot-daemon \
     --hostname "$TEST_HOSTNAME" \
-    --identity /root/.pilot/identity.key \
+    --identity /root/.pilot/identity.json \
     --log-level "$LOG_LEVEL" > "$DAEMON_LOG" 2>&1 &
 DAEMON_PID=$!
 
diff --git a/web/docs/concepts.html b/web/docs/concepts.html
@@ -118,7 +118,7 @@ <h2 id="encryption">Encryption</h2>
     <li><strong>Random nonce prefix</strong> — each secure connection uses a unique nonce prefix to prevent replay</li>
   </ul>
 
-  <p>Every node has a persistent <strong>Ed25519 identity keypair</strong> stored at <code>~/.pilot/identity.key</code>. The public key is registered with the registry and used for trust handshake signing.</p>
+  <p>Every node has a persistent <strong>Ed25519 identity keypair</strong> stored at <code>~/.pilot/identity.json</code>. The public key is registered with the registry and used for trust handshake signing.</p>
 
   <h2 id="nat">NAT Traversal</h2>
 
diff --git a/web/docs/configuration.html b/web/docs/configuration.html
@@ -104,7 +104,7 @@ <h2 id="directory">Directory structure</h2>
   <pre><code>~/.pilot/
   bin/                <span class="comment"># Installed binaries (pilotctl, pilot-rendezvous)</span>
   config.json         <span class="comment"># Configuration file</span>
-  identity.key        <span class="comment"># Ed25519 keypair (persistent identity)</span>
+  identity.json       <span class="comment"># Ed25519 keypair (persistent identity)</span>
   trust.json          <span class="comment"># Trust state (trusted peers, pending requests)</span>
   received/           <span class="comment"># Files received via data exchange</span>
   inbox/              <span class="comment"># Messages received via data exchange</span>
diff --git a/web/docs/python-sdk.html b/web/docs/python-sdk.html

Original file line number	Diff line number	Diff line change
`@@ -1028,7 +1028,7 @@ func cmdDaemonStart(args []string) {`
`1028`	`1028`	`encrypt := !flagBool(flags, "no-encrypt")`
`1029`	`1029`	`identityPath := flagString(flags, "identity", "")`
`1030`	`1030`	`if identityPath == "" {`
`1031`		`- identityPath = configDir() + "/identity.key"`
	`1031`	`+ identityPath = configDir() + "/identity.json"`
`1032`	`1032`	`}`
`1033`	`1033`	`owner := flagString(flags, "owner", "")`
`1034`	`1034`	`configFile := flagString(flags, "config", "")`
Original file line number	Diff line number	Diff line change
`@@ -2086,8 +2086,7 @@ func (s *Server) TriggerSnapshot() error {`
`2086`	`2086`	`if s.storePath == "" {`
`2087`	`2087`	`return nil // no persistence configured`
`2088`	`2088`	`}`
`2089`		`- s.flushSave()`
`2090`		`- return nil`
	`2089`	`+ return s.flushSave()`
`2091`	`2090`	`}`
`2092`	`2091`
`2093`	`2092`	`// snapshot is the JSON-serializable registry state.`
`@@ -2157,7 +2156,9 @@ func (s *Server) saveLoop() {`
`2157`	`2156`	`dirty = true`
`2158`	`2157`	`case <-ticker.C:`
`2159`	`2158`	`if dirty {`
`2160`		`- s.flushSave()`
	`2159`	`+ if err := s.flushSave(); err != nil {`
	`2160`	`+ slog.Error("periodic save failed", "err", err)`
	`2161`	`+ }`
`2161`	`2162`	`dirty = false`
`2162`	`2163`	`}`
`2163`	`2164`	`case <-s.done:`
`@@ -2168,15 +2169,17 @@ func (s *Server) saveLoop() {`
`2168`	`2169`	`default:`
`2169`	`2170`	`}`
`2170`	`2171`	`if dirty {`
`2171`		`- s.flushSave()`
	`2172`	`+ if err := s.flushSave(); err != nil {`
	`2173`	`+ slog.Error("final save failed", "err", err)`
	`2174`	`+ }`
`2172`	`2175`	`}`
`2173`	`2176`	`return`
`2174`	`2177`	`}`
`2175`	`2178`	`}`
`2176`	`2179`	`}`
`2177`	`2180`
`2178`	`2181`	`// flushSave serializes the full registry state and writes it to disk.`
`2179`		`-func (s *Server) flushSave() {`
	`2182`	`+func (s *Server) flushSave() error {`
`2180`	`2183`	`s.mu.RLock()`
`2181`	`2184`	`snap := snapshot{`
`2182`	`2185`	`NextNode: s.nextNode,`
`@@ -2272,20 +2275,22 @@ func (s *Server) flushSave() {`
`2272`	`2275`	`data, err := json.Marshal(snap)`
`2273`	`2276`	`if err != nil {`
`2274`	`2277`	`slog.Error("registry save marshal error", "err", err)`
`2275`		`- return`
	`2278`	`+ return fmt.Errorf("marshal snapshot: %w", err)`
`2276`	`2279`	`}`
`2277`	`2280`
`2278`	`2281`	`// Persist to disk atomically`
`2279`	`2282`	`if s.storePath != "" {`
`2280`	`2283`	`if err := fsutil.AtomicWrite(s.storePath, data); err != nil {`
`2281`	`2284`	`slog.Error("registry save error", "err", err)`
	`2285`	`+ return fmt.Errorf("write snapshot: %w", err)`
`2282`	`2286`	`}`
`2283`	`2287`	`}`
`2284`	`2288`
`2285`	`2289`	`// Push to replication subscribers`
`2286`	`2290`	`s.replMgr.push(data)`
`2287`	`2291`
`2288`	`2292`	`slog.Debug("registry state saved", "nodes", nodeCount, "networks", netCount)`
	`2293`	`+ return nil`
`2289`	`2294`	`}`
`2290`	`2295`
`2291`	`2296`	`// load reads the registry state from disk.`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ import (`
`20`	`20`	`// Keeps Go heap objects alive while C/Python holds a uint64 token.`
`21`	`21`
`22`	`22`	`var handles struct {`
`23`		`- sync.Mutex`
	`23`	`+ sync.RWMutex`
`24`	`24`	`m map[uint64]interface{}`
`25`	`25`	`next uint64`
`26`	`26`	`}`
`@@ -40,9 +40,9 @@ func storeHandle(v interface{}) uint64 {`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`func loadHandle(id uint64) (interface{}, bool) {`
`43`		`- handles.Lock()`
	`43`	`+ handles.RLock()`
`44`	`44`	`v, ok := handles.m[id]`
`45`		`- handles.Unlock()`
	`45`	`+ handles.RUnlock()`
`46`	`46`	`return v, ok`
`47`	`47`	`}`
`48`	`48`