Description
Implement the signed plaintext licensed-mode remote-administration design from meshtastic/design#123 as a separate follow-up stacked on #10967 and #10969.
This must reuse existing Router-verified XEdDSA, security.admin_key[], and the AdminModule session challenge. It must not add an authentication version, signature format, certificate scheme, encrypted ham traffic, or normal-mode signed-admin fallback.
Required behavior
- Accept a licensed remote Admin request/mutation only when it is directed to this node, has a successfully verified XEdDSA signature, and the exact verified signer key matches a populated
admin_key slot.
- Carry the exact verified signer key from Router to AdminModule as transient authenticated state; clear and ignore serialized auth flags/keys at ingress.
- Require prior verified signed NodeInfo discovery or warm-store key retention;
admin_key is authorization, not discovery.
- Retain the existing session-passkey requirement for mutations.
- Add explicit session-initialized state so an all-zero passkey cannot authorize during the first minutes after boot.
- Require licensed Admin replies to be directed, plaintext, and Router-verified signed.
- Keep normal PKI remote administration unchanged.
- Keep decoded MQTT Admin injection blocked; binary ingress must traverse normal Router verification.
- Reject unsigned, oversized-unsigned, malformed, invalid, unverifiable, unknown-key, non-allowlisted, broadcast, and wrong-destination Admin traffic.
Client dependency
Official clients must avoid setting pki_encrypted=true when sending remote Admin traffic through a licensed local radio and must display verified-signature semantics rather than an encryption lock. Track client changes separately after the firmware behavior is reviewable.
Validation
- authorized/unauthorized signer keys and empty admin slots;
- missing, zero-before-generation, valid, stale, and reboot-invalidated session values;
- getters, session request, mutation, and response paths;
- first-contact signed NodeInfo followed by Admin and warm-store signer lookup;
- invalid/malformed/unsigned/oversized signatures, broadcast, and wrong destination;
- normal-mode PKI regression coverage;
- decoded MQTT rejection and binary Router-verified ingress;
- two-radio RF capture showing readable plaintext request/reply and no PKI/PSK encryption.
Keep the implementation PR draft until representative hardware and cross-device interoperability are recorded.
Dependencies
Description
Implement the signed plaintext licensed-mode remote-administration design from meshtastic/design#123 as a separate follow-up stacked on #10967 and #10969.
This must reuse existing Router-verified XEdDSA,
security.admin_key[], and the AdminModule session challenge. It must not add an authentication version, signature format, certificate scheme, encrypted ham traffic, or normal-mode signed-admin fallback.Required behavior
admin_keyslot.admin_keyis authorization, not discovery.Client dependency
Official clients must avoid setting
pki_encrypted=truewhen sending remote Admin traffic through a licensed local radio and must display verified-signature semantics rather than an encryption lock. Track client changes separately after the firmware behavior is reviewable.Validation
Keep the implementation PR draft until representative hardware and cross-device interoperability are recorded.
Dependencies