Skip to content

Support signed remote Admin in licensed mode#2068

Draft
RCGV1 wants to merge 3 commits into
meshtastic:mainfrom
RCGV1:codex/licensed-signed-admin
Draft

Support signed remote Admin in licensed mode#2068
RCGV1 wants to merge 3 commits into
meshtastic:mainfrom
RCGV1:codex/licensed-signed-admin

Conversation

@RCGV1

@RCGV1 RCGV1 commented Jul 10, 2026

Copy link
Copy Markdown
Member

Closes #2067

Design: meshtastic/design#123
Firmware dependency: meshtastic/firmware#10972

Summary

  • apply the licensed remote Admin transport invariant at the final packet-send boundary: directed, decoded ADMIN_APP traffic uses channel 0 with pkiEncrypted=false and an empty public key;
  • derive licensed mode only from the persisted connected local owner, not the destination;
  • exclude self, broadcast, unknown-owner, normal-mode, encrypted, and non-Admin packets so their existing behavior remains unchanged;
  • show “Signed remote admin” with verified-signature shield semantics in licensed mode while retaining PKI wording in normal mode.

This aligns the client with the existing XEdDSA signing path. It does not add a new authentication protocol or bypass firmware authorization/session checks.

Validation

  • targeted iPhone 16e / iOS 26.0.1 simulator suite passed 6/6 before the final broadcast fail-closed regression was added;
  • the added broadcast case is source-validated but its repeat simulator run was environment-blocked by local disk exhaustion before test execution, not a compile or test failure;
  • git diff --check, jq empty Localizable.xcstrings, and plutil -lint Meshtastic.xcodeproj/project.pbxproj pass;
  • independent dedicated security review approved exact commit ea84f7f0ce58f83f8e977261d16db8b854a22c4f.

Coverage includes licensed direct Admin, shared device-config requests, normal mode, self, unknown owner, exact conditional wording, and broadcast preservation. Generated Xcode package and asset artifacts are excluded.

Draft / hardware status

This remains draft until firmware#10972 is validated with two licensed RF nodes. Required hardware checks include signed plaintext getter/session/mutation/reply traffic, rejection of broadcast/unauthorized/stale-session requests, and unchanged normal-mode PKI behavior.

Summary by CodeRabbit

  • New Features

    • Added new localized remote-admin UI strings for signed-admin and request labels.
    • Updated Settings remote-admin wording and icons based on whether the connected local owner is licensed.
  • Bug Fixes

    • Ensured licensed remote-admin transmissions are converted to the correct plaintext form when sending to a remote recipient, while preserving PKI settings for self-admin, broadcast, and unknown-owner cases.
  • Tests

    • Added unit tests covering remote-admin transport policy and the licensing-specific wording output.

@RCGV1

RCGV1 commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 47c90690-dd28-4e0c-bd1c-bbca947b03a0

📥 Commits

Reviewing files that changed from the base of the PR and between 3159748 and ea84f7f.

📒 Files selected for processing (2)
  • Meshtastic/Views/Settings/Settings.swift
  • MeshtasticTests/RemoteAdminTransportPolicyTests.swift
🚧 Files skipped from review as they are similar to previous changes (2)
  • Meshtastic/Views/Settings/Settings.swift
  • MeshtasticTests/RemoteAdminTransportPolicyTests.swift

📝 Walkthrough

Walkthrough

Licensed remote-admin packets are normalized at the outbound send boundary, settings wording and icons vary by local licensing state, localization entries are added, and tests cover licensed, normal, self, broadcast, and unknown-owner scenarios.

Changes

Remote Admin Alignment

Layer / File(s) Summary
Licensed transport policy
Meshtastic/Accessory/Accessory Manager/AccessoryManager.swift
Admin packets sent through a licensed connected owner are converted to channel 0 plaintext for eligible remote destinations; other packets remain unchanged.
Mode-specific admin wording
Meshtastic/Views/Settings/Settings.swift, Localizable.xcstrings
Settings derives the local owner’s license state and selects signed or PKI wording and icons using the new localized templates.
Transport policy validation
MeshtasticTests/RemoteAdminTransportPolicyTests.swift, Meshtastic.xcodeproj/project.pbxproj
The test suite records outgoing packets and verifies transport and wording behavior across licensing and destination modes; the test file is added to the Xcode target.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Settings
  participant AccessoryManager
  participant SwiftData
  participant Connection
  Settings->>AccessoryManager: Request remote admin operation
  AccessoryManager->>SwiftData: Fetch connected owner license state
  SwiftData-->>AccessoryManager: Return UserEntity.isLicensed
  AccessoryManager->>Connection: Send normalized admin packet
Loading

Possibly related issues

  • meshtastic/design#123 — Defines the licensed-mode plaintext remote-admin transport and wording implemented here.
  • meshtastic/firmware#10971 — Covers the corresponding licensed remote-admin packet behavior.
  • meshtastic/Meshtastic-Android#6183 — Describes equivalent licensed remote-admin packet normalization.
  • meshtastic/design#122 — Relates to authenticated plaintext licensed-admin traffic.

Suggested reviewers: garthvh

Poem

I’m a rabbit with packets to send,
Signed admin messages hop round the bend.
PKI locks rest when plaintext is due,
Tests guard each path, both old and new.
Localization gives every hop a bright hue!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: licensed-mode signed remote Admin support.
Description check ✅ Passed The description covers what changed, why, validation, and draft/hardware status, with only minor template fields omitted.
Linked Issues check ✅ Passed The transport policy, wording updates, and tests match #2067's licensed-mode remote Admin requirements.
Out of Scope Changes check ✅ Passed The changes stay focused on remote Admin transport, wording, tests, and localization support.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Comment @coderabbitai help to get the list of available commands.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@RCGV1

RCGV1 commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

The docs-coverage job did not report a source failure; its warning-comment step received 403 Resource not accessible by integration on this fork PR. Because this hardware-pending draft changes conditional remote-Admin wording but does not introduce a stable released workflow yet, documentation is deferred until the firmware design is accepted and RF-validated. A maintainer can apply skip-docs-check for the draft, or request the final docs location before readiness.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
MeshtasticTests/RemoteAdminTransportPolicyTests.swift (1)

207-213: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Test the signature-shield semantics, not only wording.

conditionalWording() checks only localized strings, so a regression that shows PKI iconography in licensed mode—or omits the verified-signature shield—would pass. Add assertions for the licensed and normal icon/signature-state mapping.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@MeshtasticTests/RemoteAdminTransportPolicyTests.swift` around lines 207 -
213, The conditionalWording() test verifies only text and misses iconography and
signature-state regressions. Add assertions covering both licensed and
unlicensed modes, confirming the licensed path uses the
signed/verified-signature shield mapping while the normal path uses the PKI icon
and corresponding unverified state; reference the existing RemoteAdminWording
icon and signature-state APIs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@MeshtasticTests/RemoteAdminTransportPolicyTests.swift`:
- Around line 1-4: Replace the placeholder header comments at the top of
RemoteAdminTransportPolicyTests.swift with the required file-level header, such
as “// MARK: RemoteAdminTransportPolicyTests”, or an approved file-level
copyright comment.
- Around line 144-158: Update normalRemoteAdminIsUnchanged to create the remote
destination user with isLicensed: true before sending the packet, while keeping
the owner non-licensed. Retain the existing assertions for channel, encryption,
and public key to verify normal-mode behavior remains unchanged with a licensed
destination.

---

Nitpick comments:
In `@MeshtasticTests/RemoteAdminTransportPolicyTests.swift`:
- Around line 207-213: The conditionalWording() test verifies only text and
misses iconography and signature-state regressions. Add assertions covering both
licensed and unlicensed modes, confirming the licensed path uses the
signed/verified-signature shield mapping while the normal path uses the PKI icon
and corresponding unverified state; reference the existing RemoteAdminWording
icon and signature-state APIs.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: ddb5b4ac-daca-4447-bb39-5fb36cec2843

📥 Commits

Reviewing files that changed from the base of the PR and between 76da012 and 3159748.

📒 Files selected for processing (5)
  • Localizable.xcstrings
  • Meshtastic.xcodeproj/project.pbxproj
  • Meshtastic/Accessory/Accessory Manager/AccessoryManager.swift
  • Meshtastic/Views/Settings/Settings.swift
  • MeshtasticTests/RemoteAdminTransportPolicyTests.swift

Comment thread MeshtasticTests/RemoteAdminTransportPolicyTests.swift Outdated
Comment thread MeshtasticTests/RemoteAdminTransportPolicyTests.swift
@RCGV1

RCGV1 commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

Addressed the remaining CodeRabbit presentation test request in ea84f7f: a shared mapping now drives the licensed signed/verified shield and normal PKI icon, with both states asserted. @coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

@RCGV1 Thanks for the update — I'll take a fresh look at the shared mapping for the signed/verified shield and PKI icon states, along with the new assertions.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[2.8.0] Align licensed remote Admin transport and signature UI

1 participant