feat: implement secure cluster authentication (issue #13)

Implemented a comprehensive secure authentication mechanism for inter-node
cluster communication with the following features:

1. Global Cluster Secret (GCS)
   - Auto-generated cryptographically secure random secret (256-bit)
   - Configurable via YAML config file
   - Shared across all cluster nodes for authentication

2. Cluster Authentication Middleware
   - Validates X-Cluster-Secret and X-Node-ID headers
   - Applied to all cluster endpoints (/members/*, /merkle_tree/*, /kv_range)
   - Comprehensive logging of authentication attempts

3. Authenticated HTTP Client
   - Custom HTTP client with cluster auth headers
   - TLS support with configurable certificate verification
   - Protocol-aware (http/https based on TLS settings)

4. Secure Bootstrap Endpoint
   - New /auth/cluster-bootstrap endpoint
   - Protected by JWT authentication with admin scope
   - Allows new nodes to securely obtain cluster secret

5. Updated Cluster Communication
   - All gossip protocol requests include auth headers
   - All Merkle tree sync requests include auth headers
   - All data replication requests include auth headers

6. Configuration
   - cluster_secret: Shared secret (auto-generated if not provided)
   - cluster_tls_enabled: Enable TLS for inter-node communication
   - cluster_tls_cert_file: Path to TLS certificate
   - cluster_tls_key_file: Path to TLS private key
   - cluster_tls_skip_verify: Skip TLS verification (testing only)

This implementation addresses the security vulnerability of unprotected
cluster endpoints and provides a flexible, secure approach to protecting
internal cluster communication while allowing for automated node bootstrapping.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

types/types.go

@@ -13,20 +13,20 @@ type StoredValue struct {
 
 // User represents a system user
 type User struct {
-	UUID         string   `json:"uuid"`         // Server-generated UUID
+	UUID         string   `json:"uuid"`          // Server-generated UUID
 	NicknameHash string   `json:"nickname_hash"` // SHA3-512 hash of nickname
-	Groups       []string `json:"groups"`       // List of group UUIDs this user belongs to
-	CreatedAt    int64    `json:"created_at"`   // Unix timestamp
-	UpdatedAt    int64    `json:"updated_at"`   // Unix timestamp
+	Groups       []string `json:"groups"`        // List of group UUIDs this user belongs to
+	CreatedAt    int64    `json:"created_at"`    // Unix timestamp
+	UpdatedAt    int64    `json:"updated_at"`    // Unix timestamp
 }
 
 // Group represents a user group
 type Group struct {
-	UUID        string   `json:"uuid"`        // Server-generated UUID
-	NameHash    string   `json:"name_hash"`   // SHA3-512 hash of group name
-	Members     []string `json:"members"`     // List of user UUIDs in this group
-	CreatedAt   int64    `json:"created_at"`  // Unix timestamp
-	UpdatedAt   int64    `json:"updated_at"`  // Unix timestamp
+	UUID      string   `json:"uuid"`       // Server-generated UUID
+	NameHash  string   `json:"name_hash"`  // SHA3-512 hash of group name
+	Members   []string `json:"members"`    // List of user UUIDs in this group
+	CreatedAt int64    `json:"created_at"` // Unix timestamp
+	UpdatedAt int64    `json:"updated_at"` // Unix timestamp
 }
 
 // APIToken represents a JWT authentication token
@@ -40,12 +40,12 @@ type APIToken struct {
 
 // ResourceMetadata contains ownership and permission information for stored resources
 type ResourceMetadata struct {
-	OwnerUUID   string `json:"owner_uuid"`   // UUID of the resource owner
-	GroupUUID   string `json:"group_uuid"`   // UUID of the resource group
-	Permissions int    `json:"permissions"`  // 12-bit permission mask (POSIX-inspired)
-	TTL         string `json:"ttl"`          // Time-to-live duration (Go format)
-	CreatedAt   int64  `json:"created_at"`   // Unix timestamp when resource was created
-	UpdatedAt   int64  `json:"updated_at"`   // Unix timestamp when resource was last updated
+	OwnerUUID   string `json:"owner_uuid"`  // UUID of the resource owner
+	GroupUUID   string `json:"group_uuid"`  // UUID of the resource group
+	Permissions int    `json:"permissions"` // 12-bit permission mask (POSIX-inspired)
+	TTL         string `json:"ttl"`         // Time-to-live duration (Go format)
+	CreatedAt   int64  `json:"created_at"`  // Unix timestamp when resource was created
+	UpdatedAt   int64  `json:"updated_at"`  // Unix timestamp when resource was last updated
 }
 
 // Permission constants for POSIX-inspired ACL
@@ -55,19 +55,19 @@ const (
 	PermOwnerDelete = 1 << 10
 	PermOwnerWrite  = 1 << 9
 	PermOwnerRead   = 1 << 8
-	
+
 	// Group permissions (bits 7-4)
 	PermGroupCreate = 1 << 7
 	PermGroupDelete = 1 << 6
 	PermGroupWrite  = 1 << 5
 	PermGroupRead   = 1 << 4
-	
+
 	// Others permissions (bits 3-0)
 	PermOthersCreate = 1 << 3
 	PermOthersDelete = 1 << 2
 	PermOthersWrite  = 1 << 1
 	PermOthersRead   = 1 << 0
-	
+
 	// Default permissions: Owner(1111), Group(0110), Others(0010)
 	DefaultPermissions = (PermOwnerCreate | PermOwnerDelete | PermOwnerWrite | PermOwnerRead) |
 		(PermGroupWrite | PermGroupRead) |
@@ -231,50 +231,57 @@ type KVRangeResponse struct {
 
 // Configuration
 type Config struct {
-	NodeID             string   `yaml:"node_id"`
-	BindAddress        string   `yaml:"bind_address"`
-	Port               int      `yaml:"port"`
-	DataDir            string   `yaml:"data_dir"`
-	SeedNodes          []string `yaml:"seed_nodes"`
-	ReadOnly           bool     `yaml:"read_only"`
-	LogLevel           string   `yaml:"log_level"`
-	GossipIntervalMin  int      `yaml:"gossip_interval_min"`
-	GossipIntervalMax  int      `yaml:"gossip_interval_max"`
-	SyncInterval       int      `yaml:"sync_interval"`
-	CatchupInterval    int      `yaml:"catchup_interval"`
-	BootstrapMaxAgeHours int    `yaml:"bootstrap_max_age_hours"`
-	ThrottleDelayMs    int      `yaml:"throttle_delay_ms"`
-	FetchDelayMs       int      `yaml:"fetch_delay_ms"`
-	
+	NodeID               string   `yaml:"node_id"`
+	BindAddress          string   `yaml:"bind_address"`
+	Port                 int      `yaml:"port"`
+	DataDir              string   `yaml:"data_dir"`
+	SeedNodes            []string `yaml:"seed_nodes"`
+	ReadOnly             bool     `yaml:"read_only"`
+	LogLevel             string   `yaml:"log_level"`
+	GossipIntervalMin    int      `yaml:"gossip_interval_min"`
+	GossipIntervalMax    int      `yaml:"gossip_interval_max"`
+	SyncInterval         int      `yaml:"sync_interval"`
+	CatchupInterval      int      `yaml:"catchup_interval"`
+	BootstrapMaxAgeHours int      `yaml:"bootstrap_max_age_hours"`
+	ThrottleDelayMs      int      `yaml:"throttle_delay_ms"`
+	FetchDelayMs         int      `yaml:"fetch_delay_ms"`
+
 	// Database compression configuration
 	CompressionEnabled bool `yaml:"compression_enabled"`
 	CompressionLevel   int  `yaml:"compression_level"`
-	
+
 	// TTL configuration
-	DefaultTTL    string `yaml:"default_ttl"`      // Go duration format, "0" means no default TTL
-	MaxJSONSize   int    `yaml:"max_json_size"`    // Maximum JSON size in bytes
-	
+	DefaultTTL  string `yaml:"default_ttl"`   // Go duration format, "0" means no default TTL
+	MaxJSONSize int    `yaml:"max_json_size"` // Maximum JSON size in bytes
+
 	// Rate limiting configuration
 	RateLimitRequests int    `yaml:"rate_limit_requests"` // Max requests per window
 	RateLimitWindow   string `yaml:"rate_limit_window"`   // Window duration (Go format)
-	
+
 	// Tamper-evident logging configuration
 	TamperLogActions []string `yaml:"tamper_log_actions"` // Actions to log
-	
+
 	// Backup system configuration
-	BackupEnabled   bool   `yaml:"backup_enabled"`    // Enable/disable automated backups
-	BackupSchedule  string `yaml:"backup_schedule"`   // Cron schedule format
-	BackupPath      string `yaml:"backup_path"`       // Directory to store backups
-	BackupRetention int    `yaml:"backup_retention"`  // Days to keep backups
-	
+	BackupEnabled   bool   `yaml:"backup_enabled"`   // Enable/disable automated backups
+	BackupSchedule  string `yaml:"backup_schedule"`  // Cron schedule format
+	BackupPath      string `yaml:"backup_path"`      // Directory to store backups
+	BackupRetention int    `yaml:"backup_retention"` // Days to keep backups
+
 	// Feature toggles for optional functionalities
 	AuthEnabled            bool `yaml:"auth_enabled"`             // Enable/disable authentication system
 	TamperLoggingEnabled   bool `yaml:"tamper_logging_enabled"`   // Enable/disable tamper-evident logging
 	ClusteringEnabled      bool `yaml:"clustering_enabled"`       // Enable/disable clustering/gossip
 	RateLimitingEnabled    bool `yaml:"rate_limiting_enabled"`    // Enable/disable rate limiting
 	RevisionHistoryEnabled bool `yaml:"revision_history_enabled"` // Enable/disable revision history
-	
+
 	// Anonymous access control (Issue #5)
-	AllowAnonymousRead     bool `yaml:"allow_anonymous_read"`     // Allow unauthenticated read access to KV endpoints
-	AllowAnonymousWrite    bool `yaml:"allow_anonymous_write"`    // Allow unauthenticated write access to KV endpoints
-}
+	AllowAnonymousRead  bool `yaml:"allow_anonymous_read"`  // Allow unauthenticated read access to KV endpoints
+	AllowAnonymousWrite bool `yaml:"allow_anonymous_write"` // Allow unauthenticated write access to KV endpoints
+
+	// Cluster authentication (Issue #13)
+	ClusterSecret        string `yaml:"cluster_secret"`          // Shared secret for cluster authentication (auto-generated if empty)
+	ClusterTLSEnabled    bool   `yaml:"cluster_tls_enabled"`     // Require TLS for inter-node communication
+	ClusterTLSCertFile   string `yaml:"cluster_tls_cert_file"`   // Path to TLS certificate file
+	ClusterTLSKeyFile    string `yaml:"cluster_tls_key_file"`    // Path to TLS private key file
+	ClusterTLSSkipVerify bool   `yaml:"cluster_tls_skip_verify"` // Skip TLS verification (insecure, for testing only)
+}