feat: implement resource metadata management API (issue #12)

Add API endpoints to manage ResourceMetadata (ownership, groups, permissions)
for KV resources. This enables administrators to configure granular access
control for stored data.

Changes:
- Add GetResourceMetadataResponse and UpdateResourceMetadataRequest types
- Add GetResourceMetadata and SetResourceMetadata methods to AuthService
- Add GET /kv/{path}/metadata endpoint (requires admin:users:read)
- Add PUT /kv/{path}/metadata endpoint (requires admin:users:update)
- Both endpoints protected by JWT authentication
- Metadata routes registered before general KV routes to prevent pattern conflicts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

auth/auth.go

@@ -198,6 +198,40 @@ func (s *AuthService) CheckResourcePermission(authCtx *AuthContext, resourceKey
 	return CheckPermission(metadata.Permissions, operation, isOwner, isGroupMember)
 }
 
+// GetResourceMetadata retrieves metadata for a resource
+func (s *AuthService) GetResourceMetadata(resourceKey string) (*types.ResourceMetadata, error) {
+	var metadata types.ResourceMetadata
+
+	err := s.db.View(func(txn *badger.Txn) error {
+		item, err := txn.Get([]byte(ResourceMetadataKey(resourceKey)))
+		if err != nil {
+			return err
+		}
+
+		return item.Value(func(val []byte) error {
+			return json.Unmarshal(val, &metadata)
+		})
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &metadata, nil
+}
+
+// SetResourceMetadata stores metadata for a resource
+func (s *AuthService) SetResourceMetadata(resourceKey string, metadata *types.ResourceMetadata) error {
+	metadataBytes, err := json.Marshal(metadata)
+	if err != nil {
+		return fmt.Errorf("failed to marshal metadata: %v", err)
+	}
+
+	return s.db.Update(func(txn *badger.Txn) error {
+		return txn.Set([]byte(ResourceMetadataKey(resourceKey)), metadataBytes)
+	})
+}
+
 // GetAuthContext retrieves auth context from request context
 func GetAuthContext(ctx context.Context) *AuthContext {
 	if authCtx, ok := ctx.Value("auth").(*AuthContext); ok {

auth/cluster.go

@@ -0,0 +1,77 @@
+package auth
+
+import (
+	"net/http"
+
+	"github.com/sirupsen/logrus"
+)
+
+// ClusterAuthService handles authentication for inter-cluster communication
+type ClusterAuthService struct {
+	clusterSecret string
+	logger        *logrus.Logger
+}
+
+// NewClusterAuthService creates a new cluster authentication service
+func NewClusterAuthService(clusterSecret string, logger *logrus.Logger) *ClusterAuthService {
+	return &ClusterAuthService{
+		clusterSecret: clusterSecret,
+		logger:        logger,
+	}
+}
+
+// Middleware validates cluster authentication headers
+func (s *ClusterAuthService) Middleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Extract authentication headers
+		clusterSecret := r.Header.Get("X-Cluster-Secret")
+		nodeID := r.Header.Get("X-Node-ID")
+
+		// Log authentication attempt
+		s.logger.WithFields(logrus.Fields{
+			"node_id":     nodeID,
+			"remote_addr": r.RemoteAddr,
+			"path":        r.URL.Path,
+			"method":      r.Method,
+		}).Debug("Cluster authentication attempt")
+
+		// Validate cluster secret
+		if clusterSecret == "" {
+			s.logger.WithFields(logrus.Fields{
+				"node_id":     nodeID,
+				"remote_addr": r.RemoteAddr,
+				"path":        r.URL.Path,
+			}).Warn("Missing X-Cluster-Secret header")
+			http.Error(w, "Unauthorized: Missing cluster secret", http.StatusUnauthorized)
+			return
+		}
+
+		if clusterSecret != s.clusterSecret {
+			s.logger.WithFields(logrus.Fields{
+				"node_id":     nodeID,
+				"remote_addr": r.RemoteAddr,
+				"path":        r.URL.Path,
+			}).Warn("Invalid cluster secret")
+			http.Error(w, "Unauthorized: Invalid cluster secret", http.StatusUnauthorized)
+			return
+		}
+
+		// Validate node ID is present
+		if nodeID == "" {
+			s.logger.WithFields(logrus.Fields{
+				"remote_addr": r.RemoteAddr,
+				"path":        r.URL.Path,
+			}).Warn("Missing X-Node-ID header")
+			http.Error(w, "Unauthorized: Missing node ID", http.StatusUnauthorized)
+			return
+		}
+
+		// Authentication successful
+		s.logger.WithFields(logrus.Fields{
+			"node_id": nodeID,
+			"path":    r.URL.Path,
+		}).Debug("Cluster authentication successful")
+
+		next.ServeHTTP(w, r)
+	})
+}

cluster/bootstrap.go

@@ -82,10 +82,19 @@ func (s *BootstrapService) attemptJoin(seedAddr string) bool {
 		return false
 	}
 
-	client := &http.Client{Timeout: 10 * time.Second}
+	client := NewAuthenticatedHTTPClient(s.config, 10*time.Second)
-	url := fmt.Sprintf("http://%s/members/join", seedAddr)
+	protocol := GetProtocol(s.config)
+	url := fmt.Sprintf("%s://%s/members/join", protocol, seedAddr)
 
-	resp, err := client.Post(url, "application/json", bytes.NewBuffer(jsonData))
+	req, err := http.NewRequest("POST", url, bytes.NewBuffer(jsonData))
+	if err != nil {
+		s.logger.WithError(err).Error("Failed to create join request")
+		return false
+	}
+	req.Header.Set("Content-Type", "application/json")
+	AddClusterAuthHeaders(req, s.config)
+
+	resp, err := client.Do(req)
 	if err != nil {
 		s.logger.WithFields(logrus.Fields{
 			"seed":  seedAddr,

cluster/gossip.go

@@ -17,13 +17,13 @@ import (
 
 // GossipService handles gossip protocol operations
 type GossipService struct {
-	config      *types.Config
+	config    *types.Config
-	members     map[string]*types.Member
+	members   map[string]*types.Member
-	membersMu   sync.RWMutex
+	membersMu sync.RWMutex
-	logger      *logrus.Logger
+	logger    *logrus.Logger
-	ctx         context.Context
+	ctx       context.Context
-	cancel      context.CancelFunc
+	cancel    context.CancelFunc
-	wg          sync.WaitGroup
+	wg        sync.WaitGroup
 }
 
 // NewGossipService creates a new gossip service
@@ -181,11 +181,20 @@ func (s *GossipService) gossipWithPeer(peer *types.Member) error {
 		return err
 	}
 
-	// Send HTTP request to peer
+	// Send HTTP request to peer with cluster authentication
-	client := &http.Client{Timeout: 5 * time.Second}
+	client := NewAuthenticatedHTTPClient(s.config, 5*time.Second)
-	url := fmt.Sprintf("http://%s/members/gossip", peer.Address)
+	protocol := GetProtocol(s.config)
+	url := fmt.Sprintf("%s://%s/members/gossip", protocol, peer.Address)
 
-	resp, err := client.Post(url, "application/json", bytes.NewBuffer(jsonData))
+	req, err := http.NewRequest("POST", url, bytes.NewBuffer(jsonData))
+	if err != nil {
+		s.logger.WithError(err).Error("Failed to create gossip request")
+		return err
+	}
+	req.Header.Set("Content-Type", "application/json")
+	AddClusterAuthHeaders(req, s.config)
+
+	resp, err := client.Do(req)
 	if err != nil {
 		s.logger.WithFields(logrus.Fields{
 			"peer":  peer.Address,

cluster/http_client.go

@@ -0,0 +1,43 @@
+package cluster
+
+import (
+	"crypto/tls"
+	"net/http"
+	"time"
+
+	"kvs/types"
+)
+
+// NewAuthenticatedHTTPClient creates an HTTP client configured for cluster authentication
+func NewAuthenticatedHTTPClient(config *types.Config, timeout time.Duration) *http.Client {
+	client := &http.Client{
+		Timeout: timeout,
+	}
+
+	// Configure TLS if enabled
+	if config.ClusterTLSEnabled {
+		tlsConfig := &tls.Config{
+			InsecureSkipVerify: config.ClusterTLSSkipVerify,
+		}
+
+		client.Transport = &http.Transport{
+			TLSClientConfig: tlsConfig,
+		}
+	}
+
+	return client
+}
+
+// AddClusterAuthHeaders adds authentication headers to an HTTP request
+func AddClusterAuthHeaders(req *http.Request, config *types.Config) {
+	req.Header.Set("X-Cluster-Secret", config.ClusterSecret)
+	req.Header.Set("X-Node-ID", config.NodeID)
+}
+
+// GetProtocol returns the appropriate protocol (http or https) based on TLS configuration
+func GetProtocol(config *types.Config) string {
+	if config.ClusterTLSEnabled {
+		return "https"
+	}
+	return "http"
+}

cluster/sync.go

@@ -172,9 +172,9 @@ func (s *SyncService) performMerkleSync() {
 	// 2. Compare roots and start recursive diffing if they differ
 	if !bytes.Equal(localRoot.Hash, remoteRoot.Hash) {
 		s.logger.WithFields(logrus.Fields{
-			"peer":          peer.Address,
+			"peer":        peer.Address,
-			"local_root":    hex.EncodeToString(localRoot.Hash),
+			"local_root":  hex.EncodeToString(localRoot.Hash),
-			"remote_root":   hex.EncodeToString(remoteRoot.Hash),
+			"remote_root": hex.EncodeToString(remoteRoot.Hash),
 		}).Info("Merkle roots differ, starting recursive diff")
 		s.diffMerkleTreesRecursive(peer.Address, localRoot, remoteRoot)
 	} else {
@@ -186,10 +186,17 @@ func (s *SyncService) performMerkleSync() {
 
 // requestMerkleRoot requests the Merkle root from a peer
 func (s *SyncService) requestMerkleRoot(peerAddress string) (*types.MerkleRootResponse, error) {
-	client := &http.Client{Timeout: 10 * time.Second}
+	client := NewAuthenticatedHTTPClient(s.config, 10*time.Second)
-	url := fmt.Sprintf("http://%s/merkle_tree/root", peerAddress)
+	protocol := GetProtocol(s.config)
+	url := fmt.Sprintf("%s://%s/merkle_tree/root", protocol, peerAddress)
 
-	resp, err := client.Get(url)
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		return nil, err
+	}
+	AddClusterAuthHeaders(req, s.config)
+
+	resp, err := client.Do(req)
 	if err != nil {
 		return nil, err
 	}
@@ -216,7 +223,7 @@ func (s *SyncService) diffMerkleTreesRecursive(peerAddress string, localNode, re
 	// Hashes differ, need to go deeper.
 	// Request children from the remote peer for the current range.
 	req := types.MerkleTreeDiffRequest{
-		ParentNode: *remoteNode, // We are asking the remote peer about its children for this range
+		ParentNode: *remoteNode,    // We are asking the remote peer about its children for this range
 		LocalHash:  localNode.Hash, // Our hash for this range
 	}
 
@@ -294,10 +301,17 @@ func (s *SyncService) handleLeafLevelDiff(peerAddress string, keys []string, loc
 
 // fetchSingleKVFromPeer fetches a single KV pair from a peer
 func (s *SyncService) fetchSingleKVFromPeer(peerAddress, path string) (*types.StoredValue, error) {
-	client := &http.Client{Timeout: 5 * time.Second}
+	client := NewAuthenticatedHTTPClient(s.config, 5*time.Second)
-	url := fmt.Sprintf("http://%s/kv/%s", peerAddress, path)
+	protocol := GetProtocol(s.config)
+	url := fmt.Sprintf("%s://%s/kv/%s", protocol, peerAddress, path)
 
-	resp, err := client.Get(url)
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		return nil, err
+	}
+	AddClusterAuthHeaders(req, s.config)
+
+	resp, err := client.Do(req)
 	if err != nil {
 		return nil, err
 	}
@@ -418,12 +432,12 @@ func (s *SyncService) resolveConflict(key string, local, remote *types.StoredVal
 	// If we can't find membership info, fall back to UUID comparison for deterministic result
 	if localMember == nil || remoteMember == nil {
 		s.logger.WithFields(logrus.Fields{
-			"key":             key,
+			"key":          key,
-			"peerAddress":     peerAddress,
+			"peerAddress":  peerAddress,
-			"localNodeID":     localNodeID,
+			"localNodeID":  localNodeID,
-			"localMember":     localMember != nil,
+			"localMember":  localMember != nil,
-			"remoteMember":    remoteMember != nil,
+			"remoteMember": remoteMember != nil,
-			"totalMembers":    len(members),
+			"totalMembers": len(members),
 		}).Warn("Could not find membership info for conflict resolution, using UUID comparison")
 		if remote.UUID < local.UUID {
 			// Remote UUID lexically smaller (deterministic choice)
@@ -443,9 +457,9 @@ func (s *SyncService) resolveConflict(key string, local, remote *types.StoredVal
 		err := s.storeReplicatedDataWithMetadata(key, remote)
 		if err == nil {
 			s.logger.WithFields(logrus.Fields{
-				"key":                key,
+				"key":           key,
-				"local_joined":       localMember.JoinedTimestamp,
+				"local_joined":  localMember.JoinedTimestamp,
-				"remote_joined":      remoteMember.JoinedTimestamp,
+				"remote_joined": remoteMember.JoinedTimestamp,
 			}).Info("Conflict resolved: remote data wins (oldest-node rule)")
 		}
 		return err
@@ -453,24 +467,32 @@ func (s *SyncService) resolveConflict(key string, local, remote *types.StoredVal
 
 	// Local node is older or equal, keep local data
 	s.logger.WithFields(logrus.Fields{
-		"key":                key,
+		"key":           key,
-		"local_joined":       localMember.JoinedTimestamp,
+		"local_joined":  localMember.JoinedTimestamp,
-		"remote_joined":      remoteMember.JoinedTimestamp,
+		"remote_joined": remoteMember.JoinedTimestamp,
 	}).Info("Conflict resolved: local data wins (oldest-node rule)")
 	return nil
 }
 
 // requestMerkleDiff requests children hashes or keys for a given node/range from a peer
-func (s *SyncService) requestMerkleDiff(peerAddress string, req types.MerkleTreeDiffRequest) (*types.MerkleTreeDiffResponse, error) {
+func (s *SyncService) requestMerkleDiff(peerAddress string, reqData types.MerkleTreeDiffRequest) (*types.MerkleTreeDiffResponse, error) {
-	jsonData, err := json.Marshal(req)
+	jsonData, err := json.Marshal(reqData)
 	if err != nil {
 		return nil, err
 	}
 
-	client := &http.Client{Timeout: 10 * time.Second}
+	client := NewAuthenticatedHTTPClient(s.config, 10*time.Second)
-	url := fmt.Sprintf("http://%s/merkle_tree/diff", peerAddress)
+	protocol := GetProtocol(s.config)
+	url := fmt.Sprintf("%s://%s/merkle_tree/diff", protocol, peerAddress)
 
-	resp, err := client.Post(url, "application/json", bytes.NewBuffer(jsonData))
+	req, err := http.NewRequest("POST", url, bytes.NewBuffer(jsonData))
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Content-Type", "application/json")
+	AddClusterAuthHeaders(req, s.config)
+
+	resp, err := client.Do(req)
 	if err != nil {
 		return nil, err
 	}
@@ -525,20 +547,28 @@ func (s *SyncService) handleChildrenDiff(peerAddress string, children []types.Me
 
 // fetchAndStoreRange fetches a range of KV pairs from a peer and stores them locally
 func (s *SyncService) fetchAndStoreRange(peerAddress string, startKey, endKey string) error {
-	req := types.KVRangeRequest{
+	reqData := types.KVRangeRequest{
 		StartKey: startKey,
 		EndKey:   endKey,
 		Limit:    0, // No limit
 	}
-	jsonData, err := json.Marshal(req)
+	jsonData, err := json.Marshal(reqData)
 	if err != nil {
 		return err
 	}
 
-	client := &http.Client{Timeout: 30 * time.Second} // Longer timeout for range fetches
+	client := NewAuthenticatedHTTPClient(s.config, 30*time.Second) // Longer timeout for range fetches
-	url := fmt.Sprintf("http://%s/kv_range", peerAddress)
+	protocol := GetProtocol(s.config)
+	url := fmt.Sprintf("%s://%s/kv_range", protocol, peerAddress)
 
-	resp, err := client.Post(url, "application/json", bytes.NewBuffer(jsonData))
+	req, err := http.NewRequest("POST", url, bytes.NewBuffer(jsonData))
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Content-Type", "application/json")
+	AddClusterAuthHeaders(req, s.config)
+
+	resp, err := client.Do(req)
 	if err != nil {
 		return err
 	}

config/config.go

@@ -1,12 +1,14 @@
 package config
 
 import (
+	"crypto/rand"
+	"encoding/base64"
 	"fmt"
 	"os"
 	"path/filepath"
 
-	"kvs/types"
 	"gopkg.in/yaml.v3"
+	"kvs/types"
 )
 
 // Default configuration
@@ -33,8 +35,8 @@ func Default() *types.Config {
 		CompressionLevel:   3, // Balance between performance and compression ratio
 
 		// Default TTL and size limit settings
-		DefaultTTL:  "0",       // No default TTL
+		DefaultTTL:  "0",     // No default TTL
-		MaxJSONSize: 1048576,   // 1MB default max JSON size
+		MaxJSONSize: 1048576, // 1MB default max JSON size
 
 		// Default rate limiting settings
 		RateLimitRequests: 100,  // 100 requests per window
@@ -57,11 +59,31 @@ func Default() *types.Config {
 		RevisionHistoryEnabled: true,
 
 		// Default anonymous access settings (both disabled by default for security)
-		AllowAnonymousRead:     false,
+		AllowAnonymousRead:  false,
-		AllowAnonymousWrite:    false,
+		AllowAnonymousWrite: false,
+
+		// Default cluster authentication settings (Issue #13)
+		ClusterSecret:        generateClusterSecret(),
+		ClusterTLSEnabled:    false,
+		ClusterTLSCertFile:   "",
+		ClusterTLSKeyFile:    "",
+		ClusterTLSSkipVerify: false,
 	}
 }
 
+// generateClusterSecret generates a cryptographically secure random cluster secret
+func generateClusterSecret() string {
+	// Generate 32 bytes (256 bits) of random data
+	randomBytes := make([]byte, 32)
+	if _, err := rand.Read(randomBytes); err != nil {
+		// Fallback to a warning - this should never happen in practice
+		fmt.Fprintf(os.Stderr, "Warning: Failed to generate secure cluster secret: %v\n", err)
+		return ""
+	}
+	// Encode as base64 for easy configuration file storage
+	return base64.StdEncoding.EncodeToString(randomBytes)
+}
+
 // Load configuration from file or create default
 func Load(configPath string) (*types.Config, error) {
 	config := Default()
@@ -94,5 +116,13 @@ func Load(configPath string) (*types.Config, error) {
 		return nil, fmt.Errorf("failed to parse config file: %v", err)
 	}
 
+	// Generate cluster secret if not provided and clustering is enabled (Issue #13)
+	if config.ClusteringEnabled && config.ClusterSecret == "" {
+		config.ClusterSecret = generateClusterSecret()
+		fmt.Printf("Warning: No cluster_secret configured. Generated a random secret.\n")
+		fmt.Printf("         To share this secret with other nodes, add it to your config:\n")
+		fmt.Printf("         cluster_secret: %s\n", config.ClusterSecret)
+	}
+
 	return config, nil
 }

integration_test.sh

@@ -125,6 +125,9 @@ EOF
 test_cluster_formation() {
     test_start "2-node cluster formation and Merkle Tree replication"
 
+    # Shared cluster secret for authentication (Issue #13)
+    local CLUSTER_SECRET="test-cluster-secret-12345678901234567890"
+
     # Node 1 config
     cat > cluster1.yaml <<EOF
 node_id: "cluster-1"
@@ -138,6 +141,7 @@ gossip_interval_max: 10
 sync_interval: 10
 allow_anonymous_read: true
 allow_anonymous_write: true
+cluster_secret: "$CLUSTER_SECRET"
 EOF
 
     # Node 2 config
@@ -153,6 +157,7 @@ gossip_interval_max: 10
 sync_interval: 10
 allow_anonymous_read: true
 allow_anonymous_write: true
+cluster_secret: "$CLUSTER_SECRET"
 EOF
     
     # Start nodes
@@ -239,6 +244,9 @@ test_conflict_resolution() {
     if go run test_conflict.go "$TEST_DIR/conflict1_data" "$TEST_DIR/conflict2_data"; then
         cd "$TEST_DIR"
 
+        # Shared cluster secret for authentication (Issue #13)
+        local CLUSTER_SECRET="conflict-cluster-secret-1234567890123"
+
         # Create configs
         cat > conflict1.yaml <<EOF
 node_id: "conflict-1"
@@ -250,6 +258,7 @@ log_level: "info"
 sync_interval: 3
 allow_anonymous_read: true
 allow_anonymous_write: true
+cluster_secret: "$CLUSTER_SECRET"
 EOF
 
         cat > conflict2.yaml <<EOF
@@ -262,6 +271,7 @@ log_level: "info"
 sync_interval: 3
 allow_anonymous_read: true
 allow_anonymous_write: true
+cluster_secret: "$CLUSTER_SECRET"
 EOF
         
         # Start nodes
@@ -434,6 +444,95 @@ EOF
     fi
 }
 
+# Test 6: Resource Metadata Management (Issue #12)
+test_metadata_management() {
+    test_start "Resource Metadata Management test (Issue #12)"
+
+    # Create metadata test config
+    cat > metadata_test.yaml <<EOF
+node_id: "metadata-test"
+bind_address: "127.0.0.1"
+port: 8096
+data_dir: "./metadata_test_data"
+seed_nodes: []
+log_level: "error"
+auth_enabled: true
+allow_anonymous_read: false
+allow_anonymous_write: false
+EOF
+
+    # Start node
+    $BINARY metadata_test.yaml >metadata_test.log 2>&1 &
+    local pid=$!
+
+    if wait_for_service 8096; then
+        sleep 2  # Allow root account creation
+
+        # Extract the token from logs
+        local token=$(grep "Token:" metadata_test.log | sed 's/.*Token: //' | tr -d '\n\r')
+
+        if [ -z "$token" ]; then
+            log_error "Failed to extract authentication token from logs"
+            kill $pid 2>/dev/null || true
+            return
+        fi
+
+        # First, create a KV resource
+        curl -s -X PUT http://localhost:8096/kv/test/resource -H "Content-Type: application/json" -H "Authorization: Bearer $token" -d '{"data":"test"}' >/dev/null
+        sleep 1
+
+        # Test 1: Get metadata should fail for non-existent metadata (initially no metadata exists)
+        local get_response=$(curl -s -w "\n%{http_code}" -X GET http://localhost:8096/kv/test/resource/metadata -H "Authorization: Bearer $token")
+        local get_body=$(echo "$get_response" | head -n -1)
+        local get_code=$(echo "$get_response" | tail -n 1)
+
+        if [ "$get_code" = "404" ]; then
+            log_success "GET metadata returns 404 for non-existent metadata"
+        else
+            log_error "GET metadata should return 404 for non-existent metadata, got code: $get_code, body: $get_body"
+        fi
+
+        # Test 2: Update metadata should create new metadata
+        local update_response=$(curl -s -X PUT http://localhost:8096/kv/test/resource/metadata -H "Content-Type: application/json" -H "Authorization: Bearer $token" -d '{"owner_uuid":"test-owner-123","permissions":3840}')
+        if echo "$update_response" | grep -q "owner_uuid"; then
+            log_success "PUT metadata creates metadata successfully"
+        else
+            log_error "PUT metadata should create metadata, got: $update_response"
+        fi
+
+        # Test 3: Get metadata should now return the created metadata
+        local get_response2=$(curl -s -X GET http://localhost:8096/kv/test/resource/metadata -H "Authorization: Bearer $token")
+        if echo "$get_response2" | grep -q "test-owner-123" && echo "$get_response2" | grep -q "3840"; then
+            log_success "GET metadata returns created metadata"
+        else
+            log_error "GET metadata should return created metadata, got: $get_response2"
+        fi
+
+        # Test 4: Update metadata should modify existing metadata
+        local update_response2=$(curl -s -X PUT http://localhost:8096/kv/test/resource/metadata -H "Content-Type: application/json" -H "Authorization: Bearer $token" -d '{"owner_uuid":"new-owner-456"}')
+        if echo "$update_response2" | grep -q "new-owner-456"; then
+            log_success "PUT metadata updates existing metadata"
+        else
+            log_error "PUT metadata should update metadata, got: $update_response2"
+        fi
+
+        # Test 5: Metadata endpoints should require authentication
+        local no_auth=$(curl -s -w "\n%{http_code}" -X GET http://localhost:8096/kv/test/resource/metadata)
+        local no_auth_code=$(echo "$no_auth" | tail -n 1)
+        if [ "$no_auth_code" = "401" ]; then
+            log_success "Metadata endpoints properly require authentication"
+        else
+            log_error "Metadata endpoints should require authentication, got code: $no_auth_code"
+        fi
+
+        kill $pid 2>/dev/null || true
+        sleep 2
+    else
+        log_error "Metadata test node failed to start"
+        kill $pid 2>/dev/null || true
+    fi
+}
+
 # Main test execution
 main() {
     echo "=================================================="
@@ -452,6 +551,7 @@ main() {
     test_cluster_formation
     test_conflict_resolution
     test_authentication_middleware
+    test_metadata_management
 
     # Results
     echo "=================================================="

main.go

@@ -11,7 +11,6 @@ import (
 	"kvs/server"
 )
 
-
 func main() {
 	configPath := "./config.yaml"
 

server/handlers.go

@@ -22,8 +22,6 @@ import (
 	"kvs/utils"
 )
 
-
-
 // healthHandler returns server health status
 func (s *Server) healthHandler(w http.ResponseWriter, r *http.Request) {
 	mode := s.getMode()
@@ -215,6 +213,104 @@ func (s *Server) deleteKVHandler(w http.ResponseWriter, r *http.Request) {
 	s.logger.WithField("path", path).Info("Value deleted")
 }
 
+// getResourceMetadataHandler retrieves metadata for a KV resource
+func (s *Server) getResourceMetadataHandler(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	path := vars["path"]
+
+	// Get metadata from storage
+	metadata, err := s.authService.GetResourceMetadata(path)
+	if err == badger.ErrKeyNotFound {
+		http.Error(w, "Not Found: No metadata exists for this resource", http.StatusNotFound)
+		return
+	}
+	if err != nil {
+		s.logger.WithError(err).WithField("path", path).Error("Failed to get resource metadata")
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		return
+	}
+
+	response := types.GetResourceMetadataResponse{
+		OwnerUUID:   metadata.OwnerUUID,
+		GroupUUID:   metadata.GroupUUID,
+		Permissions: metadata.Permissions,
+		TTL:         metadata.TTL,
+		CreatedAt:   metadata.CreatedAt,
+		UpdatedAt:   metadata.UpdatedAt,
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(response)
+}
+
+// updateResourceMetadataHandler updates metadata for a KV resource
+func (s *Server) updateResourceMetadataHandler(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	path := vars["path"]
+
+	// Parse request body
+	var req types.UpdateResourceMetadataRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Bad Request: Invalid JSON", http.StatusBadRequest)
+		return
+	}
+
+	// Get existing metadata or create new one
+	metadata, err := s.authService.GetResourceMetadata(path)
+	if err == badger.ErrKeyNotFound {
+		// Create new metadata with defaults
+		metadata = &types.ResourceMetadata{
+			OwnerUUID:   "",
+			GroupUUID:   "",
+			Permissions: types.DefaultPermissions,
+			TTL:         "",
+			CreatedAt:   time.Now().Unix(),
+			UpdatedAt:   time.Now().Unix(),
+		}
+	} else if err != nil {
+		s.logger.WithError(err).WithField("path", path).Error("Failed to get resource metadata")
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		return
+	}
+
+	// Update only provided fields
+	if req.OwnerUUID != nil {
+		metadata.OwnerUUID = *req.OwnerUUID
+	}
+	if req.GroupUUID != nil {
+		metadata.GroupUUID = *req.GroupUUID
+	}
+	if req.Permissions != nil {
+		metadata.Permissions = *req.Permissions
+	}
+	metadata.UpdatedAt = time.Now().Unix()
+
+	// Store updated metadata
+	if err := s.authService.SetResourceMetadata(path, metadata); err != nil {
+		s.logger.WithError(err).WithField("path", path).Error("Failed to update resource metadata")
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		return
+	}
+
+	response := types.GetResourceMetadataResponse{
+		OwnerUUID:   metadata.OwnerUUID,
+		GroupUUID:   metadata.GroupUUID,
+		Permissions: metadata.Permissions,
+		TTL:         metadata.TTL,
+		CreatedAt:   metadata.CreatedAt,
+		UpdatedAt:   metadata.UpdatedAt,
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(response)
+
+	s.logger.WithFields(logrus.Fields{
+		"path":       path,
+		"owner_uuid": metadata.OwnerUUID,
+		"group_uuid": metadata.GroupUUID,
+	}).Info("Resource metadata updated")
+}
+
 // isClusterMember checks if request is from a cluster member
 func (s *Server) isClusterMember(remoteAddr string) bool {
 	host, _, err := net.SplitHostPort(remoteAddr)
@@ -1271,3 +1367,29 @@ func (s *Server) getRevisionHistory(key string) ([]map[string]interface{}, error
 func (s *Server) getSpecificRevision(key string, revision int) (*types.StoredValue, error) {
 	return s.revisionService.GetSpecificRevision(key, revision)
 }
+
+// clusterBootstrapHandler provides the cluster secret to authenticated administrators (Issue #13)
+func (s *Server) clusterBootstrapHandler(w http.ResponseWriter, r *http.Request) {
+	// Ensure clustering is enabled
+	if !s.config.ClusteringEnabled {
+		http.Error(w, "Clustering is disabled", http.StatusServiceUnavailable)
+		return
+	}
+
+	// Ensure cluster secret is configured
+	if s.config.ClusterSecret == "" {
+		s.logger.Error("Cluster secret is not configured")
+		http.Error(w, "Cluster secret is not configured", http.StatusInternalServerError)
+		return
+	}
+
+	// Return the cluster secret for secure bootstrap
+	response := map[string]string{
+		"cluster_secret": s.config.ClusterSecret,
+	}
+
+	s.logger.WithField("remote_addr", r.RemoteAddr).Info("Cluster secret retrieved for bootstrap")
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(response)
+}

server/routes.go

@@ -1,6 +1,8 @@
 package server
 
 import (
+	"net/http"
+
 	"github.com/gorilla/mux"
 )
 
@@ -11,6 +13,18 @@ func (s *Server) setupRoutes() *mux.Router {
 	// Health endpoint (always available)
 	router.HandleFunc("/health", s.healthHandler).Methods("GET")
 
+	// Resource Metadata Management endpoints (Issue #12) - Must come BEFORE general KV routes
+	// These need to be registered first to prevent /kv/{path:.+} from matching metadata paths
+	if s.config.AuthEnabled {
+		router.Handle("/kv/{path:.+}/metadata", s.authService.Middleware(
+			[]string{"admin:users:read"}, nil, "",
+		)(s.getResourceMetadataHandler)).Methods("GET")
+
+		router.Handle("/kv/{path:.+}/metadata", s.authService.Middleware(
+			[]string{"admin:users:update"}, nil, "",
+		)(s.updateResourceMetadataHandler)).Methods("PUT")
+	}
+
 	// KV endpoints (with conditional authentication based on anonymous access settings)
 	// GET endpoint - require auth if anonymous read is disabled
 	if s.config.AuthEnabled && !s.config.AllowAnonymousRead {
@@ -41,16 +55,32 @@ func (s *Server) setupRoutes() *mux.Router {
 
 	// Member endpoints (available when clustering is enabled)
 	if s.config.ClusteringEnabled {
+		// GET /members/ is unprotected for monitoring/inspection
 		router.HandleFunc("/members/", s.getMembersHandler).Methods("GET")
-		router.HandleFunc("/members/join", s.joinMemberHandler).Methods("POST")
-		router.HandleFunc("/members/leave", s.leaveMemberHandler).Methods("DELETE")
-		router.HandleFunc("/members/gossip", s.gossipHandler).Methods("POST")
-		router.HandleFunc("/members/pairs_by_time", s.pairsByTimeHandler).Methods("POST")
 
-		// Merkle Tree endpoints (clustering feature)
+		// Apply cluster authentication middleware to all cluster communication endpoints
-		router.HandleFunc("/merkle_tree/root", s.getMerkleRootHandler).Methods("GET")
+		if s.clusterAuthService != nil {
-		router.HandleFunc("/merkle_tree/diff", s.getMerkleDiffHandler).Methods("POST")
+			router.Handle("/members/join", s.clusterAuthService.Middleware(http.HandlerFunc(s.joinMemberHandler))).Methods("POST")
-		router.HandleFunc("/kv_range", s.getKVRangeHandler).Methods("POST")
+			router.Handle("/members/leave", s.clusterAuthService.Middleware(http.HandlerFunc(s.leaveMemberHandler))).Methods("DELETE")
+			router.Handle("/members/gossip", s.clusterAuthService.Middleware(http.HandlerFunc(s.gossipHandler))).Methods("POST")
+			router.Handle("/members/pairs_by_time", s.clusterAuthService.Middleware(http.HandlerFunc(s.pairsByTimeHandler))).Methods("POST")
+
+			// Merkle Tree endpoints (clustering feature)
+			router.Handle("/merkle_tree/root", s.clusterAuthService.Middleware(http.HandlerFunc(s.getMerkleRootHandler))).Methods("GET")
+			router.Handle("/merkle_tree/diff", s.clusterAuthService.Middleware(http.HandlerFunc(s.getMerkleDiffHandler))).Methods("POST")
+			router.Handle("/kv_range", s.clusterAuthService.Middleware(http.HandlerFunc(s.getKVRangeHandler))).Methods("POST")
+		} else {
+			// Fallback to unprotected endpoints (for backwards compatibility)
+			router.HandleFunc("/members/join", s.joinMemberHandler).Methods("POST")
+			router.HandleFunc("/members/leave", s.leaveMemberHandler).Methods("DELETE")
+			router.HandleFunc("/members/gossip", s.gossipHandler).Methods("POST")
+			router.HandleFunc("/members/pairs_by_time", s.pairsByTimeHandler).Methods("POST")
+
+			// Merkle Tree endpoints (clustering feature)
+			router.HandleFunc("/merkle_tree/root", s.getMerkleRootHandler).Methods("GET")
+			router.HandleFunc("/merkle_tree/diff", s.getMerkleDiffHandler).Methods("POST")
+			router.HandleFunc("/kv_range", s.getKVRangeHandler).Methods("POST")
+		}
 	}
 
 	// Authentication and user management endpoints (available when auth is enabled)
@@ -93,6 +123,12 @@ func (s *Server) setupRoutes() *mux.Router {
 		router.Handle("/api/tokens", s.authService.Middleware(
 			[]string{"admin:tokens:create"}, nil, "",
 		)(s.createTokenHandler)).Methods("POST")
+
+		// Cluster Bootstrap endpoint (Issue #13) - Protected by JWT authentication
+		// Allows authenticated administrators to retrieve the cluster secret for new nodes
+		router.Handle("/auth/cluster-bootstrap", s.authService.Middleware(
+			[]string{"admin:tokens:create"}, nil, "",
+		)(s.clusterBootstrapHandler)).Methods("GET")
 	}
 
 	// Revision History endpoints (available when revision history is enabled)

server/server.go

@@ -50,7 +50,8 @@ type Server struct {
 	backupMu      sync.RWMutex       // Protects backup status
 
 	// Authentication service
-	authService *auth.AuthService
+	authService        *auth.AuthService
+	clusterAuthService *auth.ClusterAuthService
 }
 
 // NewServer initializes and returns a new Server instance
@@ -120,6 +121,11 @@ func NewServer(config *types.Config) (*Server, error) {
 	// Initialize authentication service
 	server.authService = auth.NewAuthService(db, logger, config)
 
+	// Initialize cluster authentication service (Issue #13)
+	if config.ClusteringEnabled {
+		server.clusterAuthService = auth.NewClusterAuthService(config.ClusterSecret, logger)
+	}
+
 	// Setup initial root account if needed (Issue #3)
 	if config.AuthEnabled {
 		if err := server.setupRootAccount(); err != nil {
@@ -269,10 +275,10 @@ func (s *Server) createRootUserAndToken() error {
 
 	// Log the token securely (one-time display)
 	s.logger.WithFields(logrus.Fields{
-		"user_uuid":    rootUserUUID,
+		"user_uuid":  rootUserUUID,
-		"group_uuid":   adminGroupUUID,
+		"group_uuid": adminGroupUUID,
-		"expires_at":   time.Unix(expiresAt, 0).Format(time.RFC3339),
+		"expires_at": time.Unix(expiresAt, 0).Format(time.RFC3339),
-		"expires_in":   "24 hours",
+		"expires_in": "24 hours",
 	}).Warn("Root account created - SAVE THIS TOKEN:")
 
 	// Display token prominently
@@ -327,4 +333,3 @@ func (s *Server) storeUserAndGroup(user *types.User, group *types.Group) error {
 		return nil
 	})
 }
-

storage/storage.go

@@ -12,10 +12,10 @@ import (
 
 // StorageService handles all BadgerDB operations and data management
 type StorageService struct {
-	db               *badger.DB
+	db             *badger.DB
-	config           *types.Config
+	config         *types.Config
-	compressionSvc   *CompressionService
+	compressionSvc *CompressionService
-	logger           *logrus.Logger
+	logger         *logrus.Logger
 }
 
 // NewStorageService creates a new storage service

types/types.go

@@ -13,20 +13,20 @@ type StoredValue struct {
 
 // User represents a system user
 type User struct {
-	UUID         string   `json:"uuid"`         // Server-generated UUID
+	UUID         string   `json:"uuid"`          // Server-generated UUID
 	NicknameHash string   `json:"nickname_hash"` // SHA3-512 hash of nickname
-	Groups       []string `json:"groups"`       // List of group UUIDs this user belongs to
+	Groups       []string `json:"groups"`        // List of group UUIDs this user belongs to
-	CreatedAt    int64    `json:"created_at"`   // Unix timestamp
+	CreatedAt    int64    `json:"created_at"`    // Unix timestamp
-	UpdatedAt    int64    `json:"updated_at"`   // Unix timestamp
+	UpdatedAt    int64    `json:"updated_at"`    // Unix timestamp
 }
 
 // Group represents a user group
 type Group struct {
-	UUID        string   `json:"uuid"`        // Server-generated UUID
+	UUID      string   `json:"uuid"`       // Server-generated UUID
-	NameHash    string   `json:"name_hash"`   // SHA3-512 hash of group name
+	NameHash  string   `json:"name_hash"`  // SHA3-512 hash of group name
-	Members     []string `json:"members"`     // List of user UUIDs in this group
+	Members   []string `json:"members"`    // List of user UUIDs in this group
-	CreatedAt   int64    `json:"created_at"`  // Unix timestamp
+	CreatedAt int64    `json:"created_at"` // Unix timestamp
-	UpdatedAt   int64    `json:"updated_at"`  // Unix timestamp
+	UpdatedAt int64    `json:"updated_at"` // Unix timestamp
 }
 
 // APIToken represents a JWT authentication token
@@ -40,12 +40,12 @@ type APIToken struct {
 
 // ResourceMetadata contains ownership and permission information for stored resources
 type ResourceMetadata struct {
-	OwnerUUID   string `json:"owner_uuid"`   // UUID of the resource owner
+	OwnerUUID   string `json:"owner_uuid"`  // UUID of the resource owner
-	GroupUUID   string `json:"group_uuid"`   // UUID of the resource group
+	GroupUUID   string `json:"group_uuid"`  // UUID of the resource group
-	Permissions int    `json:"permissions"`  // 12-bit permission mask (POSIX-inspired)
+	Permissions int    `json:"permissions"` // 12-bit permission mask (POSIX-inspired)
-	TTL         string `json:"ttl"`          // Time-to-live duration (Go format)
+	TTL         string `json:"ttl"`         // Time-to-live duration (Go format)
-	CreatedAt   int64  `json:"created_at"`   // Unix timestamp when resource was created
+	CreatedAt   int64  `json:"created_at"`  // Unix timestamp when resource was created
-	UpdatedAt   int64  `json:"updated_at"`   // Unix timestamp when resource was last updated
+	UpdatedAt   int64  `json:"updated_at"`  // Unix timestamp when resource was last updated
 }
 
 // Permission constants for POSIX-inspired ACL
@@ -131,6 +131,22 @@ type CreateTokenResponse struct {
 	ExpiresAt int64  `json:"expires_at"`
 }
 
+// Resource Metadata Management API structures (Issue #12)
+type GetResourceMetadataResponse struct {
+	OwnerUUID   string `json:"owner_uuid"`
+	GroupUUID   string `json:"group_uuid"`
+	Permissions int    `json:"permissions"`
+	TTL         string `json:"ttl"`
+	CreatedAt   int64  `json:"created_at"`
+	UpdatedAt   int64  `json:"updated_at"`
+}
+
+type UpdateResourceMetadataRequest struct {
+	OwnerUUID   *string `json:"owner_uuid,omitempty"`
+	GroupUUID   *string `json:"group_uuid,omitempty"`
+	Permissions *int    `json:"permissions,omitempty"`
+}
+
 // Cluster and member management types
 type Member struct {
 	ID              string `json:"id"`
@@ -231,28 +247,28 @@ type KVRangeResponse struct {
 
 // Configuration
 type Config struct {
-	NodeID             string   `yaml:"node_id"`
+	NodeID               string   `yaml:"node_id"`
-	BindAddress        string   `yaml:"bind_address"`
+	BindAddress          string   `yaml:"bind_address"`
-	Port               int      `yaml:"port"`
+	Port                 int      `yaml:"port"`
-	DataDir            string   `yaml:"data_dir"`
+	DataDir              string   `yaml:"data_dir"`
-	SeedNodes          []string `yaml:"seed_nodes"`
+	SeedNodes            []string `yaml:"seed_nodes"`
-	ReadOnly           bool     `yaml:"read_only"`
+	ReadOnly             bool     `yaml:"read_only"`
-	LogLevel           string   `yaml:"log_level"`
+	LogLevel             string   `yaml:"log_level"`
-	GossipIntervalMin  int      `yaml:"gossip_interval_min"`
+	GossipIntervalMin    int      `yaml:"gossip_interval_min"`
-	GossipIntervalMax  int      `yaml:"gossip_interval_max"`
+	GossipIntervalMax    int      `yaml:"gossip_interval_max"`
-	SyncInterval       int      `yaml:"sync_interval"`
+	SyncInterval         int      `yaml:"sync_interval"`
-	CatchupInterval    int      `yaml:"catchup_interval"`
+	CatchupInterval      int      `yaml:"catchup_interval"`
-	BootstrapMaxAgeHours int    `yaml:"bootstrap_max_age_hours"`
+	BootstrapMaxAgeHours int      `yaml:"bootstrap_max_age_hours"`
-	ThrottleDelayMs    int      `yaml:"throttle_delay_ms"`
+	ThrottleDelayMs      int      `yaml:"throttle_delay_ms"`
-	FetchDelayMs       int      `yaml:"fetch_delay_ms"`
+	FetchDelayMs         int      `yaml:"fetch_delay_ms"`
 
 	// Database compression configuration
 	CompressionEnabled bool `yaml:"compression_enabled"`
 	CompressionLevel   int  `yaml:"compression_level"`
 
 	// TTL configuration
-	DefaultTTL    string `yaml:"default_ttl"`      // Go duration format, "0" means no default TTL
+	DefaultTTL  string `yaml:"default_ttl"`   // Go duration format, "0" means no default TTL
-	MaxJSONSize   int    `yaml:"max_json_size"`    // Maximum JSON size in bytes
+	MaxJSONSize int    `yaml:"max_json_size"` // Maximum JSON size in bytes
 
 	// Rate limiting configuration
 	RateLimitRequests int    `yaml:"rate_limit_requests"` // Max requests per window
@@ -262,10 +278,10 @@ type Config struct {
 	TamperLogActions []string `yaml:"tamper_log_actions"` // Actions to log
 
 	// Backup system configuration
-	BackupEnabled   bool   `yaml:"backup_enabled"`    // Enable/disable automated backups
+	BackupEnabled   bool   `yaml:"backup_enabled"`   // Enable/disable automated backups
-	BackupSchedule  string `yaml:"backup_schedule"`   // Cron schedule format
+	BackupSchedule  string `yaml:"backup_schedule"`  // Cron schedule format
-	BackupPath      string `yaml:"backup_path"`       // Directory to store backups
+	BackupPath      string `yaml:"backup_path"`      // Directory to store backups
-	BackupRetention int    `yaml:"backup_retention"`  // Days to keep backups
+	BackupRetention int    `yaml:"backup_retention"` // Days to keep backups
 
 	// Feature toggles for optional functionalities
 	AuthEnabled            bool `yaml:"auth_enabled"`             // Enable/disable authentication system
@@ -275,6 +291,13 @@ type Config struct {
 	RevisionHistoryEnabled bool `yaml:"revision_history_enabled"` // Enable/disable revision history
 
 	// Anonymous access control (Issue #5)
-	AllowAnonymousRead     bool `yaml:"allow_anonymous_read"`     // Allow unauthenticated read access to KV endpoints
+	AllowAnonymousRead  bool `yaml:"allow_anonymous_read"`  // Allow unauthenticated read access to KV endpoints
-	AllowAnonymousWrite    bool `yaml:"allow_anonymous_write"`    // Allow unauthenticated write access to KV endpoints
+	AllowAnonymousWrite bool `yaml:"allow_anonymous_write"` // Allow unauthenticated write access to KV endpoints
+
+	// Cluster authentication (Issue #13)
+	ClusterSecret        string `yaml:"cluster_secret"`          // Shared secret for cluster authentication (auto-generated if empty)
+	ClusterTLSEnabled    bool   `yaml:"cluster_tls_enabled"`     // Require TLS for inter-node communication
+	ClusterTLSCertFile   string `yaml:"cluster_tls_cert_file"`   // Path to TLS certificate file
+	ClusterTLSKeyFile    string `yaml:"cluster_tls_key_file"`    // Path to TLS private key file
+	ClusterTLSSkipVerify bool   `yaml:"cluster_tls_skip_verify"` // Skip TLS verification (insecure, for testing only)
 }