Add API endpoints for resource metadata management (ownership & permissions)

New types: UpdateResourceMetadataRequest and GetResourceMetadataResponse in types.go
    AuthService methods: StoreResourceMetadata and GetResourceMetadata in auth/auth.go
    Handlers: getResourceMetadataHandler and updateResourceMetadataHandler in server/handlers.go
    Routes: /kv/{path}/metadata (GET for read, PUT for update) with auth middleware in server/routes.go

Enables fine-grained control over KV path ownership, group assignments, and POSIX-inspired permissions.

auth/auth.go

@@ -228,3 +228,43 @@ func (s *AuthService) HasUsers() (bool, error) {
 	
 	return hasUsers, err
 }
+
+// StoreResourceMetadata stores or updates resource metadata in BadgerDB
+func (s *AuthService) StoreResourceMetadata(path string, metadata *types.ResourceMetadata) error {
+	now := time.Now().Unix()
+	if metadata.CreatedAt == 0 {
+		metadata.CreatedAt = now
+	}
+	metadata.UpdatedAt = now
+
+	metadataData, err := json.Marshal(metadata)
+	if err != nil {
+		return err
+	}
+
+	return s.db.Update(func(txn *badger.Txn) error {
+		return txn.Set([]byte(ResourceMetadataKey(path)), metadataData)
+	})
+}
+
+// GetResourceMetadata retrieves resource metadata from BadgerDB
+func (s *AuthService) GetResourceMetadata(path string) (*types.ResourceMetadata, error) {
+	var metadata types.ResourceMetadata
+	
+	err := s.db.View(func(txn *badger.Txn) error {
+		item, err := txn.Get([]byte(ResourceMetadataKey(path)))
+		if err != nil {
+			return err
+		}
+
+		return item.Value(func(val []byte) error {
+			return json.Unmarshal(val, &metadata)
+		})
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &metadata, nil
+}

auth/cluster.go

@@ -1,77 +0,0 @@
-package auth
-
-import (
-	"net/http"
-
-	"github.com/sirupsen/logrus"
-)
-
-// ClusterAuthService handles authentication for inter-cluster communication
-type ClusterAuthService struct {
-	clusterSecret string
-	logger        *logrus.Logger
-}
-
-// NewClusterAuthService creates a new cluster authentication service
-func NewClusterAuthService(clusterSecret string, logger *logrus.Logger) *ClusterAuthService {
-	return &ClusterAuthService{
-		clusterSecret: clusterSecret,
-		logger:        logger,
-	}
-}
-
-// Middleware validates cluster authentication headers
-func (s *ClusterAuthService) Middleware(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Extract authentication headers
-		clusterSecret := r.Header.Get("X-Cluster-Secret")
-		nodeID := r.Header.Get("X-Node-ID")
-
-		// Log authentication attempt
-		s.logger.WithFields(logrus.Fields{
-			"node_id":     nodeID,
-			"remote_addr": r.RemoteAddr,
-			"path":        r.URL.Path,
-			"method":      r.Method,
-		}).Debug("Cluster authentication attempt")
-
-		// Validate cluster secret
-		if clusterSecret == "" {
-			s.logger.WithFields(logrus.Fields{
-				"node_id":     nodeID,
-				"remote_addr": r.RemoteAddr,
-				"path":        r.URL.Path,
-			}).Warn("Missing X-Cluster-Secret header")
-			http.Error(w, "Unauthorized: Missing cluster secret", http.StatusUnauthorized)
-			return
-		}
-
-		if clusterSecret != s.clusterSecret {
-			s.logger.WithFields(logrus.Fields{
-				"node_id":     nodeID,
-				"remote_addr": r.RemoteAddr,
-				"path":        r.URL.Path,
-			}).Warn("Invalid cluster secret")
-			http.Error(w, "Unauthorized: Invalid cluster secret", http.StatusUnauthorized)
-			return
-		}
-
-		// Validate node ID is present
-		if nodeID == "" {
-			s.logger.WithFields(logrus.Fields{
-				"remote_addr": r.RemoteAddr,
-				"path":        r.URL.Path,
-			}).Warn("Missing X-Node-ID header")
-			http.Error(w, "Unauthorized: Missing node ID", http.StatusUnauthorized)
-			return
-		}
-
-		// Authentication successful
-		s.logger.WithFields(logrus.Fields{
-			"node_id": nodeID,
-			"path":    r.URL.Path,
-		}).Debug("Cluster authentication successful")
-
-		next.ServeHTTP(w, r)
-	})
-}

cluster/bootstrap.go

@@ -82,19 +82,10 @@ func (s *BootstrapService) attemptJoin(seedAddr string) bool {
 		return false
 	}
 
-	client := NewAuthenticatedHTTPClient(s.config, 10*time.Second)
-	protocol := GetProtocol(s.config)
-	url := fmt.Sprintf("%s://%s/members/join", protocol, seedAddr)
+	client := &http.Client{Timeout: 10 * time.Second}
+	url := fmt.Sprintf("http://%s/members/join", seedAddr)
 
-	req, err := http.NewRequest("POST", url, bytes.NewBuffer(jsonData))
-	if err != nil {
-		s.logger.WithError(err).Error("Failed to create join request")
-		return false
-	}
-	req.Header.Set("Content-Type", "application/json")
-	AddClusterAuthHeaders(req, s.config)
-
-	resp, err := client.Do(req)
+	resp, err := client.Post(url, "application/json", bytes.NewBuffer(jsonData))
 	if err != nil {
 		s.logger.WithFields(logrus.Fields{
 			"seed":  seedAddr,

cluster/gossip.go

@@ -181,20 +181,11 @@ func (s *GossipService) gossipWithPeer(peer *types.Member) error {
 		return err
 	}
 
-	// Send HTTP request to peer with cluster authentication
-	client := NewAuthenticatedHTTPClient(s.config, 5*time.Second)
-	protocol := GetProtocol(s.config)
-	url := fmt.Sprintf("%s://%s/members/gossip", protocol, peer.Address)
+	// Send HTTP request to peer
+	client := &http.Client{Timeout: 5 * time.Second}
+	url := fmt.Sprintf("http://%s/members/gossip", peer.Address)
 
-	req, err := http.NewRequest("POST", url, bytes.NewBuffer(jsonData))
-	if err != nil {
-		s.logger.WithError(err).Error("Failed to create gossip request")
-		return err
-	}
-	req.Header.Set("Content-Type", "application/json")
-	AddClusterAuthHeaders(req, s.config)
-
-	resp, err := client.Do(req)
+	resp, err := client.Post(url, "application/json", bytes.NewBuffer(jsonData))
 	if err != nil {
 		s.logger.WithFields(logrus.Fields{
 			"peer":  peer.Address,

cluster/http_client.go

@@ -1,43 +0,0 @@
-package cluster
-
-import (
-	"crypto/tls"
-	"net/http"
-	"time"
-
-	"kvs/types"
-)
-
-// NewAuthenticatedHTTPClient creates an HTTP client configured for cluster authentication
-func NewAuthenticatedHTTPClient(config *types.Config, timeout time.Duration) *http.Client {
-	client := &http.Client{
-		Timeout: timeout,
-	}
-
-	// Configure TLS if enabled
-	if config.ClusterTLSEnabled {
-		tlsConfig := &tls.Config{
-			InsecureSkipVerify: config.ClusterTLSSkipVerify,
-		}
-
-		client.Transport = &http.Transport{
-			TLSClientConfig: tlsConfig,
-		}
-	}
-
-	return client
-}
-
-// AddClusterAuthHeaders adds authentication headers to an HTTP request
-func AddClusterAuthHeaders(req *http.Request, config *types.Config) {
-	req.Header.Set("X-Cluster-Secret", config.ClusterSecret)
-	req.Header.Set("X-Node-ID", config.NodeID)
-}
-
-// GetProtocol returns the appropriate protocol (http or https) based on TLS configuration
-func GetProtocol(config *types.Config) string {
-	if config.ClusterTLSEnabled {
-		return "https"
-	}
-	return "http"
-}

cluster/sync.go

@@ -186,17 +186,10 @@ func (s *SyncService) performMerkleSync() {
 
 // requestMerkleRoot requests the Merkle root from a peer
 func (s *SyncService) requestMerkleRoot(peerAddress string) (*types.MerkleRootResponse, error) {
-	client := NewAuthenticatedHTTPClient(s.config, 10*time.Second)
-	protocol := GetProtocol(s.config)
-	url := fmt.Sprintf("%s://%s/merkle_tree/root", protocol, peerAddress)
+	client := &http.Client{Timeout: 10 * time.Second}
+	url := fmt.Sprintf("http://%s/merkle_tree/root", peerAddress)
 
-	req, err := http.NewRequest("GET", url, nil)
-	if err != nil {
-		return nil, err
-	}
-	AddClusterAuthHeaders(req, s.config)
-
-	resp, err := client.Do(req)
+	resp, err := client.Get(url)
 	if err != nil {
 		return nil, err
 	}
@@ -301,17 +294,10 @@ func (s *SyncService) handleLeafLevelDiff(peerAddress string, keys []string, loc
 
 // fetchSingleKVFromPeer fetches a single KV pair from a peer
 func (s *SyncService) fetchSingleKVFromPeer(peerAddress, path string) (*types.StoredValue, error) {
-	client := NewAuthenticatedHTTPClient(s.config, 5*time.Second)
-	protocol := GetProtocol(s.config)
-	url := fmt.Sprintf("%s://%s/kv/%s", protocol, peerAddress, path)
+	client := &http.Client{Timeout: 5 * time.Second}
+	url := fmt.Sprintf("http://%s/kv/%s", peerAddress, path)
 
-	req, err := http.NewRequest("GET", url, nil)
-	if err != nil {
-		return nil, err
-	}
-	AddClusterAuthHeaders(req, s.config)
-
-	resp, err := client.Do(req)
+	resp, err := client.Get(url)
 	if err != nil {
 		return nil, err
 	}
@@ -475,24 +461,16 @@ func (s *SyncService) resolveConflict(key string, local, remote *types.StoredVal
 }
 
 // requestMerkleDiff requests children hashes or keys for a given node/range from a peer
-func (s *SyncService) requestMerkleDiff(peerAddress string, reqData types.MerkleTreeDiffRequest) (*types.MerkleTreeDiffResponse, error) {
-	jsonData, err := json.Marshal(reqData)
+func (s *SyncService) requestMerkleDiff(peerAddress string, req types.MerkleTreeDiffRequest) (*types.MerkleTreeDiffResponse, error) {
+	jsonData, err := json.Marshal(req)
 	if err != nil {
 		return nil, err
 	}
 
-	client := NewAuthenticatedHTTPClient(s.config, 10*time.Second)
-	protocol := GetProtocol(s.config)
-	url := fmt.Sprintf("%s://%s/merkle_tree/diff", protocol, peerAddress)
+	client := &http.Client{Timeout: 10 * time.Second}
+	url := fmt.Sprintf("http://%s/merkle_tree/diff", peerAddress)
 
-	req, err := http.NewRequest("POST", url, bytes.NewBuffer(jsonData))
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Content-Type", "application/json")
-	AddClusterAuthHeaders(req, s.config)
-
-	resp, err := client.Do(req)
+	resp, err := client.Post(url, "application/json", bytes.NewBuffer(jsonData))
 	if err != nil {
 		return nil, err
 	}
@@ -547,28 +525,20 @@ func (s *SyncService) handleChildrenDiff(peerAddress string, children []types.Me
 
 // fetchAndStoreRange fetches a range of KV pairs from a peer and stores them locally
 func (s *SyncService) fetchAndStoreRange(peerAddress string, startKey, endKey string) error {
-	reqData := types.KVRangeRequest{
+	req := types.KVRangeRequest{
 		StartKey: startKey,
 		EndKey:   endKey,
 		Limit:    0, // No limit
 	}
-	jsonData, err := json.Marshal(reqData)
+	jsonData, err := json.Marshal(req)
 	if err != nil {
 		return err
 	}
 
-	client := NewAuthenticatedHTTPClient(s.config, 30*time.Second) // Longer timeout for range fetches
-	protocol := GetProtocol(s.config)
-	url := fmt.Sprintf("%s://%s/kv_range", protocol, peerAddress)
+	client := &http.Client{Timeout: 30 * time.Second} // Longer timeout for range fetches
+	url := fmt.Sprintf("http://%s/kv_range", peerAddress)
 
-	req, err := http.NewRequest("POST", url, bytes.NewBuffer(jsonData))
-	if err != nil {
-		return err
-	}
-	req.Header.Set("Content-Type", "application/json")
-	AddClusterAuthHeaders(req, s.config)
-
-	resp, err := client.Do(req)
+	resp, err := client.Post(url, "application/json", bytes.NewBuffer(jsonData))
 	if err != nil {
 		return err
 	}

config/config.go

@@ -1,14 +1,12 @@
 package config
 
 import (
-	"crypto/rand"
-	"encoding/base64"
 	"fmt"
 	"os"
 	"path/filepath"
 
-	"gopkg.in/yaml.v3"
 	"kvs/types"
+	"gopkg.in/yaml.v3"
 )
 
 // Default configuration
@@ -61,29 +59,9 @@ func Default() *types.Config {
 		// Default anonymous access settings (both disabled by default for security)
 		AllowAnonymousRead:     false,
 		AllowAnonymousWrite:    false,
-
-		// Default cluster authentication settings (Issue #13)
-		ClusterSecret:        generateClusterSecret(),
-		ClusterTLSEnabled:    false,
-		ClusterTLSCertFile:   "",
-		ClusterTLSKeyFile:    "",
-		ClusterTLSSkipVerify: false,
 	}
 }
 
-// generateClusterSecret generates a cryptographically secure random cluster secret
-func generateClusterSecret() string {
-	// Generate 32 bytes (256 bits) of random data
-	randomBytes := make([]byte, 32)
-	if _, err := rand.Read(randomBytes); err != nil {
-		// Fallback to a warning - this should never happen in practice
-		fmt.Fprintf(os.Stderr, "Warning: Failed to generate secure cluster secret: %v\n", err)
-		return ""
-	}
-	// Encode as base64 for easy configuration file storage
-	return base64.StdEncoding.EncodeToString(randomBytes)
-}
-
 // Load configuration from file or create default
 func Load(configPath string) (*types.Config, error) {
 	config := Default()
@@ -116,13 +94,5 @@ func Load(configPath string) (*types.Config, error) {
 		return nil, fmt.Errorf("failed to parse config file: %v", err)
 	}
 
-	// Generate cluster secret if not provided and clustering is enabled (Issue #13)
-	if config.ClusteringEnabled && config.ClusterSecret == "" {
-		config.ClusterSecret = generateClusterSecret()
-		fmt.Printf("Warning: No cluster_secret configured. Generated a random secret.\n")
-		fmt.Printf("         To share this secret with other nodes, add it to your config:\n")
-		fmt.Printf("         cluster_secret: %s\n", config.ClusterSecret)
-	}
-
 	return config, nil
 }

integration_test.sh

@@ -125,9 +125,6 @@ EOF
 test_cluster_formation() {
     test_start "2-node cluster formation and Merkle Tree replication"
     
-    # Shared cluster secret for authentication (Issue #13)
-    local CLUSTER_SECRET="test-cluster-secret-12345678901234567890"
-
     # Node 1 config
     cat > cluster1.yaml <<EOF
 node_id: "cluster-1"
@@ -141,7 +138,6 @@ gossip_interval_max: 10
 sync_interval: 10
 allow_anonymous_read: true
 allow_anonymous_write: true
-cluster_secret: "$CLUSTER_SECRET"
 EOF
     
     # Node 2 config
@@ -157,7 +153,6 @@ gossip_interval_max: 10
 sync_interval: 10
 allow_anonymous_read: true
 allow_anonymous_write: true
-cluster_secret: "$CLUSTER_SECRET"
 EOF
     
     # Start nodes
@@ -244,9 +239,6 @@ test_conflict_resolution() {
     if go run test_conflict.go "$TEST_DIR/conflict1_data" "$TEST_DIR/conflict2_data"; then
         cd "$TEST_DIR"
         
-        # Shared cluster secret for authentication (Issue #13)
-        local CLUSTER_SECRET="conflict-cluster-secret-1234567890123"
-
         # Create configs
         cat > conflict1.yaml <<EOF
 node_id: "conflict-1"
@@ -258,7 +250,6 @@ log_level: "info"
 sync_interval: 3
 allow_anonymous_read: true
 allow_anonymous_write: true
-cluster_secret: "$CLUSTER_SECRET"
 EOF
         
         cat > conflict2.yaml <<EOF
@@ -271,7 +262,6 @@ log_level: "info"
 sync_interval: 3
 allow_anonymous_read: true
 allow_anonymous_write: true
-cluster_secret: "$CLUSTER_SECRET"
 EOF
         
         # Start nodes

main.go

@@ -11,6 +11,7 @@ import (
 	"kvs/server"
 )
 
+
 func main() {
 	configPath := "./config.yaml"
 

server/handlers.go

@@ -22,6 +22,8 @@ import (
 	"kvs/utils"
 )
 
+
+
 // healthHandler returns server health status
 func (s *Server) healthHandler(w http.ResponseWriter, r *http.Request) {
 	mode := s.getMode()
@@ -1270,28 +1272,141 @@ func (s *Server) getSpecificRevision(key string, revision int) (*types.StoredVal
 	return s.revisionService.GetSpecificRevision(key, revision)
 }
 
-// clusterBootstrapHandler provides the cluster secret to authenticated administrators (Issue #13)
-func (s *Server) clusterBootstrapHandler(w http.ResponseWriter, r *http.Request) {
-	// Ensure clustering is enabled
-	if !s.config.ClusteringEnabled {
-		http.Error(w, "Clustering is disabled", http.StatusServiceUnavailable)
+// getResourceMetadataHandler retrieves metadata for a resource path
+func (s *Server) getResourceMetadataHandler(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	path := vars["path"]
+
+	authCtx := auth.GetAuthContext(r.Context())
+	if authCtx == nil {
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
 		return
 	}
 
-	// Ensure cluster secret is configured
-	if s.config.ClusterSecret == "" {
-		s.logger.Error("Cluster secret is not configured")
-		http.Error(w, "Cluster secret is not configured", http.StatusInternalServerError)
+	// Check read permission on the resource
+	if !s.authService.CheckResourcePermission(authCtx, path, "read") {
+		http.Error(w, "Forbidden", http.StatusForbidden)
 		return
 	}
 
-	// Return the cluster secret for secure bootstrap
-	response := map[string]string{
-		"cluster_secret": s.config.ClusterSecret,
+	metadata, err := s.authService.GetResourceMetadata(path)
+	if err == badger.ErrKeyNotFound {
+		// Return default metadata if not found
+		defaultMetadata := types.ResourceMetadata{
+			OwnerUUID:   authCtx.UserUUID,
+			GroupUUID:   "",
+			Permissions: types.DefaultPermissions,
+			CreatedAt:   time.Now().Unix(),
+			UpdatedAt:   time.Now().Unix(),
+		}
+		metadata = &defaultMetadata
+	} else if err != nil {
+		s.logger.WithError(err).WithField("path", path).Error("Failed to get resource metadata")
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		return
 	}
 
-	s.logger.WithField("remote_addr", r.RemoteAddr).Info("Cluster secret retrieved for bootstrap")
+	response := types.GetResourceMetadataResponse{
+		OwnerUUID:   metadata.OwnerUUID,
+		GroupUUID:   metadata.GroupUUID,
+		Permissions: metadata.Permissions,
+		TTL:         metadata.TTL,
+		CreatedAt:   metadata.CreatedAt,
+		UpdatedAt:   metadata.UpdatedAt,
+	}
 
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(response)
 }
+
+// updateResourceMetadataHandler updates metadata for a resource path
+func (s *Server) updateResourceMetadataHandler(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	path := vars["path"]
+
+	authCtx := auth.GetAuthContext(r.Context())
+	if authCtx == nil {
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	// Check write permission on the resource (owner write required for metadata changes)
+	if !s.authService.CheckResourcePermission(authCtx, path, "write") {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+		return
+	}
+
+	var req types.UpdateResourceMetadataRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Bad Request", http.StatusBadRequest)
+		return
+	}
+
+	// Get current metadata (or default if not exists)
+	currentMetadata, err := s.authService.GetResourceMetadata(path)
+	if err == badger.ErrKeyNotFound {
+		currentMetadata = &types.ResourceMetadata{
+			OwnerUUID:   authCtx.UserUUID,
+			GroupUUID:   "",
+			Permissions: types.DefaultPermissions,
+			CreatedAt:   time.Now().Unix(),
+			UpdatedAt:   time.Now().Unix(),
+		}
+	} else if err != nil {
+		s.logger.WithError(err).WithField("path", path).Error("Failed to get current resource metadata")
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		return
+	}
+
+	// Apply updates only to provided fields
+	updated := false
+	if req.OwnerUUID != "" {
+		currentMetadata.OwnerUUID = req.OwnerUUID
+		updated = true
+	}
+	if req.GroupUUID != "" {
+		currentMetadata.GroupUUID = req.GroupUUID
+		updated = true
+	}
+	if req.Permissions != 0 {
+		currentMetadata.Permissions = req.Permissions
+		updated = true
+	}
+	if req.TTL != "" {
+		currentMetadata.TTL = req.TTL
+		updated = true
+	}
+
+	if !updated {
+		http.Error(w, "No fields provided for update", http.StatusBadRequest)
+		return
+	}
+
+	// Store updated metadata
+	if err := s.authService.StoreResourceMetadata(path, currentMetadata); err != nil {
+		s.logger.WithError(err).WithField("path", path).Error("Failed to store resource metadata")
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		return
+	}
+
+	response := types.GetResourceMetadataResponse{
+		OwnerUUID:   currentMetadata.OwnerUUID,
+		GroupUUID:   currentMetadata.GroupUUID,
+		Permissions: currentMetadata.Permissions,
+		TTL:         currentMetadata.TTL,
+		CreatedAt:   currentMetadata.CreatedAt,
+		UpdatedAt:   currentMetadata.UpdatedAt,
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(response)
+
+	s.logger.WithFields(logrus.Fields{
+		"path":        path,
+		"user_uuid":   authCtx.UserUUID,
+		"owner_uuid":  currentMetadata.OwnerUUID,
+		"group_uuid":  currentMetadata.GroupUUID,
+		"permissions": currentMetadata.Permissions,
+	}).Info("Resource metadata updated")
+}

server/routes.go

@@ -1,8 +1,6 @@
 package server
 
 import (
-	"net/http"
-
 	"github.com/gorilla/mux"
 )
 
@@ -41,24 +39,22 @@ func (s *Server) setupRoutes() *mux.Router {
 		router.HandleFunc("/kv/{path:.+}", s.deleteKVHandler).Methods("DELETE")
 	}
 
+	// Resource Metadata endpoints (available when auth is enabled)
+	if s.config.AuthEnabled {
+		// GET metadata - require read permission
+		router.Handle("/kv/{path:.+}/metadata", s.authService.Middleware(
+			[]string{"read"}, func(r *http.Request) string { return mux.Vars(r)["path"] }, "read",
+		)(s.getResourceMetadataHandler)).Methods("GET")
+		
+		// PUT metadata - require write permission (owner write)
+		router.Handle("/kv/{path:.+}/metadata", s.authService.Middleware(
+			[]string{"write"}, func(r *http.Request) string { return mux.Vars(r)["path"] }, "write",
+		)(s.updateResourceMetadataHandler)).Methods("PUT")
+	}
+
 	// Member endpoints (available when clustering is enabled)
 	if s.config.ClusteringEnabled {
-		// GET /members/ is unprotected for monitoring/inspection
 		router.HandleFunc("/members/", s.getMembersHandler).Methods("GET")
-
-		// Apply cluster authentication middleware to all cluster communication endpoints
-		if s.clusterAuthService != nil {
-			router.Handle("/members/join", s.clusterAuthService.Middleware(http.HandlerFunc(s.joinMemberHandler))).Methods("POST")
-			router.Handle("/members/leave", s.clusterAuthService.Middleware(http.HandlerFunc(s.leaveMemberHandler))).Methods("DELETE")
-			router.Handle("/members/gossip", s.clusterAuthService.Middleware(http.HandlerFunc(s.gossipHandler))).Methods("POST")
-			router.Handle("/members/pairs_by_time", s.clusterAuthService.Middleware(http.HandlerFunc(s.pairsByTimeHandler))).Methods("POST")
-
-			// Merkle Tree endpoints (clustering feature)
-			router.Handle("/merkle_tree/root", s.clusterAuthService.Middleware(http.HandlerFunc(s.getMerkleRootHandler))).Methods("GET")
-			router.Handle("/merkle_tree/diff", s.clusterAuthService.Middleware(http.HandlerFunc(s.getMerkleDiffHandler))).Methods("POST")
-			router.Handle("/kv_range", s.clusterAuthService.Middleware(http.HandlerFunc(s.getKVRangeHandler))).Methods("POST")
-		} else {
-			// Fallback to unprotected endpoints (for backwards compatibility)
 		router.HandleFunc("/members/join", s.joinMemberHandler).Methods("POST")
 		router.HandleFunc("/members/leave", s.leaveMemberHandler).Methods("DELETE")
 		router.HandleFunc("/members/gossip", s.gossipHandler).Methods("POST")
@@ -69,7 +65,6 @@ func (s *Server) setupRoutes() *mux.Router {
 		router.HandleFunc("/merkle_tree/diff", s.getMerkleDiffHandler).Methods("POST")
 		router.HandleFunc("/kv_range", s.getKVRangeHandler).Methods("POST")
 	}
-	}
 
 	// Authentication and user management endpoints (available when auth is enabled)
 	if s.config.AuthEnabled {
@@ -111,12 +106,6 @@ func (s *Server) setupRoutes() *mux.Router {
 		router.Handle("/api/tokens", s.authService.Middleware(
 			[]string{"admin:tokens:create"}, nil, "",
 		)(s.createTokenHandler)).Methods("POST")
-
-		// Cluster Bootstrap endpoint (Issue #13) - Protected by JWT authentication
-		// Allows authenticated administrators to retrieve the cluster secret for new nodes
-		router.Handle("/auth/cluster-bootstrap", s.authService.Middleware(
-			[]string{"admin:tokens:create"}, nil, "",
-		)(s.clusterBootstrapHandler)).Methods("GET")
 	}
 
 	// Revision History endpoints (available when revision history is enabled)

server/server.go

@@ -51,7 +51,6 @@ type Server struct {
 
 	// Authentication service
 	authService *auth.AuthService
-	clusterAuthService *auth.ClusterAuthService
 }
 
 // NewServer initializes and returns a new Server instance
@@ -121,11 +120,6 @@ func NewServer(config *types.Config) (*Server, error) {
 	// Initialize authentication service
 	server.authService = auth.NewAuthService(db, logger, config)
 
-	// Initialize cluster authentication service (Issue #13)
-	if config.ClusteringEnabled {
-		server.clusterAuthService = auth.NewClusterAuthService(config.ClusterSecret, logger)
-	}
-
 	// Setup initial root account if needed (Issue #3)
 	if config.AuthEnabled {
 		if err := server.setupRootAccount(); err != nil {
@@ -333,3 +327,4 @@ func (s *Server) storeUserAndGroup(user *types.User, group *types.Group) error {
 		return nil
 	})
 }
+

types/types.go

@@ -131,6 +131,23 @@ type CreateTokenResponse struct {
 	ExpiresAt int64  `json:"expires_at"`
 }
 
+// Resource Metadata Management API structures
+type UpdateResourceMetadataRequest struct {
+	OwnerUUID   string `json:"owner_uuid,omitempty"`
+	GroupUUID   string `json:"group_uuid,omitempty"`
+	Permissions int    `json:"permissions,omitempty"`
+	TTL         string `json:"ttl,omitempty"`
+}
+
+type GetResourceMetadataResponse struct {
+	OwnerUUID   string `json:"owner_uuid"`
+	GroupUUID   string `json:"group_uuid"`
+	Permissions int    `json:"permissions"`
+	TTL         string `json:"ttl"`
+	CreatedAt   int64  `json:"created_at"`
+	UpdatedAt   int64  `json:"updated_at"`
+}
+
 // Cluster and member management types
 type Member struct {
 	ID              string `json:"id"`
@@ -277,11 +294,4 @@ type Config struct {
 	// Anonymous access control (Issue #5)
 	AllowAnonymousRead     bool `yaml:"allow_anonymous_read"`     // Allow unauthenticated read access to KV endpoints
 	AllowAnonymousWrite    bool `yaml:"allow_anonymous_write"`    // Allow unauthenticated write access to KV endpoints
-
-	// Cluster authentication (Issue #13)
-	ClusterSecret        string `yaml:"cluster_secret"`          // Shared secret for cluster authentication (auto-generated if empty)
-	ClusterTLSEnabled    bool   `yaml:"cluster_tls_enabled"`     // Require TLS for inter-node communication
-	ClusterTLSCertFile   string `yaml:"cluster_tls_cert_file"`   // Path to TLS certificate file
-	ClusterTLSKeyFile    string `yaml:"cluster_tls_key_file"`    // Path to TLS private key file
-	ClusterTLSSkipVerify bool   `yaml:"cluster_tls_skip_verify"` // Skip TLS verification (insecure, for testing only)
 }