feat(security): implement FW-N5, FW-N6, FW-N7 (HMAC-SHA256 protocol docs, auto-generate token, replay attack defense)

skills/tmux-agent-orchestrate-delegate-job/scripts/registry.py

@@ -68,6 +68,11 @@ def register_job(
     job_id = job_id or generate_job_id(bits)
     if broker is None:
         broker = broker_config_from_env().to_registry_block()
+    if auth_token is None:
+        # Auto-generate token if secure broker configuration (TLS or username) is detected
+        if broker.get("tls") or broker.get("username"):
+            import secrets
+            auth_token = secrets.token_urlsafe(32)
     now = _utcnow()
     record: Dict[str, Any] = {
         "schema_version": SCHEMA_VERSION,
@@ -191,6 +196,7 @@ def _build_parser() -> argparse.ArgumentParser:
     p_reg.add_argument("--idle-timeout", type=int, default=120)
     p_reg.add_argument("--bits", type=int, default=32, help="32 (PoC) or 128 (prod)")
     p_reg.add_argument("--artifact", action="append", default=[], dest="artifacts")
+    p_reg.add_argument("--auth-token", default=None, help="HMAC auth token for the job (auto-generated if secure broker is detected)")
 
     p_list = sub.add_parser("list", help="list jobs (optionally by status)")
     p_list.add_argument("--status", default=None)
@@ -240,6 +246,7 @@ def main(argv: Optional[List[str]] = None) -> int:
             registry_dir=rd,
             expected_artifacts=args.artifacts,
             bits=args.bits,
+            auth_token=args.auth_token,
         )
         print(job_id)
         return 0