feat: WZP-S-2 relay auth + WZP-S-3 featherChat signaling bridge

WZP-S-2: Relay token authentication
- New --auth-url flag: relay calls POST {url} with bearer token
- Clients must send SignalMessage::AuthToken as first signal
- Relay validates against featherChat's /v1/auth/validate endpoint
- Rejects unauthenticated clients before they join rooms
- New auth.rs module with validate_token() + tests

WZP-S-3: featherChat signaling bridge
- New featherchat.rs module for CallSignal interop
- WzpCallPayload: wraps SignalMessage + relay_addr + room name
- encode_call_payload/decode_call_payload for JSON serialization
- CallSignalType enum mirrors featherChat's variant
- signal_to_call_type maps WZP signals to FC types

Protocol: Added SignalMessage::AuthToken { token } variant

129 tests passing across all crates.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

crates/wzp-relay/Cargo.toml

@@ -20,6 +20,8 @@ bytes = { workspace = true }
 serde = { workspace = true }
 toml = "0.8"
 anyhow = "1"
+reqwest = { version = "0.12", features = ["json"] }
+serde_json = "1"
 rustls = { version = "0.23", default-features = false, features = ["ring", "std"] }
 quinn = { workspace = true }
 

crates/wzp-relay/src/auth.rs

@@ -0,0 +1,106 @@
+//! featherChat token authentication.
+//!
+//! When `--auth-url` is configured, the relay validates bearer tokens
+//! against featherChat's `POST /v1/auth/validate` endpoint before
+//! allowing clients to join rooms.
+
+use serde::{Deserialize, Serialize};
+use tracing::{info, warn};
+
+/// Request body for featherChat token validation.
+#[derive(Serialize)]
+struct ValidateRequest {
+    token: String,
+}
+
+/// Response from featherChat token validation.
+#[derive(Deserialize, Debug)]
+pub struct ValidateResponse {
+    pub valid: bool,
+    pub fingerprint: Option<String>,
+    pub alias: Option<String>,
+}
+
+/// Validated client identity.
+#[derive(Clone, Debug)]
+pub struct AuthenticatedClient {
+    pub fingerprint: String,
+    pub alias: Option<String>,
+}
+
+/// Validate a bearer token against featherChat's auth endpoint.
+///
+/// Calls `POST {auth_url}` with `{ "token": "..." }`.
+/// Returns the client identity if valid, or an error string.
+pub async fn validate_token(
+    auth_url: &str,
+    token: &str,
+) -> Result<AuthenticatedClient, String> {
+    let client = reqwest::Client::builder()
+        .timeout(std::time::Duration::from_secs(5))
+        .build()
+        .map_err(|e| format!("http client error: {e}"))?;
+
+    let resp = client
+        .post(auth_url)
+        .json(&ValidateRequest {
+            token: token.to_string(),
+        })
+        .send()
+        .await
+        .map_err(|e| format!("auth request failed: {e}"))?;
+
+    if !resp.status().is_success() {
+        return Err(format!("auth endpoint returned {}", resp.status()));
+    }
+
+    let body: ValidateResponse = resp
+        .json()
+        .await
+        .map_err(|e| format!("invalid auth response: {e}"))?;
+
+    if body.valid {
+        let fingerprint = body
+            .fingerprint
+            .ok_or_else(|| "valid response missing fingerprint".to_string())?;
+        info!(%fingerprint, alias = ?body.alias, "token validated");
+        Ok(AuthenticatedClient {
+            fingerprint,
+            alias: body.alias,
+        })
+    } else {
+        warn!("token validation failed");
+        Err("invalid token".to_string())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn validate_request_serializes() {
+        let req = ValidateRequest {
+            token: "abc123".to_string(),
+        };
+        let json = serde_json::to_string(&req).unwrap();
+        assert!(json.contains("abc123"));
+    }
+
+    #[test]
+    fn validate_response_deserializes() {
+        let json = r#"{"valid": true, "fingerprint": "abcd1234", "alias": "manwe"}"#;
+        let resp: ValidateResponse = serde_json::from_str(json).unwrap();
+        assert!(resp.valid);
+        assert_eq!(resp.fingerprint.unwrap(), "abcd1234");
+        assert_eq!(resp.alias.unwrap(), "manwe");
+    }
+
+    #[test]
+    fn invalid_response_deserializes() {
+        let json = r#"{"valid": false}"#;
+        let resp: ValidateResponse = serde_json::from_str(json).unwrap();
+        assert!(!resp.valid);
+        assert!(resp.fingerprint.is_none());
+    }
+}

crates/wzp-relay/src/config.rs

@@ -19,6 +19,9 @@ pub struct RelayConfig {
     pub jitter_max_depth: usize,
     /// Logging level (trace, debug, info, warn, error).
     pub log_level: String,
+    /// featherChat auth validation URL (e.g., "https://chat.example.com/v1/auth/validate").
+    /// If set, clients must present a valid token before joining rooms.
+    pub auth_url: Option<String>,
 }
 
 impl Default for RelayConfig {
@@ -30,6 +33,7 @@ impl Default for RelayConfig {
             jitter_target_depth: 50,
             jitter_max_depth: 250,
             log_level: "info".to_string(),
+            auth_url: None,
         }
     }
 }

crates/wzp-relay/src/lib.rs

@@ -7,6 +7,7 @@
 //! It operates on FEC-protected packets, managing loss recovery and adaptive
 //! quality transitions.
 
+pub mod auth;
 pub mod config;
 pub mod handshake;
 pub mod pipeline;

crates/wzp-relay/src/main.rs

@@ -38,17 +38,23 @@ fn parse_args() -> RelayConfig {
                         .parse().expect("invalid --remote address"),
                 );
             }
+            "--auth-url" => {
+                i += 1;
+                config.auth_url = Some(
+                    args.get(i).expect("--auth-url requires a URL").to_string(),
+                );
+            }
             "--help" | "-h" => {
-                eprintln!("Usage: wzp-relay [--listen <addr>] [--remote <addr>]");
+                eprintln!("Usage: wzp-relay [--listen <addr>] [--remote <addr>] [--auth-url <url>]");
                 eprintln!();
                 eprintln!("Options:");
-                eprintln!("  --listen <addr>  Listen address (default: 0.0.0.0:4433)");
-                eprintln!("  --remote <addr>  Remote relay for forwarding (disables room mode)");
+                eprintln!("  --listen <addr>    Listen address (default: 0.0.0.0:4433)");
+                eprintln!("  --remote <addr>    Remote relay for forwarding (disables room mode)");
+                eprintln!("  --auth-url <url>   featherChat auth endpoint (e.g., https://chat.example.com/v1/auth/validate)");
+                eprintln!("                     When set, clients must send a bearer token as first signal message.");
                 eprintln!();
                 eprintln!("Room mode (default):");
-                eprintln!("  Clients join rooms by name. Packets are forwarded to all");
-                eprintln!("  other participants in the same room (SFU model).");
-                eprintln!("  Room name comes from QUIC SNI or defaults to 'default'.");
+                eprintln!("  Clients join rooms by name. Packets forwarded to all others (SFU).");
                 std::process::exit(0);
             }
             other => {
@@ -154,6 +160,12 @@ async fn main() -> anyhow::Result<()> {
     // Room manager (room mode only)
     let room_mgr = Arc::new(Mutex::new(RoomManager::new()));
 
+    if let Some(ref url) = config.auth_url {
+        info!(url, "auth enabled — clients must present featherChat token");
+    } else {
+        info!("auth disabled — any client can connect (use --auth-url to enable)");
+    }
+
     info!("Listening for connections...");
 
     loop {
@@ -164,12 +176,11 @@ async fn main() -> anyhow::Result<()> {
 
         let remote_transport = remote_transport.clone();
         let room_mgr = room_mgr.clone();
+        let auth_url = config.auth_url.clone();
 
         tokio::spawn(async move {
             let addr = connection.remote_address();
 
-            // Extract room name from QUIC handshake data (SNI).
-            // The web bridge connects with the room name as server_name.
             let room_name = connection
                 .handshake_data()
                 .and_then(|hd| {
@@ -180,7 +191,45 @@ async fn main() -> anyhow::Result<()> {
 
             let transport = Arc::new(wzp_transport::QuinnTransport::new(connection));
 
-            info!(%addr, room = %room_name, "new client");
+            // Auth check: if --auth-url is set, expect first signal message to be a token
+            if let Some(ref url) = auth_url {
+                info!(%addr, "waiting for auth token...");
+                match transport.recv_signal().await {
+                    Ok(Some(wzp_proto::SignalMessage::AuthToken { token })) => {
+                        match wzp_relay::auth::validate_token(url, &token).await {
+                            Ok(client) => {
+                                info!(
+                                    %addr,
+                                    fingerprint = %client.fingerprint,
+                                    alias = ?client.alias,
+                                    "authenticated"
+                                );
+                            }
+                            Err(e) => {
+                                error!(%addr, "auth failed: {e}");
+                                transport.close().await.ok();
+                                return;
+                            }
+                        }
+                    }
+                    Ok(Some(_)) => {
+                        error!(%addr, "expected AuthToken as first signal, got something else");
+                        transport.close().await.ok();
+                        return;
+                    }
+                    Ok(None) => {
+                        error!(%addr, "connection closed before auth");
+                        return;
+                    }
+                    Err(e) => {
+                        error!(%addr, "signal recv error during auth: {e}");
+                        transport.close().await.ok();
+                        return;
+                    }
+                }
+            }
+
+            info!(%addr, room = %room_name, "client joined");
 
             if let Some(remote) = remote_transport {
                 // Forward mode — same as before