From 2b8f359a83aa36246f1a3c5e5ffb0079f3de144e Mon Sep 17 00:00:00 2001
From: mleku <me@mleku.dev>
Date: Tue, 25 Nov 2025 11:04:04 +0000
Subject: [PATCH] fix workflow to fetch libsecp256k1.so

---
 .claude/settings.local.json |  3 ++-
 app/listener.go             | 36 ++++++++++++++++++++++++++++--------
 pkg/version/version         |  2 +-
 3 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/.claude/settings.local.json b/.claude/settings.local.json
index 33d8016..e568ed6 100644
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -131,7 +131,8 @@
       "Bash(systemctl:*)",
       "Bash(systemctl show:*)",
       "Bash(ssh relay1:*)",
-      "Bash(done)"
+      "Bash(done)",
+      "Bash(go run:*)"
     ],
     "deny": [],
     "ask": []
diff --git a/app/listener.go b/app/listener.go
index 02446f3..63410d6 100644
--- a/app/listener.go
+++ b/app/listener.go
@@ -1,6 +1,7 @@
 package app
 
 import (
+	"bytes"
 	"context"
 	"net/http"
 	"strings"
@@ -38,6 +39,7 @@ type Listener struct {
 	messageQueue     chan messageRequest // Buffered channel for message processing
 	processingDone   chan struct{}       // Closed when message processor exits
 	handlerWg        sync.WaitGroup      // Tracks spawned message handler goroutines
+	authProcessing   sync.RWMutex        // Ensures AUTH completes before other messages check authentication
 	// Flow control counters (atomic for concurrent access)
 	droppedMessages  atomic.Int64 // Messages dropped due to full queue
 	// Diagnostics: per-connection counters
@@ -218,14 +220,32 @@ func (l *Listener) messageProcessor() {
 				return
 			}
 
-			// Process the message in a separate goroutine to avoid blocking
-			// This allows multiple messages to be processed concurrently (like khatru does)
-			// Track the goroutine so we can wait for it during cleanup
-			l.handlerWg.Add(1)
-			go func(data []byte, remote string) {
-				defer l.handlerWg.Done()
-				l.HandleMessage(data, remote)
-			}(req.data, req.remote)
+			// Lock immediately to ensure AUTH is processed before subsequent messages
+			// are dequeued. This prevents race conditions where EVENT checks authentication
+			// before AUTH completes.
+			l.authProcessing.Lock()
+
+			// Check if this is an AUTH message by looking for the ["AUTH" prefix
+			isAuthMessage := len(req.data) > 7 && bytes.HasPrefix(req.data, []byte(`["AUTH"`))
+
+			if isAuthMessage {
+				// Process AUTH message synchronously while holding lock
+				// This blocks the messageProcessor from dequeuing the next message
+				// until authentication is complete and authedPubkey is set
+				log.D.F("ws->%s processing AUTH synchronously with lock", req.remote)
+				l.HandleMessage(req.data, req.remote)
+				// Unlock after AUTH completes so subsequent messages see updated authedPubkey
+				l.authProcessing.Unlock()
+			} else {
+				// Not AUTH - unlock immediately and process concurrently
+				// The next message can now be dequeued (possibly another non-AUTH to process concurrently)
+				l.authProcessing.Unlock()
+				l.handlerWg.Add(1)
+				go func(data []byte, remote string) {
+					defer l.handlerWg.Done()
+					l.HandleMessage(data, remote)
+				}(req.data, req.remote)
+			}
 		}
 	}
 }
diff --git a/pkg/version/version b/pkg/version/version
index 1824377..e0954ee 100644
--- a/pkg/version/version
+++ b/pkg/version/version
@@ -1 +1 @@
-v0.29.16
\ No newline at end of file
+v0.29.17
\ No newline at end of file