phase 4: connectrpc on the gateway authenticated edge

Replace the native-gRPC server bootstrap with a single
`connectrpc.com/connect` HTTP/h2c listener. Connect-Go natively
serves Connect, gRPC, and gRPC-Web on the same port, so browsers can
now reach the authenticated surface without giving up the gRPC
framing native and desktop clients may use later. The decorator
stack (envelope → session → payload-hash → signature →
freshness/replay → rate-limit → routing/push) is reused unchanged
behind a small Connect → gRPC adapter and a `grpc.ServerStream`
shim around `*connect.ServerStream`.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

gateway/internal/grpcapi/signature_integration_test.go

@@ -5,12 +5,10 @@ import (
 	"testing"
 
 	"galaxy/gateway/internal/session"
-	gatewayv1 "galaxy/gateway/proto/galaxy/gateway/v1"
 
+	"connectrpc.com/connect"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
 )
 
 func TestExecuteCommandRejectsInvalidSignature(t *testing.T) {
@@ -24,19 +22,15 @@ func TestExecuteCommandRejectsInvalidSignature(t *testing.T) {
 	defer runGateway.stop(t)
 
 	addr := waitForListenAddr(t, server)
-	conn := dialGatewayClient(t, addr)
-	defer func() {
-		require.NoError(t, conn.Close())
-	}()
+	client := newEdgeClient(t, addr)
 
 	req := newValidExecuteCommandRequest()
 	req.Signature[0] ^= 0xff
 
-	client := gatewayv1.NewEdgeGatewayClient(conn)
-	_, err := client.ExecuteCommand(context.Background(), req)
+	_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(req))
 	require.Error(t, err)
-	assert.Equal(t, codes.Unauthenticated, status.Code(err))
-	assert.Equal(t, "invalid request signature", status.Convert(err).Message())
+	assert.Equal(t, connect.CodeUnauthenticated, connect.CodeOf(err))
+	assert.Equal(t, "invalid request signature", connectErrorMessage(t, err))
 	assert.Zero(t, delegate.executeCalls)
 }
 
@@ -57,16 +51,11 @@ func TestExecuteCommandRejectsWrongKey(t *testing.T) {
 	defer runGateway.stop(t)
 
 	addr := waitForListenAddr(t, server)
-	conn := dialGatewayClient(t, addr)
-	defer func() {
-		require.NoError(t, conn.Close())
-	}()
-
-	client := gatewayv1.NewEdgeGatewayClient(conn)
-	_, err := client.ExecuteCommand(context.Background(), newValidExecuteCommandRequest())
+	client := newEdgeClient(t, addr)
+	_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequest()))
 	require.Error(t, err)
-	assert.Equal(t, codes.Unauthenticated, status.Code(err))
-	assert.Equal(t, "invalid request signature", status.Convert(err).Message())
+	assert.Equal(t, connect.CodeUnauthenticated, connect.CodeOf(err))
+	assert.Equal(t, "invalid request signature", connectErrorMessage(t, err))
 	assert.Zero(t, delegate.executeCalls)
 }
 
@@ -87,16 +76,11 @@ func TestExecuteCommandRejectsInvalidCachedPublicKey(t *testing.T) {
 	defer runGateway.stop(t)
 
 	addr := waitForListenAddr(t, server)
-	conn := dialGatewayClient(t, addr)
-	defer func() {
-		require.NoError(t, conn.Close())
-	}()
-
-	client := gatewayv1.NewEdgeGatewayClient(conn)
-	_, err := client.ExecuteCommand(context.Background(), newValidExecuteCommandRequest())
+	client := newEdgeClient(t, addr)
+	_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequest()))
 	require.Error(t, err)
-	assert.Equal(t, codes.Unavailable, status.Code(err))
-	assert.Equal(t, "session cache is unavailable", status.Convert(err).Message())
+	assert.Equal(t, connect.CodeUnavailable, connect.CodeOf(err))
+	assert.Equal(t, "session cache is unavailable", connectErrorMessage(t, err))
 	assert.Zero(t, delegate.executeCalls)
 }
 
@@ -111,19 +95,15 @@ func TestSubscribeEventsRejectsInvalidSignature(t *testing.T) {
 	defer runGateway.stop(t)
 
 	addr := waitForListenAddr(t, server)
-	conn := dialGatewayClient(t, addr)
-	defer func() {
-		require.NoError(t, conn.Close())
-	}()
+	client := newEdgeClient(t, addr)
 
 	req := newValidSubscribeEventsRequest()
 	req.Signature[0] ^= 0xff
 
-	client := gatewayv1.NewEdgeGatewayClient(conn)
 	err := subscribeEventsError(t, context.Background(), client, req)
 	require.Error(t, err)
-	assert.Equal(t, codes.Unauthenticated, status.Code(err))
-	assert.Equal(t, "invalid request signature", status.Convert(err).Message())
+	assert.Equal(t, connect.CodeUnauthenticated, connect.CodeOf(err))
+	assert.Equal(t, "invalid request signature", connectErrorMessage(t, err))
 	assert.Zero(t, delegate.subscribeCalls)
 }
 
@@ -144,16 +124,11 @@ func TestSubscribeEventsRejectsWrongKey(t *testing.T) {
 	defer runGateway.stop(t)
 
 	addr := waitForListenAddr(t, server)
-	conn := dialGatewayClient(t, addr)
-	defer func() {
-		require.NoError(t, conn.Close())
-	}()
-
-	client := gatewayv1.NewEdgeGatewayClient(conn)
+	client := newEdgeClient(t, addr)
 	err := subscribeEventsError(t, context.Background(), client, newValidSubscribeEventsRequest())
 	require.Error(t, err)
-	assert.Equal(t, codes.Unauthenticated, status.Code(err))
-	assert.Equal(t, "invalid request signature", status.Convert(err).Message())
+	assert.Equal(t, connect.CodeUnauthenticated, connect.CodeOf(err))
+	assert.Equal(t, "invalid request signature", connectErrorMessage(t, err))
 	assert.Zero(t, delegate.subscribeCalls)
 }
 
@@ -174,15 +149,10 @@ func TestSubscribeEventsRejectsInvalidCachedPublicKey(t *testing.T) {
 	defer runGateway.stop(t)
 
 	addr := waitForListenAddr(t, server)
-	conn := dialGatewayClient(t, addr)
-	defer func() {
-		require.NoError(t, conn.Close())
-	}()
-
-	client := gatewayv1.NewEdgeGatewayClient(conn)
+	client := newEdgeClient(t, addr)
 	err := subscribeEventsError(t, context.Background(), client, newValidSubscribeEventsRequest())
 	require.Error(t, err)
-	assert.Equal(t, codes.Unavailable, status.Code(err))
-	assert.Equal(t, "session cache is unavailable", status.Convert(err).Message())
+	assert.Equal(t, connect.CodeUnavailable, connect.CodeOf(err))
+	assert.Equal(t, "session cache is unavailable", connectErrorMessage(t, err))
 	assert.Zero(t, delegate.subscribeCalls)
 }