phase 3

ui/core/canon/canon.go

@@ -0,0 +1,30 @@
+// Package canon implements the canonical-bytes serializer for the
+// Galaxy v1 transport envelopes (galaxy-request-v1, galaxy-response-v1,
+// galaxy-event-v1). The canonical-bytes contract is documented in
+// `docs/ARCHITECTURE.md` §15 and mirrored byte-for-byte by the gateway
+// in `gateway/authn`. Drift between the two implementations is caught
+// by the parity test under `gateway/authn/parity_with_ui_core_test.go`.
+//
+// The package is network-free, storage-free, and TinyGo-friendly: it
+// does not depend on `crypto/x509`, `encoding/pem`, or `os`. Random
+// bytes are never read inside this package; the higher-level keypair
+// API in `galaxy/core/keypair` accepts a caller-supplied io.Reader so
+// the WASM build can inject `crypto.getRandomValues`.
+package canon
+
+import "encoding/binary"
+
+// appendLengthPrefixedString encodes value as uvarint(len(value))
+// followed by the raw bytes of value.
+func appendLengthPrefixedString(dst []byte, value string) []byte {
+	return appendLengthPrefixedBytes(dst, []byte(value))
+}
+
+// appendLengthPrefixedBytes encodes value as uvarint(len(value))
+// followed by the raw bytes of value.
+func appendLengthPrefixedBytes(dst []byte, value []byte) []byte {
+	dst = binary.AppendUvarint(dst, uint64(len(value)))
+	dst = append(dst, value...)
+
+	return dst
+}

ui/core/canon/event.go

@@ -0,0 +1,78 @@
+package canon
+
+import (
+	"crypto/ed25519"
+	"encoding/binary"
+	"errors"
+)
+
+const (
+	// EventDomainMarkerV1 binds the v1 server event signature to the Galaxy
+	// gateway transport contract.
+	EventDomainMarkerV1 = "galaxy-event-v1"
+)
+
+// ErrInvalidEventSignature reports that a gateway stream event signature is
+// not a raw Ed25519 signature for the canonical event signing input.
+var ErrInvalidEventSignature = errors.New("invalid event signature")
+
+// EventSigningFields contains the canonical v1 stream-event fields that are
+// bound into the server signing input.
+type EventSigningFields struct {
+	// EventType identifies the stable client-facing event category.
+	EventType string
+
+	// EventID is the stable event correlation identifier.
+	EventID string
+
+	// TimestampMS carries the server event timestamp in milliseconds.
+	TimestampMS int64
+
+	// RequestID optionally correlates the event to the opening client request.
+	RequestID string
+
+	// TraceID optionally carries the client-supplied tracing correlation value.
+	TraceID string
+
+	// PayloadHash is the raw SHA-256 digest of event payload bytes.
+	PayloadHash []byte
+}
+
+// BuildEventSigningInput returns the canonical byte sequence the v1 gateway
+// stream-event signature covers. String and byte fields are length-prefixed
+// with uvarint(len(field)) followed by raw bytes, while TimestampMS is
+// appended as an 8-byte big-endian uint64.
+func BuildEventSigningInput(fields EventSigningFields) []byte {
+	size := len(EventDomainMarkerV1) +
+		len(fields.EventType) +
+		len(fields.EventID) +
+		len(fields.RequestID) +
+		len(fields.TraceID) +
+		len(fields.PayloadHash) +
+		(6 * binary.MaxVarintLen64) +
+		8
+
+	buf := make([]byte, 0, size)
+	buf = appendLengthPrefixedString(buf, EventDomainMarkerV1)
+	buf = appendLengthPrefixedString(buf, fields.EventType)
+	buf = appendLengthPrefixedString(buf, fields.EventID)
+	buf = binary.BigEndian.AppendUint64(buf, uint64(fields.TimestampMS))
+	buf = appendLengthPrefixedString(buf, fields.RequestID)
+	buf = appendLengthPrefixedString(buf, fields.TraceID)
+	buf = appendLengthPrefixedBytes(buf, fields.PayloadHash)
+
+	return buf
+}
+
+// VerifyEventSignature verifies that signature authenticates fields under
+// publicKey using the canonical v1 event signing input.
+func VerifyEventSignature(publicKey ed25519.PublicKey, signature []byte, fields EventSigningFields) error {
+	if len(publicKey) != ed25519.PublicKeySize || len(signature) != ed25519.SignatureSize {
+		return ErrInvalidEventSignature
+	}
+	if !ed25519.Verify(publicKey, BuildEventSigningInput(fields), signature) {
+		return ErrInvalidEventSignature
+	}
+
+	return nil
+}

ui/core/canon/event_test.go

@@ -0,0 +1,162 @@
+package canon_test
+
+import (
+	"bytes"
+	"crypto/ed25519"
+	"encoding/hex"
+	"testing"
+
+	"galaxy/core/canon"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBuildEventSigningInputChangesWhenSignedFieldChanges(t *testing.T) {
+	t.Parallel()
+
+	base := canon.EventSigningFields{
+		EventType:   "gateway.server_time",
+		EventID:     "evt-123",
+		TimestampMS: 123456789,
+		RequestID:   "request-123",
+		TraceID:     "trace-123",
+		PayloadHash: sha256Sum([]byte("payload")),
+	}
+
+	baseInput := canon.BuildEventSigningInput(base)
+
+	tests := []struct {
+		name   string
+		mutate func(canon.EventSigningFields) canon.EventSigningFields
+	}{
+		{
+			name: "event type",
+			mutate: func(fields canon.EventSigningFields) canon.EventSigningFields {
+				fields.EventType = "gateway.other"
+				return fields
+			},
+		},
+		{
+			name: "event id",
+			mutate: func(fields canon.EventSigningFields) canon.EventSigningFields {
+				fields.EventID = "evt-456"
+				return fields
+			},
+		},
+		{
+			name: "timestamp",
+			mutate: func(fields canon.EventSigningFields) canon.EventSigningFields {
+				fields.TimestampMS++
+				return fields
+			},
+		},
+		{
+			name: "request id",
+			mutate: func(fields canon.EventSigningFields) canon.EventSigningFields {
+				fields.RequestID = "request-456"
+				return fields
+			},
+		},
+		{
+			name: "trace id",
+			mutate: func(fields canon.EventSigningFields) canon.EventSigningFields {
+				fields.TraceID = "trace-456"
+				return fields
+			},
+		},
+		{
+			name: "payload hash",
+			mutate: func(fields canon.EventSigningFields) canon.EventSigningFields {
+				fields.PayloadHash = sha256Sum([]byte("other"))
+				return fields
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			mutated := canon.BuildEventSigningInput(tt.mutate(base))
+			assert.False(t, bytes.Equal(baseInput, mutated))
+		})
+	}
+}
+
+func TestSignAndVerifyEventSignature(t *testing.T) {
+	t.Parallel()
+
+	seed := bytes.Repeat([]byte{0xBB}, ed25519.SeedSize)
+	privateKey := ed25519.NewKeyFromSeed(seed)
+	publicKey, _ := privateKey.Public().(ed25519.PublicKey)
+
+	fields := canon.EventSigningFields{
+		EventType:   "gateway.server_time",
+		EventID:     "evt-123",
+		TimestampMS: 123456789,
+		RequestID:   "request-123",
+		TraceID:     "trace-123",
+		PayloadHash: sha256Sum([]byte("payload")),
+	}
+
+	signature := ed25519.Sign(privateKey, canon.BuildEventSigningInput(fields))
+	require.NoError(t, canon.VerifyEventSignature(publicKey, signature, fields))
+
+	t.Run("rejects mutated trace id", func(t *testing.T) {
+		t.Parallel()
+
+		mutated := fields
+		mutated.TraceID = "trace-other"
+		require.ErrorIs(t,
+			canon.VerifyEventSignature(publicKey, signature, mutated),
+			canon.ErrInvalidEventSignature)
+	})
+
+	t.Run("rejects invalid signature length", func(t *testing.T) {
+		t.Parallel()
+
+		require.ErrorIs(t,
+			canon.VerifyEventSignature(publicKey, signature[:1], fields),
+			canon.ErrInvalidEventSignature)
+	})
+
+	t.Run("rejects invalid public key length", func(t *testing.T) {
+		t.Parallel()
+
+		require.ErrorIs(t,
+			canon.VerifyEventSignature(publicKey[:8], signature, fields),
+			canon.ErrInvalidEventSignature)
+	})
+}
+
+func TestEventCanonicalBytesFixture(t *testing.T) {
+	t.Parallel()
+
+	var fx eventFixture
+	loadJSONFixture(t, "event_gateway_server_time.json", &fx)
+
+	fields := canon.EventSigningFields{
+		EventType:   fx.EventType,
+		EventID:     fx.EventID,
+		TimestampMS: fx.TimestampMS,
+		RequestID:   fx.RequestID,
+		TraceID:     fx.TraceID,
+		PayloadHash: mustHex(t, fx.PayloadHashHex),
+	}
+
+	require.NoError(t,
+		canon.VerifyPayloadHash([]byte(fx.Payload), fields.PayloadHash))
+
+	gotInput := canon.BuildEventSigningInput(fields)
+	assert.Equal(t, fx.ExpectedCanonicalBytesHex, hex.EncodeToString(gotInput))
+
+	seed := mustHex(t, fx.PrivateKeySeedHex)
+	require.Len(t, seed, ed25519.SeedSize)
+	privateKey := ed25519.NewKeyFromSeed(seed)
+	publicKey, _ := privateKey.Public().(ed25519.PublicKey)
+	signature := ed25519.Sign(privateKey, gotInput)
+	assert.Equal(t, fx.ExpectedSignatureHex, hex.EncodeToString(signature))
+
+	require.NoError(t, canon.VerifyEventSignature(publicKey, signature, fields))
+}

ui/core/canon/request.go

@@ -0,0 +1,88 @@
+package canon
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"encoding/binary"
+	"errors"
+)
+
+const (
+	// RequestDomainMarkerV1 binds the v1 client request signature to the Galaxy
+	// gateway transport contract.
+	RequestDomainMarkerV1 = "galaxy-request-v1"
+)
+
+var (
+	// ErrInvalidPayloadHash reports that payloadHash is not a raw SHA-256 digest.
+	ErrInvalidPayloadHash = errors.New("payload_hash must be a 32-byte SHA-256 digest")
+
+	// ErrPayloadHashMismatch reports that payloadHash does not match payloadBytes.
+	ErrPayloadHashMismatch = errors.New("payload_hash does not match payload_bytes")
+)
+
+// RequestSigningFields contains the canonical v1 request fields that are bound
+// into the client signing input. The client populates this struct from a
+// request envelope before signing; the server populates it from a received
+// envelope before verification.
+type RequestSigningFields struct {
+	// ProtocolVersion identifies the transport envelope version.
+	ProtocolVersion string
+
+	// DeviceSessionID identifies the authenticated device session bound to the
+	// request.
+	DeviceSessionID string
+
+	// MessageType is the stable downstream routing key.
+	MessageType string
+
+	// TimestampMS carries the client request timestamp in milliseconds.
+	TimestampMS int64
+
+	// RequestID is the transport correlation and anti-replay identifier.
+	RequestID string
+
+	// PayloadHash is the raw SHA-256 digest of payload bytes.
+	PayloadHash []byte
+}
+
+// BuildRequestSigningInput returns the canonical byte sequence the v1 client
+// request signature covers. String and byte fields are length-prefixed with
+// uvarint(len(field)) followed by raw bytes, while TimestampMS is appended as
+// an 8-byte big-endian uint64.
+func BuildRequestSigningInput(fields RequestSigningFields) []byte {
+	size := len(RequestDomainMarkerV1) +
+		len(fields.ProtocolVersion) +
+		len(fields.DeviceSessionID) +
+		len(fields.MessageType) +
+		len(fields.RequestID) +
+		len(fields.PayloadHash) +
+		(6 * binary.MaxVarintLen64) +
+		8
+
+	buf := make([]byte, 0, size)
+	buf = appendLengthPrefixedString(buf, RequestDomainMarkerV1)
+	buf = appendLengthPrefixedString(buf, fields.ProtocolVersion)
+	buf = appendLengthPrefixedString(buf, fields.DeviceSessionID)
+	buf = appendLengthPrefixedString(buf, fields.MessageType)
+	buf = binary.BigEndian.AppendUint64(buf, uint64(fields.TimestampMS))
+	buf = appendLengthPrefixedString(buf, fields.RequestID)
+	buf = appendLengthPrefixedBytes(buf, fields.PayloadHash)
+
+	return buf
+}
+
+// VerifyPayloadHash checks that payloadHash is the raw SHA-256 digest of
+// payloadBytes. Empty payloadBytes are valid and must use sha256.Sum256(nil).
+func VerifyPayloadHash(payloadBytes, payloadHash []byte) error {
+	if len(payloadHash) != sha256.Size {
+		return ErrInvalidPayloadHash
+	}
+
+	sum := sha256.Sum256(payloadBytes)
+	if !bytes.Equal(sum[:], payloadHash) {
+		return ErrPayloadHashMismatch
+	}
+
+	return nil
+}

ui/core/canon/request_test.go

@@ -0,0 +1,184 @@
+package canon_test
+
+import (
+	"bytes"
+	"crypto/ed25519"
+	"crypto/sha256"
+	"encoding/hex"
+	"testing"
+
+	"galaxy/core/canon"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestVerifyPayloadHash(t *testing.T) {
+	t.Parallel()
+
+	payloadSum := sha256.Sum256([]byte("payload"))
+	emptySum := sha256.Sum256(nil)
+	otherSum := sha256.Sum256([]byte("other"))
+
+	tests := []struct {
+		name        string
+		payload     []byte
+		payloadHash []byte
+		wantErr     error
+	}{
+		{
+			name:        "matches non-empty payload",
+			payload:     []byte("payload"),
+			payloadHash: payloadSum[:],
+		},
+		{
+			name:        "matches empty payload",
+			payload:     nil,
+			payloadHash: emptySum[:],
+		},
+		{
+			name:        "rejects digest with invalid length",
+			payload:     []byte("payload"),
+			payloadHash: []byte("short"),
+			wantErr:     canon.ErrInvalidPayloadHash,
+		},
+		{
+			name:        "rejects digest mismatch",
+			payload:     []byte("payload"),
+			payloadHash: otherSum[:],
+			wantErr:     canon.ErrPayloadHashMismatch,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := canon.VerifyPayloadHash(tt.payload, tt.payloadHash)
+			if tt.wantErr == nil {
+				require.NoError(t, err)
+				return
+			}
+
+			require.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestBuildRequestSigningInputChangesWhenSignedFieldChanges(t *testing.T) {
+	t.Parallel()
+
+	base := canon.RequestSigningFields{
+		ProtocolVersion: "v1",
+		DeviceSessionID: "device-session-123",
+		MessageType:     "user.games.command",
+		TimestampMS:     123456789,
+		RequestID:       "request-123",
+		PayloadHash:     sha256Sum([]byte("payload")),
+	}
+
+	baseInput := canon.BuildRequestSigningInput(base)
+
+	tests := []struct {
+		name   string
+		mutate func(canon.RequestSigningFields) canon.RequestSigningFields
+	}{
+		{
+			name: "protocol version",
+			mutate: func(fields canon.RequestSigningFields) canon.RequestSigningFields {
+				fields.ProtocolVersion = "v2"
+				return fields
+			},
+		},
+		{
+			name: "device session id",
+			mutate: func(fields canon.RequestSigningFields) canon.RequestSigningFields {
+				fields.DeviceSessionID = "device-session-456"
+				return fields
+			},
+		},
+		{
+			name: "message type",
+			mutate: func(fields canon.RequestSigningFields) canon.RequestSigningFields {
+				fields.MessageType = "user.account.get"
+				return fields
+			},
+		},
+		{
+			name: "timestamp",
+			mutate: func(fields canon.RequestSigningFields) canon.RequestSigningFields {
+				fields.TimestampMS++
+				return fields
+			},
+		},
+		{
+			name: "request id",
+			mutate: func(fields canon.RequestSigningFields) canon.RequestSigningFields {
+				fields.RequestID = "request-456"
+				return fields
+			},
+		},
+		{
+			name: "payload hash",
+			mutate: func(fields canon.RequestSigningFields) canon.RequestSigningFields {
+				fields.PayloadHash = sha256Sum([]byte("other"))
+				return fields
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			mutated := canon.BuildRequestSigningInput(tt.mutate(base))
+			assert.False(t, bytes.Equal(baseInput, mutated))
+		})
+	}
+}
+
+func TestRequestCanonicalBytesFixtures(t *testing.T) {
+	t.Parallel()
+
+	fixtures := []string{
+		"request_user_account_get.json",
+		"request_lobby_my_games_list.json",
+		"request_user_games_command.json",
+	}
+
+	for _, name := range fixtures {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			var fx requestFixture
+			loadJSONFixture(t, name, &fx)
+
+			fields := canon.RequestSigningFields{
+				ProtocolVersion: fx.ProtocolVersion,
+				DeviceSessionID: fx.DeviceSessionID,
+				MessageType:     fx.MessageType,
+				TimestampMS:     fx.TimestampMS,
+				RequestID:       fx.RequestID,
+				PayloadHash:     mustHex(t, fx.PayloadHashHex),
+			}
+
+			require.NoError(t,
+				canon.VerifyPayloadHash([]byte(fx.Payload), fields.PayloadHash),
+				"payload hash must match payload bytes")
+
+			gotInput := canon.BuildRequestSigningInput(fields)
+			assert.Equal(t, fx.ExpectedCanonicalBytesHex, hex.EncodeToString(gotInput),
+				"canonical bytes drift from fixture")
+
+			seed := mustHex(t, fx.PrivateKeySeedHex)
+			require.Len(t, seed, ed25519.SeedSize)
+			privateKey := ed25519.NewKeyFromSeed(seed)
+			signature := ed25519.Sign(privateKey, gotInput)
+			assert.Equal(t, fx.ExpectedSignatureHex, hex.EncodeToString(signature),
+				"signature drift from fixture")
+
+			require.NoError(t,
+				canon.VerifyRequestSignature(fx.PublicKeyBase64, signature, fields))
+		})
+	}
+}

ui/core/canon/response.go

@@ -0,0 +1,74 @@
+package canon
+
+import (
+	"crypto/ed25519"
+	"encoding/binary"
+	"errors"
+)
+
+const (
+	// ResponseDomainMarkerV1 binds the v1 server response signature to the
+	// Galaxy gateway transport contract.
+	ResponseDomainMarkerV1 = "galaxy-response-v1"
+)
+
+// ErrInvalidResponseSignature reports that a server response signature is
+// not a raw Ed25519 signature for the canonical response signing input.
+var ErrInvalidResponseSignature = errors.New("invalid response signature")
+
+// ResponseSigningFields contains the canonical v1 response fields that are
+// bound into the server signing input.
+type ResponseSigningFields struct {
+	// ProtocolVersion identifies the transport envelope version.
+	ProtocolVersion string
+
+	// RequestID is the transport correlation identifier copied from the
+	// authenticated request.
+	RequestID string
+
+	// TimestampMS carries the server response timestamp in milliseconds.
+	TimestampMS int64
+
+	// ResultCode is the opaque downstream result code returned to the client.
+	ResultCode string
+
+	// PayloadHash is the raw SHA-256 digest of response payload bytes.
+	PayloadHash []byte
+}
+
+// BuildResponseSigningInput returns the canonical byte sequence the v1 server
+// response signature covers. String and byte fields are length-prefixed with
+// uvarint(len(field)) followed by raw bytes, while TimestampMS is appended as
+// an 8-byte big-endian uint64.
+func BuildResponseSigningInput(fields ResponseSigningFields) []byte {
+	size := len(ResponseDomainMarkerV1) +
+		len(fields.ProtocolVersion) +
+		len(fields.RequestID) +
+		len(fields.ResultCode) +
+		len(fields.PayloadHash) +
+		(5 * binary.MaxVarintLen64) +
+		8
+
+	buf := make([]byte, 0, size)
+	buf = appendLengthPrefixedString(buf, ResponseDomainMarkerV1)
+	buf = appendLengthPrefixedString(buf, fields.ProtocolVersion)
+	buf = appendLengthPrefixedString(buf, fields.RequestID)
+	buf = binary.BigEndian.AppendUint64(buf, uint64(fields.TimestampMS))
+	buf = appendLengthPrefixedString(buf, fields.ResultCode)
+	buf = appendLengthPrefixedBytes(buf, fields.PayloadHash)
+
+	return buf
+}
+
+// VerifyResponseSignature verifies that signature authenticates fields under
+// publicKey using the canonical v1 response signing input.
+func VerifyResponseSignature(publicKey ed25519.PublicKey, signature []byte, fields ResponseSigningFields) error {
+	if len(publicKey) != ed25519.PublicKeySize || len(signature) != ed25519.SignatureSize {
+		return ErrInvalidResponseSignature
+	}
+	if !ed25519.Verify(publicKey, BuildResponseSigningInput(fields), signature) {
+		return ErrInvalidResponseSignature
+	}
+
+	return nil
+}

ui/core/canon/response_test.go

@@ -0,0 +1,153 @@
+package canon_test
+
+import (
+	"bytes"
+	"crypto/ed25519"
+	"encoding/hex"
+	"testing"
+
+	"galaxy/core/canon"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBuildResponseSigningInputChangesWhenSignedFieldChanges(t *testing.T) {
+	t.Parallel()
+
+	base := canon.ResponseSigningFields{
+		ProtocolVersion: "v1",
+		RequestID:       "request-123",
+		TimestampMS:     123456789,
+		ResultCode:      "ok",
+		PayloadHash:     sha256Sum([]byte("payload")),
+	}
+
+	baseInput := canon.BuildResponseSigningInput(base)
+
+	tests := []struct {
+		name   string
+		mutate func(canon.ResponseSigningFields) canon.ResponseSigningFields
+	}{
+		{
+			name: "protocol version",
+			mutate: func(fields canon.ResponseSigningFields) canon.ResponseSigningFields {
+				fields.ProtocolVersion = "v2"
+				return fields
+			},
+		},
+		{
+			name: "request id",
+			mutate: func(fields canon.ResponseSigningFields) canon.ResponseSigningFields {
+				fields.RequestID = "request-456"
+				return fields
+			},
+		},
+		{
+			name: "timestamp",
+			mutate: func(fields canon.ResponseSigningFields) canon.ResponseSigningFields {
+				fields.TimestampMS++
+				return fields
+			},
+		},
+		{
+			name: "result code",
+			mutate: func(fields canon.ResponseSigningFields) canon.ResponseSigningFields {
+				fields.ResultCode = "denied"
+				return fields
+			},
+		},
+		{
+			name: "payload hash",
+			mutate: func(fields canon.ResponseSigningFields) canon.ResponseSigningFields {
+				fields.PayloadHash = sha256Sum([]byte("other"))
+				return fields
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			mutated := canon.BuildResponseSigningInput(tt.mutate(base))
+			assert.False(t, bytes.Equal(baseInput, mutated))
+		})
+	}
+}
+
+func TestSignAndVerifyResponseSignature(t *testing.T) {
+	t.Parallel()
+
+	seed := bytes.Repeat([]byte{0xAA}, ed25519.SeedSize)
+	privateKey := ed25519.NewKeyFromSeed(seed)
+	publicKey, _ := privateKey.Public().(ed25519.PublicKey)
+
+	fields := canon.ResponseSigningFields{
+		ProtocolVersion: "v1",
+		RequestID:       "request-123",
+		TimestampMS:     123456789,
+		ResultCode:      "ok",
+		PayloadHash:     sha256Sum([]byte("payload")),
+	}
+
+	signature := ed25519.Sign(privateKey, canon.BuildResponseSigningInput(fields))
+	require.NoError(t, canon.VerifyResponseSignature(publicKey, signature, fields))
+
+	t.Run("rejects mutated field", func(t *testing.T) {
+		t.Parallel()
+
+		mutated := fields
+		mutated.ResultCode = "denied"
+		require.ErrorIs(t,
+			canon.VerifyResponseSignature(publicKey, signature, mutated),
+			canon.ErrInvalidResponseSignature)
+	})
+
+	t.Run("rejects invalid public key length", func(t *testing.T) {
+		t.Parallel()
+
+		shortKey := publicKey[:len(publicKey)-1]
+		require.ErrorIs(t,
+			canon.VerifyResponseSignature(shortKey, signature, fields),
+			canon.ErrInvalidResponseSignature)
+	})
+
+	t.Run("rejects invalid signature length", func(t *testing.T) {
+		t.Parallel()
+
+		require.ErrorIs(t,
+			canon.VerifyResponseSignature(publicKey, signature[:len(signature)-1], fields),
+			canon.ErrInvalidResponseSignature)
+	})
+}
+
+func TestResponseCanonicalBytesFixture(t *testing.T) {
+	t.Parallel()
+
+	var fx responseFixture
+	loadJSONFixture(t, "response_ok.json", &fx)
+
+	fields := canon.ResponseSigningFields{
+		ProtocolVersion: fx.ProtocolVersion,
+		RequestID:       fx.RequestID,
+		TimestampMS:     fx.TimestampMS,
+		ResultCode:      fx.ResultCode,
+		PayloadHash:     mustHex(t, fx.PayloadHashHex),
+	}
+
+	require.NoError(t,
+		canon.VerifyPayloadHash([]byte(fx.Payload), fields.PayloadHash))
+
+	gotInput := canon.BuildResponseSigningInput(fields)
+	assert.Equal(t, fx.ExpectedCanonicalBytesHex, hex.EncodeToString(gotInput))
+
+	seed := mustHex(t, fx.PrivateKeySeedHex)
+	require.Len(t, seed, ed25519.SeedSize)
+	privateKey := ed25519.NewKeyFromSeed(seed)
+	publicKey, _ := privateKey.Public().(ed25519.PublicKey)
+	signature := ed25519.Sign(privateKey, gotInput)
+	assert.Equal(t, fx.ExpectedSignatureHex, hex.EncodeToString(signature))
+
+	require.NoError(t, canon.VerifyResponseSignature(publicKey, signature, fields))
+}

ui/core/canon/signature.go

@@ -0,0 +1,51 @@
+package canon
+
+import (
+	"crypto/ed25519"
+	"encoding/base64"
+	"errors"
+)
+
+var (
+	// ErrInvalidClientPublicKey reports that the provided client public key is
+	// not a base64-encoded raw Ed25519 public key.
+	ErrInvalidClientPublicKey = errors.New("client_public_key is not a valid base64-encoded Ed25519 public key")
+
+	// ErrInvalidRequestSignature reports that a request signature is not a raw
+	// Ed25519 signature for the canonical request signing input.
+	ErrInvalidRequestSignature = errors.New("invalid request signature")
+)
+
+// VerifyRequestSignature decodes the base64-encoded raw Ed25519 client public
+// key, builds the canonical v1 signing input from fields, and verifies that
+// signature authenticates the request.
+//
+// The base64 string form matches how a backend hands the client public key
+// back to the gateway after device-session resolution
+// (see docs/ARCHITECTURE.md §15).
+func VerifyRequestSignature(clientPublicKey string, signature []byte, fields RequestSigningFields) error {
+	publicKey, err := decodeClientPublicKey(clientPublicKey)
+	if err != nil {
+		return err
+	}
+	if len(signature) != ed25519.SignatureSize {
+		return ErrInvalidRequestSignature
+	}
+	if !ed25519.Verify(publicKey, BuildRequestSigningInput(fields), signature) {
+		return ErrInvalidRequestSignature
+	}
+
+	return nil
+}
+
+func decodeClientPublicKey(value string) (ed25519.PublicKey, error) {
+	decoded, err := base64.StdEncoding.Strict().DecodeString(value)
+	if err != nil {
+		return nil, ErrInvalidClientPublicKey
+	}
+	if len(decoded) != ed25519.PublicKeySize {
+		return nil, ErrInvalidClientPublicKey
+	}
+
+	return ed25519.PublicKey(decoded), nil
+}

ui/core/canon/signature_test.go

@@ -0,0 +1,145 @@
+package canon_test
+
+import (
+	"crypto/ed25519"
+	"crypto/sha256"
+	"encoding/base64"
+	"testing"
+
+	"galaxy/core/canon"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestVerifyRequestSignature(t *testing.T) {
+	t.Parallel()
+
+	clientPrivateKey := newTestPrivateKey("primary")
+	clientPublicKey, _ := clientPrivateKey.Public().(ed25519.PublicKey)
+	otherPrivateKey := newTestPrivateKey("other")
+	otherPublicKey, _ := otherPrivateKey.Public().(ed25519.PublicKey)
+
+	fields := canon.RequestSigningFields{
+		ProtocolVersion: "v1",
+		DeviceSessionID: "device-session-123",
+		MessageType:     "user.games.command",
+		TimestampMS:     123456789,
+		RequestID:       "request-123",
+		PayloadHash:     sha256Sum([]byte("payload")),
+	}
+
+	signature := ed25519.Sign(clientPrivateKey, canon.BuildRequestSigningInput(fields))
+
+	tests := []struct {
+		name            string
+		clientPublicKey string
+		signature       []byte
+		fields          canon.RequestSigningFields
+		wantErr         error
+	}{
+		{
+			name:            "valid signature",
+			clientPublicKey: base64.StdEncoding.EncodeToString(clientPublicKey),
+			signature:       signature,
+			fields:          fields,
+		},
+		{
+			name:            "tampered payload hash rejects signature",
+			clientPublicKey: base64.StdEncoding.EncodeToString(clientPublicKey),
+			signature:       signature,
+			fields: func() canon.RequestSigningFields {
+				mutated := fields
+				mutated.PayloadHash = sha256Sum([]byte("other"))
+				return mutated
+			}(),
+			wantErr: canon.ErrInvalidRequestSignature,
+		},
+		{
+			name:            "mismatched request id rejects signature",
+			clientPublicKey: base64.StdEncoding.EncodeToString(clientPublicKey),
+			signature:       signature,
+			fields: func() canon.RequestSigningFields {
+				mutated := fields
+				mutated.RequestID = "request-456"
+				return mutated
+			}(),
+			wantErr: canon.ErrInvalidRequestSignature,
+		},
+		{
+			name:            "mismatched timestamp rejects signature",
+			clientPublicKey: base64.StdEncoding.EncodeToString(clientPublicKey),
+			signature:       signature,
+			fields: func() canon.RequestSigningFields {
+				mutated := fields
+				mutated.TimestampMS++
+				return mutated
+			}(),
+			wantErr: canon.ErrInvalidRequestSignature,
+		},
+		{
+			name:            "wrong key rejects signature",
+			clientPublicKey: base64.StdEncoding.EncodeToString(otherPublicKey),
+			signature:       signature,
+			fields:          fields,
+			wantErr:         canon.ErrInvalidRequestSignature,
+		},
+		{
+			name:            "bit-flipped signature rejects",
+			clientPublicKey: base64.StdEncoding.EncodeToString(clientPublicKey),
+			signature: func() []byte {
+				corrupted := append([]byte(nil), signature...)
+				corrupted[0] ^= 0xFF
+				return corrupted
+			}(),
+			fields:  fields,
+			wantErr: canon.ErrInvalidRequestSignature,
+		},
+		{
+			name:            "invalid signature length rejects",
+			clientPublicKey: base64.StdEncoding.EncodeToString(clientPublicKey),
+			signature:       signature[:len(signature)-1],
+			fields:          fields,
+			wantErr:         canon.ErrInvalidRequestSignature,
+		},
+		{
+			name:            "empty signature rejects",
+			clientPublicKey: base64.StdEncoding.EncodeToString(clientPublicKey),
+			signature:       nil,
+			fields:          fields,
+			wantErr:         canon.ErrInvalidRequestSignature,
+		},
+		{
+			name:            "invalid base64 public key rejects",
+			clientPublicKey: "%%%not-base64%%%",
+			signature:       signature,
+			fields:          fields,
+			wantErr:         canon.ErrInvalidClientPublicKey,
+		},
+		{
+			name:            "invalid public key length rejects",
+			clientPublicKey: base64.StdEncoding.EncodeToString([]byte("short")),
+			signature:       signature,
+			fields:          fields,
+			wantErr:         canon.ErrInvalidClientPublicKey,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := canon.VerifyRequestSignature(tt.clientPublicKey, tt.signature, tt.fields)
+			if tt.wantErr == nil {
+				require.NoError(t, err)
+				return
+			}
+
+			require.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func newTestPrivateKey(label string) ed25519.PrivateKey {
+	seed := sha256.Sum256([]byte("ui-core-canon-signature-test-" + label))
+	return ed25519.NewKeyFromSeed(seed[:])
+}

ui/core/canon/testdata/event_gateway_server_time.json

@@ -0,0 +1,13 @@
+{
+  "event_type": "gateway.server_time",
+  "event_id": "evt-server-time-1",
+  "timestamp_ms": 1700000003000,
+  "request_id": "req-stream-1",
+  "trace_id": "trace-server-time-1",
+  "payload": "event-payload",
+  "payload_hash_hex": "f484a64a69d92ecf6c00aa2a387a7cdcee3bcf3c5944659d1fd381f4c40852f3",
+  "expected_canonical_bytes_hex": "0f67616c6178792d6576656e742d763113676174657761792e7365727665725f74696d65116576742d7365727665722d74696d652d310000018bcfe573b80c7265712d73747265616d2d311374726163652d7365727665722d74696d652d3120f484a64a69d92ecf6c00aa2a387a7cdcee3bcf3c5944659d1fd381f4c40852f3",
+  "private_key_seed_hex": "0505050505050505050505050505050505050505050505050505050505050505",
+  "public_key_base64": "bnoc3Smwt4/ROvTFWY/v9O8qlxZuPKby5Pv8zYBQW/E=",
+  "expected_signature_hex": "5f25daad5758c7b0b25601c6b0639f6262e87a54272e01ccf5062e52b9eaef6a86f2eba96b5a94bf3ef81419d55d3e77d26a55110111465f97dbaaba8f3fb908"
+}

ui/core/canon/testdata/request_lobby_my_games_list.json

@@ -0,0 +1,13 @@
+{
+  "message_type": "lobby.my.games.list",
+  "protocol_version": "v1",
+  "device_session_id": "device-session-1",
+  "timestamp_ms": 1700000000500,
+  "request_id": "req-lobby-1",
+  "payload": "lobby-payload",
+  "payload_hash_hex": "c1bf5b44b0254c7aca13830c1a85de8c7ac81d9989f41a82c44332ae040ab3f2",
+  "expected_canonical_bytes_hex": "1167616c6178792d726571756573742d7631027631106465766963652d73657373696f6e2d31136c6f6262792e6d792e67616d65732e6c6973740000018bcfe569f40b7265712d6c6f6262792d3120c1bf5b44b0254c7aca13830c1a85de8c7ac81d9989f41a82c44332ae040ab3f2",
+  "private_key_seed_hex": "0202020202020202020202020202020202020202020202020202020202020202",
+  "public_key_base64": "gTl3Dqh9F19Wo1Rmw0x+zMuNipG07jeiXfYPW4/Js5Q=",
+  "expected_signature_hex": "f8e1e382e8a95ae9d6bd297f4dd94ee252814d1fbbe62ae99859a1694c6ab1a0fc5e887d747ee1b9ba30d58d8986d7dd03af627be20f17edc5a37a495e8bc007"
+}

ui/core/canon/testdata/request_user_account_get.json

@@ -0,0 +1,13 @@
+{
+  "message_type": "user.account.get",
+  "protocol_version": "v1",
+  "device_session_id": "device-session-1",
+  "timestamp_ms": 1700000000000,
+  "request_id": "req-account-1",
+  "payload": "account-payload",
+  "payload_hash_hex": "c397741348585a420dafed41f7e809710bb09745889dcb699be827ed4d0f3fe8",
+  "expected_canonical_bytes_hex": "1167616c6178792d726571756573742d7631027631106465766963652d73657373696f6e2d3110757365722e6163636f756e742e6765740000018bcfe568000d7265712d6163636f756e742d3120c397741348585a420dafed41f7e809710bb09745889dcb699be827ed4d0f3fe8",
+  "private_key_seed_hex": "0101010101010101010101010101010101010101010101010101010101010101",
+  "public_key_base64": "iojj3XQJ8ZX9UtstPLpdcspnCb8dlBIb83SIAbQPb1w=",
+  "expected_signature_hex": "8fe30c4bb14e77e22e3c81a144fd03b53bba7e76664e36bdacbfa6b0575509279b5d97247eac25e104f09664e2e787f4c3e1a47af571d10c72a92a547c78f70d"
+}

ui/core/canon/testdata/request_user_games_command.json

@@ -0,0 +1,13 @@
+{
+  "message_type": "user.games.command",
+  "protocol_version": "v1",
+  "device_session_id": "device-session-1",
+  "timestamp_ms": 1700000001000,
+  "request_id": "req-games-1",
+  "payload": "games-payload",
+  "payload_hash_hex": "a8322c99bf424939cd3a1e5a41b5edb67e567bff87c49e8ff229be60976960e0",
+  "expected_canonical_bytes_hex": "1167616c6178792d726571756573742d7631027631106465766963652d73657373696f6e2d3112757365722e67616d65732e636f6d6d616e640000018bcfe56be80b7265712d67616d65732d3120a8322c99bf424939cd3a1e5a41b5edb67e567bff87c49e8ff229be60976960e0",
+  "private_key_seed_hex": "0303030303030303030303030303030303030303030303030303030303030303",
+  "public_key_base64": "7UkoxijRwsbq6QM4kFmVYSlZJzpcY/k2NsFGFKyHN9E=",
+  "expected_signature_hex": "262d5480451560d9b2ca96468b0e962e4288eabb4dff29dbc66c491a37dd92b779d2b89853083a695317f8535e49c402dcfd49a11fd2926f3af42ceb745e2b0a"
+}

ui/core/canon/testdata/response_ok.json

@@ -0,0 +1,12 @@
+{
+  "protocol_version": "v1",
+  "request_id": "req-response-1",
+  "timestamp_ms": 1700000002000,
+  "result_code": "ok",
+  "payload": "response-payload",
+  "payload_hash_hex": "2a9afa6f5873bca916cef860bf4902d5a665b1f01e832729eccccefe3424ea88",
+  "expected_canonical_bytes_hex": "1267616c6178792d726573706f6e73652d76310276310e7265712d726573706f6e73652d310000018bcfe56fd0026f6b202a9afa6f5873bca916cef860bf4902d5a665b1f01e832729eccccefe3424ea88",
+  "private_key_seed_hex": "0404040404040404040404040404040404040404040404040404040404040404",
+  "public_key_base64": "ypOsFwUYcHHWe4PH/w7+gQjo7EUwV113JoeTM9vavnw=",
+  "expected_signature_hex": "c9a1b79e602b7557c13d3554cd925be555ba0c5725d81c9baea75bee4693eb6f783e6654af9adfa589b93cf762417deaf7e5e3009d00ea8029c0de8996927b0e"
+}

ui/core/canon/testdata_test.go

@@ -0,0 +1,80 @@
+package canon_test
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// requestFixture captures one stable canonical-bytes test vector for a v1
+// authenticated request. Fixture files live under testdata/ and are
+// generated by hand using the canon package itself; they are committed as
+// golden data so every change to the canonical-bytes contract surfaces as
+// a hex diff in code review.
+type requestFixture struct {
+	MessageType               string `json:"message_type"`
+	ProtocolVersion           string `json:"protocol_version"`
+	DeviceSessionID           string `json:"device_session_id"`
+	TimestampMS               int64  `json:"timestamp_ms"`
+	RequestID                 string `json:"request_id"`
+	Payload                   string `json:"payload"`
+	PayloadHashHex            string `json:"payload_hash_hex"`
+	ExpectedCanonicalBytesHex string `json:"expected_canonical_bytes_hex"`
+	PrivateKeySeedHex         string `json:"private_key_seed_hex"`
+	PublicKeyBase64           string `json:"public_key_base64"`
+	ExpectedSignatureHex      string `json:"expected_signature_hex"`
+}
+
+type responseFixture struct {
+	ProtocolVersion           string `json:"protocol_version"`
+	RequestID                 string `json:"request_id"`
+	TimestampMS               int64  `json:"timestamp_ms"`
+	ResultCode                string `json:"result_code"`
+	Payload                   string `json:"payload"`
+	PayloadHashHex            string `json:"payload_hash_hex"`
+	ExpectedCanonicalBytesHex string `json:"expected_canonical_bytes_hex"`
+	PrivateKeySeedHex         string `json:"private_key_seed_hex"`
+	PublicKeyBase64           string `json:"public_key_base64"`
+	ExpectedSignatureHex      string `json:"expected_signature_hex"`
+}
+
+type eventFixture struct {
+	EventType                 string `json:"event_type"`
+	EventID                   string `json:"event_id"`
+	TimestampMS               int64  `json:"timestamp_ms"`
+	RequestID                 string `json:"request_id"`
+	TraceID                   string `json:"trace_id"`
+	Payload                   string `json:"payload"`
+	PayloadHashHex            string `json:"payload_hash_hex"`
+	ExpectedCanonicalBytesHex string `json:"expected_canonical_bytes_hex"`
+	PrivateKeySeedHex         string `json:"private_key_seed_hex"`
+	PublicKeyBase64           string `json:"public_key_base64"`
+	ExpectedSignatureHex      string `json:"expected_signature_hex"`
+}
+
+func loadJSONFixture(t *testing.T, name string, into any) {
+	t.Helper()
+
+	body, err := os.ReadFile(filepath.Join("testdata", name))
+	require.NoError(t, err, "read %s", name)
+	require.NoError(t, json.Unmarshal(body, into), "decode %s", name)
+}
+
+func mustHex(t *testing.T, value string) []byte {
+	t.Helper()
+
+	decoded, err := hex.DecodeString(value)
+	require.NoError(t, err)
+
+	return decoded
+}
+
+func sha256Sum(payload []byte) []byte {
+	sum := sha256.Sum256(payload)
+	return sum[:]
+}