feat(protocol): enforce X-Fabric-Version negotiation on node registration

Fabric.Backend.Center/src/common/version.ts

@@ -0,0 +1,7 @@
+export const FABRIC_PROTOCOL_VERSION = '1';
+
+export function normalizeVersion(input?: string): string {
+  if (!input) return FABRIC_PROTOCOL_VERSION;
+  const v = input.trim();
+  return v;
+}

Fabric.Backend.Center/src/nodes/nodes.controller.ts

@@ -6,6 +6,7 @@ import {
   ForbiddenException,
   Get,
   Headers,
+  HttpException,
   NotFoundException,
   Param,
   ParseIntPipe,
@@ -25,6 +26,7 @@ import {
   signCanonical,
   verifyRequestTime,
 } from '../common/hmac';
+import { FABRIC_PROTOCOL_VERSION, normalizeVersion } from '../common/version';
 
 @Controller('nodes')
 export class NodesController {
@@ -40,7 +42,23 @@ export class NodesController {
     @Headers('x-fabric-signature') signature?: string,
     @Headers('x-fabric-timestamp') timestamp?: string,
     @Headers('x-fabric-nonce') nonce?: string,
+    @Headers('x-fabric-version') fabricVersion?: string,
   ) {
+    const requestedVersion = normalizeVersion(fabricVersion);
+    if (requestedVersion !== FABRIC_PROTOCOL_VERSION) {
+      throw new HttpException(
+        {
+          error: {
+            code: 'FABRIC_VERSION_NOT_SUPPORTED',
+            message: `unsupported protocol version: ${requestedVersion}`,
+            retryable: false,
+          },
+          supportedVersion: FABRIC_PROTOCOL_VERSION,
+        },
+        400,
+      );
+    }
+
     const secret = process.env.CENTER_SHARED_SECRET as string;
     if (!signature || !timestamp || !nonce || !verifyRequestTime(timestamp)) {
       throw new ForbiddenException('invalid hmac headers');
@@ -88,6 +106,7 @@ export class NodesController {
 
     return {
       status: 'accepted',
+      negotiatedVersion: FABRIC_PROTOCOL_VERSION,
       node: {
         id: saved.id,
         nodeId: saved.nodeId,