feat: add RSA public-key handshake support for monitor server websocket

app/api/routers/monitor.py

@@ -23,6 +23,7 @@ from app.services.monitoring import (
     get_server_states_view,
     test_provider_connection,
 )
+from app.services.crypto_box import get_public_key_info, decrypt_payload_b64, ts_within
 
 router = APIRouter(prefix='/monitor', tags=['Monitor'])
 SUPPORTED_PROVIDERS = {'anthropic', 'openai', 'minimax', 'kimi', 'qwen'}
@@ -57,6 +58,11 @@ def require_admin(current_user: models.User = Depends(get_current_user_or_apikey
     return current_user
 
 
+@router.get('/public/server-public-key')
+def monitor_public_key():
+    return get_public_key_info()
+
+
 @router.get('/public/overview')
 def public_overview(db: Session = Depends(get_db)):
     return {
@@ -202,9 +208,22 @@ async def server_ws(websocket: WebSocket):
     server_id = None
     try:
         hello = await websocket.receive_json()
-        identifier = (hello.get('identifier') or '').strip()
-        challenge_uuid = (hello.get('challenge_uuid') or '').strip()
-        nonce = (hello.get('nonce') or '').strip()
+
+        encrypted_payload = (hello.get('encrypted_payload') or '').strip()
+        if encrypted_payload:
+            data = decrypt_payload_b64(encrypted_payload)
+            identifier = (data.get('identifier') or '').strip()
+            challenge_uuid = (data.get('challenge_uuid') or '').strip()
+            nonce = (data.get('nonce') or '').strip()
+            ts = data.get('ts')
+            if not ts_within(ts, max_minutes=10):
+                await websocket.close(code=4401)
+                return
+        else:
+            # backward compatible mode
+            identifier = (hello.get('identifier') or '').strip()
+            challenge_uuid = (hello.get('challenge_uuid') or '').strip()
+            nonce = (hello.get('nonce') or '').strip()
 
         if not identifier or not challenge_uuid or not nonce:
             await websocket.close(code=4400)