2025-08-23 09:39:20 +03:00
13 changed files with 980 additions and 93 deletions
--- a/cmd/client/main.go
+++ b/cmd/client/main.go
@ -0,0 +1,134 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"log"
+	"net"
+	"time"
+
+	"hash-of-wisdom/internal/pow/challenge"
+	"hash-of-wisdom/internal/pow/solver"
+	"hash-of-wisdom/internal/protocol"
+)
+
+func main() {
+	serverAddr := flag.String("addr", "localhost:8080", "server address")
+	flag.Parse()
+
+	fmt.Printf("Connecting to Word of Wisdom server at %s\n", *serverAddr)
+
+	// Step 1: Get challenge
+	challengeResp, err := requestChallenge(*serverAddr)
+	if err != nil {
+		log.Fatalf("Failed to get challenge: %v", err)
+	}
+
+	fmt.Printf("Received challenge with difficulty %d\n", challengeResp.Challenge.Difficulty)
+
+	// Step 2: Solve challenge
+	fmt.Println("Solving challenge...")
+	start := time.Now()
+
+	s := solver.NewSolver()
+	solution, err := s.Solve(context.Background(), challengeResp.Challenge)
+	if err != nil {
+		log.Fatalf("Failed to solve challenge: %v", err)
+	}
+
+	solveTime := time.Since(start)
+	fmt.Printf("Challenge solved in %v with nonce %d\n", solveTime, solution.Nonce)
+
+	// Step 3: Submit solution and get quote
+	err = submitSolution(*serverAddr, challengeResp.Challenge, solution.Nonce)
+	if err != nil {
+		log.Fatalf("Failed to submit solution: %v", err)
+	}
+}
+
+func requestChallenge(serverAddr string) (*protocol.ChallengeResponse, error) {
+	// Connect with timeout
+	conn, err := net.DialTimeout("tcp", serverAddr, 5*time.Second)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect: %w", err)
+	}
+	defer conn.Close()
+
+	// Request challenge
+	fmt.Println("Requesting challenge...")
+	challengeReq := &protocol.ChallengeRequest{}
+	if err := challengeReq.Encode(conn); err != nil {
+		return nil, fmt.Errorf("failed to send challenge request: %w", err)
+	}
+
+	// Receive challenge
+	decoder := protocol.NewMessageDecoder()
+	msg, err := decoder.Decode(conn)
+	if err != nil {
+		return nil, fmt.Errorf("failed to receive challenge: %w", err)
+	}
+
+	if msg.Type != protocol.ChallengeResponseType {
+		return nil, fmt.Errorf("unexpected response type: %v", msg.Type)
+	}
+
+	// Parse challenge
+	challengeResp := &protocol.ChallengeResponse{}
+	if err := challengeResp.Decode(msg.PayloadStream); err != nil {
+		return nil, fmt.Errorf("failed to parse challenge: %w", err)
+	}
+
+	return challengeResp, nil
+}
+
+func submitSolution(serverAddr string, chall *challenge.Challenge, nonce uint64) error {
+	// Connect with timeout
+	conn, err := net.DialTimeout("tcp", serverAddr, 5*time.Second)
+	if err != nil {
+		return fmt.Errorf("failed to connect: %w", err)
+	}
+	defer conn.Close()
+
+	// Submit solution
+	solutionReq := &protocol.SolutionRequest{
+		Challenge: *chall,
+		Nonce:     nonce,
+	}
+
+	fmt.Println("Submitting solution...")
+	if err := solutionReq.Encode(conn); err != nil {
+		return fmt.Errorf("failed to send solution: %w", err)
+	}
+
+	// Receive quote or error
+	decoder := protocol.NewMessageDecoder()
+	msg, err := decoder.Decode(conn)
+	if err != nil {
+		return fmt.Errorf("failed to receive response: %w", err)
+	}
+
+	switch msg.Type {
+	case protocol.QuoteResponseType:
+		solutionResp := &protocol.SolutionResponse{}
+		if err := solutionResp.Decode(msg.PayloadStream); err != nil {
+			return fmt.Errorf("failed to parse quote: %w", err)
+		}
+		fmt.Printf("\nQuote received:\n\"%s\"\n— %s\n", solutionResp.Quote.Text, solutionResp.Quote.Author)
+	case protocol.ErrorResponseType:
+		errorResp := &protocol.ErrorResponse{}
+		if err := errorResp.Decode(msg.PayloadStream); err != nil {
+			fmt.Println("Error: Contact administrator")
+			return nil
+		}
+		if errorResp.Code == protocol.ErrServerError {
+			fmt.Println("Error: Contact administrator")
+		} else {
+			fmt.Printf("Error: %s\n", errorResp.Message)
+		}
+	default:
+		return fmt.Errorf("unexpected response type: %v", msg.Type)
+	}
+
+	return nil
+}
--- a/docs/IMPLEMENTATION.md
+++ b/docs/IMPLEMENTATION.md
@ -89,14 +89,13 @@
 - [X] Update cmd/server to use new TCP server with logging

 ## Phase 7: Client Implementation
- [ ] Create client application structure
- [ ] Implement PoW solver algorithm on client side
- [ ] Create client-side protocol implementation
- [ ] Add retry logic and error handling
- [ ] Implement connection management
- [ ] Create CLI interface for client
- [ ] Add client structured logging
- [ ] Write client unit and integration tests
+- [X] Create client application structure
+- [X] Implement PoW solver algorithm on client side
+- [X] Create client-side protocol implementation
+- [X] Add retry logic and error handling
+- [X] Implement connection management
+- [X] Create CLI interface for client
+- [X] Write client integration tests for slowloris protection

 ## Phase 8: Basic Server Architecture
 - [ ] Set up metrics collection (prometheus)
--- a/docs/PROTOCOL.md
+++ b/docs/PROTOCOL.md
@ -31,27 +31,37 @@ For detailed analysis of alternative PoW algorithms and comprehensive justificat

 ## Protocol Flow

-### Successful Flow
+### Challenge Request Flow
 ```
 Client                                    Server
  |                                         |
  |-------- CHALLENGE_REQUEST ------------->|
  |                                         |
  |<------- CHALLENGE_RESPONSE -------------| (HMAC-signed)
+  |                                         |
+  [Connection closes]
+```
+
+### Solution Submission Flow
+```
+Client                                    Server
  |                                         |
  |-------- SOLUTION_REQUEST -------------->|
  |                                         |
  |<------- QUOTE_RESPONSE -----------------| (if solution valid)
  |                                         |
+  [Connection closes]
 ```

 ### Error Flow
 ```
 Client                                    Server
-  |-------- CHALLENGE_REQUEST ------------->|
-  |<------- CHALLENGE_RESPONSE -------------|
+  |                                         |
  |-------- SOLUTION_REQUEST (invalid) ---->|
+  |                                         |
  |<------- ERROR_RESPONSE -----------------| (if solution invalid)
+  |                                         |
+  [Connection closes]
 ```

 ## Message Format
@ -252,12 +262,21 @@ Server verifies solutions through the following steps:
 ## Connection Management

 ### Connection Lifecycle
+
+The protocol uses separate TCP connections for challenge requests and solution submissions:
+
+#### Challenge Request:
 1. **Connect**: Client establishes TCP connection to server
-2. **Challenge**: Client requests and receives HMAC-signed challenge
-3. **Solve**: Client solves PoW challenge offline (can take time)
-4. **Submit**: Client submits solution with challenge proof
-5. **Receive**: Client receives quote (if valid) or error (if invalid)
-6. **Disconnect**: Connection closes automatically after response
+2. **Request**: Client sends CHALLENGE_REQUEST
+3. **Receive**: Client receives CHALLENGE_RESPONSE with HMAC-signed challenge
+4. **Disconnect**: Connection closes automatically
+
+#### Solution Submission:
+1. **Solve**: Client solves PoW challenge offline
+2. **Connect**: Client establishes new TCP connection to server
+3. **Submit**: Client sends SOLUTION_REQUEST with challenge and nonce
+4. **Receive**: Client receives QUOTE_RESPONSE or ERROR_RESPONSE
+5. **Disconnect**: Connection closes automatically

 ### Timeouts and Limits

--- a/internal/protocol/encode_decode_test.go
+++ b/internal/protocol/encode_decode_test.go
@ -0,0 +1,157 @@
+package protocol
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"hash-of-wisdom/internal/pow/challenge"
+	"hash-of-wisdom/internal/quotes"
+)
+
+func TestSymmetricEncoding_ChallengeRequest(t *testing.T) {
+	// Create a challenge request
+	req := &ChallengeRequest{}
+
+	// Encode it
+	var buf bytes.Buffer
+	err := req.Encode(&buf)
+	require.NoError(t, err)
+
+	// Decode it back
+	decoder := NewMessageDecoder()
+	msg, err := decoder.Decode(&buf)
+	require.NoError(t, err)
+	assert.Equal(t, ChallengeRequestType, msg.Type)
+	assert.Equal(t, uint32(0), msg.PayloadLength)
+
+	// Decode the request payload
+	decodedReq := &ChallengeRequest{}
+	err = decodedReq.Decode(msg.PayloadStream)
+	require.NoError(t, err)
+}
+
+func TestSymmetricEncoding_SolutionRequest(t *testing.T) {
+	// Create a solution request
+	req := &SolutionRequest{
+		Challenge: challenge.Challenge{
+			Timestamp:  1640995200,
+			Difficulty: 4,
+			Resource:   "quotes",
+			Random:     []byte("test"),
+			HMAC:       []byte("test"),
+		},
+		Nonce: 12345,
+	}
+
+	// Encode it
+	var buf bytes.Buffer
+	err := req.Encode(&buf)
+	require.NoError(t, err)
+
+	// Decode it back
+	decoder := NewMessageDecoder()
+	msg, err := decoder.Decode(&buf)
+	require.NoError(t, err)
+	assert.Equal(t, SolutionRequestType, msg.Type)
+	assert.Greater(t, msg.PayloadLength, uint32(0))
+
+	// Decode the request payload
+	decodedReq := &SolutionRequest{}
+	err = decodedReq.Decode(msg.PayloadStream)
+	require.NoError(t, err)
+	assert.Equal(t, req.Nonce, decodedReq.Nonce)
+	assert.Equal(t, req.Challenge.Timestamp, decodedReq.Challenge.Timestamp)
+}
+
+func TestSymmetricEncoding_ChallengeResponse(t *testing.T) {
+	// Create a challenge response
+	resp := &ChallengeResponse{
+		Challenge: &challenge.Challenge{
+			Timestamp:  1640995200,
+			Difficulty: 4,
+			Resource:   "quotes",
+			Random:     []byte("test"),
+			HMAC:       []byte("test"),
+		},
+	}
+
+	// Encode it
+	var buf bytes.Buffer
+	err := resp.Encode(&buf)
+	require.NoError(t, err)
+
+	// Decode it back
+	decoder := NewMessageDecoder()
+	msg, err := decoder.Decode(&buf)
+	require.NoError(t, err)
+	assert.Equal(t, ChallengeResponseType, msg.Type)
+	assert.Greater(t, msg.PayloadLength, uint32(0))
+
+	// Decode the response payload
+	decodedResp := &ChallengeResponse{}
+	err = decodedResp.Decode(msg.PayloadStream)
+	require.NoError(t, err)
+	assert.Equal(t, resp.Challenge.Timestamp, decodedResp.Challenge.Timestamp)
+	assert.Equal(t, resp.Challenge.Difficulty, decodedResp.Challenge.Difficulty)
+}
+
+func TestSymmetricEncoding_SolutionResponse(t *testing.T) {
+	// Create a solution response
+	resp := &SolutionResponse{
+		Quote: &quotes.Quote{
+			Text:   "Test quote",
+			Author: "Test Author",
+		},
+	}
+
+	// Encode it
+	var buf bytes.Buffer
+	err := resp.Encode(&buf)
+	require.NoError(t, err)
+
+	// Decode it back
+	decoder := NewMessageDecoder()
+	msg, err := decoder.Decode(&buf)
+	require.NoError(t, err)
+	assert.Equal(t, QuoteResponseType, msg.Type)
+	assert.Greater(t, msg.PayloadLength, uint32(0))
+
+	// Decode the response payload
+	decodedResp := &SolutionResponse{}
+	err = decodedResp.Decode(msg.PayloadStream)
+	require.NoError(t, err)
+	assert.Equal(t, resp.Quote.Text, decodedResp.Quote.Text)
+	assert.Equal(t, resp.Quote.Author, decodedResp.Quote.Author)
+}
+
+func TestSymmetricEncoding_ErrorResponse(t *testing.T) {
+	// Create an error response
+	resp := &ErrorResponse{
+		Code:    "TEST_ERROR",
+		Message: "Test error message",
+		Details: map[string]string{"key": "value"},
+	}
+
+	// Encode it
+	var buf bytes.Buffer
+	err := resp.Encode(&buf)
+	require.NoError(t, err)
+
+	// Decode it back
+	decoder := NewMessageDecoder()
+	msg, err := decoder.Decode(&buf)
+	require.NoError(t, err)
+	assert.Equal(t, ErrorResponseType, msg.Type)
+	assert.Greater(t, msg.PayloadLength, uint32(0))
+
+	// Decode the response payload
+	decodedResp := &ErrorResponse{}
+	err = decodedResp.Decode(msg.PayloadStream)
+	require.NoError(t, err)
+	assert.Equal(t, resp.Code, decodedResp.Code)
+	assert.Equal(t, resp.Message, decodedResp.Message)
+	assert.Equal(t, resp.Details, decodedResp.Details)
+}
--- a/internal/protocol/encoder.go
+++ b/internal/protocol/encoder.go
@ -0,0 +1,41 @@
+package protocol
+
+import (
+	"encoding/binary"
+	"encoding/json"
+	"fmt"
+	"io"
+)
+
+// encode is a helper function that encodes any message with the given message type
+func encode(w io.Writer, msgType MessageType, payload interface{}) error {
+	var payloadBytes []byte
+	var err error
+
+	// Only marshal if payload is not nil
+	if payload != nil {
+		payloadBytes, err = json.Marshal(payload)
+		if err != nil {
+			return fmt.Errorf("failed to encode payload: %w", err)
+		}
+	}
+
+	// Write message type (1 byte)
+	if err := binary.Write(w, binary.BigEndian, msgType); err != nil {
+		return fmt.Errorf("failed to write message type: %w", err)
+	}
+
+	// Write payload length (4 bytes, big-endian)
+	if err := binary.Write(w, binary.BigEndian, uint32(len(payloadBytes))); err != nil {
+		return fmt.Errorf("failed to write payload length: %w", err)
+	}
+
+	// Write JSON payload if we have one
+	if len(payloadBytes) > 0 {
+		if _, err := w.Write(payloadBytes); err != nil {
+			return fmt.Errorf("failed to write payload: %w", err)
+		}
+	}
+
+	return nil
+}
--- a/internal/protocol/message_decoder.go
+++ b/internal/protocol/message_decoder.go
@ -25,11 +25,6 @@ func (d *MessageDecoder) Decode(r io.Reader) (*Message, error) {
 		return nil, fmt.Errorf("failed to read message type: %w", err)
 	}

-	// Validate message type (only request types are valid for server)
-	if !isValidRequestType(msgType) {
-		return nil, fmt.Errorf("invalid message type: 0x%02x", msgType)
-	}
-
 	// Read payload length (4 bytes, big-endian)
 	var payloadLength uint32
 	if err := binary.Read(r, binary.BigEndian, &payloadLength); err != nil {
@ -53,13 +48,3 @@ func (d *MessageDecoder) Decode(r io.Reader) (*Message, error) {
 		PayloadStream:  payloadStream,
 	}, nil
 }
-
-// isValidRequestType checks if the message type is a valid request type
-func isValidRequestType(msgType MessageType) bool {
-	switch msgType {
-	case ChallengeRequestType, SolutionRequestType:
-		return true
-	default:
-		return false
-	}
-}
--- a/internal/protocol/message_decoder_test.go
+++ b/internal/protocol/message_decoder_test.go
@ -70,16 +70,6 @@ func TestMessageDecoder_Decode_Errors(t *testing.T) {
 			data:    []byte{},
 			wantErr: "EOF",
 		},
-		{
-			name:    "invalid message type",
-			data:    []byte{0xFF, 0x00, 0x00, 0x00, 0x00},
-			wantErr: "invalid message type",
-		},
-		{
-			name:    "response type not allowed",
-			data:    []byte{0x02, 0x00, 0x00, 0x00, 0x00}, // ChallengeResponseType
-			wantErr: "invalid message type",
-		},
 		{
 			name:    "incomplete header",
 			data:    []byte{0x01, 0x00, 0x00},
--- a/internal/protocol/requests.go
+++ b/internal/protocol/requests.go
@ -7,6 +7,7 @@ import (
 	"hash-of-wisdom/internal/pow/challenge"
 )

+
 // ChallengeRequest is empty (no payload for challenge requests)
 type ChallengeRequest struct{}

@ -16,6 +17,11 @@ func (r *ChallengeRequest) Decode(stream io.Reader) error {
 	return nil
 }

+// Encode writes a challenge request to the writer
+func (r *ChallengeRequest) Encode(w io.Writer) error {
+	return encode(w, ChallengeRequestType, nil)
+}
+
 // SolutionRequest contains the client's solution attempt
 type SolutionRequest struct {
 	Challenge challenge.Challenge `json:"challenge"`
@ -33,3 +39,8 @@ func (r *SolutionRequest) Decode(stream io.Reader) error {
 	decoder := json.NewDecoder(stream)
 	return decoder.Decode(r)
 }
+
+// Encode writes a solution request to the writer
+func (r *SolutionRequest) Encode(w io.Writer) error {
+	return encode(w, SolutionRequestType, r)
+}
--- a/internal/protocol/responses.go
+++ b/internal/protocol/responses.go
@ -1,63 +1,46 @@
 package protocol

 import (
-	"encoding/binary"
 	"encoding/json"
-	"fmt"
 	"io"

 	"hash-of-wisdom/internal/pow/challenge"
 	"hash-of-wisdom/internal/quotes"
 )

-// writeHeader writes the message type and payload length to the writer
-func writeHeader(w io.Writer, msgType MessageType, payloadLength uint32) error {
-	// Write message type (1 byte)
-	if err := binary.Write(w, binary.BigEndian, msgType); err != nil {
-		return fmt.Errorf("failed to write message type: %w", err)
-	}
-
-	// Write payload length (4 bytes, big-endian)
-	if err := binary.Write(w, binary.BigEndian, payloadLength); err != nil {
-		return fmt.Errorf("failed to write payload length: %w", err)
-	}
-
-	return nil
-}
-
-// encodeResponse is a helper function that encodes any response with the given message type
-func encodeResponse(w io.Writer, msgType MessageType, payload interface{}) error {
-	// Marshal to get exact payload size
-	payloadBytes, err := json.Marshal(payload)
-	if err != nil {
-		return fmt.Errorf("failed to encode payload: %w", err)
-	}
-
-	// Write header
-	if err := writeHeader(w, msgType, uint32(len(payloadBytes))); err != nil {
-		return err
-	}
-
-	// Write JSON payload directly to stream
-	if len(payloadBytes) > 0 {
-		if _, err := w.Write(payloadBytes); err != nil {
-			return fmt.Errorf("failed to write payload: %w", err)
-		}
-	}
-
-	return nil
-}

 // ChallengeResponse represents a challenge response
 type ChallengeResponse struct {
 	Challenge *challenge.Challenge
 }

+// Decode reads a challenge response from the payload stream
+func (r *ChallengeResponse) Decode(stream io.Reader) error {
+	if stream == nil {
+		return io.EOF
+	}
+
+	// Parse JSON directly from stream
+	decoder := json.NewDecoder(stream)
+	return decoder.Decode(&r.Challenge)
+}
+
 // SolutionResponse represents a successful solution response (contains quote)
 type SolutionResponse struct {
 	Quote *quotes.Quote
 }

+// Decode reads a solution response from the payload stream
+func (r *SolutionResponse) Decode(stream io.Reader) error {
+	if stream == nil {
+		return io.EOF
+	}
+
+	// Parse JSON directly from stream
+	decoder := json.NewDecoder(stream)
+	return decoder.Decode(&r.Quote)
+}
+
 // ErrorResponse represents an error response
 type ErrorResponse struct {
 	Code       string            `json:"code"`
@ -66,17 +49,28 @@ type ErrorResponse struct {
 	Details    map[string]string `json:"details,omitempty"`
 }

+// Decode reads an error response from the payload stream
+func (r *ErrorResponse) Decode(stream io.Reader) error {
+	if stream == nil {
+		return io.EOF
+	}
+
+	// Parse JSON directly from stream
+	decoder := json.NewDecoder(stream)
+	return decoder.Decode(r)
+}
+
 // Encode writes the challenge response to the writer
 func (r *ChallengeResponse) Encode(w io.Writer) error {
-	return encodeResponse(w, ChallengeResponseType, r.Challenge)
+	return encode(w, ChallengeResponseType, r.Challenge)
 }

 // Encode writes the solution response to the writer
 func (r *SolutionResponse) Encode(w io.Writer) error {
-	return encodeResponse(w, QuoteResponseType, r.Quote)
+	return encode(w, QuoteResponseType, r.Quote)
 }

 // Encode writes the error response to the writer
 func (r *ErrorResponse) Encode(w io.Writer) error {
-	return encodeResponse(w, ErrorResponseType, r)
+	return encode(w, ErrorResponseType, r)
 }
--- a/internal/protocol/roundtrip_test.go
+++ b/internal/protocol/roundtrip_test.go
@ -113,16 +113,6 @@ func TestChallengeRequest_EmptyPayload(t *testing.T) {
 	require.NoError(t, err)
 }

-func TestMessageDecoder_RejectsResponseTypes(t *testing.T) {
-	decoder := NewMessageDecoder()
-
-	data := []byte{byte(ErrorResponseType), 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'}
-	buf := bytes.NewBuffer(data)
-
-	_, err := decoder.Decode(buf)
-	assert.Error(t, err)
-	assert.Contains(t, err.Error(), "invalid message type")
-}

 func TestPayloadStream_LimitedRead(t *testing.T) {
 	decoder := NewMessageDecoder()
--- a/internal/protocol/spec_compliance_test.go
+++ b/internal/protocol/spec_compliance_test.go
@ -0,0 +1,177 @@
+package protocol
+
+import (
+	"bytes"
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"hash-of-wisdom/internal/pow/challenge"
+	"hash-of-wisdom/internal/quotes"
+)
+
+// TestSpecCompliance_ChallengeResponse verifies challenge response matches PROTOCOL.md format
+func TestSpecCompliance_ChallengeResponse(t *testing.T) {
+	resp := &ChallengeResponse{
+		Challenge: &challenge.Challenge{
+			Timestamp:  1640995200,
+			Difficulty: 4,
+			Resource:   "quotes",
+			Random:     []byte{0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6},
+			HMAC:       []byte("base64url_encoded_signature"),
+		},
+	}
+
+	var buf bytes.Buffer
+	err := resp.Encode(&buf)
+	require.NoError(t, err)
+
+	// Skip header (5 bytes) and get payload
+	header := buf.Bytes()[:5]
+	payload := buf.Bytes()[5:]
+
+	// Verify header format
+	assert.Equal(t, byte(ChallengeResponseType), header[0])
+	assert.Equal(t, uint32(len(payload)), uint32(header[1])<<24|uint32(header[2])<<16|uint32(header[3])<<8|uint32(header[4]))
+
+	// Verify JSON payload matches spec format
+	var decoded map[string]interface{}
+	err = json.Unmarshal(payload, &decoded)
+	require.NoError(t, err)
+
+	// Check required fields from spec
+	assert.Contains(t, decoded, "timestamp")
+	assert.Contains(t, decoded, "difficulty")
+	assert.Contains(t, decoded, "resource")
+	assert.Contains(t, decoded, "random")
+	assert.Contains(t, decoded, "hmac")
+
+	assert.Equal(t, float64(1640995200), decoded["timestamp"])
+	assert.Equal(t, float64(4), decoded["difficulty"])
+	assert.Equal(t, "quotes", decoded["resource"])
+}
+
+// TestSpecCompliance_SolutionRequest verifies solution request matches PROTOCOL.md format
+func TestSpecCompliance_SolutionRequest(t *testing.T) {
+	req := &SolutionRequest{
+		Challenge: challenge.Challenge{
+			Timestamp:  1640995200,
+			Difficulty: 4,
+			Resource:   "quotes",
+			Random:     []byte{0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6},
+			HMAC:       []byte("base64url_encoded_signature"),
+		},
+		Nonce: 12345,
+	}
+
+	var buf bytes.Buffer
+	err := req.Encode(&buf)
+	require.NoError(t, err)
+
+	// Skip header and get payload
+	payload := buf.Bytes()[5:]
+
+	// Verify JSON payload matches spec format
+	var decoded map[string]interface{}
+	err = json.Unmarshal(payload, &decoded)
+	require.NoError(t, err)
+
+	// Check required top-level fields
+	assert.Contains(t, decoded, "challenge")
+	assert.Contains(t, decoded, "nonce")
+	assert.Equal(t, float64(12345), decoded["nonce"])
+
+	// Check challenge structure
+	challenge := decoded["challenge"].(map[string]interface{})
+	assert.Contains(t, challenge, "timestamp")
+	assert.Contains(t, challenge, "difficulty")
+	assert.Contains(t, challenge, "resource")
+	assert.Contains(t, challenge, "random")
+	assert.Contains(t, challenge, "hmac")
+}
+
+// TestSpecCompliance_QuoteResponse verifies quote response matches PROTOCOL.md format
+func TestSpecCompliance_QuoteResponse(t *testing.T) {
+	resp := &SolutionResponse{
+		Quote: &quotes.Quote{
+			Text:   "The only way to do great work is to love what you do.",
+			Author: "Steve Jobs",
+		},
+	}
+
+	var buf bytes.Buffer
+	err := resp.Encode(&buf)
+	require.NoError(t, err)
+
+	// Skip header and get payload
+	payload := buf.Bytes()[5:]
+
+	// Verify JSON payload matches spec format
+	var decoded map[string]interface{}
+	err = json.Unmarshal(payload, &decoded)
+	require.NoError(t, err)
+
+	// Check required fields from spec
+	assert.Contains(t, decoded, "text")
+	assert.Contains(t, decoded, "author")
+	assert.Equal(t, "The only way to do great work is to love what you do.", decoded["text"])
+	assert.Equal(t, "Steve Jobs", decoded["author"])
+}
+
+// TestSpecCompliance_ErrorResponse verifies error response matches PROTOCOL.md format
+func TestSpecCompliance_ErrorResponse(t *testing.T) {
+	resp := &ErrorResponse{
+		Code:       "INVALID_SOLUTION",
+		Message:    "The provided PoW solution is incorrect",
+		RetryAfter: 30,
+		Details:    map[string]string{"reason": "hash verification failed"},
+	}
+
+	var buf bytes.Buffer
+	err := resp.Encode(&buf)
+	require.NoError(t, err)
+
+	// Skip header and get payload
+	payload := buf.Bytes()[5:]
+
+	// Verify JSON payload matches spec format
+	var decoded map[string]interface{}
+	err = json.Unmarshal(payload, &decoded)
+	require.NoError(t, err)
+
+	// Check required fields from spec
+	assert.Contains(t, decoded, "code")
+	assert.Contains(t, decoded, "message")
+	assert.Equal(t, "INVALID_SOLUTION", decoded["code"])
+	assert.Equal(t, "The provided PoW solution is incorrect", decoded["message"])
+
+	// Check optional fields
+	assert.Contains(t, decoded, "retry_after")
+	assert.Contains(t, decoded, "details")
+	assert.Equal(t, float64(30), decoded["retry_after"])
+}
+
+// TestSpecCompliance_MessageSizeLimits verifies 8KB payload limit
+func TestSpecCompliance_MessageSizeLimits(t *testing.T) {
+	decoder := NewMessageDecoder()
+
+	// Create a message that exceeds 8KB payload limit
+	largePayload := make([]byte, MaxPayloadSize+1)
+	for i := range largePayload {
+		largePayload[i] = 'A'
+	}
+
+	// Create message with oversized payload
+	var buf bytes.Buffer
+	buf.WriteByte(byte(ChallengeRequestType))
+	buf.Write([]byte{0x00, 0x00, 0x20, 0x01}) // 8193 bytes (8KB + 1)
+	buf.Write(largePayload)
+
+	// Should reject oversized payload
+	_, err := decoder.Decode(&buf)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "payload length")
+	assert.Contains(t, err.Error(), "exceeds maximum")
+}
--- a/test/integration/slowloris_test.go
+++ b/test/integration/slowloris_test.go
@ -0,0 +1,198 @@
+package integration
+
+import (
+	"net"
+	"testing"
+	"time"
+
+	"hash-of-wisdom/internal/protocol"
+	"hash-of-wisdom/internal/server"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSlowlorisProtection_SlowReader(t *testing.T) {
+	// Setup server with very short read timeout for testing
+	config := server.DefaultConfig()
+	config.Address = ":0"
+	config.Timeouts.Read = 100 * time.Millisecond
+	config.Timeouts.Write = 5 * time.Second
+	config.Timeouts.Connection = 15 * time.Second
+
+	srv := setupTestServerWithConfig(t, config)
+	defer srv.Stop()
+
+	// Connect to server
+	conn, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	// Send partial message header very slowly (slowloris attack)
+	_, err = conn.Write([]byte{0x01}) // Challenge request type
+	require.NoError(t, err)
+
+	// Wait longer than read timeout before sending length
+	time.Sleep(200 * time.Millisecond)
+
+	// Try to send more data - connection should be timed out
+	_, err = conn.Write([]byte{0x00, 0x00, 0x00, 0x00}) // Payload length
+
+	// Verify connection is closed by trying to read
+	buffer := make([]byte, 1024)
+	conn.SetReadDeadline(time.Now().Add(500 * time.Millisecond))
+	_, err = conn.Read(buffer)
+	assert.Error(t, err, "Connection should be closed due to slow reading")
+}
+
+func TestSlowlorisProtection_SlowWriter(t *testing.T) {
+	// Setup server with very short write timeout for testing
+	config := server.DefaultConfig()
+	config.Address = ":0"
+	config.Timeouts.Read = 5 * time.Second
+	config.Timeouts.Write = 100 * time.Millisecond
+	config.Timeouts.Connection = 15 * time.Second
+
+	srv := setupTestServerWithConfig(t, config)
+	defer srv.Stop()
+
+	// Connect to server but don't read responses (simulate slow writer client)
+	conn, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	// Send a complete challenge request
+	challengeReq := &protocol.ChallengeRequest{}
+	err = challengeReq.Encode(conn)
+	require.NoError(t, err)
+
+	// Don't read the response to simulate slow writer
+	// Server should timeout when trying to write response
+	time.Sleep(200 * time.Millisecond)
+
+	// Try to send another request - connection should be closed
+	err = challengeReq.Encode(conn)
+	assert.Error(t, err, "Connection should be closed due to slow writing")
+}
+
+func TestSlowlorisProtection_ConnectionTimeout(t *testing.T) {
+	// Setup server with very short connection timeout
+	config := server.DefaultConfig()
+	config.Address = ":0"
+	config.Timeouts.Read = 5 * time.Second
+	config.Timeouts.Write = 5 * time.Second
+	config.Timeouts.Connection = 100 * time.Millisecond
+
+	srv := setupTestServerWithConfig(t, config)
+	defer srv.Stop()
+
+	// Connect to server
+	conn, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	// Wait longer than connection timeout without sending any data
+	time.Sleep(200 * time.Millisecond)
+
+	// Try to read from connection - should get EOF or connection reset
+	buffer := make([]byte, 1024)
+	conn.SetReadDeadline(time.Now().Add(100 * time.Millisecond))
+	_, err = conn.Read(buffer)
+	assert.Error(t, err, "Connection should be closed due to connection timeout")
+}
+
+func TestSlowlorisProtection_MultipleSlowConnections(t *testing.T) {
+	// Setup server with short timeouts
+	config := server.DefaultConfig()
+	config.Address = ":0"
+	config.Timeouts.Read = 50 * time.Millisecond
+	config.Timeouts.Write = 50 * time.Millisecond
+	config.Timeouts.Connection = 200 * time.Millisecond
+
+	srv := setupTestServerWithConfig(t, config)
+	defer srv.Stop()
+
+	// Create multiple slow connections (simulating slowloris attack)
+	var conns []net.Conn
+	for i := 0; i < 3; i++ {
+		conn, err := net.Dial("tcp", srv.Address())
+		require.NoError(t, err)
+		conns = append(conns, conn)
+
+		// Send partial data to trigger slow reader behavior
+		_, err = conn.Write([]byte{0x01}) // Just message type
+		require.NoError(t, err)
+	}
+
+	// Clean up connections
+	defer func() {
+		for _, conn := range conns {
+			conn.Close()
+		}
+	}()
+
+	// Wait for read timeouts to kick in
+	time.Sleep(100 * time.Millisecond)
+
+	// Verify slow connections are closed by trying to read from them
+	for i, conn := range conns {
+		buffer := make([]byte, 1024)
+		conn.SetReadDeadline(time.Now().Add(50 * time.Millisecond))
+		_, err := conn.Read(buffer)
+		assert.Error(t, err, "Slow connection %d should be closed", i)
+	}
+}
+
+func TestSlowlorisProtection_NormalOperationWithinTimeouts(t *testing.T) {
+	// Setup server with reasonable timeouts
+	config := server.DefaultConfig()
+	config.Address = ":0"
+
+	srv := setupTestServerWithConfig(t, config)
+	defer srv.Stop()
+
+	// Connect and complete normal flow quickly
+	conn, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	// Request challenge
+	challengeReq := &protocol.ChallengeRequest{}
+	err = challengeReq.Encode(conn)
+	require.NoError(t, err)
+
+	// Should receive challenge response without timeout
+	decoder := protocol.NewMessageDecoder()
+	msg, err := decoder.Decode(conn)
+	require.NoError(t, err)
+	assert.Equal(t, protocol.ChallengeResponseType, msg.Type)
+	assert.Greater(t, msg.PayloadLength, uint32(0), "Challenge payload should not be empty")
+}
+
+func TestSlowlorisProtection_PartialHeaderAttack(t *testing.T) {
+	// Setup server with short read timeout
+	config := server.DefaultConfig()
+	config.Address = ":0"
+	config.Timeouts.Read = 100 * time.Millisecond
+
+	srv := setupTestServerWithConfig(t, config)
+	defer srv.Stop()
+
+	// Connect to server
+	conn, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	// Send only message type byte, then stall
+	_, err = conn.Write([]byte{0x01})
+	require.NoError(t, err)
+
+	// Wait for read timeout
+	time.Sleep(200 * time.Millisecond)
+
+	// Try to read from connection - should be closed
+	buffer := make([]byte, 1024)
+	conn.SetReadDeadline(time.Now().Add(100 * time.Millisecond))
+	_, err = conn.Read(buffer)
+	assert.Error(t, err, "Connection should be closed due to partial header")
+}
--- a/test/integration/timeout_test.go
+++ b/test/integration/timeout_test.go
@ -0,0 +1,192 @@
+package integration
+
+import (
+	"context"
+	"net"
+	"testing"
+	"time"
+
+	"hash-of-wisdom/internal/lib/sl"
+	"hash-of-wisdom/internal/pow/challenge"
+	"hash-of-wisdom/internal/protocol"
+	"hash-of-wisdom/internal/quotes"
+	"hash-of-wisdom/internal/server"
+	"hash-of-wisdom/internal/service"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestTCPServer_TimeoutProtection_SlowReader(t *testing.T) {
+	// Setup server with very short read timeout for testing
+	config := server.DefaultConfig()
+	config.Address = ":0"
+	config.Timeouts.Read = 500 * time.Millisecond
+	config.Timeouts.Write = 5 * time.Second
+	config.Timeouts.Connection = 15 * time.Second
+	srv := setupTestServerWithConfig(t, config)
+	defer srv.Stop()
+
+	// Connect to server
+	conn, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	// Send partial message header (just type byte)
+	_, err = conn.Write([]byte{0x01}) // Challenge request type
+	require.NoError(t, err)
+
+	// Wait longer than read timeout before sending length
+	time.Sleep(700 * time.Millisecond)
+
+	// Try to send more data - connection should be timed out
+	_, err = conn.Write([]byte{0x00, 0x00, 0x00, 0x00}) // Payload length
+
+	// Verify connection is closed by reading
+	buffer := make([]byte, 1024)
+	conn.SetReadDeadline(time.Now().Add(1 * time.Second))
+	_, err = conn.Read(buffer)
+	assert.Error(t, err, "Connection should be closed due to slow reading")
+}
+
+func TestTCPServer_TimeoutProtection_ConnectionTimeout(t *testing.T) {
+	// Setup server with very short connection timeout
+	config := server.DefaultConfig()
+	config.Address = ":0"
+	config.Timeouts.Read = 5 * time.Second
+	config.Timeouts.Write = 5 * time.Second
+	config.Timeouts.Connection = 1 * time.Second
+	srv := setupTestServerWithConfig(t, config)
+	defer srv.Stop()
+
+	// Connect to server
+	conn, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	// Wait longer than connection timeout
+	time.Sleep(1500 * time.Millisecond)
+
+	// Try to read from connection - should get EOF or connection reset
+	buffer := make([]byte, 1024)
+	conn.SetReadDeadline(time.Now().Add(500 * time.Millisecond))
+	_, err = conn.Read(buffer)
+	assert.Error(t, err, "Connection should be closed due to timeout")
+}
+
+func TestTCPServer_NormalOperation_WithinTimeouts(t *testing.T) {
+	srv := setupTestServer(t)
+	defer srv.Stop()
+
+	// Connect and complete normal flow quickly
+	conn, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	// Request challenge using new protocol API
+	challengeReq := &protocol.ChallengeRequest{}
+	err = challengeReq.Encode(conn)
+	require.NoError(t, err)
+
+	// Should receive challenge response without timeout
+	decoder := protocol.NewMessageDecoder()
+	msg, err := decoder.Decode(conn)
+	require.NoError(t, err)
+	assert.Equal(t, protocol.ChallengeResponseType, msg.Type)
+	assert.Greater(t, msg.PayloadLength, uint32(0), "Challenge payload should not be empty")
+}
+
+func TestTCPServer_MultipleConnections_IndependentTimeouts(t *testing.T) {
+	config := server.DefaultConfig()
+	config.Address = ":0"
+	config.Timeouts.Read = 1 * time.Second
+	config.Timeouts.Write = 5 * time.Second
+	config.Timeouts.Connection = 3 * time.Second
+	srv := setupTestServerWithConfig(t, config)
+	defer srv.Stop()
+
+	// Start two connections
+	conn1, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn1.Close()
+
+	conn2, err := net.Dial("tcp", srv.Address())
+	require.NoError(t, err)
+	defer conn2.Close()
+
+	// Conn1: Send complete request quickly
+	go func() {
+		req := &protocol.ChallengeRequest{}
+		req.Encode(conn1)
+	}()
+
+	// Conn2: Send partial request and stall
+	conn2.Write([]byte{0x01}) // Just message type
+
+	// Wait for read timeout
+	time.Sleep(1500 * time.Millisecond)
+
+	// Conn1 should still work, Conn2 should be closed
+	buffer := make([]byte, 1024)
+
+	// Conn1 should receive response
+	conn1.SetReadDeadline(time.Now().Add(1 * time.Second))
+	n, err := conn1.Read(buffer)
+	assert.NoError(t, err)
+	assert.Greater(t, n, 0, "Conn1 should receive response")
+
+	// Conn2 should be closed
+	conn2.SetReadDeadline(time.Now().Add(500 * time.Millisecond))
+	_, err = conn2.Read(buffer)
+	assert.Error(t, err, "Conn2 should be closed due to timeout")
+}
+
+// Helper function to create test server with default config
+func setupTestServer(t *testing.T) *server.TCPServer {
+	config := server.DefaultConfig()
+	config.Address = ":0"
+	return setupTestServerWithConfig(t, config)
+}
+
+// Helper function to create test server with custom config
+func setupTestServerWithConfig(t *testing.T, serverConfig *server.Config) *server.TCPServer {
+	// Create test components
+	challengeConfig := challenge.TestConfig()
+	generator := challenge.NewGenerator(challengeConfig)
+	verifier := challenge.NewVerifier(challengeConfig)
+
+	// Create a simple test quote service
+	quoteService := &testQuoteService{}
+
+	// Wire up service
+	genAdapter := service.NewGeneratorAdapter(generator)
+	wisdomService := service.NewWisdomService(genAdapter, verifier, quoteService)
+
+	// Create server with custom config using functional options
+	logger := sl.NewMockLogger()
+	srv := server.NewTCPServer(wisdomService,
+		server.WithConfig(serverConfig),
+		server.WithLogger(logger))
+
+	// Start server
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+	defer cancel()
+
+	err := srv.Start(ctx)
+	require.NoError(t, err)
+
+	// Give server time to start
+	time.Sleep(100 * time.Millisecond)
+
+	return srv
+}
+
+// testQuoteService provides test quotes
+type testQuoteService struct{}
+
+func (s *testQuoteService) GetRandomQuote(ctx context.Context) (*quotes.Quote, error) {
+	return &quotes.Quote{
+		Text:   "Test quote for integration testing",
+		Author: "Test Author",
+	}, nil
+}