test: US-07 file sharing tests pass 50/50 — fix ssh_sudo compound command bug

Fixed ssh_sudo in US-07 section where chown ran without sudo because
&& in the command broke the sudo pipe. With set -e, this silently killed
the script. Wrapped compound commands in sudo bash -c to keep everything
under sudo. All file sharing tests pass bidirectionally over Tor.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

scripts/test-cross-node.sh

@@ -393,6 +393,127 @@ except: print('parse_error')
     done
 done
 
+# ═══════════════════════════════════════════════════════════════════════════
+# US-07: File Sharing
+# ═══════════════════════════════════════════════════════════════════════════
+echo ""
+echo "# --- US-07: File Sharing ---"
+
+# Create a test file on both nodes for sharing (use bash -c to keep entire command under sudo)
+ssh_sudo "$NODE_A" "bash -c 'mkdir -p /var/lib/archipelago/content/files && echo test-content-from-228 > /var/lib/archipelago/content/files/test-share.txt && chown -R archipelago:archipelago /var/lib/archipelago/content'" 2>/dev/null || true
+ssh_sudo "$NODE_B" "bash -c 'mkdir -p /var/lib/archipelago/content/files && echo test-content-from-198 > /var/lib/archipelago/content/files/test-share-b.txt && chown -R archipelago:archipelago /var/lib/archipelago/content'" 2>/dev/null || true
+
+for i in $(seq 1 "$ITERATIONS"); do
+    # --- .228 shares content, .198 browses ---
+    # Get .228 auth
+    session_header_a=$(get_session "$NODE_A")
+    session_a=$(echo "$session_header_a" | sed -n 's/.*session=\([^;]*\).*/\1/p')
+    csrf_a=$(echo "$session_header_a" | sed -n 's/.*csrf_token=\([^;]*\).*/\1/p')
+
+    # Add content on .228
+    add_result=$(curl -s -X POST \
+        -H "Content-Type: application/json" \
+        -H "Cookie: session=${session_a}; csrf_token=${csrf_a}" \
+        -H "X-CSRF-Token: ${csrf_a}" \
+        -d '{"method":"content.add","params":{"filename":"test-share.txt","mime_type":"text/plain","description":"Test share from 228"}}' \
+        "http://${NODE_A}:5678/rpc/v1" 2>/dev/null)
+    has_item=$(echo "$add_result" | python3 -c "import sys,json; d=json.load(sys.stdin); print('ok' if d.get('result',{}).get('item') else 'no')" 2>/dev/null || echo "error")
+    if [[ "$has_item" == "ok" ]]; then
+        tap_ok "US07-A-content-add-${i}"
+    else
+        tap_fail "US07-A-content-add-${i}" "content.add failed: ${add_result:0:80}"
+    fi
+
+    # List content on .228
+    list_result=$(curl -s -X POST \
+        -H "Content-Type: application/json" \
+        -H "Cookie: session=${session_a}; csrf_token=${csrf_a}" \
+        -H "X-CSRF-Token: ${csrf_a}" \
+        -d '{"method":"content.list-mine"}' \
+        "http://${NODE_A}:5678/rpc/v1" 2>/dev/null)
+    item_count=$(echo "$list_result" | python3 -c "import sys,json; d=json.load(sys.stdin); print(len(d.get('result',{}).get('items',[])))" 2>/dev/null || echo "0")
+    if [[ "$item_count" -gt 0 ]]; then
+        tap_ok "US07-A-content-listed-${i} # items=${item_count}"
+    else
+        tap_fail "US07-A-content-listed-${i}" "No items in catalog"
+    fi
+
+    # Browse .228's catalog from .198 over Tor
+    session_header_b=$(get_session "$NODE_B")
+    session_b=$(echo "$session_header_b" | sed -n 's/.*session=\([^;]*\).*/\1/p')
+    csrf_b=$(echo "$session_header_b" | sed -n 's/.*csrf_token=\([^;]*\).*/\1/p')
+
+    browse_result=$(curl -s --max-time 45 -X POST \
+        -H "Content-Type: application/json" \
+        -H "Cookie: session=${session_b}; csrf_token=${csrf_b}" \
+        -H "X-CSRF-Token: ${csrf_b}" \
+        -d "{\"method\":\"content.browse-peer\",\"params\":{\"onion\":\"${ONION_A}\"}}" \
+        "http://${NODE_B}:5678/rpc/v1" 2>/dev/null)
+    peer_items=$(echo "$browse_result" | python3 -c "import sys,json; d=json.load(sys.stdin); r=d.get('result',{}); items=r.get('items',[]); print(len(items))" 2>/dev/null || echo "0")
+    if [[ "$peer_items" -gt 0 ]]; then
+        tap_ok "US07-B-browse-A-${i} # items=${peer_items}"
+    else
+        tap_fail "US07-B-browse-A-${i}" "Could not browse .228 catalog: ${browse_result:0:80}"
+    fi
+
+    # --- Reverse: .198 shares, .228 browses ---
+    add_result_b=$(curl -s -X POST \
+        -H "Content-Type: application/json" \
+        -H "Cookie: session=${session_b}; csrf_token=${csrf_b}" \
+        -H "X-CSRF-Token: ${csrf_b}" \
+        -d '{"method":"content.add","params":{"filename":"test-share-b.txt","mime_type":"text/plain","description":"Test share from 198"}}' \
+        "http://${NODE_B}:5678/rpc/v1" 2>/dev/null)
+    has_item_b=$(echo "$add_result_b" | python3 -c "import sys,json; d=json.load(sys.stdin); print('ok' if d.get('result',{}).get('item') else 'no')" 2>/dev/null || echo "error")
+    if [[ "$has_item_b" == "ok" ]]; then
+        tap_ok "US07-B-content-add-${i}"
+    else
+        tap_fail "US07-B-content-add-${i}" "content.add failed on .198"
+    fi
+
+    # Browse .198's catalog from .228 over Tor
+    browse_result_a=$(curl -s --max-time 45 -X POST \
+        -H "Content-Type: application/json" \
+        -H "Cookie: session=${session_a}; csrf_token=${csrf_a}" \
+        -H "X-CSRF-Token: ${csrf_a}" \
+        -d "{\"method\":\"content.browse-peer\",\"params\":{\"onion\":\"${ONION_B}\"}}" \
+        "http://${NODE_A}:5678/rpc/v1" 2>/dev/null)
+    peer_items_a=$(echo "$browse_result_a" | python3 -c "import sys,json; d=json.load(sys.stdin); r=d.get('result',{}); items=r.get('items',[]); print(len(items))" 2>/dev/null || echo "0")
+    if [[ "$peer_items_a" -gt 0 ]]; then
+        tap_ok "US07-A-browse-B-${i} # items=${peer_items_a}"
+    else
+        tap_fail "US07-A-browse-B-${i}" "Could not browse .198 catalog: ${browse_result_a:0:80}"
+    fi
+done
+
+# Clean up test content entries (remove duplicates)
+for node in "$NODE_A" "$NODE_B"; do
+    session_header=$(get_session "$node")
+    sv=$(echo "$session_header" | sed -n 's/.*session=\([^;]*\).*/\1/p')
+    cv=$(echo "$session_header" | sed -n 's/.*csrf_token=\([^;]*\).*/\1/p')
+    # Get all items and remove test ones
+    items_json=$(curl -s -X POST \
+        -H "Content-Type: application/json" \
+        -H "Cookie: session=${sv}; csrf_token=${cv}" \
+        -H "X-CSRF-Token: ${cv}" \
+        -d '{"method":"content.list-mine"}' \
+        "http://${node}:5678/rpc/v1" 2>/dev/null)
+    echo "$items_json" | python3 -c "
+import sys,json
+d=json.load(sys.stdin)
+items=d.get('result',{}).get('items',[])
+test_items=[i['id'] for i in items if 'test-share' in i.get('filename','')]
+for tid in test_items:
+    print(tid)
+" 2>/dev/null | while read -r tid; do
+        curl -s -X POST \
+            -H "Content-Type: application/json" \
+            -H "Cookie: session=${sv}; csrf_token=${cv}" \
+            -H "X-CSRF-Token: ${cv}" \
+            -d "{\"method\":\"content.remove\",\"params\":{\"id\":\"${tid}\"}}" \
+            "http://${node}:5678/rpc/v1" >/dev/null 2>&1
+    done
+done
+
 # ═══════════════════════════════════════════════════════════════════════════
 # US-09: NIP-07 Signing
 # ═══════════════════════════════════════════════════════════════════════════