Forwarder architecture fixes: trust model, data integrity, and decomposition#217
Merged
Thread the authenticated peer NodeId from connection admission into the control loop and emit a tracing event (peer, verb, request_id, target, outcome) at every reader-control and remote-config dispatch arm, including capability-gate denials. Extend RemoteConfigHandler::set_config to take the peer so config writes are attributed in the UI log: ForwarderRemoteConfigHandler now holds the shared UiLogger and logs both accepted and rejected remote config writes with the requesting receiver's node id.
Summary

Fixes the issues found in the forwarder architecture review, in five phases (36 commits, each task TDD'd and reviewed):

Trust model (critical)

- `CAP_READER_CONTROL` capability and a new `control.allow_reader_control` flag (default `true`); capability-gate denials are written inline to prevent a control-loop deadlock under request floods
- `[auth]`, `[p2p]`, or `[control]` sections (privilege-escalation fix); the receiver UI renders those sections read-only

Data integrity

- `GET /forwarder/catalog` server endpoint

Contention & decomposition

- `status_http.rs` decomposed: `config_service.rs` and `status_store.rs` extracted; reader/UPS tasks no longer depend on the HTTP module

P2P mediums/lows

- `rt-p2p-protocol` (single source of framing invariants); server HTTP clients split out of `allowlist.rs`
- `/api/v1/status` serves cached server reachability (no inline WAN call); change-gated `server_status_changed` UI event
- `pending_events` replay path removed (tests ported to the cursor API)

One behavioral note for the E2E suite: the remote-config gating scenario now asserts that remote `[control]` writes are rejected and flips the gate via a local TOML edit instead.

Test Plan

- `cargo fmt --all -- --check` and `cargo clippy --workspace --all-targets` clean
- `cargo test --workspace --lib` and `cargo test --workspace -- --test-threads=4` green
- `uv run scripts/e2e/run_stack.py`: 65/65 checks GREEN (three lanes)
- `bash scripts/validate-packaging.sh`: 79/79
- `npm test` 164 passed, `npm run check/lint` clean
- `[p2p]` write rejected end-to-end; journal-loss reboot restores `next_seq` from the server catalog

Written and posted by AI on behalf of Isaac.
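The reader-control capability gate from the trust-model phase, together with the per-arm attributed dispatch event (peer, verb, request_id, target, outcome) from the NodeId-threading commit, sketched as an added example that is not the project's own code: `NodeId`, `Outcome`, `DispatchEvent` and `ControlLoop` are names assumed here, the `events` vector stands in for the tracing sink, and the way the inline denial avoids the control-loop self-deadlock is modelled as an assumption about the original design.

```rust
// Added illustration, not the project's code: a reader-control capability gate
// that decides and records each request inline. NodeId, Outcome, DispatchEvent
// and ControlLoop are names assumed here for the example.
use std::collections::HashSet;
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct NodeId(pub u64);

/// Capability a peer must hold before it may issue reader-control verbs.
pub const CAP_READER_CONTROL: &str = "CAP_READER_CONTROL";
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Outcome { Accepted, DeniedCapability, DeniedDisabled }

/// One structured event per dispatch arm, denials included, so every
/// reader-control attempt is attributable to the authenticated peer.
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct DispatchEvent {
    pub peer: NodeId,
    pub verb: String,
    pub request_id: u64,
    pub target: String,
    pub outcome: Outcome,
}

pub struct ControlLoop {
    /// Mirrors the `control.allow_reader_control` flag (default true).
    pub allow_reader_control: bool,
    /// Stands in for the tracing sink; tests inspect it directly.
    pub events: Vec<DispatchEvent>,
}

impl ControlLoop {
    /// Gate one reader-control request. The denial is decided and logged in
    /// this same call instead of being queued back into the loop's own request
    /// channel (assumed model), so a flood of unauthorised requests cannot fill
    /// that channel with replies the loop itself has to drain.
    pub fn dispatch_reader_control(&mut self, peer: NodeId, caps: &HashSet<&str>,
                                   verb: &str, request_id: u64, target: &str) -> Outcome {
        let outcome = if !self.allow_reader_control {
            Outcome::DeniedDisabled
        } else if !caps.contains(CAP_READER_CONTROL) {
            Outcome::DeniedCapability
        } else {
            Outcome::Accepted
        };
        self.events.push(DispatchEvent {
            peer, verb: verb.into(), request_id, target: target.into(), outcome,
        });
        outcome
    }
}
```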