serviceability: feed accounts + feed_key-scoped EdgeSeat metro gate#3952
Closed
nikw9944 wants to merge 2 commits into
Closed
serviceability: feed accounts + feed_key-scoped EdgeSeat metro gate#3952nikw9944 wants to merge 2 commits into
nikw9944 wants to merge 2 commits into
Conversation
…gate Add a Feed account (metro→group-set catalog) managed by a catalog admin (FEED_AUTHORITY/FOUNDATION); rework EdgeSeat into EdgeSeat(Vec<FeedSeat>); enforce a metro gate at multicast connect (MetroMismatch); provision feeds onto a pass via the oracle's ACCESS_PASS_ADMIN SetAccessPassFeeds instruction. CLI 'doublezero feed' verbs + Rust/Go/Python/TS SDK read support. Refs malbeclabs/infra#1700
…Pass, guard SetAccessPassFeeds to EdgeSeat passes, document layout/ref-count
bb5b385 to
41be2c8
Compare
This was referenced Jun 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary of Changes
Feedaccount — ametro(exchange)→group-setcatalog, managed by a catalog admin (FEED_AUTHORITYPermission orFOUNDATION) viaCreateFeed/UpdateFeed/DeleteFeed. A feed with no metros imposes no restriction.EdgeSeataccess-pass variant from a bare marker intoEdgeSeat(Vec<FeedSeat>)(feed_key+ per-feed cap); the per-feed cap is the authoritative concurrent-user quota for EdgeSeat multicast (legacymax_multicast_usersis now vestigial).MetroMismatch; the joinable groups are the matching feed's group-set for that exchange; the matching feed's seat is ticked.ACCESS_PASS_ADMINSetAccessPassFeedsinstruction (not the deprecatedfeed_authorityslot).doublezero feedCLI verbs + Rust/Go/Python/TypeScript read-SDK support; connect/subscribe/delete instructions take an optional trailingFeedaccount (wire-ordering change coordinated with siblings monitor: Add epoch change events to monitor so we can annotate dashboards #1699/Passport needs to be able to handle backup IDs for access requests #1701).malbeclabs/doublezero(smartcontract/). Fixes malbeclabs/infra#1700.Testing Verification
tests/feed_metro_gate_test.rs) cover the four issue scenarios: wrong-metro device rejected (MetroMismatch), right-metro joins the metro's group set, multi-feed seat (matching feed admits + ticks), no-metro feed reachable from anywhere.Feed::groups_for(covered/not-covered/unrestricted),FeedSeatcap tick/MetroMismatch, the instruction round-trip, and the supersede semantics inaccesspass.rs.cargo test -p doublezero-serviceability(all program + lib tests),sdk/rs+clitests, Go (go test ./sdk/go/serviceability/...), Python (uv run pytest, 123 passed), TypeScript (bun test, 146 passed) against regenerated fixtures (make generate-fixtures).Review follow-ups
Architecture + security reviews are posted on the issue. Addressed in this PR:
SetAccessPassnow preserves provisioned EdgeSeat seats instead of clobbering them;SetAccessPassFeedsrequires the pass to already be EdgeSeat; layout-compat andreference_countone-directionality documented in code.Open item for operator/
#1699(not addressed here): the feed a user connected on is not recorded on theUseraccount, so seat release relies on the caller passing the correctFeedaccount at delete (the program releases correctly when given it, but every shipped admin caller currently passesNone). The robust fix — recordfeed_keyonUserand release exactly that, ignoring caller input — is aUser-layout change across the program + Go/Python/TS SDKs + fixtures and is a natural fit for the oracle connection-lifecycle work in #1699. Flagging for a decision rather than expanding this PR's blast radius.🤖 Generated with Claude Code