serviceability: feed accounts + feed_key-scoped EdgeSeat metro gate #3952

Closed: nikw9944 wants to merge 2 commits into main from nikw9944/infra-1700

@nikw9944

Contributor

Summary of Changes

  • Add a serviceability Feed account — a metro(exchange)→group-set catalog, managed by a catalog admin (FEED_AUTHORITY Permission or FOUNDATION) via CreateFeed/UpdateFeed/DeleteFeed. A feed with no metros imposes no restriction.
  • Rework the EdgeSeat access-pass variant from a bare marker into EdgeSeat(Vec<FeedSeat>) (feed_key + per-feed cap); the per-feed cap is the authoritative concurrent-user quota for EdgeSeat multicast (legacy max_multicast_users is now vestigial).
  • Enforce a metro gate at multicast connect: a device whose exchange isn't covered by any of the pass's feeds is rejected with MetroMismatch; the joinable groups are the matching feed's group-set for that exchange; the matching feed's seat is ticked.
  • Provision feed_keys onto an EdgeSeat pass via the oracle's ACCESS_PASS_ADMIN SetAccessPassFeeds instruction (not the deprecated feed_authority slot).
  • doublezero feed CLI verbs + Rust/Go/Python/TypeScript read-SDK support; connect/subscribe/delete instructions take an optional trailing Feed account (wire-ordering change coordinated with siblings #1699/#1701).
  • Code lands in malbeclabs/doublezero (smartcontract/). Fixes malbeclabs/infra#1700.

Testing Verification

  • New program integration tests (tests/feed_metro_gate_test.rs) cover the four issue scenarios: wrong-metro device rejected (MetroMismatch), right-metro joins the metro's group set, multi-feed seat (matching feed admits + ticks), no-metro feed reachable from anywhere.
  • Unit tests for Feed::groups_for (covered/not-covered/unrestricted), FeedSeat cap tick/MetroMismatch, the instruction round-trip, and the supersede semantics in accesspass.rs.
  • Full suites green locally: cargo test -p doublezero-serviceability (all program + lib tests), sdk/rs + cli tests, Go (go test ./sdk/go/serviceability/...), Python (uv run pytest, 123 passed), TypeScript (bun test, 146 passed) against regenerated fixtures (make generate-fixtures).

Review follow-ups

Architecture + security reviews are posted on the issue. Addressed in this PR: SetAccessPass now preserves provisioned EdgeSeat seats instead of clobbering them; SetAccessPassFeeds requires the pass to already be EdgeSeat; layout-compat and reference_count one-directionality documented in code.

Open item for operator/#1699 (not addressed here): the feed a user connected on is not recorded on the User account, so seat release relies on the caller passing the correct Feed account at delete (the program releases correctly when given it, but every shipped admin caller currently passes None). The robust fix — record feed_key on User and release exactly that, ignoring caller input — is a User-layout change across the program + Go/Python/TS SDKs + fixtures and is a natural fit for the oracle connection-lifecycle work in #1699. Flagging for a decision rather than expanding this PR's blast radius.

🤖 Generated with Claude Code
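
The metro gate and the open seat-release item described in the summary above, as an added example that is not part of the PR or the project's code. It is a simplified model: the types, field names, `u32` feed keys, first-match seat selection and the `CapReached` error are assumptions.

```rust
use std::collections::HashMap;
// Simplified model of the gate the PR describes. Types, field names, u32 keys
// and the CapReached error are assumptions, not the program's account layout.
#[derive(Debug, PartialEq)]
enum GateError { MetroMismatch, CapReached }
#[derive(Debug, PartialEq)]
enum Access { Unrestricted, Groups(Vec<&'static str>) }
struct Feed { metros: HashMap<&'static str, Vec<&'static str>> } // exchange -> group set

impl Feed {
    // None means the exchange is not covered; a feed with no metros restricts nothing.
    fn groups_for(&self, exchange: &str) -> Option<Access> {
        if self.metros.is_empty() { return Some(Access::Unrestricted); }
        self.metros.get(exchange).map(|g| Access::Groups(g.clone()))
    }
}

struct FeedSeat { feed_key: u32, cap: u16, used: u16 }

// Connect: the first seat whose feed covers the exchange admits and is ticked.
fn connect(seats: &mut [FeedSeat], feeds: &HashMap<u32, Feed>, exchange: &str)
    -> Result<(u32, Access), GateError> {
    for seat in seats.iter_mut() {
        let Some(access) = feeds.get(&seat.feed_key).and_then(|f| f.groups_for(exchange))
            else { continue };
        if seat.used >= seat.cap { return Err(GateError::CapReached); }
        seat.used += 1;
        return Ok((seat.feed_key, access));
    }
    Err(GateError::MetroMismatch)
}

// Delete: the seat is released only when the caller names the feed it was ticked on.
fn disconnect(seats: &mut [FeedSeat], feed_key: Option<u32>) -> bool {
    let Some(key) = feed_key else { return false };
    match seats.iter_mut().find(|s| s.feed_key == key && s.used > 0) {
        Some(seat) => { seat.used -= 1; true }
        None => false,
    }
}

fn main() {
    // Constructed sample: feed 1 covers "nyc" only; the pass holds one seat on it.
    let feeds = HashMap::from([(1, Feed { metros: HashMap::from([("nyc", vec!["mcast-a"])]) })]);
    let mut seats = [FeedSeat { feed_key: 1, cap: 1, used: 0 }];
    println!("{:?}", connect(&mut seats, &feeds, "lon")); // wrong metro
    println!("{:?}", connect(&mut seats, &feeds, "nyc")); // admitted, seat ticked
    println!("delete without feed released: {}", disconnect(&mut seats, None));
    println!("{:?}", connect(&mut seats, &feeds, "nyc")); // cap still consumed
}
```

In this model a delete that passes `None` leaves the seat consumed, so the next connect from a covered metro fails on the cap until a delete names the feed.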

@nikw9944 nikw9944 self-assigned this Jun 30, 2026
nikw9944 added 2 commits June 30, 2026 16:13
…gate

Add a Feed account (metro→group-set catalog) managed by a catalog admin
(FEED_AUTHORITY/FOUNDATION); rework EdgeSeat into EdgeSeat(Vec<FeedSeat>);
enforce a metro gate at multicast connect (MetroMismatch); provision feeds onto
a pass via the oracle's ACCESS_PASS_ADMIN SetAccessPassFeeds instruction. CLI
'doublezero feed' verbs + Rust/Go/Python/TS SDK read support.

Refs malbeclabs/infra#1700
…Pass, guard SetAccessPassFeeds to EdgeSeat passes, document layout/ref-count
@nikw9944

Contributor Author

Superseded by a 4-PR stack for easier review (same changes, split by capability): #3953, #3954, #3955, #3956. Closing in favor of the stack.