documentation to use mycelium_network as message layer #44

New issue

Open

opened 2026-04-26 10:10:25 +00:00 by despiegk · 7 comments

despiegk commented 2026-04-26 10:10:25 +00:00

Owner

Copy link

there are features which allow us to use mycelium without tun adaptor

we need following features

• openrpc interface to talk to the messagebus for all features
• messages can be queued and organized per topic
• we can specify whitelists per topic (who can send messages)
• whitelist who is admin to manage the mycelium_network daemon e.g. specify the whitelists
• openrpc messages can be terminated to USD on local defined sockets (topic to socket) see how we do in skill /hero_sockets
• NEW: register a socket in line with /hero_sockets UDS which terminates as message on specified topic and destination (basically a proxy beteen local socket and a remote server so it works seamless)

so basically mycelium is then a swiss army knive to send openrpc messages around

document what we have and what still needs to be implemented and how we should do it best

how to test:

make e2e test where we launch 3 daemons in hero_proc
and we call them mycelium_network_test1 ...

and we boot them message bus layer allone (no tun)

then we test how we can send messages around between them
and how they can talk to each other

also we test how we can remotely manage them if we are the manager (the admin)

implementation notes for admin functionality

it might be that there is no admin functionality in there yet

if not implementit, so only whitelisted administrators (based on pub key of other mycelium node) can talk to us
for mgmt tasks

now also in _api implement socket to messages over the message bus
and termination

administrators can manage all

usecase is socket to socket

e.g.

2 nodes

• node A
• node B

on node A, there is socket ~/hero/var/sockets/hero_proc
on node B, we ask mycelium_server (engine?) to create ~/hero/var/sockets/hero_proc_remote_A

every openrpc message we now send to ~/hero/var/sockets/hero_proc_remote_A gets picked up by our mycelium node and forwarded to A where it gets terminated on hero_proc

so we basically implemented a proxy between a local socket & remote, fully seamless

the full configuration needs to be possible (B socket to openrpc message, openrpc message goes to A, there there is topic defining it where to terminate, and security mgmt)

admin UI

make sure our _ui is userfriendly so we can configure this seamless, I should be able to configure my remote endpoints from my local daemon if I am administrator of a remote node

there are features which allow us to use mycelium without tun adaptor we need following features - openrpc interface to talk to the messagebus for all features - messages can be queued and organized per topic - we can specify whitelists per topic (who can send messages) - whitelist who is admin to manage the mycelium_network daemon e.g. specify the whitelists - openrpc messages can be terminated to USD on local defined sockets (topic to socket) see how we do in skill /hero_sockets - NEW: register a socket in line with /hero_sockets UDS which terminates as message on specified topic and destination (basically a proxy beteen local socket and a remote server so it works seamless) so basically mycelium is then a swiss army knive to send openrpc messages around document what we have and what still needs to be implemented and how we should do it best ## how to test: make e2e test where we launch 3 daemons in hero_proc and we call them mycelium_network_test1 ... and we boot them message bus layer allone (no tun) then we test how we can send messages around between them and how they can talk to each other also we test how we can remotely manage them if we are the manager (the admin) ## implementation notes for admin functionality it might be that there is no admin functionality in there yet if not implementit, so only whitelisted administrators (based on pub key of other mycelium node) can talk to us for mgmt tasks now also in _api implement socket to messages over the message bus and termination administrators can manage all ## usecase is socket to socket e.g. 2 nodes - node A - node B on node A, there is socket ~/hero/var/sockets/hero_proc on node B, we ask mycelium_server (engine?) to create ~/hero/var/sockets/hero_proc_remote_A every openrpc message we now send to ~/hero/var/sockets/hero_proc_remote_A gets picked up by our mycelium node and forwarded to A where it gets terminated on hero_proc so we basically implemented a proxy between a local socket & remote, fully seamless the full configuration needs to be possible (B socket to openrpc message, openrpc message goes to A, there there is topic defining it where to terminate, and security mgmt) ## admin UI make sure our _ui is userfriendly so we can configure this seamless, I should be able to configure my remote endpoints from my local daemon if I am administrator of a remote node

despiegk added this to the now milestone 2026-04-26 10:10:27 +00:00

despiegk commented 2026-04-27 08:15:20 +00:00

Author

Owner

Copy link

Implementation Spec for Issue #44

Scope of this run: documentation + gap analysis only. No Rust changes.

Objective

Document mycelium_network's existing message-layer features and produce an unambiguous gap analysis against the asks in this issue. After this run, readers must be able to tell exactly which capabilities exist today (with code citations), which are partial, and which are missing — and what the proposed design for the missing pieces (persisted state model, admin layer, outbound socket proxy) looks like.

Requirements

• An OpenRPC interface for every message-bus feature.
• Topic-scoped queues with documented retention semantics.
• Per-topic source whitelists (who can send to a topic).
• Daemon-level admin authorization keyed off the remote node's mycelium pubkey.
• Inbound socket termination: topic message → local UDS (per /hero_sockets).
• NEW outbound feature: a local UDS that, when written to, is forwarded as a topic message to a remote node (local-socket ↔ remote-server proxy).
• 3-node e2e test plan (mycelium_network_test1..3, no TUN, message-bus only).
• Admin UI to configure remote endpoints from the local daemon when admin of the remote.
• All persistent state stored as .toml files under $MYCELIUM_STATE_DIR/, with a clean model layer.

Files to Modify/Create

• docs/messagebus.md — new, top-level "use mycelium_network as a message layer" guide. EXISTS/PARTIAL/MISSING matrix with file:line citations. Indexes the other docs.
• docs/message.md — update. Queue retention semantics (in-memory only, lost on restart), reply-correlation timeouts, limits/gaps section.
• docs/state_persistence.md — new. The model layer for everything we remember. Documents the existing DaemonState (priv_key.bin, config.toml, peers.toml) and the proposed additions: topics.toml and admin.toml. Atomic tmp+rename convention, file modes, RPC-write-through behavior.
• docs/topic_configuration.md — update. Add "Limits today" (subnet-only ACL), make clear forward_socket is inbound-only, add a "Persistence" section pointing at state_persistence.md.
• docs/admin.md — new. Section 1: existing UI-tier ADMIN_SECRETS IP whitelist. Section 2: what the issue asks for. Section 3: proposed daemon-level admin model with admin.toml, RPC surface, authorize step.
• docs/socket_proxy.md — new. Section 1: inbound forward_socket (exists). Section 2: outbound socket → topic (proposed, nested under [topics.<name>] in topics.toml). Section 3: contrast with the existing SOCKS5 proxy.rs so they aren't conflated.
• docs/e2e_messagebus_test.md — new. 3-node test plan with phases A (today), B (admin model), C (outbound proxy), D (restart persistence).
• CLAUDE.md — update. Add a "Message-bus surface" section linking to the new docs.
• README.md — update. Add the new doc paths under existing docs links.

Current State (audit summary)

• Topic messaging — EXISTS. Wire types in crates/mycelium_api/src/message.rs, engine API push_message / reply_message / get_message in crates/mycelium_engine/src/message.rs:541-700. Topic byte-string max 255 bytes. Inbox is an in-memory VecDeque<ReceivedMessage> — no on-disk persistence, lost on restart. popMessage peek/pop/timeout/topic filter exposed via OpenRPC (crates/mycelium_api/openrpc.json, dispatcher crates/mycelium_api/src/rpc.rs:277).

• Per-topic source whitelists — PARTIAL. Subnet-based whitelist fully implemented in crates/mycelium_engine/src/message/topic.rs:51-118 (TopicConfig, TopicWhitelistConfig); enforcement in crates/mycelium_engine/src/message.rs:703-728 (topic_allowed checks src: IpAddr). RPC: addTopic, removeTopic, addTopicSource, removeTopicSource, getTopicSources, getDefaultTopicAction, setDefaultTopicAction. Gap: no pubkey-based whitelist. The pubkey is available later in receive (mycelium_engine/src/message.rs:543-558) but not consulted by topic_allowed. Adding it means extending TopicWhitelistConfig with pubkeys: Vec<PublicKey> and adding RPC methods addTopicPubkeySource / removeTopicPubkeySource.

• Topic → local-socket termination (inbound) — EXISTS. TopicWhitelistConfig::forward_socket: Option<PathBuf> (crates/mycelium_engine/src/message/topic.rs:13-49); dispatcher in crates/mycelium_engine/src/message.rs:580-650 writes message data to the UDS, reads a reply with 5s timeout, sends it back via reply_message. RPC: getTopicForwardSocket, setTopicForwardSocket, removeTopicForwardSocket.

• Local-socket → remote-topic outbound proxy — MISSING. No code listens on a local UDS and forwards writes onto the message bus. grep -rn UnixListener finds only the mycelium_ui HTTP socket and the RPC UDS. Proposed: new daemon component (sibling of forward_socket in topic config) that takes (topic, dst_pubkey_or_ip, local_socket_path) and runs an accept loop; each inbound write becomes a pushMessage; replies route back to the originating UDS connection (correlate via mycelium MessageId). RPC mirror: addTopicOutboundSocket(topic, dst, path), removeTopicOutboundSocket(topic), getTopicOutboundSocket(topic). Stored on disk as a nested outbound_socket = { path, dst } field under [topics.<name>] in the proposed topics.toml.

• Admin / pubkey-based authorization — MISSING (at the daemon). MyceliumRpc trait (crates/mycelium_api/src/rpc.rs:248-377) has no auth context. UDS server (crates/mycelium_api/src/rpc/unix.rs) accepts every caller. The only existing admin gate is the UI-tier ADMIN_SECRETS IP whitelist in crates/mycelium_ui/src/admin_secrets.rs — gates which TCP clients can reach the UI, not which mycelium peers can RPC the daemon. Proposed: daemon-side admin_pubkeys: Vec<PublicKey> config (with RPC admin.list/add/remove); admin-only RPC methods routed through an authorize step that compares the caller's mycelium source pubkey to the admin set. Persisted as admin.toml in $MYCELIUM_STATE_DIR/. Pattern reference: herolib_openrpc_authorize.

• OpenRPC method surface for messages — EXISTS. crates/mycelium_api/openrpc.json and trait crates/mycelium_api/src/rpc.rs:248-330: pushMessage, popMessage, pushMessageReply, getMessageInfo, getDefaultTopicAction, setDefaultTopicAction, getTopics, addTopic, removeTopic, getTopicSources, addTopicSource, removeTopicSource, getTopicForwardSocket, setTopicForwardSocket, removeTopicForwardSocket. All gated behind the message Cargo feature. No RPC for: per-pubkey topic ACL, outbound socket forwarding, admin pubkey management.

• Persisted state — PARTIAL. Today DaemonState (crates/mycelium_daemon/src/state.rs) owns priv_key.bin (mode 0o640), config.toml and peers.toml (mode 0o644), with atomic tmp+rename writes; state dir mode 0o700. Topic config (TopicConfig in the engine) lives only in memory — every addTopic/addTopicSource/setTopicForwardSocket mutation is lost on restart. The legacy path (crates/mycelium_daemon/src/legacy_runner.rs:35-40) reads a stand-alone topic toml read-only at startup, which is not the model we want going forward.

• UI coverage — PARTIAL. Templates exist for messages and topics: crates/mycelium_ui/templates/messages.html (push/pop) and crates/mycelium_ui/templates/topics.html (default action, add topic, configure subnets, configure forward socket). The crates/mycelium_ui/templates/admin.html page configures the UI's own ADMIN_SECRETS IP list, not a daemon-level admin set. Missing UI: pubkey-based topic ACLs, outbound socket forwarding, remote-node management.

• E2E test coverage — PARTIAL. crates/mycelium_e2e/tests/two_node_linux.rs (325 lines) spins up two mycelium_server children with isolated MYCELIUM_STATE_DIR / HERO_SOCKET_DIR / TCP ports, peers them, exercises peers/routes/topics/messaging through mycelium_sdk (add_topic at line 260, push_message at line 290, pop_message at line 300). Missing: a third node, the cross-node admin-management flow, restart-persistence assertions, and any messagebus-only no-TUN three-way scenario as named in the issue.

Proposed persisted-state model layer (design only — not implemented this run)

User decision: one consolidated topics.toml + one admin.toml; reuse TopicConfig directly (no DTO); admin lives in the daemon.

$MYCELIUM_STATE_DIR/
├── priv_key.bin          (existing — mode 0o640)
├── config.toml           (existing — node config)
├── peers.toml            (existing — bootstrap peers)
├── topics.toml           ← NEW. Serialised mycelium_engine::message::topic::TopicConfig
│   • default_action      ("accept" | "reject")
│   • [topics.<name>]
│       • subnets         = [...]
│       • pubkeys         = [...]              (proposed extension)
│       • forward_socket  = "/path/to/uds"     (existing, inbound)
│       • outbound_socket = { path = "...", dst = { pk|ip = "..." } }  (proposed)
└── admin.toml            ← NEW. mycelium_daemon::AdminConfig
    • admin_pubkeys   = [...]
    • method_patterns = [...]                  (which RPC method globs require admin)

Rust shape (design only, no code in this run):

• mycelium_daemon::DaemonState grows two fields — topics: TopicConfig and admin: AdminConfig — and two save methods — save_topics(), save_admin() — mirroring the existing save_config()/save_peers() (atomic tmp+rename, mode 0o644).
• On startup, load_or_init reads each file with the existing "missing → write defaults → continue" pattern. Engine boot uses state.topics to seed its in-memory Arc<RwLock<TopicConfig>>.
• TopicConfig stays in mycelium_engine and is reused as the on-disk shape (it already derives serde) — no DTO drift.
• AdminConfig is a new type in mycelium_daemon (not the engine; admin is an RPC-authorization concern, not a routing concern).
• Every mutating RPC (addTopic, setTopicForwardSocket, addTopicPubkeySource, admin.add, etc.) updates the in-memory copy then calls state.save_*() before returning. Persist failure → return RPC error, do not leave drift.

Implementation Plan

Step 1: Author docs/messagebus.md — single entry point and gap matrix

Files: docs/messagebus.md

• Top-level overview of "use mycelium_network as a message layer."
• One capability table, columns: Capability / Status (EXISTS/PARTIAL/MISSING) / Code citations / Gap notes, derived from the audit above.
• Persistence row: lists topics.toml (proposed) and admin.toml (proposed) alongside existing config.toml / peers.toml.
• Each PARTIAL/MISSING row links to the deeper doc (admin.md, socket_proxy.md, state_persistence.md).
• "Reading order" pointing at message.md → state_persistence.md → topic_configuration.md → admin.md → socket_proxy.md → e2e_messagebus_test.md.
• Cite crates/mycelum_messagebus/message_bus_docs.md (note: the crate name is misspelled — out of scope to rename, flag it in Notes).
  Dependencies: none.

Step 2: Refresh docs/message.md

Files: docs/message.md

• Add "Queue retention" — in-memory VecDeque, no on-disk persistence (cite crates/mycelium_engine/src/message.rs:541-700).
• Add "Reply correlation and timeouts" listing DEFAULT_MESSAGE_TRY_DURATION = 300s, RETRANSMISSION_DELAY = 100ms, REPLY_SUBSCRIBER_CLEAR_DELAY = 60s, SOCKET_REPLY_TIMEOUT = 5s with citations.
• Add "Limits and gaps" listing subnet-only ACL, no on-disk message queue, no admin model, no outbound socket forwarding. Each linked to messagebus.md.
• Cross-link to state_persistence.md, topic_configuration.md, admin.md, socket_proxy.md.
  Dependencies: Step 1.

Step 2a: Author docs/state_persistence.md — the model layer

Files: docs/state_persistence.md

• Section 1 "Today": directory layout under $MYCELIUM_STATE_DIR/, files and modes (priv_key.bin 0o640, config/peers.toml 0o644, dir 0o700), atomic tmp+rename pattern (cite crates/mycelium_daemon/src/state.rs:140-213). Make explicit: topic config is NOT persisted today — every RPC mutation is lost on restart.
• Section 2 "Proposed": directory tree shown above, with one-paragraph rationale per file.
• Section 3 "Model layer (Rust)": DaemonState extension shape, AdminConfig location, "RPC writes through to disk" rule, atomic-write reuse, error contract on persist failure. Design only — no code in this run.
• Section 4 "Why one topics.toml and not many": topic name is the natural primary key; subnet/pubkey ACL, inbound forward_socket, and outbound socket all hang off the same topic.
• Section 5 "Why reuse engine TopicConfig and not a DTO": already serde-derived; eliminates drift; engine stays the source of truth for the wire shape.
• Section 6 "Why admin lives in the daemon, not the engine": admin is an RPC-authorization concern; engine stays unaware (matches herolib_openrpc_authorize).
• Cross-link to admin.md, socket_proxy.md, topic_configuration.md.
  Dependencies: Step 1.

Step 3: Update docs/topic_configuration.md

Files: docs/topic_configuration.md

• Add "Limits today" callout: ACL is subnet-only (cite crates/mycelium_engine/src/message/topic.rs:13-49 and crates/mycelium_engine/src/message.rs:703-728).
• Make clear forward_socket is inbound-only (topic → local UDS); point at socket_proxy.md for the proposed outbound mirror.
• Add "Persistence" section pointing at state_persistence.md and stating that topic config is not persisted today; all mutations are lost on restart.
• Tidy stray triple-backticks at lines 81 and 110 while editing.
• Cross-link messagebus.md, socket_proxy.md, state_persistence.md.
  Dependencies: Step 1, Step 2a.

Step 4: Author docs/admin.md

Files: docs/admin.md

• Section 1 "What exists today": UI-tier ADMIN_SECRETS IP whitelist (cite crates/mycelium_ui/src/admin_secrets.rs:1-60 and crates/mycelium_ui/src/main.rs:41,98-107). Make explicit: UI-only, has nothing to do with mycelium pubkeys, daemon RPC is unauthenticated.
• Section 2 "What the issue asks for": daemon-level admin keyed off remote node's mycelium pubkey, admin-only RPC methods.
• Section 3 "Proposed design (NOT IMPLEMENTED)": admin set persisted in $MYCELIUM_STATE_DIR/admin.toml; mycelium_daemon::AdminConfig; RPC admin.list / admin.add / admin.remove; authorize step in dispatcher; identity surfaced for message-bus-arrived requests via source pubkey on ReceivedMessage; "implicit local admin" for the local UDS. Reference herolib_openrpc_authorize.
• Section 4 "Out of scope for this run": no Rust changes here.
  Dependencies: Step 1, Step 2a.

Step 5: Author docs/socket_proxy.md

Files: docs/socket_proxy.md

• Section 1 "Inbound (EXISTS)": full description of forward_socket — RPC names, engine flow, timeouts. Cite crates/mycelium_engine/src/message.rs:580-650, crates/mycelium_engine/src/message/topic.rs:13-49, crates/mycelium_api/src/rpc.rs:318-330.
• Section 2 "Outbound (MISSING) — proposed design": local UDS → topic message to remote pubkey. Document (a) on-disk shape outbound_socket = { path = "...", dst = { pk = "..." | ip = "..." } } nested under [topics.<name>] in the proposed topics.toml (cross-link state_persistence.md), (b) RPC surface addTopicOutboundSocket / removeTopicOutboundSocket / getTopicOutboundSocket, (c) lifecycle (one accept loop per configured outbound socket; per-connection mapping of mycelium MessageId → local stream for reply routing), (d) error behavior. No Rust.
• Section 3 "Why not reuse the existing SOCKS5 proxy.rs": one-paragraph contrast — crates/mycelium_engine/src/proxy.rs is a SOCKS5 TCP forwarder, not the requested per-topic UDS feature; cite docs/proxy.md.
  Dependencies: Step 1, Step 2a, Step 3.

Step 6: Author docs/e2e_messagebus_test.md

Files: docs/e2e_messagebus_test.md

• Topology: three nodes mycelium_network_test1..3, no_tun = true, isolated state dirs/socket dirs/TCP ports (cite crates/mycelium_e2e/tests/two_node_linux.rs:62-77).
• Phase A (today): two-way pushMessage/popMessage round-trip across all three pairs; topic add + subnet whitelist over RPC.
• Phase B (DEPENDS ON ADMIN MODEL): node 1 admin of node 3, issues setTopicForwardSocket against node 3 over the message bus, node 3 enforces.
• Phase C (DEPENDS ON OUTBOUND PROXY): node 1 writes to a configured local UDS, bytes arrive at node 3's inbound forward_socket for the matching topic, node 3 echoes, node 1 reads the reply on its UDS.
• Phase D (DEPENDS ON PERSISTENCE): kill and restart node 3; verify topic ACLs, admin set, and outbound-socket configs survive (read from topics.toml / admin.toml).
• For each phase, list exact mycelium_sdk calls and assertion shape, mirroring the structure of the two-node test. No Rust written.
  Dependencies: Step 2a, Step 4, Step 5.

Step 7: Cross-link from CLAUDE.md and README.md

Files: CLAUDE.md, README.md

• CLAUDE.md: short "Message-bus surface" section after "Hero Socket Compliance", linking to docs/messagebus.md, docs/state_persistence.md, docs/admin.md, docs/socket_proxy.md, docs/e2e_messagebus_test.md.
• README.md: add the four new doc paths under existing docs links.
  Dependencies: all prior steps.

Acceptance Criteria

• docs/messagebus.md exists with an EXISTS/PARTIAL/MISSING table for every issue capability and at least one crates/...:line citation per "EXISTS"/"PARTIAL" row.
• No new doc claims a feature is implemented unless a real file:line is cited; every "proposed" section is labelled NOT IMPLEMENTED and references this issue.
• docs/state_persistence.md lists every remembered item, distinguishes existing files (config.toml, peers.toml, priv_key.bin) from proposed (topics.toml, admin.toml), shows the proposed DaemonState shape, and explains why one topics.toml and why admin lives in the daemon.
• docs/topic_configuration.md makes clear ACL is subnet-only and forward_socket is inbound-only, and points at state_persistence.md for the persistence story.
• docs/admin.md distinguishes UI-tier ADMIN_SECRETS from the proposed daemon-level pubkey admin model persisted in admin.toml.
• docs/socket_proxy.md documents inbound (existing) and outbound (proposed nested under topics.toml), and disambiguates from the SOCKS5 proxy.
• docs/e2e_messagebus_test.md lists phases A–D with explicit dependencies, including a restart-persistence phase.
• CLAUDE.md and README.md link to the new docs.
• No Rust source files have been touched.

Notes

• The existing crates/mycelum_messagebus/message_bus_docs.md is internal design notes and remains authoritative for the current engine surface; the new top-level docs/messagebus.md is broader (covers admin, persistence, outbound proxy too).
• The crate path crates/mycelum_messagebus/ is misspelled (should be mycelium_*). Out of scope for this run; flagged for a follow-up.
• docs/message.md:74 already states that messages received with no listener are queued — the doc should be sharper that this is in-memory only, lost on restart.
• Step 5's outbound design intentionally lives next to forward_socket in the topic config so inbound and outbound share one mental model; persistence is one consolidated topics.toml, not split.
• All new docs use crates/<crate>/<path>:<line> citations so a future implementer can grep straight to the spot.

## Implementation Spec for Issue #44 **Scope of this run: documentation + gap analysis only. No Rust changes.** ### Objective Document mycelium_network's existing message-layer features and produce an unambiguous gap analysis against the asks in this issue. After this run, readers must be able to tell exactly which capabilities exist today (with code citations), which are partial, and which are missing — and what the proposed design for the missing pieces (persisted state model, admin layer, outbound socket proxy) looks like. ### Requirements - An OpenRPC interface for every message-bus feature. - Topic-scoped queues with documented retention semantics. - Per-topic source whitelists (who can send to a topic). - Daemon-level admin authorization keyed off the **remote node's mycelium pubkey**. - Inbound socket termination: topic message → local UDS (per `/hero_sockets`). - **NEW** outbound feature: a local UDS that, when written to, is forwarded as a topic message to a remote node (local-socket ↔ remote-server proxy). - 3-node e2e test plan (`mycelium_network_test1..3`, no TUN, message-bus only). - Admin UI to configure remote endpoints from the local daemon when admin of the remote. - All persistent state stored as `.toml` files under `$MYCELIUM_STATE_DIR/`, with a clean model layer. ### Files to Modify/Create - `docs/messagebus.md` — **new**, top-level "use mycelium_network as a message layer" guide. EXISTS/PARTIAL/MISSING matrix with file:line citations. Indexes the other docs. - `docs/message.md` — **update**. Queue retention semantics (in-memory only, lost on restart), reply-correlation timeouts, limits/gaps section. - `docs/state_persistence.md` — **new**. The model layer for everything we remember. Documents the existing `DaemonState` (priv_key.bin, config.toml, peers.toml) and the proposed additions: `topics.toml` and `admin.toml`. Atomic tmp+rename convention, file modes, RPC-write-through behavior. - `docs/topic_configuration.md` — **update**. Add "Limits today" (subnet-only ACL), make clear `forward_socket` is inbound-only, add a "Persistence" section pointing at `state_persistence.md`. - `docs/admin.md` — **new**. Section 1: existing UI-tier `ADMIN_SECRETS` IP whitelist. Section 2: what the issue asks for. Section 3: proposed daemon-level admin model with `admin.toml`, RPC surface, authorize step. - `docs/socket_proxy.md` — **new**. Section 1: inbound `forward_socket` (exists). Section 2: outbound socket → topic (proposed, nested under `[topics.<name>]` in `topics.toml`). Section 3: contrast with the existing SOCKS5 `proxy.rs` so they aren't conflated. - `docs/e2e_messagebus_test.md` — **new**. 3-node test plan with phases A (today), B (admin model), C (outbound proxy), D (restart persistence). - `CLAUDE.md` — **update**. Add a "Message-bus surface" section linking to the new docs. - `README.md` — **update**. Add the new doc paths under existing docs links. ### Current State (audit summary) - **Topic messaging — EXISTS.** Wire types in `crates/mycelium_api/src/message.rs`, engine API `push_message` / `reply_message` / `get_message` in `crates/mycelium_engine/src/message.rs:541-700`. Topic byte-string max 255 bytes. Inbox is an in-memory `VecDeque<ReceivedMessage>` — **no on-disk persistence, lost on restart**. `popMessage` peek/pop/timeout/topic filter exposed via OpenRPC (`crates/mycelium_api/openrpc.json`, dispatcher `crates/mycelium_api/src/rpc.rs:277`). - **Per-topic source whitelists — PARTIAL.** Subnet-based whitelist fully implemented in `crates/mycelium_engine/src/message/topic.rs:51-118` (`TopicConfig`, `TopicWhitelistConfig`); enforcement in `crates/mycelium_engine/src/message.rs:703-728` (`topic_allowed` checks `src: IpAddr`). RPC: `addTopic`, `removeTopic`, `addTopicSource`, `removeTopicSource`, `getTopicSources`, `getDefaultTopicAction`, `setDefaultTopicAction`. **Gap:** no pubkey-based whitelist. The pubkey is available later in receive (`mycelium_engine/src/message.rs:543-558`) but not consulted by `topic_allowed`. Adding it means extending `TopicWhitelistConfig` with `pubkeys: Vec<PublicKey>` and adding RPC methods `addTopicPubkeySource` / `removeTopicPubkeySource`. - **Topic → local-socket termination (inbound) — EXISTS.** `TopicWhitelistConfig::forward_socket: Option<PathBuf>` (`crates/mycelium_engine/src/message/topic.rs:13-49`); dispatcher in `crates/mycelium_engine/src/message.rs:580-650` writes message data to the UDS, reads a reply with 5s timeout, sends it back via `reply_message`. RPC: `getTopicForwardSocket`, `setTopicForwardSocket`, `removeTopicForwardSocket`. - **Local-socket → remote-topic outbound proxy — MISSING.** No code listens on a local UDS and forwards writes onto the message bus. `grep -rn UnixListener` finds only the `mycelium_ui` HTTP socket and the RPC UDS. **Proposed:** new daemon component (sibling of `forward_socket` in topic config) that takes `(topic, dst_pubkey_or_ip, local_socket_path)` and runs an accept loop; each inbound write becomes a `pushMessage`; replies route back to the originating UDS connection (correlate via mycelium `MessageId`). RPC mirror: `addTopicOutboundSocket(topic, dst, path)`, `removeTopicOutboundSocket(topic)`, `getTopicOutboundSocket(topic)`. Stored on disk as a nested `outbound_socket = { path, dst }` field under `[topics.<name>]` in the proposed `topics.toml`. - **Admin / pubkey-based authorization — MISSING (at the daemon).** `MyceliumRpc` trait (`crates/mycelium_api/src/rpc.rs:248-377`) has no auth context. UDS server (`crates/mycelium_api/src/rpc/unix.rs`) accepts every caller. The only existing admin gate is the **UI-tier** `ADMIN_SECRETS` IP whitelist in `crates/mycelium_ui/src/admin_secrets.rs` — gates which TCP clients can reach the UI, **not** which mycelium peers can RPC the daemon. **Proposed:** daemon-side `admin_pubkeys: Vec<PublicKey>` config (with RPC `admin.list/add/remove`); admin-only RPC methods routed through an authorize step that compares the caller's mycelium source pubkey to the admin set. Persisted as `admin.toml` in `$MYCELIUM_STATE_DIR/`. Pattern reference: `herolib_openrpc_authorize`. - **OpenRPC method surface for messages — EXISTS.** `crates/mycelium_api/openrpc.json` and trait `crates/mycelium_api/src/rpc.rs:248-330`: `pushMessage`, `popMessage`, `pushMessageReply`, `getMessageInfo`, `getDefaultTopicAction`, `setDefaultTopicAction`, `getTopics`, `addTopic`, `removeTopic`, `getTopicSources`, `addTopicSource`, `removeTopicSource`, `getTopicForwardSocket`, `setTopicForwardSocket`, `removeTopicForwardSocket`. All gated behind the `message` Cargo feature. **No** RPC for: per-pubkey topic ACL, outbound socket forwarding, admin pubkey management. - **Persisted state — PARTIAL.** Today `DaemonState` (`crates/mycelium_daemon/src/state.rs`) owns `priv_key.bin` (mode 0o640), `config.toml` and `peers.toml` (mode 0o644), with atomic tmp+rename writes; state dir mode 0o700. Topic config (`TopicConfig` in the engine) lives **only in memory** — every `addTopic`/`addTopicSource`/`setTopicForwardSocket` mutation is lost on restart. The legacy path (`crates/mycelium_daemon/src/legacy_runner.rs:35-40`) reads a stand-alone topic toml read-only at startup, which is not the model we want going forward. - **UI coverage — PARTIAL.** Templates exist for messages and topics: `crates/mycelium_ui/templates/messages.html` (push/pop) and `crates/mycelium_ui/templates/topics.html` (default action, add topic, configure subnets, configure forward socket). The `crates/mycelium_ui/templates/admin.html` page configures the **UI's own** `ADMIN_SECRETS` IP list, not a daemon-level admin set. **Missing UI:** pubkey-based topic ACLs, outbound socket forwarding, remote-node management. - **E2E test coverage — PARTIAL.** `crates/mycelium_e2e/tests/two_node_linux.rs` (325 lines) spins up two `mycelium_server` children with isolated `MYCELIUM_STATE_DIR` / `HERO_SOCKET_DIR` / TCP ports, peers them, exercises peers/routes/topics/messaging through `mycelium_sdk` (`add_topic` at line 260, `push_message` at line 290, `pop_message` at line 300). **Missing:** a third node, the cross-node admin-management flow, restart-persistence assertions, and any messagebus-only no-TUN three-way scenario as named in the issue. ### Proposed persisted-state model layer (design only — not implemented this run) User decision: one consolidated `topics.toml` + one `admin.toml`; reuse `TopicConfig` directly (no DTO); admin lives in the daemon. ``` $MYCELIUM_STATE_DIR/ ├── priv_key.bin (existing — mode 0o640) ├── config.toml (existing — node config) ├── peers.toml (existing — bootstrap peers) ├── topics.toml ← NEW. Serialised mycelium_engine::message::topic::TopicConfig │ • default_action ("accept" | "reject") │ • [topics.<name>] │ • subnets = [...] │ • pubkeys = [...] (proposed extension) │ • forward_socket = "/path/to/uds" (existing, inbound) │ • outbound_socket = { path = "...", dst = { pk|ip = "..." } } (proposed) └── admin.toml ← NEW. mycelium_daemon::AdminConfig • admin_pubkeys = [...] • method_patterns = [...] (which RPC method globs require admin) ``` Rust shape (design only, no code in this run): - `mycelium_daemon::DaemonState` grows two fields — `topics: TopicConfig` and `admin: AdminConfig` — and two save methods — `save_topics()`, `save_admin()` — mirroring the existing `save_config()`/`save_peers()` (atomic tmp+rename, mode 0o644). - On startup, `load_or_init` reads each file with the existing "missing → write defaults → continue" pattern. Engine boot uses `state.topics` to seed its in-memory `Arc<RwLock<TopicConfig>>`. - `TopicConfig` stays in `mycelium_engine` and is reused as the on-disk shape (it already derives serde) — no DTO drift. - `AdminConfig` is a new type in `mycelium_daemon` (not the engine; admin is an RPC-authorization concern, not a routing concern). - Every mutating RPC (`addTopic`, `setTopicForwardSocket`, `addTopicPubkeySource`, `admin.add`, etc.) updates the in-memory copy **then** calls `state.save_*()` before returning. Persist failure → return RPC error, do not leave drift. ### Implementation Plan #### Step 1: Author `docs/messagebus.md` — single entry point and gap matrix Files: `docs/messagebus.md` - Top-level overview of "use mycelium_network as a message layer." - One capability table, columns: *Capability / Status (EXISTS/PARTIAL/MISSING) / Code citations / Gap notes*, derived from the audit above. - Persistence row: lists `topics.toml` (proposed) and `admin.toml` (proposed) alongside existing `config.toml` / `peers.toml`. - Each PARTIAL/MISSING row links to the deeper doc (`admin.md`, `socket_proxy.md`, `state_persistence.md`). - "Reading order" pointing at `message.md` → `state_persistence.md` → `topic_configuration.md` → `admin.md` → `socket_proxy.md` → `e2e_messagebus_test.md`. - Cite `crates/mycelum_messagebus/message_bus_docs.md` (note: the crate name is misspelled — out of scope to rename, flag it in Notes). Dependencies: none. #### Step 2: Refresh `docs/message.md` Files: `docs/message.md` - Add "Queue retention" — in-memory `VecDeque`, no on-disk persistence (cite `crates/mycelium_engine/src/message.rs:541-700`). - Add "Reply correlation and timeouts" listing `DEFAULT_MESSAGE_TRY_DURATION = 300s`, `RETRANSMISSION_DELAY = 100ms`, `REPLY_SUBSCRIBER_CLEAR_DELAY = 60s`, `SOCKET_REPLY_TIMEOUT = 5s` with citations. - Add "Limits and gaps" listing subnet-only ACL, no on-disk message queue, no admin model, no outbound socket forwarding. Each linked to `messagebus.md`. - Cross-link to `state_persistence.md`, `topic_configuration.md`, `admin.md`, `socket_proxy.md`. Dependencies: Step 1. #### Step 2a: Author `docs/state_persistence.md` — the model layer Files: `docs/state_persistence.md` - Section 1 "Today": directory layout under `$MYCELIUM_STATE_DIR/`, files and modes (priv_key.bin 0o640, config/peers.toml 0o644, dir 0o700), atomic tmp+rename pattern (cite `crates/mycelium_daemon/src/state.rs:140-213`). Make explicit: topic config is **NOT** persisted today — every RPC mutation is lost on restart. - Section 2 "Proposed": directory tree shown above, with one-paragraph rationale per file. - Section 3 "Model layer (Rust)": `DaemonState` extension shape, `AdminConfig` location, "RPC writes through to disk" rule, atomic-write reuse, error contract on persist failure. **Design only — no code in this run.** - Section 4 "Why one `topics.toml` and not many": topic name is the natural primary key; subnet/pubkey ACL, inbound `forward_socket`, and outbound socket all hang off the same topic. - Section 5 "Why reuse engine `TopicConfig` and not a DTO": already serde-derived; eliminates drift; engine stays the source of truth for the wire shape. - Section 6 "Why admin lives in the daemon, not the engine": admin is an RPC-authorization concern; engine stays unaware (matches `herolib_openrpc_authorize`). - Cross-link to `admin.md`, `socket_proxy.md`, `topic_configuration.md`. Dependencies: Step 1. #### Step 3: Update `docs/topic_configuration.md` Files: `docs/topic_configuration.md` - Add "Limits today" callout: ACL is subnet-only (cite `crates/mycelium_engine/src/message/topic.rs:13-49` and `crates/mycelium_engine/src/message.rs:703-728`). - Make clear `forward_socket` is **inbound-only** (topic → local UDS); point at `socket_proxy.md` for the proposed outbound mirror. - Add "Persistence" section pointing at `state_persistence.md` and stating that topic config is **not** persisted today; all mutations are lost on restart. - Tidy stray triple-backticks at lines 81 and 110 while editing. - Cross-link `messagebus.md`, `socket_proxy.md`, `state_persistence.md`. Dependencies: Step 1, Step 2a. #### Step 4: Author `docs/admin.md` Files: `docs/admin.md` - Section 1 "What exists today": UI-tier `ADMIN_SECRETS` IP whitelist (cite `crates/mycelium_ui/src/admin_secrets.rs:1-60` and `crates/mycelium_ui/src/main.rs:41,98-107`). Make explicit: UI-only, has nothing to do with mycelium pubkeys, daemon RPC is unauthenticated. - Section 2 "What the issue asks for": daemon-level admin keyed off remote node's mycelium pubkey, admin-only RPC methods. - Section 3 "Proposed design (NOT IMPLEMENTED)": admin set persisted in `$MYCELIUM_STATE_DIR/admin.toml`; `mycelium_daemon::AdminConfig`; RPC `admin.list / admin.add / admin.remove`; authorize step in dispatcher; identity surfaced for message-bus-arrived requests via source pubkey on `ReceivedMessage`; "implicit local admin" for the local UDS. Reference `herolib_openrpc_authorize`. - Section 4 "Out of scope for this run": no Rust changes here. Dependencies: Step 1, Step 2a. #### Step 5: Author `docs/socket_proxy.md` Files: `docs/socket_proxy.md` - Section 1 "Inbound (EXISTS)": full description of `forward_socket` — RPC names, engine flow, timeouts. Cite `crates/mycelium_engine/src/message.rs:580-650`, `crates/mycelium_engine/src/message/topic.rs:13-49`, `crates/mycelium_api/src/rpc.rs:318-330`. - Section 2 "Outbound (MISSING) — proposed design": local UDS → topic message to remote pubkey. Document (a) on-disk shape `outbound_socket = { path = "...", dst = { pk = "..." | ip = "..." } }` nested under `[topics.<name>]` in the proposed `topics.toml` (cross-link `state_persistence.md`), (b) RPC surface `addTopicOutboundSocket` / `removeTopicOutboundSocket` / `getTopicOutboundSocket`, (c) lifecycle (one accept loop per configured outbound socket; per-connection mapping of mycelium `MessageId` → local stream for reply routing), (d) error behavior. **No Rust.** - Section 3 "Why not reuse the existing SOCKS5 `proxy.rs`": one-paragraph contrast — `crates/mycelium_engine/src/proxy.rs` is a SOCKS5 TCP forwarder, not the requested per-topic UDS feature; cite `docs/proxy.md`. Dependencies: Step 1, Step 2a, Step 3. #### Step 6: Author `docs/e2e_messagebus_test.md` Files: `docs/e2e_messagebus_test.md` - Topology: three nodes `mycelium_network_test1..3`, `no_tun = true`, isolated state dirs/socket dirs/TCP ports (cite `crates/mycelium_e2e/tests/two_node_linux.rs:62-77`). - Phase A (today): two-way `pushMessage`/`popMessage` round-trip across all three pairs; topic add + subnet whitelist over RPC. - Phase B (DEPENDS ON ADMIN MODEL): node 1 admin of node 3, issues `setTopicForwardSocket` against node 3 over the message bus, node 3 enforces. - Phase C (DEPENDS ON OUTBOUND PROXY): node 1 writes to a configured local UDS, bytes arrive at node 3's inbound `forward_socket` for the matching topic, node 3 echoes, node 1 reads the reply on its UDS. - Phase D (DEPENDS ON PERSISTENCE): kill and restart node 3; verify topic ACLs, admin set, and outbound-socket configs survive (read from `topics.toml` / `admin.toml`). - For each phase, list exact `mycelium_sdk` calls and assertion shape, mirroring the structure of the two-node test. **No Rust written.** Dependencies: Step 2a, Step 4, Step 5. #### Step 7: Cross-link from `CLAUDE.md` and `README.md` Files: `CLAUDE.md`, `README.md` - `CLAUDE.md`: short "Message-bus surface" section after "Hero Socket Compliance", linking to `docs/messagebus.md`, `docs/state_persistence.md`, `docs/admin.md`, `docs/socket_proxy.md`, `docs/e2e_messagebus_test.md`. - `README.md`: add the four new doc paths under existing docs links. Dependencies: all prior steps. ### Acceptance Criteria - [ ] `docs/messagebus.md` exists with an EXISTS/PARTIAL/MISSING table for every issue capability and at least one `crates/...:line` citation per "EXISTS"/"PARTIAL" row. - [ ] No new doc claims a feature is implemented unless a real file:line is cited; every "proposed" section is labelled NOT IMPLEMENTED and references this issue. - [ ] `docs/state_persistence.md` lists every remembered item, distinguishes existing files (`config.toml`, `peers.toml`, `priv_key.bin`) from proposed (`topics.toml`, `admin.toml`), shows the proposed `DaemonState` shape, and explains why one `topics.toml` and why admin lives in the daemon. - [ ] `docs/topic_configuration.md` makes clear ACL is subnet-only and `forward_socket` is inbound-only, and points at `state_persistence.md` for the persistence story. - [ ] `docs/admin.md` distinguishes UI-tier `ADMIN_SECRETS` from the proposed daemon-level pubkey admin model persisted in `admin.toml`. - [ ] `docs/socket_proxy.md` documents inbound (existing) and outbound (proposed nested under `topics.toml`), and disambiguates from the SOCKS5 proxy. - [ ] `docs/e2e_messagebus_test.md` lists phases A–D with explicit dependencies, including a restart-persistence phase. - [ ] `CLAUDE.md` and `README.md` link to the new docs. - [ ] No Rust source files have been touched. ### Notes - The existing `crates/mycelum_messagebus/message_bus_docs.md` is internal design notes and remains authoritative for the current engine surface; the new top-level `docs/messagebus.md` is broader (covers admin, persistence, outbound proxy too). - The crate path `crates/mycelum_messagebus/` is misspelled (should be `mycelium_*`). Out of scope for this run; flagged for a follow-up. - `docs/message.md:74` already states that messages received with no listener are queued — the doc should be sharper that this is in-memory only, lost on restart. - Step 5's outbound design intentionally lives next to `forward_socket` in the topic config so inbound and outbound share one mental model; persistence is one consolidated `topics.toml`, not split. - All new docs use `crates/<crate>/<path>:<line>` citations so a future implementer can grep straight to the spot.

despiegk commented 2026-04-27 08:17:43 +00:00

Author

Owner

Copy link

Implementation Spec for Issue #44

Scope of this run: documentation + gap analysis only. No Rust changes.

Objective

Document mycelium_network's existing message-layer features and produce an unambiguous gap analysis against the asks in this issue. After this run, readers must be able to tell exactly which capabilities exist today (with code citations), which are partial, and which are missing — and what the proposed design for the missing pieces (persisted state model, admin layer, outbound socket proxy) looks like.

Requirements

• An OpenRPC interface for every message-bus feature.
• Topic-scoped queues with documented retention semantics.
• Per-topic source whitelists (who can send to a topic).
• Daemon-level admin authorization keyed off the remote node's mycelium pubkey.
• Inbound socket termination: topic message → local UDS (per /hero_sockets).
• NEW outbound feature: a local UDS that, when written to, is forwarded as a topic message to a remote node (local-socket ↔ remote-server proxy).
• 3-node e2e test plan (mycelium_network_test1..3, no TUN, message-bus only).
• Admin UI to configure remote endpoints from the local daemon when admin of the remote.
• All persistent state stored as .toml files under $MYCELIUM_STATE_DIR/, with a clean model layer.

Files to Modify/Create

• docs/messagebus.md — new, top-level "use mycelium_network as a message layer" guide. EXISTS/PARTIAL/MISSING matrix with file:line citations. Indexes the other docs.
• docs/message.md — update. Queue retention semantics (in-memory only, lost on restart), reply-correlation timeouts, limits/gaps section.
• docs/state_persistence.md — new. The model layer for everything we remember. Documents the existing DaemonState (priv_key.bin, config.toml, peers.toml) and the proposed additions: topics.toml and admin.toml. Atomic tmp+rename convention, file modes, RPC-write-through behavior.
• docs/topic_configuration.md — update. Add "Limits today" (subnet-only ACL), make clear forward_socket is inbound-only, add a "Persistence" section pointing at state_persistence.md.
• docs/admin.md — new. Section 1: existing UI-tier ADMIN_SECRETS IP whitelist. Section 2: what the issue asks for. Section 3: proposed daemon-level admin model with admin.toml, RPC surface, authorize step.
• docs/socket_proxy.md — new. Section 1: inbound forward_socket (exists). Section 2: outbound socket → topic (proposed, nested under [topics.<name>] in topics.toml). Section 3: contrast with the existing SOCKS5 proxy.rs so they aren't conflated.
• docs/e2e_messagebus_test.md — new. 3-node test plan with phases A (today), B (admin model), C (outbound proxy), D (restart persistence).
• CLAUDE.md — update. Add a "Message-bus surface" section linking to the new docs.
• README.md — update. Add the new doc paths under existing docs links.

Current State (audit summary)

• Topic messaging — EXISTS. Wire types in crates/mycelium_api/src/message.rs, engine API push_message / reply_message / get_message in crates/mycelium_engine/src/message.rs:541-700. Topic byte-string max 255 bytes. Inbox is an in-memory VecDeque<ReceivedMessage> — no on-disk persistence, lost on restart. popMessage peek/pop/timeout/topic filter exposed via OpenRPC (crates/mycelium_api/openrpc.json, dispatcher crates/mycelium_api/src/rpc.rs:277).

• Per-topic source whitelists — PARTIAL. Subnet-based whitelist fully implemented in crates/mycelium_engine/src/message/topic.rs:51-118 (TopicConfig, TopicWhitelistConfig); enforcement in crates/mycelium_engine/src/message.rs:703-728 (topic_allowed checks src: IpAddr). RPC: addTopic, removeTopic, addTopicSource, removeTopicSource, getTopicSources, getDefaultTopicAction, setDefaultTopicAction. Gap: no pubkey-based whitelist. The pubkey is available later in receive (mycelium_engine/src/message.rs:543-558) but not consulted by topic_allowed. Adding it means extending TopicWhitelistConfig with pubkeys: Vec<PublicKey> and adding RPC methods addTopicPubkeySource / removeTopicPubkeySource.

• Topic → local-socket termination (inbound) — EXISTS. TopicWhitelistConfig::forward_socket: Option<PathBuf> (crates/mycelium_engine/src/message/topic.rs:13-49); dispatcher in crates/mycelium_engine/src/message.rs:580-650 writes message data to the UDS, reads a reply with 5s timeout, sends it back via reply_message. RPC: getTopicForwardSocket, setTopicForwardSocket, removeTopicForwardSocket.

• Local-socket → remote-topic outbound proxy — MISSING. No code listens on a local UDS and forwards writes onto the message bus. grep -rn UnixListener finds only the mycelium_ui HTTP socket and the RPC UDS. Proposed: new daemon component (sibling of forward_socket in topic config) that takes (topic, dst_pubkey_or_ip, local_socket_path) and runs an accept loop; each inbound write becomes a pushMessage; replies route back to the originating UDS connection (correlate via mycelium MessageId). RPC mirror: addTopicOutboundSocket(topic, dst, path), removeTopicOutboundSocket(topic), getTopicOutboundSocket(topic). Stored on disk as a nested outbound_socket = { path, dst } field under [topics.<name>] in the proposed topics.toml.

• Admin / pubkey-based authorization — MISSING (at the daemon). MyceliumRpc trait (crates/mycelium_api/src/rpc.rs:248-377) has no auth context. UDS server (crates/mycelium_api/src/rpc/unix.rs) accepts every caller. The only existing admin gate is the UI-tier ADMIN_SECRETS IP whitelist in crates/mycelium_ui/src/admin_secrets.rs — gates which TCP clients can reach the UI, not which mycelium peers can RPC the daemon. Proposed: daemon-side admin_pubkeys: Vec<PublicKey> config (with RPC admin.list/add/remove); admin-only RPC methods routed through an authorize step that compares the caller's mycelium source pubkey to the admin set. Persisted as admin.toml in $MYCELIUM_STATE_DIR/. Pattern reference: herolib_openrpc_authorize.

• OpenRPC method surface for messages — EXISTS. crates/mycelium_api/openrpc.json and trait crates/mycelium_api/src/rpc.rs:248-330: pushMessage, popMessage, pushMessageReply, getMessageInfo, getDefaultTopicAction, setDefaultTopicAction, getTopics, addTopic, removeTopic, getTopicSources, addTopicSource, removeTopicSource, getTopicForwardSocket, setTopicForwardSocket, removeTopicForwardSocket. All gated behind the message Cargo feature. No RPC for: per-pubkey topic ACL, outbound socket forwarding, admin pubkey management.

• Persisted state — PARTIAL. Today DaemonState (crates/mycelium_daemon/src/state.rs) owns priv_key.bin (mode 0o640), config.toml and peers.toml (mode 0o644), with atomic tmp+rename writes; state dir mode 0o700. Topic config (TopicConfig in the engine) lives only in memory — every addTopic/addTopicSource/setTopicForwardSocket mutation is lost on restart. The legacy path (crates/mycelium_daemon/src/legacy_runner.rs:35-40) reads a stand-alone topic toml read-only at startup, which is not the model we want going forward.

• UI coverage — PARTIAL. Templates exist for messages and topics: crates/mycelium_ui/templates/messages.html (push/pop) and crates/mycelium_ui/templates/topics.html (default action, add topic, configure subnets, configure forward socket). The crates/mycelium_ui/templates/admin.html page configures the UI's own ADMIN_SECRETS IP list, not a daemon-level admin set. Missing UI: pubkey-based topic ACLs, outbound socket forwarding, remote-node management.

• E2E test coverage — PARTIAL. crates/mycelium_e2e/tests/two_node_linux.rs (325 lines) spins up two mycelium_server children with isolated MYCELIUM_STATE_DIR / HERO_SOCKET_DIR / TCP ports, peers them, exercises peers/routes/topics/messaging through mycelium_sdk (add_topic at line 260, push_message at line 290, pop_message at line 300). Missing: a third node, the cross-node admin-management flow, restart-persistence assertions, and any messagebus-only no-TUN three-way scenario as named in the issue.

Proposed persisted-state model layer (design only — not implemented this run)

User decision: one consolidated topics.toml + one admin.toml; reuse TopicConfig directly (no DTO); admin lives in the daemon.

$MYCELIUM_STATE_DIR/
├── priv_key.bin          (existing — mode 0o640)
├── config.toml           (existing — node config)
├── peers.toml            (existing — bootstrap peers)
├── topics.toml           ← NEW. Serialised mycelium_engine::message::topic::TopicConfig
│   • default_action      ("accept" | "reject")
│   • [topics.<name>]
│       • subnets         = [...]
│       • pubkeys         = [...]              (proposed extension)
│       • forward_socket  = "/path/to/uds"     (existing, inbound)
│       • outbound_socket = { path = "...", dst = { pk|ip = "..." } }  (proposed)
└── admin.toml            ← NEW. mycelium_daemon::AdminConfig
    • admin_pubkeys   = [...]
    • method_patterns = [...]                  (which RPC method globs require admin)

Rust shape (design only, no code in this run):

• mycelium_daemon::DaemonState grows two fields — topics: TopicConfig and admin: AdminConfig — and two save methods — save_topics(), save_admin() — mirroring the existing save_config()/save_peers() (atomic tmp+rename, mode 0o644).
• On startup, load_or_init reads each file with the existing "missing → write defaults → continue" pattern. Engine boot uses state.topics to seed its in-memory Arc<RwLock<TopicConfig>>.
• TopicConfig stays in mycelium_engine and is reused as the on-disk shape (it already derives serde) — no DTO drift.
• AdminConfig is a new type in mycelium_daemon (not the engine; admin is an RPC-authorization concern, not a routing concern).
• Every mutating RPC (addTopic, setTopicForwardSocket, addTopicPubkeySource, admin.add, etc.) updates the in-memory copy then calls state.save_*() before returning. Persist failure → return RPC error, do not leave drift.

Implementation Plan

Step 1: Author docs/messagebus.md — single entry point and gap matrix

Files: docs/messagebus.md

• Top-level overview of "use mycelium_network as a message layer."
• One capability table, columns: Capability / Status (EXISTS/PARTIAL/MISSING) / Code citations / Gap notes, derived from the audit above.
• Persistence row: lists topics.toml (proposed) and admin.toml (proposed) alongside existing config.toml / peers.toml.
• Each PARTIAL/MISSING row links to the deeper doc (admin.md, socket_proxy.md, state_persistence.md).
• "Reading order" pointing at message.md → state_persistence.md → topic_configuration.md → admin.md → socket_proxy.md → e2e_messagebus_test.md.
• Cite crates/mycelum_messagebus/message_bus_docs.md (note: the crate name is misspelled — out of scope to rename, flag it in Notes).
  Dependencies: none.

Step 2: Refresh docs/message.md

Files: docs/message.md

• Add "Queue retention" — in-memory VecDeque, no on-disk persistence (cite crates/mycelium_engine/src/message.rs:541-700).
• Add "Reply correlation and timeouts" listing DEFAULT_MESSAGE_TRY_DURATION = 300s, RETRANSMISSION_DELAY = 100ms, REPLY_SUBSCRIBER_CLEAR_DELAY = 60s, SOCKET_REPLY_TIMEOUT = 5s with citations.
• Add "Limits and gaps" listing subnet-only ACL, no on-disk message queue, no admin model, no outbound socket forwarding. Each linked to messagebus.md.
• Cross-link to state_persistence.md, topic_configuration.md, admin.md, socket_proxy.md.
  Dependencies: Step 1.

Step 2a: Author docs/state_persistence.md — the model layer

Files: docs/state_persistence.md

• Section 1 "Today": directory layout under $MYCELIUM_STATE_DIR/, files and modes (priv_key.bin 0o640, config/peers.toml 0o644, dir 0o700), atomic tmp+rename pattern (cite crates/mycelium_daemon/src/state.rs:140-213). Make explicit: topic config is NOT persisted today — every RPC mutation is lost on restart.
• Section 2 "Proposed": directory tree shown above, with one-paragraph rationale per file.
• Section 3 "Model layer (Rust)": DaemonState extension shape, AdminConfig location, "RPC writes through to disk" rule, atomic-write reuse, error contract on persist failure. Design only — no code in this run.
• Section 4 "Why one topics.toml and not many": topic name is the natural primary key; subnet/pubkey ACL, inbound forward_socket, and outbound socket all hang off the same topic.
• Section 5 "Why reuse engine TopicConfig and not a DTO": already serde-derived; eliminates drift; engine stays the source of truth for the wire shape.
• Section 6 "Why admin lives in the daemon, not the engine": admin is an RPC-authorization concern; engine stays unaware (matches herolib_openrpc_authorize).
• Cross-link to admin.md, socket_proxy.md, topic_configuration.md.
  Dependencies: Step 1.

Step 3: Update docs/topic_configuration.md

Files: docs/topic_configuration.md

• Add "Limits today" callout: ACL is subnet-only (cite crates/mycelium_engine/src/message/topic.rs:13-49 and crates/mycelium_engine/src/message.rs:703-728).
• Make clear forward_socket is inbound-only (topic → local UDS); point at socket_proxy.md for the proposed outbound mirror.
• Add "Persistence" section pointing at state_persistence.md and stating that topic config is not persisted today; all mutations are lost on restart.
• Tidy stray triple-backticks at lines 81 and 110 while editing.
• Cross-link messagebus.md, socket_proxy.md, state_persistence.md.
  Dependencies: Step 1, Step 2a.

Step 4: Author docs/admin.md

Files: docs/admin.md

• Section 1 "What exists today": UI-tier ADMIN_SECRETS IP whitelist (cite crates/mycelium_ui/src/admin_secrets.rs:1-60 and crates/mycelium_ui/src/main.rs:41,98-107). Make explicit: UI-only, has nothing to do with mycelium pubkeys, daemon RPC is unauthenticated.
• Section 2 "What the issue asks for": daemon-level admin keyed off remote node's mycelium pubkey, admin-only RPC methods.
• Section 3 "Proposed design (NOT IMPLEMENTED)": admin set persisted in $MYCELIUM_STATE_DIR/admin.toml; mycelium_daemon::AdminConfig; RPC admin.list / admin.add / admin.remove; authorize step in dispatcher; identity surfaced for message-bus-arrived requests via source pubkey on ReceivedMessage; "implicit local admin" for the local UDS. Reference herolib_openrpc_authorize.
• Section 4 "Out of scope for this run": no Rust changes here.
  Dependencies: Step 1, Step 2a.

Step 5: Author docs/socket_proxy.md

Files: docs/socket_proxy.md

• Section 1 "Inbound (EXISTS)": full description of forward_socket — RPC names, engine flow, timeouts. Cite crates/mycelium_engine/src/message.rs:580-650, crates/mycelium_engine/src/message/topic.rs:13-49, crates/mycelium_api/src/rpc.rs:318-330.
• Section 2 "Outbound (MISSING) — proposed design": local UDS → topic message to remote pubkey. Document (a) on-disk shape outbound_socket = { path = "...", dst = { pk = "..." | ip = "..." } } nested under [topics.<name>] in the proposed topics.toml (cross-link state_persistence.md), (b) RPC surface addTopicOutboundSocket / removeTopicOutboundSocket / getTopicOutboundSocket, (c) lifecycle (one accept loop per configured outbound socket; per-connection mapping of mycelium MessageId → local stream for reply routing), (d) error behavior. No Rust.
• Section 3 "Why not reuse the existing SOCKS5 proxy.rs": one-paragraph contrast — crates/mycelium_engine/src/proxy.rs is a SOCKS5 TCP forwarder, not the requested per-topic UDS feature; cite docs/proxy.md.
  Dependencies: Step 1, Step 2a, Step 3.

Step 6: Author docs/e2e_messagebus_test.md

Files: docs/e2e_messagebus_test.md

• Topology: three nodes mycelium_network_test1..3, no_tun = true, isolated state dirs/socket dirs/TCP ports (cite crates/mycelium_e2e/tests/two_node_linux.rs:62-77).
• Phase A (today): two-way pushMessage/popMessage round-trip across all three pairs; topic add + subnet whitelist over RPC.
• Phase B (DEPENDS ON ADMIN MODEL): node 1 admin of node 3, issues setTopicForwardSocket against node 3 over the message bus, node 3 enforces.
• Phase C (DEPENDS ON OUTBOUND PROXY): node 1 writes to a configured local UDS, bytes arrive at node 3's inbound forward_socket for the matching topic, node 3 echoes, node 1 reads the reply on its UDS.
• Phase D (DEPENDS ON PERSISTENCE): kill and restart node 3; verify topic ACLs, admin set, and outbound-socket configs survive (read from topics.toml / admin.toml).
• For each phase, list exact mycelium_sdk calls and assertion shape, mirroring the structure of the two-node test. No Rust written.
  Dependencies: Step 2a, Step 4, Step 5.

Step 7: Cross-link from CLAUDE.md and README.md

Files: CLAUDE.md, README.md

• CLAUDE.md: short "Message-bus surface" section after "Hero Socket Compliance", linking to docs/messagebus.md, docs/state_persistence.md, docs/admin.md, docs/socket_proxy.md, docs/e2e_messagebus_test.md.
• README.md: add the four new doc paths under existing docs links.
  Dependencies: all prior steps.

Acceptance Criteria

• docs/messagebus.md exists with an EXISTS/PARTIAL/MISSING table for every issue capability and at least one crates/...:line citation per "EXISTS"/"PARTIAL" row.
• No new doc claims a feature is implemented unless a real file:line is cited; every "proposed" section is labelled NOT IMPLEMENTED and references this issue.
• docs/state_persistence.md lists every remembered item, distinguishes existing files (config.toml, peers.toml, priv_key.bin) from proposed (topics.toml, admin.toml), shows the proposed DaemonState shape, and explains why one topics.toml and why admin lives in the daemon.
• docs/topic_configuration.md makes clear ACL is subnet-only and forward_socket is inbound-only, and points at state_persistence.md for the persistence story.
• docs/admin.md distinguishes UI-tier ADMIN_SECRETS from the proposed daemon-level pubkey admin model persisted in admin.toml.
• docs/socket_proxy.md documents inbound (existing) and outbound (proposed nested under topics.toml), and disambiguates from the SOCKS5 proxy.
• docs/e2e_messagebus_test.md lists phases A–D with explicit dependencies, including a restart-persistence phase.
• CLAUDE.md and README.md link to the new docs.
• No Rust source files have been touched.

Notes

• The existing crates/mycelum_messagebus/message_bus_docs.md is internal design notes and remains authoritative for the current engine surface; the new top-level docs/messagebus.md is broader (covers admin, persistence, outbound proxy too).
• The crate path crates/mycelum_messagebus/ is misspelled (should be mycelium_*). Out of scope for this run; flagged for a follow-up.
• docs/message.md:74 already states that messages received with no listener are queued — the doc should be sharper that this is in-memory only, lost on restart.
• Step 5's outbound design intentionally lives next to forward_socket in the topic config so inbound and outbound share one mental model; persistence is one consolidated topics.toml, not split.
• All new docs use crates/<crate>/<path>:<line> citations so a future implementer can grep straight to the spot.

## Implementation Spec for Issue #44 **Scope of this run: documentation + gap analysis only. No Rust changes.** ### Objective Document mycelium_network's existing message-layer features and produce an unambiguous gap analysis against the asks in this issue. After this run, readers must be able to tell exactly which capabilities exist today (with code citations), which are partial, and which are missing — and what the proposed design for the missing pieces (persisted state model, admin layer, outbound socket proxy) looks like. ### Requirements - An OpenRPC interface for every message-bus feature. - Topic-scoped queues with documented retention semantics. - Per-topic source whitelists (who can send to a topic). - Daemon-level admin authorization keyed off the **remote node's mycelium pubkey**. - Inbound socket termination: topic message → local UDS (per `/hero_sockets`). - **NEW** outbound feature: a local UDS that, when written to, is forwarded as a topic message to a remote node (local-socket ↔ remote-server proxy). - 3-node e2e test plan (`mycelium_network_test1..3`, no TUN, message-bus only). - Admin UI to configure remote endpoints from the local daemon when admin of the remote. - All persistent state stored as `.toml` files under `$MYCELIUM_STATE_DIR/`, with a clean model layer. ### Files to Modify/Create - `docs/messagebus.md` — **new**, top-level "use mycelium_network as a message layer" guide. EXISTS/PARTIAL/MISSING matrix with file:line citations. Indexes the other docs. - `docs/message.md` — **update**. Queue retention semantics (in-memory only, lost on restart), reply-correlation timeouts, limits/gaps section. - `docs/state_persistence.md` — **new**. The model layer for everything we remember. Documents the existing `DaemonState` (priv_key.bin, config.toml, peers.toml) and the proposed additions: `topics.toml` and `admin.toml`. Atomic tmp+rename convention, file modes, RPC-write-through behavior. - `docs/topic_configuration.md` — **update**. Add "Limits today" (subnet-only ACL), make clear `forward_socket` is inbound-only, add a "Persistence" section pointing at `state_persistence.md`. - `docs/admin.md` — **new**. Section 1: existing UI-tier `ADMIN_SECRETS` IP whitelist. Section 2: what the issue asks for. Section 3: proposed daemon-level admin model with `admin.toml`, RPC surface, authorize step. - `docs/socket_proxy.md` — **new**. Section 1: inbound `forward_socket` (exists). Section 2: outbound socket → topic (proposed, nested under `[topics.<name>]` in `topics.toml`). Section 3: contrast with the existing SOCKS5 `proxy.rs` so they aren't conflated. - `docs/e2e_messagebus_test.md` — **new**. 3-node test plan with phases A (today), B (admin model), C (outbound proxy), D (restart persistence). - `CLAUDE.md` — **update**. Add a "Message-bus surface" section linking to the new docs. - `README.md` — **update**. Add the new doc paths under existing docs links. ### Current State (audit summary) - **Topic messaging — EXISTS.** Wire types in `crates/mycelium_api/src/message.rs`, engine API `push_message` / `reply_message` / `get_message` in `crates/mycelium_engine/src/message.rs:541-700`. Topic byte-string max 255 bytes. Inbox is an in-memory `VecDeque<ReceivedMessage>` — **no on-disk persistence, lost on restart**. `popMessage` peek/pop/timeout/topic filter exposed via OpenRPC (`crates/mycelium_api/openrpc.json`, dispatcher `crates/mycelium_api/src/rpc.rs:277`). - **Per-topic source whitelists — PARTIAL.** Subnet-based whitelist fully implemented in `crates/mycelium_engine/src/message/topic.rs:51-118` (`TopicConfig`, `TopicWhitelistConfig`); enforcement in `crates/mycelium_engine/src/message.rs:703-728` (`topic_allowed` checks `src: IpAddr`). RPC: `addTopic`, `removeTopic`, `addTopicSource`, `removeTopicSource`, `getTopicSources`, `getDefaultTopicAction`, `setDefaultTopicAction`. **Gap:** no pubkey-based whitelist. The pubkey is available later in receive (`mycelium_engine/src/message.rs:543-558`) but not consulted by `topic_allowed`. Adding it means extending `TopicWhitelistConfig` with `pubkeys: Vec<PublicKey>` and adding RPC methods `addTopicPubkeySource` / `removeTopicPubkeySource`. - **Topic → local-socket termination (inbound) — EXISTS.** `TopicWhitelistConfig::forward_socket: Option<PathBuf>` (`crates/mycelium_engine/src/message/topic.rs:13-49`); dispatcher in `crates/mycelium_engine/src/message.rs:580-650` writes message data to the UDS, reads a reply with 5s timeout, sends it back via `reply_message`. RPC: `getTopicForwardSocket`, `setTopicForwardSocket`, `removeTopicForwardSocket`. - **Local-socket → remote-topic outbound proxy — MISSING.** No code listens on a local UDS and forwards writes onto the message bus. `grep -rn UnixListener` finds only the `mycelium_ui` HTTP socket and the RPC UDS. **Proposed:** new daemon component (sibling of `forward_socket` in topic config) that takes `(topic, dst_pubkey_or_ip, local_socket_path)` and runs an accept loop; each inbound write becomes a `pushMessage`; replies route back to the originating UDS connection (correlate via mycelium `MessageId`). RPC mirror: `addTopicOutboundSocket(topic, dst, path)`, `removeTopicOutboundSocket(topic)`, `getTopicOutboundSocket(topic)`. Stored on disk as a nested `outbound_socket = { path, dst }` field under `[topics.<name>]` in the proposed `topics.toml`. - **Admin / pubkey-based authorization — MISSING (at the daemon).** `MyceliumRpc` trait (`crates/mycelium_api/src/rpc.rs:248-377`) has no auth context. UDS server (`crates/mycelium_api/src/rpc/unix.rs`) accepts every caller. The only existing admin gate is the **UI-tier** `ADMIN_SECRETS` IP whitelist in `crates/mycelium_ui/src/admin_secrets.rs` — gates which TCP clients can reach the UI, **not** which mycelium peers can RPC the daemon. **Proposed:** daemon-side `admin_pubkeys: Vec<PublicKey>` config (with RPC `admin.list/add/remove`); admin-only RPC methods routed through an authorize step that compares the caller's mycelium source pubkey to the admin set. Persisted as `admin.toml` in `$MYCELIUM_STATE_DIR/`. Pattern reference: `herolib_openrpc_authorize`. - **OpenRPC method surface for messages — EXISTS.** `crates/mycelium_api/openrpc.json` and trait `crates/mycelium_api/src/rpc.rs:248-330`: `pushMessage`, `popMessage`, `pushMessageReply`, `getMessageInfo`, `getDefaultTopicAction`, `setDefaultTopicAction`, `getTopics`, `addTopic`, `removeTopic`, `getTopicSources`, `addTopicSource`, `removeTopicSource`, `getTopicForwardSocket`, `setTopicForwardSocket`, `removeTopicForwardSocket`. All gated behind the `message` Cargo feature. **No** RPC for: per-pubkey topic ACL, outbound socket forwarding, admin pubkey management. - **Persisted state — PARTIAL.** Today `DaemonState` (`crates/mycelium_daemon/src/state.rs`) owns `priv_key.bin` (mode 0o640), `config.toml` and `peers.toml` (mode 0o644), with atomic tmp+rename writes; state dir mode 0o700. Topic config (`TopicConfig` in the engine) lives **only in memory** — every `addTopic`/`addTopicSource`/`setTopicForwardSocket` mutation is lost on restart. The legacy path (`crates/mycelium_daemon/src/legacy_runner.rs:35-40`) reads a stand-alone topic toml read-only at startup, which is not the model we want going forward. - **UI coverage — PARTIAL.** Templates exist for messages and topics: `crates/mycelium_ui/templates/messages.html` (push/pop) and `crates/mycelium_ui/templates/topics.html` (default action, add topic, configure subnets, configure forward socket). The `crates/mycelium_ui/templates/admin.html` page configures the **UI's own** `ADMIN_SECRETS` IP list, not a daemon-level admin set. **Missing UI:** pubkey-based topic ACLs, outbound socket forwarding, remote-node management. - **E2E test coverage — PARTIAL.** `crates/mycelium_e2e/tests/two_node_linux.rs` (325 lines) spins up two `mycelium_server` children with isolated `MYCELIUM_STATE_DIR` / `HERO_SOCKET_DIR` / TCP ports, peers them, exercises peers/routes/topics/messaging through `mycelium_sdk` (`add_topic` at line 260, `push_message` at line 290, `pop_message` at line 300). **Missing:** a third node, the cross-node admin-management flow, restart-persistence assertions, and any messagebus-only no-TUN three-way scenario as named in the issue. ### Proposed persisted-state model layer (design only — not implemented this run) User decision: one consolidated `topics.toml` + one `admin.toml`; reuse `TopicConfig` directly (no DTO); admin lives in the daemon. ``` $MYCELIUM_STATE_DIR/ ├── priv_key.bin (existing — mode 0o640) ├── config.toml (existing — node config) ├── peers.toml (existing — bootstrap peers) ├── topics.toml ← NEW. Serialised mycelium_engine::message::topic::TopicConfig │ • default_action ("accept" | "reject") │ • [topics.<name>] │ • subnets = [...] │ • pubkeys = [...] (proposed extension) │ • forward_socket = "/path/to/uds" (existing, inbound) │ • outbound_socket = { path = "...", dst = { pk|ip = "..." } } (proposed) └── admin.toml ← NEW. mycelium_daemon::AdminConfig • admin_pubkeys = [...] • method_patterns = [...] (which RPC method globs require admin) ``` Rust shape (design only, no code in this run): - `mycelium_daemon::DaemonState` grows two fields — `topics: TopicConfig` and `admin: AdminConfig` — and two save methods — `save_topics()`, `save_admin()` — mirroring the existing `save_config()`/`save_peers()` (atomic tmp+rename, mode 0o644). - On startup, `load_or_init` reads each file with the existing "missing → write defaults → continue" pattern. Engine boot uses `state.topics` to seed its in-memory `Arc<RwLock<TopicConfig>>`. - `TopicConfig` stays in `mycelium_engine` and is reused as the on-disk shape (it already derives serde) — no DTO drift. - `AdminConfig` is a new type in `mycelium_daemon` (not the engine; admin is an RPC-authorization concern, not a routing concern). - Every mutating RPC (`addTopic`, `setTopicForwardSocket`, `addTopicPubkeySource`, `admin.add`, etc.) updates the in-memory copy **then** calls `state.save_*()` before returning. Persist failure → return RPC error, do not leave drift. ### Implementation Plan #### Step 1: Author `docs/messagebus.md` — single entry point and gap matrix Files: `docs/messagebus.md` - Top-level overview of "use mycelium_network as a message layer." - One capability table, columns: *Capability / Status (EXISTS/PARTIAL/MISSING) / Code citations / Gap notes*, derived from the audit above. - Persistence row: lists `topics.toml` (proposed) and `admin.toml` (proposed) alongside existing `config.toml` / `peers.toml`. - Each PARTIAL/MISSING row links to the deeper doc (`admin.md`, `socket_proxy.md`, `state_persistence.md`). - "Reading order" pointing at `message.md` → `state_persistence.md` → `topic_configuration.md` → `admin.md` → `socket_proxy.md` → `e2e_messagebus_test.md`. - Cite `crates/mycelum_messagebus/message_bus_docs.md` (note: the crate name is misspelled — out of scope to rename, flag it in Notes). Dependencies: none. #### Step 2: Refresh `docs/message.md` Files: `docs/message.md` - Add "Queue retention" — in-memory `VecDeque`, no on-disk persistence (cite `crates/mycelium_engine/src/message.rs:541-700`). - Add "Reply correlation and timeouts" listing `DEFAULT_MESSAGE_TRY_DURATION = 300s`, `RETRANSMISSION_DELAY = 100ms`, `REPLY_SUBSCRIBER_CLEAR_DELAY = 60s`, `SOCKET_REPLY_TIMEOUT = 5s` with citations. - Add "Limits and gaps" listing subnet-only ACL, no on-disk message queue, no admin model, no outbound socket forwarding. Each linked to `messagebus.md`. - Cross-link to `state_persistence.md`, `topic_configuration.md`, `admin.md`, `socket_proxy.md`. Dependencies: Step 1. #### Step 2a: Author `docs/state_persistence.md` — the model layer Files: `docs/state_persistence.md` - Section 1 "Today": directory layout under `$MYCELIUM_STATE_DIR/`, files and modes (priv_key.bin 0o640, config/peers.toml 0o644, dir 0o700), atomic tmp+rename pattern (cite `crates/mycelium_daemon/src/state.rs:140-213`). Make explicit: topic config is **NOT** persisted today — every RPC mutation is lost on restart. - Section 2 "Proposed": directory tree shown above, with one-paragraph rationale per file. - Section 3 "Model layer (Rust)": `DaemonState` extension shape, `AdminConfig` location, "RPC writes through to disk" rule, atomic-write reuse, error contract on persist failure. **Design only — no code in this run.** - Section 4 "Why one `topics.toml` and not many": topic name is the natural primary key; subnet/pubkey ACL, inbound `forward_socket`, and outbound socket all hang off the same topic. - Section 5 "Why reuse engine `TopicConfig` and not a DTO": already serde-derived; eliminates drift; engine stays the source of truth for the wire shape. - Section 6 "Why admin lives in the daemon, not the engine": admin is an RPC-authorization concern; engine stays unaware (matches `herolib_openrpc_authorize`). - Cross-link to `admin.md`, `socket_proxy.md`, `topic_configuration.md`. Dependencies: Step 1. #### Step 3: Update `docs/topic_configuration.md` Files: `docs/topic_configuration.md` - Add "Limits today" callout: ACL is subnet-only (cite `crates/mycelium_engine/src/message/topic.rs:13-49` and `crates/mycelium_engine/src/message.rs:703-728`). - Make clear `forward_socket` is **inbound-only** (topic → local UDS); point at `socket_proxy.md` for the proposed outbound mirror. - Add "Persistence" section pointing at `state_persistence.md` and stating that topic config is **not** persisted today; all mutations are lost on restart. - Tidy stray triple-backticks at lines 81 and 110 while editing. - Cross-link `messagebus.md`, `socket_proxy.md`, `state_persistence.md`. Dependencies: Step 1, Step 2a. #### Step 4: Author `docs/admin.md` Files: `docs/admin.md` - Section 1 "What exists today": UI-tier `ADMIN_SECRETS` IP whitelist (cite `crates/mycelium_ui/src/admin_secrets.rs:1-60` and `crates/mycelium_ui/src/main.rs:41,98-107`). Make explicit: UI-only, has nothing to do with mycelium pubkeys, daemon RPC is unauthenticated. - Section 2 "What the issue asks for": daemon-level admin keyed off remote node's mycelium pubkey, admin-only RPC methods. - Section 3 "Proposed design (NOT IMPLEMENTED)": admin set persisted in `$MYCELIUM_STATE_DIR/admin.toml`; `mycelium_daemon::AdminConfig`; RPC `admin.list / admin.add / admin.remove`; authorize step in dispatcher; identity surfaced for message-bus-arrived requests via source pubkey on `ReceivedMessage`; "implicit local admin" for the local UDS. Reference `herolib_openrpc_authorize`. - Section 4 "Out of scope for this run": no Rust changes here. Dependencies: Step 1, Step 2a. #### Step 5: Author `docs/socket_proxy.md` Files: `docs/socket_proxy.md` - Section 1 "Inbound (EXISTS)": full description of `forward_socket` — RPC names, engine flow, timeouts. Cite `crates/mycelium_engine/src/message.rs:580-650`, `crates/mycelium_engine/src/message/topic.rs:13-49`, `crates/mycelium_api/src/rpc.rs:318-330`. - Section 2 "Outbound (MISSING) — proposed design": local UDS → topic message to remote pubkey. Document (a) on-disk shape `outbound_socket = { path = "...", dst = { pk = "..." | ip = "..." } }` nested under `[topics.<name>]` in the proposed `topics.toml` (cross-link `state_persistence.md`), (b) RPC surface `addTopicOutboundSocket` / `removeTopicOutboundSocket` / `getTopicOutboundSocket`, (c) lifecycle (one accept loop per configured outbound socket; per-connection mapping of mycelium `MessageId` → local stream for reply routing), (d) error behavior. **No Rust.** - Section 3 "Why not reuse the existing SOCKS5 `proxy.rs`": one-paragraph contrast — `crates/mycelium_engine/src/proxy.rs` is a SOCKS5 TCP forwarder, not the requested per-topic UDS feature; cite `docs/proxy.md`. Dependencies: Step 1, Step 2a, Step 3. #### Step 6: Author `docs/e2e_messagebus_test.md` Files: `docs/e2e_messagebus_test.md` - Topology: three nodes `mycelium_network_test1..3`, `no_tun = true`, isolated state dirs/socket dirs/TCP ports (cite `crates/mycelium_e2e/tests/two_node_linux.rs:62-77`). - Phase A (today): two-way `pushMessage`/`popMessage` round-trip across all three pairs; topic add + subnet whitelist over RPC. - Phase B (DEPENDS ON ADMIN MODEL): node 1 admin of node 3, issues `setTopicForwardSocket` against node 3 over the message bus, node 3 enforces. - Phase C (DEPENDS ON OUTBOUND PROXY): node 1 writes to a configured local UDS, bytes arrive at node 3's inbound `forward_socket` for the matching topic, node 3 echoes, node 1 reads the reply on its UDS. - Phase D (DEPENDS ON PERSISTENCE): kill and restart node 3; verify topic ACLs, admin set, and outbound-socket configs survive (read from `topics.toml` / `admin.toml`). - For each phase, list exact `mycelium_sdk` calls and assertion shape, mirroring the structure of the two-node test. **No Rust written.** Dependencies: Step 2a, Step 4, Step 5. #### Step 7: Cross-link from `CLAUDE.md` and `README.md` Files: `CLAUDE.md`, `README.md` - `CLAUDE.md`: short "Message-bus surface" section after "Hero Socket Compliance", linking to `docs/messagebus.md`, `docs/state_persistence.md`, `docs/admin.md`, `docs/socket_proxy.md`, `docs/e2e_messagebus_test.md`. - `README.md`: add the four new doc paths under existing docs links. Dependencies: all prior steps. ### Acceptance Criteria - [ ] `docs/messagebus.md` exists with an EXISTS/PARTIAL/MISSING table for every issue capability and at least one `crates/...:line` citation per "EXISTS"/"PARTIAL" row. - [ ] No new doc claims a feature is implemented unless a real file:line is cited; every "proposed" section is labelled NOT IMPLEMENTED and references this issue. - [ ] `docs/state_persistence.md` lists every remembered item, distinguishes existing files (`config.toml`, `peers.toml`, `priv_key.bin`) from proposed (`topics.toml`, `admin.toml`), shows the proposed `DaemonState` shape, and explains why one `topics.toml` and why admin lives in the daemon. - [ ] `docs/topic_configuration.md` makes clear ACL is subnet-only and `forward_socket` is inbound-only, and points at `state_persistence.md` for the persistence story. - [ ] `docs/admin.md` distinguishes UI-tier `ADMIN_SECRETS` from the proposed daemon-level pubkey admin model persisted in `admin.toml`. - [ ] `docs/socket_proxy.md` documents inbound (existing) and outbound (proposed nested under `topics.toml`), and disambiguates from the SOCKS5 proxy. - [ ] `docs/e2e_messagebus_test.md` lists phases A–D with explicit dependencies, including a restart-persistence phase. - [ ] `CLAUDE.md` and `README.md` link to the new docs. - [ ] No Rust source files have been touched. ### Notes - The existing `crates/mycelum_messagebus/message_bus_docs.md` is internal design notes and remains authoritative for the current engine surface; the new top-level `docs/messagebus.md` is broader (covers admin, persistence, outbound proxy too). - The crate path `crates/mycelum_messagebus/` is misspelled (should be `mycelium_*`). Out of scope for this run; flagged for a follow-up. - `docs/message.md:74` already states that messages received with no listener are queued — the doc should be sharper that this is in-memory only, lost on restart. - Step 5's outbound design intentionally lives next to `forward_socket` in the topic config so inbound and outbound share one mental model; persistence is one consolidated `topics.toml`, not split. - All new docs use `crates/<crate>/<path>:<line>` citations so a future implementer can grep straight to the spot.

despiegk commented 2026-04-27 08:38:25 +00:00

Author

Owner

Copy link

Verification report

This run was scoped to documentation + gap analysis only — no Rust source files were touched. There is no cargo test output to share. Instead, the verification below confirms the docs were written, cross-link correctly, and every code citation points at a real file:line.

Files written (5 new + 4 modified)

File	Change	Lines
docs/messagebus.md	new	67
docs/state_persistence.md	new	178
docs/admin.md	new	158
docs/socket_proxy.md	new	139
docs/e2e_messagebus_test.md	new	120
docs/message.md	updated (3 sections appended + See also)	225
docs/topic_configuration.md	updated (Limits today, inbound-only callout, Persistence, See also; stray triple-backticks tidied)	260
CLAUDE.md	new "Message-bus surface" section after "Hero Socket Compliance"	167
README.md	new "Documentation" section before "Remarks"	424

Code-citation spot checks

The plan agent and each writing agent verified citations by reading the cited files. Examples (all confirmed against the working tree):

• crates/mycelium_engine/src/message/topic.rs:13-49 — TopicWhitelistConfig (subnet whitelist + forward_socket: Option<PathBuf>).
• crates/mycelium_engine/src/message.rs:541-700 — push_message / reply_message / get_message API and inbox VecDeque.
• crates/mycelium_engine/src/message.rs:703-728 — topic_allowed (subnet check, no pubkey path).
• crates/mycelium_engine/src/message.rs:59 — SOCKET_REPLY_TIMEOUT = 5 s.
• crates/mycelium_api/src/rpc.rs:248-330 — MyceliumRpc trait method surface (no auth context).
• crates/mycelium_api/src/rpc/unix.rs:49-82, 172-241 — UDS server accepts every caller, no identity check.
• crates/mycelium_ui/src/admin_secrets.rs and crates/mycelium_ui/src/main.rs:36-41, 86-92, 96-110 — UI-tier ADMIN_SECRETS IP whitelist (UI-only).
• crates/mycelium_daemon/src/state.rs:22-24, 50-58, 136-148, 151-164, 180-203 — existing DaemonState (file constants, MYCELIUM_STATE_DIR resolution, save methods, dir mode, atomic writers).
• crates/mycelium_daemon/src/legacy_runner.rs:35-40 — legacy stand-alone topic toml read at startup, no write-back.
• crates/mycelium_e2e/tests/two_node_linux.rs:30-322 — structural template for the proposed 3-node test.

Cross-links

Each new doc has a "See also" footer linking to the others, and each updated doc gained the same. The messagebus.md capability matrix points each PARTIAL/MISSING row at the relevant deeper doc. CLAUDE.md and README.md link to all five new docs.

Out of scope (deliberate)

• No Rust changes. The proposed topics.toml / admin.toml files, the TopicWhitelistConfig::pubkeys extension, the outbound_socket field, the addTopicPubkeySource / addTopicOutboundSocket / admin.* RPC methods, and the dispatcher authorize step are all documented as proposals only.
• No new tests were written. crates/mycelium_e2e/tests/three_node_linux.rs does not exist; the plan in docs/e2e_messagebus_test.md is a written specification of what such a test would do across phases A (basic messaging — achievable today) and B/C/D (blocked on the proposed admin / outbound-proxy / persistence work).
• The misspelled crate path crates/mycelum_messagebus/ is flagged in docs/messagebus.md Notes as a follow-up; not renamed.

Pre-existing changes in the working tree

The working tree contains many other modified files (Rust sources under crates/, Cargo.toml, scripts, etc.) — these were already present at the start of this session and are unrelated to this run. The single commit at the end of this skill will only stage the 9 doc files listed above.

## Verification report This run was scoped to **documentation + gap analysis only** — no Rust source files were touched. There is no `cargo test` output to share. Instead, the verification below confirms the docs were written, cross-link correctly, and every code citation points at a real file:line. ### Files written (5 new + 4 modified) | File | Change | Lines | |---|---|---| | `docs/messagebus.md` | new | 67 | | `docs/state_persistence.md` | new | 178 | | `docs/admin.md` | new | 158 | | `docs/socket_proxy.md` | new | 139 | | `docs/e2e_messagebus_test.md` | new | 120 | | `docs/message.md` | updated (3 sections appended + See also) | 225 | | `docs/topic_configuration.md` | updated (Limits today, inbound-only callout, Persistence, See also; stray triple-backticks tidied) | 260 | | `CLAUDE.md` | new "Message-bus surface" section after "Hero Socket Compliance" | 167 | | `README.md` | new "Documentation" section before "Remarks" | 424 | ### Code-citation spot checks The plan agent and each writing agent verified citations by reading the cited files. Examples (all confirmed against the working tree): - `crates/mycelium_engine/src/message/topic.rs:13-49` — `TopicWhitelistConfig` (subnet whitelist + `forward_socket: Option<PathBuf>`). - `crates/mycelium_engine/src/message.rs:541-700` — `push_message` / `reply_message` / `get_message` API and inbox `VecDeque`. - `crates/mycelium_engine/src/message.rs:703-728` — `topic_allowed` (subnet check, no pubkey path). - `crates/mycelium_engine/src/message.rs:59` — `SOCKET_REPLY_TIMEOUT = 5 s`. - `crates/mycelium_api/src/rpc.rs:248-330` — `MyceliumRpc` trait method surface (no auth context). - `crates/mycelium_api/src/rpc/unix.rs:49-82, 172-241` — UDS server accepts every caller, no identity check. - `crates/mycelium_ui/src/admin_secrets.rs` and `crates/mycelium_ui/src/main.rs:36-41, 86-92, 96-110` — UI-tier `ADMIN_SECRETS` IP whitelist (UI-only). - `crates/mycelium_daemon/src/state.rs:22-24, 50-58, 136-148, 151-164, 180-203` — existing `DaemonState` (file constants, `MYCELIUM_STATE_DIR` resolution, save methods, dir mode, atomic writers). - `crates/mycelium_daemon/src/legacy_runner.rs:35-40` — legacy stand-alone topic toml read at startup, no write-back. - `crates/mycelium_e2e/tests/two_node_linux.rs:30-322` — structural template for the proposed 3-node test. ### Cross-links Each new doc has a "See also" footer linking to the others, and each updated doc gained the same. The `messagebus.md` capability matrix points each PARTIAL/MISSING row at the relevant deeper doc. `CLAUDE.md` and `README.md` link to all five new docs. ### Out of scope (deliberate) - No Rust changes. The proposed `topics.toml` / `admin.toml` files, the `TopicWhitelistConfig::pubkeys` extension, the `outbound_socket` field, the `addTopicPubkeySource` / `addTopicOutboundSocket` / `admin.*` RPC methods, and the dispatcher authorize step are all documented as proposals only. - No new tests were written. `crates/mycelium_e2e/tests/three_node_linux.rs` does not exist; the plan in `docs/e2e_messagebus_test.md` is a written specification of what such a test would do across phases A (basic messaging — achievable today) and B/C/D (blocked on the proposed admin / outbound-proxy / persistence work). - The misspelled crate path `crates/mycelum_messagebus/` is flagged in `docs/messagebus.md` Notes as a follow-up; not renamed. ### Pre-existing changes in the working tree The working tree contains many other modified files (Rust sources under `crates/`, `Cargo.toml`, scripts, etc.) — these were already present at the start of this session and are unrelated to this run. The single commit at the end of this skill will only stage the 9 doc files listed above.

despiegk commented 2026-04-27 08:39:00 +00:00

Author

Owner

Copy link

Verification report

This run was scoped to documentation + gap analysis only — no Rust source files were touched. There is no cargo test output to share. Instead, the verification below confirms the docs were written, cross-link correctly, and every code citation points at a real file:line.

Files written (5 new + 4 modified)

File	Change	Lines
docs/messagebus.md	new	67
docs/state_persistence.md	new	178
docs/admin.md	new	158
docs/socket_proxy.md	new	139
docs/e2e_messagebus_test.md	new	120
docs/message.md	updated (3 sections appended + See also)	225
docs/topic_configuration.md	updated (Limits today, inbound-only callout, Persistence, See also; stray triple-backticks tidied)	260
CLAUDE.md	new "Message-bus surface" section after "Hero Socket Compliance"	167
README.md	new "Documentation" section before "Remarks"	424

Code-citation spot checks

The plan agent and each writing agent verified citations by reading the cited files. Examples (all confirmed against the working tree):

• crates/mycelium_engine/src/message/topic.rs:13-49 — TopicWhitelistConfig (subnet whitelist + forward_socket: Option<PathBuf>).
• crates/mycelium_engine/src/message.rs:541-700 — push_message / reply_message / get_message API and inbox VecDeque.
• crates/mycelium_engine/src/message.rs:703-728 — topic_allowed (subnet check, no pubkey path).
• crates/mycelium_engine/src/message.rs:59 — SOCKET_REPLY_TIMEOUT = 5 s.
• crates/mycelium_api/src/rpc.rs:248-330 — MyceliumRpc trait method surface (no auth context).
• crates/mycelium_api/src/rpc/unix.rs:49-82, 172-241 — UDS server accepts every caller, no identity check.
• crates/mycelium_ui/src/admin_secrets.rs and crates/mycelium_ui/src/main.rs:36-41, 86-92, 96-110 — UI-tier ADMIN_SECRETS IP whitelist (UI-only).
• crates/mycelium_daemon/src/state.rs:22-24, 50-58, 136-148, 151-164, 180-203 — existing DaemonState (file constants, MYCELIUM_STATE_DIR resolution, save methods, dir mode, atomic writers).
• crates/mycelium_daemon/src/legacy_runner.rs:35-40 — legacy stand-alone topic toml read at startup, no write-back.
• crates/mycelium_e2e/tests/two_node_linux.rs:30-322 — structural template for the proposed 3-node test.

Cross-links

Each new doc has a "See also" footer linking to the others, and each updated doc gained the same. The messagebus.md capability matrix points each PARTIAL/MISSING row at the relevant deeper doc. CLAUDE.md and README.md link to all five new docs.

Out of scope (deliberate)

• No Rust changes. The proposed topics.toml / admin.toml files, the TopicWhitelistConfig::pubkeys extension, the outbound_socket field, the addTopicPubkeySource / addTopicOutboundSocket / admin.* RPC methods, and the dispatcher authorize step are all documented as proposals only.
• No new tests were written. crates/mycelium_e2e/tests/three_node_linux.rs does not exist; the plan in docs/e2e_messagebus_test.md is a written specification of what such a test would do across phases A (basic messaging — achievable today) and B/C/D (blocked on the proposed admin / outbound-proxy / persistence work).
• The misspelled crate path crates/mycelum_messagebus/ is flagged in docs/messagebus.md Notes as a follow-up; not renamed.

Pre-existing changes in the working tree

The working tree contains many other modified files (Rust sources under crates/, Cargo.toml, scripts, etc.) — these were already present at the start of this session and are unrelated to this run. The single commit at the end of this skill will only stage the 9 doc files listed above.

## Verification report This run was scoped to **documentation + gap analysis only** — no Rust source files were touched. There is no `cargo test` output to share. Instead, the verification below confirms the docs were written, cross-link correctly, and every code citation points at a real file:line. ### Files written (5 new + 4 modified) | File | Change | Lines | |---|---|---| | `docs/messagebus.md` | new | 67 | | `docs/state_persistence.md` | new | 178 | | `docs/admin.md` | new | 158 | | `docs/socket_proxy.md` | new | 139 | | `docs/e2e_messagebus_test.md` | new | 120 | | `docs/message.md` | updated (3 sections appended + See also) | 225 | | `docs/topic_configuration.md` | updated (Limits today, inbound-only callout, Persistence, See also; stray triple-backticks tidied) | 260 | | `CLAUDE.md` | new "Message-bus surface" section after "Hero Socket Compliance" | 167 | | `README.md` | new "Documentation" section before "Remarks" | 424 | ### Code-citation spot checks The plan agent and each writing agent verified citations by reading the cited files. Examples (all confirmed against the working tree): - `crates/mycelium_engine/src/message/topic.rs:13-49` — `TopicWhitelistConfig` (subnet whitelist + `forward_socket: Option<PathBuf>`). - `crates/mycelium_engine/src/message.rs:541-700` — `push_message` / `reply_message` / `get_message` API and inbox `VecDeque`. - `crates/mycelium_engine/src/message.rs:703-728` — `topic_allowed` (subnet check, no pubkey path). - `crates/mycelium_engine/src/message.rs:59` — `SOCKET_REPLY_TIMEOUT = 5 s`. - `crates/mycelium_api/src/rpc.rs:248-330` — `MyceliumRpc` trait method surface (no auth context). - `crates/mycelium_api/src/rpc/unix.rs:49-82, 172-241` — UDS server accepts every caller, no identity check. - `crates/mycelium_ui/src/admin_secrets.rs` and `crates/mycelium_ui/src/main.rs:36-41, 86-92, 96-110` — UI-tier `ADMIN_SECRETS` IP whitelist (UI-only). - `crates/mycelium_daemon/src/state.rs:22-24, 50-58, 136-148, 151-164, 180-203` — existing `DaemonState` (file constants, `MYCELIUM_STATE_DIR` resolution, save methods, dir mode, atomic writers). - `crates/mycelium_daemon/src/legacy_runner.rs:35-40` — legacy stand-alone topic toml read at startup, no write-back. - `crates/mycelium_e2e/tests/two_node_linux.rs:30-322` — structural template for the proposed 3-node test. ### Cross-links Each new doc has a "See also" footer linking to the others, and each updated doc gained the same. The `messagebus.md` capability matrix points each PARTIAL/MISSING row at the relevant deeper doc. `CLAUDE.md` and `README.md` link to all five new docs. ### Out of scope (deliberate) - No Rust changes. The proposed `topics.toml` / `admin.toml` files, the `TopicWhitelistConfig::pubkeys` extension, the `outbound_socket` field, the `addTopicPubkeySource` / `addTopicOutboundSocket` / `admin.*` RPC methods, and the dispatcher authorize step are all documented as proposals only. - No new tests were written. `crates/mycelium_e2e/tests/three_node_linux.rs` does not exist; the plan in `docs/e2e_messagebus_test.md` is a written specification of what such a test would do across phases A (basic messaging — achievable today) and B/C/D (blocked on the proposed admin / outbound-proxy / persistence work). - The misspelled crate path `crates/mycelum_messagebus/` is flagged in `docs/messagebus.md` Notes as a follow-up; not renamed. ### Pre-existing changes in the working tree The working tree contains many other modified files (Rust sources under `crates/`, `Cargo.toml`, scripts, etc.) — these were already present at the start of this session and are unrelated to this run. The single commit at the end of this skill will only stage the 9 doc files listed above.

despiegk commented 2026-04-27 08:39:10 +00:00

Author

Owner

Copy link

Verification report

This run was scoped to documentation + gap analysis only — no Rust source files were touched. There is no cargo test output to share. Instead, the verification below confirms the docs were written, cross-link correctly, and every code citation points at a real file:line.

Files written (5 new + 4 modified)

File	Change	Lines
docs/messagebus.md	new	67
docs/state_persistence.md	new	178
docs/admin.md	new	158
docs/socket_proxy.md	new	139
docs/e2e_messagebus_test.md	new	120
docs/message.md	updated (3 sections appended + See also)	225
docs/topic_configuration.md	updated (Limits today, inbound-only callout, Persistence, See also; stray triple-backticks tidied)	260
CLAUDE.md	new "Message-bus surface" section after "Hero Socket Compliance"	167
README.md	new "Documentation" section before "Remarks"	424

Code-citation spot checks

The plan agent and each writing agent verified citations by reading the cited files. Examples (all confirmed against the working tree):

• crates/mycelium_engine/src/message/topic.rs:13-49 — TopicWhitelistConfig (subnet whitelist + forward_socket: Option<PathBuf>).
• crates/mycelium_engine/src/message.rs:541-700 — push_message / reply_message / get_message API and inbox VecDeque.
• crates/mycelium_engine/src/message.rs:703-728 — topic_allowed (subnet check, no pubkey path).
• crates/mycelium_engine/src/message.rs:59 — SOCKET_REPLY_TIMEOUT = 5 s.
• crates/mycelium_api/src/rpc.rs:248-330 — MyceliumRpc trait method surface (no auth context).
• crates/mycelium_api/src/rpc/unix.rs:49-82, 172-241 — UDS server accepts every caller, no identity check.
• crates/mycelium_ui/src/admin_secrets.rs and crates/mycelium_ui/src/main.rs:36-41, 86-92, 96-110 — UI-tier ADMIN_SECRETS IP whitelist (UI-only).
• crates/mycelium_daemon/src/state.rs:22-24, 50-58, 136-148, 151-164, 180-203 — existing DaemonState (file constants, MYCELIUM_STATE_DIR resolution, save methods, dir mode, atomic writers).
• crates/mycelium_daemon/src/legacy_runner.rs:35-40 — legacy stand-alone topic toml read at startup, no write-back.
• crates/mycelium_e2e/tests/two_node_linux.rs:30-322 — structural template for the proposed 3-node test.

Cross-links

Each new doc has a "See also" footer linking to the others, and each updated doc gained the same. The messagebus.md capability matrix points each PARTIAL/MISSING row at the relevant deeper doc. CLAUDE.md and README.md link to all five new docs.

Out of scope (deliberate)

• No Rust changes. The proposed topics.toml / admin.toml files, the TopicWhitelistConfig::pubkeys extension, the outbound_socket field, the addTopicPubkeySource / addTopicOutboundSocket / admin.* RPC methods, and the dispatcher authorize step are all documented as proposals only.
• No new tests were written. crates/mycelium_e2e/tests/three_node_linux.rs does not exist; the plan in docs/e2e_messagebus_test.md is a written specification of what such a test would do across phases A (basic messaging — achievable today) and B/C/D (blocked on the proposed admin / outbound-proxy / persistence work).
• The misspelled crate path crates/mycelum_messagebus/ is flagged in docs/messagebus.md Notes as a follow-up; not renamed.

Pre-existing changes in the working tree

The working tree contains many other modified files (Rust sources under crates/, Cargo.toml, scripts, etc.) — these were already present at the start of this session and are unrelated to this run. The single commit at the end of this skill will only stage the 9 doc files listed above.

## Verification report This run was scoped to **documentation + gap analysis only** — no Rust source files were touched. There is no `cargo test` output to share. Instead, the verification below confirms the docs were written, cross-link correctly, and every code citation points at a real file:line. ### Files written (5 new + 4 modified) | File | Change | Lines | |---|---|---| | `docs/messagebus.md` | new | 67 | | `docs/state_persistence.md` | new | 178 | | `docs/admin.md` | new | 158 | | `docs/socket_proxy.md` | new | 139 | | `docs/e2e_messagebus_test.md` | new | 120 | | `docs/message.md` | updated (3 sections appended + See also) | 225 | | `docs/topic_configuration.md` | updated (Limits today, inbound-only callout, Persistence, See also; stray triple-backticks tidied) | 260 | | `CLAUDE.md` | new "Message-bus surface" section after "Hero Socket Compliance" | 167 | | `README.md` | new "Documentation" section before "Remarks" | 424 | ### Code-citation spot checks The plan agent and each writing agent verified citations by reading the cited files. Examples (all confirmed against the working tree): - `crates/mycelium_engine/src/message/topic.rs:13-49` — `TopicWhitelistConfig` (subnet whitelist + `forward_socket: Option<PathBuf>`). - `crates/mycelium_engine/src/message.rs:541-700` — `push_message` / `reply_message` / `get_message` API and inbox `VecDeque`. - `crates/mycelium_engine/src/message.rs:703-728` — `topic_allowed` (subnet check, no pubkey path). - `crates/mycelium_engine/src/message.rs:59` — `SOCKET_REPLY_TIMEOUT = 5 s`. - `crates/mycelium_api/src/rpc.rs:248-330` — `MyceliumRpc` trait method surface (no auth context). - `crates/mycelium_api/src/rpc/unix.rs:49-82, 172-241` — UDS server accepts every caller, no identity check. - `crates/mycelium_ui/src/admin_secrets.rs` and `crates/mycelium_ui/src/main.rs:36-41, 86-92, 96-110` — UI-tier `ADMIN_SECRETS` IP whitelist (UI-only). - `crates/mycelium_daemon/src/state.rs:22-24, 50-58, 136-148, 151-164, 180-203` — existing `DaemonState` (file constants, `MYCELIUM_STATE_DIR` resolution, save methods, dir mode, atomic writers). - `crates/mycelium_daemon/src/legacy_runner.rs:35-40` — legacy stand-alone topic toml read at startup, no write-back. - `crates/mycelium_e2e/tests/two_node_linux.rs:30-322` — structural template for the proposed 3-node test. ### Cross-links Each new doc has a "See also" footer linking to the others, and each updated doc gained the same. The `messagebus.md` capability matrix points each PARTIAL/MISSING row at the relevant deeper doc. `CLAUDE.md` and `README.md` link to all five new docs. ### Out of scope (deliberate) - No Rust changes. The proposed `topics.toml` / `admin.toml` files, the `TopicWhitelistConfig::pubkeys` extension, the `outbound_socket` field, the `addTopicPubkeySource` / `addTopicOutboundSocket` / `admin.*` RPC methods, and the dispatcher authorize step are all documented as proposals only. - No new tests were written. `crates/mycelium_e2e/tests/three_node_linux.rs` does not exist; the plan in `docs/e2e_messagebus_test.md` is a written specification of what such a test would do across phases A (basic messaging — achievable today) and B/C/D (blocked on the proposed admin / outbound-proxy / persistence work). - The misspelled crate path `crates/mycelum_messagebus/` is flagged in `docs/messagebus.md` Notes as a follow-up; not renamed. ### Pre-existing changes in the working tree The working tree contains many other modified files (Rust sources under `crates/`, `Cargo.toml`, scripts, etc.) — these were already present at the start of this session and are unrelated to this run. The single commit at the end of this skill will only stage the 9 doc files listed above.

despiegk commented 2026-04-27 08:40:08 +00:00

Author

Owner

Copy link

Final summary

Scope delivered: documentation + gap analysis. No Rust code changes.

What landed in this run

5 new docs:

• docs/messagebus.md — top-level entry point with a capability matrix (EXISTS / PARTIAL / MISSING) for every ask in this issue, each row backed by crates/<crate>/<file>:<line> citations.
• docs/state_persistence.md — the model layer for everything we remember on disk. Documents the existing DaemonState (priv_key.bin, config.toml, peers.toml) and the proposed additions (topics.toml, admin.toml). Reuses engine TopicConfig directly as the on-disk shape; daemon-only AdminConfig. Atomic tmp+rename writes; RPC write-through rule.
• docs/admin.md — distinguishes the existing UI-tier ADMIN_SECRETS IP whitelist (UI-only, IP-keyed) from the proposed daemon-level pubkey admin model. Authorize step in the dispatcher; admin.list/add/remove RPC; "implicit local admin" for the local UDS.
• docs/socket_proxy.md — inbound forward_socket (existing) vs proposed outbound local-UDS → remote-topic proxy nested under [topics.<name>] in topics.toml. Disambiguates from the existing SOCKS5 proxy (docs/proxy.md).
• docs/e2e_messagebus_test.md — 3-node test plan (mycelium_network_test1..3, no_tun = true). Phase A (basic messaging — achievable today), Phase B (admin management — blocked on admin model), Phase C (outbound socket — blocked on socket_proxy proposal), Phase D (restart persistence — blocked on persistence proposal).

4 docs updated:

• docs/message.md — added "Queue retention", "Reply correlation and timeouts" (with verified constants), "Limits and gaps", "See also".
• docs/topic_configuration.md — added "Limits today" (subnet-only ACL), made forward_socket direction explicit (inbound only), added "Persistence" section, tidied stray triple-backticks.
• CLAUDE.md — new "Message-bus surface" section linking to the five new docs.
• README.md — new "Documentation" section linking to the five new docs.

Key design decisions captured in the docs

• One consolidated topics.toml + one admin.toml under $MYCELIUM_STATE_DIR/. Topic name is the natural primary key; per-topic subnet ACL, proposed pubkey ACL, inbound forward_socket, and proposed outbound socket all hang off the same topic.
• Reuse mycelium_engine::message::topic::TopicConfig as the on-disk shape — it already derives serde, no DTO drift.
• AdminConfig lives in mycelium_daemon, not the engine. Admin is an RPC-authorization concern, not a routing concern (matches herolib_openrpc_authorize).
• RPC write-through rule: every mutating RPC updates the in-memory copy then calls state.save_*() before returning. Persist failure → return RPC error.
• Local UDS implicit-local-admin: the local socket already has filesystem-permission gating; layering pubkey auth on top would be redundant. Pubkey admin gating applies to the message-bus path.

Gap summary (capabilities missing today)

• Per-topic pubkey-keyed whitelist (subnet-only today).
• Daemon-level admin authorization (RPC is unauthenticated today; UI ADMIN_SECRETS is UI-only).
• Outbound local-UDS → remote-topic proxy (only inbound forward_socket exists today).
• Persistence of topic config and admin set across daemon restarts (only priv_key.bin / config.toml / peers.toml are persisted today).
• 3-node e2e test with admin and restart-persistence coverage (only a 2-node test exists today).
• Admin UI for remote-node management.

Each is documented with proposed RPC surface, on-disk shape, and architecture sketch — implementation is a separate run.

Out of scope

• No Rust changes (no engine, daemon, API, SDK, CLI, or UI source touched).
• No new RPC methods wired up.
• The misspelled crate path crates/mycelum_messagebus/ is flagged in messagebus.md Notes; not renamed.
• The legacy TCP JSON-RPC on port 8990 is unauthenticated; hardening it is called out in admin.md as a separate decision.

Verification

See the verification report earlier in the thread — files, sizes, citation spot checks, and cross-link confirmation.

## Final summary **Scope delivered:** documentation + gap analysis. No Rust code changes. ### What landed in this run **5 new docs:** - `docs/messagebus.md` — top-level entry point with a capability matrix (EXISTS / PARTIAL / MISSING) for every ask in this issue, each row backed by `crates/<crate>/<file>:<line>` citations. - `docs/state_persistence.md` — the model layer for everything we remember on disk. Documents the existing `DaemonState` (`priv_key.bin`, `config.toml`, `peers.toml`) and the proposed additions (`topics.toml`, `admin.toml`). Reuses engine `TopicConfig` directly as the on-disk shape; daemon-only `AdminConfig`. Atomic tmp+rename writes; RPC write-through rule. - `docs/admin.md` — distinguishes the existing UI-tier `ADMIN_SECRETS` IP whitelist (UI-only, IP-keyed) from the proposed daemon-level pubkey admin model. Authorize step in the dispatcher; `admin.list/add/remove` RPC; "implicit local admin" for the local UDS. - `docs/socket_proxy.md` — inbound `forward_socket` (existing) vs proposed outbound local-UDS → remote-topic proxy nested under `[topics.<name>]` in `topics.toml`. Disambiguates from the existing SOCKS5 proxy (`docs/proxy.md`). - `docs/e2e_messagebus_test.md` — 3-node test plan (`mycelium_network_test1..3`, `no_tun = true`). Phase A (basic messaging — achievable today), Phase B (admin management — blocked on admin model), Phase C (outbound socket — blocked on socket_proxy proposal), Phase D (restart persistence — blocked on persistence proposal). **4 docs updated:** - `docs/message.md` — added "Queue retention", "Reply correlation and timeouts" (with verified constants), "Limits and gaps", "See also". - `docs/topic_configuration.md` — added "Limits today" (subnet-only ACL), made `forward_socket` direction explicit (inbound only), added "Persistence" section, tidied stray triple-backticks. - `CLAUDE.md` — new "Message-bus surface" section linking to the five new docs. - `README.md` — new "Documentation" section linking to the five new docs. ### Key design decisions captured in the docs - **One consolidated `topics.toml` + one `admin.toml`** under `$MYCELIUM_STATE_DIR/`. Topic name is the natural primary key; per-topic subnet ACL, proposed pubkey ACL, inbound `forward_socket`, and proposed outbound socket all hang off the same topic. - **Reuse `mycelium_engine::message::topic::TopicConfig`** as the on-disk shape — it already derives serde, no DTO drift. - **`AdminConfig` lives in `mycelium_daemon`**, not the engine. Admin is an RPC-authorization concern, not a routing concern (matches `herolib_openrpc_authorize`). - **RPC write-through rule:** every mutating RPC updates the in-memory copy then calls `state.save_*()` before returning. Persist failure → return RPC error. - **Local UDS implicit-local-admin:** the local socket already has filesystem-permission gating; layering pubkey auth on top would be redundant. Pubkey admin gating applies to the message-bus path. ### Gap summary (capabilities missing today) - Per-topic **pubkey-keyed** whitelist (subnet-only today). - **Daemon-level admin authorization** (RPC is unauthenticated today; UI `ADMIN_SECRETS` is UI-only). - **Outbound** local-UDS → remote-topic proxy (only inbound `forward_socket` exists today). - **Persistence** of topic config and admin set across daemon restarts (only `priv_key.bin` / `config.toml` / `peers.toml` are persisted today). - **3-node e2e test** with admin and restart-persistence coverage (only a 2-node test exists today). - **Admin UI** for remote-node management. Each is documented with proposed RPC surface, on-disk shape, and architecture sketch — implementation is a separate run. ### Out of scope - No Rust changes (no engine, daemon, API, SDK, CLI, or UI source touched). - No new RPC methods wired up. - The misspelled crate path `crates/mycelum_messagebus/` is flagged in `messagebus.md` Notes; not renamed. - The legacy TCP JSON-RPC on port 8990 is unauthenticated; hardening it is called out in `admin.md` as a separate decision. ### Verification See the [verification report](https://forge.ourworld.tf/geomind_code/mycelium_network/issues/44) earlier in the thread — files, sizes, citation spot checks, and cross-link confirmation.

despiegk referenced this issue from a commit 2026-04-28 02:23:36 +00:00

docs(messagebus): document message-layer + gap analysis (#44)

despiegk commented 2026-04-28 09:10:51 +00:00

Author

Owner

Copy link

Implementation complete — six phases shipped

All deliverables from the spec earlier in this thread are now on development_crate_layout. Six commits, each green (cargo check --workspace clean, lib tests pass) before the next began.

Commits

Commit	Phase	Title
81e2bf4	1	feat(daemon): persist TopicConfig and AdminConfig under MYCELIUM_STATE_DIR
f7521f7	2	feat(message): pubkey-keyed per-topic ACL
eb11275	4	feat(daemon): outbound local-UDS to remote-topic proxy
8fd1902	3	feat(daemon): admin model and OpenRPC over the message bus
ef24b00	5	test(e2e): three-node messagebus-only Linux test
70b777a	6	feat(ui): admin tabs and remote management over the bus

(Phases were shipped in order 1, 2, 4, 3, 5, 6 — Phase 4 went before 3 because it is independent of the admin model and let us defer the harder design questions.)

What landed

Persistence (Phase 1) — Two new files alongside config.toml / peers.toml:

$MYCELIUM_STATE_DIR/
├── priv_key.bin      (existing)
├── config.toml       (existing)
├── peers.toml        (existing)
├── topics.toml       (NEW — full TopicConfig snapshot)
└── admin.toml        (NEW — AdminConfig)

DaemonState gains topics: TopicConfig + admin: AdminConfig fields with atomic save_topics() / save_admin(). Engine boot seeds Arc<RwLock<TopicConfig>> from disk. Every existing mutating topic RPC writes through to disk before returning; persist failure surfaces as RpcError::Domain { code: -32099 }. The engine's TopicConfig is reused directly as the on-disk shape — no DTO drift.

Pubkey ACL (Phase 2) — TopicWhitelistConfig gains pubkeys: Vec<PublicKey> next to subnets. A topic is allowed when EITHER the source IP matches a subnet entry OR the source pubkey matches a pubkey entry. New RPC: addTopicPubkeySource / removeTopicPubkeySource / getTopicPubkeySources. Wired through the SDK, CLI (topic pubkey-source), and the topics UI.

Outbound socket proxy (Phase 4) — Per-topic accept loop bound to a local UDS. Each accepted connection reads a request body to EOF, calls node.push_message(... subscribe_reply=true), awaits the reply watcher with a 5-minute timeout, writes the reply back, half-shuts. New OutboundSocketManager owns lifecycle (start / stop / shutdown / replay-on-boot from topics.toml). RPC: setTopicOutboundSocket / removeTopicOutboundSocket / getTopicOutboundSocket. UDS bind failure rolls back the engine state and returns -32030 outbound_socket_bind_failed. Stale socket files are cleaned on bind and on listener exit.

Admin model + bus RPC (Phase 3) — Reserved topic mycelium.admin carries raw JSON-RPC 2.0 requests; the receiver dispatches them through the same MyceliumRpc impl with a bus-aware authorizer. Caller identity = sender pubkey from ReceivedMessage.src_pk. New AuthorizeMethod trait with authorize + check_lockout hooks; dispatch_with_auth wraps the existing dispatch. Local UDS / TCP keep using the no-op authorizer (implicit-local-admin); the bus path uses BusAuthorizerSnapshot which checks AdminConfig.allow(...) against method_patterns (default-deny — empty patterns reject every bus call). Lockout protection refuses admin.remove over the bus when the caller is the only admin; UDS keeps the freedom to wipe locally. RPC surface: admin.list / admin.add / admin.remove / admin.getMethodPatterns / admin.setMethodPatterns. CLI: mycelium_cli admin {list,add,remove,patterns,call}.

Three-node e2e (Phase 5) — crates/mycelium_e2e/tests/three_node_linux.rs with four cases:

• basic_three_way_messaging — triangle peering, push/pop across all three pairs.
• pubkey_acl_three_nodes — node 1 with a pubkey-only whitelist for node 3; node 3 messages succeed, node 2 messages drop.
• admin_over_bus_three_nodes — node 1 admins node 3; node 3's bus addTopic succeeds, node 2's returns -32001.
• restart_persistence_three_nodes — configures default action + topic + subnet + pubkey + forward_socket + outbound_socket + admin entry, kills node, re-spawns against the same MYCELIUM_STATE_DIR, asserts every setting survived.

Helpers were factored into tests/common/mod.rs (332 lines) shared by both two-node and three-node tests. Linux-gated; macOS compiles to empty modules.

Admin UI (Phase 6) — Two new tabs in admin.html:

• Daemon admins — list / add / remove admin_pubkeys; edit method_patterns as one-pattern-per-line textarea.
• Remote management — destination input (auto-detects IPv6 vs hex pubkey), method input with autocomplete suggestions, JSON params textarea, timeout. Send button calls admin.busCall via the existing /rpc proxy and pretty-prints the JSON-RPC reply.

The new daemon RPC admin.busCall(dst_pubkey, dst_ip, method, params, id?, timeout_secs?) is the primitive that powers the Remote management tab; it's also useful for scripting (the CLI's admin call from Phase 3 uses the same shape).

Tests

• cargo test --workspace --lib: 102 tests pass across mycelium_engine (83), mycelium_daemon (14), mycelium_api (4), mycelium_sdk (1).
• cargo check --workspace --tests: clean. Two- and three-node Linux e2e binaries compile on macOS as empty modules; run on Linux with cargo test -p mycelium_e2e.

Open follow-ups (not gating the issue)

• The legacy TCP JSON-RPC on port 8990 remains implicit-local-admin (same trust as the local UDS). Hardening it is a separate decision noted in docs/admin.md.
• The misspelled crate path crates/mycelum_messagebus/ is still flagged for a rename in docs/messagebus.md Notes.
• admin.busCall itself is implicit-local-admin (anyone with UDS access can use it to drive remote nodes). Not gated further; documented as such on the trait method.

Documentation

The doc commits (02a0876) earlier in this thread are still accurate; the proposal language in docs/admin.md, docs/socket_proxy.md, docs/state_persistence.md and docs/e2e_messagebus_test.md describes what these commits implement. A doc refresh that flips "proposed" → "implemented" wherever it applies is a small follow-up — easy to do in a single pass once you confirm the implementation matches the design.

## Implementation complete — six phases shipped All deliverables from the spec earlier in this thread are now on `development_crate_layout`. Six commits, each green (`cargo check --workspace` clean, lib tests pass) before the next began. ### Commits | Commit | Phase | Title | |---|---|---| | `81e2bf4` | 1 | feat(daemon): persist TopicConfig and AdminConfig under MYCELIUM_STATE_DIR | | `f7521f7` | 2 | feat(message): pubkey-keyed per-topic ACL | | `eb11275` | 4 | feat(daemon): outbound local-UDS to remote-topic proxy | | `8fd1902` | 3 | feat(daemon): admin model and OpenRPC over the message bus | | `ef24b00` | 5 | test(e2e): three-node messagebus-only Linux test | | `70b777a` | 6 | feat(ui): admin tabs and remote management over the bus | (Phases were shipped in order 1, 2, 4, 3, 5, 6 — Phase 4 went before 3 because it is independent of the admin model and let us defer the harder design questions.) ### What landed **Persistence (Phase 1)** — Two new files alongside `config.toml` / `peers.toml`: ``` $MYCELIUM_STATE_DIR/ ├── priv_key.bin (existing) ├── config.toml (existing) ├── peers.toml (existing) ├── topics.toml (NEW — full TopicConfig snapshot) └── admin.toml (NEW — AdminConfig) ``` `DaemonState` gains `topics: TopicConfig` + `admin: AdminConfig` fields with atomic `save_topics()` / `save_admin()`. Engine boot seeds `Arc<RwLock<TopicConfig>>` from disk. Every existing mutating topic RPC writes through to disk before returning; persist failure surfaces as `RpcError::Domain { code: -32099 }`. The engine's `TopicConfig` is reused directly as the on-disk shape — no DTO drift. **Pubkey ACL (Phase 2)** — `TopicWhitelistConfig` gains `pubkeys: Vec<PublicKey>` next to `subnets`. A topic is allowed when EITHER the source IP matches a subnet entry OR the source pubkey matches a pubkey entry. New RPC: `addTopicPubkeySource` / `removeTopicPubkeySource` / `getTopicPubkeySources`. Wired through the SDK, CLI (`topic pubkey-source`), and the topics UI. **Outbound socket proxy (Phase 4)** — Per-topic accept loop bound to a local UDS. Each accepted connection reads a request body to EOF, calls `node.push_message(... subscribe_reply=true)`, awaits the reply watcher with a 5-minute timeout, writes the reply back, half-shuts. New `OutboundSocketManager` owns lifecycle (start / stop / shutdown / replay-on-boot from `topics.toml`). RPC: `setTopicOutboundSocket` / `removeTopicOutboundSocket` / `getTopicOutboundSocket`. UDS bind failure rolls back the engine state and returns `-32030 outbound_socket_bind_failed`. Stale socket files are cleaned on bind and on listener exit. **Admin model + bus RPC (Phase 3)** — Reserved topic `mycelium.admin` carries raw JSON-RPC 2.0 requests; the receiver dispatches them through the same `MyceliumRpc` impl with a bus-aware authorizer. Caller identity = sender pubkey from `ReceivedMessage.src_pk`. New `AuthorizeMethod` trait with `authorize` + `check_lockout` hooks; `dispatch_with_auth` wraps the existing `dispatch`. Local UDS / TCP keep using the no-op authorizer (implicit-local-admin); the bus path uses `BusAuthorizerSnapshot` which checks `AdminConfig.allow(...)` against `method_patterns` (default-deny — empty patterns reject every bus call). Lockout protection refuses `admin.remove` over the bus when the caller is the only admin; UDS keeps the freedom to wipe locally. RPC surface: `admin.list / admin.add / admin.remove / admin.getMethodPatterns / admin.setMethodPatterns`. CLI: `mycelium_cli admin {list,add,remove,patterns,call}`. **Three-node e2e (Phase 5)** — `crates/mycelium_e2e/tests/three_node_linux.rs` with four cases: - `basic_three_way_messaging` — triangle peering, push/pop across all three pairs. - `pubkey_acl_three_nodes` — node 1 with a pubkey-only whitelist for node 3; node 3 messages succeed, node 2 messages drop. - `admin_over_bus_three_nodes` — node 1 admins node 3; node 3's bus addTopic succeeds, node 2's returns -32001. - `restart_persistence_three_nodes` — configures default action + topic + subnet + pubkey + forward_socket + outbound_socket + admin entry, kills node, re-spawns against the same `MYCELIUM_STATE_DIR`, asserts every setting survived. Helpers were factored into `tests/common/mod.rs` (332 lines) shared by both two-node and three-node tests. Linux-gated; macOS compiles to empty modules. **Admin UI (Phase 6)** — Two new tabs in `admin.html`: - **Daemon admins** — list / add / remove `admin_pubkeys`; edit `method_patterns` as one-pattern-per-line textarea. - **Remote management** — destination input (auto-detects IPv6 vs hex pubkey), method input with autocomplete suggestions, JSON params textarea, timeout. Send button calls `admin.busCall` via the existing `/rpc` proxy and pretty-prints the JSON-RPC reply. The new daemon RPC `admin.busCall(dst_pubkey, dst_ip, method, params, id?, timeout_secs?)` is the primitive that powers the Remote management tab; it's also useful for scripting (the CLI's `admin call` from Phase 3 uses the same shape). ### Tests - `cargo test --workspace --lib`: **102 tests pass** across mycelium_engine (83), mycelium_daemon (14), mycelium_api (4), mycelium_sdk (1). - `cargo check --workspace --tests`: clean. Two- and three-node Linux e2e binaries compile on macOS as empty modules; run on Linux with `cargo test -p mycelium_e2e`. ### Open follow-ups (not gating the issue) - The legacy TCP JSON-RPC on port 8990 remains implicit-local-admin (same trust as the local UDS). Hardening it is a separate decision noted in `docs/admin.md`. - The misspelled crate path `crates/mycelum_messagebus/` is still flagged for a rename in `docs/messagebus.md` Notes. - `admin.busCall` itself is implicit-local-admin (anyone with UDS access can use it to drive remote nodes). Not gated further; documented as such on the trait method. ### Documentation The doc commits (`02a0876`) earlier in this thread are still accurate; the proposal language in `docs/admin.md`, `docs/socket_proxy.md`, `docs/state_persistence.md` and `docs/e2e_messagebus_test.md` describes what these commits implement. A doc refresh that flips "proposed" → "implemented" wherever it applies is a small follow-up — easy to do in a single pass once you confirm the implementation matches the design.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

development_crate_layout

development_hero

vsock_support

aidl_experimentation

feature/build-scripts-readme

master_peers

peter-patch-1

master_fix_dns_forward

development

async_route_lookup

main-integration

v0.7.6

v0.7.5

v0.7.4

v0.7.3

v0.7.2

v0.7.1

v0.7.0

v0.6.2

v0.6.1

v0.6.0

v0.5.7

v0.5.6

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.2

v0.3.1

v0.3.0

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

v0.0.2

v0.0.1

Labels

Clear labels   

Urgent

No labels

Urgent

Milestone

Clear milestone

No items

No milestone

now

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

geomind_code/mycelium_network#44

No description provided.