m/rdp-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
26cb65e93660beb78b1fea8f8e7fb868ee90d7ef
rdp-proxy/CODEX_CONTEXT.md
T
m 8f69d53193 Record project continuation changes
2026-05-12 21:02:29 +03:00

2761 lines
184 KiB
Markdown
Raw Blame History

# CODEX CONTEXT
## Project identity
This project is a production-grade distributed secure access platform.
It started as a custom RDP proxy with persistent server-side sessions, but the final target architecture is broader:
- distributed secure access fabric
- multi-tenant platform
- session broker for GUI and future non-GUI protocols
- cluster mesh of nodes
- connector/VPN layer
- customer-managed and platform-managed nodes
- node-agent based self-update / rollback / health supervision
## Product architecture rule: VPN and Remote Workspace are separate products/layers
Do not merge VPN/IP tunnel work with Remote Workspace / remote desktop work.
- VPN is a universal network-layer IP tunnel. It carries any traffic generated
by a phone, Windows PC, Linux host, or other client device: HTTP, DNS, ping,
RDP clients, SSH clients, SMB, business apps, and future protocols. VPN must
stay protocol-agnostic and must not contain remote-desktop-specific logic.
- Remote Workspace is an application/session-layer service. The client talks to
RAP using RAP's own client protocol. RAP workers/connectors then talk to the
target server using protocol adapters such as RDP, SSH, VNC, or future
adapters, convert screen/input/clipboard/files/audio/control into RAP's
format, and render it in the RAP client.
- VPN optimization work must focus on generic data-plane transport,
full-tunnel/split-tunnel routing, DNS, MTU/MSS, QoS, NAT traversal, direct
UDP/QUIC transport, fallback relay, diagnostics, and stability for arbitrary
traffic.
- Remote Workspace optimization work must focus on server catalog, session
broker, workers/connectors, protocol adapters, RAP client protocol, separate
connection windows, rendering/input/clipboard/file/audio behavior, and
user-facing remote-workspace UX.
- Both VPN and Remote Workspace must consume the shared Fabric Service Channel
runtime. Control/API traffic may use backend/admin ingress, but working
service data must use the fabric channel whenever available. Backend relay is
a compatibility/degraded fallback, not the production steady-state.
- The accepted service-channel direction is documented in
`docs/architecture/FABRIC_SERVICE_CHANNEL_RUNTIME.md`: a service requests a
channel with entry pool, exit pool, roles, service class, channel classes,
QoS and failover policy; the fabric selects the fastest healthy route and
rebuilds it on failure. Protocol-specific services must not reimplement this
transport.
- Current implementation: backend issues `rap.fabric_service_channel_lease.v1`
leases and embeds them in VPN client profiles. Leases include
cluster-authority-signed `rap.fabric_service_channel_lease_authority.v1`
payloads that bind token hash, selected route, generation, fencing epoch, and
expiry, plus a signed `data_plane` contract declaring that working data uses
the Fabric Service Channel over fabric routes while backend relay is only an
explicit degraded/disabled fallback policy. `rap-node-agent` accepts the
first VPN packet service-channel entry
endpoint under
`/api/v1/clusters/{cluster_id}/fabric/service-channels/{channel_id}/vpn-connections/{resource_id}/packets`
plus `/packets/ws`. The endpoint validates the signed or introspected
data-plane contract, applies the preferred fabric route, uses the existing
production `vpn_packet` fabric route, reports contract adoption in heartbeat
access telemetry, and refuses backend relay when the contract disables it.
Backend access telemetry and web-admin now show data-plane adoption,
working/steady-state transport, backend relay policy, data-plane mode, and
logical flow mode at cluster/node/channel levels. The next slice is explicit
route/fallback violation incidents from that telemetry, plus client
consumption of the lease endpoint template.
## Current proven foundation
The current codebase already proved the most risky low-level lifecycle assumptions for RDP:
- real FreeRDP connect works
- session state transitions to active work
- terminate works
- detach works without killing the remote session
- reattach works without recreating the remote session
- takeover works without recreating the remote session
- per-resource certificate verification policy exists
- `certificate_verification_mode = strict | ignore`
- `strict` is default
- `ignore` works on a per-resource basis
- worker build is reproducible
- backend build is reproducible
This proven lifecycle must NOT be broken by future architecture work.
## Current architecture baseline
Current audit and baseline snapshot:
- `docs/audits/PROJECT_AUDIT_2026-04-26.md`
- `docs/audits/CURRENT_BASELINE_MATRIX.md`
### Test environment
- Canonical test Docker host: `192.168.200.61`
- Canonical Docker context: `test-ubuntu`
- Canonical SSH alias: `docker-test`
- Current external control-plane endpoint for remote/offsite node enrollment:
`http://94.141.118.222:19191` / `http://vpn.cin.su:19191`.
- Current port forward: `94.141.118.222:19191` -> `192.168.200.61:18080`.
- For offsite Windows/Linux nodes, install profiles should use:
`http://vpn.cin.su:19191/api/v1` as control-plane endpoint and
`http://vpn.cin.su:19191/downloads` as artifact endpoint unless the user
explicitly chooses the raw IP endpoint.
- Backend API for local/client smoke runs: `http://192.168.200.61:8080/api/v1`
- WebSocket gateway for local/client smoke runs: `ws://192.168.200.61:8080/api/v1/gateway/ws`
- Stage C17 planning is completed.
- C17A synthetic mesh runtime skeleton is implemented and test-proven in
`rap-node-agent` only. It is disabled by default and carries synthetic
`fabric.probe` / `fabric.probe_ack` messages only.
- C17B route health and failover probes are implemented and test-proven in
`rap-node-agent` only. They are disabled by default and carry synthetic
`fabric.route_health` / `fabric.route_health_ack` messages only.
- C17C relay semantic hardening is implemented and test-proven in
`rap-node-agent` only. It is disabled by default and models synthetic
per-channel queues/QoS/backpressure only.
- C17D non-production test-service path is implemented and test-proven in
`rap-node-agent` only. It is disabled by default and carries only bounded
`synthetic.echo` test payloads.
- C17E/C17F/C17G are implemented and proven for live synthetic HTTP transport,
scoped synthetic route config, and Control Plane scoped synthetic config
consumption.
- C17H deployed multi-agent synthetic config smoke is runtime-proven on
`docker-test`: five running `rap-node-agent` containers consume
backend-issued node-scoped synthetic config, direct and single-relay
synthetic route-health observations return to the Control Plane, and
production forwarding remains disabled.
- C17I production forwarding gate foundation is implemented and test-proven:
`rap-node-agent` has an explicit production-forwarding gate, while
`/mesh/v1/forward` still refuses production payload forwarding until a later
approved runtime stage.
- C17J production envelope contract is implemented and test-proven:
`/mesh/v1/forward` validates route-bound production envelopes for
`fabric_control` / `fabric.control` only when the gate is enabled, rejects
service channels, and still refuses production forwarding.
- C17K production envelope observation is implemented and test-proven:
valid accepted envelopes can be observed locally as metadata-only records
after validation; rejected envelopes are not observed, observation failure
fails closed, and production forwarding remains unavailable.
- C17L bounded production observation sink is implemented and test-proven:
accepted metadata-only observations can be retained locally with fixed
capacity, oldest-entry drop behavior, and no payload body storage.
- C17M production observation sink wiring is implemented and test-proven:
node-agent can wire the bounded local metadata-only sink when
`RAP_MESH_PRODUCTION_OBSERVATION_SINK_CAPACITY` is explicitly greater than
zero; the wiring is disabled by default and exposes no read API.
- C17N production observation sink metrics are implemented and test-proven:
local sink metrics expose only capacity, current depth, accepted total, and
dropped-oldest total; they expose no observation records or payload metadata.
- C17O production observation sink local metrics logging is implemented and
test-proven: node-agent logs aggregate sink metrics locally when the sink is
explicitly enabled; no read API or Control Plane reporting is added.
- C17P production observation sink change-driven metrics logging is implemented
and test-proven: node-agent suppresses repeated identical local sink metrics
logs; no read API or Control Plane reporting is added.
- C17Q production forwarding gate/runtime log boundary is implemented and
test-proven: node-agent logs production forwarding gate state separately from
production forwarding runtime state. Runtime state remained false until
C17Z introduced gate-controlled `fabric.control` direct forwarding.
- C17R production observation sink capacity guard is implemented and
test-proven: `RAP_MESH_PRODUCTION_OBSERVATION_SINK_CAPACITY` is rejected
above `10000`.
- C17S production observation panic fail-closed hardening is implemented and
test-proven: observer errors and observer panics both fail closed as
observation failure.
- C17T production envelope payload boundary is implemented and test-proven:
validated production `fabric.control` envelope payloads are bounded to
`4096` bytes and oversized envelopes are rejected before observation.
- C17U production envelope created-at skew boundary is implemented and
test-proven: validated production `fabric.control` envelopes whose
`created_at` is more than one minute in the future are rejected before
observation.
- C17V peer endpoint candidate model is implemented and test-proven:
node-scoped synthetic mesh config now carries route-scoped endpoint
candidates with transport, address, reachability, NAT type, connectivity
mode, priority, policy tags, verification time, and metadata. This is a
model/config boundary only; no production route scoring, NAT traversal,
shortcut routing, or forwarding runtime is implemented.
- C17W peer endpoint candidate scoring model is implemented and test-proven:
`rap-node-agent` can rank already-scoped endpoint candidates using soft
inputs such as transport, reachability, connectivity mode, NAT type,
priority, region, policy tags, channel class, and verification age. This is
a scoring helper only; it does not open connections, choose production
routes, or forward payloads.
- C17X health-aware endpoint candidate scoring overlay is implemented and
test-proven: endpoint candidate scoring can optionally use local health
observations keyed by `endpoint_id`, including latency, success/failure
history, recent failure reason, reliability score, and observation freshness.
This remains advisory scoring only and is not wired into production route
execution.
- C17Y Platform Owner synthetic mesh visibility is implemented and
build/test-proven: `web-admin` reads node-scoped synthetic mesh config and
shows config enabled state, route counts, peer endpoints, endpoint
candidates, C17X advisory scoring boundary, and `production_forwarding`.
This remains platform-owner visibility only and does not enable production
forwarding.
- C17Z production fabric-control direct forwarding boundary is implemented and
test-proven: when `RAP_MESH_PRODUCTION_FORWARDING_ENABLED=true`,
`/mesh/v1/forward` can deliver valid route-bound `fabric.control` envelopes
at the local destination or forward them to a direct next hop from explicit
peer endpoint config. Service channels, arbitrary relay forwarding,
multi-hop production route execution, and RDP/VPN/file/video/service payloads
remain unavailable.
- C17Z1 production fabric-control multi-hop route-path boundary is implemented
and test-proven: production `fabric.control` envelopes can carry
`route_path` and `visited_node_ids`; relay nodes validate path position,
forward only to the next path node, update TTL/hop/visited metadata, and
reject loops. Service payloads remain unavailable.
- C17Z2 production fabric-control forwarding observability boundary is
implemented and test-proven: node-agent emits local
`mesh_production_forward_event` logs for accepted, forwarded, delivered, and
rejected production `fabric.control` envelopes. Logs are metadata-only and
include no payload bodies or read API.
- C17Z3 production fabric-control route-config boundary is implemented and
test-proven: when scoped/control-plane mesh routes are available locally,
production `fabric.control` envelopes must match configured route_id/path/
next-hop/channel/expiry/TTL/hop limits before forwarding.
- C17Z4 scoped peer directory and recovery seeds boundary is implemented and
test/build-proven: node-scoped mesh config carries scoped `peer_directory`
and explicit bounded `recovery_seeds`; node-agent parses/validates them and
web-admin shows counts.
- C17Z5 node-agent peer cache runtime boundary is implemented and test-proven:
node-agent builds a local `PeerCache`, selects bounded warm peers, probes warm
peers with `/mesh/v1/health`, and reports metadata-only mesh-link
observations when synthetic mesh testing is enabled.
- C17Z6 dynamic endpoint reporting boundary is implemented and test-proven:
node-agent reports explicit advertised mesh endpoint metadata in heartbeat,
and Control Plane projects latest reported endpoints/candidates into
node-scoped synthetic mesh config.
- C17Z7 private/corporate endpoint candidate boundary is implemented and
test-proven: node-agent reports multiple advertised endpoint candidates,
scoring rewards private/corporate same-site candidates, and peer cache can
use the best candidate address for warm health.
- C17Z8 peer connection state machine boundary is implemented and test-proven:
node-agent tracks warm-peer states `disconnected`, `connecting`, `ready`,
`degraded`, and `backoff`, with bounded backoff after repeated health probe
failures.
- C17Z9 peer recovery planner boundary is implemented and test-proven:
node-agent targets a bounded stable ready-peer set, enters recovery when
ready peers fall below target, and selects bounded recovery probes from warm
peers, recovery seeds, and other connectable scoped peers.
- C17Z10 peer connection intent planner boundary is implemented and
test-proven: node-agent classifies bounded peer work as maintain/probe/
recover and classifies transport readiness as direct/private_lan/
corporate_lan/outbound_only/relay_required, with rendezvous-required
metadata only.
- C17Z11 peer connection manager runtime boundary is implemented and
test-proven: node-agent uses a reusable HTTP keep-alive client for real
control-plane health probes of direct/private/corporate peers and records
`waiting_rendezvous` for outbound-only/relay-required peers.
- C17Z12 rendezvous/relay control-plane contract is implemented and
docker-test-runtime-proven: backend issues node-scoped `rendezvous_leases`,
node-agent resolves matching `waiting_rendezvous` intents into
`relay_control`, probes relay `/mesh/v1/health`, records and maintains
`relay_ready`, and keeps service payload forwarding disabled.
- C17Z13 rendezvous lease telemetry is implemented and
docker-test-runtime-proven: node-agent reports
`mesh_rendezvous_lease_report` with relay admission, peer admission,
TTL/renewal posture, `relay_ready`, and explicit no-payload boundary flags;
web-admin shows `rv leases` in recent heartbeat tables.
- C17Z14 rendezvous lease refresh contract is implemented and
docker-test-runtime-proven: node-agent refreshes renewal-needed/stale
rendezvous leases through node-scoped synthetic config reload, updates the
running peer cache/route/lease state, and reports refresh plus stale relay
withdrawal/reselection telemetry. Service payload forwarding remains
unavailable.
- C17Z15 backend relay replacement policy is implemented and
docker-test-runtime-proven: backend consumes recent stale-relay heartbeat
feedback, withdraws stale explicit rendezvous leases, scores alternate relay
candidates from route adjacency, endpoint priority, policy tags, and recent
mesh-link health, and returns replacement leases plus
`rendezvous_relay_policy` decisions in node-scoped synthetic config.
Node-agent reports `c17z15.mesh_rendezvous_lease_report.v1` and keeps stale
state scoped to the exact lease/relay, so replacement leases for the same
peer are not marked stale by association. Service payload forwarding remains
unavailable.
- C17Z16 route/path decision artifact is implemented and
docker-test-runtime-proven: backend `c17z16.synthetic.v1` config includes
`route_path_decisions` with original hops, effective hops, local previous/
next hop, selected replacement relay, generation, score reasons, and
no-payload boundary flags. Node-agent stores the control-plane route
generation and reports `c17z16.mesh_route_path_decision_report.v1` plus
`c17z16.mesh_rendezvous_lease_report.v1`. Service payload forwarding remains
unavailable.
- C17Z17 node-side route generation tracker is implemented and
docker-test-runtime-proven: backend `c17z17.synthetic.v1` config and
node-agent `mesh_route_generation_report` track active/applied/unchanged/
withdrawn route decisions, generation changes, total counters, and
`withdrawn_by_replacement` records for stale relay paths when replacement is
first observed. Service payload forwarding remains unavailable.
- C17Z18 synthetic route-health effective path runtime is implemented and
docker-test-runtime-proven: backend `c17z18.synthetic.v1` config and
node-agent `mesh_route_health_config_report` apply Control Plane
`route_path_decisions` to synthetic route-health route config only. The
synthetic runtime probes selected effective paths through replacement relays,
reports expected/observed hops and drift state, and backend latest mesh links
preserve route-health observations separately from connection-manager
observations. Service payload forwarding remains unavailable.
- C17Z19 synthetic route-health feedback scoring is implemented and
docker-test-runtime-proven: backend consumes recent `synthetic_route_health`
observations in relay scoring, uses drift/unreachable/failure metadata to
mark the exact selected relay stale, boosts healthy low-latency relay
candidates, and returns replacement leases/route decisions through the
existing synthetic config contract. Migration `000022` adds the `synthetic`
mesh service class. Service payload forwarding remains unavailable.
- C17Z20 node-side route-health feedback refresh is implemented and
docker-test-runtime-proven: after reporting synthetic route-health
drift/unreachable/failure, node-agent performs a bounded node-scoped
synthetic-config refresh, applies returned replacement route decisions to
route-health config immediately, and reports
`c17z20.mesh_route_health_feedback_refresh_report.v1`. Service payload
forwarding remains unavailable.
- C17Z21 offsite control-plane bootstrap relay and Windows updater foundation
are implemented and docker-test/runtime-proven: backend exposes
`/mesh/v1/health` through the admin/nginx control-plane origin and issues
control-plane-only bootstrap rendezvous leases for outbound-only nodes using
their reported public control-plane URL. Remote Windows node
`ifcm-rufms-s-mo1cr` resolved 3/3 peers to `relay_ready` through
`http://94.141.118.222:19191`, while service/RDP/VPN payload forwarding
remains disabled. Release `0.1.3` is published for Docker and Windows
`windows_service` artifacts, and `install-windows` now installs a
per-node Scheduled Task updater for future Windows node-agent updates.
- C17Z22 updater observability and Windows host-agent self-update staging are
implemented and test-proven: `rap-host-agent` reports `phase=plan`,
`status=noop` for already-current/no-op plans, update state is scoped per
product so `rap-node-agent` and `rap-host-agent` do not overwrite each
other's current version, and the Windows updater wrapper runs short
one-shot cycles that can apply staged `rap-host-agent.exe.next` before the
next update check. Release `rap-host-agent 0.1.3` is published for
`linux_binary` and `windows_binary`; Docker updater containers on
`test-1/2/3` report no-op plans.
- Installation Authority foundation is implemented: production requires strict
Product Root public key config, first-owner bootstrap uses signed Ed25519
activation manifests, `installation_authority` and signed
`platform_role_grants` are persisted, and strict platform-admin checks ignore
direct `users.platform_role` database edits without a valid signed grant.
Web-admin exposes installation status/first-owner bootstrap, and
`scripts/installation/product-root-tool.go` generates keys/manifests for
offline product-root operations.
- Cluster Authority and node enrollment bootstrap are docker-test lifecycle
smoke-proven in run `dev-bootstrap-20260428-201430`: a fresh dev install
bootstrapped the first owner, created a cluster, issued a signed join token,
accepted real `rap-node-agent` enrollment, owner-approved the join request,
agent-polled signed bootstrap, persisted cluster authority pin, heartbeated,
and verified signed `c17z18.synthetic.v1` Control Plane config. Production
service payload forwarding remains unavailable.
- Migration `000021_cluster_authority_keys` drops/recreates
`cluster_admin_summaries` because fresh replay proved PostgreSQL cannot
change that view layout via `CREATE OR REPLACE VIEW`.
- `rap-node-agent` desired-workload polling/status reporting is gated by
`RAP_WORKLOAD_SUPERVISION_ENABLED=false` by default while service runtime
supervision remains a stub.
- C18 VPN/IP tunnel service target design is completed as documentation only.
- C18A VPN/IP tunnel control-plane data model foundation is implemented and
backend-test-proven.
- C18B VPN/IP tunnel lease/fencing hardening is implemented and
backend-test-proven.
- C18C VPN/IP tunnel node-agent desired-state consumption/reporting is
implemented and backend-test-proven.
- No next platform-core implementation step is automatically authorized after
C17Z20. The next mesh layer should stay limited to route-health feedback
refresh dampening/no-change cooldown unless the user explicitly chooses
another staged task.
- Latest RDP performance reference image:
`rap-rdp-worker:rdp-perf6-dirty-region`
- Stage 5.2 file-download runtime artifacts remain preserved for when RDP work
resumes, but they are not the active next task.
- Do not use `docker.cin.su` for this project unless explicitly requested for a separate one-off check.
### Backend
- Go
- PostgreSQL = source of truth
- Redis = live coordination / routing only
- REST for control plane
- WebSocket for live session channel
### Worker
- C++ worker
- FreeRDP integration
- worker runtime hides FreeRDP details from backend
- The C++ worker remains the primary RDP runtime.
- Target RDP performance direction: `docs/architecture/RDP_SERVICE_CPP_PERFORMANCE_TARGET.md`.
- The RDP performance rewrite scope is limited to C++ RDP service adapter
internals. It must not redesign backend control plane, cluster transport,
organizations, leases, or session lifecycle.
- The C# RDP service skeleton is inactive research scaffolding and is not the
current runtime direction.
- Current RDP Adapter baseline: RDP-Perf-6 dirty-region direct binary rendering
is completed and smoke-proven on `docker-test`. RDP work is paused by product
decision; next active work is Fabric Core / cluster foundation.
- P3/P3.1 security-readiness foundation exists: production mode rejects
plaintext credential-like resource metadata, requires `secret_ref` for
RDP/VNC/SSH resources, and has an encrypted PostgreSQL-backed resource secret
storage/resolver MVP. P3.2 direct-worker TLS/PKI guard exists.
- P3.3 production-like test-stand smoke is complete on `docker-test`: backend
runs in `APP_ENV=production` with a test-only secret key file, a secret-backed
RDP resource starts real sessions through the resolver path, metadata/audit do
not contain plaintext credentials, and backend gateway fallback remains
available when direct worker WSS trust is `smoke_insecure`.
- P3.4 production direct-worker WSS trust model is documented in
`docs/architecture/PRODUCTION_DIRECT_WORKER_WSS_TRUST.md`; it defines
platform CA/public CA behavior, worker certificate SAN/identity requirements,
app-local Windows trust direction, rotation/revocation, and the future
`platform_ca` smoke plan. No RDP runtime behavior changed in P3.4.
- P3.5 app-local platform CA trust is implemented and runtime-proven on
`docker-test`: Windows client validates direct worker WSS with an app-local
platform CA bundle, keeps hostname/SAN validation enabled, selects
`direct_worker_wss` without insecure TLS bypass, and falls back to backend
gateway for unknown CA / smoke-only production cases.
- P3.6 stale Redis worker/live event idempotency is implemented and
runtime-proven: stale worker events for terminal PostgreSQL sessions are
ignored, backend restart survives stale Redis events, and terminal sessions
are not reopened.
- Stage 5.2 server-to-client file download core data path is runtime-proven:
direct worker WSS and backend gateway fallback both download text/binary
files from `RAP_Transfers\ToClient` with matching size/hash, and direct
policy blocking is proven for `disabled` and `client_to_server`. Lifecycle
blocking is also runtime-proven for detach, old-client takeover, and worker
failure. Runtime report:
`artifacts/stage5-2-file-download-runtime-report.md`.
- Stage 5.2 is not fully accepted yet. Remaining proof: Windows desktop UI
download path and regression matrix for rendering/input/clipboard/upload/
reconnect/takeover.
### Clients
- future native clients:
- Windows: native desktop client first
- Linux: native desktop client later
- web UI is admin/control plane, not the primary power-user client
## Final architecture direction
The long-term target architecture is documented in:
- `docs/architecture/SECURE_ACCESS_FABRIC_TARGET.md`
- `docs/architecture/CLUSTER_NODE_ADMIN_FOUNDATION.md`
- `docs/architecture/WEB_INGRESS_AND_ADMIN_UI_MODEL.md`
This document defines the target Secure Access Fabric architecture only. It is not the current implementation scope and must not be used as permission to start mesh, VPN, multi-cluster, updater, or realtime data-plane migration work without an explicit staged prompt.
`CLUSTER_NODE_ADMIN_FOUNDATION.md` defines the next platform-core planning
baseline for clusters, node enrollment, native node-agent identity, platform
admin console, multi-cluster administration, and future organization admin
visibility. It is a staged foundation document, not permission to implement
mesh packet routing or VPN runtime.
`WEB_INGRESS_AND_ADMIN_UI_MODEL.md` defines WEB as HTTP/HTTPS ingress and
Admin UI presentation only. Cluster configuration remains Control Plane
ownership through scoped APIs, PostgreSQL source-of-truth mutations, and audit.
Dynamic pages must be safe schema-driven projections and must not embed
internal topology, peer caches, route caches, secrets, raw credentials, or
arbitrary executable code.
Admin endpoint placement is explicit. Fabric Storage / Config Storage nodes do
not automatically host or move the cluster panel. Platform Owner Console
remains global platform-owner scope. Cluster Admin Endpoint requires explicit
admin/web ingress role assignment, cluster health/trust readiness, and Control
Plane authorization. Organization Admin Panel remains a tenant-safe projection.
The final platform must support:
1. Multi-tenancy / Organizations
- platform has many organizations
- each organization has isolated users, groups, resources, policies, audit, connectors
- users may belong to multiple organizations
- organization admins only see their organization
- platform admins see platform scope
2. Identity federation
- local users
- LDAP / Active Directory
- OIDC
- future extensibility for more identity sources
- access mappings based on external groups / claims
3. Cluster of nodes
- no mandatory single central node
- many nodes across many sites
- nodes can be platform-managed or customer-managed
- customer-managed nodes are sandboxed cluster participants, not full cluster owners
4. Node agent
- small stable always-running agent on every node
- supervises services
- downloads updates
- verifies signed artifacts
- can rollback to previous version
- can restart crashed services
- can work on thin or thick nodes
5. Service-based node model
Each node is not monolithic.
A node has:
- capabilities: what it can do physically/technically
- enabled services: what it is allowed/assigned to do
Possible services include:
- ingress-gateway
- mesh-router
- relay
- connector-host
- vpn-adapter
- session-worker
- media-relay
- file-relay
- update-cache
- config-replica
- audit-sink
- metrics-exporter
6. Cluster mesh and routing
- encrypted inter-node communication
- dynamic topology
- no need for full mesh
- multi-hop routing allowed
- route failover
- client failover between ingress nodes
- connector failover between nodes
7. Split-brain prevention
- quorum-based cluster behavior
- minority partition must not become a second authoritative cluster
- degraded / recovery / isolated modes
- manual recovery / promote decision by platform recovery admin
8. Connector / VPN layer
- connectors are reusable network access methods
- one connector may be used by multiple resources
- connector placement and failover are controlled by policy
- nodes may be allowed or disallowed to host connectors
- direct access, VPN, relay and future egress modes must fit this model
9. Future exit mode
- split tunnel
- full tunnel
- internet access through cluster
- not first implementation priority
## Non-negotiable design rules
- Do not rewrite proven session lifecycle carelessly.
- Do not turn Redis into a source of truth.
- Do not make certificate-ignore a global worker setting.
- Do not make customer-managed nodes platform-wide trusted by default.
- Do not create a separate cluster per organization.
- Do not assume a single permanently reachable central node.
- Do not rely on “secret protocol with no docs” as security.
- Security must come from crypto, auth, isolation, policy and observability.
- Prefer incremental evolution from current proven system.
- Do not collapse platform control plane and data plane into one vague layer.
## Implementation strategy
The codebase must evolve in phases.
Current implementation focus remains:
- RDP work is paused by product decision
- preserve the accepted RDP Adapter baseline and Stage 5.x file-transfer work
- do not delete or rewrite the current RDP MVP while platform-core work starts
- C1-C9 platform-core foundations are implemented and verified: clusters,
node enrollment, node-agent scaffold, platform admin console, workload
supervision contract, mesh control-plane prep, mesh skeleton, multi-cluster
hardening, and organization admin foundation
- C10 Fabric Core configuration distribution design is completed
- C11 signed scoped cluster snapshot model is completed
- C12 node local state store is completed
- C13 Fabric Storage / Config Storage service foundation is completed
- C14 peer directory and cache model is completed
- C15 Fabric Routing Engine skeleton is completed
- C16 secure node-to-node channel lifecycle is completed
- C17 mesh routing runtime implementation plan is completed
- C17A synthetic mesh runtime skeleton is implemented and test-proven with
synthetic fabric messages only, no RDP/VPN/production service traffic
- C17B route health and failover probes are implemented and test-proven with
synthetic traffic only, no RDP/VPN/production service traffic
- C17C relay semantic hardening is implemented and test-proven with synthetic
channel classes only, no RDP/VPN/production service traffic
- C17D non-production test-service path is implemented and test-proven with
bounded `synthetic.echo` traffic only, no RDP/VPN/production service traffic
- C17E live node-to-node synthetic HTTP transport is implemented and
smoke-proven with synthetic traffic only
- C17F scoped synthetic route config loading and route-health reporting is
implemented and smoke-proven with synthetic traffic only
- C17G Control Plane scoped synthetic config read/consume is implemented and
test-proven with synthetic traffic only
- C17H deployed multi-agent synthetic config smoke is implemented and
runtime-proven on `docker-test` with synthetic traffic only
- C17I production forwarding gate foundation is implemented and test-proven;
production forwarding remains unavailable
- C17J production envelope contract validation is implemented and test-proven;
production forwarding remains unavailable
- C17K production envelope observation is implemented and test-proven;
production forwarding remains unavailable
- C17L bounded production observation sink is implemented and test-proven;
production forwarding remains unavailable
- C17M production observation sink wiring is implemented and test-proven;
production forwarding remains unavailable
- C17N production observation sink metrics are implemented and test-proven;
production forwarding remains unavailable
- C17O production observation sink local metrics logging is implemented and
test-proven; production forwarding remains unavailable
- C17P production observation sink change-driven metrics logging is implemented
and test-proven; production forwarding remains unavailable
- C17Q production forwarding gate/runtime log boundary is implemented and
test-proven; production forwarding remains unavailable
- C17R production observation sink capacity guard is implemented and
test-proven; production forwarding remains unavailable
- C17S production observation panic fail-closed hardening is implemented and
test-proven; production forwarding remains unavailable
- C17T production envelope payload boundary is implemented and test-proven;
production forwarding remains unavailable
- C17U production envelope created-at skew boundary is implemented and
test-proven; production forwarding remains unavailable
- C17V peer endpoint candidate model and NAT/connectivity hints are
implemented and test-proven; production forwarding remains unavailable
- C17W peer endpoint candidate scoring model is implemented and test-proven;
production forwarding remains unavailable
- C17X health-aware endpoint candidate scoring overlay is implemented and
test-proven; production forwarding remains unavailable
- C17Y Platform Owner synthetic mesh visibility is implemented and
build/test-proven; production forwarding remains unavailable
- C17Z production fabric-control direct forwarding is implemented and
test-proven; production service traffic remains unavailable
- C17Z1 production fabric-control multi-hop route-path forwarding is
implemented and test-proven; production service traffic remains unavailable
- C17Z2 production fabric-control forwarding observability is implemented and
test-proven; production service traffic remains unavailable
- C17Z3 production fabric-control route-config boundary is implemented and
test-proven; production service traffic remains unavailable
- C17Z4 scoped peer directory/recovery seed boundary is implemented and
test/build-proven; production service traffic remains unavailable
- C17Z5 node-agent peer cache runtime boundary is implemented and test-proven;
production service traffic remains unavailable
- C17Z6 dynamic endpoint reporting boundary is implemented and test-proven;
production service traffic remains unavailable
- C17Z7 private/corporate endpoint candidate boundary is implemented and
test-proven; production service traffic remains unavailable
- C17Z8 peer connection state machine boundary is implemented and test-proven;
production service traffic remains unavailable
- C17Z9 peer recovery planner boundary is implemented and test-proven;
production service traffic remains unavailable
- C17Z10 peer connection intent planner boundary is implemented and
test-proven; production service traffic remains unavailable
- C17Z11 peer connection manager runtime boundary is implemented and
test-proven; production service traffic remains unavailable
- C17Z12 rendezvous/relay control-plane contract is implemented and
docker-test-runtime-proven; production service traffic remains unavailable
- C17Z13 rendezvous lease telemetry is implemented and
docker-test-runtime-proven; production service traffic remains unavailable
- C17Z14 rendezvous lease refresh contract is implemented and
docker-test-runtime-proven; production service traffic remains unavailable
- C17Z15 backend relay replacement policy is implemented and
docker-test-runtime-proven; production service traffic remains unavailable
- C17Z16 route/path decision artifact is implemented and
docker-test-runtime-proven; production service traffic remains unavailable
- C17Z17 node-side route generation tracker is implemented and
docker-test-runtime-proven; production service traffic remains unavailable
- C17Z18 synthetic route-health effective path runtime is implemented and
docker-test-runtime-proven; production service traffic remains unavailable
- C17Z19 synthetic route-health feedback scoring is implemented and
docker-test-runtime-proven; production service traffic remains unavailable
- C17Z20 node-side route-health feedback refresh is implemented and
docker-test-runtime-proven; production service traffic remains unavailable
- C17Z21 node installation/update control-plane is implemented and
docker-test-runtime-proven for Docker nodes; production service traffic
remains unavailable
- C17Z22 Windows host-agent install/update supervision is implemented and
runtime-proven on the remote Windows node; production service traffic remains
unavailable
- C17Z23 update observability is implemented in backend/admin UI: per-node
updater status history is exposed and deployed on docker-test, so node-agent
and host-agent update activity can be audited from node details
- C17Z24 combined updater reporting is implemented and docker-test-proven:
Linux/Docker `rap-host-agent update-loop` now also polls/reports
`rap-host-agent` status, release `0.1.4` is published for node-agent and
host-agent artifacts, and docker-test nodes `test-1/2/3` auto-updated to
node-agent `0.1.4` while reporting host-agent `0.1.4` no-op status.
- C17Z25 Windows updater repair visibility is implemented in admin UI: node
details / Updates now shows a ready CMD repair command for existing Windows
nodes using `http://vpn.cin.su:19191/api/v1`, `--replace`, and
`--auto-update-current-version 0.0.0` so a stale updater wrapper can be
recreated without a new join token.
- C17Z26 updater fleet visibility is implemented in admin UI: the node list now
shows per-node updater status based on latest `rap-node-agent` and
`rap-host-agent` reports, explicitly flagging missing host-agent reports,
stale update reports, or update errors before opening node details.
- C17Z27 backend version-state projection is implemented and deployed on
docker-test: node list responses now derive `version_state` from active
`rap-node-agent` desired policy plus latest update report. Docker/Linux nodes
on `0.1.4` show `current`; the remote Windows node still on `0.1.3` shows
`outdated` while remaining heartbeat-healthy.
- C17Z28 Windows updater loop hardening is implemented and partially
docker-test-proven via release `0.1.5`: Windows host-agent updater scripts now
run combined `update-loop --max-runs 1`, and Windows `update-loop` also
polls/applies `rap-host-agent` updates. Release `0.1.5` artifacts are
published for Docker/Linux and Windows; docker-test nodes `test-1/2/3`
updated to `rap-node-agent 0.1.5`. Existing remote Windows nodes with stale
pre-0.1.5 updater wrapper still require one repair command from admin UI to
replace their local wrapper, after which automatic polling should continue.
- Admin UI now marks missing host-agent updater reports as `repair updater` in
the node list and explains in node details / Updates when to run the Windows
repair command. The command uses the external control-plane endpoint and does
not require a join token for already enrolled Windows nodes.
- Admin UI node details / Updates also provides a ready downloadable
`rap-repair-updater-<node>.cmd` plus copy-command action for Windows repair,
reducing operator copy/paste mistakes on remote Windows hosts.
- Windows repair command generation was hardened after the first remote repair:
foreground `update-loop` now includes explicit `--node-id`, copies any staged
`rap-host-agent.exe.next` over the main host-agent binary after the one-shot
loop exits, deletes the staged file, and runs the updater scheduled task.
The node list now distinguishes `host-agent staged` from generic stale/error.
- C17Z29 Windows persistent updater repair is implemented in `rap-host-agent`
release `0.1.6`: `install-windows` accepts `--node-id` and writes that node
id into the persistent Windows updater wrapper so Scheduled Task polling no
longer depends on finding `identity.json` in the expected state directory.
Docker-test nodes `test-1/2/3` updated to `0.1.6`; existing Windows and
off-host Docker nodes still need their local updater wrappers to pick up the
0.1.6 host-agent repair path.
- C17Z30 operator-configured public mesh endpoints are implemented and
docker-test-deployed: desired `mesh-listener.advertise_endpoint` is now
projected into peer endpoint candidates for other nodes and preferred over
auto-discovered private heartbeat endpoints. `home-1`
(`8ad04829-cd30-4290-913d-1ce5c7ef7bb3`) is configured with
`listen_addr=0.0.0.0:19131`, `advertise_endpoint=http://94.141.118.222:19199`,
`connectivity_mode=direct`, `nat_type=port_restricted`, `region=home`.
`test-1` synthetic config now receives `home-1` peer endpoint
`http://94.141.118.222:19199`; internal `192.168.200.85:19131` responds with
HTTP 405 on GET, while external `94.141.118.222:19199` currently refuses TCP,
so router/firewall forwarding still needs correction outside the platform.
- C17Z31 offsite bootstrap peer selection is implemented and docker-test
deployed: operator-configured public/direct desired mesh-listener endpoints
are kept in core-mesh bootstrap even after the default warm-peer target is
reached. This fixes the case where remote Windows node
`ifcm-rufms-s-mo1cr` received only `test-*` warm peers and no `home-1`.
Its synthetic config now includes `home-1` endpoint
`http://94.141.118.222:19199` and candidates ordered as operator public,
heartbeat advertised public, then private LAN converted to relay-required for
offsite. External TCP to `94.141.118.222:19199` still failed from Codex and
docker-test checks while internal `192.168.200.85:19131` succeeds, so a real
offsite `Test-NetConnection 94.141.118.222 -Port 19199` is the next network
validation.
- C17Z32 native Ubuntu/Linux service install is implemented and docker-test
deployed: backend exposes `/node-agents/linux-install-profile`, host-agent
supports `install-linux`, installs `rap-node-agent` under
`/opt/rap/<node>`, state under `/var/lib/rap/nodes/<node>`, config under
`/etc/rap/<node>`, creates `rap-node-agent-<node>.service`, and creates a
persistent `rap-host-agent-updater-<node>.service` for automatic node-agent
and host-agent updates. Release `0.1.7` is published for `rap-node-agent`
(`linux_binary`, `windows_service`) and `rap-host-agent`
(`linux_binary`, `windows_binary`). Admin UI now has an `Ubuntu service`
install profile and generates profile-based `install-linux` commands.
A one-use token for `vps-ubuntu-1` is active until 2026-05-02T08:41:41Z:
`rap_join_a23Xhz63YstshWUBAPGPz5fzQ8YpHDP05RXaaYa4DoA`; scope roles are
`core-mesh` and `relay-node`, control-plane endpoint is
`http://vpn.cin.su:19191/api/v1`, artifact endpoint is
`http://vpn.cin.su:19191/downloads`.
- Admin UI and docs now cover the full Windows updater operational workflow:
node details shows an `Updater health` summary, generated repair CMD prints
scheduled-task and binary diagnostics before/after repair, applies staged
host-agent binaries, restarts the updater task, and README documents first
install, repair without join-token, system-task/user-task behavior, staged
host-agent recovery, and reboot/autostart verification.
- Cluster Authority plus node enrollment bootstrap polling are docker-test
lifecycle-smoke-proven; fresh install migration replay is fixed for
`cluster_admin_summaries`
- C18 VPN/IP tunnel service target design is completed as documentation only
- C18A VPN/IP tunnel control-plane data model foundation is implemented and
backend-test-proven
- C18B VPN/IP tunnel lease/fencing hardening is implemented and
backend-test-proven
- C18C VPN/IP tunnel node-agent desired-state consumption/reporting is
implemented and backend-test-proven
- Version Storage / Update Repository is documented as a future Fabric Core
service for signed release manifests, OS/arch artifacts,
stable/current/candidate channels, update-cache mirroring, node-agent
update supervision, rollback, and explicit data-structure migration bundles.
Runtime updater behavior is partially implemented for the current Docker and
Windows node-agent/host-agent paths; broader staged rollout policy and
service payload forwarding remain separate work.
- no next platform-core implementation step is automatically authorized after
C17Z20; choose the next narrow staged prompt explicitly before continuing
- preserve the proven RDP lifecycle behavior
- keep the current backend gateway available as the active/fallback implementation path
- accepted VPN data-plane target: the phone/client connects only to an
available entry node; the entry node uses the existing mesh/fabric route to a
selected exit node/pool, and the exit node handles LAN/internet egress. Nodes
behind NAT may participate when they can maintain outbound mesh/control
sessions. Backend packet relay must remain a compatibility/fallback path, not
the desired steady-state path.
- C18D VPN-over-fabric foundation is implemented and docker-test-started:
VPN client profiles include `vpn_fabric_route` with entry pool, exit pool,
selected entry/exit, preferred `fabric_mesh` data-plane, and
`backend_relay` fallback. Node-agent `0.2.39` adds a dedicated production
`vpn_packet` channel (`vpn.packet_batch`, 256 KiB batch limit), destination
delivery hook, `vpnruntime.FabricPacketTransport`, and
`vpn_fabric_packet_transport` heartbeat capability. `home-1` auto-updated to
`0.2.39`; other nodes have automatic desired policy `0.2.39` and should move
as their updater loops pick it up. Live Android VPN traffic still uses backend
relay until entry-node client ingress is wired to the fabric transport.
- C18E VPN-over-fabric route contract is backend-deployed on docker-test as
`rap-backend:test-vpn-fabric-route-0.2.41`: when a VPN client profile selects
different entry and exit nodes, backend now ensures two active
`mesh_route_intents` with service_class `vpn_packets` and allowed channel
`vpn_packet`. The live HOME profile currently selects `usa-los-1` as entry
and `home-1` as exit when `entry_node_id=b829ffde-...` is requested, and the
synthetic config for both nodes includes the two `vpn_packet` routes. Existing
fallback remains `backend_relay`; production forwarding gate is still disabled
on old/live remote nodes until their runtime is explicitly updated/enabled.
- External/offsite updater gap found and fixed for version `0.2.40`: native
`rap-node-agent` binaries for `linux_binary`, `linux_service`, and
`windows_service` plus matching `rap-host-agent` binaries are copied under
`/downloads` and registered in channel `dev-external`. Update plans for
`usa-los-1` (`linux_binary`) and `ifcm-rufms-s-mo1cr` (`windows_service`) now
return `action=update`, `target_version=0.2.40` instead of
`no_matching_artifact`.
- C18F production-forwarding gate work is partially live: backend
`rap-backend:test-vpn-fabric-route-0.2.42` signs node synthetic configs with
`production_forwarding=true` / `control_plane_only=false` when the node's
desired `mesh-listener` workload has `production_forwarding_enabled=true`.
`home-1` and `usa-los-1` desired mesh-listener configs have this flag enabled.
Node-agent `0.2.44` accepts signed production-forwarding mesh configs and
host-agent `0.2.44` fixes Docker updater behavior so synthetic mesh runtime is
not disabled on Docker updates. Runtime status: `usa-los-1` reports
`mesh_production_forwarding=true`; `home-1` reports `0.2.44` and synthetic
runtime enabled, but its listener report is still `disabled/listen_addr_empty`,
so `home-1` is not yet a usable production fabric endpoint. Next action is to
repair why `home-1` is not applying the signed mesh-listener config
(`listen_addr=0.0.0.0:19131`) after Docker updater restart.
- C18G VPN-over-fabric runtime path is live-tested on docker-test. Backend is
deployed as `rap-backend:test-vpn-fabric-route-0.2.43`; VPN route intents now
allow both `vpn_packet` data and `fabric_control` health probes. Node-agent
`0.2.47` fixes initial production VPN packet envelope hop addressing and
reports the matching version. `home-1` and `usa-los-1` both report
`0.2.47`, healthy, listener `0.0.0.0:19131`, and
`mesh_production_forwarding=true`. Live route health is reachable in both
directions (`usa-los-1 -> home-1` around 200 ms, `home-1 -> usa-los-1`
around 200-415 ms). A direct live POST to
`http://195.123.240.88:19131/api/v1/clusters/.../vpn-connections/.../tunnel/client/packets`
returns `202 Accepted`, proving entry-node VPN packet ingress can forward
over fabric to the home exit. The HOME VPN placement policy now has entry
pool `[usa-los-1, home-1]` and exit `home-1`; client profile with preferred
`usa-los-1` selects `usa-los-1 -> home-1`.
- C18H live VPN triage on 2026-05-04: `home-1` and `usa-los-1` report
node-agent `0.2.48`, healthy heartbeats, active HOME VPN assignment on
`home-1`, and `packet_forwarding=true` / `runtime_available=true`. Manual
packet tests through the USA entry proved the path
Android-style packet -> `usa-los-1` -> fabric -> `home-1` -> LAN/DNS ->
fabric -> `usa-los-1` -> client can return ICMP and DNS replies. The remaining
live symptom was the phone not sending fresh packets to the current entry
after the backend relay queue was cleared. Android VPN app `0.2.59` was built
and published to `/downloads/rap-android-rdp-vpn-latest-debug.apk`; it
normalizes old saved backend URLs (`vpn.cin.su:19191`,
`94.141.118.222:19191`, `192.168.200.61:18080`, etc.) to the current USA
entry backend `http://195.123.240.88:19131/api/v1` and shows app version,
device id, and connection id in the header for live log correlation.
- C18I fabric service-channel foundation is live on 2026-05-07. Backend,
node-agent, and Android VPN release `0.2.159` are published. VPN profiles now
include a signed `rap.fabric_service_channel_lease.v1` with
`entry_direct_http_v1` packet and WebSocket templates. Android consumes this
lease and sends service-channel headers. The `usa-los-1` entry endpoint
validates the cluster-authority signed lease payload and token hash; a live
smoke through `http://195.123.240.88:19131/.../fabric/service-channels/...`
succeeded with a valid lease and rejected a bad token with `403`. Current HOME
profile selects `usa-los-1` as entry and `home-1` as exit; both nodes report
`0.2.159`. Docker-test nodes `test-1`, `test-2`, and `test-3` also report
`0.2.159`. `ifcm-rufms-s-mo1cr` is still on `0.2.119`; it has staged the
host-agent `0.2.159` update and should finish on the next Windows updater
loop/restart.
- C18J fabric service-channel runtime route-manager slice is live on
2026-05-07 as node/host-agent `0.2.162`. The entry-node
`FabricClientPacketIngress` now preserves its runtime object across synthetic
config refreshes, so heartbeat telemetry reports the same ingress object that
serves HTTP/WebSocket service-channel traffic. It tracks send/receive batches,
route attempts/failures, selected route/next hop, local-gateway fallback, and
inbox queue depths. `SendClientPacketBatch` now retries all valid
`vpn_packet` route candidates with sticky preference before backend relay is
allowed as degraded compatibility fallback. Release `0.2.161` was superseded
because its Docker tar was rebuilt after registration; `0.2.162` is the
clean published release with matching artifact hashes. Docker-test
`test-1/2/3`, `usa-los-1`, and `ifcm-rufms-s-mo1cr` report `0.2.162`;
`home-1` is healthy and still on `0.2.161` awaiting its next updater loop.
Live smoke through `http://195.123.240.88:19131/.../fabric/service-channels`
returned `202` and `usa-los-1` telemetry then showed route attempts,
one route failure, and selected next hop `home-1`, proving live ingress
telemetry and alternate-route retry are active.
- C18K service-neutral flow/channel scheduler is live on 2026-05-07 as
node/host-agent `0.2.163`. The VPN proving service still carries universal
IP packets and does not route by application protocol, but the entry runtime
now hashes packets by IP 5-tuple, or packet hash for non-IP/invalid packets,
into 32 logical `flow-*` channels. Each channel has bounded queue accounting,
high-watermark/backpressure/dropped telemetry, and batches are fanned out per
logical channel before being sent through the same fabric route-manager. Live
smoke against `usa-los-1` posted two different IP flows through the signed
service-channel endpoint and heartbeat reported `send_packets=2`,
`send_flow_batches=2`, `flow_scheduler.channel_count=2`, `enqueued=2`,
`dequeued=2`, `dropped=0`, with queue depths for `flow-12` and `flow-14`.
All six current cluster nodes (`home-1`, `usa-los-1`, `ifcm-rufms-s-mo1cr`,
`test-1`, `test-2`, `test-3`) report node-agent `0.2.163` and healthy.
- C18L active flow scheduling telemetry is live on 2026-05-07 as
node/host-agent `0.2.164`. Each `flow-*` channel now keeps route memory,
served count, last served time, last route/next hop, failed-route marker,
consecutive failures, stall count, last send duration, and explicit
`route_rebuild_recommended` / `degraded_fallback_recommended` signals. The
scheduler drains non-stalled channels first, prefers less-served/older
channels, avoids a channel's last failed route on the next send, and only
marks degraded fallback after repeated failures. Live smoke against
`usa-los-1` posted two IP flows through the signed service-channel endpoint:
heartbeat reported schema `c18l.fabric_service_channel_runtime_report.v1`,
`send_packets=2`, `send_flow_batches=2`, `flow_scheduler.channel_count=2`,
`dropped=0`, `backpressure=false`, `last_next_hop=home-1`, and per-flow
`served=1`. One stale candidate route failed and was bypassed before the
successful route to `home-1`. All six current cluster nodes (`home-1`,
`usa-los-1`, `ifcm-rufms-s-mo1cr`, `test-1`, `test-2`, `test-3`) report
node-agent `0.2.164` and healthy.
- C18M Control Plane service-channel feedback is live on 2026-05-07. Backend
image `rap-backend:fabric-service-channel-0.2.165` is deployed on
docker-test, and node/host-agent `0.2.165` artifacts are published. When
issuing `rap.fabric_service_channel_lease.v1`, backend now reads fresh
entry-node heartbeat metadata
`fabric_service_channel_runtime_report.ingress.flow_scheduler.channel_stats`,
builds per-route service-channel feedback, boosts recently successful routes,
penalizes recent failures, and fences routes that report
`route_rebuild_recommended`, `degraded_fallback_recommended`, or repeated
consecutive failures. Fenced routes are not selected as primary or alternate;
if all selected entry/exit routes are fenced, the lease uses explicit
degraded backend fallback with reason
`fabric_routes_fenced_by_service_channel_feedback`. Live smoke created two
short-lived `test-1 -> test-2` route intents, injected a fresh
service-channel flow feedback heartbeat marking the higher-priority route as
rebuild-required, and the next lease selected the lower-priority healthy
route with score reason `service_channel_recent_success`; the bad route was
not offered as an alternate. Current node rollout: `home-1`, `usa-los-1`,
`test-1`, `test-2`, and `test-3` report `0.2.165`; Windows `ifcm-rufms-s-mo1cr`
remains healthy on `0.2.164` and should move on its next updater cycle.
- C18N durable service-channel route feedback is live on 2026-05-07. Backend
image `rap-backend:fabric-service-channel-0.2.166` is deployed on
docker-test with migration `000025_fabric_service_channel_route_feedback`.
Heartbeats now persist service-neutral route observations into
`fabric_service_channel_route_feedback_observations` and maintain an
expiring latest view in `fabric_service_channel_route_feedback_latest`.
Lease selection reads this durable latest feedback before falling back to
in-memory heartbeat parsing, so route fencing survives backend restarts and
stale heartbeat replacement. Node/host-agent `0.2.166` artifacts and Docker
image are published, update policies target `0.2.166`, and `test-1/2/3`,
`usa-los-1`, and `ifcm-rufms-s-mo1cr` report `0.2.166`; `home-1` is healthy
but still on `0.2.165` until its next updater cycle. Live smoke created two
short-lived `test-1 -> test-2` routes, persisted a fenced observation for the
higher-priority bad route and a healthy observation for the lower-priority
route, restarted backend, and the next lease selected the healthy route with
`service_channel_recent_success`.
- C18O service-channel feedback diagnostics and synthetic route avoidance are
live on 2026-05-07. Backend image
`rap-backend:fabric-service-channel-0.2.167` is deployed on docker-test and
web-admin is rebuilt/published. Admin/API now expose fresh durable feedback
through `GET /clusters/{clusterID}/fabric/service-channels/route-feedback`,
and each node synthetic config includes
`service_channel_route_feedback` with healthy/degraded/fenced counts and
observations. Synthetic config generation skips routes fenced by the local
node's durable service-channel feedback, so nodes stop receiving known-bad
route configs while the feedback is active. Live smoke created fresh
`test-1 -> test-2` routes, persisted `fenced` feedback for the higher-priority
route and `healthy` feedback for the lower-priority route, confirmed the API
returned both observations, and confirmed `test-1` synthetic config excluded
the bad route while keeping the healthy route.
- C18P proactive service-channel replacement decisions are live on 2026-05-07.
Backend image `rap-backend:fabric-service-channel-0.2.168` is deployed on
docker-test and web-admin is rebuilt/published. When synthetic config
generation withholds a route fenced by local service-channel feedback, it now
records a `route_path_decisions` item with
`decision_source=service_channel_feedback_replacement`,
`replacement_route_id`, effective replacement hops, and score reasons. If no
alternate exists, the decision source becomes
`service_channel_feedback_no_alternate` with visible score reason
`no_unfenced_alternate_route`. Live smoke created fresh `test-1 -> test-2`
bad/good routes, fenced the bad route, disabled older smoke routes, and
confirmed `test-1` synthetic config excluded the bad route, kept the good
route, and reported replacement from bad route to good route.
- C18Q service-channel replacement dampening is live on 2026-05-07. Backend
image `rap-backend:fabric-service-channel-0.2.169`, node/host-agent
`0.2.169` artifacts, Docker image, update policies, and web-admin are
published on docker-test. Replacement selection now gives a large stable
preference to routes with active healthy durable feedback, adding
`active_healthy_feedback_dampening_window` to score reasons, so a recently
successful replacement wins over a higher-priority but unproven route until
the feedback window expires or a newer fenced/healthy observation changes the
state. `RoutePathDecisionReport` now includes `degraded_decision_count` for
`service_channel_feedback_no_alternate`, and node-agent heartbeat reports
include `replacement_route_id` and degraded counts after upgrade. Live smoke
fenced a high-priority bad `test-1 -> test-2` route, supplied healthy feedback
for a low-priority route, also created a higher-priority unproven route, and
confirmed replacement selected the healthy route because of the dampening
window.
- C18Q hotfix `0.2.171` is published on 2026-05-07. Node-agent now includes
`service_channel_route_feedback` in the signed synthetic config model before
recalculating the authority payload hash. Without this, upgraded backend
configs were signed correctly but `0.2.169` agents rejected them with
`control-plane synthetic mesh config authority payload hash mismatch`.
Regression coverage verifies a signed config containing durable
service-channel feedback. Artifacts, Docker image, latest download aliases,
and update policies were moved to `0.2.171`; `test-1/2/3` are running
`0.2.171` and loading `source=control_plane` again. The release includes
`linux_service`, Docker, Windows service, and binary artifacts so service
installs can auto-update. Old C18 smoke/expired route intents were disabled
after validation.
- C18R fleet diagnostics/operator action slice is live on 2026-05-07. Backend
image `rap-backend:fabric-service-channel-0.2.172` adds route feedback
filters (`route_id`, `feedback_status`, `include_expired`) and
`POST /clusters/{clusterID}/fabric/service-channels/route-feedback/expire`.
The expire action is cluster-mutable/admin gated and marks latest feedback
expired without deleting historical observations. Web-admin / Fabric Links
now shows a cluster-level service-channel feedback panel with fenced,
degraded, healthy and no-alternate counts, replacement/no-alternate decisions,
and an operator `expire` action for stale non-healthy feedback.
- C18S service-channel feedback churn guardrails are implemented on
2026-05-07. Operator expire now records
`fabric.service_channel_route_feedback.expired` audit events, returns and
persists a short `operator_retry_cooldown_until`, and route generation adds
`service_channel_route_retry_after_operator_expire` when a manually expired
route is being retried. During that cooldown, repeated non-healthy feedback
from the same reporter/route/service is suppressed as
`operator_retry_cooldown` instead of immediately fencing the route again.
Web-admin shows the retry/cooldown state in Fabric Links.
- C18T automatic rebuild decision contract is implemented on 2026-05-07.
`RoutePathDecision` now carries `rebuild_request_id`, `rebuild_status`,
`rebuild_reason`, and `rebuild_attempt`. When fenced service-channel feedback
keeps failing outside manual retry cooldown, Control Plane records a bounded
rebuild request. If an unfenced alternate exists, the decision is marked
`rebuild_status=applied`; if not, it is
`pending_degraded_fallback` and leases expose backend relay with reason
`fabric_route_rebuild_pending_backend_relay`. Web-admin shows rebuild counts,
status, and attempts in Fabric Links. A live smoke on docker-test created
short-lived `test-1 -> test-2` bad/good routes, reported fenced feedback for
the bad route and healthy feedback for the good route, and confirmed scoped
synthetic config returned `service_channel_feedback_replacement` with
`rebuild_status=applied` and `rebuild_attempt=3`. Node/host-agent `0.2.175`
is published so agents preserve the new signed rebuild fields.
- C18U node-agent route-manager rebuild consumption is live on 2026-05-07.
Node-agent `0.2.176` now converts backend rebuild decisions into a
service-channel route-manager snapshot, counts rebuild requests/applies,
marks applied/pending-degraded routes as withdrawn, clears a withdrawn cached
selected route, and excludes withdrawn routes from new service-channel route
candidates. This keeps new flows from retrying a route that Control Plane has
already rebuilt away from. Unit coverage verifies a bad route is skipped in
favor of its replacement. Node/host-agent `0.2.176` artifacts, Docker image,
latest download aliases, release manifests, and node policies are published.
`test-1/2/3`, `usa-los-1`, and `ifcm-rufms-s-mo1cr` report `0.2.176`.
Backend `rap-backend:fabric-service-channel-0.2.176` is deployed with a
panel consistency fix: if a node reports the target version, stale failed
update status no longer overrides `version_state=current`.
- C18V route-manager churn telemetry is live on 2026-05-07. Node-agent
`0.2.177` adds `route_manager_transition` to the service-channel runtime
report with previous/current generation, transition status, decision counts,
withdrawn/restored route counts, pending-degraded fallback count, rebuild
applied count, and any cleared cached route. Tests cover applied rebuild
replacement, pending degraded fallback with no alternate, and restoration by
a fresh config so withdrawn routes do not become sticky local state. Artifacts,
Docker image, latest download aliases, release manifests, and node policies
are published. `test-1/2/3` run `0.2.177`; their heartbeat metadata exposes
`rap.fabric_service_channel_route_manager_transition.v1`.
- C18W live Control Plane/runtime verification is implemented and smoke-passed
on 2026-05-07. Script
`scripts/fabric/c18w-service-channel-route-manager-smoke.ps1` drives the
whole loop against docker-test API: creates temporary service-channel route
intents for `test-1 -> test-2`, injects fenced/healthy route feedback through
heartbeat, verifies scoped config emits `rebuild_status=applied`, waits for
node-agent heartbeat `route_manager_transition.status=applied_rebuild`,
expires the feedback, verifies the restored config has no rebuild decision,
and waits for `restored_by_new_config`. Result artifact:
`artifacts/c18w-service-channel-route-manager-smoke-result.json` with run
`c18w-20260507-173226`. During the smoke, operator expire exposed live pgx
parameter issues; backend `rap-backend:fabric-service-channel-0.2.179` is
deployed with safer UUID/text timestamp handling for feedback expire.
- C18X logical-channel isolation and bounded backpressure coverage is
implemented and smoke-passed on 2026-05-07. Node-agent/host-agent `0.2.180`
artifacts, Docker image, latest download aliases, release manifests, and
node policies are published. The key runtime fix is in
`FabricClientPacketIngress.routeCandidatesForChannel`: a channel with a local
failed-route avoid state no longer falls back to the global last selected
route, so one degraded logical flow cannot drag unrelated flows back onto the
failed path. Coverage proves independent logical-channel failover, bounded
same-channel backpressure/drop telemetry, and packet-flow hashing. Script
`scripts/fabric/c18x-service-channel-logical-channel-smoke.ps1` passes with
result artifact `artifacts/c18x-service-channel-logical-channel-smoke-result.json`
run `c18x-20260507-180647`. Test docker nodes `test-1/2/3` are running
`rap-node-agent:0.2.180`; backend remains
`rap-backend:fabric-service-channel-0.2.179`.
- C18Y route-intent lifecycle cleanup is implemented and smoke-passed on
2026-05-07. Backend `rap-backend:fabric-service-channel-0.2.181` is deployed
on docker-test, and web-admin Fabric Links now shows route-intent lifecycle
counts/table with operator `expire` and `disable` actions. Route intents are
enriched with `lifecycle_status`, `is_expired`, and `policy_expires_at`.
Node-scoped synthetic mesh config now filters out expired policy routes, so
stale smoke routes no longer get emitted to agents for route-health probing.
API actions are available at
`POST /clusters/{clusterID}/mesh/route-intents/{routeIntentID}/expire` and
`/disable`. Script `scripts/fabric/c18y-route-intent-lifecycle-smoke.ps1`
passed against docker-test API, result
`artifacts/c18y-route-intent-lifecycle-smoke-result.json` run
`c18y-20260507-192702`. During deploy, docker-test root disk was full from
build cache/images; `docker builder prune -af` and `docker image prune -f`
freed space before redeploy.
- C18Z bounded service-channel load coverage is implemented, published, and
smoke-passed on 2026-05-07. Node-agent/host-agent `0.2.181` artifacts,
Docker image `rap-node-agent:0.2.181`, latest download aliases, release
manifests, and update policies are published. `test-1/2/3` are restarted on
`rap-node-agent:0.2.181`; `usa-los-1` also reports `0.2.181`. The key runtime
fix is in `FabricFlowScheduler.Snapshot`: backpressure remains visible when
bounded drops occurred, even after the queue drains. Coverage proves
multi-channel rebuild away from a withdrawn primary route and per-channel
bounded drop/high-water telemetry. Script
`scripts/fabric/c18z-service-channel-load-smoke.ps1` passed against
docker-test API, result
`artifacts/c18z-service-channel-load-smoke-result.json` run
`c18z-20260507-194616`. Release artifacts were corrected after initial
publication to use backend-relative `/downloads/...` primary URLs plus
internal/external mirror URLs, so offsite nodes resolve downloads through
their own control-plane origin such as `http://vpn.cin.su:19191`. Current
caveat: `ifcm-rufms-s-mo1cr` and `home-1` remained `version_state=failed`
at the last check; their next update plan now points to reachable `0.2.181`
artifacts, but the local updater loop still needs to retry/report success.
- C18Z1 live service-channel ingress is implemented, published, and
smoke-passed on 2026-05-07. Node-agent/host-agent `0.2.182` artifacts,
Docker image `rap-node-agent:0.2.182`, release manifests, and update
policies are published. Backend `rap-backend:fabric-service-channel-0.2.182`
is deployed on docker-test. The runtime fix is a dynamic mesh listener
handler: synthetic config refreshes now update `/mesh/v1/forward`,
service-channel ingress, production routes, delivery inbox, and forward
transport without requiring a port/listener restart. Backend route-feedback
latest policy now prevents a fresh healthy heartbeat from immediately
overwriting active degraded/fenced feedback before TTL expiry, so rebuild
decisions survive long enough for nodes to apply them. Script
`scripts/fabric/c18z1-live-service-channel-ingress-smoke.ps1` posts signed
generic packet batches to the running `test-1` service-channel HTTP endpoint,
waits both entry and exit runtime configs, verifies exit inbox delivery,
injects route feedback, observes Control Plane rebuild, waits node
`applied_rebuild`, sends a second batch over the replacement route, and
expires both temporary route intents. Result:
`artifacts/c18z1-live-service-channel-ingress-smoke-result.json` run
`c18z1-20260507-203628`. All current nodes report `0.2.182/current` at the
last check.
- C18Z2 live service-channel sustained soak/failure smoke is implemented and
passed on 2026-05-07 without a new runtime release. Script
`scripts/fabric/c18z2-live-service-channel-soak-smoke.ps1` drives signed
generic packet batches through the running `test-1` service-channel HTTP
endpoint, keeps temporary primary/alternate `test-1 -> test-2` route intents
visible, restarts the exit-node container `rap_test_node_test_2`, waits for
the exit runtime to reload synthetic config, and verifies recovery batches
reach the exit fabric inbox after the restart. Result:
`artifacts/c18z2-live-service-channel-soak-smoke-result.json` run
`c18z2-20260507-205112`: warm batches `6/6`, during-restart batches `3/3`,
recovery batches `8/8`, exit inbox depth grew from post-restart baseline
`0` to `88`, drops `0`, and both temporary route intents expired.
- C18Z3 live service-channel entry/WebSocket/degraded-fallback smoke is
implemented, published, and passed on 2026-05-07. Node-agent/host-agent
`0.2.183` artifacts and Docker image `rap-node-agent:0.2.183` are published
to docker-test downloads; update policies for `test-1/2/3` are set to
`rolling` target `0.2.183`, and the test containers run that image. The
runtime fix makes the entry node honor the signed service-channel lease
authority: leases with `status=degraded_fallback` or
`primary_route.status=missing_route_intent` now force backend fallback instead
of reusing stale generic route candidates. The same fallback rule is applied
to HTTP and WebSocket packet ingress. Script
`scripts/fabric/c18z3-live-service-channel-entry-ws-fallback-smoke.ps1`
verifies signed HTTP warm batches, WebSocket ingress parity, entry-node
container restart while the lease exists, recovery batches over the same
lease, explicit degraded fallback for a no-route exit, and route-intent
expiry. Result:
`artifacts/c18z3-live-service-channel-entry-ws-fallback-smoke-result.json`
run `c18z3-20260507-211402`: warm `4/4`, WebSocket packets `8`, recovery
`4/4`, backend fallback queue `0 -> 8`, route failures `0`, and all checks
passed. During publication the first `0.2.183` Docker tar had a malformed
entrypoint and stale size/hash metadata; it was rebuilt, the latest tar alias
was replaced, and the release artifact row was corrected to sha256
`231286cf5860b22cf8ca6550f67f61b0ca4b5011ab9b09995bcabbafe883fee1`, size
`7261696`.
- C18Z4 live service-channel long-session pressure smoke is implemented and
passed on 2026-05-07 without a new runtime release beyond `0.2.183`. Script
`scripts/fabric/c18z4-live-service-channel-session-pressure-smoke.ps1` opens
one signed long-lived service-channel WebSocket from `test-1` to `test-2`,
sends 48 packet batches / 384 packets, expires the primary route intent while
the WebSocket session is still active, waits for dynamic synthetic-config
refresh, and verifies the remaining packets use the alternate route. Result:
`artifacts/c18z4-live-service-channel-session-pressure-smoke-result.json`
run `c18z4-20260507-212748`: exit inbox depth `0 -> 384`, route failure delta
`0`, flow drop delta `0`, backend fallback queue `0 -> 0`, primary route
removed from entry/exit configs, alternate route selected after the switch,
and both route intents expired. This proves the shared Fabric Service Channel
can keep a service session alive while Control Plane changes the live route
set, without falling back to backend relay.
- C18Z5 live service-channel exit-restart smoke is implemented and passed on
2026-05-07 without a new runtime release beyond `0.2.183`. Script
`scripts/fabric/c18z5-live-service-channel-exit-restart-smoke.ps1` keeps one
signed WebSocket service-channel session open from `test-1` to `test-2`,
sends pre-outage traffic, stops `test-2` for a bounded outage while traffic
continues, starts it again, waits runtime readiness, then sends recovery
traffic over the same WebSocket. Result:
`artifacts/c18z5-live-service-channel-exit-restart-smoke-result.json` run
`c18z5-20260507-213745`: pre/outage/recovery batches `12/24/24`, total
packets `480`, route failure delta `48`, backend fallback queue `0 -> 192`,
flow drop delta `0`, and recovery exit inbox `0 -> 192`. This proves real
exit-node failure is visible as fallback/failure telemetry while the
long-lived service channel remains usable and fabric delivery resumes after
the exit runtime returns. After the test, `test-2` and all active cluster
nodes were healthy/current on `0.2.183`.
- C18Z6 live service-channel active rebuild smoke is implemented and passed on
2026-05-07 without a new runtime release beyond `0.2.183`. Script
`scripts/fabric/c18z6-live-service-channel-active-rebuild-smoke.ps1` keeps a
signed WebSocket service-channel session open from `test-1` to `test-2`,
sends pre-rebuild traffic, injects route-health feedback that marks the
primary route stale and names the alternate route as replacement, waits for
Control Plane `rebuild_status=applied`, waits for node-agent
`route_manager_transition.status=applied_rebuild`, then continues sending
over the same WebSocket. Result:
`artifacts/c18z6-live-service-channel-active-rebuild-smoke-result.json` run
`c18z6-20260507-214900`: pre/post batches `16/32`, total packets `384`,
exit inbox depth `0 -> 384`, Control Plane replacement route
`b2f3c510-46d2-4dce-8389-3952a99d0311`, route failure delta `0`, flow drop
delta `0`, backend fallback queue `0 -> 0`, all checks passed, and all
active nodes remained healthy/current on `0.2.183`. This proves a live
service channel can apply a route-manager rebuild decision without rebuilding
the service WebSocket.
- C18Z7 live service-channel concurrent isolation smoke is implemented and
passed on 2026-05-07 without a new runtime release beyond `0.2.183`. Script
`scripts/fabric/c18z7-live-service-channel-concurrent-isolation-smoke.ps1`
opens three signed WebSocket service-channel sessions over the same
`test-1 -> test-2` entry/exit pair, interleaves packet batches across all
sessions, injects primary-route stale feedback, waits for Control Plane
`rebuild_status=applied` and node-agent `applied_rebuild`, then continues all
sessions over the same sockets. Result:
`artifacts/c18z7-live-service-channel-concurrent-isolation-smoke-result.json`
run `c18z7-20260507-215727`: 3 sessions, 36 rounds, 288 packets per session,
864 packets total, each session exit inbox depth `288`, total exit depth
`864`, backend fallback delta `0`, route failure delta `0`, flow drop delta
`0`, and all active nodes healthy/current on `0.2.183`. This proves rebuild
and route-manager state are shared correctly without one active service
session starving or poisoning the other concurrent sessions.
- C18Z8 live service-channel backpressure isolation smoke is implemented and
passed on 2026-05-07 without a new runtime release beyond `0.2.183`. Script
`scripts/fabric/c18z8-live-service-channel-backpressure-isolation-smoke.ps1`
opens two interactive signed WebSocket sessions plus one abusive session over
the same `test-1 -> test-2` entry/exit pair. The abusive session sends 1300
packets on one stable 5-tuple to force a single flow shard to hit bounded
queue pressure while the interactive sessions continue sending small batches.
Result:
`artifacts/c18z8-live-service-channel-backpressure-isolation-smoke-result.json`
run `c18z8-20260507-221347`: both interactive sessions delivered 192 packets
each, the abusive flow reached scheduler high watermark `1024`, scheduled
`1030` packets on the hottest channel, dropped `282` packets on that channel,
produced backend fallback delta `0`, route failure delta `0`, and all active
nodes stayed healthy/current on `0.2.183`. This proves bounded backpressure is
visible and isolated to the overloaded logical flow without starving other
active service sessions.
- C18Z9 route-pool runtime selection is implemented, released as node/host
agent `0.2.184`, published to docker-test downloads, and passed on
2026-05-07. Runtime fix: when Control Plane marks a service-channel route
`rebuild_status=applied` and provides `replacement_route_id`, node-agent now
treats that replacement as the preferred route for sticky flow/channel
selection instead of merely withdrawing the bad route and falling back to
config order. Unit coverage:
`TestFabricClientPacketIngressPrefersControlPlaneReplacementOverConfigOrder`.
Live script
`scripts/fabric/c18z9-live-service-channel-route-pool-smoke.ps1` creates a
route pool with slow relay primary `test-1 -> test-3 -> test-2` and fast
direct replacement `test-1 -> test-2`, keeps one signed WebSocket active,
injects stale-route feedback, waits for Control Plane and node-agent
`applied_rebuild`, then verifies the same service session continues over the
direct replacement. Result:
`artifacts/c18z9-live-service-channel-route-pool-smoke-result.json` run
`c18z9-20260507-224901`: 54 batches / 432 packets sent and delivered to exit,
backend fallback delta `0`, route failure delta `0`, flow drop delta `0`, and
temporary route intents expired. Test containers `test-1/2/3` run
`rap-node-agent:0.2.184`; `usa-los-1`, `home-1`, and
`ifcm-rufms-s-mo1cr` remain healthy on `0.2.183` until their rollout policy is
advanced.
- C18Z10 service-channel exit-pool failover is implemented, released as
node/host-agent `0.2.185`, published to docker-test downloads, registered in
the stable update channel, and passed on 2026-05-07. Backend service-channel
leases now bind signed entry/exit pools, selected exit follows the selected
primary route, and Control Plane replacement can cross to another authorized
exit when route intents share an exit-pool/resource metadata key. Node-agent
now honors the signed lease primary route as the initial service-channel
preference before normal config-order selection. Unit coverage:
`TestIssueFabricServiceChannelLeaseSelectsHealthyAlternateExitFromPool`,
`TestGetNodeSyntheticMeshConfigReplacesFencedServiceChannelRouteAcrossExitPool`,
and `TestFabricClientPacketIngressUsesLeasePreferredRouteBeforeConfigOrder`.
Live script
`scripts/fabric/c18z10-live-service-channel-exit-pool-smoke.ps1` creates a
primary exit route `test-1 -> test-2` and an alternate exit route
`test-1 -> test-3` in the same exit pool, keeps one signed WebSocket active,
verifies pre-rebuild traffic reaches the primary exit, injects stale-route
feedback, waits for Control Plane/node-agent `applied_rebuild`, then verifies
post-rebuild traffic reaches the alternate exit. Result:
`artifacts/c18z10-live-service-channel-exit-pool-smoke-result.json` run
`c18z10-20260507-232645`: 54 batches / 432 packets sent, primary exit queue
`144`, alternate exit queue `288`, backend fallback `0`, route failure delta
`0`, flow drop delta `0`, decision source
`service_channel_feedback_exit_pool_replacement`, and temporary route intents
expired. Backend and `test-1/2/3` are running `0.2.185`; update plans now
return download URLs on `192.168.200.61:18080` when the API is reached
directly on `18121`.
- C18Z11 service-channel entry-pool failover contract is implemented and
backend-deployed as `rap-backend:fabric-service-channel-0.2.186`; node-agent
remains `0.2.185` because no node runtime binary change was required.
Backend lease selection now keeps `selected_entry_node_id` aligned with the
selected primary route when the healthy route starts at another authorized
entry node. Route replacement scope also understands entry-pool metadata
keys (`entry_pool_id`, `service_entry_pool_id`, `fabric_entry_pool_id`) in
addition to exit-pool/resource keys, and route decision reports count
entry-pool replacement decisions. Unit coverage:
`TestIssueFabricServiceChannelLeaseSelectsHealthyAlternateEntryFromPool` and
`TestGetNodeSyntheticMeshConfigReplacesFencedServiceChannelRouteAcrossEntryPool`.
Live script
`scripts/fabric/c18z11-live-service-channel-entry-pool-smoke.ps1` creates
primary entry route `test-1 -> test-2` and alternate entry route
`test-3 -> test-2`, verifies the initial lease uses `test-1`, sends 144
packets, injects service-channel feedback fencing the primary entry route,
verifies a refreshed lease selects `test-3`, then sends 288 more packets
through the alternate entry to the same exit. Result:
`artifacts/c18z11-live-service-channel-entry-pool-smoke-result.json` run
`c18z11-20260507-235341`: exit queue `432`, backend fallback `0`, route
failure deltas `0/0`, flow drop deltas `0/0`, and temporary route intents
expired. This is a lease refresh/reconnect contract for entry replacement;
preserving a broken client-to-entry socket across an entry node outage is not
expected.
- C18Z12 service-channel route quality scoring is implemented and
backend-deployed as `rap-backend:fabric-service-channel-0.2.187`; node-agent
remains `0.2.185`. Backend now uses service-neutral runtime quality feedback
from `fabric_service_channel_runtime_report.ingress.flow_scheduler` when
scoring lease routes: `last_send_duration_ms` adds deterministic latency
boosts/penalties, and recent failures/stalls apply bounded penalties. This is
protocol-agnostic and applies to the shared fabric channel, not HTTP/RDP/DNS
special cases. Unit coverage:
`TestIssueFabricServiceChannelLeasePrefersFastHealthyRouteFeedback`. Live
script `scripts/fabric/c18z12-service-channel-route-quality-smoke.ps1`
creates a high-priority slow relay route `test-1 -> test-3 -> test-2` and a
lower-priority fast direct route `test-1 -> test-2`; the initial lease
selects the slow route by policy priority, then quality telemetry reports
fast route `8ms` and slow route `900ms`, and the refreshed lease selects the
fast route with score reason `service_channel_quality_latency_le_10ms`.
Result: `artifacts/c18z12-service-channel-route-quality-smoke-result.json`
run `c18z12-20260508-000209`; all checks passed and temporary route intents
expired.
- C18Z13 live service-channel route quality self-learning is implemented,
released as node-agent `0.2.188`, published to docker-test downloads,
registered in the stable update channel, and deployed to docker-test
containers `test-1/2/3`. Runtime fix: positive sub-millisecond
service-channel send durations are rounded to `1ms`, preventing fast local
routes from looking like "no quality sample". Unit coverage:
`TestFabricFlowSchedulerRoundsSubMillisecondSendDuration`. Live script
`scripts/fabric/c18z13-live-service-channel-route-quality-smoke.ps1` proves
the self-learning path without heartbeat injection: initial lease picks a
higher-priority relay route, real service-channel traffic sends 24 batches /
192 packets over the fast direct route, backend persists healthy route
feedback from the node-agent heartbeat (`last_send_duration_ms=1`,
`score_adjustment=90`), and a refreshed lease prefers that fast route over a
newly introduced higher-priority relay candidate. Result:
`artifacts/c18z13-live-service-channel-route-quality-smoke-result.json` run
`c18z13-20260508-001610`; backend fallback `0`, flow drops `0`, temporary
route intents expired. Published release id:
`64effc62-18b6-4eeb-a1c9-f5fb8e251491`.
- C18Z14 active-session route-quality preference is implemented. Backend
`rap-backend:fabric-service-channel-0.2.190` and node-agent `0.2.189` are
deployed to docker-test `test-1/2/3`; node-agent `0.2.189` is published to
docker-test downloads and registered in the stable update channel as release
`9bda9bac-71f3-4e8f-ae70-2abccb1cb866`. Backend now decays older healthy
service-channel feedback before lease scoring so stale success loses weight
before expiry. Node-agent consumes healthy route-quality observations from
signed synthetic config and can override sticky per-flow/config-order route
choice when a learned route is significantly better. Unit coverage:
`TestFabricClientPacketIngressQualityPreferenceOverridesStickyRoute` and
`TestIssueFabricServiceChannelLeaseDecaysOlderHealthyRouteFeedback`. Live
script
`scripts/fabric/c18z14-live-service-channel-active-quality-shift-smoke.ps1`
keeps one signed WebSocket open while route policy changes: it starts on a
higher-priority relay route, expires that route, sends real traffic through
the fast direct route to teach feedback, introduces a new higher-priority
relay candidate, and verifies the same active session stays on the learned
fast route. Result:
`artifacts/c18z14-live-service-channel-active-quality-shift-smoke-result.json`
run `c18z14-20260508-071644`; 60 batches / 480 packets delivered, backend
fallback `0`, flow drops `0`, temporary route intents expired.
- C18Z15 effective route-quality score telemetry is implemented. Backend
`rap-backend:fabric-service-channel-0.2.191` is deployed on docker-test, and
node-agent `0.2.190` is built, published to docker-test downloads, registered
in the stable update channel, and deployed to `test-1/2/3`. Published release
id: `2e4cd0c8-2480-4637-b845-6dcb115dbebd`. Backend feedback reports now
include decayed `effective_score_adjustment` alongside raw
`score_adjustment`; node-agent consumes the effective score for active
route-quality preference and exposes sorted `route_quality_preferences` in
runtime telemetry with raw/effective score and decay reasons. Unit coverage:
`TestFabricClientPacketIngressQualityPreferenceUsesEffectiveScore` and
`TestServiceChannelRouteFeedbackReportIncludesEffectiveDecayedScore`. Live
script
`scripts/fabric/c18z15-live-service-channel-effective-quality-smoke.ps1`
verifies route-quality preference telemetry, effective score visibility, and
decayed effective score visibility after the active-session quality-shift
scenario. Result:
`artifacts/c18z15-live-service-channel-effective-quality-smoke-result.json`
run `c18z14-20260508-073538`; 60 batches / 480 packets delivered, backend
fallback `0`, flow drops `0`, temporary route intents expired.
- C18Z16 per-channel route-quality fairness telemetry is implemented. Node-agent
`0.2.191` is built, published to docker-test downloads, registered in the
stable update channel, and deployed to `test-1/2/3`; backend remains
`rap-backend:fabric-service-channel-0.2.191`. Published release id:
`f072759c-5c3b-4ba0-936a-f59b6d3d7632`. Flow-scheduler channel stats now
expose the applied `quality_preference_route_id`, effective/raw preference
score, and preference reasons, so operators can see which logical channels
actually used learned route quality. Unit coverage:
`TestFabricClientPacketIngressQualityPreferencePreservesMultiChannelFairness`.
Live script
`scripts/fabric/c18z16-live-service-channel-quality-fairness-smoke.ps1`
validates multi-channel quality-preference fairness after the active-session
route-quality shift. Result:
`artifacts/c18z16-live-service-channel-quality-fairness-smoke-result.json`
run `c18z14-20260508-074943`; 60 batches / 480 packets delivered, 32 served
logical channels, 32 channels with quality preference applied, backend
fallback `0`, flow drops `0`, temporary route intents expired.
- C18Z17 stale route-quality marker cleanup is implemented. Node-agent
`0.2.192` is built, published to docker-test downloads, registered in the
stable update channel, and deployed to `test-1/2/3`; backend remains
`rap-backend:fabric-service-channel-0.2.191`. Published release id:
`846881bd-e7e0-4212-b8c9-4a6012c6eff7`. Flow-scheduler channel stats now
clear quality preference markers when the preference is no longer in the
effective preference set or when the route manager withdraws that route. Unit
coverage:
`TestFabricClientPacketIngressClearsStaleQualityPreferenceMarkers` and
`TestFabricClientPacketIngressClearsWithdrawnQualityPreferenceMarkers`.
Live script
`scripts/fabric/c18z17-live-service-channel-quality-cleanup-smoke.ps1`
verifies cleanup after the active-session quality/fairness scenario. Result:
`artifacts/c18z17-live-service-channel-quality-cleanup-smoke-result.json`
run `c18z14-20260508-075750`; 60 batches / 480 packets delivered, active
quality markers `32`, stale quality markers `0`, visible preferences `3`,
backend fallback `0`, flow drops `0`, temporary route intents expired.
- C18Z18 service-session-scoped flow scheduler memory is implemented.
Node-agent `0.2.193` is built, published to docker-test downloads,
registered in the stable update channel, and deployed to `test-1/2/3`;
backend remains `rap-backend:fabric-service-channel-0.2.191`. Published
release id: `05a3d29e-8a62-4bc8-84a3-1d00b794b9c9`. Runtime-sent flow
scheduler channel keys now include the VPN/service session:
`vpn:{vpnConnectionID}:flow-NN`. This keeps route memory, failed-route
avoidance, served/drop counters, and route-quality markers isolated when
several service-channel sessions share one entry/exit and hash to the same
logical flow shard. Unit coverage:
`TestFabricClientPacketIngressIsolatesRouteMemoryPerVPNConnection` and
`TestFabricClientPacketIngressQualityPreferencePreservesMultiChannelFairness`.
Live script
`scripts/fabric/c18z18-service-channel-session-scoped-fairness-smoke.ps1`
wraps the live C18Z17 quality path and verifies served live channels are
session-scoped, unscoped served `flow-NN` channels are absent, quality
markers are session-scoped, backend fallback is `0`, and flow drops are `0`.
Result:
`artifacts/c18z18-service-channel-session-scoped-fairness-smoke-result.json`
run `c18z14-20260508-082520`; 60 batches / 480 packets delivered, served
channels `32`, session-scoped served channels `32`, session-scoped quality
channels `32`, unscoped served channels `0`, backend fallback `0`, flow drops
`0`, temporary route intents expired.
- C18Z19 bounded parallel logical-flow send window is implemented. Node-agent
`0.2.194` is built, published to docker-test downloads, registered in the
stable update channel, and deployed to `test-1/2/3`; backend remains
`rap-backend:fabric-service-channel-0.2.191`. Published release id:
`926e5b84-4b0b-4f47-b1fe-798d8105679f`. The live node-agent runtime enables
`MaxParallelFlowSends=4`, so independent scheduled logical channels can send
concurrently instead of one slow channel blocking all following channels.
This remains service-neutral and does not inspect HTTP/RDP/DNS/application
traffic. Telemetry now exposes `max_parallel_flow_sends` and
`send_flow_parallel_batches`. Unit coverage:
`TestFabricClientPacketIngressParallelFlowWindowDoesNotBlockIndependentChannel`.
Live script
`scripts/fabric/c18z19-service-channel-parallel-flow-window-smoke.ps1` wraps
the C18Z18 live route-quality/session-scoped path and verifies the parallel
window is enabled and observed while backend fallback and flow drops stay at
zero. Result:
`artifacts/c18z19-service-channel-parallel-flow-window-smoke-result.json`
run `c18z14-20260508-084133`; 60 batches / 480 packets delivered,
`max_parallel_flow_sends=4`, `send_flow_parallel_batches=60`, served
channels `32`, session-scoped quality channels `32`, backend fallback `0`,
flow drops `0`, temporary route intents expired.
- C18Z20 per-channel latency/retry/in-flight telemetry and adaptive recommended
send-window telemetry are implemented. Node-agent `0.2.195` is built,
published to docker-test downloads, registered in the stable update channel,
and deployed to `test-1/2/3`; backend remains
`rap-backend:fabric-service-channel-0.2.191`. Published release id:
`b9e198e0-e012-4600-ad14-856820aff41c`. Scheduler telemetry now includes
global `in_flight`, `max_in_flight`, slow/failing channel counts, and
per-channel `send_attempts`, `send_successes`, `send_failures`,
`in_flight`, `max_in_flight`, and latency buckets. Ingress telemetry now
includes `recommended_parallel_flow_sends`; the recommendation shrinks under
bounded drops, degraded fallback recommendations, repeated failures, or
slow/stalled channels. Unit coverage:
`TestFabricFlowSchedulerRecommendsSmallerWindowUnderPressure` and
`TestFabricClientPacketIngressParallelFlowWindowDoesNotBlockIndependentChannel`.
Live script
`scripts/fabric/c18z20-service-channel-adaptive-window-telemetry-smoke.ps1`
wraps the C18Z19 live path and verifies the new telemetry on real docker-test
nodes. Result:
`artifacts/c18z20-service-channel-adaptive-window-telemetry-smoke-result.json`
run `c18z14-20260508-085635`; 60 batches / 480 packets delivered,
`max_parallel_flow_sends=4`, `recommended_parallel_flow_sends=4`,
`scheduler_max_in_flight=4`, attempts/success/latency visible on 32 channels,
backend fallback `0`, flow drops `0`, temporary route intents expired.
- C18Z21 rolling per-channel/session quality windows are implemented.
Node-agent `0.2.196` is built, published to docker-test downloads,
registered in the stable update channel, and deployed to `test-1/2/3`;
backend remains `rap-backend:fabric-service-channel-0.2.191`. Published
release id: `813b2050-4d4e-444c-9bde-72b1d1f7dd35`. Scheduler decisions now
use a bounded fresh quality window instead of lifetime-only drop/failure
counters, so old pressure rolls out after newer successful samples. Telemetry
now exposes scheduler-level `quality_window_sample_count`,
`quality_window_failure_count`, `quality_window_slow_count`,
`quality_window_drop_count`, and per-channel success/failure/slow/drop sample
counts, average latency, and last update time. Unit coverage:
`TestFabricFlowSchedulerRollingQualityWindowForgetsOldPressure`,
`TestFabricFlowSchedulerRecommendsSmallerWindowUnderPressure`, and
`TestFabricClientPacketIngressParallelFlowWindowDoesNotBlockIndependentChannel`.
Live script
`scripts/fabric/c18z21-service-channel-rolling-quality-window-smoke.ps1`
wraps the C18Z20 live path and verifies the rolling-window telemetry on real
docker-test nodes. Result:
`artifacts/c18z21-service-channel-rolling-quality-window-smoke-result.json`
run `c18z14-20260508-091952`; 60 batches / 480 packets delivered,
scheduler quality-window samples `480`, failures `0`, drops `0`, window
samples/success/latency visible on 32 channels, `recommended_parallel_flow_sends=4`,
backend fallback `0`, flow drops `0`, temporary route intents expired.
- C18Z22 backend durable route feedback now consumes the rolling quality
window from node-agent heartbeat metadata. Backend
`rap-backend:fabric-service-channel-0.2.197` is built and deployed on
docker-test; node-agent remains `0.2.196` on `test-1/2/3`. For agents that
expose `quality_window_*`, backend uses fresh rolling failure/drop/slow
counts and rolling average latency when creating `fabric_service_channel`
route feedback; old `last_failed_route_id`, `consecutive_failures`, and
`stall_count` remain fallback inputs for older agents only. This prevents old
route failures from dominating durable scoring after the channel has recovered
with a clean rolling window. Unit coverage:
`TestRecordHeartbeatUsesRollingQualityWindowForRouteFeedback` and
`TestRecordHeartbeatPersistsServiceChannelRouteFeedbackForLaterLease`.
Live script
`scripts/fabric/c18z22-service-channel-rolling-feedback-smoke.ps1` wraps the
C18Z21 live path and verifies persisted route feedback contains
`service_channel_rolling_quality_window` plus payload `quality_window_*`
fields. Result:
`artifacts/c18z22-service-channel-rolling-feedback-smoke-result.json` run
`c18z14-20260508-093100`; 60 batches / 480 packets delivered, route feedback
count `1`, rolling feedback count `1`, healthy rolling feedback count `1`,
rolling payload count `1`, backend fallback `0`, flow drops `0`.
- C18Z23 recovery hysteresis is implemented for recovered service-channel
routes. Backend `rap-backend:fabric-service-channel-0.2.198` is built and
deployed on docker-test; node-agent remains `0.2.196` on `test-1/2/3`.
When a route has an operator-expire/manual retry cooldown from prior fenced
feedback but now also has healthy rolling-window feedback, backend re-admits
the route as `authorized` while applying a bounded recovery hysteresis score
penalty (`150`) and `service_channel_recovery_hysteresis` reason. This keeps
recovered routes available as alternates without immediately displacing a
steady route and reducing route-selection flapping. Unit coverage:
`TestIssueFabricServiceChannelLeaseDampensRecoveredRouteDuringRetryCooldown`
and `TestRecordHeartbeatUsesRollingQualityWindowForRouteFeedback`. Live
script
`scripts/fabric/c18z23-service-channel-recovery-hysteresis-smoke.ps1` wraps
the C18Z22 live path and verifies backend `0.2.198`, rolling feedback, and
clean live forwarding. Result:
`artifacts/c18z23-service-channel-recovery-hysteresis-smoke-result.json` run
`c18z14-20260508-094111`; 60 batches / 480 packets delivered, backend
fallback `0`, flow drops `0`, recovery hysteresis penalty `150`.
- C18Z24 recovery visibility is implemented for service-channel route
diagnostics. Backend `rap-backend:fabric-service-channel-0.2.199` is built
and deployed on docker-test; node-agent remains `0.2.196` on `test-1/2/3`.
Route feedback API responses and node-scoped service-channel feedback reports
now expose `recovery_state`, `recovery_hysteresis_active`, and
`recovery_hysteresis_penalty`, while route path decision reports count
`recovery_hysteresis_count`. Admin diagnostics now show recovered/hysteresis
chips and a recovery column beside route feedback status. Unit coverage:
`TestIssueFabricServiceChannelLeaseDampensRecoveredRouteDuringRetryCooldown`,
`TestServiceChannelRouteFeedbackReportExposesRecoveryState`, and
`TestRoutePathDecisionReportCountsRecoveryHysteresis`. Smoke result:
`artifacts/c18z24-service-channel-recovery-visibility-smoke-result.json`;
route feedback API exposed recovery shape for 109 observations, backend
image `0.2.199` was live, and the web-admin build was published to
`rap_web_admin`.
- C18Z25 recovery promotion policy is implemented. Backend
`rap-backend:fabric-service-channel-0.2.200` is built and deployed on
docker-test; node-agent remains `0.2.196`. A route under manual retry
cooldown remains `recovered` with hysteresis penalty until it reports at
least 64 clean rolling-window samples (`success >= 64`, failures/slow/drops
zero). After that it is promoted back to steady `healthy`, gets
`recovery_promoted=true`, `service_channel_recovery_promoted`, and no
hysteresis penalty. Admin/API now expose promoted counts/flags alongside
recovered/hysteresis state. Smoke result:
`artifacts/c18z25-service-channel-recovery-promotion-smoke-result.json`;
backend image `0.2.200` was live and route-feedback API exposed recovery
state for 109 observations.
- C18Z26 recovery demotion policy is implemented. Backend
`rap-backend:fabric-service-channel-0.2.201` is built and deployed on
docker-test; node-agent remains `0.2.196`. If a previously recovered or
promoted route under retry cooldown reports fresh rolling failures, drops,
slow samples, degraded fallback, rebuild recommendation, or fenced feedback,
backend now exposes `recovery_demoted=true` with a concrete
`recovery_reason` such as `service_channel_recovery_demoted_failure`,
`..._slow`, `..._rebuild`, or `..._fenced`. Route score reasons include
`service_channel_recovery_demoted` and the specific demotion reason, and
route path decision reports count `recovery_demoted_count`. Admin diagnostics
now show demoted feedback/path chips and the demotion reason. Smoke result:
`artifacts/c18z26-service-channel-recovery-demotion-smoke-result.json`;
backend image `0.2.201` was live and route-feedback API exposed recovery
state for 109 observations.
- C18Z27 recovery policy tuning is implemented. Backend
`rap-backend:fabric-service-channel-0.2.202` is built and deployed on
docker-test; node-agent remains `0.2.196`. Effective service-channel
recovery policy now has a strict default contract and optional cluster
metadata override at `fabric_service_channel_recovery_policy`. API endpoints
`GET/PUT /clusters/{clusterID}/fabric/service-channels/recovery-policy`
expose and update hysteresis penalty, promotion minimum samples, demotion
thresholds for failures/drops/slow samples, and rebuild/fenced demotion
toggles. Lease route selection, route feedback reports, and node-scoped
synthetic config feedback consume the effective policy. Web-admin shows and
edits the policy in the service-channel route feedback card. Smoke result:
`artifacts/c18z27-service-channel-recovery-policy-smoke-result.json`; live
API updated policy values, then restored strict defaults
(`penalty=150`, `promotion_min_samples=64`, demotion thresholds `1`).
- C18Z28 recovery policy provenance is implemented. Backend
`rap-backend:fabric-service-channel-0.2.203` is built and deployed on
docker-test; node-agent remains `0.2.196`. `FabricServiceChannelRoute`,
`FabricServiceChannelLease`, signed lease authority payloads,
service-channel route feedback reports, and route path decision reports now
carry the effective recovery policy used for scoring and recovery decisions.
This makes every primary/alternate/fallback choice auditable against the
policy source and thresholds that produced it. Web-admin node diagnostics
show the service-channel feedback policy and route decision policy source.
Smoke result:
`artifacts/c18z28-service-channel-recovery-policy-provenance-smoke-result.json`;
live synthetic config and live lease issuance both exposed recovery policy
provenance on docker-test.
- C18Z29 feedback provenance guardrails are implemented. Backend
`rap-backend:fabric-service-channel-0.2.204` is built and deployed on
docker-test; node-agent remains `0.2.196`. Recovery policy now has a stable
fingerprint. Backend recognizes optional runtime feedback provenance fields
(`recovery_policy_fingerprint`, `route_generation`, `route_policy_version`,
`policy_version`), exposes observed/effective fingerprints/generations on
route feedback observations, and reports missing/stale counters. Explicit
stale policy/generation feedback is scored conservatively, cannot fence a
current route, and cannot request rebuild/demotion; missing provenance stays
compatible for current old agents but is visible in diagnostics. Web-admin
shows provenance warnings in service-channel feedback. Smoke result:
`artifacts/c18z29-service-channel-feedback-provenance-guard-smoke-result.json`.
- C18Z30 node-agent feedback provenance is implemented. Backend
`rap-backend:fabric-service-channel-0.2.209` and node-agent `0.2.208` are
built and deployed on docker-test (`test-1/2/3`). Node-agent now preserves the
signed synthetic config contract for recovery feedback/route decision fields
and records per-flow `recovery_policy_fingerprint`, `route_policy_version`,
and `route_generation` at send time, so feedback remains auditable even after
route churn/expiry. Backend heartbeat parsing now preserves those fields into
durable service-channel feedback payloads. Live smoke passed with 28/28
runtime channel stats carrying provenance, 3/3 feedback observations carrying
provenance, and no missing/stale provenance counters. Artifacts:
`artifacts/c18z30-node-telemetry-provenance-live-smoke-base-result.json` and
`artifacts/c18z30-node-agent-feedback-provenance-smoke-result.json`.
- C18Z31 service-channel rebuild ledger is implemented. Backend
`rap-backend:fabric-service-channel-0.2.211` is built and deployed on
docker-test; node-agent remains `0.2.208` on `test-1/2/3`. Backend now keeps
durable route rebuild attempt history in
`fabric_service_channel_route_rebuild_attempts`, upserted from synthetic
config route decisions when service-channel feedback requests rebuild. The
ledger stores trigger/rebuild status, old route, selected replacement,
policy fingerprint, generation, feedback status/reasons, latency/failure
counters, outcome, and compact decision payload. API endpoint
`GET /clusters/{clusterID}/fabric/service-channels/rebuild-attempts` exposes
the history; web-admin loads it into Service-channel route feedback
diagnostics as a rebuild ledger table. Migration `000026` is applied on
docker-test. Live smoke passed:
`artifacts/c18z31-base-active-rebuild-smoke-result.json` and
`artifacts/c18z31-service-channel-rebuild-ledger-smoke-result.json`.
- C18Z32 service-channel rebuild timeline is implemented. Backend
`rap-backend:fabric-service-channel-0.2.213` is built and deployed on
docker-test; node-agent remains `0.2.208` on `test-1/2/3`. The rebuild
attempts API now enriches durable ledger rows with node-agent heartbeat
correlation: matching `route_manager_transition`, route-generation apply or
withdrawn decision, post-rebuild selected route, flow packet/drop/failure
counters, and a compact chronological `timeline` with
`backend_decision`, `node_route_generation_apply`,
`node_route_manager_transition`, and `post_rebuild_traffic` stages. Matching
is generation-strict when the backend attempt has a generation, preventing
stale transition/status matches. Web-admin rebuild ledger shows backend,
agent, route-generation, and traffic columns. Live smoke passed:
`artifacts/c18z32-base-rebuild-ledger-smoke-result.json` and
`artifacts/c18z32-service-channel-rebuild-timeline-smoke-result.json`.
- C18Z33 service-channel rebuild guardrails are implemented. Backend
`rap-backend:fabric-service-channel-0.2.214` is built and deployed on
docker-test; node-agent remains `0.2.208`. Rebuild attempts API now adds
computed guard fields: `guard_status`, `guard_severity`, `guard_reason`,
age, and transition/traffic deadlines. Successful correlated rebuilds report
`guard_status=ok`, `guard_severity=good`; missing node transition,
route-generation correlation, post-rebuild traffic, unexpected selected
route, or post-rebuild drops/failures surface as warn/bad states. Web-admin
shows guard chips and counts in the service-channel rebuild ledger. Live
smoke passed: `artifacts/c18z33-base-rebuild-ledger-smoke-result.json` and
`artifacts/c18z33-service-channel-rebuild-guard-smoke-result.json`.
- C18Z34 service-channel rebuild health summary is implemented. Backend
`rap-backend:fabric-service-channel-0.2.215` is built and deployed on
docker-test; node-agent remains `0.2.208`. New endpoint
`GET /clusters/{clusterID}/fabric/service-channels/rebuild-health` returns a
cluster-level operational summary over the durable rebuild ledger/timeline:
counts by guard status/severity, applied/pending counts, affected reporter
nodes/routes, most recent bad attempts, and recommended operator action.
Web-admin shows the summary as a Rebuild health subpanel above the rebuild
ledger. Live smoke passed:
`artifacts/c18z34-base-rebuild-guard-smoke-result.json` and
`artifacts/c18z34-service-channel-rebuild-health-smoke-result.json`.
- C18Z35 service-channel rebuild alert silence lifecycle is implemented.
Backend `rap-backend:fabric-service-channel-0.2.216` is built and deployed on
docker-test; node-agent remains `0.2.208`. Migration `000027` creates
`fabric_service_channel_rebuild_alert_silences`, applied on docker-test. New
API `POST /clusters/{clusterID}/fabric/service-channels/rebuild-health/silences`
records bounded operator silence for an exact alert fingerprint:
reporter node, route, guard status, and generation. Rebuild health now
separates total bad/warn from active bad/warn and silenced counts; silenced
alerts are omitted from affected nodes/routes and active bad attempt lists.
A new generation, route, or reporter remains active by design. Web-admin
exposes `silence 6h` on active bad rebuild-health rows. Live smoke passed:
`artifacts/c18z35-base-rebuild-health-smoke-result.json` and
`artifacts/c18z35-service-channel-rebuild-alert-silence-smoke-result.json`.
- C18Z36 service-channel rebuild alert resurfacing is implemented. Backend
`rap-backend:fabric-service-channel-0.2.217` is built and deployed on
docker-test; node-agent remains `0.2.208`. Rebuild health marks active
bad/warn attempts as `alert_resurfaced` when an active silence exists for the
same reporter node, route, and guard status but a different generation. The
summary exposes `resurfaced_count` and `resurfaced_attempts`, including the
previous silenced generation and silence expiry. Web-admin shows a resurfaced
chip/table and allows silencing the new generation separately. Live smoke
passed: `artifacts/c18z36-base-rebuild-health-smoke-result.json` and
`artifacts/c18z36-service-channel-rebuild-alert-resurface-smoke-result.json`.
- C18Z37 service-channel readiness gate is implemented. Backend
`rap-backend:fabric-service-channel-0.2.218` is built and deployed on
docker-test; node-agent remains `0.2.208`. New endpoint
`GET /clusters/{clusterID}/fabric/service-channels/readiness` returns a fast
recent-window verdict: `clean`, `degraded`, or `blocked`, with active
bad/warn counts, resurfaced/silenced counts, missing transition,
route-generation, post-rebuild traffic, unexpected-route, and post-rebuild
degraded counters plus blocking/degraded reasons and recommended operator
action. Web-admin shows this as a top-level readiness panel in
Service-channel route feedback. Readiness and default admin health queries
are intentionally capped to a small recent window so the operator view stays
responsive after many rebuild attempts; deep ledger diagnostics remain a
separate next layer. Live smoke passed:
`artifacts/c18z37-base-rebuild-health-smoke-result.json` and
`artifacts/c18z37-service-channel-readiness-smoke-result.json`.
- C18Z38 service-channel rebuild ledger enrichment split is implemented.
Backend `rap-backend:fabric-service-channel-0.2.219` is built and deployed
on docker-test; node-agent remains `0.2.208`. The rebuild attempts API now
defaults to `enrichment=summary`, returning durable ledger rows without the
expensive heartbeat/timeline guard correlation. Operators can request
`enrichment=deep` explicitly for per-route investigation. Web-admin defaults
to the fast ledger, shows timeline/guard fields as deep-only in summary mode,
and provides a manual deep ledger toggle. C18Z32/C18Z33 smokes now request
deep enrichment. Live smoke passed:
`artifacts/c18z38-service-channel-rebuild-ledger-enrichment-smoke-result.json`.
- C18Z39 service-channel rebuild ledger drilldown is implemented. Backend
`rap-backend:fabric-service-channel-0.2.220` is built and deployed on
docker-test; node-agent remains `0.2.208`. The rebuild attempts API now
accepts `generation` and `offset`, allowing narrow deep investigations by
reporter node, route, service class, and route generation with bounded
pagination. Web-admin adds rebuild ledger filters for reporter/route/
generation/service plus prev/next paging in deep mode. Live smoke passed:
`artifacts/c18z39-service-channel-rebuild-ledger-drilldown-smoke-result.json`.
- C18Z40 service-channel rebuild incident grouping is implemented. Backend
`rap-backend:fabric-service-channel-0.2.222` is built and deployed on
docker-test; node-agent remains `0.2.208`. New endpoint
`GET /clusters/{clusterID}/fabric/service-channels/rebuild-incidents`
groups the bounded recent rebuild window by reporter node, route, service
class, generation, and guard status, exposing first/last seen, attempt count,
latest guard/replacement/outcome, silence/resurface flags, and recommended
action. The incident window is capped to 5 to keep default admin refresh
bounded; broader investigation still uses filtered deep ledger. Web-admin
shows a Rebuild incidents list and `open deep` loads the exact filtered deep
ledger slice for that incident. Live smoke passed:
`artifacts/c18z40-service-channel-rebuild-incidents-smoke-result.json`.
- C18Z41 service-channel rebuild incident actions are implemented. Backend
`rap-backend:fabric-service-channel-0.2.223` is built and deployed on
docker-test; node-agent remains `0.2.208`. New API
`POST /clusters/{clusterID}/fabric/service-channels/rebuild-incidents/investigations`
records an audit event when an operator opens a deep rebuild investigation.
Web-admin incident rows now expose `open deep` with audit and `silence 6h`
using the incident fingerprint fields; after silence the panel refreshes only
rebuild health/readiness/incidents instead of the whole cluster scope. Live
smoke passed:
`artifacts/c18z41-service-channel-rebuild-incident-actions-smoke-result.json`.
- C18Z42 service-channel rebuild correlation snapshots are implemented.
Backend `rap-backend:fabric-service-channel-0.2.224` is built and deployed
on docker-test; node-agent remains `0.2.208`. Migration `000028` adds
durable correlation/guard snapshot columns to
`fabric_service_channel_route_rebuild_attempts`, including node transition,
route-generation, post-rebuild traffic, guard status/severity/reason,
compact timeline, and `correlation_snapshot_at`. Deep enrichment now writes
the snapshot once; later deep/readiness/health/incidents reuse it and only
recompute age-sensitive guard state without scanning heartbeat history.
External summary ledger still strips guard/timeline fields to preserve the
fast C18Z38 contract. On docker-test, applying `000028` manually was required
before smoke because this manual backend redeploy path does not auto-apply
migrations. Live smoke passed twice; after warm snapshot timings were roughly
summary 92 ms, deep 2 ms, incidents 2 ms:
`artifacts/c18z42-service-channel-rebuild-correlation-snapshot-smoke-result.json`.
- C18Z43 service-channel schema preflight is implemented. Backend
`rap-backend:fabric-service-channel-0.2.225` is built and deployed on
docker-test; web-admin is redeployed. New endpoint
`GET /clusters/{clusterID}/fabric/service-channels/schema-status` checks the
DB relation/columns required by migration `000028` before operators rely on
rebuild health/readiness/incidents. Web-admin shows a Fabric schema preflight
panel beside service-channel readiness, with required/missing check counts and
operator action. Live smoke passed:
`artifacts/c18z43-service-channel-schema-preflight-smoke-result.json`.
- C18Z44 service-channel rebuild snapshot warmup is implemented. Backend
`rap-backend:fabric-service-channel-0.2.226` is built and deployed on
docker-test; web-admin is redeployed. New endpoint
`POST /clusters/{clusterID}/fabric/service-channels/rebuild-snapshots/warmup`
performs a bounded proactive pass over recent rebuild attempts. It fills
missing correlation snapshots, counts stale snapshots, and defers heavy stale
rescans because age-sensitive guard state is already recomputed from cached
snapshots on read. Web-admin adds a `warm snapshots` action and displays
warmed/fresh/missing/stale/deferred/error counts. Live smoke passed:
`artifacts/c18z44-service-channel-rebuild-snapshot-warmup-smoke-result.json`.
- C18Z45 service-channel rebuild snapshot auto-warmup is implemented. Backend
`rap-backend:fabric-service-channel-0.2.227` is built and deployed on
docker-test; node-agent remains `0.2.208`. Heartbeat processing now performs a
bounded missing-snapshot maintenance pass for the reporting node's recent
rebuild attempts. It only persists a snapshot when the heartbeat contains
runtime evidence such as post-rebuild traffic or matched route-manager/
route-generation state, preventing backend-only timelines from becoming stale
cache entries. Auto-warmup writes an audit event
`fabric.service_channel_rebuild_snapshot.auto_warmup` with trigger, heartbeat,
warmed route IDs, generations, rebuild IDs, counts, and errors. Live smoke
passed:
`artifacts/c18z45-service-channel-rebuild-snapshot-auto-warmup-smoke-result.json`.
- C18Z46 service-channel rebuild snapshot maintenance health is implemented.
Backend `rap-backend:fabric-service-channel-0.2.228` is built and deployed
on docker-test; web-admin is redeployed. New endpoint
`GET /clusters/{clusterID}/fabric/service-channels/rebuild-snapshots/health`
exposes bounded snapshot-cache maintenance status: recent attempt count,
valid/missing/overdue runtime-evidence snapshots, heartbeat threshold, latest
auto-warmup audit summary, and per-node warmed/error/missing counts. Web-admin
adds a `Snapshot maintenance` panel beside schema/readiness. Live smoke
passed:
`artifacts/c18z46-service-channel-rebuild-snapshot-health-smoke-result.json`.
- C18Z47 service-channel signed lease enforcement is implemented. Node-agent
release `0.2.230` is built, published under `/downloads`, registered as the
active `rap-node-agent` dev release, and deployed on docker-test
`test-1/2/3`; all three report `0.2.230`, healthy, and current after policy
update. When a cluster authority public key is pinned, the node-agent now
rejects unsigned `rap_fsc_*` service-channel requests and requires the
signed `rap.fabric_service_channel_lease_authority.v1` payload/signature
headers. Legacy unsigned tokens remain accepted only in unpinned test mode.
Live smoke proved unsigned POST is rejected with 403 while signed lease POST
is accepted with 202:
`artifacts/c18z47-service-channel-signed-lease-enforcement-smoke-result.json`.
- C18Z48 service-channel backend introspection compatibility is implemented.
Backend `rap-backend:fabric-service-channel-0.2.231` is built/deployed on
docker-test. Node-agent/host-agent artifacts `0.2.232` are published under
`/downloads`; `rap-node-agent` release `0.2.232` is registered and deployed
on `test-1/2/3`, and all three report healthy/current. When signed
service-channel authority headers are absent but cluster authority is pinned,
node-agent now calls backend lease introspection before accepting an unsigned
token. Bad tokens are still rejected. Live smoke passed:
`artifacts/c18z48-service-channel-introspection-smoke-result.json`.
- C18Z49 service-channel acceptance telemetry is implemented in node-agent
`0.2.232`. Each accepted Fabric Service Channel ingress records
`accepted_by=signed|introspection|legacy_unsigned`, route preference, and
backend-fallback state in structured node logs. HTTP packet ingress also
returns `X-RAP-Service-Channel-Accepted-By` for smoke/diagnostics.
- C18Z50 durable service-channel lease introspection is implemented. Migration
`000029_fabric_service_channel_leases` adds a durable lease table keyed by
cluster/channel and stores only `token_hash` plus a scrubbed lease payload
with the raw bearer token removed. Backend
`rap-backend:fabric-service-channel-0.2.233` is built/deployed on
docker-test after applying the migration. Introspection now reads memory
first, then durable storage, so compatibility clients survive backend
restart. Live smoke restarted `rap_test_backend`, accepted the unsigned token
through introspection, rejected a bad token, and verified the durable lease
omits the raw token:
`artifacts/c18z50-service-channel-durable-introspection-smoke-result.json`.
- C18Z51 service-channel lease maintenance is implemented. Backend
`rap-backend:fabric-service-channel-0.2.234` is built/deployed on
docker-test. New endpoints list durable service-channel lease maintenance
state and run bounded expired-lease cleanup:
`GET /clusters/{clusterID}/fabric/service-channels/leases` and
`POST /clusters/{clusterID}/fabric/service-channels/leases/cleanup`.
Web-admin adds a `Service-channel leases` panel with active/expired counts,
recent lease rows, and cleanup action. Live smoke issued a 1-second lease,
observed it as expired, cleaned it up, and verified it disappeared:
`artifacts/c18z51-service-channel-lease-maintenance-smoke-result.json`.
- C18Z52 service-channel access telemetry visibility is implemented. Backend
`rap-backend:fabric-service-channel-0.2.235` is built/deployed on
docker-test; node-agent/host-agent `0.2.235` artifacts are published under
`/downloads`, registered as active dev releases, and deployed on
`test-1/2/3`. Node-agent now reports accepted service-channel ingress
counters by `signed`, `introspection`, and `legacy_unsigned`, including
backend-fallback count and last accepted timestamp. Backend exposes
`GET /clusters/{clusterID}/fabric/service-channels/access-telemetry`,
reading telemetry observations with heartbeat metadata fallback. Web-admin
adds a `Service-channel access` panel with cluster totals and per-node rows.
Live smoke sent packets through test-1, observed
`X-RAP-Service-Channel-Accepted-By: introspection`, and verified backend
aggregate visibility:
`artifacts/c18z52-service-channel-access-telemetry-smoke-result.json`.
- C18Z53 service-channel access/session correlation is implemented. Backend
`rap-backend:fabric-service-channel-0.2.236` is built/deployed on
docker-test; node-agent remains `0.2.235`. The access telemetry endpoint now
correlates accepted ingress counters with active durable service-channel
leases, selected entry/exit nodes, primary route status, explicit backend
fallback, and latest route-quality feedback when a route exists. Web-admin's
`Service-channel access` panel now shows active channel rows before per-node
counters, so operators can see whether a live service channel is using normal
route quality feedback or degraded backend fallback. Live smoke created an
active lease, sent ingress traffic through test-1, and verified active
channel correlation plus fallback visibility:
`artifacts/c18z53-service-channel-access-correlation-smoke-result.json`.
- C18Z54 normal-route access correlation is smoke-proven on the existing
C18Z53 backend/admin surface. New smoke creates a temporary direct
`vpn_packets` route intent, injects healthy route-quality heartbeat
telemetry, issues a service-channel lease that selects the normal primary
route, sends ingress traffic, and verifies the access telemetry active
channel row is `ready`, not backend fallback, with `route_feedback_status`
`healthy`, rolling quality counters, and last send duration:
`artifacts/c18z54-service-channel-normal-route-access-smoke-result.json`.
- C18Z55 degraded normal-route access correlation is smoke-proven on the same
backend/admin surface. The smoke first issues a lease on a normal primary
`vpn_packets` route, then injects degraded/fenced route-quality heartbeat
feedback for that already-selected route. Access telemetry correctly reports
the active channel as `ready` and `force_backend_fallback=false`, while route
feedback is `fenced`, rolling failure/drop/slow counters are visible, and the
aggregate access status becomes `degraded` because `degraded_route_count > 0`:
`artifacts/c18z55-service-channel-degraded-route-access-smoke-result.json`.
- C18Z56 active-channel remediation diagnostics are implemented. Backend
`rap-backend:fabric-service-channel-0.2.237` is built/deployed on
docker-test; node-agent remains `0.2.235`. Active access telemetry channel
rows now include `remediation_action`, `remediation_reason`,
`remediation_route_id`, `remediation_route_status`, and an operator hint.
Decisions distinguish explicit backend fallback, degraded/fenced normal
route with an authorized alternate (`prefer_alternate_route`), degraded/fenced
route needing rebuild (`rebuild_route`), and healthy route (`none`).
Web-admin shows the remediation action in the `Service-channel access`
active-channel table. C18Z55 smoke now verifies
`remediation_action=rebuild_route`; backend unit coverage verifies the
alternate-route remediation branch.
- C18Z56 alternate-route remediation is also live-smoke-proven. New smoke
creates primary and authorized alternate `vpn_packets` routes, issues a lease
while primary is still healthy/selected, then injects fenced feedback for the
selected primary. Access telemetry keeps the active channel on the normal
route with `force_backend_fallback=false`, reports `route_feedback_status`
`fenced`, and recommends `remediation_action=prefer_alternate_route` with the
alternate route id/status; `degraded_fallback_channel_count` stays zero:
`artifacts/c18z56-service-channel-alternate-remediation-smoke-result.json`.
- C18Z57 bounded remediation command contract is implemented. Backend
`rap-backend:fabric-service-channel-0.2.238` is built/deployed on
docker-test; node-agent remains `0.2.235`. Active access telemetry channel
rows now include `remediation_command` for non-noop remediation actions, with
schema version, deterministic command id, action, channel/resource/service,
entry/exit, primary route, replacement route when present, reason/operator
hint, issued time, and a bounded TTL capped to the lease lifetime. Web-admin
marks remediation rows with `cmd` when this machine-readable command is
present. Live smoke proves a fenced selected primary route with an authorized
alternate emits a `prefer_alternate_route` command pointing at the alternate:
`artifacts/c18z57-service-channel-remediation-command-smoke-result.json`.
- C18Z58 service-channel remediation command consumption is implemented.
Backend `rap-backend:fabric-service-channel-0.2.239` and node-agent
`rap-node-agent:0.2.237` are built/deployed on docker-test (`test-1/2/3`).
Backend now projects active `remediation_command` items into node-scoped
synthetic mesh config as `service_channel_remediation_commands`. Node-agent
parses those commands and turns `prefer_alternate_route` into an explicit
route-manager `applied` decision with source
`service_channel_remediation_command`, so an active channel that still
presents the old primary route can be routed through the replacement route.
Web-admin node details show remediation-command count/table in the Mesh tab.
Live smoke proves access telemetry, synthetic config projection, and
node-agent route-manager consumption:
`artifacts/c18z58-service-channel-remediation-apply-smoke-result.json`.
- C18Z59 active remediation traffic proof is smoke-proven on the same
backend/node-agent images with production forwarding enabled on docker-test
`test-1/2/3`. The smoke sends service-channel traffic before/after the
remediation command is consumed, then verifies runtime heartbeat evidence:
`last_selected_route_id` and flow-scheduler `last_route_id` move to the
replacement route, `send_successes=1`, `send_failures=0`,
`send_fallback_local=0`, and no degraded backend fallback is recommended.
Result:
`artifacts/c18z59-service-channel-remediation-traffic-smoke-result.json`.
- C18Z60 multi-flow remediation traffic proof is smoke-proven. The smoke sends
a batch of twelve IPv4/TCP-like packets that classify into multiple
independent VPN flow channels after the remediation command is consumed.
Runtime heartbeat evidence shows the replacement route selected, at least two
flow-scheduler channels on that route, no local/backend fallback, no flow
drops, and no route send failures. Result:
`artifacts/c18z60-service-channel-remediation-multiflow-smoke-result.json`.
- C18Z61 pressure remediation traffic proof is smoke-proven. The smoke sends a
batch of 128 IPv4/TCP-like packets after remediation; runtime evidence shows
32 replacement-route flow stats, scheduler high-watermark 5,
max-in-flight 4, `send_fallback_local=0`, route failures 0, and flow/scheduler
drops 0. Result:
`artifacts/c18z61-service-channel-remediation-pressure-smoke-result.json`.
- C18Z62 service-channel QoS class wiring is implemented in node-agent and
live-smoke-proven on docker-test image `rap-node-agent:0.2.238-c18z62`.
Service-channel HTTP ingress accepts neutral `X-RAP-Traffic-Class`
(`control`, `interactive`, `reliable`, `bulk`, `droppable`) and the flow
scheduler keeps distinct traffic-class channel ids/stats while preserving the
old default bulk channel ids. Unit tests prove priority ordering
`control > interactive > reliable > bulk > droppable`; live smoke proves a
bulk 128-packet pressure batch plus an interactive packet both move through
the remediation replacement route with no local/backend fallback, drops, or
route failures. Result:
`artifacts/c18z62-service-channel-remediation-qos-smoke-result.json`.
- C18Z63 concurrent QoS isolation is implemented and unit-proven. A controlled
runtime test holds a bulk traffic-class send in-flight with a blocking
production transport, then sends an independent interactive traffic-class
packet through the same ingress; the interactive send completes before the
bulk release, with `MaxInFlight >= 2`, traffic-class-specific stats, no drops,
and no failures. This proves the shared Fabric Service Channel runtime does
not globally serialize interactive/control-style traffic behind bulk work.
Artifact:
`artifacts/c18z63-service-channel-concurrent-qos-go-test.jsonl`.
- C18Z64 traffic-class telemetry aggregation is implemented and live-proven on
docker-test image `rap-node-agent:0.2.239-c18z64`. `rap.fabric_flow_scheduler.v1`
snapshots now include `traffic_class_counts`, giving backend/admin/diagnostics
a compact count of active flow channels per traffic class without scanning
every channel stat. Unit coverage proves the counts for explicit
control/interactive/bulk classes and for the concurrent bulk+interactive
isolation case. Live smoke re-ran the QoS path on `test-1/2/3`; latest
heartbeat snapshot showed `traffic_class_counts` `bulk=32`,
`interactive=12`, drops 0. Artifacts:
`artifacts/c18z64-service-channel-traffic-class-telemetry-go-test.jsonl`,
`artifacts/c18z64-service-channel-traffic-class-telemetry-live-smoke-result.json`,
and
`artifacts/c18z64-service-channel-traffic-class-telemetry-live-snapshot.json`.
- C18Z65/C18Z66 backend/admin QoS diagnostics are implemented and live-proven.
Backend `rap-backend:fabric-service-channel-0.2.241-c18z66` is deployed on
docker-test and projects runtime `traffic_class_counts`, flow channel count,
max in-flight, dropped, and high-watermark from node heartbeats into
`GET /fabric/service-channels/access-telemetry` at node, active-channel, and
cluster aggregate levels. Web-admin Service-channel access shows flow QoS
chips/rows for cluster totals, active channels, and nodes. Live API aggregate
result showed `bulk=32`, `interactive=12`, `flow_channel_count=44`,
`flow_max_in_flight=4`. Artifacts:
`artifacts/c18z65-service-channel-access-qos-telemetry-api-result.json`,
`artifacts/c18z65-service-channel-access-qos-telemetry-smoke-result.json`,
and
`artifacts/c18z66-service-channel-access-qos-aggregate-api-result.json`.
- C18Z67 live concurrent QoS proof is implemented and smoke-proven against
docker-test backend `rap-backend:fabric-service-channel-0.2.241-c18z66` and
node-agent image `rap-node-agent:0.2.239-c18z64`. The smoke pushes six
parallel bulk service-channel HTTP packet requests while an interactive
traffic-class request is injected through the same entry path after
remediation. Run `c18z67-20260508-213452` accepted all 6 bulk requests,
forwarded 3072 post-remediation packets, completed the interactive request in
132 ms, observed 32 bulk and 12 interactive replacement-route flow stats, and
kept local/backend fallback, route failures, flow drops, and scheduler drops
at 0. Artifact:
`artifacts/c18z67-service-channel-concurrent-qos-live-smoke-result.json`.
- C18Z68 service-channel flow-health guard is implemented and deployed on
docker-test as `rap-backend:fabric-service-channel-0.2.242-c18z68`, with
web-admin rebuilt/deployed. Access telemetry now projects
`flow_health_status` and `flow_health_reason` at cluster, node, and
active-channel levels from traffic-class counts, queue pressure, flow drops,
backend fallback, route-quality failures/drops/slow samples, and route send
latency. Web-admin shows explicit flow-health chips beside flow QoS so
sustained bulk pressure, degraded latency, fallback, and drops are visible
before adding user services. Verification passed:
`go test ./internal/modules/cluster`, web-admin `npm run build`, updated
C18Z67 live smoke against backend `0.2.242-c18z68`, and live API artifact
`artifacts/c18z68-service-channel-flow-health-api-result.json`.
- C18Z69 node-side adaptive backpressure is implemented and deployed on
docker-test image `rap-node-agent:0.2.243-c18z69` for `test-1/2/3`.
`FabricFlowScheduler` now calculates per-traffic-class
`recommended_parallel_windows` and reports `adaptive_backpressure_active` /
`adaptive_backpressure_reason` in runtime heartbeat snapshots. Bulk and
droppable classes are reduced first under pressure, reliable is reduced
moderately, while control/interactive keep their full window unless their own
class has drops/failures/slow samples. Live C18Z69 smoke wraps the C18Z67
pressure path and verified `bulk=1`, `droppable=1`, `reliable=3`,
`interactive=4`, `control=4`, `bulk=32`, `interactive=12`, high-watermark
72, max-in-flight 4, drops 0, and
`bulk_window_reduced_to_protect_interactive`. Artifacts:
`artifacts/c18z67-service-channel-concurrent-qos-live-smoke-result.json` and
`artifacts/c18z69-service-channel-adaptive-backpressure-smoke-result.json`.
- C18Z70 backend/admin adaptive backpressure visibility is implemented and
deployed on docker-test as
`rap-backend:fabric-service-channel-0.2.244-c18z70`; web-admin is rebuilt and
deployed. Access telemetry now projects node-agent
`recommended_parallel_windows`, `adaptive_backpressure_active`, and
`adaptive_backpressure_reason` at cluster, node, and active-channel levels.
Cluster aggregation uses the minimum non-zero recommended window per class,
so the operator sees the most conservative active runtime limit. Web-admin
shows adaptive windows next to flow health and flow QoS. Live API returned
`adaptive=true`, reason `bulk_window_reduced_to_protect_interactive`, and
windows `bulk=1`, `droppable=1`, `reliable=3`, `interactive=4`,
`control=4`. Verification passed: `go test ./internal/modules/cluster`,
web-admin `npm run build`, C18Z69 live smoke, and
`artifacts/c18z70-service-channel-adaptive-telemetry-api-result.json`.
- C18Z71 adaptive policy contract is implemented and deployed on docker-test as
`rap-backend:fabric-service-channel-0.2.245-c18z71` with node-agent image
`rap-node-agent:0.2.245-c18z71` on `test-1/2/3`. Backend exposes audited
`GET/PUT /clusters/{clusterID}/fabric/service-channels/adaptive-policy` for
max parallel window, queue/bulk pressure thresholds, and per-class windows.
The effective policy is embedded in signed node synthetic config and
node-agent runtime heartbeat snapshots now report
`adaptive_policy_fingerprint`. The scheduler consumes the policy at runtime:
default policy preserves the C18Z69 behavior, while the C18Z71 live smoke
proved an operator policy can raise max window to 6 and bulk pressure window
to 2 while keeping interactive/control at 6. During smoke, a signed synthetic
config hash mismatch was found and fixed by preserving adaptive policy
provenance fields in the node-agent client model. Verification passed:
`go test ./internal/modules/cluster`,
`go test ./cmd/rap-node-agent ./internal/mesh ./internal/vpnruntime ./internal/client ./internal/config`,
web-admin `npm run build`, C18Z71 live smoke, and C18Z69 regression smoke.
Artifacts:
`artifacts/c18z71-service-channel-adaptive-policy-smoke-result.json` and
`artifacts/c18z69-service-channel-adaptive-backpressure-smoke-result.json`.
- C18Z72 service-channel pool/failover policy contract is implemented and
deployed on docker-test as
`rap-backend:fabric-service-channel-0.2.246-c18z72`; node-agent remains
`rap-node-agent:0.2.245-c18z71` on `test-1/2/3`. Backend exposes audited
`GET/PUT /clusters/{clusterID}/fabric/service-channels/pool-policy` for
entry/exit pool constraints, preferred entry/exit, selection strategy,
route/entry/exit failover modes, backend fallback allowance, and sticky
session mode. Lease issuance now applies the effective policy before route
selection, constrains `entry_pool`/`exit_pool`, chooses policy preferred
nodes when present, embeds `pool_policy` provenance in the lease, and signs
it into `rap.fabric_service_channel_lease_authority.v1`. Web-admin API/types
know the new policy contract. Verification passed:
`go test ./internal/modules/cluster`, web-admin `npm run build`,
C18Z72 live smoke, and C18Z71 regression smoke. Artifact:
`artifacts/c18z72-service-channel-pool-policy-smoke-result.json`.
- C18Z73 pool-policy remediation guard and telemetry is implemented and
deployed on docker-test as
`rap-backend:fabric-service-channel-0.2.247-c18z73` with node-agent image
`rap-node-agent:0.2.247-c18z73` on `test-1/2/3`; web-admin is rebuilt and
deployed. Active access telemetry now projects the signed
`pool_policy_fingerprint`, remediation guard status/reason, and guarded
remediation commands. Backend remediation rejects an alternate route outside
the signed entry/exit lease pools and emits `rebuild_route` instead of
`prefer_alternate_route`; node-agent defensively ignores guarded rejected
remediation commands before route-manager application. Web-admin shows guard
chips in access telemetry and node synthetic-config remediation rows.
Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
`go test ./cmd/rap-node-agent ./internal/mesh ./internal/vpnruntime ./internal/config`,
web-admin `npm run build`, C18Z73 live smoke, C18Z72 regression smoke, and
C18Z71/C18Z67 live regression smoke. Artifacts:
`artifacts/c18z73-service-channel-pool-policy-remediation-guard-smoke-result.json`,
`artifacts/c18z72-service-channel-pool-policy-smoke-result.json`,
`artifacts/c18z71-service-channel-adaptive-policy-smoke-result.json`, and
`artifacts/c18z67-service-channel-concurrent-qos-live-smoke-result.json`.
- C18Z74 service-channel remediation execution visibility is implemented and
deployed on docker-test as
`rap-backend:fabric-service-channel-0.2.248-c18z74` with node-agent image
`rap-node-agent:0.2.248-c18z74` on `test-1/2/3`; web-admin is rebuilt and
deployed. Active access telemetry now computes
`remediation_execution_status`, reason, generation, and observed timestamp
by correlating active remediation commands with the entry node's latest
route-manager heartbeat. `prefer_alternate_route` commands show
`waiting_node_apply` until the node reports a matching route-manager decision
and then `applied`; guarded commands show `rejected_by_policy_guard`; bounded
`rebuild_route` commands show `pending_rebuild_request`. The execution state
is copied into the machine-readable remediation command and displayed in
web-admin access telemetry / node synthetic remediation rows. Verification
passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
`go test ./cmd/rap-node-agent ./internal/mesh ./internal/vpnruntime ./internal/config`,
web-admin `npm run build`, C18Z74 live smoke, C18Z73 regression smoke, and
C18Z72 regression smoke. Artifacts:
`artifacts/c18z74-service-channel-remediation-execution-smoke-result.json`,
`artifacts/c18z67-service-channel-concurrent-qos-live-smoke-result.json`,
`artifacts/c18z73-service-channel-pool-policy-remediation-guard-smoke-result.json`,
and `artifacts/c18z72-service-channel-pool-policy-smoke-result.json`.
- C18Z75 durable remediation rebuild intent foundation is implemented and
deployed on docker-test as
`rap-backend:fabric-service-channel-0.2.249-c18z75`; node-agent remains
`rap-node-agent:0.2.248-c18z74` on `test-1/2/3`. When a node fetches
synthetic config containing a `rebuild_route` remediation command, backend
now records a durable row in the existing
`fabric_service_channel_route_rebuild_attempts` ledger with
`rebuild_status=requested` / `outcome=rebuild_requested`, or
`rebuild_status=rejected` / `outcome=policy_guard_rejected` when the pool
policy guard rejects it. Access telemetry correlates that ledger row back to
the active channel and reports `rebuild_request_recorded` or
`rebuild_request_rejected` in `remediation_execution_status`. The C18Z75
smoke isolates a route pair, proves `rebuild_route`, fetches synthetic
config to persist the intent, verifies the rebuild ledger row, and verifies
access telemetry reports the recorded execution state. Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
`go test ./cmd/rap-node-agent ./internal/mesh ./internal/vpnruntime ./internal/config`,
web-admin `npm run build`, C18Z75 live smoke, C18Z73 regression smoke, and
C18Z72 regression smoke. Artifacts:
`artifacts/c18z75-service-channel-rebuild-intent-smoke-result.json`,
`artifacts/c18z73-service-channel-pool-policy-remediation-guard-smoke-result.json`,
and `artifacts/c18z72-service-channel-pool-policy-smoke-result.json`.
- C18Z76 service-channel rebuild-route node acknowledgement is implemented and
deployed on docker-test as
`rap-backend:fabric-service-channel-0.2.250-c18z76` with node-agent image
`rap-node-agent:0.2.250-c18z76` on `test-1/2/3`. Node-agent now consumes
allowed `rebuild_route` remediation commands as route-manager decisions with
`rebuild_status=pending_degraded_fallback` and
`decision_source=service_channel_remediation_command`; guarded commands are
still ignored. Backend access telemetry correlates this route-manager
acknowledgement with the durable ledger intent and reports
`rebuild_request_recorded_node_pending`. Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
`go test ./cmd/rap-node-agent ./internal/agent ./internal/mesh ./internal/vpnruntime ./internal/config`,
C18Z76 live smoke, C18Z75 regression smoke, and C18Z74/C18Z67 regression
smoke. Artifacts:
`artifacts/c18z76-service-channel-rebuild-node-pending-smoke-result.json`,
`artifacts/c18z75-service-channel-rebuild-intent-smoke-result.json`,
`artifacts/c18z74-service-channel-remediation-execution-smoke-result.json`,
and `artifacts/c18z67-service-channel-concurrent-qos-live-smoke-result.json`.
- C18Z77 service-channel rebuild planner resolution is implemented and
deployed on docker-test as
`rap-backend:fabric-service-channel-0.2.251-c18z77` with node-agent image
`rap-node-agent:0.2.251-c18z77` on `test-1/2/3`. Backend now resolves
durable `rebuild_route` remediation requests during node-scoped synthetic
config generation: it keeps lease pool-policy guardrails, records
`applied` / `replacement_selected` when a signed-pool-valid alternate route
exists, records `no_alternate` when no safe alternate exists, records
`deferred_by_policy` when the active lease cannot authorize the replacement,
and records `expired` for stale commands. When a replacement is applied, the
same command id is projected as a route-manager decision so node-agent can
consume the resolved planner decision without duplicating the raw command.
Access telemetry reports planner states such as `rebuild_request_applied`
and `rebuild_request_no_alternate`. Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
`go test ./cmd/rap-node-agent ./internal/agent ./internal/mesh ./internal/vpnruntime ./internal/config`,
C18Z77 live smoke, C18Z75 regression smoke, and C18Z74/C18Z67 regression
smoke. Artifacts:
`artifacts/c18z77-service-channel-rebuild-planner-resolution-smoke-result.json`,
`artifacts/c18z75-service-channel-rebuild-intent-smoke-result.json`,
`artifacts/c18z74-service-channel-remediation-execution-smoke-result.json`,
and `artifacts/c18z67-service-channel-concurrent-qos-live-smoke-result.json`.
- C18Z78 service-channel rebuild planner applied-branch visibility is
implemented and deployed on docker-test as
`rap-backend:fabric-service-channel-0.2.252-c18z78` with node-agent image
`rap-node-agent:0.2.252-c18z78` on `test-1/2/3`; web-admin is rebuilt and
deployed to `rap_web_admin`. The admin access-telemetry execution column and
node synthetic remediation rows now render planner outcomes with explicit
labels and tones: `rebuild_request_applied` is good,
`rebuild_request_recorded(_node_pending)`, `rebuild_request_no_alternate`,
and `rebuild_request_deferred_by_policy` are warning states, while rejected
or expired requests are bad states. The C18Z78 live smoke proves the applied
planner branch: a primary route is leased first, the primary route is then
degraded, an alternate route is added after the lease, synthetic config
fetch resolves the existing `rebuild_route` command to `applied` /
`replacement_selected`, and access telemetry reports
`rebuild_request_applied`. Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
`go test ./cmd/rap-node-agent ./internal/agent ./internal/mesh ./internal/vpnruntime ./internal/config`,
web-admin `npm run build`, C18Z78 live smoke, C18Z77 regression smoke, and
C18Z74/C18Z67 regression smoke. Artifacts:
`artifacts/c18z78-service-channel-rebuild-planner-applied-smoke-result.json`,
`artifacts/c18z77-service-channel-rebuild-planner-resolution-smoke-result.json`,
`artifacts/c18z74-service-channel-remediation-execution-smoke-result.json`,
and `artifacts/c18z67-service-channel-concurrent-qos-live-smoke-result.json`.
- C18Z79 service-channel planner-to-runtime loop proof is implemented and
deployed on docker-test as
`rap-backend:fabric-service-channel-0.2.253-c18z79` with node-agent image
`rap-node-agent:0.2.253-c18z79` on `test-1/2/3`. The new live smoke extends
the C18Z78 applied branch: after planner resolves the existing
`rebuild_route` command to `applied` / `replacement_selected`, the entry node
reports a route-manager decision for the same `rebuild_request_id`, reports
transition `applied_rebuild`, and live service-channel packet ingress selects
the replacement route with no local/backend fallback, route failures, or flow
drops. Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
`go test ./cmd/rap-node-agent ./internal/agent ./internal/mesh ./internal/vpnruntime ./internal/config`,
C18Z79 live smoke, C18Z78 and C18Z77 sequential regressions, and C18Z67
concurrent QoS regression. Artifact:
`artifacts/c18z79-service-channel-planner-runtime-loop-smoke-result.json`.
- C18Z80 service-channel sustained post-rebuild pressure proof is implemented
and deployed on docker-test as
`rap-backend:fabric-service-channel-0.2.254-c18z80` with node-agent image
`rap-node-agent:0.2.254-c18z80` on `test-1/2/3`. The new live smoke keeps the
C18Z79 planner-applied loop, then sends five post-rebuild bursts of mixed
`interactive`, `bulk`, and `reliable` VPN packet batches. It proves every
burst is accepted by the service-channel runtime, every burst reports the
replacement route, the stale primary is not reselected, and fallback,
route-failure, flow-drop, and scheduler-drop deltas stay zero from the
pre-pressure baseline. Smoke route hygiene was tightened: C18Z67 now disables
pre-existing active `vpn_packets` intents for its entry/exit pair, and
C18Z79/C18Z80 expire their temporary primary/alternate intents after a
successful run. Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
`go test ./cmd/rap-node-agent ./internal/agent ./internal/mesh ./internal/vpnruntime ./internal/config`,
C18Z80 live smoke, C18Z79 regression smoke, and C18Z67 concurrent QoS
regression. Artifact:
`artifacts/c18z80-service-channel-post-rebuild-pressure-smoke-result.json`.
- C18Z81 service-channel replacement-degradation recovery proof is implemented
and deployed on docker-test as
`rap-backend:fabric-service-channel-0.2.255-c18z81` with node-agent image
`rap-node-agent:0.2.255-c18z81` on `test-1/2/3`. The new live smoke proves
the negative branch after C18Z80: once the initial replacement is applied and
used, a generation-valid fenced feedback report for that replacement causes
the Control Plane to select a new safe recovery route. Live traffic then
moves to the recovery route, the degraded replacement is not reselected, and
fallback, route-failure, flow-drop, and scheduler-drop deltas stay zero for
the recovery send. The smoke also documents an important guardrail: stale
route-generation feedback must not trigger recovery. C18Z67/C18Z79 were
tightened to check per-run counter deltas rather than cumulative runtime
counters. Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
`go test ./cmd/rap-node-agent ./internal/agent ./internal/mesh ./internal/vpnruntime ./internal/config`,
C18Z81 live smoke, C18Z80 regression smoke, C18Z79 regression smoke, and
C18Z67 concurrent QoS regression. Artifact:
`artifacts/c18z81-service-channel-replacement-degradation-recovery-smoke-result.json`.
- C18Z82 service-channel no-safe-recovery proof is implemented and deployed on
docker-test as `rap-backend:fabric-service-channel-0.2.256-c18z82` with
node-agent image `rap-node-agent:0.2.256-c18z82` on `test-1/2/3`. The new
live smoke proves the branch where the original primary is degraded, the
replacement is applied and used, then that replacement reports
generation-valid fenced feedback while no new safe recovery route exists.
Node-scoped synthetic config reports
`service_channel_feedback_no_alternate` with
`pending_degraded_fallback`; score reasons include
`no_unfenced_alternate_route` and
`backend_relay_degraded_fallback_until_rebuild`, so the Control Plane exposes
an explicit degraded/no-alternate state instead of silently sticking to a bad
replacement. Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
`go test ./cmd/rap-node-agent ./internal/agent ./internal/mesh ./internal/vpnruntime ./internal/config`,
C18Z82 live smoke, C18Z81 recovery regression, C18Z80 pressure regression,
and C18Z67 concurrent QoS regression. Artifact:
`artifacts/c18z82-service-channel-no-safe-recovery-smoke-result.json`.
- C18Z83 service-channel access-telemetry no-safe projection is implemented and
deployed on docker-test as `rap-backend:fabric-service-channel-0.2.257-c18z83`;
node-agent remains `rap-node-agent:0.2.256-c18z82` on `test-1/2/3`, and
web-admin is rebuilt/deployed to `rap_web_admin`. Active access telemetry
channels now expose route-decision source, route id, replacement route id,
rebuild status/reason/generation, and score reasons. Web-admin shows a
dedicated `decision` column in the active-channel table. The live smoke
proves no-safe recovery is visible through access telemetry as
`service_channel_feedback_no_alternate` /
`pending_degraded_fallback`, while durable ledger state can still report
`rebuild_request_no_alternate`. Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
web-admin `npm run build`, and C18Z83 live smoke. Artifact:
`artifacts/c18z83-service-channel-access-telemetry-no-safe-smoke-result.json`.
- C18Z84 service-channel access-decision aggregate proof is implemented and
deployed on docker-test as `rap-backend:fabric-service-channel-0.2.258-c18z84`;
node-agent remains `rap-node-agent:0.2.256-c18z82` on `test-1/2/3`, and
web-admin is rebuilt/deployed to `rap_web_admin`. Access telemetry now
exposes aggregate route-decision counters:
`route_decision_channel_count`, `replacement_decision_count`,
`applied_rebuild_decision_count`, `recovery_decision_count`, and
`no_safe_recovery_decision_count`. Web-admin summary chips show these counts,
and no-safe route decisions now prioritize the aggregate reason
`active_channels_no_safe_recovery` over generic missing access-report noise.
Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
web-admin `npm run build`, C18Z84 live smoke, and C18Z83 regression smoke.
Artifact:
`artifacts/c18z84-service-channel-access-decision-aggregate-smoke-result.json`.
- C18Z85 service-channel access-decision incident projection is implemented and
deployed on docker-test as `rap-backend:fabric-service-channel-0.2.259-c18z85`;
node-agent remains `rap-node-agent:0.2.256-c18z82` on `test-1/2/3`, and
web-admin is rebuilt/deployed to `rap_web_admin`. Rebuild health summary now
carries access decision counts and prioritizes
`inspect_access_no_safe_recovery_route_pool_and_signed_policy` when no-safe
is active. Rebuild incidents now include `incident_source=access_decision`
entries with channel id and operator-facing severity/action, including
`access_no_safe_recovery` as a bad incident. Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
web-admin `npm run build`, C18Z85 live smoke, and C18Z84 regression smoke.
Artifact:
`artifacts/c18z85-service-channel-access-decision-incident-smoke-result.json`.
- C18Z86 service-channel access-decision silence/acknowledgement is
implemented and deployed on docker-test as
`rap-backend:fabric-service-channel-0.2.261-c18z86`; node-agent remains
`rap-node-agent:0.2.256-c18z82` on `test-1/2/3`, and web-admin is
rebuilt/deployed to `rap_web_admin`. Rebuild alert silence requests now carry
`incident_source` and `channel_id`; `incident_source=access_decision`
no-safe incidents require `channel_id` and are stored with channel-scoped
route keys. Rebuild health and incident lists apply those silences, so an
acknowledged current-generation access no-safe incident is silenced and no
longer contributes to active bad count. Generation-change resurfacing is
covered in unit tests; live smoke proves the channel-scoped silence path.
Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
web-admin `npm run build`, C18Z86 live smoke, and C18Z85 regression smoke.
Artifact:
`artifacts/c18z86-service-channel-access-decision-silence-smoke-result.json`.
- C18Z87 service-channel access-decision silence management is implemented and
deployed on docker-test as `rap-backend:fabric-service-channel-0.2.262-c18z87`;
node-agent remains `rap-node-agent:0.2.256-c18z82` on `test-1/2/3`, and
web-admin is rebuilt/deployed to `rap_web_admin`. Backend now exposes active
rebuild alert silences, enriches access-decision silences with
`incident_source`, `channel_id`, and `display_route_id`, and supports
unsilence by id. Web-admin shows an `Active rebuild silences` table with an
`unsilence` action. The live smoke proves the operator path:
access no-safe incident -> silence -> active silence listed -> unsilence ->
active bad incident restored. Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
web-admin `npm run build`, C18Z87 live smoke, and C18Z86 regression smoke.
Artifact:
`artifacts/c18z87-service-channel-access-decision-unsilence-smoke-result.json`.
- C18Z88 service-channel access-decision resurface proof is implemented and
deployed on docker-test as `rap-backend:fabric-service-channel-0.2.263-c18z88`;
node-agent remains `rap-node-agent:0.2.256-c18z82` on `test-1/2/3`, and
web-admin is rebuilt/deployed to `rap_web_admin`. Access-decision incidents
now include resurface details (`alert_resurfaced_from_silence_id`,
`alert_resurfaced_previous_generation`, and
`alert_resurfaced_previous_until`) when a previously acknowledged
access-decision incident changes generation/route/channel and becomes active
again. Web-admin shows the previous generation/expiry beside resurfaced
incidents. The live smoke proves access no-safe -> silence current generation
-> route-decision generation changes -> incident resurfaces as active bad
with previous-generation metadata preserved. Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
web-admin `npm run build`, C18Z88 live smoke, and C18Z87 regression smoke.
Artifact:
`artifacts/c18z88-service-channel-access-decision-resurface-smoke-result.json`.
- C18Z89 service-channel access-decision resurface action loop is implemented
and deployed on docker-test as `rap-backend:fabric-service-channel-0.2.264-c18z89`;
node-agent remains `rap-node-agent:0.2.256-c18z82` on `test-1/2/3`, and
web-admin is rebuilt/deployed to `rap_web_admin`. Resurfaced
access-decision incidents now include `alert_resurfaced_cause`,
`alert_resurfaced_previous_route_id`, and
`alert_resurfaced_previous_channel_id`. Web-admin shows the cause beside the
resurfaced action text. The live smoke proves the operator path:
access no-safe -> silence current generation -> generation changes and
resurfaces -> active-channel decision context matches the incident ->
re-acknowledge current generation -> incident returns to silenced state.
Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
web-admin `npm run build`, C18Z89 live smoke, and C18Z88 regression smoke.
Artifact:
`artifacts/c18z89-service-channel-access-decision-resurface-action-smoke-result.json`.
- C18Z90 service-channel production data-plane contract is implemented and
deployed on docker-test as `rap-backend:fabric-service-channel-0.2.265-c18z90`;
node-agent remains `rap-node-agent:0.2.256-c18z82` on `test-1/2/3`, and
web-admin is rebuilt/deployed to `rap_web_admin`. Service-channel leases now
include a signed `data_plane` contract in the lease, authority payload,
introspection response, and lease-maintenance/admin list. The contract
declares backend API as control-plane transport, fabric service channel over
fabric routes as working/steady-state data transport, backend relay as
degraded fallback only, production forwarding required, and service-neutral
protocol-agnostic logical flow isolation. Web-admin shows data-plane/fallback
policy in service-channel leases. Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
web-admin `npm run build`, C18Z90 live smoke, and C18Z89 regression smoke.
Artifact:
`artifacts/c18z90-service-channel-data-plane-contract-smoke-result.json`.
- C18Z91 node-agent data-plane contract consumption is implemented and
deployed on docker-test as `rap-node-agent:0.2.266-c18z91` on `test-1/2/3`
with backend still `rap-backend:fabric-service-channel-0.2.265-c18z90`.
Service-channel VPN packet ingress now parses signed/introspected
`data_plane`, validates the production contract, applies the preferred fabric
route, logs data-plane mode/transports/backend-relay policy/logical-flow
mode, and reports `data_plane_contract` plus last transport/policy fields in
heartbeat access telemetry. Verification passed:
`go test ./cmd/rap-node-agent ./internal/agent ./internal/mesh ./internal/vpnruntime ./internal/config`,
backend cluster tests, web-admin build, C18Z91 live smoke, and C18Z90
regression smoke. Artifact:
`artifacts/c18z91-node-agent-data-plane-contract-enforcement-smoke-result.json`.
- C18Z92 node-agent backend-fallback policy enforcement is implemented and
deployed on docker-test as `rap-node-agent:0.2.267-c18z92` on `test-1/2/3`.
If a signed data-plane contract has `backend_relay_policy=disabled`, the
service-channel runtime no longer proxies failed/missing fabric-route working
data through backend relay; it returns a visible service unavailable result.
The live smoke temporarily disables backend fallback in pool policy, issues a
no-route lease, verifies `backend_relay_policy=disabled`, posts to test-1,
and proves the node rejects with 503 instead of backend relay. Verification
passed: node-agent tests, C18Z92 live smoke, and C18Z91 regression smoke.
Artifact:
`artifacts/c18z92-node-agent-disabled-backend-fallback-smoke-result.json`.
- C18Z93 access-telemetry data-plane projection is implemented and deployed on
docker-test as `rap-backend:fabric-service-channel-0.2.268-c18z93`;
node-agent remains `rap-node-agent:0.2.267-c18z92` on `test-1/2/3`, and
web-admin is rebuilt/deployed to `rap_web_admin`. Backend access telemetry
now promotes node-reported `data_plane_contract` and last data-plane
mode/working transport/steady-state transport/backend relay policy/logical
flow mode to cluster, node, and active-channel diagnostics. Web-admin shows
summary chips plus channel/node table columns for data-plane adoption and
relay policy. Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
web-admin `npm run build`, C18Z93 live smoke, C18Z92 regression smoke, and
C18Z91 regression smoke. Artifact:
`artifacts/c18z93-access-telemetry-data-plane-contract-smoke-result.json`.
- C18Z94 data-plane contract incident diagnostics are implemented and deployed
on docker-test as `rap-backend:fabric-service-channel-0.2.269-c18z94`;
node-agent remains `rap-node-agent:0.2.267-c18z92` on `test-1/2/3`, and
web-admin is rebuilt/deployed to `rap_web_admin`. Access/rebuild incident
diagnostics now include `incident_source=data_plane_contract` rows for
missing data-plane contract reports after accepted traffic, working/steady
transport mismatches, logical-flow mismatch, disabled backend relay observed,
and degraded/backend-relay policy violations. The smoke now proves disabled
backend relay is emitted as a bad incident with action
`restore_fabric_route_or_change_signed_backend_relay_policy_before_retry`.
Verification passed:
`go test ./internal/modules/cluster ./internal/platform/runtime ./internal/modules/nodeagent`,
web-admin `npm run build`, C18Z94 live smoke, C18Z93 regression smoke, C18Z92
regression smoke, and C18Z91 regression smoke. Artifact:
`artifacts/c18z94-data-plane-contract-incident-smoke-result.json`.
- C18Z95 node-agent blocked-fallback telemetry is implemented and deployed on
docker-test as backend `rap-backend:fabric-service-channel-0.2.270-c18z95`
and node-agent `rap-node-agent:0.2.270-c18z95` on `test-1/2/3`; web-admin is
rebuilt/deployed to `rap_web_admin`. Node-agent now reports
`backend_fallback_blocked`, `fabric_route_send_failure`, and last data-plane
violation status/reason in `fabric_service_channel_access_report`. Backend
access telemetry projects those fields to cluster, node, and active-channel
rows, and `data_plane_contract` incidents distinguish policy-blocked fallback
from real backend relay usage. Verification passed: node-agent tests,
backend tests, web-admin build, C18Z95 live smoke, and C18Z94/C18Z93/C18Z92
regressions. Artifact:
`artifacts/c18z95-node-agent-blocked-fallback-telemetry-smoke-result.json`.
- C18Z96 blocked-fallback rebuild feedback is implemented and deployed on
docker-test as backend `rap-backend:fabric-service-channel-0.2.281-c18z109`;
node-agent remains `rap-node-agent:0.2.270-c18z95` on `test-1/2/3`, and
web-admin remains deployed. Backend now converts heartbeat access reports
with `fabric_route_send_failed_backend_fallback_blocked` into durable fenced
`fabric_service_channel_route_feedback` for the active channel primary route.
The existing route rebuild planner then selects an authorized replacement
route when one exists. Verification passed: backend tests, node-agent tests,
web-admin build, C18Z96 live smoke, and C18Z95/C18Z93 regressions. Artifact:
`artifacts/c18z96-blocked-fallback-rebuild-feedback-smoke-result.json`.
- C18Z97 blocked-fallback feedback dedup is implemented and deployed on
docker-test as backend `rap-backend:fabric-service-channel-0.2.281-c18z109`.
Backend now suppresses repeated access-report-derived route feedback while an
active fenced/degraded observation from `fabric_service_channel_access_report`
already exists for the same cluster, reporter node, route, and service class.
This keeps repeated blocked-fallback send-failure heartbeats from refreshing
the same feedback and churning rebuild attempts. Verification passed:
backend tests, node-agent tests, C18Z97 live smoke, and C18Z96/C18Z95
regressions. Artifact:
`artifacts/c18z97-blocked-fallback-feedback-dedup-smoke-result.json`.
- C18Z98 blocked-fallback rebuild correlation is implemented and deployed on
docker-test as backend `rap-backend:fabric-service-channel-0.2.281-c18z109`;
web-admin is rebuilt/deployed to `rap_web_admin`. Backend now carries the
originating access-report route-feedback identity into replacement decisions
and rebuild-attempt ledger rows: `feedback_observation_id`,
`feedback_source`, feedback observed/expiry times, channel/resource ids, and
data-plane violation status/reason. Web-admin shows this correlation in
Route decisions and Rebuild ledger. Verification passed: backend tests,
node-agent tests, web-admin build, C18Z98 live smoke, and C18Z97/C18Z96/C18Z95
regressions. Artifact:
`artifacts/c18z98-blocked-fallback-rebuild-correlation-smoke-result.json`.
- C18Z99 rebuild correlation filters are implemented and deployed on
docker-test as backend `rap-backend:fabric-service-channel-0.2.281-c18z109`;
web-admin is rebuilt/deployed to `rap_web_admin`. The rebuild-attempt ledger
API now accepts `feedback_source`, `feedback_channel_id`, and
`feedback_violation_status` filters, and web-admin exposes them in the
rebuild ledger filter form. Verification passed: backend tests, node-agent
tests, web-admin build, C18Z99 live smoke, and C18Z98/C18Z97/C18Z96/C18Z95/
C18Z93 regressions. Artifact:
`artifacts/c18z99-rebuild-correlation-filter-smoke-result.json`.
- C18Z100 rebuild-health feedback breakdown is implemented and deployed on
docker-test as backend `rap-backend:fabric-service-channel-0.2.281-c18z109`;
web-admin is rebuilt/deployed to `rap_web_admin`. The rebuild-health summary
now returns `feedback_breakdowns` grouped by feedback source, feedback
channel id, and feedback violation status, with total/good/warn/bad/unknown
counts, active warn/bad counts, silenced count, latest observation time, and
affected reporter nodes/routes. Web-admin shows the breakdown in the Rebuild
health panel. Verification passed: backend tests, node-agent tests,
web-admin build, C18Z100 live smoke, and C18Z99/C18Z98/C18Z97/C18Z96/C18Z95/
C18Z93 regressions. Artifact:
`artifacts/c18z100-rebuild-health-feedback-breakdown-smoke-result.json`.
- C18Z101 rebuild-health feedback drilldown UI is implemented and deployed to
`rap_web_admin`; backend remains
`rap-backend:fabric-service-channel-0.2.281-c18z109`. Web-admin now shows
related incident context on rebuild-health feedback breakdown rows and an
`open ledger` action that switches to deep rebuild ledger with
`feedback_source`, `feedback_channel_id`, and `feedback_violation_status`
prefilled from the selected breakdown. Verification passed: web-admin build
and deployed asset/download checks.
- C18Z102 rebuild-health feedback drilldown audit breadcrumbs are implemented
and deployed on docker-test as backend
`rap-backend:fabric-service-channel-0.2.281-c18z109`; web-admin is rebuilt/
deployed to `rap_web_admin`. The existing rebuild investigation endpoint now
accepts feedback source/channel/violation drilldown payloads and records
`fabric.service_channel_rebuild_feedback_breakdown.investigation_opened`
cluster audit events before web-admin opens the filtered deep rebuild ledger.
Verification passed: backend tests, web-admin build, C18Z102 live smoke, and
C18Z100/C18Z99/C18Z98 regressions. Artifact:
`artifacts/c18z102-rebuild-health-feedback-drilldown-audit-smoke-result.json`.
- C18Z103 Fabric diagnostics drilldown audit visibility is implemented and
deployed to `rap_web_admin`; backend remains
`rap-backend:fabric-service-channel-0.2.281-c18z109`. Web-admin now filters
the loaded cluster audit list for rebuild incident and feedback-breakdown
investigation events and shows recent drilldowns in the Fabric diagnostics
panel with time, source, feedback filters, target reporter/route, actor, and
reason. Verification passed: web-admin build and deployed asset/download
checks.
- C18Z104 focused Fabric audit loading is implemented and deployed on
docker-test as backend `rap-backend:fabric-service-channel-0.2.281-c18z109`;
web-admin is rebuilt/deployed to `rap_web_admin`. The cluster audit API now
accepts repeated or comma-separated `event_type` filters plus `target_type`
filters, and Fabric diagnostics loads recent rebuild incident/feedback
breakdown investigation breadcrumbs with a dedicated filtered request instead
of depending on the generic latest-100 audit list. Verification passed:
backend tests, web-admin build, C18Z104 live smoke, and C18Z102/C18Z100
regressions. Artifact:
`artifacts/c18z104-focused-fabric-audit-smoke-result.json`.
- C18Z105 Fabric drilldown breadcrumb correlation UI is implemented and
deployed to `rap_web_admin`; backend remains
`rap-backend:fabric-service-channel-0.2.281-c18z109`. Recent investigation
rows in Fabric diagnostics now show whether each breadcrumb still matches a
current rebuild-health feedback breakdown or visible rebuild incident, and
provide an `open` action to jump back into the matching filtered ledger path.
Verification passed: web-admin build and deployed asset/download checks.
- C18Z106 server-side Fabric drilldown breadcrumb correlation is implemented
and deployed on docker-test as backend
`rap-backend:fabric-service-channel-0.2.281-c18z109`; web-admin is rebuilt/
deployed to `rap_web_admin`. Focused audit reads with
`correlation=fabric_diagnostics` now return `correlation_hints` with current
diagnostic status and matching rebuild-health feedback breakdown or rebuild
incident when present. Web-admin consumes those hints and keeps local matching
as fallback. The rebuild-health feedback breakdown window is raised to 100
groups after C18Z100 regression exposed the previous cap could hide fresh
failure classes on noisy test history. Verification passed: backend tests,
web-admin build, C18Z106 live smoke, and C18Z104/C18Z100 regressions.
Artifact: `artifacts/c18z106-audit-correlation-hints-smoke-result.json`.
- C18Z107 drilldown breadcrumb summary is implemented and deployed on
docker-test as backend `rap-backend:fabric-service-channel-0.2.281-c18z109`;
web-admin is rebuilt/deployed to `rap_web_admin`. Audit responses now include
compact `audit_summary` aggregates beside `audit_events`; focused Fabric
diagnostics uses them to show counts by current diagnostic status, feedback
source, feedback violation status, correlated/not-visible totals, and latest
time above the Recent investigations rows. Verification passed: backend
tests, web-admin build, C18Z107 live smoke, and C18Z106/C18Z104 regressions.
Artifact: `artifacts/c18z107-audit-correlation-summary-smoke-result.json`.
- C18Z108 dedicated Fabric diagnostics breadcrumbs are implemented and deployed
on docker-test as backend `rap-backend:fabric-service-channel-0.2.281-c18z109`;
web-admin is rebuilt/deployed to `rap_web_admin`. Backend exposes
`GET /clusters/{clusterID}/fabric/service-channels/rebuild-investigations/breadcrumbs`
returning `rebuild_investigation_breadcrumbs` with events and summary, so the
operator Recent investigations workflow no longer overloads the generic
cluster audit endpoint. Verification passed: backend tests, web-admin build,
C18Z108 live smoke, and C18Z107/C18Z106/C18Z100 regressions. Artifact:
`artifacts/c18z108-dedicated-breadcrumbs-smoke-result.json`.
- C18Z109 Fabric diagnostics breadcrumb freshness windows are implemented and
deployed on docker-test as backend
`rap-backend:fabric-service-channel-0.2.281-c18z109`; web-admin is rebuilt/
deployed to `rap_web_admin`. The dedicated breadcrumb endpoint accepts
`current_window_seconds` and `history_window_seconds`, annotates events with
`correlation_hints.breadcrumb_status` (`current`, `stale`, `expired`) plus
age/window seconds, returns current/stale/expired totals, and includes
`counts_by_breadcrumb_status` in summary. Web-admin shows freshness chips and
age in Recent investigations. Verification passed: backend tests, web-admin
build, C18Z109 live smoke, and C18Z108/C18Z107/C18Z106 regressions. Artifact:
`artifacts/c18z109-breadcrumb-freshness-window-smoke-result.json`.
- C19Q Remote Workspace mailbox guardrails are implemented and
runtime-smoke-proven on docker-test. The adapter-session mailbox handoff now
has unit and live coverage for invalid adapter session IDs, unknown sessions,
invalid limits, and bounded `drain=true&limit=N` partial drain semantics.
This remains probe-only and node-local: it does not enable RDP protocol
forwarding, desktop frame transport, Android work, or backend relay behavior.
Verification passed: `go test ./internal/mesh` in `agents/rap-node-agent` and
`scripts/fabric/c19q-remote-workspace-adapter-mailbox-guardrails-smoke.ps1`.
Artifact:
`artifacts/c19q-remote-workspace-adapter-mailbox-guardrails-smoke-result.json`.
- C19R Remote Workspace mailbox long-poll ergonomics are implemented and
runtime-smoke-proven on docker-test. The mailbox endpoint now accepts bounded
`wait_ms`, returns explicit `empty`, `waited`, `wait_timeout`, and `wait_ms`
fields, and wakes when a delayed mailbox event arrives before timeout.
Node-agent image `rap-node-agent:codex-service-supervisor-20260512s` is built
and deployed on `test-1/2/3`. Verification passed:
`go test ./internal/mesh`, C19R live smoke, and C19Q regression smoke.
Artifact:
`artifacts/c19r-remote-workspace-mailbox-long-poll-smoke-result.json`.
- C19S Remote Workspace mailbox telemetry is implemented and
runtime-smoke-proven on docker-test. Workload status and heartbeat telemetry
now expose mailbox read/wait/timeout/empty-read counters plus last mailbox
read metadata, so adapter consumer polling behavior is visible without
enabling desktop frame transport. Node-agent image
`rap-node-agent:codex-service-supervisor-20260512t` is built and deployed on
`test-1/2/3`. Verification passed: `go test ./internal/mesh`, C19S live
smoke, and C19R regression smoke. Artifact:
`artifacts/c19s-remote-workspace-mailbox-telemetry-smoke-result.json`.
- C19T Remote Workspace mailbox consumer checkpoint/ack metadata is implemented
and runtime-smoke-proven on docker-test. The mailbox endpoint now accepts a
validated `consumer_id` and optional `ack_sequence`, returns consumer
checkpoint/ack/lag/read metadata, and keeps bounded per-session node-local
consumer cursor state. Workload status and heartbeat telemetry expose
aggregate/current-session consumer read and ack counters. Node-agent image
`rap-node-agent:codex-service-supervisor-20260512u` is built and deployed on
`test-1/2/3`. Verification passed: `go test ./internal/mesh`, C19T live
smoke, and C19S regression smoke. Artifact:
`artifacts/c19t-remote-workspace-mailbox-consumer-checkpoint-smoke-result.json`.
- C19U Remote Workspace mailbox consumer lifecycle guardrails are implemented
and runtime-smoke-proven on docker-test. Consumers can pass
`reset_consumer=true` with a validated `consumer_id` to clear cursor state
before the current read is recorded. Mailbox responses expose consumer
count/capacity, created/reset/evicted lifecycle flags, and consumer
timestamps; workload status and heartbeat telemetry expose consumer reset and
eviction counters. Node-agent image
`rap-node-agent:codex-service-supervisor-20260512v` is built and deployed on
`test-1/2/3`. Verification passed: `go test ./internal/mesh`, C19U live
smoke, and C19T regression smoke. Artifact:
`artifacts/c19u-remote-workspace-mailbox-consumer-lifecycle-smoke-result.json`.
- C19V Remote Workspace mailbox consumer cursor inspection is implemented and
runtime-smoke-proven on docker-test. Active adapter sessions now expose a
read-only
`/mesh/v1/remote-workspace/adapter-sessions/{adapter_session_id}/mailbox/consumers`
endpoint with bounded cursor snapshots: consumer ids, checkpoint/ack
sequences, lag, read/ack totals, and timestamps. The endpoint is read-only and
does not increment mailbox reads, acks, resets, or drain events. Node-agent
image `rap-node-agent:codex-service-supervisor-20260512w` is built and
deployed on `test-1/2/3`. Verification passed: `go test ./internal/mesh`,
C19V live smoke, and C19U regression smoke. Artifact:
`artifacts/c19v-remote-workspace-mailbox-consumer-snapshot-smoke-result.json`.
- C19W Remote Workspace mailbox cursor-aware resume reads are implemented and
runtime-smoke-proven on docker-test. The mailbox endpoint now accepts
`after_sequence` for non-destructive reads, returns `skipped_count` and
`returned_count`, and long-polls for events newer than the requested sequence.
`after_sequence` with `drain=true` is rejected to keep resume reads separate
from destructive drains. Node-agent image
`rap-node-agent:codex-service-supervisor-20260512x` is built and deployed on
`test-1/2/3`. Verification passed: `go test ./internal/mesh`, C19W live
smoke, and C19V regression smoke. Artifact:
`artifacts/c19w-remote-workspace-mailbox-after-sequence-smoke-result.json`.
- C19X Remote Workspace mailbox consumer-aware resume is implemented and
runtime-smoke-proven on docker-test. Mailbox reads with `consumer_id` can pass
`resume_from=ack|checkpoint`; the node-agent resolves the stored cursor to
`after_sequence` before reading and returns `resume_from`/`resume_sequence`.
Guardrails reject mixing resume with manual `after_sequence`, drain, reset,
missing consumers, or invalid cursor names. Node-agent image
`rap-node-agent:codex-service-supervisor-20260512y` is built and deployed on
`test-1/2/3`. Verification passed: `go test ./internal/mesh`, C19X live
smoke, and C19W regression smoke. Artifact:
`artifacts/c19x-remote-workspace-mailbox-consumer-resume-smoke-result.json`.
- C19Y Remote Workspace mailbox resume telemetry is implemented and
runtime-smoke-proven on docker-test. Workload status and heartbeat telemetry
now expose resume/after-sequence read totals, returned/skipped totals, and the
last resume cursor/sequence/consumer plus returned/skipped counts for
operator diagnostics. Session snapshots include the same per-session resume
counters. Node-agent image
`rap-node-agent:codex-service-supervisor-20260512z` is built and deployed on
`test-1/2/3`. Verification passed: `go test ./internal/mesh`, C19Y live
smoke, C19X source smoke, and C19W regression smoke. Artifact:
`artifacts/c19y-remote-workspace-mailbox-resume-telemetry-smoke-result.json`.
- C19Z Remote Workspace adapter runtime readiness summary is implemented and
runtime-smoke-proven on docker-test. The sink report now includes compact
`adapter_runtime_readiness` diagnostics with session lifecycle state, mailbox
depth, consumer cursor, resume cursor, skipped/returned counts, and
ready/diagnostic status for operator handoff checks. Node-agent image
`rap-node-agent:codex-service-supervisor-20260512z1` is built and deployed on
`test-1/2/3`. Verification passed: `go test ./internal/mesh`, C19Z live
smoke, C19X source smoke, and C19Y regression smoke. Artifact:
`artifacts/c19z-remote-workspace-adapter-readiness-smoke-result.json`.
- C19Z1 Remote Workspace mailbox handoff preflight is implemented and
runtime-smoke-proven on docker-test. The node-agent now exposes read-only
`GET /mesh/v1/remote-workspace/adapter-sessions/{adapter_session_id}/mailbox/preflight`
for `consumer_id` plus `resume_from=ack|checkpoint`; it validates the cursor
and reports the expected next event window without reading, draining, acking,
or mutating consumer state. Node-agent image
`rap-node-agent:codex-service-supervisor-20260512z2` is built and deployed on
`test-1/2/3`. Verification passed: `go test ./internal/mesh`, C19Z1 live
smoke, C19X source smoke, and C19Z regression smoke. Artifact:
`artifacts/c19z1-remote-workspace-mailbox-preflight-smoke-result.json`.
The current phase is NOT:
- full mesh routing implementation
- full VPN orchestration
- multi-cluster runtime traffic handling
- production data-plane migration
- complete updater rollout orchestration
- video meetings
- final native client UI redesign
Future mesh, VPN, multi-cluster, node-agent updater, and production realtime data-plane work must be introduced only through explicit, narrow, staged implementation prompts.
Always keep the project production-oriented. Do not simplify it into a toy app.
Reference in New Issue View Git Blame Copy Permalink