slice 8A (controller half): bootstrap.json ingestion + pinned agent local-API client (v0.35.0)

internal/bootstrap: first-run bootstrap.json ingestion (decision (c)) — seed
controller.yaml + skip setup; idempotent + fail-safe. internal/agentapi:
minimal pinned local-API client (leaf-cert SHA-256 pin, fails closed). config
LocalAPIConfig; startup /storage connectivity probe.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

controller/cmd/controller/main.go

@@ -18,10 +18,12 @@ import (
 	"crypto/subtle"
 	"strings"
 
+	"gitea.dooplex.hu/admin/felhom-controller/internal/agentapi"
 	"gitea.dooplex.hu/admin/felhom-controller/internal/api"
 	"gitea.dooplex.hu/admin/felhom-controller/internal/appexport"
 	"gitea.dooplex.hu/admin/felhom-controller/internal/assets"
 	"gitea.dooplex.hu/admin/felhom-controller/internal/backup"
+	"gitea.dooplex.hu/admin/felhom-controller/internal/bootstrap"
 	cf "gitea.dooplex.hu/admin/felhom-controller/internal/cloudflare"
 	"gitea.dooplex.hu/admin/felhom-controller/internal/crypto"
 	"gitea.dooplex.hu/admin/felhom-controller/internal/config"
@@ -73,6 +75,13 @@ func main() {
 
 	logger, logBuffer := setupLogger(cfg)
 
+	// --- Bootstrap ingestion (slice 8A, doc 03 §6) ---
+	// On first run, if this controller is not yet configured AND the host agent's provisioning
+	// back-half attached a bootstrap.json config mount, seed controller.yaml from it and come up
+	// CONFIGURED — skipping setup mode. Idempotent (never clobbers an existing controller.yaml)
+	// and fail-safe (a malformed/absent bootstrap leaves us in setup mode).
+	cfg = bootstrap.MaybeIngest(*configPath, cfg, logger)
+
 	// --- Wire system package debug logging ---
 	if cfg.Logging.Level == "debug" {
 		system.DebugLogger = logger
@@ -85,6 +94,12 @@ func main() {
 		return
 	}
 
+	// --- Local API connectivity probe (slice 8A) ---
+	// When seeded with a local-API endpoint, prove the controller↔agent channel at startup and
+	// learn this guest's mounts (placement view). Non-fatal — the controller runs regardless; a
+	// failure is logged for diagnosis. The full /backup/due quiesce loop lands in 8B.
+	probeLocalAPI(cfg, logger)
+
 	logger.Printf("[INFO] felhom-controller %s starting (customer: %s, domain: %s)",
 		Version, cfg.Customer.ID, cfg.Customer.Domain)
 
@@ -1286,6 +1301,34 @@ func fileExists(path string) bool {
 	return err == nil
 }
 
+// probeLocalAPI proves the controller↔agent local-API channel at startup and logs this guest's
+// mounts (slice 8A). Non-fatal: it only runs when a local-API endpoint is configured, and any
+// error is logged for diagnosis without affecting the controller's boot. The leaf SHA-256 from
+// the bootstrap is pinned by the client (fails closed on mismatch).
+func probeLocalAPI(cfg *config.Config, logger *log.Logger) {
+	if cfg.LocalAPI.Endpoint == "" || cfg.LocalAPI.Token == "" {
+		return
+	}
+	client, err := agentapi.New(cfg.LocalAPI.Endpoint, cfg.LocalAPI.Token, cfg.LocalAPI.Fingerprint)
+	if err != nil {
+		logger.Printf("[WARN] local-api: client init failed (%v) — channel not verified", err)
+		return
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	defer cancel()
+	resp, err := client.Storage(ctx)
+	if err != nil {
+		logger.Printf("[WARN] local-api: GET /storage failed (%v) — channel not verified", err)
+		return
+	}
+	logger.Printf("[INFO] local-api: channel up (agent %s) — guest %d, %d mount(s) visible",
+		cfg.LocalAPI.Endpoint, resp.VMID, len(resp.Mounts))
+	for _, m := range resp.Mounts {
+		logger.Printf("[INFO] local-api: mount %s → %s (storage=%s, class=%s, backup=%v)",
+			m.Key, m.MountPoint, m.Storage, m.Class, m.Backup)
+	}
+}
+
 // runSetupMode starts the setup wizard on dual listeners and blocks until signal.
 func runSetupMode(cfg *config.Config, logger *log.Logger) {
 	ips := setup.DetectLocalIPs()

controller/internal/agentapi/client.go

@@ -0,0 +1,141 @@
+// Package agentapi is the in-guest controller's client for the host agent's per-guest local
+// API (doc 03 §6, slice 8A). It reaches the agent over the bridge, pinning the agent's
+// self-signed leaf by SHA-256 (the same pin convention the agent uses for the Proxmox/PBS host
+// certs), and authenticates with the per-guest bearer token. In 8A it exercises GET /storage
+// (connectivity + the controller learning its mounts); the full surface (the /backup/due
+// quiesce loop) lands in 8B.
+package agentapi
+
+import (
+	"context"
+	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+)
+
+// Client talks to one agent local-API endpoint with a pinned leaf + bearer token.
+type Client struct {
+	baseURL string
+	token   string
+	hc      *http.Client
+}
+
+// MountInfo mirrors the agent's GET /storage mount entry (doc 03 §6).
+type MountInfo struct {
+	Key        string `json:"key"`
+	Storage    string `json:"storage"`
+	MountPoint string `json:"mount_point"`
+	Class      string `json:"class"` // fast | slow | ""
+	Backup     bool   `json:"backup"`
+}
+
+// StorageResponse mirrors the agent's GET /storage data payload.
+type StorageResponse struct {
+	VMID   int         `json:"vmid"`
+	Mounts []MountInfo `json:"mounts"`
+}
+
+// apiResponse is the agent's {ok,data,error} envelope.
+type apiResponse struct {
+	OK    bool            `json:"ok"`
+	Data  json.RawMessage `json:"data"`
+	Error string          `json:"error"`
+}
+
+// New builds a pinned client for endpoint ("host:port") with the given per-guest token and the
+// agent leaf-cert SHA-256 fingerprint (hex, ':'-separators tolerated). The pin is the trust
+// anchor — the agent serves a self-signed cert, so chain verification is replaced by an exact
+// leaf-DER SHA-256 match (fails closed on any mismatch).
+func New(endpoint, token, fingerprintHex string) (*Client, error) {
+	endpoint = strings.TrimSpace(endpoint)
+	if endpoint == "" {
+		return nil, fmt.Errorf("agentapi: endpoint required")
+	}
+	if token == "" {
+		return nil, fmt.Errorf("agentapi: token required")
+	}
+	want, err := normalizeFingerprint(fingerprintHex)
+	if err != nil {
+		return nil, err
+	}
+	tlsCfg := &tls.Config{
+		InsecureSkipVerify: true, // self-signed leaf — the pin below is the real check
+		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
+			if len(rawCerts) == 0 {
+				return fmt.Errorf("agentapi: TLS pin: peer presented no certificate")
+			}
+			got := sha256.Sum256(rawCerts[0]) // leaf DER
+			if hex.EncodeToString(got[:]) != want {
+				return fmt.Errorf("agentapi: TLS pin mismatch: agent leaf SHA-256 does not match the bootstrap fingerprint")
+			}
+			return nil
+		},
+		MinVersion: tls.VersionTLS12,
+	}
+	return &Client{
+		baseURL: "https://" + endpoint,
+		token:   token,
+		hc: &http.Client{
+			Timeout:   15 * time.Second,
+			Transport: &http.Transport{TLSClientConfig: tlsCfg},
+		},
+	}, nil
+}
+
+// Storage calls GET /storage and returns this guest's mounts (connectivity + placement view).
+func (c *Client) Storage(ctx context.Context) (StorageResponse, error) {
+	var out StorageResponse
+	body, err := c.get(ctx, "/storage")
+	if err != nil {
+		return out, err
+	}
+	if err := json.Unmarshal(body, &out); err != nil {
+		return out, fmt.Errorf("agentapi: decode /storage: %w", err)
+	}
+	return out, nil
+}
+
+// get issues an authenticated GET and unwraps the {ok,data,error} envelope.
+func (c *Client) get(ctx context.Context, path string) (json.RawMessage, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.baseURL+path, nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Authorization", "Bearer "+c.token)
+	resp, err := c.hc.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("agentapi: GET %s: %w", path, err)
+	}
+	defer resp.Body.Close()
+	raw, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("agentapi: GET %s: HTTP %d", path, resp.StatusCode)
+	}
+	var env apiResponse
+	if err := json.Unmarshal(raw, &env); err != nil {
+		return nil, fmt.Errorf("agentapi: GET %s: bad envelope: %w", path, err)
+	}
+	if !env.OK {
+		return nil, fmt.Errorf("agentapi: GET %s: %s", path, env.Error)
+	}
+	return env.Data, nil
+}
+
+// normalizeFingerprint lowercases and strips ':'/' ' separators, requiring a 64-hex SHA-256.
+func normalizeFingerprint(fp string) (string, error) {
+	s := strings.ToLower(strings.NewReplacer(":", "", " ", "", "\t", "").Replace(strings.TrimSpace(fp)))
+	if len(s) != 64 {
+		return "", fmt.Errorf("agentapi: fingerprint must be a SHA-256 (64 hex chars), got %d", len(s))
+	}
+	if _, err := hex.DecodeString(s); err != nil {
+		return "", fmt.Errorf("agentapi: fingerprint is not valid hex: %w", err)
+	}
+	return s, nil
+}

controller/internal/agentapi/client_test.go

@@ -0,0 +1,101 @@
+package agentapi
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+// storageStub serves the agent's {ok,data} envelope for GET /storage, requiring the bearer.
+func storageStub(token string) http.Handler {
+	mux := http.NewServeMux()
+	mux.HandleFunc("GET /storage", func(w http.ResponseWriter, r *http.Request) {
+		if r.Header.Get("Authorization") != "Bearer "+token {
+			w.WriteHeader(http.StatusUnauthorized)
+			_, _ = w.Write([]byte(`{"ok":false,"error":"unauthorized"}`))
+			return
+		}
+		w.Header().Set("Content-Type", "application/json")
+		_, _ = w.Write([]byte(`{"ok":true,"data":{"vmid":8200,"mounts":[{"key":"mp0","storage":"fast","mount_point":"/var/lib/docker","class":"fast","backup":true}]}}`))
+	})
+	return mux
+}
+
+func leafPin(t *testing.T, s *httptest.Server) string {
+	t.Helper()
+	der := s.Certificate().Raw
+	sum := sha256.Sum256(der)
+	return hex.EncodeToString(sum[:])
+}
+
+// The correct pin + token reaches /storage and decodes the mounts.
+func TestClient_PinnedStorageOK(t *testing.T) {
+	s := httptest.NewTLSServer(storageStub("TOK"))
+	defer s.Close()
+	endpoint := strings.TrimPrefix(s.URL, "https://")
+
+	c, err := New(endpoint, "TOK", leafPin(t, s))
+	if err != nil {
+		t.Fatalf("new: %v", err)
+	}
+	resp, err := c.Storage(context.Background())
+	if err != nil {
+		t.Fatalf("storage: %v", err)
+	}
+	if resp.VMID != 8200 || len(resp.Mounts) != 1 || resp.Mounts[0].Class != "fast" {
+		t.Fatalf("unexpected storage response: %+v", resp)
+	}
+}
+
+// A WRONG pin fails closed — the TLS handshake is rejected before any data flows.
+func TestClient_WrongPinFailsClosed(t *testing.T) {
+	s := httptest.NewTLSServer(storageStub("TOK"))
+	defer s.Close()
+	endpoint := strings.TrimPrefix(s.URL, "https://")
+
+	wrong := strings.Repeat("ab", 32) // 64 hex chars, valid format, wrong value
+	c, err := New(endpoint, "TOK", wrong)
+	if err != nil {
+		t.Fatalf("new: %v", err)
+	}
+	if _, err := c.Storage(context.Background()); err == nil {
+		t.Fatal("expected a TLS pin failure, got success")
+	}
+}
+
+// A bad fingerprint format is rejected at construction.
+func TestClient_BadFingerprintRejected(t *testing.T) {
+	if _, err := New("host:8443", "TOK", "not-a-fingerprint"); err == nil {
+		t.Fatal("expected an error for a non-SHA256 fingerprint")
+	}
+	if _, err := New("host:8443", "", strings.Repeat("a", 64)); err == nil {
+		t.Fatal("expected an error for an empty token")
+	}
+}
+
+// Colon-separated fingerprints (the agent logs them with ':') are accepted.
+func TestClient_AcceptsColonFingerprint(t *testing.T) {
+	s := httptest.NewTLSServer(storageStub("TOK"))
+	defer s.Close()
+	endpoint := strings.TrimPrefix(s.URL, "https://")
+
+	pin := leafPin(t, s)
+	var colon strings.Builder
+	for i := 0; i < len(pin); i += 2 {
+		if i > 0 {
+			colon.WriteByte(':')
+		}
+		colon.WriteString(pin[i : i+2])
+	}
+	c, err := New(endpoint, "TOK", colon.String())
+	if err != nil {
+		t.Fatalf("new with colon fp: %v", err)
+	}
+	if _, err := c.Storage(context.Background()); err != nil {
+		t.Fatalf("storage with colon fp: %v", err)
+	}
+}

controller/internal/bootstrap/bootstrap.go

@@ -0,0 +1,151 @@
+// Package bootstrap implements first-run bootstrap.json ingestion (slice 8A, doc 03 §6,
+// config-contract decision (c)). The host agent's provisioning back-half writes a stable
+// bootstrap.json into a read-only config mount; on first run the controller seeds its own
+// controller.yaml from it and comes up CONFIGURED, skipping the setup wizard. The agent emits
+// the stable contract; the controller owns the translation — the two stay decoupled.
+package bootstrap
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"gitea.dooplex.hu/admin/felhom-controller/internal/config"
+	"gopkg.in/yaml.v3"
+)
+
+// DefaultMountPath is where the agent attaches the read-only config mount (spike S2). Override
+// with FELHOM_BOOTSTRAP_PATH for tests / non-standard layouts.
+const DefaultMountPath = "/etc/felhom-bootstrap/bootstrap.json"
+
+// SchemaV1 is the stable contract version the agent emits and the controller ingests.
+const SchemaV1 = "felhom.bootstrap/v1"
+
+// Bootstrap is the stable agent→controller config contract (JSON). It carries exactly what the
+// controller needs to come up configured + reach the agent's local API. It is deliberately a
+// SEPARATE shape from controller.yaml (decision (c)): the agent never needs to know the
+// controller's full config schema.
+type Bootstrap struct {
+	Schema   string            `json:"schema"`
+	Customer BootstrapCustomer `json:"customer"`
+	Hub      BootstrapHub      `json:"hub"`
+	LocalAPI BootstrapLocalAPI `json:"local_api"`
+}
+
+type BootstrapCustomer struct {
+	ID     string `json:"id"`
+	Name   string `json:"name"`
+	Domain string `json:"domain"`
+	Email  string `json:"email"`
+}
+
+type BootstrapHub struct {
+	URL    string `json:"url"`
+	APIKey string `json:"api_key"`
+	HostID string `json:"host_id"` // the agent's host id (reference; not load-bearing for the controller)
+}
+
+type BootstrapLocalAPI struct {
+	Endpoint    string `json:"endpoint"`    // host bridge IP:port
+	Fingerprint string `json:"fingerprint"` // agent leaf-cert SHA-256 (hex) to pin
+	Token       string `json:"token"`       // per-guest bearer; SECRET
+}
+
+// Path returns the bootstrap mount path (env override → default).
+func Path() string {
+	if p := strings.TrimSpace(os.Getenv("FELHOM_BOOTSTRAP_PATH")); p != "" {
+		return p
+	}
+	return DefaultMountPath
+}
+
+// MaybeIngest seeds controller.yaml from a bootstrap.json mount when the controller is NOT yet
+// configured, and returns the config the caller should use.
+//
+// Contract:
+//   - Idempotent: if cfg is already configured (customer.id set), the existing controller.yaml is
+//     NEVER clobbered — returns cfg unchanged.
+//   - Fail-safe: an absent or malformed bootstrap, or one missing the minimum identity, leaves cfg
+//     unchanged (the caller proceeds to normal setup mode) — it logs and never crashes.
+//   - On success: writes controller.yaml (0600, atomic), reloads it, and returns the reloaded cfg.
+func MaybeIngest(configPath string, cfg *config.Config, logger *log.Logger) *config.Config {
+	if cfg != nil && cfg.Customer.ID != "" {
+		return cfg // already configured — do not clobber (idempotent)
+	}
+	bpath := Path()
+	data, err := os.ReadFile(bpath)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			logger.Printf("[WARN] bootstrap: cannot read %s: %v — staying in setup", bpath, err)
+		}
+		return cfg // no bootstrap → normal setup
+	}
+
+	var b Bootstrap
+	if err := json.Unmarshal(data, &b); err != nil {
+		logger.Printf("[WARN] bootstrap: %s is not valid JSON: %v — staying in setup", bpath, err)
+		return cfg
+	}
+	if b.Schema != "" && b.Schema != SchemaV1 {
+		logger.Printf("[WARN] bootstrap: unsupported schema %q (want %q) — staying in setup", b.Schema, SchemaV1)
+		return cfg
+	}
+	if b.Customer.ID == "" || b.Customer.Domain == "" {
+		logger.Printf("[WARN] bootstrap: %s missing customer.id/domain — staying in setup", bpath)
+		return cfg
+	}
+
+	seeded := configFromBootstrap(b)
+	if err := writeYAML(configPath, seeded); err != nil {
+		logger.Printf("[WARN] bootstrap: could not write %s: %v — staying in setup", configPath, err)
+		return cfg
+	}
+	reloaded, err := config.LoadPermissive(configPath)
+	if err != nil {
+		logger.Printf("[WARN] bootstrap: wrote %s but reload failed: %v — staying in setup", configPath, err)
+		return cfg
+	}
+	logger.Printf("[INFO] bootstrap: seeded %s from %s (customer=%s, local_api=%s) — coming up configured",
+		configPath, bpath, b.Customer.ID, b.LocalAPI.Endpoint)
+	return reloaded
+}
+
+// configFromBootstrap maps the stable contract onto a controller.yaml Config. Only the
+// identity/hub/local-api fields are seeded; all other config keeps controller defaults (the
+// customer configures the rest via the dashboard / hub manifest).
+func configFromBootstrap(b Bootstrap) *config.Config {
+	cfg := &config.Config{}
+	cfg.Customer.ID = b.Customer.ID
+	cfg.Customer.Name = b.Customer.Name
+	cfg.Customer.Domain = b.Customer.Domain
+	cfg.Customer.Email = b.Customer.Email
+	if b.Hub.URL != "" {
+		cfg.Hub.Enabled = b.Hub.APIKey != ""
+		cfg.Hub.URL = b.Hub.URL
+		cfg.Hub.APIKey = b.Hub.APIKey
+	}
+	cfg.LocalAPI.Endpoint = b.LocalAPI.Endpoint
+	cfg.LocalAPI.Fingerprint = b.LocalAPI.Fingerprint
+	cfg.LocalAPI.Token = b.LocalAPI.Token
+	return cfg
+}
+
+// writeYAML marshals cfg to YAML and writes it atomically (tmp + rename), 0600 (it carries the
+// local-api token + any hub key).
+func writeYAML(path string, cfg *config.Config) error {
+	out, err := yaml.Marshal(cfg)
+	if err != nil {
+		return fmt.Errorf("marshal: %w", err)
+	}
+	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
+		return fmt.Errorf("config dir: %w", err)
+	}
+	tmp := path + ".tmp"
+	if err := os.WriteFile(tmp, out, 0o600); err != nil {
+		return err
+	}
+	return os.Rename(tmp, path)
+}

controller/internal/bootstrap/bootstrap_test.go

@@ -0,0 +1,133 @@
+package bootstrap
+
+import (
+	"io"
+	"log"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"gitea.dooplex.hu/admin/felhom-controller/internal/config"
+)
+
+func testLogger() *log.Logger { return log.New(io.Discard, "", 0) }
+
+const goodBootstrap = `{
+  "schema": "felhom.bootstrap/v1",
+  "customer": {"id": "cust-8200", "name": "Teszt", "domain": "cust8200.felhom.eu", "email": "a@b.hu"},
+  "hub": {"url": "https://hub.felhom.eu", "api_key": "HUBKEY", "host_id": "demo-felhom-01"},
+  "local_api": {"endpoint": "192.168.0.162:8443", "fingerprint": "ab12", "token": "PERGUESTTOKEN"}
+}`
+
+// A present bootstrap on an unconfigured controller seeds controller.yaml and skips setup.
+func TestMaybeIngest_SeedsWhenUnconfigured(t *testing.T) {
+	dir := t.TempDir()
+	bpath := filepath.Join(dir, "bootstrap.json")
+	cfgPath := filepath.Join(dir, "controller.yaml")
+	if err := os.WriteFile(bpath, []byte(goodBootstrap), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("FELHOM_BOOTSTRAP_PATH", bpath)
+
+	got := MaybeIngest(cfgPath, config.Default(), testLogger())
+	if got.Customer.ID != "cust-8200" || got.Customer.Domain != "cust8200.felhom.eu" {
+		t.Fatalf("customer not seeded: %+v", got.Customer)
+	}
+	if got.LocalAPI.Endpoint != "192.168.0.162:8443" || got.LocalAPI.Token != "PERGUESTTOKEN" || got.LocalAPI.Fingerprint != "ab12" {
+		t.Fatalf("local_api not seeded: %+v", got.LocalAPI)
+	}
+	if !got.Hub.Enabled || got.Hub.URL != "https://hub.felhom.eu" || got.Hub.APIKey != "HUBKEY" {
+		t.Fatalf("hub not seeded: %+v", got.Hub)
+	}
+	// controller.yaml must now exist on disk (so a restart reads it directly).
+	if _, err := os.Stat(cfgPath); err != nil {
+		t.Fatalf("controller.yaml not written: %v", err)
+	}
+	// And it must reload as configured (not setup).
+	reloaded, err := config.LoadPermissive(cfgPath)
+	if err != nil || reloaded.Customer.ID != "cust-8200" {
+		t.Fatalf("seeded controller.yaml does not reload configured: %v / %+v", err, reloaded.Customer)
+	}
+}
+
+// An already-configured controller is NEVER clobbered (idempotent).
+func TestMaybeIngest_DoesNotClobberConfigured(t *testing.T) {
+	dir := t.TempDir()
+	bpath := filepath.Join(dir, "bootstrap.json")
+	cfgPath := filepath.Join(dir, "controller.yaml")
+	if err := os.WriteFile(bpath, []byte(goodBootstrap), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("FELHOM_BOOTSTRAP_PATH", bpath)
+
+	existing := config.Default()
+	existing.Customer.ID = "already-here"
+	existing.Customer.Domain = "existing.felhom.eu"
+
+	got := MaybeIngest(cfgPath, existing, testLogger())
+	if got.Customer.ID != "already-here" {
+		t.Fatalf("configured controller was clobbered by bootstrap: %+v", got.Customer)
+	}
+	if _, err := os.Stat(cfgPath); err == nil {
+		t.Fatal("controller.yaml was written despite an already-configured controller")
+	}
+}
+
+// A malformed bootstrap leaves the controller in setup mode (cfg unchanged), no crash.
+func TestMaybeIngest_MalformedStaysInSetup(t *testing.T) {
+	dir := t.TempDir()
+	bpath := filepath.Join(dir, "bootstrap.json")
+	cfgPath := filepath.Join(dir, "controller.yaml")
+	if err := os.WriteFile(bpath, []byte("{not json"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("FELHOM_BOOTSTRAP_PATH", bpath)
+
+	got := MaybeIngest(cfgPath, config.Default(), testLogger())
+	if got.Customer.ID != "" {
+		t.Fatalf("malformed bootstrap seeded a config: %+v", got.Customer)
+	}
+	if _, err := os.Stat(cfgPath); err == nil {
+		t.Fatal("controller.yaml written from malformed bootstrap")
+	}
+}
+
+// A bootstrap missing the minimum identity is rejected (stays in setup).
+func TestMaybeIngest_MissingIdentityStaysInSetup(t *testing.T) {
+	dir := t.TempDir()
+	bpath := filepath.Join(dir, "bootstrap.json")
+	cfgPath := filepath.Join(dir, "controller.yaml")
+	if err := os.WriteFile(bpath, []byte(`{"schema":"felhom.bootstrap/v1","local_api":{"endpoint":"x:1"}}`), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("FELHOM_BOOTSTRAP_PATH", bpath)
+
+	got := MaybeIngest(cfgPath, config.Default(), testLogger())
+	if got.Customer.ID != "" {
+		t.Fatal("seeded despite missing customer identity")
+	}
+}
+
+// An absent bootstrap is a no-op (normal setup).
+func TestMaybeIngest_AbsentIsNoop(t *testing.T) {
+	dir := t.TempDir()
+	t.Setenv("FELHOM_BOOTSTRAP_PATH", filepath.Join(dir, "nope.json"))
+	got := MaybeIngest(filepath.Join(dir, "controller.yaml"), config.Default(), testLogger())
+	if got.Customer.ID != "" {
+		t.Fatal("seeded with no bootstrap present")
+	}
+}
+
+// An unsupported schema is rejected.
+func TestMaybeIngest_UnsupportedSchema(t *testing.T) {
+	dir := t.TempDir()
+	bpath := filepath.Join(dir, "bootstrap.json")
+	if err := os.WriteFile(bpath, []byte(`{"schema":"felhom.bootstrap/v999","customer":{"id":"x","domain":"y"}}`), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("FELHOM_BOOTSTRAP_PATH", bpath)
+	got := MaybeIngest(filepath.Join(dir, "controller.yaml"), config.Default(), testLogger())
+	if got.Customer.ID != "" {
+		t.Fatal("seeded from an unsupported schema")
+	}
+}

controller/internal/config/config.go

@@ -28,6 +28,16 @@ type Config struct {
 	Logging        LoggingConfig        `yaml:"logging"`
 	Assets         AssetsConfig         `yaml:"assets"`
 	System         SystemConfig         `yaml:"system"`
+	LocalAPI       LocalAPIConfig       `yaml:"local_api"`
+}
+
+// LocalAPIConfig is the in-guest controller's handle on the host agent's per-guest local API
+// (doc 03 §6, slice 8A). The agent mints the token + serves a self-signed leaf; the controller
+// reaches it over the bridge, pinning the leaf SHA-256. Seeded from bootstrap.json at first run.
+type LocalAPIConfig struct {
+	Endpoint    string `yaml:"endpoint"`    // host bridge IP:port, e.g. "192.168.0.162:8443"
+	Fingerprint string `yaml:"fingerprint"` // agent leaf-cert SHA-256 (hex) to pin
+	Token       string `yaml:"token"`       // per-guest bearer; SECRET
 }
 
 type SystemConfig struct {