slice 8A (controller half): bootstrap.json ingestion + pinned agent local-API client (v0.35.0)

internal/bootstrap: first-run bootstrap.json ingestion (decision (c)) — seed
controller.yaml + skip setup; idempotent + fail-safe. internal/agentapi:
minimal pinned local-API client (leaf-cert SHA-256 pin, fails closed). config
LocalAPIConfig; startup /storage connectivity probe.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

controller/internal/bootstrap/bootstrap.go

@@ -0,0 +1,151 @@
+// Package bootstrap implements first-run bootstrap.json ingestion (slice 8A, doc 03 §6,
+// config-contract decision (c)). The host agent's provisioning back-half writes a stable
+// bootstrap.json into a read-only config mount; on first run the controller seeds its own
+// controller.yaml from it and comes up CONFIGURED, skipping the setup wizard. The agent emits
+// the stable contract; the controller owns the translation — the two stay decoupled.
+package bootstrap
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"gitea.dooplex.hu/admin/felhom-controller/internal/config"
+	"gopkg.in/yaml.v3"
+)
+
+// DefaultMountPath is where the agent attaches the read-only config mount (spike S2). Override
+// with FELHOM_BOOTSTRAP_PATH for tests / non-standard layouts.
+const DefaultMountPath = "/etc/felhom-bootstrap/bootstrap.json"
+
+// SchemaV1 is the stable contract version the agent emits and the controller ingests.
+const SchemaV1 = "felhom.bootstrap/v1"
+
+// Bootstrap is the stable agent→controller config contract (JSON). It carries exactly what the
+// controller needs to come up configured + reach the agent's local API. It is deliberately a
+// SEPARATE shape from controller.yaml (decision (c)): the agent never needs to know the
+// controller's full config schema.
+type Bootstrap struct {
+	Schema   string            `json:"schema"`
+	Customer BootstrapCustomer `json:"customer"`
+	Hub      BootstrapHub      `json:"hub"`
+	LocalAPI BootstrapLocalAPI `json:"local_api"`
+}
+
+type BootstrapCustomer struct {
+	ID     string `json:"id"`
+	Name   string `json:"name"`
+	Domain string `json:"domain"`
+	Email  string `json:"email"`
+}
+
+type BootstrapHub struct {
+	URL    string `json:"url"`
+	APIKey string `json:"api_key"`
+	HostID string `json:"host_id"` // the agent's host id (reference; not load-bearing for the controller)
+}
+
+type BootstrapLocalAPI struct {
+	Endpoint    string `json:"endpoint"`    // host bridge IP:port
+	Fingerprint string `json:"fingerprint"` // agent leaf-cert SHA-256 (hex) to pin
+	Token       string `json:"token"`       // per-guest bearer; SECRET
+}
+
+// Path returns the bootstrap mount path (env override → default).
+func Path() string {
+	if p := strings.TrimSpace(os.Getenv("FELHOM_BOOTSTRAP_PATH")); p != "" {
+		return p
+	}
+	return DefaultMountPath
+}
+
+// MaybeIngest seeds controller.yaml from a bootstrap.json mount when the controller is NOT yet
+// configured, and returns the config the caller should use.
+//
+// Contract:
+//   - Idempotent: if cfg is already configured (customer.id set), the existing controller.yaml is
+//     NEVER clobbered — returns cfg unchanged.
+//   - Fail-safe: an absent or malformed bootstrap, or one missing the minimum identity, leaves cfg
+//     unchanged (the caller proceeds to normal setup mode) — it logs and never crashes.
+//   - On success: writes controller.yaml (0600, atomic), reloads it, and returns the reloaded cfg.
+func MaybeIngest(configPath string, cfg *config.Config, logger *log.Logger) *config.Config {
+	if cfg != nil && cfg.Customer.ID != "" {
+		return cfg // already configured — do not clobber (idempotent)
+	}
+	bpath := Path()
+	data, err := os.ReadFile(bpath)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			logger.Printf("[WARN] bootstrap: cannot read %s: %v — staying in setup", bpath, err)
+		}
+		return cfg // no bootstrap → normal setup
+	}
+
+	var b Bootstrap
+	if err := json.Unmarshal(data, &b); err != nil {
+		logger.Printf("[WARN] bootstrap: %s is not valid JSON: %v — staying in setup", bpath, err)
+		return cfg
+	}
+	if b.Schema != "" && b.Schema != SchemaV1 {
+		logger.Printf("[WARN] bootstrap: unsupported schema %q (want %q) — staying in setup", b.Schema, SchemaV1)
+		return cfg
+	}
+	if b.Customer.ID == "" || b.Customer.Domain == "" {
+		logger.Printf("[WARN] bootstrap: %s missing customer.id/domain — staying in setup", bpath)
+		return cfg
+	}
+
+	seeded := configFromBootstrap(b)
+	if err := writeYAML(configPath, seeded); err != nil {
+		logger.Printf("[WARN] bootstrap: could not write %s: %v — staying in setup", configPath, err)
+		return cfg
+	}
+	reloaded, err := config.LoadPermissive(configPath)
+	if err != nil {
+		logger.Printf("[WARN] bootstrap: wrote %s but reload failed: %v — staying in setup", configPath, err)
+		return cfg
+	}
+	logger.Printf("[INFO] bootstrap: seeded %s from %s (customer=%s, local_api=%s) — coming up configured",
+		configPath, bpath, b.Customer.ID, b.LocalAPI.Endpoint)
+	return reloaded
+}
+
+// configFromBootstrap maps the stable contract onto a controller.yaml Config. Only the
+// identity/hub/local-api fields are seeded; all other config keeps controller defaults (the
+// customer configures the rest via the dashboard / hub manifest).
+func configFromBootstrap(b Bootstrap) *config.Config {
+	cfg := &config.Config{}
+	cfg.Customer.ID = b.Customer.ID
+	cfg.Customer.Name = b.Customer.Name
+	cfg.Customer.Domain = b.Customer.Domain
+	cfg.Customer.Email = b.Customer.Email
+	if b.Hub.URL != "" {
+		cfg.Hub.Enabled = b.Hub.APIKey != ""
+		cfg.Hub.URL = b.Hub.URL
+		cfg.Hub.APIKey = b.Hub.APIKey
+	}
+	cfg.LocalAPI.Endpoint = b.LocalAPI.Endpoint
+	cfg.LocalAPI.Fingerprint = b.LocalAPI.Fingerprint
+	cfg.LocalAPI.Token = b.LocalAPI.Token
+	return cfg
+}
+
+// writeYAML marshals cfg to YAML and writes it atomically (tmp + rename), 0600 (it carries the
+// local-api token + any hub key).
+func writeYAML(path string, cfg *config.Config) error {
+	out, err := yaml.Marshal(cfg)
+	if err != nil {
+		return fmt.Errorf("marshal: %w", err)
+	}
+	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
+		return fmt.Errorf("config dir: %w", err)
+	}
+	tmp := path + ".tmp"
+	if err := os.WriteFile(tmp, out, 0o600); err != nil {
+		return err
+	}
+	return os.Rename(tmp, path)
+}

controller/internal/bootstrap/bootstrap_test.go

@@ -0,0 +1,133 @@
+package bootstrap
+
+import (
+	"io"
+	"log"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"gitea.dooplex.hu/admin/felhom-controller/internal/config"
+)
+
+func testLogger() *log.Logger { return log.New(io.Discard, "", 0) }
+
+const goodBootstrap = `{
+  "schema": "felhom.bootstrap/v1",
+  "customer": {"id": "cust-8200", "name": "Teszt", "domain": "cust8200.felhom.eu", "email": "a@b.hu"},
+  "hub": {"url": "https://hub.felhom.eu", "api_key": "HUBKEY", "host_id": "demo-felhom-01"},
+  "local_api": {"endpoint": "192.168.0.162:8443", "fingerprint": "ab12", "token": "PERGUESTTOKEN"}
+}`
+
+// A present bootstrap on an unconfigured controller seeds controller.yaml and skips setup.
+func TestMaybeIngest_SeedsWhenUnconfigured(t *testing.T) {
+	dir := t.TempDir()
+	bpath := filepath.Join(dir, "bootstrap.json")
+	cfgPath := filepath.Join(dir, "controller.yaml")
+	if err := os.WriteFile(bpath, []byte(goodBootstrap), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("FELHOM_BOOTSTRAP_PATH", bpath)
+
+	got := MaybeIngest(cfgPath, config.Default(), testLogger())
+	if got.Customer.ID != "cust-8200" || got.Customer.Domain != "cust8200.felhom.eu" {
+		t.Fatalf("customer not seeded: %+v", got.Customer)
+	}
+	if got.LocalAPI.Endpoint != "192.168.0.162:8443" || got.LocalAPI.Token != "PERGUESTTOKEN" || got.LocalAPI.Fingerprint != "ab12" {
+		t.Fatalf("local_api not seeded: %+v", got.LocalAPI)
+	}
+	if !got.Hub.Enabled || got.Hub.URL != "https://hub.felhom.eu" || got.Hub.APIKey != "HUBKEY" {
+		t.Fatalf("hub not seeded: %+v", got.Hub)
+	}
+	// controller.yaml must now exist on disk (so a restart reads it directly).
+	if _, err := os.Stat(cfgPath); err != nil {
+		t.Fatalf("controller.yaml not written: %v", err)
+	}
+	// And it must reload as configured (not setup).
+	reloaded, err := config.LoadPermissive(cfgPath)
+	if err != nil || reloaded.Customer.ID != "cust-8200" {
+		t.Fatalf("seeded controller.yaml does not reload configured: %v / %+v", err, reloaded.Customer)
+	}
+}
+
+// An already-configured controller is NEVER clobbered (idempotent).
+func TestMaybeIngest_DoesNotClobberConfigured(t *testing.T) {
+	dir := t.TempDir()
+	bpath := filepath.Join(dir, "bootstrap.json")
+	cfgPath := filepath.Join(dir, "controller.yaml")
+	if err := os.WriteFile(bpath, []byte(goodBootstrap), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("FELHOM_BOOTSTRAP_PATH", bpath)
+
+	existing := config.Default()
+	existing.Customer.ID = "already-here"
+	existing.Customer.Domain = "existing.felhom.eu"
+
+	got := MaybeIngest(cfgPath, existing, testLogger())
+	if got.Customer.ID != "already-here" {
+		t.Fatalf("configured controller was clobbered by bootstrap: %+v", got.Customer)
+	}
+	if _, err := os.Stat(cfgPath); err == nil {
+		t.Fatal("controller.yaml was written despite an already-configured controller")
+	}
+}
+
+// A malformed bootstrap leaves the controller in setup mode (cfg unchanged), no crash.
+func TestMaybeIngest_MalformedStaysInSetup(t *testing.T) {
+	dir := t.TempDir()
+	bpath := filepath.Join(dir, "bootstrap.json")
+	cfgPath := filepath.Join(dir, "controller.yaml")
+	if err := os.WriteFile(bpath, []byte("{not json"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("FELHOM_BOOTSTRAP_PATH", bpath)
+
+	got := MaybeIngest(cfgPath, config.Default(), testLogger())
+	if got.Customer.ID != "" {
+		t.Fatalf("malformed bootstrap seeded a config: %+v", got.Customer)
+	}
+	if _, err := os.Stat(cfgPath); err == nil {
+		t.Fatal("controller.yaml written from malformed bootstrap")
+	}
+}
+
+// A bootstrap missing the minimum identity is rejected (stays in setup).
+func TestMaybeIngest_MissingIdentityStaysInSetup(t *testing.T) {
+	dir := t.TempDir()
+	bpath := filepath.Join(dir, "bootstrap.json")
+	cfgPath := filepath.Join(dir, "controller.yaml")
+	if err := os.WriteFile(bpath, []byte(`{"schema":"felhom.bootstrap/v1","local_api":{"endpoint":"x:1"}}`), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("FELHOM_BOOTSTRAP_PATH", bpath)
+
+	got := MaybeIngest(cfgPath, config.Default(), testLogger())
+	if got.Customer.ID != "" {
+		t.Fatal("seeded despite missing customer identity")
+	}
+}
+
+// An absent bootstrap is a no-op (normal setup).
+func TestMaybeIngest_AbsentIsNoop(t *testing.T) {
+	dir := t.TempDir()
+	t.Setenv("FELHOM_BOOTSTRAP_PATH", filepath.Join(dir, "nope.json"))
+	got := MaybeIngest(filepath.Join(dir, "controller.yaml"), config.Default(), testLogger())
+	if got.Customer.ID != "" {
+		t.Fatal("seeded with no bootstrap present")
+	}
+}
+
+// An unsupported schema is rejected.
+func TestMaybeIngest_UnsupportedSchema(t *testing.T) {
+	dir := t.TempDir()
+	bpath := filepath.Join(dir, "bootstrap.json")
+	if err := os.WriteFile(bpath, []byte(`{"schema":"felhom.bootstrap/v999","customer":{"id":"x","domain":"y"}}`), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	t.Setenv("FELHOM_BOOTSTRAP_PATH", bpath)
+	got := MaybeIngest(filepath.Join(dir, "controller.yaml"), config.Default(), testLogger())
+	if got.Customer.ID != "" {
+		t.Fatal("seeded from an unsupported schema")
+	}
+}