Documentation
Overview
Package v1 defines the gRPC AgentService for clawkerd-to-CP communication.
AgentService is the agent-side surface clawkerd dials on the CP's clawker-net agent listener. The Connect RPC is server-streaming and IS the agent's lifetime command channel; Events is a client-streaming telemetry channel (stub in this branch — B5 fills in payloads).
Index
- Constants
- Variables
- func RegisterAgentServiceServer(s grpc.ServiceRegistrar, srv AgentServiceServer)
- type AgentServiceClient
- type AgentServiceServer
- type RegisterRequest
- func (*RegisterRequest) Descriptor() ([]byte, []int) (deprecated)
- func (x *RegisterRequest) GetAgentName() string
- func (x *RegisterRequest) GetProject() string
- func (*RegisterRequest) ProtoMessage()
- func (x *RegisterRequest) ProtoReflect() protoreflect.Message
- func (x *RegisterRequest) Reset()
- func (x *RegisterRequest) String() string
- type UnimplementedAgentServiceServer
- type UnsafeAgentServiceServer
- type Welcome
Constants
const (
	AgentService_Register_FullMethodName = "/clawker.agent.v1.AgentService/Register"
)
const ServiceName = "clawker.agent.v1.AgentService"
ServiceName is the fully-qualified gRPC service name for AgentService.
Variables
var AgentService_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "clawker.agent.v1.AgentService",
	HandlerType: (*AgentServiceServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "Register",
			Handler:    _AgentService_Register_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "agent/v1/agent.proto",
}
AgentService_ServiceDesc is the grpc.ServiceDesc for the AgentService service. It is only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy).
var File_agent_v1_agent_proto protoreflect.FileDescriptor
Functions
func RegisterAgentServiceServer
func RegisterAgentServiceServer(s grpc.ServiceRegistrar, srv AgentServiceServer)
Types
type AgentServiceClient
type AgentServiceClient interface {
	// Register binds (peer cert thumbprint, container_id) into the CP's
	// agentregistry. Container_id is read from the peer cert's URI SAN;
	// the request body carries only the human-readable identity fields
	// for cross-checking against the cert's CN and the docker
	// container's labels.
	//
	// Welcome is empty — success is signaled by the call returning
	// without error. Failure modes return PermissionDenied (cert/CN
	// mismatch, peer-IP mismatch, label mismatch, thumbprint replay) or
	// InvalidArgument (malformed identity fields).
	Register(ctx context.Context, in *RegisterRequest, opts ...grpc.CallOption) (*Welcome, error)
}
AgentServiceClient is the client API for AgentService service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
AgentService is the inbound gRPC surface clawkerd calls on the CP's clawker-net agent listener. Today the only RPC is Register, the one-time-per-container provenance handshake CP triggers via a RegisterRequired Command on the existing CP→clawkerd Session stream.
Trust model:
- The CLI mints the agent's leaf cert at container-create time, signed by the CLI CA. The cert's CN is the canonical clawker.<project>.<agent> identity. The cert carries a URI SAN of the form `urn:clawker:container:<id>` binding it to the docker container_id it was minted for.
- clawkerd presents that cert in mTLS when calling Register. CP captures the peer thumbprint (SHA-256 over cert.Raw) at handler entry — the thumbprint is a CAPTURE, not a CLI-pre-staged attestation. CP writes the (thumbprint, container_id) row.
- The Register call is gated by a Hydra-issued bearer token the agent obtains by exchanging a single-use CLI-signed client_assertion JWT. Once the assertion is consumed, Register cannot be re-attempted for that container — registration is one-time per container creation.
Transport: mTLS over TCP on the CP's clawker-net agent listener. Server requires a client cert chained to the CLI CA; authorization via Hydra-issued bearer tokens scoped to the `clawker-agent` OAuth2 client (scope `agent:self:register`).
func NewAgentServiceClient
func NewAgentServiceClient(cc grpc.ClientConnInterface) AgentServiceClient
type AgentServiceServer
type AgentServiceServer interface {
	// Register binds (peer cert thumbprint, container_id) into the CP's
	// agentregistry. Container_id is read from the peer cert's URI SAN;
	// the request body carries only the human-readable identity fields
	// for cross-checking against the cert's CN and the docker
	// container's labels.
	//
	// Welcome is empty — success is signaled by the call returning
	// without error. Failure modes return PermissionDenied (cert/CN
	// mismatch, peer-IP mismatch, label mismatch, thumbprint replay) or
	// InvalidArgument (malformed identity fields).
	Register(context.Context, *RegisterRequest) (*Welcome, error)
	// contains filtered or unexported methods
}
AgentServiceServer is the server API for AgentService service. All implementations must embed UnimplementedAgentServiceServer for forward compatibility.
type RegisterRequest
type RegisterRequest struct {
	AgentName string `protobuf:"bytes,1,opt,name=agent_name,json=agentName,proto3" json:"agent_name,omitempty"`
	Project   string `protobuf:"bytes,2,opt,name=project,proto3" json:"project,omitempty"`
	// contains filtered or unexported fields
}
RegisterRequest carries the human-readable identity claim. The agent_name and project are cross-checked against:
- the peer cert's canonical CN (clawker.<project>.<agent>)
- the docker container's dev.clawker.agent / dev.clawker.project labels (resolved via the container_id read from the cert URI SAN)
container_id is NOT a request field — the handler reads it from the cert's URI SAN to defend against a leaked cert being presented for the wrong container. The cert's binding to container_id is structural, not request-claimed.
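The Register-side checks described in the trust model above and in the RegisterRequest notes, as an added stand-alone example (not code from this package): container_id is taken from the cert's URI SAN, the CN is compared with the claimed clawker.<project>.<agent>, and the thumbprint is captured as SHA-256 over cert.Raw. Assumptions: the peer certificate is passed in directly (a real handler would take it from the gRPC peer's TLS state), errors.New sentinels stand in for gRPC status codes, the "no dots in identity fields" and "exactly one URI SAN" rules are this example's choices, and mintLeaf produces constructed self-signed test data rather than a CLI-CA-signed leaf.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Stand-ins for the grpc status codes the real handler returns (stdlib-only example).
var PermissionDenied, InvalidArgument = errors.New("PermissionDenied"), errors.New("InvalidArgument")
const sanPrefix = "urn:clawker:container:"

// checkRegister applies the documented Register checks: well-formed identity fields, CN == clawker.<project>.<agent>,
// container_id read from the cert URI SAN (never from the request body), thumbprint CAPTURED as SHA-256 over cert.Raw.
func checkRegister(peer *x509.Certificate, project, agent string) (thumb, containerID string, err error) {
	if project == "" || agent == "" || strings.ContainsAny(project+agent, ".") { // assumed: dots make the CN ambiguous
		return "", "", fmt.Errorf("%w: malformed identity fields", InvalidArgument)
	}
	if want := "clawker." + project + "." + agent; peer.Subject.CommonName != want {
		return "", "", fmt.Errorf("%w: CN %q does not match claimed %q", PermissionDenied, peer.Subject.CommonName, want)
	}
	if len(peer.URIs) == 1 && strings.HasPrefix(peer.URIs[0].String(), sanPrefix) {
		containerID = strings.TrimPrefix(peer.URIs[0].String(), sanPrefix)
	}
	if containerID == "" { // assumed: exactly one container URI SAN carrying a non-empty id
		return "", "", fmt.Errorf("%w: cert carries no usable container URI SAN", PermissionDenied)
	}
	return fmt.Sprintf("%x", sha256.Sum256(peer.Raw)), containerID, nil
}

// mintLeaf builds a self-signed stand-in for the CLI-minted agent leaf (constructed test data).
func mintLeaf(cn, containerID string) *x509.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), URIs: []*url.URL{{Scheme: "urn", Opaque: "clawker:container:" + containerID}}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	fmt.Println(checkRegister(mintLeaf("clawker.demo.bot", "abc123"), "demo", "bot")) // <thumbprint> abc123 <nil>
}
```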
func (*RegisterRequest) Descriptor (deprecated)
func (*RegisterRequest) Descriptor() ([]byte, []int)
Deprecated: Use RegisterRequest.ProtoReflect.Descriptor instead.
func (*RegisterRequest) GetAgentName
func (x *RegisterRequest) GetAgentName() string
func (*RegisterRequest) GetProject
func (x *RegisterRequest) GetProject() string
func (*RegisterRequest) ProtoMessage
func (*RegisterRequest) ProtoMessage()
func (*RegisterRequest) ProtoReflect
func (x *RegisterRequest) ProtoReflect() protoreflect.Message
func (*RegisterRequest) Reset
func (x *RegisterRequest) Reset()
func (*RegisterRequest) String
func (x *RegisterRequest) String() string
type UnimplementedAgentServiceServer
type UnimplementedAgentServiceServer struct{}
UnimplementedAgentServiceServer must be embedded to have forward compatible implementations.
NOTE: this should be embedded by value instead of pointer to avoid a nil pointer dereference when methods are called.
func (UnimplementedAgentServiceServer) Register
func (UnimplementedAgentServiceServer) Register(context.Context, *RegisterRequest) (*Welcome, error)
type UnsafeAgentServiceServer
type UnsafeAgentServiceServer interface {
	// contains filtered or unexported methods
}
UnsafeAgentServiceServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to AgentServiceServer will result in compilation errors.
type Welcome
type Welcome struct {
	// contains filtered or unexported fields
}
Welcome is the success response. Empty — the act of returning without error is the signal.
func (*Welcome) Descriptor (deprecated)
func (*Welcome) ProtoMessage
func (*Welcome) ProtoMessage()
func (*Welcome) ProtoReflect
func (x *Welcome) ProtoReflect() protoreflect.Message