Files
stack/docs/guides/lease-broker-operations.md
ms-lead-reviewer 0b953faf79 fix(#828): bound persisted broker token state
Prune consumed and revoked tokens, cap pending token state, reject oversized serialization before replacement, and roll back in-memory mutations when persistence fails.\n\ncloses #828
2026-07-17 21:04:21 -05:00

2.4 KiB

Lease broker operations

Place the socket and state file in a dedicated directory with mode 0700. Start the packaged daemon with:

python3 "$MOSAIC_HOME/tools/lease-broker/daemon.py" \
  --socket /run/user/1000/mosaic-lease/broker.sock \
  --state /run/user/1000/mosaic-lease/state.json

The broker refuses an existing parent directory whose mode is not exactly 0700, an existing state file not at 0600, corrupt/incompatible state, or an already-existing socket path. After bind it sets the socket to 0600. It never silently unlinks a pre-existing socket. On normal termination it unlinks only the socket inode it created, so it does not remove a replacement path.

Clients must complete the request boundary before waiting for a reply. After sending the single JSON object and its terminating newline, the client MUST half-close the socket's write side (shutdown(SHUT_WR) in POSIX clients; socket.end() in Node) and only then await the response. Merely calling write() and waiting is invalid: the broker waits for EOF to enforce the exact-one-frame contract and fails closed at its one-second deadline. Do not replace end() with write() in client helpers. A delayed second frame remains malformed and is rejected.

There is no automated recovery workflow in WI-1. After a crash, preserve the protected state file and restart only after verifying that no broker owns the socket. A leftover socket requires an operator to verify the owning service is stopped and remove that exact socket deliberately. Corrupt, oversized, symlinked, or non-regular state fails closed; do not overwrite it. Preserve it for incident review and establish new state only through an explicit operational decision, which invalidates prior sessions and tokens.

Security posture

Directory 0700 plus socket/state 0600 is built-in same-principal hardening only: it excludes other UIDs but does not stop the same UID from unlinking and counterfeiting the socket. It therefore does not close T-C same-UID replacement. WI-1 does not provide a distinct-principal boundary. A stronger distinct-principal deployment requires an external protected proxy, ACL, or service boundary that clients cannot unlink or rebind and that preserves the authenticated client identity required by the broker's SO_PEERCRED and ancestry checks. Server-side branch protection remains the irreducible backstop.