Skip to content

Node Manager Phase 2a-2: acl ItemKind, verify pass & engine hardening#3954

Merged
Apollon77 merged 12 commits into
node-managerfrom
node-manager-phase2a2
Jun 22, 2026
Merged

Node Manager Phase 2a-2: acl ItemKind, verify pass & engine hardening#3954
Apollon77 merged 12 commits into
node-managerfrom
node-manager-phase2a2

Conversation

@Apollon77

@Apollon77 Apollon77 commented Jun 22, 2026

Copy link
Copy Markdown
Collaborator

Sub-PR into node-manager (umbrella PR #3948 picks it up in CI). Phase 2a-2 makes the 2a-1 reconciler engine real end-to-end with the first concrete ItemKind.

What's in it

  • Verify pass re-pends drift for any mode (planActions): reconcile(verify:true) == JFDS RefreshNode. converge re-checked only on explicit verify; maintain auto-verifies on periodic passes.
  • ItemKind.verify?() added to the @matter/node Tier-1 interface — kinds own device read + match; engine builds driftedKeys from false results.
  • acl ItemKind (@matter/node-manager): per-entry intent, additive coexistence (never removes foreign/admin entries; appends our exact entry only when not covered; OMIT_FABRIC writes), per-(subject × target)-cell subsumption verify (tolerates device-side compression/split), capacity = accessControlEntriesPerFabric. Reads fabric-filtered. Compression deferred to Phase 4 (Tier-3 optimizer).
  • Engine: verify-wiring, acl auto-registration + public registerItemKind().
  • Hardenings (deferred from 2a-1): Add tlv schema for unsigned integer #3 capacity-read failure isolation, Update package name so it can be published to npm #4 in-flight reconcile coalescing (InFlightGuard), Add build and test before merging to main #5 start-after-dispose guard.
  • Logging (debug + a capacity-skip notice, docs/LOGGING.md-conformant; steady state quiet).
  • Priority bands (keyset/group/membership/acl, acl last).
  • Test harness promoted to @matter/node/testing (MockSite/MockServerNode/MockExchange/node-helpers), so @matter/node-manager (and future phases) can commission peers in tests. 65 node test files repointed.
  • ReconcilerBehavior.early = true so it initializes before subscription/peer events (matches NetworkBehavior/CommissioningClient).

Tests

  • Single-peer commissioning integration test (4 scenarios): apply intent → committed + admin intact; subscription down → pending → drains on reconnect; ACL full → AclCapacityExceededError; mutate ACL behind the engine → verify re-pends + re-applies.
  • build --clean, format-verify, lint green; @matter/node-manager 40/40; @matter/node 1223/1223.

Review

Whole-branch opus review: merge-ready, zero Critical/Important. ACL subsumption verified to have no false-positive (security-relevant direction); admin-ACL clobber-safety confirmed.

🤖 Generated with Claude Code

Apollon77 and others added 11 commits June 20, 2026 18:53
@Apollon77 @claude
feat(node-manager): verify pass re-pends drift for any item mode
69ccef2 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Apollon77 @claude
feat(node): add optional ItemKind.verify() for drift detection
3d47800 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Apollon77 @claude
feat(node-manager): add ACL subsumption coverage helper
73e6c78 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Apollon77 @claude
feat(node-manager): add acl ItemKind with subsumption verify and prio…
72d2fca 
…rity bands

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Apollon77 @claude
feat(node-manager): wire verify pass and register acl kind in reconciler
e36744e 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Apollon77 @claude
fix(node-manager): harden capacity-read isolation, in-flight coalesci…
0ffc94c 
…ng, dispose race

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Apollon77 @claude
feat(node-manager): instrument reconciler triggers and passes at debug
09e0918 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Apollon77 @claude
refactor(node): export commissioning test harness at @matter/node/tes…
18ef7e9 
…ting

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Apollon77 @claude
test(node-manager): single-peer commissioning proof for acl reconcile
2782300 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Apollon77 @claude
fix(node-manager): void un-awaited reconcile re-entries in InFlightGu…
ca42ae3 
…ard test

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Apollon77 @claude
refactor(node-manager): drop WHAT-comment, document verify-coalescing…
b198d1d 
… tradeoff

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@mergify

mergify Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

@Apollon77 @claude
fix(node-manager): assume acl spec-min capacity (4) when device limit…
02fa3b9 
… unread

Pre-flight admission stays meaningful instead of failing open; the device
write remains the authoritative gate for over-capacity (RESOURCE_EXHAUSTED).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Apollon77 Apollon77 merged commit 6bccb13 into node-manager Jun 22, 2026
2 checks passed
@Apollon77 Apollon77 deleted the node-manager-phase2a2 branch June 22, 2026 11:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Apollon77