Skip to content

feat(version): advertise broker_egress capability in version --json#36

Merged
ysyneu merged 2 commits into
mainfrom
feat/broker-capability-probe
Jun 8, 2026
Merged

feat(version): advertise broker_egress capability in version --json#36
ysyneu merged 2 commits into
mainfrom
feat/broker-capability-probe

Conversation

@ysyneu

@ysyneu ysyneu commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

What

fduty version --json now includes a broker_egress boolean — the capability the runner probes to decide whether to advertise broker mode to safari.

{ "broker_egress": true, "commit": "...", "date": "...", "version": "..." }

Plain fduty version output is unchanged.

Why

A runner built with broker support always advertises broker=1, which makes safari deliver the per-person app_key out-of-band (never in the bash env). If that runner's bundled fduty is older than broker support, it can't read FLASHDUTY_CRED_FD and auth breaks. The runner doesn't refresh fduty on self-update, so a fleet runner can carry a stale fduty.

This field lets the runner gate its broker=1 advertisement on the actual capability of its bundled fduty (companion runner PR). Stale fduty → no advertisement → safari falls back to the env-key path → old fduty keeps working. Self-healing, and works in zero-egress BYOC (no fduty refresh needed).

Design notes

  • broker_egress is a compile-time capability (const brokerEgressCapable: true on unix where broker_dial_unix.go is built, false elsewhere) — not a version-number comparison, so dev builds (version "") and future releases are handled uniformly.
  • An older fduty ignores --json for version and prints the plain line → not valid JSON / no field → reads as 'not capable'.
  • Uses the package-standard marshalStructured (honors --json and --output-format toon).

Test

TestVersionJSONAdvertisesBrokerEgress locks the contract; TestVersionPlainOutput keeps the human line stable.

Part of the egress-auth broker rollout (follows #35).

ysyneu added 2 commits June 8, 2026 20:45
The runner probes `fduty version --json` to learn whether the bundled fduty
can act as a broker-mode client (read FLASHDUTY_CRED_FD and dial over the
inherited control fd). It advertises broker mode to safari only when the probe
reports broker_egress=true; otherwise safari would deliver the per-person key
out-of-band to an fduty that cannot read it, breaking auth.

broker_egress is a compile-time capability (true on unix, where broker_dial_unix.go
is built; false elsewhere) — not a version comparison — so dev builds and future
versions are handled uniformly. An older fduty ignores --json for the version
command and prints the plain line, so the missing field reads as 'not capable',
and the runner falls back to the legacy env-key path.
…rect

- check fmt.Fprintln/Fprintf returns (errcheck under golangci-lint v2.11)
- assert broker_egress matches the compile-time capability (true on unix, false
  on windows) instead of hard-asserting true, which failed the windows build
@ysyneu ysyneu merged commit 361b78c into main Jun 8, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant