docs(rfc-0001): data-verb naming (ingest, not push) + flow-family framing#96
Merged
Merged
Conversation
…to the #877–880 trackers Folds in two decisions made with Lukas (2026-06-23) that postdate Rev 3: - Naming: `dataset push|list|rm` → `data ingest|list|delete`. **ingest, not push** (data is loaded into the client's own on-prem cluster and never leaves it; "push" implies egress to a remote and undermines the core trust message). **delete, not rm** (spelled-out, consistent with `client delete`). `dataset`/`push`/`rm` kept as hidden aliases for one deprecation cycle. Swapped across §3.2/§4.6/§6.2/§6.4/§7.3/§13 + a rationale note in §6.2. - §8: framed the drafted flows as the four acceptance families (#877–880) under the 2-phase shape (one human gate → unattended idempotent convergence) + the 7 design principles. Additive only — does NOT touch the cluster_id anchor design. Two round-2 review residuals remain for Rev 4: the heartbeat `cluster_id` backfill names a carrier (jobs-manager) that lacks RBAC to read the kube-system UID, and §7.2 step-2a adopts the in-cluster credential before the cross-account check (a 409 bypass). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
saadqbal
approved these changes
Jun 24, 2026
saadqbal
merged commit 6d42de7
into
docs/rfc-0001-cli-auth-provisioning
4 checks passed
saadqbal
added a commit
that referenced
this pull request
Jun 24, 2026
Carrier decision: cluster_id is set/backfilled by the CLI/installer (the kubeconfig-holder that can read the kube-system UID), NOT the heartbeat — whose sender (jobs-manager) has no `namespaces` RBAC and can't read it. - Residual 1 (carrier): §4.5 / §6.3 / §10 / R7 / C.4 / C.7 — the heartbeat no longer carries cluster_id; the CLI PATCHes it on adopt (new C.3 PATCH /edge-device/<id>/), with the §7.2 step-2a live-release guard covering the pre-backfill window. §9: since the authenticated CLI sets it from the real UID, the self-report spoofing surface is gone. - Residual 2 (ordering): §7.2 — the account-scoped backend check now gates ADOPTION itself, so reading a live TB_CLIENT_ID off the cluster can't bypass the cross-account 409 (previously step-2a adopted before the check). - §13 + Appendix C updated to match. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Folds two decisions made with @LukasWodka (2026-06-23) into the RFC — both postdate Rev 3, so they weren't in the doc yet. Additive + surgical (one file, +27/−10); I deliberately did not touch the
cluster_idanchor design — that's your Rev 4.What changed
data ingest / list / delete(wasdataset push|list|rm), swapped across §3.2 / §4.6 / §6.2 / §6.4 / §7.3 / §13 + a rationale note in §6.2:ingest, notpush— the data loads into the client's own on-prem cluster and never leaves; "push" implies egress to a remote and undercuts the core trust message. Lukas made this a hard convention (applies to all copy, not just the command).delete, notrm— consistent withclient delete, beginner-clear.dataset/push/rmkept as hidden aliases for one deprecation cycle.Two round-2 residuals left for your Rev 4 (anchor design is yours)
cluster_id"from the heartbeat", but the sender (jobs-manager) ClusterRole lacksnamespacesand can't read thekube-systemUID — only the disableable resource-monitor can. Pick + spec the carrier.(The rest of my round-2 review is already folded — §9 "authenticate the
cluster_idclaim", the password-reset gate, machine-credential revoke, the tenancy boundary. 👍)Merge into the RFC branch whenever — it's the naming + framing catch-up so the doc is the complete planning ground-truth.
🤖 Generated with Claude Code