cellos-supervisor 0.5.1

CellOS execution-cell runner — boots cells in Firecracker microVMs or gVisor, enforces narrow typed authority, emits signed CloudEvents.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191

//! Cell spec path reading (`O_NOFOLLOW` on Unix) and NATS subject template resolution.

use std::fs;
use std::io::Read;
use std::path::Path;

use anyhow::Context;
use sha2::{Digest, Sha256};

/// Read the cell spec. If `path` is `-`, reads the entire document from **stdin** (no `O_NOFOLLOW`;
/// caller supplies bytes from a sealed pipe or CI artifact). Otherwise reads from a file: on Unix,
/// opens with `O_NOFOLLOW` on the final path component so a swapped-in symlink cannot be followed.
pub fn read_cell_spec(path: &Path) -> anyhow::Result<String> {
    if path.as_os_str() == std::ffi::OsStr::new("-") {
        let mut raw = String::new();
        std::io::stdin()
            .read_to_string(&mut raw)
            .context("read cell spec from stdin")?;
        return Ok(raw);
    }

    #[cfg(unix)]
    {
        use std::os::unix::fs::OpenOptionsExt;
        let mut opts = fs::OpenOptions::new();
        opts.read(true);
        opts.custom_flags(libc::O_RDONLY | libc::O_NOFOLLOW);
        let mut file = opts
            .open(path)
            .with_context(|| format!("read cell spec {}", path.display()))?;
        let mut raw = String::new();
        file.read_to_string(&mut raw)
            .with_context(|| format!("read cell spec {}", path.display()))?;
        Ok(raw)
    }
    #[cfg(not(unix))]
    {
        fs::read_to_string(path).with_context(|| format!("read cell spec {}", path.display()))
    }
}

/// Compute the SHA-256 of raw spec bytes and return the lowercase hex digest.
///
/// This digest is included in `lifecycle.started` so the audit trail can detect
/// spec file tampering between submission and execution.  The hash covers the
/// raw bytes as-read — JSON whitespace and key ordering are not normalized, so
/// the hash changes if anyone edits the file.
pub fn spec_sha256(raw: &str) -> String {
    let digest = Sha256::digest(raw.as_bytes());
    digest.iter().map(|b| format!("{b:02x}")).collect()
}

/// Token substituted for `{tenantId}` when a spec has no `correlation.tenantId`.
///
/// Mirrors the canonical "absent tenant" placeholder used by
/// `cellos-sink-jetstream` so multi-tenant subject namespaces stay structurally
/// uniform whether or not the operator declared a tenant.
pub const TENANT_ID_DEFAULT_TOKEN: &str = "_no_tenant_";

/// Resolve the NATS event subject for this supervisor run.
///
/// Precedence (highest first):
///
/// 1. `CELLOS_EVENTS_SUBJECT_TEMPLATE` (non-empty): substitute `{spec_id}`,
///    `{run_id}`, and `{tenantId}` verbatim.
/// 2. `CELLOS_TENANT_ID` (T12 RBAC, non-empty): produce
///    `cellos.events.<CELLOS_TENANT_ID>.<spec_id>.<run_id>` so multi-tenant
///    deployments get per-tenant subject namespaces without an explicit
///    template. This is the 1.0 RBAC default for operators that pin a single
///    tenant per supervisor process. Preserves backward compat: unset
///    `CELLOS_TENANT_ID` keeps the legacy literal-subject behaviour below.
/// 3. `CELL_OS_EVENTS_SUBJECT` (legacy literal): used verbatim.
/// 4. Default: `cellos.events.v1`.
///
/// `tenant_id` (the spec-side `correlation.tenantId`) is `None` when the spec
/// has no `correlation.tenantId`; in that case the literal token
/// [`TENANT_ID_DEFAULT_TOKEN`] is substituted in the template path, matching
/// the convention used by the JetStream sink. Callers SHOULD have already
/// validated the tenant id with
/// [`cellos_core::validate_tenant_id_for_subject_token`] at admission so no
/// NATS subject-token reserved char (`.`, `*`, `>`, whitespace) reaches the
/// wire. This function does NOT re-validate — substitution is verbatim.
pub fn resolve_event_subject(spec_id: &str, run_id: &str, tenant_id: Option<&str>) -> String {
    let tmpl = std::env::var("CELLOS_EVENTS_SUBJECT_TEMPLATE").unwrap_or_default();
    if !tmpl.trim().is_empty() {
        let tenant = tenant_id.unwrap_or(TENANT_ID_DEFAULT_TOKEN);
        return tmpl
            .replace("{spec_id}", spec_id)
            .replace("{run_id}", run_id)
            .replace("{tenantId}", tenant);
    }
    // T12 multi-tenant default: when CELLOS_TENANT_ID is set on the
    // supervisor process, lift it into the subject so every event for this
    // run lands on a tenant-namespaced subject. The supervisor is single-
    // tenant-per-process under T12 (one CELLOS_TENANT_ID), so we burn the
    // tenant directly into the subject rather than templating per event.
    // Unset/empty preserves byte-identical pre-T12 behaviour.
    if let Ok(env_tenant) = std::env::var("CELLOS_TENANT_ID") {
        let env_tenant = env_tenant.trim();
        if !env_tenant.is_empty() {
            return format!("cellos.events.{env_tenant}.{spec_id}.{run_id}");
        }
    }
    std::env::var("CELL_OS_EVENTS_SUBJECT").unwrap_or_else(|_| "cellos.events.v1".into())
}

#[cfg(test)]
mod tests {
    use super::resolve_event_subject;

    // Guard env-var mutation so resolve_event_subject tests don't race.
    static SUBJECT_MUTEX: std::sync::Mutex<()> = std::sync::Mutex::new(());

    #[test]
    fn resolve_subject_default_when_neither_var_set() {
        let _g = SUBJECT_MUTEX.lock().unwrap();
        std::env::remove_var("CELLOS_EVENTS_SUBJECT_TEMPLATE");
        std::env::remove_var("CELL_OS_EVENTS_SUBJECT");
        assert_eq!(
            resolve_event_subject("my-spec", "run-1", None),
            "cellos.events.v1"
        );
    }

    #[test]
    fn resolve_subject_literal_from_env() {
        let _g = SUBJECT_MUTEX.lock().unwrap();
        std::env::remove_var("CELLOS_EVENTS_SUBJECT_TEMPLATE");
        std::env::set_var("CELL_OS_EVENTS_SUBJECT", "cellos.events.custom");
        let result = resolve_event_subject("my-spec", "run-1", None);
        std::env::remove_var("CELL_OS_EVENTS_SUBJECT");
        assert_eq!(result, "cellos.events.custom");
    }

    #[test]
    fn resolve_subject_template_substitutes_spec_id_and_run_id() {
        let _g = SUBJECT_MUTEX.lock().unwrap();
        std::env::set_var(
            "CELLOS_EVENTS_SUBJECT_TEMPLATE",
            "cellos.{spec_id}.{run_id}.v1",
        );
        let result = resolve_event_subject("demo-cell", "run-42", None);
        std::env::remove_var("CELLOS_EVENTS_SUBJECT_TEMPLATE");
        assert_eq!(result, "cellos.demo-cell.run-42.v1");
    }

    #[test]
    fn resolve_subject_template_takes_priority_over_literal_env() {
        let _g = SUBJECT_MUTEX.lock().unwrap();
        std::env::set_var("CELLOS_EVENTS_SUBJECT_TEMPLATE", "cellos.{spec_id}.v1");
        std::env::set_var("CELL_OS_EVENTS_SUBJECT", "cellos.events.custom");
        let result = resolve_event_subject("cell-abc", "run-1", None);
        std::env::remove_var("CELLOS_EVENTS_SUBJECT_TEMPLATE");
        std::env::remove_var("CELL_OS_EVENTS_SUBJECT");
        assert_eq!(result, "cellos.cell-abc.v1");
    }

    // ── T12: CELLOS_TENANT_ID multi-tenant subject default ──────────────────

    #[test]
    fn resolve_subject_cellos_tenant_id_produces_namespaced_subject() {
        let _g = SUBJECT_MUTEX.lock().unwrap();
        std::env::remove_var("CELLOS_EVENTS_SUBJECT_TEMPLATE");
        std::env::remove_var("CELL_OS_EVENTS_SUBJECT");
        std::env::set_var("CELLOS_TENANT_ID", "tenant-a");
        let result = resolve_event_subject("demo-cell", "run-42", None);
        std::env::remove_var("CELLOS_TENANT_ID");
        assert_eq!(result, "cellos.events.tenant-a.demo-cell.run-42");
    }

    #[test]
    fn resolve_subject_no_cellos_tenant_id_preserves_legacy_default() {
        let _g = SUBJECT_MUTEX.lock().unwrap();
        std::env::remove_var("CELLOS_EVENTS_SUBJECT_TEMPLATE");
        std::env::remove_var("CELL_OS_EVENTS_SUBJECT");
        std::env::remove_var("CELLOS_TENANT_ID");
        let result = resolve_event_subject("demo-cell", "run-42", None);
        assert_eq!(result, "cellos.events.v1");
    }

    #[test]
    fn resolve_subject_template_beats_cellos_tenant_id() {
        let _g = SUBJECT_MUTEX.lock().unwrap();
        std::env::set_var("CELLOS_EVENTS_SUBJECT_TEMPLATE", "cellos.{spec_id}.v1");
        std::env::set_var("CELLOS_TENANT_ID", "tenant-a");
        let result = resolve_event_subject("demo-cell", "run-42", None);
        std::env::remove_var("CELLOS_EVENTS_SUBJECT_TEMPLATE");
        std::env::remove_var("CELLOS_TENANT_ID");
        assert_eq!(result, "cellos.demo-cell.v1");
    }
}