Lightscale TODO

This list captures every feature discussed in the design conversation and tracks the current implementation status. Items marked as done are implemented in a minimal form; the rest are pending or stubbed.

Control plane

  • Network creation + enrollment tokens
  • Deterministic overlay prefixes (IPv4/IPv6)
  • Netmap with node/peer metadata
  • Relay config surfaced in netmap (STUN/TURN/stream relay/UDP relay lists)
  • Device naming + DNS name metadata in netmap
  • Admin approval flow for new devices
  • Auth URL onboarding flow (approval link)
  • Token revocation endpoint
  • ACL / policy rules per network
  • Key rotation policy and revocation
  • Key transparency / audit log
  • TLS pinning / server identity bootstrapping
  • Control plane HA with shared DB (multi-server, no single point of failure)
  • Client failover across multiple control URLs

Data plane

  • WireGuard interface bring-up (Linux)
  • Userspace WireGuard fallback (boringtun embedded)
  • Peer config from netmap (AllowedIPs per peer)
  • Basic route application (wg-up --apply-routes)
  • Basic exit-node acceptance flag (first advertised default route)
  • Dynamic peer updates (long-polling or streaming)
  • Subnet routing conflict detection and metrics
  • Exit node selection and routing policy (multi-exit, per-app, metrics)
  • Exit node selection by peer ID/name (single)
  • DNS push / resolver integration
  • L2 segment support (optional, non-default)
  • Subnet router SNAT mode + return-route guidance

NAT traversal and relay

  • STUN client to discover public endpoints (best effort)
  • Server-observed endpoint merge (heartbeat listen port)
  • Peer probe to trigger NAT traversal (best effort)
  • Dynamic endpoint rotation on stale handshakes
  • UDP relay (best effort, not TURN/stream relay)
  • Stream relay (TCP, DERP-like)
  • Stream relay signaling for peer probes
  • TURN client (UDP)
  • Stream relay integration into dataplane (fallback tunnels)
  • IPv6-only server strategy (use IPv6 listen + IPv6 control URLs)

Multi-network (one client, multiple networks)

  • Profile-scoped client state
  • Concurrent multi-network routing isolation
  • Default no-forwarding between networks (prevent accidental routing)
  • Route conflict detection for overlapping subnets
  • Route translation / prefix mapping for overlaps
  • Per-network DNS suffix + split DNS
  • Exit node selection when multiple networks advertise default routes

Onboarding and UX

  • CLI init/register/heartbeat/netmap/status
  • CLI wg-up/wg-down for local testing
  • CLI dns export and relay inspection
  • CLI to approve devices
  • CLI to manage ACLs
  • Local UI / agent mode for background operation

Testing

  • NixOS VM lab (2-node fast)
  • NixOS VM lab (5-node)
  • NAT and firewall scenario tests
  • Relay fallback tests
  • Multi-network overlap tests
  • CLI smoke assertions for status/netmap/relay outputs in lab tests
  • Negative-path enrollment tests (invalid/expired/revoked tokens, approval-required flow)
  • Key rotation + revoke flow validation (netmap status + peer removal)
  • DNS export + resolver integration tests (hosts/json, split DNS)
  • IPv6 dataplane connectivity tests (overlay + subnet routes)
  • Userspace endpoint refresh/relay fallback regression test coverage
  • Scale lab test (8-10 nodes) to validate full-mesh and relay fallback
  • Agent restart + state recovery tests (graceful restart, endpoint re-discovery)
  • Control plane restart/outage resilience (data plane stays up, netmap recovers)
  • Multi-relay server failover (stream relay list, first down)