|
| 1 | +// Hello-world Pilot app. |
| 2 | +// |
| 3 | +// Demonstrates the smallest possible app that the daemon's supervisor |
| 4 | +// can spawn and route IPC calls into. Sideload-safe by design: it |
| 5 | +// declares only audit.log + fs.read/fs.write under $APP, so a user |
| 6 | +// can install it via `pilotctl appstore install ./examples/hello-world --local` |
| 7 | +// without tripping any sideload-policy refusal. |
| 8 | +// |
| 9 | +// Read alongside ../manifest.json — the manifest is the only thing that |
| 10 | +// authorises this binary to do anything privileged. Every flag below is |
| 11 | +// part of the standard lifecycle contract the supervisor passes to every |
| 12 | +// app at spawn time: |
| 13 | +// |
| 14 | +// --addr, --db, --socket, --identity, --manifest, --cap-state |
| 15 | +// |
| 16 | +// An app may add its own flags on top, but these six are guaranteed by |
| 17 | +// the supervisor and should not error if unrecognised by future tooling. |
| 18 | +package main |
| 19 | + |
| 20 | +import ( |
| 21 | + "context" |
| 22 | + "encoding/json" |
| 23 | + "flag" |
| 24 | + "fmt" |
| 25 | + "log" |
| 26 | + "net" |
| 27 | + "os" |
| 28 | + "os/signal" |
| 29 | + "syscall" |
| 30 | + |
| 31 | + "github.com/pilot-protocol/app-store/pkg/ipc" |
| 32 | +) |
| 33 | + |
| 34 | +const ( |
| 35 | + // methodEcho is the only IPC entrypoint this app exposes. The |
| 36 | + // manifest's "exposes" array must mirror this — see manifest.json. |
| 37 | + methodEcho = "hello.echo" |
| 38 | + |
| 39 | + // envSideloaded is the supervisor's hint that the app was installed |
| 40 | + // via `--local` rather than from the signed catalogue. Cap-aware |
| 41 | + // apps can use this to refuse high-privilege operations even when |
| 42 | + // their own manifest authorises them — defence in depth on top of |
| 43 | + // the supervisor's manifest gate. |
| 44 | + envSideloaded = "PILOT_SIDELOAD" |
| 45 | +) |
| 46 | + |
| 47 | +type echoReq struct { |
| 48 | + Message string `json:"message"` |
| 49 | +} |
| 50 | + |
| 51 | +type echoResp struct { |
| 52 | + Echo string `json:"echo"` |
| 53 | + Sideloaded bool `json:"sideloaded"` |
| 54 | +} |
| 55 | + |
| 56 | +func main() { |
| 57 | + fs := flag.NewFlagSet("hello", flag.ExitOnError) |
| 58 | + var ( |
| 59 | + // Pilot address the daemon assigned this app — opaque to the app |
| 60 | + // itself in the hello-world case, but real apps use it for |
| 61 | + // identity in peer-facing messages. |
| 62 | + _ = fs.String("addr", "", "pilot address (e.g. 0:0001.HHHH.LLLL)") |
| 63 | + _ = fs.String("db", "", "sqlite path (unused by hello-world; declared for lifecycle parity)") |
| 64 | + sockPath = fs.String("socket", "", "unix socket to listen on; supervisor sets this") |
| 65 | + _ = fs.String("identity", "", "ed25519 identity file (unused by hello-world)") |
| 66 | + _ = fs.String("manifest", "", "path to manifest.json (unused by hello-world)") |
| 67 | + _ = fs.String("cap-state", "", "spend-cap state log (unused by hello-world)") |
| 68 | + ) |
| 69 | + if err := fs.Parse(os.Args[1:]); err != nil { |
| 70 | + log.Fatalf("flag parse: %v", err) |
| 71 | + } |
| 72 | + if *sockPath == "" { |
| 73 | + log.Fatalf("supervisor did not pass --socket; refusing to start") |
| 74 | + } |
| 75 | + |
| 76 | + sideloaded := os.Getenv(envSideloaded) == "1" |
| 77 | + logger := log.New(os.Stderr, "hello-world: ", log.LstdFlags|log.Lmicroseconds) |
| 78 | + logger.Printf("starting (sideloaded=%v) listening on %s", sideloaded, *sockPath) |
| 79 | + |
| 80 | + // Unix-domain socket sat exactly where the supervisor told us to |
| 81 | + // put it. The supervisor watches for this file's appearance to mark |
| 82 | + // the app "ready"; if we listen anywhere else, the supervisor will |
| 83 | + // time out and the app stays "stopped" from its perspective. |
| 84 | + if err := os.Remove(*sockPath); err != nil && !os.IsNotExist(err) { |
| 85 | + logger.Fatalf("remove stale socket: %v", err) |
| 86 | + } |
| 87 | + ln, err := net.Listen("unix", *sockPath) |
| 88 | + if err != nil { |
| 89 | + logger.Fatalf("listen: %v", err) |
| 90 | + } |
| 91 | + defer ln.Close() |
| 92 | + |
| 93 | + d := ipc.NewDispatcher() |
| 94 | + d.Register(methodEcho, echoHandler(sideloaded)) |
| 95 | + |
| 96 | + ctx, cancel := context.WithCancel(context.Background()) |
| 97 | + defer cancel() |
| 98 | + // Clean shutdown on SIGTERM: the supervisor sends SIGTERM to the |
| 99 | + // whole process group when uninstalling, restarting, or stopping |
| 100 | + // the daemon. Ignoring it would let the supervisor wait the full |
| 101 | + // grace period before SIGKILLing — slower restarts. |
| 102 | + sigCh := make(chan os.Signal, 1) |
| 103 | + signal.Notify(sigCh, syscall.SIGTERM, syscall.SIGINT) |
| 104 | + go func() { |
| 105 | + <-sigCh |
| 106 | + logger.Printf("shutdown signal received") |
| 107 | + cancel() |
| 108 | + _ = ln.Close() |
| 109 | + }() |
| 110 | + |
| 111 | + for { |
| 112 | + conn, err := ln.Accept() |
| 113 | + if err != nil { |
| 114 | + if ctx.Err() != nil { |
| 115 | + return |
| 116 | + } |
| 117 | + logger.Printf("accept: %v", err) |
| 118 | + continue |
| 119 | + } |
| 120 | + // One Serve loop per connection, on its own goroutine. The |
| 121 | + // daemon may open multiple connections in parallel — this is |
| 122 | + // the standard concurrency model for every app. |
| 123 | + go func(c net.Conn) { |
| 124 | + defer c.Close() |
| 125 | + if err := ipc.Serve(ctx, c, d); err != nil { |
| 126 | + logger.Printf("serve: %v", err) |
| 127 | + } |
| 128 | + }(conn) |
| 129 | + } |
| 130 | +} |
| 131 | + |
| 132 | +// echoHandler is the entire business logic of this app: take a |
| 133 | +// message, return it back. The sideloaded flag is surfaced in the |
| 134 | +// reply so callers can confirm at runtime which trust regime the |
| 135 | +// supervisor put the app in. |
| 136 | +func echoHandler(sideloaded bool) ipc.Handler { |
| 137 | + return func(_ context.Context, req *ipc.Envelope) (json.RawMessage, error) { |
| 138 | + var args echoReq |
| 139 | + if len(req.Payload) > 0 { |
| 140 | + if err := json.Unmarshal(req.Payload, &args); err != nil { |
| 141 | + return nil, fmt.Errorf("decode echo args: %w", err) |
| 142 | + } |
| 143 | + } |
| 144 | + resp := echoResp{Echo: args.Message, Sideloaded: sideloaded} |
| 145 | + body, err := json.Marshal(resp) |
| 146 | + if err != nil { |
| 147 | + return nil, fmt.Errorf("marshal echo resp: %w", err) |
| 148 | + } |
| 149 | + return body, nil |
| 150 | + } |
| 151 | +} |
0 commit comments