diff --git a/AI.md b/AI.md index 4d041c3..5f763f6 100644 --- a/AI.md +++ b/AI.md @@ -696,10 +696,19 @@ Latest endpoint audit checkpoint from patch 0231: not grow a second management database or return fake success for detailed information that is not modeled. -Latest redesign checkpoint from patch 0231: +Latest redesign checkpoint from patch 0232: -- `REDESIGN.md` now records that NetWare-4.x `0x2222/123` server information - and statistics belongs to `servermgmt`, alongside TimeSync and guarded RPC. - Keep it in-process unless a concrete backend requires otherwise. +- `REDESIGN.md` now records `nwservermgmt` as a possible future process for the + `servermgmt` provider once multiple NetWare-4.x management families become + real: `123/xx` server information/statistics, `114/xx` TimeSync adapter, + selected `23/200+` console/server-management calls, and guarded `131/xx` RPC + server-control requests. +- This does not make `nwserv` a data-plane router. `nwserv` remains supervisor, + provider registry, and control plane. If `nwservermgmt` exists later, `nwconn` + sends normalized handoff requests directly to it; `nwservermgmt` may query + `nwserv` only for control-plane state such as provider status/capabilities. +- Small static/status calls may stay in-process until a dedicated process is + justified. RPC/server-control calls must not fake success and require a real + privilege model before activation. -Next patch number should be `0232`. +Next patch number should be `0233`. diff --git a/REDESIGN.md b/REDESIGN.md index 2845c69..f2e7d6c 100644 --- a/REDESIGN.md +++ b/REDESIGN.md @@ -918,21 +918,54 @@ negotiation, and connection-state cleanup are fundamentally tied to the session that received the packet. Moving them into another process would make cleanup ordering and error handling harder. -#### Simple server-management calls +#### Server-management provider and possible `nwservermgmt` process -Simple management and information calls should not become their own process. -Examples include login-status queries, server description strings, server time, -NetWare-4.x TimeSync compatibility stubs, console-privilege checks, and small -broadcast/control helpers. The NetWare-4.x `0x2222/123` server-information and -statistics family also belongs here: it should adapt existing mars-nwe, host, -transport, filesystem, and queue state into NetWare-compatible information -replies rather than grow a second management database. NetWare-4.x RPC -server-control calls such as load/unload NLM, mount/dismount volume, SET command -changes, and NCF execution also belong to this provider boundary, but they are -not simple information calls and must remain disabled until there is a real -privilege model and backend behavior. These can be represented as a -`servermgmt` provider for dispatch clarity, but they should stay in-process -unless a specific call requires an existing backend service. +Server-management and information calls should first become a clear logical +provider, not an immediate payload route through `nwserv`. The `servermgmt` +provider covers login-status queries, server description strings, server time, +NetWare-4.x TimeSync compatibility stubs, console-privilege checks, small +broadcast/control helpers, the NetWare-4.x `0x2222/123` server-information and +statistics family, and guarded NetWare-4.x RPC/server-control calls. + +Small calls may remain in-process while they only adapt local state. For +example, `0x2222/123` should adapt existing mars-nwe, host, transport, +filesystem, and queue state into NetWare-compatible information replies rather +than grow a second management database. TimeSync should remain a host-time +adapter. Console/status queries should not require a new daemon merely to +return static or already-known information. + +However, once multiple NetWare-4.x management families are implemented, a +dedicated `nwservermgmt` process becomes a reasonable future process boundary. +That process would own the server-management provider data plane for `123/xx`, +`114/xx`, selected `23/200+` console/server-management calls, and guarded +`131/xx` RPC/server-control requests. It may query `nwserv` for supervised +process status, provider capabilities, restart state, or registered endpoints, +but it must not replace `nwserv` as supervisor. + +The intended split is: + +```text +nwserv + control plane / supervisor / provider registry + starts, monitors, restarts, and publishes provider endpoints + does not broker decoded NCP management payloads + +nwservermgmt + optional future server-management provider process + handles server-info, TimeSync adapter, console/status, and guarded RPC surfaces + asks nwserv only for control-plane state when needed + +nwconn + sends normalized handoff requests directly to nwservermgmt if it exists + remains final owner of the client NCP reply envelope +``` + +NetWare-4.x RPC server-control calls such as load/unload NLM, mount/dismount +volume, SET command changes, and NCF execution must remain disabled until there +is a real privilege model and backend behavior. A future `nwservermgmt` process +may be the right owner for those checks, but it must still use normalized +handoff replies and must not fake success for operations that change server +state. ##### TimeSync should adapt host time discipline, not implement NTP @@ -985,8 +1018,9 @@ Only some providers should ever become processes: ```text already process-like: bindery / nwbind likely future process: queue / possible nwqueue, including queue printing/direct-spool bridge +reasonable future process: servermgmt / possible nwservermgmt once 123/114/131/23-management are real maybe, high risk: filesystem -usually in-process: semaphore, message, servermgmt, accounting, AFP helpers +usually in-process: semaphore, message, accounting, AFP helpers ``` The practical design rule is: