feat(meroctl): add 'tee fleet-join' subcommand + bump to rc.27 (#2167)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: chefsale

Cargo.toml

@@ -9,7 +9,7 @@ description = "Core Calimero infrastructure and tools"
 # Update workspace metadata (see docs/RELEASE.md for versioning and release)
 [workspace.metadata.workspaces]
 # Shared version of all public crates; bump this when cutting a release.
-version = "0.10.1-rc.26"
+version = "0.10.1-rc.27"
 exclude = [
     "./apps/abi_conformance",
     "./apps/blobs",

crates/client/src/client/system.rs

@@ -1,8 +1,8 @@
 //! System-level operations for the Calimero client.
 
 use calimero_server_primitives::admin::{
-    GenerateContextIdentityResponse, GetPeersCountResponse, InviteSpecializedNodeRequest,
-    InviteSpecializedNodeResponse,
+    FleetJoinRequest, FleetJoinResponse, GenerateContextIdentityResponse, GetPeersCountResponse,
+    InviteSpecializedNodeRequest, InviteSpecializedNodeResponse,
 };
 use eyre::Result;
 
@@ -41,4 +41,19 @@ where
             .await?;
         Ok(response)
     }
+
+    /// Announce this node as a TEE fleet member for the given group.
+    ///
+    /// Calls POST /admin-api/tee/fleet-join. The local node generates a TDX
+    /// attestation, broadcasts `TeeAttestationAnnounce` on the namespace
+    /// topic, waits for admission (up to 30s), and auto-joins all contexts
+    /// in the group. Used by the mero-tee fleet sidecar after the manager
+    /// assigns it to a group via /api/fleet/should-join.
+    pub async fn fleet_join(&self, group_id: String) -> Result<FleetJoinResponse> {
+        let response = self
+            .connection
+            .post("admin-api/tee/fleet-join", FleetJoinRequest { group_id })
+            .await?;
+        Ok(response)
+    }
 }

crates/meroctl/src/cli.rs

@@ -26,6 +26,7 @@ mod group;
 mod namespace;
 mod node;
 mod peers;
+mod tee;
 mod upgrade_policy;
 pub mod validation;
 
@@ -38,6 +39,7 @@ use group::GroupCommand;
 use namespace::NamespaceCommand;
 use node::NodeCommand;
 use peers::PeersCommand;
+use tee::TeeCommand;
 
 use crate::auth::{authenticate_with_session_cache, check_authentication};
 
@@ -93,6 +95,7 @@ pub enum SubCommands {
     Namespace(NamespaceCommand),
     Call(CallCommand),
     Peers(PeersCommand),
+    Tee(TeeCommand),
     #[command(subcommand)]
     Node(NodeCommand),
 }
@@ -167,6 +170,7 @@ impl RootCommand {
             SubCommands::Namespace(ns) => ns.run(&mut environment).await,
             SubCommands::Call(call) => call.run(&mut environment).await,
             SubCommands::Peers(peers) => peers.run(&mut environment).await,
+            SubCommands::Tee(tee) => tee.run(&mut environment).await,
             SubCommands::Node(node) => {
                 node.run(&environment, self.args.node.as_deref(), &self.args.home)
                     .await

crates/meroctl/src/cli/tee.rs

@@ -0,0 +1,38 @@
+use clap::{Parser, Subcommand};
+use const_format::concatcp;
+use eyre::Result;
+
+use crate::cli::Environment;
+
+pub mod fleet_join;
+
+pub const EXAMPLES: &str = r"
+  # Announce this node as a TEE fleet member and auto-join all contexts
+  # in the group once admission succeeds.
+  $ meroctl --node node1 tee fleet-join <GROUP_ID>
+";
+
+#[derive(Debug, Parser)]
+#[command(about = "TEE fleet-node commands")]
+#[command(after_help = concatcp!(
+    "Examples:",
+    EXAMPLES
+))]
+pub struct TeeCommand {
+    #[command(subcommand)]
+    pub subcommand: TeeSubCommands,
+}
+
+#[derive(Debug, Subcommand)]
+pub enum TeeSubCommands {
+    #[command(name = "fleet-join", alias = "fleet_join")]
+    FleetJoin(fleet_join::FleetJoinCommand),
+}
+
+impl TeeCommand {
+    pub async fn run(self, environment: &mut Environment) -> Result<()> {
+        match self.subcommand {
+            TeeSubCommands::FleetJoin(cmd) => cmd.run(environment).await,
+        }
+    }
+}

crates/meroctl/src/cli/tee/fleet_join.rs

@@ -0,0 +1,21 @@
+use clap::Parser;
+use eyre::Result;
+
+use crate::cli::Environment;
+
+#[derive(Clone, Debug, Parser)]
+#[command(about = "Announce this node as a TEE fleet member for a group")]
+pub struct FleetJoinCommand {
+    /// Hex-encoded group ID (64 hex chars / 32 bytes).
+    #[clap(name = "GROUP_ID")]
+    pub group_id: String,
+}
+
+impl FleetJoinCommand {
+    pub async fn run(self, environment: &mut Environment) -> Result<()> {
+        let client = environment.client()?;
+        let response = client.fleet_join(self.group_id).await?;
+        environment.output.write(&response);
+        Ok(())
+    }
+}

crates/meroctl/src/output.rs

@@ -5,6 +5,7 @@ pub mod blobs;
 pub mod common;
 pub mod contexts;
 pub mod groups;
+pub mod tee;
 
 // Re-export common types
 pub use blobs::{BlobDownloadResponse, BlobUploadResponse};

crates/meroctl/src/output/tee.rs

@@ -0,0 +1,27 @@
+use calimero_server_primitives::admin::FleetJoinResponse;
+use comfy_table::{Cell, Color, Table};
+
+use super::Report;
+
+impl Report for FleetJoinResponse {
+    fn report(&self) {
+        let mut table = Table::new();
+        let _ = table.set_header(vec![
+            Cell::new("Fleet Join").fg(Color::Green),
+            Cell::new("Value").fg(Color::Blue),
+        ]);
+        let _ = table.add_row(vec!["Status", &self.status]);
+        let _ = table.add_row(vec!["Admitted", &self.admitted.to_string()]);
+        let _ = table.add_row(vec!["Group ID", &self.group_id]);
+        let _ = table.add_row(vec!["Namespace ID", &self.namespace_id]);
+        let _ = table.add_row(vec!["Public Key", &self.public_key]);
+        let _ = table.add_row(vec![
+            "Contexts Joined",
+            &self.contexts_joined.len().to_string(),
+        ]);
+        println!("{table}");
+        for (idx, ctx) in self.contexts_joined.iter().enumerate() {
+            println!("  [{idx}] {ctx}");
+        }
+    }
+}

crates/server/primitives/src/admin/mod.rs

@@ -1153,6 +1153,16 @@ impl Validate for FleetJoinRequest {
     }
 }
 
+#[derive(Clone, Debug, Deserialize, Serialize)]
+pub struct FleetJoinResponse {
+    pub status: String,
+    pub group_id: String,
+    pub namespace_id: String,
+    pub public_key: String,
+    pub admitted: bool,
+    pub contexts_joined: Vec<String>,
+}
+
 #[derive(Debug, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct TeeInfoResponseData {