Fail closed on server nodes without HTTP control roles

Fail closed on server nodes without HTTP control roles

Author: durable-workflow-ops

README.md

@@ -698,6 +698,13 @@ behavior for each role failure domain, the scaling axis for each role, and the
 incremental migration steps from today's standalone shape to the split
 control/execution topology.
 
+Authenticated API routes now also fail closed against that advertised process
+class. Nodes that do not host the server's current HTTP control surface return
+`503` with `reason: "topology_role_unavailable"` on role-gated routes instead
+of pretending to be interchangeable HTTP peers. `GET /api/cluster/info`,
+`/api/health`, and `/api/ready` stay available for discovery and liveness even
+on scheduler-only, execution-only, or matching-only nodes.
+
 The same `GET /api/cluster/info` response now includes a versioned
 `coordination_health` manifest for rollout-safety coordination risk. It
 summarizes the current server-wide workflow v2 health status, warning and error

app/Http/Middleware/RequireTopologyRoles.php

@@ -0,0 +1,84 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use App\Support\ControlPlaneProtocol;
+use App\Support\ServerTopology;
+use App\Support\WorkerProtocol;
+use Closure;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class RequireTopologyRoles
+{
+    public function handle(Request $request, Closure $next, string ...$roles): Response
+    {
+        $requiredRoles = $this->requiredRoles($roles);
+
+        if ($requiredRoles === []) {
+            return self::error($request, 500, 'server_error', 'Route topology requirement is not configured.');
+        }
+
+        $currentNode = ServerTopology::currentNode();
+        $currentRoles = $currentNode['roles'];
+        $missingRoles = array_values(array_diff($requiredRoles, $currentRoles));
+
+        if ($missingRoles === []) {
+            return $next($request);
+        }
+
+        return self::error(
+            $request,
+            503,
+            'topology_role_unavailable',
+            'This node does not host the topology roles required for this endpoint.',
+            [
+                'current_shape' => $currentNode['shape'],
+                'current_process_class' => $currentNode['process_class'],
+                'current_roles' => $currentRoles,
+                'required_roles' => $requiredRoles,
+                'missing_roles' => $missingRoles,
+            ],
+        );
+    }
+
+    /**
+     * @param  array<int, string>  $roles
+     * @return array<int, string>
+     */
+    private function requiredRoles(array $roles): array
+    {
+        $required = [];
+
+        foreach ($roles as $role) {
+            foreach (explode(',', $role) as $part) {
+                $part = trim($part);
+
+                if ($part !== '') {
+                    $required[] = $part;
+                }
+            }
+        }
+
+        return array_values(array_unique($required));
+    }
+
+    /**
+     * @param  array<string, mixed>  $extra
+     */
+    private static function error(Request $request, int $status, string $reason, string $message, array $extra = []): JsonResponse
+    {
+        if (WorkerProtocol::isWorkerPlaneRequest($request)) {
+            return WorkerProtocol::json(array_filter([
+                'reason' => $reason,
+                'message' => $message,
+            ] + $extra, static fn (mixed $value): bool => $value !== null), $status);
+        }
+
+        return ControlPlaneProtocol::jsonForRequest($request, array_filter([
+            'reason' => $reason,
+            'message' => $message,
+        ] + $extra, static fn (mixed $value): bool => $value !== null), $status);
+    }
+}

app/Support/ServerTopology.php

@@ -39,21 +39,19 @@ final class ServerTopology
     public static function info(): array
     {
         $shapeAssignments = self::shapeAssignments();
-        $currentShape = self::currentShape();
-        $currentProcessClass = self::currentProcessClass($currentShape, $shapeAssignments);
-        $currentRoles = self::rolesForProcessClass($currentShape, $currentProcessClass, $shapeAssignments);
+        $currentNode = self::currentNode($shapeAssignments);
 
         return [
             'schema' => self::SCHEMA,
             'version' => self::VERSION,
             'supported_shapes' => self::SUPPORTED_SHAPES,
             'role_vocabulary' => self::ROLE_VOCABULARY,
-            'current_shape' => $currentShape,
-            'current_process_class' => $currentProcessClass,
-            'current_roles' => $currentRoles,
+            'current_shape' => $currentNode['shape'],
+            'current_process_class' => $currentNode['process_class'],
+            'current_roles' => $currentNode['roles'],
             'execution_mode' => self::executionMode(),
             'matching_role' => self::matchingRole(),
-            'role_catalog' => self::roleCatalog($currentRoles),
+            'role_catalog' => self::roleCatalog($currentNode['roles']),
             'shape_assignments' => $shapeAssignments,
             'authority_boundaries' => self::authorityBoundaries(),
             'authority_surfaces' => self::authoritySurfaces(),
@@ -64,6 +62,23 @@ public static function info(): array
         ];
     }
 
+    /**
+     * @param  array<string, array{process_classes: list<array{name: string, roles: list<string>}>}>|null  $shapeAssignments
+     * @return array{shape: string, process_class: string, roles: list<string>}
+     */
+    public static function currentNode(?array $shapeAssignments = null): array
+    {
+        $shapeAssignments ??= self::shapeAssignments();
+        $shape = self::currentShape();
+        $processClass = self::currentProcessClass($shape, $shapeAssignments);
+
+        return [
+            'shape' => $shape,
+            'process_class' => $processClass,
+            'roles' => self::rolesForProcessClass($shape, $processClass, $shapeAssignments),
+        ];
+    }
+
     private static function executionMode(): string
     {
         return config('server.mode') === 'embedded'

routes/api.php

@@ -18,6 +18,7 @@
 use App\Http\Middleware\ControlPlaneVersionResolver;
 use App\Http\Middleware\NamespaceResolver;
 use App\Http\Middleware\RequireRole;
+use App\Http\Middleware\RequireTopologyRoles;
 use App\Http\Middleware\WorkerProtocolVersionResolver;
 use Illuminate\Support\Facades\Route;
 
@@ -46,6 +47,10 @@
 // omitted — it is the version-advertising endpoint and must remain callable
 // without the header.
 //
+// RequireTopologyRoles sits after protocol validation and before
+// NamespaceResolver on hosted routes so wrong-node requests fail closed with a
+// machine-readable topology reason without leaking namespace existence.
+//
 // WorkerProtocolVersionResolver follows the same ordering for worker-plane
 // routes, keeping protocol skew and namespace errors in the worker envelope.
 Route::middleware([Authenticate::class])->group(function () {
@@ -55,27 +60,29 @@
     $authenticated = RequireRole::class.':worker,operator,admin';
     $ns = NamespaceResolver::class;
     $cpv = ControlPlaneVersionResolver::class;
+    $httpControl = RequireTopologyRoles::class.':api_ingress,control_plane';
+    $httpWorker = RequireTopologyRoles::class.':api_ingress,control_plane';
     $wpv = WorkerProtocolVersionResolver::class;
 
     // ── System ───────────────────────────────────────────────────────
     Route::get('/cluster/info', [HealthController::class, 'clusterInfo'])->middleware([$authenticated, $ns]);
 
     // ── Namespaces ───────────────────────────────────────────────────
-    Route::prefix('namespaces')->group(function () use ($admin, $operator, $ns, $cpv) {
-        Route::get('/', [NamespaceController::class, 'index'])->middleware([$operator, $cpv, $ns]);
-        Route::post('/', [NamespaceController::class, 'store'])->middleware([$admin, $cpv, $ns]);
-        Route::get('/{namespace}', [NamespaceController::class, 'show'])->middleware([$operator, $cpv, $ns]);
-        Route::put('/{namespace}', [NamespaceController::class, 'update'])->middleware([$admin, $cpv, $ns]);
-        Route::put('/{namespace}/external-storage', [NamespaceController::class, 'updateExternalStorage'])->middleware([$admin, $cpv, $ns]);
+    Route::prefix('namespaces')->group(function () use ($admin, $operator, $ns, $cpv, $httpControl) {
+        Route::get('/', [NamespaceController::class, 'index'])->middleware([$operator, $cpv, $httpControl, $ns]);
+        Route::post('/', [NamespaceController::class, 'store'])->middleware([$admin, $cpv, $httpControl, $ns]);
+        Route::get('/{namespace}', [NamespaceController::class, 'show'])->middleware([$operator, $cpv, $httpControl, $ns]);
+        Route::put('/{namespace}', [NamespaceController::class, 'update'])->middleware([$admin, $cpv, $httpControl, $ns]);
+        Route::put('/{namespace}/external-storage', [NamespaceController::class, 'updateExternalStorage'])->middleware([$admin, $cpv, $httpControl, $ns]);
     });
 
     // ── External Payload Storage ───────────────────────────────────
-    Route::prefix('storage')->middleware([$admin, $cpv, $ns])->group(function () {
+    Route::prefix('storage')->middleware([$admin, $cpv, $httpControl, $ns])->group(function () {
         Route::post('/test', [StorageController::class, 'test']);
     });
 
     // ── Workflows ────────────────────────────────────────────────────
-    Route::prefix('workflows')->middleware([$operator, $cpv, $ns])->group(function () {
+    Route::prefix('workflows')->middleware([$operator, $cpv, $httpControl, $ns])->group(function () {
         Route::get('/', [WorkflowController::class, 'index']);
         Route::post('/', [WorkflowController::class, 'start']);
         Route::get('/{workflowId}', [WorkflowController::class, 'show']);
@@ -106,12 +113,12 @@
     });
 
     // ── Bridge Adapters ──────────────────────────────────────────────
-    Route::prefix('bridge-adapters')->middleware([$operator, $cpv, $ns])->group(function () {
+    Route::prefix('bridge-adapters')->middleware([$operator, $cpv, $httpControl, $ns])->group(function () {
         Route::post('/webhook/{adapter}', [BridgeAdapterController::class, 'webhook']);
     });
 
     // ── Worker Task Polling ──────────────────────────────────────────
-    Route::prefix('worker')->middleware([$worker, $wpv, $ns])->group(function () {
+    Route::prefix('worker')->middleware([$worker, $wpv, $httpWorker, $ns])->group(function () {
         // Registration
         Route::post('/register', [WorkerController::class, 'register']);
         Route::post('/heartbeat', [WorkerController::class, 'heartbeat']);
@@ -136,14 +143,14 @@
     });
 
     // ── Workers (Management) ──────────────────────────────────────────
-    Route::prefix('workers')->group(function () use ($admin, $operator, $ns, $cpv) {
-        Route::get('/', [WorkerManagementController::class, 'index'])->middleware([$operator, $cpv, $ns]);
-        Route::get('/{workerId}', [WorkerManagementController::class, 'show'])->middleware([$operator, $cpv, $ns]);
-        Route::delete('/{workerId}', [WorkerManagementController::class, 'destroy'])->middleware([$admin, $cpv, $ns]);
+    Route::prefix('workers')->group(function () use ($admin, $operator, $ns, $cpv, $httpControl) {
+        Route::get('/', [WorkerManagementController::class, 'index'])->middleware([$operator, $cpv, $httpControl, $ns]);
+        Route::get('/{workerId}', [WorkerManagementController::class, 'show'])->middleware([$operator, $cpv, $httpControl, $ns]);
+        Route::delete('/{workerId}', [WorkerManagementController::class, 'destroy'])->middleware([$admin, $cpv, $httpControl, $ns]);
     });
 
     // ── Task Queues ──────────────────────────────────────────────────
-    Route::prefix('task-queues')->middleware([$operator, $cpv, $ns])->group(function () {
+    Route::prefix('task-queues')->middleware([$operator, $cpv, $httpControl, $ns])->group(function () {
         Route::get('/', [TaskQueueController::class, 'index']);
         Route::get('/{taskQueue}/build-ids', [TaskQueueController::class, 'buildIds']);
         Route::post('/{taskQueue}/build-ids/drain', [TaskQueueController::class, 'drainBuildId']);
@@ -152,7 +159,7 @@
     });
 
     // ── Schedules ────────────────────────────────────────────────────
-    Route::prefix('schedules')->middleware([$operator, $cpv, $ns])->group(function () {
+    Route::prefix('schedules')->middleware([$operator, $cpv, $httpControl, $ns])->group(function () {
         Route::get('/', [ScheduleController::class, 'index']);
         Route::post('/', [ScheduleController::class, 'store']);
         Route::get('/{scheduleId}', [ScheduleController::class, 'show']);
@@ -166,14 +173,14 @@
     });
 
     // ── Search Attributes ────────────────────────────────────────────
-    Route::prefix('search-attributes')->middleware([$operator, $cpv, $ns])->group(function () {
+    Route::prefix('search-attributes')->middleware([$operator, $cpv, $httpControl, $ns])->group(function () {
         Route::get('/', [SearchAttributeController::class, 'index']);
         Route::post('/', [SearchAttributeController::class, 'store']);
         Route::delete('/{name}', [SearchAttributeController::class, 'destroy']);
     });
 
     // ── Service Catalog ──────────────────────────────────────────────
-    Route::prefix('service-endpoints')->middleware([$admin, $cpv, $ns])->group(function () {
+    Route::prefix('service-endpoints')->middleware([$admin, $cpv, $httpControl, $ns])->group(function () {
         Route::get('/', [ServiceCatalogController::class, 'endpointIndex']);
         Route::post('/', [ServiceCatalogController::class, 'endpointStore']);
         Route::get('/{endpointName}', [ServiceCatalogController::class, 'endpointShow']);
@@ -194,7 +201,7 @@
     });
 
     // ── System / Operations ─────────────────────────────────────────
-    Route::prefix('system')->middleware([$admin, $cpv, $ns])->group(function () {
+    Route::prefix('system')->middleware([$admin, $cpv, $httpControl, $ns])->group(function () {
         Route::get('/health', [SystemController::class, 'health']);
         Route::match(['get', 'post'], '/metrics', [SystemController::class, 'metrics']);
         Route::get('/operator-metrics', [SystemController::class, 'operatorMetrics']);