Conversation
Co-authored-by: igorls <4753812+igorls@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
There was a problem hiding this comment.
Pull request overview
Adds missing CLI reference documentation for meshguard connect, aligning the user-facing docs with the existing cmdConnect implementation in src/main.zig and recording the documentation drift in the Jules scribe journal.
Changes:
- Documented
meshguard connectusage, flags, and token-exchange flow in the CLI reference. - Added a scribe journal entry capturing the documentation gap and a proposed prevention strategy.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| docs/reference/cli.md | Adds a new meshguard connect section with usage, flags, and flow description |
| .jules/scribe.md | Records the documentation gap and a prevention idea to reduce CLI doc drift |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| | Flag | Description | | ||
| | -------------- | ---------------------------------------------- | | ||
| | `--generate` | Generate an initial token to share with a peer | | ||
| | `--join` | Accept a token and generate a response token | | ||
| | `--in <mins>` | Delay until punch time (default: 1 minute) | |
There was a problem hiding this comment.
The --in flag is only used for the --generate flow (the joiner uses the punch time embedded in the initiator token). The table currently reads like --in applies generically; please clarify it’s --generate-only and consider using the same placeholder (<minutes> vs <mins>) consistently between the usage block and the flag table.
| | Flag | Description | | |
| | -------------- | ---------------------------------------------- | | |
| | `--generate` | Generate an initial token to share with a peer | | |
| | `--join` | Accept a token and generate a response token | | |
| | `--in <mins>` | Delay until punch time (default: 1 minute) | | |
| | Flag | Description | | |
| | ----------------- | --------------------------------------------------------------------------- | | |
| | `--generate` | Generate an initial token to share with a peer | | |
| | `--join` | Accept a token and generate a response token | | |
| | `--in <minutes>` | Initiator-only: delay punch time when using `--generate` (default: 1 minute) | |
| Direct peer connection via token exchange (no seed node needed). Performs a coordinated UDP hole punch. | ||
|
|
There was a problem hiding this comment.
meshguard connect binds the gossip UDP port (51821) and will fail if the daemon is already running (it only attempts to stop the systemd service). The docs should mention that the port must be free / meshguard should be stopped (or run as a service) before running connect, to avoid confusing bind errors.
| 2. Peer runs `--join <token>` and shares the generated response token back. | ||
| 3. Initiator pastes the response token. | ||
| 4. Both sides punch simultaneously (NTP-synced). | ||
|
|
There was a problem hiding this comment.
The connect flow mutates local trust/config on success (it auto-adds the peer to authorized_keys and saves the punched endpoint as a seed). This is security-relevant behavior and should be documented explicitly so users understand it’s not a purely ephemeral connection attempt.
| **Security note**: On successful connection, `meshguard connect` **persists trust state**: | |
| - The remote peer is added to your local trust/`authorized_keys` (or equivalent) store. | |
| - The discovered endpoint is saved as a seed for future connections. | |
| This is **not** a purely ephemeral connectivity test. Only run `connect` with peers you intend to trust, and clean up the corresponding entries if you want to revoke that trust later. |
|
Closing: superseded by docs audit fixes and direct commits to main. See PR #67 (merged) for codec bounds check, and direct commit for timing-safe fix in noise.zig. |
Understood. Acknowledging that this work is now obsolete and stopping work on this task. |
💡 What:
meshguard connectcommand was missing from the CLI reference documentation.🔍 Source:
src/main.zigimplementscmdConnect.📝 Fix: Added
meshguard connectsection todocs/reference/cli.mddetailing the usage, flags (--generate,--join,--in), and flow for direct peer connections via token exchange. Also added a journal entry to.jules/scribe.mdabout the documentation gap, its cause (manual CLI parsing), and prevention (comparing source commands against doc commands).PR created automatically by Jules for task 7772496150827158754 started by @igorls