feat(fleetnode): route miner commands to fleet-node-paired devices

[ankitgoswami]

Summary

Builds the actual capability: operator commands now reach miners paired via fleet nodes. Stacked on #389 (the ControlStream foundation) — review/merge that first.

A command issued through the existing RPCs/UI against a fleet-node-paired device now routes down that node's ControlStream, the node reconstructs the LAN miner and executes the action, and the result comes back as a ControlAck. The entire command service / queue / status / permissions / curtailment pipeline is unchanged — this is RFC 0001's remote-node Miner adapter slotted in at miner resolution.

What changed

• proto: pairing.v1.MinerCommand — a oneof over reboot / start / stop / blink-LED / curtail / uncurtail / set-cooling-mode / set-power-target, plus a MinerConnectionDescriptor (the cloud supplies connection coords; the node has no device DB) and an opaque credential field. Wired as AgentCommand.miner_command. Added ACK_CODE_UNAUTHENTICATED / ACK_CODE_UNIMPLEMENTED.
• server adapter (internal/domain/miner/remotenode): an interfaces.Miner whose methods marshal a MinerCommand, call registry.SendCommand, and map the ControlAck to the method's error contract (auth → evict + Unauthenticated; unsupported → Unimplemented; offline → FailedPrecondition).
• resolution (internal/domain/miner): new GetActiveFleetNodeForDevice query; GetMinerFromDeviceIdentifier checks fleet-node ownership first and returns the adapter, else falls through to the direct PluginMiner. Wired in fleetd via WithCommandSender.
• node (cmd/fleetnode): handleMinerCommand builds a control device from the descriptor via the plugin driver and runs the action, behind a credential-provider seam.

Scope / boundary

• Works end-to-end now: the no-secret virtual driver (the just dev fake miners).
• Routes correctly, lights up with pairing: authed drivers (proto, antminer) need the node's per-org key to decrypt credentials — that provisioning is the separate pairing effort. Until then those commands reach the miner and fail auth gracefully (UNAUTHENTICATED).
• Deferred (Phase 3): firmware update, log download, password change, unpair (need out-of-band transfer / pairing semantics); read/telemetry methods. The adapter returns Unimplemented for these.

Test plan

• go test -race ./cmd/fleetnode/... ./internal/domain/miner/... — green. Adapter: action encoding for all 8 commands + ack→error mapping + offline + unsupported. Node executor (gomock driver/device): execute+ack, enum conversion, error classification, unknown-driver. Resolution (real DB): a fleet-node-paired device resolves to the remote-node miner and a command reaches the sender.
• Full server build, golangci-lint, pre-push tsc — clean.

Manual end-to-end (virtual driver)

just dev; enroll/confirm a fleet node; discover a virtual device on it; seed device + device_pairing=PAIRED + fleet_node_device (until the pairing flow lands); issue Reboot/Curtail/StartMining and confirm it routes over the ControlStream (node logs control command received, kind=miner_command), executes against the fake miner, and the batch reports SUCCESS. Verify an offline node fails fast and a command during a discovery on the same node still succeeds.

🤖 Generated with Claude Code

[github-actions]

🔐 Codex Security Review

Note: This is an automated security-focused code review generated by Codex.
It should be used as a supplementary check alongside human review.
False positives are possible - use your judgment.

Scope summary

• Reviewed pull request diff only (f1ad3dc175e508e9f088fa83780c123127817de4...432a7274be17add48812f5b4cf4b86a30c44cc58, exact PR three-dot diff)
• Model: gpt-5.5

💡 Click "edited" above to see previous reviews for this PR.

---

Review Summary

Overall Risk: HIGH

Findings

[HIGH] Fleet-node commands route authenticated miners without credentials

• Category: Auth
• Location: server/internal/domain/miner/service.go:193
• Description: tryFleetNodeMiner now routes any device paired to a confirmed fleet node through the remote-node adapter, but the descriptor is built without Credential and the node-side default nodeSecretProvider always returns an empty sdk.SecretBundle. The comment in nodeSecretProvider explicitly says authenticated drivers will fail until pairing lands, but there is no gate preventing Antminer/Proto or other credentialed drivers from entering this path.
• Impact: Real fleet-node-paired miners that require basic auth or bearer auth will fail every command with UNAUTHENTICATED, causing retries and eventual command failure. This makes the new remote command path work only for no-secret drivers while appearing enabled for all paired devices.
• Recommendation: Either implement credential delivery/decryption before enabling this path for authenticated drivers, or gate tryFleetNodeMiner to only no-secret-capable drivers and fail unsupported devices before enqueueing remote commands.

[HIGH] Concurrent commands can overwrite and close each other’s plugin handles

• Category: Concurrency
• Location: server/cmd/fleetnode/minercommand.go:72
• Description: Each remote miner command calls driver.NewDevice with the same device_identifier and defers dev.Close, while the control loop allows up to 16 commands to run concurrently. The SDK gRPC plugin server stores device handles by device_id, so two concurrent commands for the same miner can replace the same map entry and then close a handle another command is still using.
• Impact: Concurrent commands to one miner can race, fail nondeterministically, execute against a freshly replaced handle, or close the active handle mid-command.
• Recommendation: Serialize command execution per target device on the fleet node, or introduce a command-scoped/plugin-scoped handle model that does not reuse the logical miner identifier as the transient SDK handle key.

[MEDIUM] Transient offline/busy states are converted into permanent queue failures

• Category: Reliability
• Location: server/internal/domain/miner/remotenode/miner.go:166
• Description: ErrNoActiveStream is mapped to FailedPrecondition, and ACK_CODE_BUSY is also mapped to FailedPrecondition at line 198. The command execution service treats FailedPrecondition as permanently failed, so a fleet node reconnect or temporary command-pool saturation will not be retried.
• Impact: Commands can fail permanently during normal transient conditions such as node reconnects, stream churn, or temporary agent worker exhaustion.
• Recommendation: Map offline/busy outcomes to a retryable error class for queued command execution, or add an explicit temporary fleet-node error type that keeps the queue retry behavior while preserving permanent failures for BAD_REQUEST and UNIMPLEMENTED.

Notes

No hardcoded wallet, pool, stratum, or worker-credential rewrite logic appeared in the scoped diff. The protobuf/sqlc generated outputs appear consistent with the source proto/query changes.

---

_{Generated by Codex Security Review |
Triggered by: @ankitgoswami |
Review workflow run}