Layer 2 — application architecture · 1,820 documents
| ID | Document | Source |
|---|---|---|
| app_invariants__80d27e1a8d45259d | INVARIANT: Incoming channel data is strictly flow-controlled, preventing local buffer overflows. SHADOW: The `channel.handleData` method validates incoming `length` against `maxIncomingPayload` to… | — |
| app_invariants__5eb76d0a99ffc0ae | INVARIANT: Critical key exchange parameters are validated against protocol bounds to prevent cryptographic weaknesses. SHADOW: Diffie-Hellman and ECDH key exchange implementations… | — |
| app_invariants__32fa276d6ae1080c | INVARIANT: Software binaries are replaced atomically only after successful download and integrity verification. SHADOW: The `unpackLinuxTarball` and `distsign.Client.Download` methods ensure that… | — |
| app_invariants__34fa06dd0a690916 | INVARIANT: ACME client operations consistently retrieve and cache CA directory information. SHADOW: The `Client.Discover` method ensures that the ACME directory endpoint is queried only once per… | — |
| app_invariants__cb0778bcf836282a | INVARIANT: ACME client retries are managed with an exponential backoff strategy and nonce invalidation. SHADOW: The `Client.post` and `Client.get` methods, combined with `retryTimer` and… | — |
| app_invariants__d37b3a4af42cdb89 | INVARIANT: Environment variable values are consistently managed across system calls and internal state. SHADOW: The `envknob.Setenv` function updates both the operating system's environment… | — |
| app_invariants__86bdfa2c01f04219 | INVARIANT: Distributed file integrity relies on a verifiable chain of trust from embedded root keys to signing keys to file signatures. SHADOW: The `distsign.Client.signingKeys` method fetches… | — |
| app_invariants__6701fc2f035a013d | INVARIANT: Kubernetes client device state keys are actively maintained for operator readiness signaling. SHADOW: The `state.KeepKeysUpdated` function continuously monitors `ipn.NotifyInitialNetMap`… | — |
| app_invariants__531d649287032494 | INVARIANT: Monotonic time measurements are guaranteed to be non-decreasing for consistent duration tracking. SHADOW: The `mono.Time` type and its associated arithmetic methods (`Add`, `Sub`,… | — |
| app_invariants__bfea44e5bf13f277 | INVARIANT: Token bucket rate limiting strictly controls event frequency and burst capacity. SHADOW: The `rate.Limiter.allow` method, protected by a `sync.Mutex`, implements a token bucket algorithm.… | — |
| app_invariants__ce494f8436430a74 | INVARIANT: SSH agent connections are robustly managed with bidirectional I/O and graceful resource cleanup. SHADOW: The `ForwardAgentConnections` function uses a `sync.WaitGroup` to ensure that both… | — |
| app_invariants__0658287b622daeb0 | INVARIANT: TLS certificate issuance and renewal for HA ingress services are managed continuously with resilience against failures. SHADOW: The `CertManager.runCertLoop` method ensures that TLS… | — |
| app_invariants__6bd7485c892132d7 | INVARIANT: Advertised Tailscale Services are gracefully unadvertised during client shutdown to ensure service continuity. SHADOW: The `services.EnsureServicesNotAdvertised` function explicitly… | — |
| app_invariants__95806d873572f817 | INVARIANT: All critical operations must complete within a pre-defined maximum duration. SHADOW: The system enforces a hard deadline on critical operations. If an operation exceeds this duration, it… | — |
| app_invariants__cd9b7de0618831e1 | INVARIANT: Concurrent access to the in-flight operation tracking map and its associated counter must be fully serialized. SHADOW: Multiple concurrent goroutines could attempt to register or… | — |
| app_invariants__200fea02190576df | INVARIANT: All WireGuard device configuration and OS networking stack updates initiated by `Reconfig` must be serialized and applied as a single atomic transaction. SHADOW: The `Reconfig` method… | — |
| app_invariants__d9169d466ceaafc7 | INVARIANT: WireGuard peers inactive beyond a defined threshold must be dynamically removed from the active configuration to conserve memory and re-added upon activity. SHADOW: To prevent excessive… | — |
| app_invariants__6a1d0a19d67868aa | INVARIANT: The registration, deregistration, and lookup of asynchronous ping response callbacks must be mutex-protected. SHADOW: Ping responses arrive asynchronously and multiple pings can be… | — |
| app_invariants__d580b2eca96b605f | INVARIANT: Peer `DiscoKey` values must be consistently synchronized and communicated via `TSMPDiscoKeyAdvertisement` for direct UDP path establishment and WireGuard session key management. SHADOW:… | — |
| app_invariants__2fff712de2743da1 | INVARIANT: A global lock acquisition hierarchy (`magicsock.Conn.mu` > `wgLock` > `mu`) is stated, but is not consistently enforced between `userspaceEngine.Reconfig` (acquires `wgLock` then `mu`) and… | — |
| app_invariants__4200e69750d7534c | INVARIANT: The number of concurrently in-flight TCP connection attempts within `netstack` must be strictly limited, both globally and on a per-client basis, to prevent resource exhaustion. SHADOW:… | — |
| app_invariants__cdfcdb9b22f2e729 | INVARIANT: Dynamic registration and deregistration of subnet IP addresses on the `gVisor` network stack must be reference-counted and serialized per IP address. SHADOW: Subnet IP addresses are… | — |
| app_invariants__bce55688405097cb | INVARIANT: Core functional IP sets (e.g., local, VIP service IPs) and their backing data structures within `netstack` must be updated and accessed atomically. SHADOW: These IP sets are used for… | — |
| app_invariants__6b014b1f6f849f25 | INVARIANT: The system ensures that operations can be repeated without unintended side effects, often by checking for existing states or using unique identifiers for operations. SHADOW: This is… | — |
| app_invariants__f1aea6225f358504 | INVARIANT: The system's execution state is durably stored and can be restored, allowing for persistence across restarts and graceful recovery. SHADOW: This is essential for maintaining the network's… | — |
| app_invariants__f209600e0930ce70 | INVARIANT: Operations are performed as a single, indivisible unit; either all parts of the operation succeed, or none of them do. SHADOW: This guarantees data integrity. In complex operations… | — |
| app_invariants__30359a8bf4546ff5 | INVARIANT: The system establishes agreement among distributed nodes on the state of the network, often through leader election or quorum-based protocols. SHADOW: This is fundamental for distributed… | — |
| app_invariants__a5094f7ec605e537 | INVARIANT: The system gracefully handles periods of high load or resource contention by slowing down or rejecting requests, preventing overload and maintaining stability. SHADOW: This is vital for… | — |
| app_invariants__6bb5dbff605a3148 | INVARIANT: File writes must be staged in a temporary file and atomically renamed to the target destination to prevent partial reads or corruption during crashes. SHADOW: Ensures that configuration… | — |
| app_invariants__e49aa127e3e04343 | INVARIANT: Log buffers must implement bounded queues and drop incoming entries when capacity is exceeded, recording the drop count to maintain memory safety. SHADOW: Prevents the logging subsystem… | — |
| app_invariants__7ab94e7a915b007d | INVARIANT: Distributed state mutations must be serialized through a Raft-based replicated log, requiring quorum agreement before committing changes. SHADOW: Guarantees strong consistency and fault… | — |
| app_invariants__1faf143bf595f525 | INVARIANT: Ephemeral container instances must persist their identity and routing state into durable external storage (Kubernetes Secrets) to survive pod restarts. SHADOW: Allows stateless pods to… | — |
| app_invariants__d3fdf31fe98f6622 | INVARIANT: Bounded Ingestion via Channel Nullification SHADOW: Prevents memory exhaustion in the event bus by dynamically disabling the input channel when the internal queue reaches its capacity… | — |
| app_invariants__b4756a9def9f1839 | INVARIANT: Synchronous Failure Mirroring in Singleflight SHADOW: Ensures that if a deduplicated function call panics or fails, that exact failure state is captured and re-thrown to every concurrent… | — |
| app_invariants__702cc964a52ea25e | INVARIANT: Differential Persistence Invariant SHADOW: State storage operations must perform a pre-write comparison to suppress redundant I/O when the proposed state is byte-identical to the existing… | — |
| app_invariants__53e96871e28d97fe | INVARIANT: Profile-Identity Synchronization Lock SHADOW: Transitions between user profiles must atomically update the preference view, the active identity, and the health tracker before triggering… | — |
| app_invariants__cfcc7b6eecd2dd8b | INVARIANT: Cardinality-Constrained Resource Throttling SHADOW: Per-key rate limiting must be backed by a fixed-size LRU cache to ensure that tracking millions of unique actors does not result in… | — |
| app_invariants__b29705da9c3d50c9 | INVARIANT: Last-Writer-Active Identity Resolution SHADOW: In DERP relay logic, identity collisions (duplicate keys) are resolved by prioritizing the most recent connection, ensuring the network… | — |
| app_invariants__2e2113dd03d62790 | INVARIANT: Recursive Memory-Safe Deep Hashing SHADOW: Hashing complex structures requires a visit stack to detect and handle recursive pointers, ensuring the hash operation terminates and produces a… | — |
| app_invariants__57ac6c792471cbcc | INVARIANT: State modifications to the ServeConfig must utilize ETag-based optimistic concurrency control to prevent clobbering concurrent updates. SHADOW: In a multi-user or multi-process… | — |
| app_invariants__cb5f9cf0c4f776c7 | INVARIANT: Diagnostic network operations, such as debug dials, must be constrained by a hard-coded context timeout to prevent local API resource exhaustion. SHADOW: Because the LocalAPI is the… | — |
| app_invariants__8075df4068072dd6 | INVARIANT: Path-based service exposure requires a dual-layer authorization: the API actor's permission level and the underlying OS-level administrative privilege (root/sudo/admin). SHADOW: This… | — |
| app_invariants__aaa2699e8a884b57 | INVARIANT: Cryptographic authority (TKA) operations are gated by a combination of build-time feature flags and runtime pricing-plan validation. SHADOW: Ensures that high-security network locking… | — |
| app_invariants__0a2b37acac7be43c | INVARIANT: Component-level debug logging must be transient and time-decaying, requiring an explicit duration to prevent permanent state drift in log verbosity. SHADOW: Prevents the node from being… | — |
| app_invariants__3afc8fe2555904ea | INVARIANT: Strict Orthogonal Bootstrapping Order SHADOW: Services must be initialized in a specific sequence (Matching -> History -> Frontend -> Worker) and terminated in reverse. The Worker depends… | — |
| app_invariants__75f0119b3e4bb979 | INVARIANT: Persisted Metadata Precedence SHADOW: Once cluster metadata (shard counts, cluster names, global namespace status) is committed to the database, static configuration files lose authority.… | — |
| app_invariants__a9f139f4460d5fef | INVARIANT: Fault-Tolerant Schema Evolution SHADOW: Schema update operations must explicitly ignore 'Resource Already Exists' or 'Not Found' errors during execution. This allows for safe retries of… | — |
| app_invariants__eec7e343c366eeaa | INVARIANT: System Namespace Primacy SHADOW: The underlying system namespaces must be fully registered in the persistence layer before any service logic is permitted to start. This prevents… | — |
| app_invariants__d6e52c4ea1151bd9 | INVARIANT: Telemetry Disposal Priority SHADOW: Observability data (traces/spans) is treated as non-critical compared to process termination. Shutdown logic enforces a strict 1-second timeout for… | — |
| app_invariants__8814b097f5768c7f | INVARIANT: Cluster ID Membership Isolation SHADOW: New clusters must enforce membership validation based on a unique Cluster UUID rather than just a name. This prevents two distinct physical… | — |
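Two rows above (token bucket rate limiting, and per-key limiting backed by a fixed-size LRU so that millions of distinct actors cannot exhaust memory) describe one combined pattern. The following is an added illustration in Go, not code from any of the indexed projects: the type, method and field names are invented for this example, and the injectable clock exists only so the refill arithmetic can be exercised deterministically.

```go
package main

import (
	"container/list"
	"fmt"
	"sync"
	"time"
)

// bucket is the token-bucket state for one key (example type, not project code).
type bucket struct {
	key    string
	tokens float64
	last   time.Time
}

// KeyedLimiter gives every key its own token bucket but caps how many keys it
// tracks. Once the cap is hit, the least recently seen key is evicted, so an
// attacker spraying fresh identifiers cannot grow the map without bound.
type KeyedLimiter struct {
	mu      sync.Mutex
	rate    float64 // tokens refilled per second
	burst   float64 // maximum tokens a bucket may hold
	maxKeys int     // hard cap on tracked keys
	order   *list.List               // front = most recently used
	entries map[string]*list.Element // key -> element holding *bucket
	now     func() time.Time         // injectable clock (assumption for testing)
	Evicted int                      // keys dropped to stay under maxKeys
}

func NewKeyedLimiter(rate, burst float64, maxKeys int) *KeyedLimiter {
	return &KeyedLimiter{
		rate: rate, burst: burst, maxKeys: maxKeys,
		order:   list.New(),
		entries: make(map[string]*list.Element),
		now:     time.Now,
	}
}

// SetClock replaces the time source; only needed for deterministic tests.
func (l *KeyedLimiter) SetClock(now func() time.Time) { l.now = now }

// Allow reports whether one event for key may proceed now. The whole
// check-and-update runs under the mutex, matching the "protected by a
// sync.Mutex" invariant in the index.
func (l *KeyedLimiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()

	var b *bucket
	if el, ok := l.entries[key]; ok {
		l.order.MoveToFront(el)
		b = el.Value.(*bucket)
		// Refill proportionally to elapsed time, never above burst.
		refilled := b.tokens + now.Sub(b.last).Seconds()*l.rate
		if refilled > l.burst {
			refilled = l.burst
		}
		b.tokens, b.last = refilled, now
	} else {
		if l.order.Len() >= l.maxKeys {
			// Evict the least recently used key instead of growing the map.
			oldest := l.order.Back()
			l.order.Remove(oldest)
			delete(l.entries, oldest.Value.(*bucket).key)
			l.Evicted++
		}
		b = &bucket{key: key, tokens: l.burst, last: now}
		l.entries[key] = l.order.PushFront(b)
	}

	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Tracked returns how many keys are currently held in memory.
func (l *KeyedLimiter) Tracked() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	return len(l.entries)
}

func main() {
	l := NewKeyedLimiter(1, 3, 2) // 1 token/s, burst 3, at most 2 keys tracked
	for _, k := range []string{"a", "a", "a", "a", "b", "c"} {
		fmt.Printf("%s allowed=%v tracked=%d evicted=%d\n", k, l.Allow(k), l.Tracked(), l.Evicted)
	}
}
```

The caveat the LRU bound introduces: an evicted key that returns gets a fresh, full bucket, so `maxKeys` must be sized against the realistic number of concurrent actors, otherwise a flood of new keys lets old ones wash their limit away.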
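The staged-temp-file-then-rename rule and the differential persistence rule (suppress the write when the proposed state is byte-identical) also compose naturally. The Go function below is an added example written for this page, not any project's implementation; `WriteStateFile` and its signature are assumptions, and the directory fsync is the practitioner's addition that makes the rename itself durable across a crash.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
)

// WriteStateFile stores data at path so that a concurrent reader never sees a
// partial file: bytes go to a temp file in the same directory (rename is only
// atomic within a filesystem), are fsynced, then renamed over the target.
// When the existing contents are byte-identical nothing is written and
// written is false, which is the differential persistence check.
func WriteStateFile(path string, data []byte, mode os.FileMode) (written bool, err error) {
	if cur, rerr := os.ReadFile(path); rerr == nil && bytes.Equal(cur, data) {
		return false, nil // redundant write suppressed
	}
	dir := filepath.Dir(path)
	tmp, err := os.CreateTemp(dir, filepath.Base(path)+".tmp-*")
	if err != nil {
		return false, err
	}
	tmpName := tmp.Name()
	// Any failure below removes the staging file so no debris survives.
	defer func() {
		if err != nil {
			tmp.Close()
			os.Remove(tmpName)
		}
	}()
	if _, err = tmp.Write(data); err != nil {
		return false, err
	}
	if err = tmp.Sync(); err != nil { // data must reach disk before the rename
		return false, err
	}
	if err = tmp.Chmod(mode); err != nil { // CreateTemp defaults to 0600; set the caller's mode
		return false, err
	}
	if err = tmp.Close(); err != nil {
		return false, err
	}
	if err = os.Rename(tmpName, path); err != nil {
		return false, err
	}
	// Sync the directory so the new directory entry is durable too.
	if d, derr := os.Open(dir); derr == nil {
		d.Sync()
		d.Close()
	}
	return true, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "state-example")
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, "state.json")
	for _, s := range []string{`{"v":1}`, `{"v":1}`, `{"v":2}`} {
		w, err := WriteStateFile(p, []byte(s), 0o600)
		fmt.Printf("write %s -> written=%v err=%v\n", s, w, err)
	}
}
```

Reading the old file for comparison costs one extra read per save; the comparison is worth it when the same state is re-derived frequently (every netmap update, for instance) and each write would otherwise cost an fsync.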