Adds version 13 (ADD_TRUST_QUORUM) to the Sled Agent API with the following endpoints for trust quorum reconfiguration:

- POST `/trust-quorum/reconfigure` - Initiate a reconfiguration
- POST `/trust-quorum/upgrade-from-lrtq` - Upgrade from low-rent (legacy) trust quorum
- POST `/trust-quorum/commit` - Commit a trust-quorum
- GET `/trust-quorum/coordinator-status` - Get coordinator status
- POST `/trust-quorum/prepare-and-commit` - Prepare and commit a configuration

Types are organized per RFD 619 (via feeding Claude the RFD):

- API types defined in `sled-agent-types-versions/src/add_trust_quorum/`
- Re-exported via `latest.rs` and `sled-agent-types/src/trust_quorum.rs`
- API trait uses `latest::` paths for all trust quorum types

Also exports `EncryptedRackSecrets`, `Salt`, and `Sha3_256Digest` from `trust-quorum-protocol` for use in the `prepare_and_commit` handler.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: plaidfinch

openapi/sled-agent/sled-agent-13.0.0-015e5e.json

@@ -1 +1 @@
-sled-agent-12.0.0-ffacab.json
+sled-agent-13.0.0-015e5e.json

openapi/sled-agent/sled-agent-latest.json

@@ -34,6 +34,7 @@ api_versions!([
     // |  example for the next person.
     // v
     // (next_int, IDENT),
+    (13, ADD_TRUST_QUORUM),
     (12, ADD_SMF_SERVICES_HEALTH_CHECK),
     (11, ADD_DUAL_STACK_EXTERNAL_IP_CONFIG),
     (10, ADD_DUAL_STACK_SHARED_NETWORK_INTERFACES),
@@ -1065,4 +1066,71 @@ pub trait SledAgentApi {
         request_context: RequestContext<Self::Context>,
         path_params: Path<latest::dataset::LocalStoragePathParam>,
     ) -> Result<HttpResponseUpdatedNoContent, HttpError>;
+
+    /// Initiate a trust quorum reconfiguration
+    #[endpoint {
+        method = POST,
+        path = "/trust-quorum/reconfigure",
+        versions = VERSION_ADD_TRUST_QUORUM..,
+    }]
+    async fn trust_quorum_reconfigure(
+        request_context: RequestContext<Self::Context>,
+        body: TypedBody<latest::trust_quorum::TrustQuorumReconfigureRequest>,
+    ) -> Result<HttpResponseUpdatedNoContent, HttpError>;
+
+    /// Initiate an upgrade from LRTQ
+    #[endpoint {
+        method = POST,
+        path = "/trust-quorum/upgrade-from-lrtq",
+        versions = VERSION_ADD_TRUST_QUORUM..,
+    }]
+    async fn trust_quorum_upgrade_from_lrtq(
+        request_context: RequestContext<Self::Context>,
+        body: TypedBody<latest::trust_quorum::TrustQuorumLrtqUpgradeRequest>,
+    ) -> Result<HttpResponseUpdatedNoContent, HttpError>;
+
+    /// Commit a trust quorum configuration
+    #[endpoint {
+        method = POST,
+        path = "/trust-quorum/commit",
+        versions = VERSION_ADD_TRUST_QUORUM..,
+    }]
+    async fn trust_quorum_commit(
+        request_context: RequestContext<Self::Context>,
+        body: TypedBody<latest::trust_quorum::TrustQuorumCommitRequest>,
+    ) -> Result<
+        HttpResponseOk<latest::trust_quorum::TrustQuorumCommitResponse>,
+        HttpError,
+    >;
+
+    /// Get the coordinator status if this node is coordinating a reconfiguration
+    #[endpoint {
+        method = GET,
+        path = "/trust-quorum/coordinator-status",
+        versions = VERSION_ADD_TRUST_QUORUM..,
+    }]
+    async fn trust_quorum_coordinator_status(
+        request_context: RequestContext<Self::Context>,
+    ) -> Result<
+        HttpResponseOk<
+            Option<latest::trust_quorum::TrustQuorumCoordinatorStatus>,
+        >,
+        HttpError,
+    >;
+
+    /// Attempt to prepare and commit a trust quorum configuration
+    #[endpoint {
+        method = POST,
+        path = "/trust-quorum/prepare-and-commit",
+        versions = VERSION_ADD_TRUST_QUORUM..,
+    }]
+    async fn trust_quorum_prepare_and_commit(
+        request_context: RequestContext<Self::Context>,
+        body: TypedBody<
+            latest::trust_quorum::TrustQuorumPrepareAndCommitRequest,
+        >,
+    ) -> Result<
+        HttpResponseOk<latest::trust_quorum::TrustQuorumCommitResponse>,
+        HttpError,
+    >;
 }

sled-agent/api/src/lib.rs

@@ -55,6 +55,12 @@ use sled_agent_types::support_bundle::{
     SupportBundleMetadata, SupportBundlePathParam,
     SupportBundleTransferQueryParams,
 };
+use sled_agent_types::trust_quorum::{
+    TrustQuorumCommitRequest, TrustQuorumCommitResponse,
+    TrustQuorumConfiguration, TrustQuorumCoordinatorStatus,
+    TrustQuorumLrtqUpgradeRequest, TrustQuorumPrepareAndCommitRequest,
+    TrustQuorumReconfigureRequest,
+};
 use sled_agent_types::zone_bundle::{
     BundleUtilization, CleanupContext, CleanupContextUpdate, CleanupCount,
     CleanupPeriod, StorageLimit, ZoneBundleFilter, ZoneBundleId,
@@ -1178,4 +1184,184 @@ impl SledAgentApi for SledAgentImpl {
 
         Ok(HttpResponseUpdatedNoContent())
     }
+
+    async fn trust_quorum_reconfigure(
+        request_context: RequestContext<Self::Context>,
+        body: TypedBody<TrustQuorumReconfigureRequest>,
+    ) -> Result<HttpResponseUpdatedNoContent, HttpError> {
+        let sa = request_context.context();
+        let request = body.into_inner();
+
+        let msg = trust_quorum_protocol::ReconfigureMsg {
+            rack_id: request.rack_id,
+            epoch: trust_quorum_protocol::Epoch(request.epoch),
+            last_committed_epoch: request
+                .last_committed_epoch
+                .map(trust_quorum_protocol::Epoch),
+            members: request.members,
+            threshold: trust_quorum_protocol::Threshold(request.threshold),
+        };
+
+        sa.trust_quorum()
+            .reconfigure(msg)
+            .await
+            .map_err(|e| HttpError::for_internal_error(e.to_string()))?;
+
+        Ok(HttpResponseUpdatedNoContent())
+    }
+
+    async fn trust_quorum_upgrade_from_lrtq(
+        request_context: RequestContext<Self::Context>,
+        body: TypedBody<TrustQuorumLrtqUpgradeRequest>,
+    ) -> Result<HttpResponseUpdatedNoContent, HttpError> {
+        let sa = request_context.context();
+        let request = body.into_inner();
+
+        let msg = trust_quorum_protocol::LrtqUpgradeMsg {
+            rack_id: request.rack_id,
+            epoch: trust_quorum_protocol::Epoch(request.epoch),
+            members: request.members,
+            threshold: trust_quorum_protocol::Threshold(request.threshold),
+        };
+
+        sa.trust_quorum()
+            .upgrade_from_lrtq(msg)
+            .await
+            .map_err(|e| HttpError::for_internal_error(e.to_string()))?;
+
+        Ok(HttpResponseUpdatedNoContent())
+    }
+
+    async fn trust_quorum_commit(
+        request_context: RequestContext<Self::Context>,
+        body: TypedBody<TrustQuorumCommitRequest>,
+    ) -> Result<HttpResponseOk<TrustQuorumCommitResponse>, HttpError> {
+        let sa = request_context.context();
+        let request = body.into_inner();
+
+        let status = sa
+            .trust_quorum()
+            .commit(
+                request.rack_id,
+                trust_quorum_protocol::Epoch(request.epoch),
+            )
+            .await
+            .map_err(|e| HttpError::for_internal_error(e.to_string()))?;
+
+        let response = match status {
+            trust_quorum::CommitStatus::Committed => {
+                TrustQuorumCommitResponse::Committed
+            }
+            trust_quorum::CommitStatus::Pending => {
+                TrustQuorumCommitResponse::Pending
+            }
+        };
+
+        Ok(HttpResponseOk(response))
+    }
+
+    async fn trust_quorum_coordinator_status(
+        request_context: RequestContext<Self::Context>,
+    ) -> Result<HttpResponseOk<Option<TrustQuorumCoordinatorStatus>>, HttpError>
+    {
+        let sa = request_context.context();
+
+        let status = sa
+            .trust_quorum()
+            .coordinator_status()
+            .await
+            .map_err(|e| HttpError::for_internal_error(e.to_string()))?;
+
+        let response = status.map(|s| TrustQuorumCoordinatorStatus {
+            config: TrustQuorumConfiguration {
+                rack_id: s.config.rack_id,
+                epoch: s.config.epoch.0,
+                coordinator: s.config.coordinator,
+                members: s
+                    .config
+                    .members
+                    .into_iter()
+                    .map(|(id, digest)| (id, hex::encode(digest.0)))
+                    .collect(),
+                threshold: s.config.threshold.0,
+            },
+            acked_prepares: s.acked_prepares,
+        });
+
+        Ok(HttpResponseOk(response))
+    }
+
+    async fn trust_quorum_prepare_and_commit(
+        request_context: RequestContext<Self::Context>,
+        body: TypedBody<TrustQuorumPrepareAndCommitRequest>,
+    ) -> Result<HttpResponseOk<TrustQuorumCommitResponse>, HttpError> {
+        let sa = request_context.context();
+        let request = body.into_inner();
+
+        let bad_request = |msg: String| HttpError::for_bad_request(None, msg);
+
+        let parse_digest = |hex: &str| -> Result<[u8; 32], HttpError> {
+            let bytes = hex::decode(hex)
+                .map_err(|e| bad_request(format!("invalid hex: {e}")))?;
+            bytes.try_into().map_err(|v: Vec<u8>| {
+                bad_request(format!("digest must be 32 bytes, got {}", v.len()))
+            })
+        };
+
+        let members = request
+            .members
+            .into_iter()
+            .map(|(id, hex)| {
+                Ok((
+                    id,
+                    trust_quorum_protocol::Sha3_256Digest(parse_digest(&hex)?),
+                ))
+            })
+            .collect::<Result<_, HttpError>>()?;
+
+        let encrypted_rack_secrets = request
+            .encrypted_rack_secrets
+            .map(
+                |ers| -> Result<
+                    trust_quorum_protocol::EncryptedRackSecrets,
+                    HttpError,
+                > {
+                    let salt = parse_digest(&ers.salt)?;
+                    let data = hex::decode(&ers.data).map_err(|e| {
+                        bad_request(format!("invalid hex data: {e}"))
+                    })?;
+                    Ok(trust_quorum_protocol::EncryptedRackSecrets::new(
+                        trust_quorum_protocol::Salt(salt),
+                        data.into_boxed_slice(),
+                    ))
+                },
+            )
+            .transpose()?;
+
+        let config = trust_quorum_protocol::Configuration {
+            rack_id: request.rack_id,
+            epoch: trust_quorum_protocol::Epoch(request.epoch),
+            coordinator: request.coordinator,
+            members,
+            threshold: trust_quorum_protocol::Threshold(request.threshold),
+            encrypted_rack_secrets,
+        };
+
+        let status = sa
+            .trust_quorum()
+            .prepare_and_commit(config)
+            .await
+            .map_err(|e| HttpError::for_internal_error(e.to_string()))?;
+
+        let response = match status {
+            trust_quorum::CommitStatus::Committed => {
+                TrustQuorumCommitResponse::Committed
+            }
+            trust_quorum::CommitStatus::Pending => {
+                TrustQuorumCommitResponse::Pending
+            }
+        };
+
+        Ok(HttpResponseOk(response))
+    }
 }

sled-agent/src/http_entrypoints.rs

@@ -67,6 +67,11 @@ use sled_agent_types::support_bundle::{
     SupportBundleMetadata, SupportBundlePathParam,
     SupportBundleTransferQueryParams,
 };
+use sled_agent_types::trust_quorum::{
+    TrustQuorumCommitRequest, TrustQuorumCommitResponse,
+    TrustQuorumCoordinatorStatus, TrustQuorumLrtqUpgradeRequest,
+    TrustQuorumPrepareAndCommitRequest, TrustQuorumReconfigureRequest,
+};
 use sled_agent_types::zone_bundle::{
     BundleUtilization, CleanupContext, CleanupContextUpdate, CleanupCount,
     ZoneBundleFilter, ZoneBundleId, ZoneBundleMetadata, ZonePathParam,
@@ -922,6 +927,41 @@ impl SledAgentApi for SledAgentSimImpl {
     ) -> Result<HttpResponseUpdatedNoContent, HttpError> {
         Ok(HttpResponseUpdatedNoContent())
     }
+
+    async fn trust_quorum_reconfigure(
+        _request_context: RequestContext<Self::Context>,
+        _body: TypedBody<TrustQuorumReconfigureRequest>,
+    ) -> Result<HttpResponseUpdatedNoContent, HttpError> {
+        method_unimplemented()
+    }
+
+    async fn trust_quorum_upgrade_from_lrtq(
+        _request_context: RequestContext<Self::Context>,
+        _body: TypedBody<TrustQuorumLrtqUpgradeRequest>,
+    ) -> Result<HttpResponseUpdatedNoContent, HttpError> {
+        method_unimplemented()
+    }
+
+    async fn trust_quorum_commit(
+        _request_context: RequestContext<Self::Context>,
+        _body: TypedBody<TrustQuorumCommitRequest>,
+    ) -> Result<HttpResponseOk<TrustQuorumCommitResponse>, HttpError> {
+        method_unimplemented()
+    }
+
+    async fn trust_quorum_coordinator_status(
+        _request_context: RequestContext<Self::Context>,
+    ) -> Result<HttpResponseOk<Option<TrustQuorumCoordinatorStatus>>, HttpError>
+    {
+        method_unimplemented()
+    }
+
+    async fn trust_quorum_prepare_and_commit(
+        _request_context: RequestContext<Self::Context>,
+        _body: TypedBody<TrustQuorumPrepareAndCommitRequest>,
+    ) -> Result<HttpResponseOk<TrustQuorumCommitResponse>, HttpError> {
+        method_unimplemented()
+    }
 }
 
 fn method_unimplemented<T>() -> Result<T, HttpError> {

sled-agent/src/sim/http_entrypoints.rs

@@ -370,6 +370,9 @@ struct SledAgentInner {
     // A handle to the bootstore.
     bootstore: bootstore::NodeHandle,
 
+    // A handle to the trust quorum.
+    trust_quorum: trust_quorum::NodeTaskHandle,
+
     // A handle to the hardware monitor.
     hardware_monitor: HardwareMonitorHandle,
 
@@ -683,6 +686,7 @@ impl SledAgent {
                 rack_network_config,
                 zone_bundler: long_running_task_handles.zone_bundler.clone(),
                 bootstore: long_running_task_handles.bootstore.clone(),
+                trust_quorum: long_running_task_handles.trust_quorum.clone(),
                 hardware_monitor: long_running_task_handles
                     .hardware_monitor
                     .clone(),
@@ -1048,6 +1052,10 @@ impl SledAgent {
         self.inner.bootstore.clone()
     }
 
+    pub fn trust_quorum(&self) -> trust_quorum::NodeTaskHandle {
+        self.inner.trust_quorum.clone()
+    }
+
     pub fn list_vpc_routes(&self) -> Vec<ResolvedVpcRouteState> {
         self.inner.port_manager.vpc_routes_list()
     }

sled-agent/src/sled_agent.rs

@@ -20,5 +20,6 @@ pub mod rack_init;
 pub mod rack_ops;
 pub mod sled;
 pub mod support_bundle;
+pub mod trust_quorum;
 pub mod zone_bundle;
 pub mod zone_images;

sled-agent/types/src/lib.rs

@@ -0,0 +1,7 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! Trust quorum types for the Sled Agent API.
+
+pub use sled_agent_types_versions::latest::trust_quorum::*;

sled-agent/types/src/trust_quorum.rs

@@ -0,0 +1,9 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! Version `ADD_TRUST_QUORUM` of the Sled Agent API.
+//!
+//! This version adds endpoints for trust quorum reconfiguration.
+
+pub mod trust_quorum;