Phase 1: cluster write-federation - trust multiple writers (edge parse + master-trust script)

[ehsan6sha]

Part of #72.

What this delivers (standalone, verifiable)

Followers can trust more than one cluster writer, so a 2nd cloud writer's pins are accepted network-wide. Additive + backward-compatible - nothing changes until a 2nd writer is actually added and trusted.

Edge (deploys via OTA - no updater script)

File: docker/fxsupport/linux/ipfs-cluster/ipfs-cluster-container-init.d.sh

• Parse the new ipfs-cluster-trustedpeers array from the pool-info endpoint (companion: functionland/join-server#2), falling back to the existing single ipfs-cluster-peerid -> identical to today when the API returns only the legacy field.
• consensus.crdt.trusted_peers is set to the full set; cluster.peer_addresses, the /x/fula-cluster bootstrap and the DNS fallback all use the PRIMARY (first) peer, so single-peer multiaddrs never receive a comma-list (the easy-to-miss wiring bug).
• Rolls out via watchtower + fula.sh once merged.

Server op (non-OTA; master is systemd-managed)

update-scripts/phase-1-master-trust.sh - appends a new writer peer id to CLUSTER_CRDT_TRUSTEDPEERS in the master systemd unit (both Environment= and ExecStart -e), backs up, daemon-reload + restart, verifies. Additive, idempotent, reversible, halts without NEW_WRITER_PEERID. Datastore/identity/pinset untouched.

Tests (pass locally under WSL bash + jq 1.7)

• tests/test-cluster-federation-parse.sh - 7/7 (array to csv, fallback, filter empties, primary=first, split to array, split index 0, single to 1-elem array).
• tests/test-phase-1-master-trust.sh - 6/6 (append to both lines, backup, idempotent no-double-append, halts without peer id, rejects bad id).
• Both scripts bash -n clean; LF line endings (safe on Linux).

Data-safety

Additive trusted_peers only (pebble/pinset/identity/secret untouched); backups + documented rollback; edge change backward-compatible. Validate on one test device before fleet/OTA rollout.

Still pending in #72 (follow-ups, not in this PR)

• New-writer setup script - needs the master ipfs.service unit as a template.
• Master-offline connectivity - a 2nd bootstrap/tunnel so followers reach the new writer when the master is offline (needs per-writer kubo addresses from the pool endpoint + test-device validation). This PR makes followers trust the 2nd writer; full master-offline write-availability is the follow-up.

Generated with Claude Code.

[ehsan6sha]

Phase 1 e2e — real-daemon acceptance: 14/14 PASS

Ran on a clean Ubuntu 24.04 x86 box (isolated test cluster, never touching prod): simulated master (prod-shaped systemd unit, shifted ports) + this PR's real phase-1-setup-writer.sh and phase-1-master-trust.sh + an updated-config follower (trusts master+writer) + an old-config follower (trusts master only).

Drill	Result
D0 4-peer topology converges	✅
D1 pin via master → reaches old AND new followers	✅
D2 master stopped → pin via writer succeeds; updated follower pins it	✅
D2 old follower ignores writer-issued pin but keeps serving existing pins (mixed-fleet/no-forced-upgrade)	✅
D3 master restarts → CRDT reconverges, learns writer-era pin, pinset never shrank	✅
D4 both scripts re-run as no-ops (with daemons running); peerset stable	✅

Fixes the e2e surfaced (in this PR)

1. kubo image double-init — the official image entrypoint auto-inits an empty repo before the CMD, so docker run … init failed; one-shots now use --entrypoint ipfs.
2. repo lock on re-runs — ipfs config one-shots fail while the daemon holds the repo lock; new kubo_cfg routes through the running daemon, and peer id reads use jq on the config file (lock-free).

Finding for a follow-up (not this PR)

docker/fxsupport/linux/.env.cluster sets IPFS_CLUSTER_IPFSPROXY_LISTENMULTIADDRESS — that prefix is not a valid ipfs-cluster env mapping (correct: CLUSTER_IPFSPROXY_LISTENMULTIADDRESS). Harmless today only because the value equals the default.

Unit suites (test-phase-common, test-phase-1-setup-writer, test-phase-1-master-trust): all pass after the fixes.

🤖 Generated with Claude Code