feat: split API into Network Access Devices + Trust Domains (#152)#153
feat: split API into Network Access Devices + Trust Domains (#152)#153clundie-CL wants to merge 2 commits into
Conversation
… + Trust Domains (camaraproject#152) Splits the single network-access-management.yaml spec into two independent CAMARA APIs, per camaraproject#152: - network-access-devices.yaml — /network-access-devices + /reboot-requests (operator equipment info + reboot lifecycle). - trust-domains.yaml — /trust-domains, /trust-domains/{id}/devices, /services (network segments, policy, device registration/onboarding, services). NOTE: "trust-domains" is a PROVISIONAL working name pending naming feedback on camaraproject#152 (candidates: trust-domains, isolated-networks). The two functional halves share no operations and no domain schemas; shared definitions (NAM_Common, CAMARA_common, ServiceSite) stay in code/modules and code/common and are $ref'd + bundled into each spec. Scopes keep the existing network-access-management:* prefix for this draft (rename deferred until names finalize). Each spec gets its own title, server basePath, tag set, and a per-API-scoped info.description (deeper description reconciliation tracked in camaraproject#143). Docs updated: release-plan.yaml (two api entries), code/README.md (folder layout, two-spec lint/bundle), code/Test_definitions/README.md (per-API conventions + two bundle commands), and per-API readiness checklists. Deferred (documented in Test_definitions/README.md): re-prefixing/re-homing the 20 .feature files and their header spec URLs + tag prefixes — mechanical, done once API names are final to avoid churn on a working name. Both specs pass redocly lint. Co-Authored-By: claude-flow <ruv@ruv.net>
… PR) Remove issue references and decision/provisional-naming commentary from the changed files so the diff is strictly the change itself: - release-plan.yaml: drop the explanatory NOTE block (two api entries only). - code/README.md: drop the issue-camaraproject#152 references and "provisional pending naming" qualifiers; keep the factual two-API descriptions. - code/Test_definitions/README.md: remove the "API split in progress" callout, the "current state / pending rename" convention notes, and the "Target API (post-split)" inventory column (reverted to the prior form); keep only the bundle command updated to the two new spec filenames, since the previously referenced network-access-management.yaml is removed. No functional change. Co-Authored-By: claude-flow <ruv@ruv.net>
|
@caubut-charter @benhepworth @hdamker — opening this one up for discussion. 👋 This is a draft PR (not for merge) that splits the current Network Access Management API into two independent APIs: one for operator-supplied devices + reboots, one for the network-segmentation / Trust Domain side. I'd appreciate your eyes for alignment, primarily on naming, before we take it further. The full context, what's changing and the open decisions, is in the PR description. Please start with the " Two things I'm specifically after: Naming. network-access-devices feels settled for the device/reboot API. For the other one I used trust-domains as a working name, but the more I sit with it, the more I think network-access-segments is the better fit. It keeps the network-access-* family lineage alongside network-access-devices, and it lets Trust Domain stay as the core resource/schema rather than the API name (the API's real capability is network-access segmentation). It also reads more cleanly for scopes — e.g. network-access-segments:trust-domains:…. Keen on everyone's take, and open to alternatives. @hdamker: Since the split couples release-plan.yaml (the api_names) with the spec files, the one blocking validation finding is [P-022] (release-plan must change in its own PR). My read is the clean path is a sequenced delivery: (1) a standalone release-plan PR declaring the final names first, then (2) this files/docs PR, but I'd really value your guidance on how you'd like this to proceed from a release-management standpoint before we lock anything in. (The red CI here is expected for that reason.) Mainly want to converge on the naming so the downstream commits, and the validation fix, can follow. Thanks all! |
|
I like your idea of prefixing things with network-access to keep it inline instead of the two discussed on last week's call (network-access-devices / trust-domains). @albertoramosmonagas - is there anything we need to do from an API Backlog perspective when we split this API into two? Both APIs will still be in this repo and are both within the original scope of NetworkAccessManagement - it just makes sense to split into two different yaml files in this repo since some people implementing may want to do one without the other. |
|
@benhepworth Talked some more and think some candidates are: network-access-segments — Pro: "segment" cleanly conveys a bounded grouping that policy can be applied to, which matches how Trust Domains function as containers for connectivity, QoS, and security policy. Con: "segment" is a generic networking term and doesn't signal that the API specifically covers policy-bearing groupings rather than arbitrary partitions. network-access-domains — Pro: aligns naturally with the Trust Domain resource concept, reinforcing a consistent domain-based vocabulary across the API. Con: "domain" is overloaded in networking (DNS, broadcast, security, etc.) and may require disambiguation in docs. network-access-isolation — Pro: outcome-focused and carries continuity with the resource's original "Isolated Networks" naming, so the underlying intent is preserved even as the resource itself was renamed. Con: less natural as a resource-noun, and "isolation" can imply hard separation when the API may express more nuanced access policies. |
|
Hi @benhepworth, My understanding is that this is not a repository split, but an internal split of the API definition within the existing NetworkAccessManagement repository. From an API Backlog perspective, I do not see a need for a new Backlog action as long as both resulting API definitions remain within the originally approved NetworkAccessManagement scope and no new repository or new out-of-scope capability is introduced. The relevant work seems to be on the Release Management side. The two API names should be reflected in So I would only bring this back to API Backlog if the split introduces new scope, a new repository, a change of ownership/lifecycle, or a potential overlap with other CAMARA APIs. CC: @tanjadegroot, @hdamker |
@clundie-CL good question, as this is a hen-egg situation (if you define an API in
Another way you can choose (if the original defined API will be still present):
BTW: even errors are not blocking a PR merge, they block only a release. But it is recommended to keep the main branch free of errors. Another hint: you should delete the legacy API Readiness Checklist ... it is obsolete and creates a warning if present. Happy to support in this special operation if there are further questions! |
P-009 (_check_release_type_consistency) rejects draft APIs while
target_release_type is pre-release-rc ("APIs are not rc/public"). The split
declares the two APIs as draft (so their files can land in camaraproject#153 without a
P-002 error), so the plan must be parked at target_release_type: none for
this phase. The rc-bump PR restores target_release_type: pre-release-rc when
it sets both APIs to rc.
Co-Authored-By: claude-flow <ruv@ruv.net>
P-009 flags a "naming mismatch" (blocking in the released tooling) when a declared draft API has no file AND an unmatched file is present — here the still-present network-access-management.yaml. Declaring network-access-management itself as draft removes the orphan, so the heuristic stays quiet. The restructure PR (camaraproject#153) deletes network-access-management.yaml (leaving a fileless draft with no orphans — still clean), and the rc-bump PR drops this entry and sets the two real APIs to rc. Co-Authored-By: claude-flow <ruv@ruv.net>
4 participants
What type of PR is this?
What this PR does / why we need it:
Splits the single
network-access-management.yamlspec into two independent CAMARA APIs, per #152:code/API_definitions/network-access-devices.yaml/network-access-devices,/reboot-requestscode/API_definitions/trust-domains.yaml/trust-domains,/trust-domains/{id}/devices,/servicesThe two functional halves share no operations and no domain schemas. Shared definitions (
NAM_Common,CAMARA_common, andServiceSite) stay incode/modules/andcode/common/and are$ref'd + bundled into each spec — the same mechanism already used for the other shared modules. Each spec gets its owninfo.title, server basePath (/network-access-devices/vwip,/trust-domains/vwip), tag set, and a per-API-scopedinfo.description. Both passredocly lint.Which issue(s) this PR fixes:
Fixes #152
Does this PR introduce a breaking change?
Splitting the single
network-access-managementAPI into two APIs is breaking by definition: the original API and its server basePath ({apiRoot}/network-access-management/vwip) are removed and replaced by{apiRoot}/network-access-devices/vwipand{apiRoot}/trust-domains/vwip, each with its own spec, scopes, and release lifecycle. Any consumer integrated against the prior API must migrate to the two replacements. (Currently, the only consumer is CableLabs)Special notes for reviewers:
This PR is intentionally not yet mergeable — it exists to align on the split and, specifically, on naming. The items below cascade: each unblocks the next, and the last is what clears the failing check.
Naming — the gating decision.
trust-domainsvsisolated-networks(or other)? Working name in this PR istrust-domains.network-access-devices.What the naming decision drives (subsequent commits to this PR): rename the spec file, server basePath, and
info.title; the readiness-checklist filename; the scope-string prefixes (stillnetwork-access-management:*today); and re-homing the 20.featurefiles (filenames, header spec URLs, tag prefixes).How that clears CI. The only blocking check is [P-022] —
release-plan.yamlmust change in its own PR. A split couplesrelease-plan.yaml(theapi_names) with the spec files, so the green path is a sequenced delivery: (a) a standalone release-plan-only PR declaring the final names, then (b) this PR (files/docs) with norelease-planchange. We can't do (a) until names are locked. Every other finding in the run is a non-blocking warning/hint.TL;DR for reviewers: please weigh in on the naming options (#1). Everything downstream — including making CI green — follows from that.
Docs updated alongside the split:
release-plan.yaml→ twoapis:entries (network-access-devices,trust-domains).code/README.md→ folder diagram, two-spec lint/bundle commands, File Purposes + which modules each API uses (and which are shared).code/Test_definitions/README.md→ bundle command updated to point at the two new specs (the previously referenced network-access-management.yaml is removed).network-access-devices-API-Readiness-Checklist.md+trust-domains-API-Readiness-Checklist.md.Explicitly deferred:
.featurefiles (filenames, header spec URLs,@network_access_management_*tag prefixes) per API — mechanical, deferred until names are final to avoid churning 20 files on a working name. The operation→API mapping is firm — it follows the existing tag groups: Services / Trust Domains / Trust Domain Devices →trust-domains; Network Access Devices / Reboot Requests →network-access-devices.info.descriptionreconciliation (bubbling up embedded schema docs) — tracked in Refactor API Description for RC release #143. This PR only trims the description so each API's prose is coherent for its own scope.misc: rootREADME.mdrelease links point at ther2.1tag (historical, unaffected);CHANGELOGuntouched (gated/historical).Changelog input
Additional documentation
This section can be blank.