feat(enroll): strip master API and frontend from agent tarball

Agents never run the FastAPI master app (decnet/web/) or serve the React frontend (decnet_web/) — they run decnet.agent, decnet.updater, and decnet.forwarder, none of which import decnet.web. Shipping the master tree bloats every enrollment payload and needlessly widens the worker's attack surface. Excluded paths are unreachable on the worker (all cli.py imports of decnet.web are inside master-only command bodies that the agent-mode gate strips). Tests assert neither tree leaks into the tarball.
2026-04-19 18:47:03 -04:00
parent dad29249de
commit ee9ade4cd5
2 changed files with 11 additions and 2 deletions
--- a/decnet/web/router/swarm_mgmt/api_enroll_bundle.py
+++ b/decnet/web/router/swarm_mgmt/api_enroll_bundle.py
@@ -61,8 +61,12 @@ _EXCLUDES: tuple[str, ...] = (
    "tests", "tests/*",
    "development", "development/*",
    "wiki-checkout", "wiki-checkout/*",
-    "decnet_web/node_modules", "decnet_web/node_modules/*",
-    "decnet_web/src", "decnet_web/src/*",
+    # Frontend is master-only; agents never serve UI.
+    "decnet_web", "decnet_web/*", "decnet_web/**",
+    # Master FastAPI app (API, routers, master-side DB) is not run on agents.
+    # The `agent` / `updater` / `forwarder` commands have their own apps under
+    # decnet/agent, decnet/updater — they don't import decnet.web.
+    "decnet/web", "decnet/web/*", "decnet/web/**",
    "decnet-state.json",
    "master.log", "master.json",
    "decnet.tar",