From f347a3a736aaa6899892c2a2d3349641873569d2 Mon Sep 17 00:00:00 2001
From: anti <samuel@securejump.cl>
Date: Wed, 29 Apr 2026 00:15:11 -0400
Subject: [PATCH] feat(mutator): live network.connect for apply_attach_decky
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After the DB writes that record the multi-home edge, calls the docker
SDK directly to add an interface to the base container's netns:

  client.networks.get(<topology bridge>).connect(<base>, ipv4_address=ip)

Non-destructive — the base keeps running, no recreate.  Service
containers automatically see the new interface because they share
the base's netns via network_mode: service:<base>.

Idempotency: docker APIError with 'already' / 'endpoint exists' is
logged at info and treated as success.  Other errors log + leave the
DB row in place; an operator retry will hit the same path.
---
 decnet/mutator/ops.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/decnet/mutator/ops.py b/decnet/mutator/ops.py
index 6d469950..434e360c 100644
--- a/decnet/mutator/ops.py
+++ b/decnet/mutator/ops.py
@@ -704,6 +704,16 @@ async def apply_attach_decky(
             "forwards_l3": forwards_l3,
         }
     )
+    # Live materialisation: SDK network.connect on the base container.
+    # Service containers share the base's netns via network_mode:
+    # service:<base>, so they inherit the new interface — only the base
+    # needs the connect.
+    await _materialise_decky_connect(
+        repo, topology_id,
+        decky_name=decky["decky_config"]["name"],
+        lan_name=lan["name"],
+        ipv4_address=ip,
+    )
     await _assert_valid_after(repo, topology_id)