}

func (t *Token) AllowDelegation(action Action, issuer, audience did.DID, topics []Capability, expire uint64, c Capability) bool {
	switch {
	case t.DMS != nil:

}

func (t *DMSToken) AllowDelegation(action Action, issuer, audience did.DID, topics []Capability, expire uint64, c Capability) bool {
	if action == Delegate {
		if !t.verifyDepth(2) {

}

func (t *Token) Delegate(provider did.Provider, subject, audience did.DID, topics []Capability, expire, depth uint64, c []Capability) (*Token, error) {
	switch {
	case t.DMS != nil:

}

func (t *DMSToken) Delegate(provider did.Provider, subject, audience did.DID, topics []Capability, expire, depth uint64, c []Capability) (*DMSToken, error) {
	return t.delegate(Delegate, provider, subject, audience, topics, expire, depth, c)
}

}

func (t *DMSToken) delegate(action Action, provider did.Provider, subject, audience did.DID, topics []Capability, expire, depth uint64, c []Capability) (*DMSToken, error) {
	if t.Action != Delegate {
		return nil, ErrNotAuthorized

}

func (t *Token) DelegateBroadcast(provider did.Provider, subject did.DID, topic Capability, expire uint64, c []Capability) (*Token, error) {
	switch {
	case t.DMS != nil:

}

func (t *DMSToken) DelegateBroadcast(provider did.Provider, subject did.DID, topic Capability, expire uint64, c []Capability) (*DMSToken, error) {
	return t.delegate(Broadcast, provider, subject, did.DID{}, []Capability{topic}, expire, 0, c)
}

package ucan

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
	"slices"
	"time"

	"gitlab.com/nunet/device-management-service/lib/did"
)

type Action string

}

func (t *DMSToken) verify(trust did.TrustContext, now, depth uint64) error {
	if t.ExpireBefore(now) {
		return ErrCapabilityExpired
	}

	if t.Depth > 0 && depth > t.Depth {
		return fmt.Errorf("max token depth exceeded: %w", ErrNotAuthorized)
	}

	if t.Chain != nil {
		if t.Chain.Action() != Delegate {
			return fmt.Errorf("verify: chain does not allow delegation: %w", ErrNotAuthorized)
		}

}

func (t *DMSToken) AllowAction(ot *Token) bool {
	if t.Action != Delegate {
		return false
	}

	if t.ExpireBefore(ot.Expire()) {
		return false
	}

	if !ot.Anchor(t.Subject) {
		return false
	}

var signaturePrefix = []byte("dms:token:")

type Token struct {
	// DMS tokens
	DMS *DMSToken `json:"dms,omitempty"`
	// UCAN standard (when it is done) envelope for BYO anhcors
	UCAN *BYOToken `json:"ucan,omitempty"`
}

type DMSToken struct {

}

func (t *DMSToken) verify(trust did.TrustContext, now, depth uint64) error {
	if t.ExpireBefore(now) {
		return ErrCapabilityExpired
	}

	if t.Depth > 0 && depth > t.Depth {
		return fmt.Errorf("max token depth exceeded: %w", ErrNotAuthorized)
	}

	if t.Chain != nil {
		if t.Chain.Action() != Delegate {
			return fmt.Errorf("verify: chain does not allow delegation: %w", ErrNotAuthorized)
		}

}

func (t *DMSToken) AllowAction(ot *Token) bool {
	if t.Action != Delegate {
		return false
	}

	if t.ExpireBefore(ot.Expire()) {
		return false
	}

	if !ot.Anchor(t.Subject) {
		return false
	}

}

func (t *DMSToken) AllowInvocation(subject, audience did.DID, c Capability) bool {
	if t.Action != Invoke {
		return false
	}

	if !t.Subject.Equal(subject) {
		return false
	}

	if !t.Audience.Empty() && !t.Audience.Equal(audience) {
		return false
	}

}

func (t *DMSToken) AllowBroadcast(subject did.DID, topic Capability, c Capability) bool {
	if t.Action != Broadcast {
		return false
	}

	if !t.Subject.Equal(subject) {
		return false
	}

	if !t.Audience.Empty() {
		return false
	}

}

func (t *DMSToken) allowDelegation(issuer, audience did.DID, topics []Capability, expire uint64, c Capability) bool {
	if t.Action != Delegate {
		return false
	}

	if t.ExpireBefore(expire) {
		return false
	}

	if !t.Subject.Equal(issuer) {
		return false
	}

}

func (t *DMSToken) delegate(action Action, provider did.Provider, subject, audience did.DID, topics []Capability, expire, depth uint64, c []Capability) (*DMSToken, error) {
	if t.Action != Delegate {
		return nil, ErrNotAuthorized
	}

	if action == Delegate {
		if !t.verifyDepth(2) {
			// certificate would be dead end with 1
			return nil, ErrNotAuthorized
		}
	} else {
		if !t.verifyDepth(1) {
			return nil, ErrNotAuthorized

}

func (ctx *BasicCapabilityContext) Grant(action Action, subject, audience did.DID, topics []string, expire, depth uint64, provide []Capability) (TokenList, error) {
	nonce := make([]byte, nonceLength)
	_, err := rand.Read(nonce)

}

func (ctx *BasicCapabilityContext) Delegate(subject, audience did.DID, topics []string, expire, depth uint64, provide []Capability, selfSign SelfSignMode) (TokenList, error) {
	if len(provide) == 0 {
		return TokenList{}, nil

}

func (ctx *BasicCapabilityContext) DelegateBroadcast(subject did.DID, topic string, expire uint64, provide []Capability, selfSign SelfSignMode) (TokenList, error) {
	if len(provide) == 0 {
		return TokenList{}, nil

}

func (ctx *BasicCapabilityContext) delegateBroadcast(tokenList []*Token, anchor did.DID, subject did.DID, topic string, expire uint64, provide []Capability) []*Token {
	topicCap := Capability(topic)
	var result []*Token //nolint

}

func (ctx *BasicCapabilityContext) Provide(target did.DID, subject crypto.ID, audience crypto.ID, expire uint64, invoke []Capability, provide []Capability) ([]byte, error) {
	if len(invoke) == 0 && len(provide) == 0 {
		return nil, fmt.Errorf("no capabilities: %w", ErrNotAuthorized)

package ucan

import (
	"bytes"
	"context"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"slices"
	"sync"
	"time"

	"gitlab.com/nunet/device-management-service/lib/crypto"

}

func (ctx *BasicCapabilityContext) Delegate(subject, audience did.DID, topics []string, expire, depth uint64, provide []Capability, selfSign SelfSignMode) (TokenList, error) {
	if len(provide) == 0 {
		return TokenList{}, nil
	}

	topicCap := make([]Capability, 0, len(topics))
	for _, topic := range topics {
		topicCap = append(topicCap, Capability(topic))
	}

	var result []*Token

	if selfSign == SelfSignOnly {

}

func (ctx *BasicCapabilityContext) Consume(origin did.DID, data []byte) error {
	if len(data) > maxCapabilitySize {
		return ErrTooBig
	}

	var tokens TokenList
	if err := json.Unmarshal(data, &tokens); err != nil {
		return fmt.Errorf("unmarshaling payload: %w", err)
	}

	rootAnchors := ctx.getRoots()
	requireAnchors := ctx.getRequireAnchors()
	now := uint64(time.Now().UnixNano())

}

func (ctx *BasicCapabilityContext) Require(anchor did.DID, subject crypto.ID, audience crypto.ID, cap []Capability) error {
	if len(cap) == 0 {
		return fmt.Errorf("no capabilities: %w", ErrNotAuthorized)
	}

	subjectDID, err := did.FromID(subject)
	if err != nil {
		return fmt.Errorf("DID for subject: %w", err)
	}

	audienceDID, err := did.FromID(audience)
	if err != nil {
		return fmt.Errorf("DID for audience: %w", err)

}

func (ctx *BasicCapabilityContext) RequireBroadcast(anchor did.DID, subject crypto.ID, topic string, require []Capability) error {
	if len(require) == 0 {
		return fmt.Errorf("no capabilities: %w", ErrNotAuthorized)
	}

	subjectDID, err := did.FromID(subject)
	if err != nil {
		return fmt.Errorf("DID for subject: %w", err)
	}

	tokenList := ctx.getSubjectTokens(subjectDID)
	roots := ctx.getRoots()
	requireAnchors := ctx.getRequireAnchors()

}

type BasicCapabilityContext struct {
	mx       sync.Mutex
	provider did.Provider
	trust    did.TrustContext
	roots    map[did.DID]struct{} // our root anchors of trust
	require  map[did.DID][]*Token // our acceptance side-roots
	provide  map[did.DID][]*Token // root capabilities -> tokens
	tokens   map[did.DID][]*Token // our context dependent capabilities; subject ->  tokens

	stop func()
}

var _ CapabilityContext = (*BasicCapabilityContext)(nil)

}

func (ctx *BasicCapabilityContext) Delegate(subject, audience did.DID, topics []string, expire, depth uint64, provide []Capability, selfSign SelfSignMode) (TokenList, error) {
	if len(provide) == 0 {
		return TokenList{}, nil
	}

	topicCap := make([]Capability, 0, len(topics))
	for _, topic := range topics {
		topicCap = append(topicCap, Capability(topic))
	}

	var result []*Token

	if selfSign == SelfSignOnly {

}

func (ctx *BasicCapabilityContext) DelegateInvocation(target, subject, audience did.DID, expire uint64, provide []Capability, selfSign SelfSignMode) (TokenList, error) {
	if len(provide) == 0 {
		return TokenList{}, nil
	}

	var result []*Token

	// first get tokens we have about ourselves and see if any allows delegation to
	// the subject for the audience
	tokenList := ctx.getSubjectTokens(ctx.DID())
	tokens := ctx.delegateInvocation(tokenList, target, subject, audience, expire, provide)
	result = append(result, tokens...)

}

func (ctx *BasicCapabilityContext) DelegateBroadcast(subject did.DID, topic string, expire uint64, provide []Capability, selfSign SelfSignMode) (TokenList, error) {
	if len(provide) == 0 {
		return TokenList{}, nil
	}

	var result []*Token

	if selfSign == SelfSignOnly {
		goto selfsign
	}

	// first we issue tokens chained on our provide anchors as appropriate
	for _, trustAnchor := range ctx.getProvideAnchors() {

}

func (ctx *BasicCapabilityContext) Require(anchor did.DID, subject crypto.ID, audience crypto.ID, cap []Capability) error {
	if len(cap) == 0 {
		return fmt.Errorf("no capabilities: %w", ErrNotAuthorized)
	}

	subjectDID, err := did.FromID(subject)
	if err != nil {
		return fmt.Errorf("DID for subject: %w", err)
	}

	audienceDID, err := did.FromID(audience)
	if err != nil {
		return fmt.Errorf("DID for audience: %w", err)

}

func (ctx *BasicCapabilityContext) RequireBroadcast(anchor did.DID, subject crypto.ID, topic string, require []Capability) error {
	if len(require) == 0 {
		return fmt.Errorf("no capabilities: %w", ErrNotAuthorized)
	}

	subjectDID, err := did.FromID(subject)
	if err != nil {
		return fmt.Errorf("DID for subject: %w", err)
	}

	tokenList := ctx.getSubjectTokens(subjectDID)
	roots := ctx.getRoots()
	requireAnchors := ctx.getRequireAnchors()

}

func (ctx *BasicCapabilityContext) Provide(target did.DID, subject crypto.ID, audience crypto.ID, expire uint64, invoke []Capability, provide []Capability) ([]byte, error) {
	if len(invoke) == 0 && len(provide) == 0 {
		return nil, fmt.Errorf("no capabilities: %w", ErrNotAuthorized)
	}

	subjectDID, err := did.FromID(subject)
	if err != nil {
		return nil, fmt.Errorf("DID for subject: %w", err)
	}

	audienceDID, err := did.FromID(audience)
	if err != nil {
		return nil, fmt.Errorf("DID for audience: %w", err)

}

func (ctx *BasicCapabilityContext) ProvideBroadcast(subject crypto.ID, topic string, expire uint64, provide []Capability) ([]byte, error) {
	if len(provide) == 0 {
		return nil, fmt.Errorf("no capabilities: %w", ErrNotAuthorized)
	}

	subjectDID, err := did.FromID(subject)
	if err != nil {
		return nil, fmt.Errorf("DID for subject: %w", err)
	}

	broadcast, err := ctx.DelegateBroadcast(subjectDID, topic, expire, provide, SelfSignAlso)
	if err != nil {
		return nil, fmt.Errorf("cannot provide broadcast tokens: %w", err)

}

func NewLedgerWalletProvider(acct int) (Provider, error) {
	tmp, err := getLedgerTmpFile()
	if err != nil {
		return nil, err
	}
	defer os.Remove(tmp)

	var output LedgerKeyOutput
	if err := ledgerExec(
		tmp,
		&output,
		"key",
		"-o", tmp,

}

func ledgerExec(tmp string, output interface{}, args ...string) error {
	ledger, err := exec.LookPath(ledgerCLI)
	if err != nil {
		return fmt.Errorf("can't find %s in PATH: %w", ledgerCLI, err)
	}

	cmd := exec.Command(ledger, args...)
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr

	if err := cmd.Run(); err != nil {
		return fmt.Errorf("get ledger key: %w", err)
	}

}

func (p *LedgerWalletProvider) Sign(data []byte) ([]byte, error) {
	tmp, err := getLedgerTmpFile()
	if err != nil {
		return nil, err
	}
	defer os.Remove(tmp)

	dataHex := hex.EncodeToString(data)

	var output LedgerSignOutput
	if err := ledgerExec(
		tmp,
		&output,

// MarshalToJSON encrypts and marshals a key to json byte array.
func (key *Key) MarshalToJSON(passphrase string) ([]byte, error) {
	if passphrase == "" {
		return nil, ErrEmptyPassphrase
	}
	salt, err := crypto.RandomEntropy(64)
	if err != nil {
		return nil, err
	}
	dk, err := scrypt.Key([]byte(passphrase), salt, scryptN, scryptR, scryptP, scryptKeyLen)
	if err != nil {
		return nil, err
	}
	iv, err := crypto.RandomEntropy(aes.BlockSize)

// UnmarshalKey decrypts and unmarhals the private key
func UnmarshalKey(data []byte, passphrase string) (*Key, error) {
	if passphrase == "" {
		return nil, ErrEmptyPassphrase
	}
	encjson := encryptedKeyJSON{}
	if err := json.Unmarshal(data, &encjson); err != nil {
		return nil, fmt.Errorf("failed to unmarshal key data: %w", err)
	}
	if encjson.Version != ksVersion {
		return nil, ErrVersionMismatch
	}
	if encjson.Crypto.Cipher != ksCipher {
		return nil, ErrCipherMismatch

// MarshalToJSON encrypts and marshals a key to json byte array.
func (key *Key) MarshalToJSON(passphrase string) ([]byte, error) {
	if passphrase == "" {
		return nil, ErrEmptyPassphrase
	}
	salt, err := crypto.RandomEntropy(64)
	if err != nil {
		return nil, err
	}
	dk, err := scrypt.Key([]byte(passphrase), salt, scryptN, scryptR, scryptP, scryptKeyLen)
	if err != nil {
		return nil, err
	}
	iv, err := crypto.RandomEntropy(aes.BlockSize)

// UnmarshalKey decrypts and unmarhals the private key
func UnmarshalKey(data []byte, passphrase string) (*Key, error) {
	if passphrase == "" {
		return nil, ErrEmptyPassphrase
	}
	encjson := encryptedKeyJSON{}
	if err := json.Unmarshal(data, &encjson); err != nil {
		return nil, fmt.Errorf("failed to unmarshal key data: %w", err)
	}
	if encjson.Version != ksVersion {
		return nil, ErrVersionMismatch
	}
	if encjson.Crypto.Cipher != ksCipher {
		return nil, ErrCipherMismatch

}

func newKeyNewCmd(fs afero.Afero) *cobra.Command {
	return &cobra.Command{
		Use:   "new <name>",
		Short: "Generate a key pair",
		Long: `Generate a key pair and save the private key into the user's local keystore.

This command creates a new cryptographic key pair, stores the private key securely, and displays the associated Decentralized Identifier (DID). If a key with the specified name already exists, the user will be prompted to confirm before overwriting it.

Example:
  nunet key new user`,
		Args: cobra.ExactArgs(1),
		RunE: func(cmd *cobra.Command, args []string) error {
			keyStoreDir := filepath.Join(config.GetConfig().General.UserDir, dms.KeystoreDir)

}

func newKeyNewCmd(fs afero.Afero) *cobra.Command {
	return &cobra.Command{
		Use:   "new <name>",
		Short: "Generate a key pair",
		Long: `Generate a key pair and save the private key into the user's local keystore.

This command creates a new cryptographic key pair, stores the private key securely, and displays the associated Decentralized Identifier (DID). If a key with the specified name already exists, the user will be prompted to confirm before overwriting it.

Example:
  nunet key new user`,
		Args: cobra.ExactArgs(1),
		RunE: func(cmd *cobra.Command, args []string) error {
			keyStoreDir := filepath.Join(config.GetConfig().General.UserDir, dms.KeystoreDir)

)

func newRemoveCmd(afs afero.Afero) *cobra.Command {
	var (
		context string
		root    string
		provide string
		require string
	)

	const (
		fnProvide = "provide"
		fnRoot    = "root"
		fnRequire = "require"
	)

)

func newRemoveCmd(afs afero.Afero) *cobra.Command {
	var (
		context string
		root    string
		provide string
		require string
	)

	const (
		fnProvide = "provide"
		fnRoot    = "root"
		fnRequire = "require"
	)

)

func newRemoveCmd(afs afero.Afero) *cobra.Command {
	var (
		context string
		root    string
		provide string
		require string
	)

	const (
		fnProvide = "provide"
		fnRoot    = "root"
		fnRequire = "require"
	)

)

func newListCmd(afs afero.Afero) *cobra.Command {
	var context string

	cmd := &cobra.Command{
		Use:   "list",
		Short: "List capability anchors",
		Long: `List all capability anchors in a capability context

It outputs DIDs and capability tokens set for root, provide and require anchors.`,
		RunE: func(_ *cobra.Command, _ []string) error {
			var trustCtx did.TrustContext
			if IsLedgerContext(context) {
				provider, err := did.NewLedgerWalletProvider(0)

)

func newListCmd(afs afero.Afero) *cobra.Command {
	var context string

	cmd := &cobra.Command{
		Use:   "list",
		Short: "List capability anchors",
		Long: `List all capability anchors in a capability context

It outputs DIDs and capability tokens set for root, provide and require anchors.`,
		RunE: func(_ *cobra.Command, _ []string) error {
			var trustCtx did.TrustContext
			if IsLedgerContext(context) {
				provider, err := did.NewLedgerWalletProvider(0)

)

func newListCmd(afs afero.Afero) *cobra.Command {
	var context string

	cmd := &cobra.Command{
		Use:   "list",
		Short: "List capability anchors",
		Long: `List all capability anchors in a capability context

It outputs DIDs and capability tokens set for root, provide and require anchors.`,
		RunE: func(_ *cobra.Command, _ []string) error {
			var trustCtx did.TrustContext
			if IsLedgerContext(context) {
				provider, err := did.NewLedgerWalletProvider(0)

)

func newDelegateCmd(afs afero.Afero) *cobra.Command {
	var (
		context  string
		caps     []string
		topics   []string
		audience string
		expiry   time.Time
		duration time.Duration
		depth    uint64
		selfSign string
	)

	cmd := &cobra.Command{

)

func newDelegateCmd(afs afero.Afero) *cobra.Command {
	var (
		context  string
		caps     []string
		topics   []string
		audience string
		expiry   time.Time
		duration time.Duration
		depth    uint64
		selfSign string
	)

	cmd := &cobra.Command{

)

func newDelegateCmd(afs afero.Afero) *cobra.Command {
	var (
		context  string
		caps     []string
		topics   []string
		audience string
		expiry   time.Time
		duration time.Duration
		depth    uint64
		selfSign string
	)

	cmd := &cobra.Command{

)

func newGrantCmd(afs afero.Afero) *cobra.Command {
	var (
		context  string
		caps     []string
		topics   []string
		audience string
		expiry   time.Time
		duration time.Duration
		depth    uint64
	)

	cmd := &cobra.Command{
		Use:   "grant <did>",

)

func newGrantCmd(afs afero.Afero) *cobra.Command {
	var (
		context  string
		caps     []string
		topics   []string
		audience string
		expiry   time.Time
		duration time.Duration
		depth    uint64
	)

	cmd := &cobra.Command{
		Use:   "grant <did>",

)

func newGrantCmd(afs afero.Afero) *cobra.Command {
	var (
		context  string
		caps     []string
		topics   []string
		audience string
		expiry   time.Time
		duration time.Duration
		depth    uint64
	)

	cmd := &cobra.Command{
		Use:   "grant <did>",

)

func newAnchorCmd(afs afero.Afero) *cobra.Command {
	var (
		context string
		root    string
		provide string
		require string
	)

	const (
		fnProvide = "provide"
		fnRoot    = "root"
		fnRequire = "require"
	)

)

func newAnchorCmd(afs afero.Afero) *cobra.Command {
	var (
		context string
		root    string
		provide string
		require string
	)

	const (
		fnProvide = "provide"
		fnRoot    = "root"
		fnRequire = "require"
	)

)

func newAnchorCmd(afs afero.Afero) *cobra.Command {
	var (
		context string
		root    string
		provide string
		require string
	)

	const (
		fnProvide = "provide"
		fnRoot    = "root"
		fnRequire = "require"
	)

}

func CreateTrustContextFromKeyStore(afs afero.Afero, contextKey string) (did.TrustContext, crypto.PrivKey, error) {
	keyStoreDir := filepath.Join(config.GetConfig().General.UserDir, dms.KeystoreDir)

	ks, err := keystore.New(afs.Fs, keyStoreDir)
	if err != nil {
		return nil, nil, fmt.Errorf("failed to open keystore: %w", err)
	}

	passphrase := os.Getenv("DMS_PASSPHRASE")
	if passphrase == "" {
		passphrase, err = utils.PromptForPassphrase(false)
		if err != nil {
			return nil, nil, fmt.Errorf("failed to get passphrase: %w", err)

}

func PromptForPassphrase(confirm bool) (string, error) {
	maxTries := 3

	sigChan := make(chan os.Signal, 1)
	signal.Notify(sigChan, os.Interrupt, syscall.SIGTERM)
	done := make(chan bool)

	var passphrase string
	var err error

	// Start a goroutine to handle passphrase input
	go func() {
		defer close(done)

}

func newConfigGetCmd() *cobra.Command {
	cmd := &cobra.Command{
		Use:   "get <key>",
		Short: "Display configuration",
		Long: `Display the value for a configuration key

It reads the value from configuration file, otherwise it return default values

Example:
  nunet config get rest.port`,
		Args: cobra.MaximumNArgs(1),
		RunE: func(cmd *cobra.Command, args []string) error {
			if len(args) == 0 {

// NewActorSendCmd is a constructor for `actor send` subcommand
func newActorSendCmd(client *utils.HTTPClient) *cobra.Command {
	cmd := &cobra.Command{
		Use:   "send <msg>",
		Short: "Send a message",
		Long: `Send a message to an actor

Actors only communicate via messages. For more information on constructing a message, see:

  nunet actor msg --help

The message is encoded into an actor envelope, which then is sent across the network through the API.`,
		Args: cobra.ExactArgs(1),
		RunE: func(cmd *cobra.Command, args []string) error {

}

func newActorCmdCmd(client *dmsUtil.HTTPClient, afs afero.Afero, behavior string, behaviorCfg behaviorConfig) *cobra.Command {
	payload := &Payload{val: nil}
	if behaviorCfg.Payload != nil {
		payload.val = behaviorCfg.Payload()
	}

	cmd := &cobra.Command{
		Use:               fmt.Sprintf("%s [<param> ...]", behavior),
		Short:             fmt.Sprintf("Invoke %s behavior on an actor", behavior),
		ValidArgsFunction: behaviorCfg.ValidArgsFn,
		Args:              behaviorCfg.Args,
		RunE: func(cmd *cobra.Command, _ []string) error {
			timeout, _ := cmd.Flags().GetDuration(fnTimeout)

}

func newActorCmdCmd(client *dmsUtil.HTTPClient, afs afero.Afero, behavior string, behaviorCfg behaviorConfig) *cobra.Command {
	payload := &Payload{val: nil}
	if behaviorCfg.Payload != nil {
		payload.val = behaviorCfg.Payload()
	}

	cmd := &cobra.Command{
		Use:               fmt.Sprintf("%s [<param> ...]", behavior),
		Short:             fmt.Sprintf("Invoke %s behavior on an actor", behavior),
		ValidArgsFunction: behaviorCfg.ValidArgsFn,
		Args:              behaviorCfg.Args,
		RunE: func(cmd *cobra.Command, _ []string) error {
			timeout, _ := cmd.Flags().GetDuration(fnTimeout)

}

func newActorCmdCmd(client *dmsUtil.HTTPClient, afs afero.Afero, behavior string, behaviorCfg behaviorConfig) *cobra.Command {
	payload := &Payload{val: nil}
	if behaviorCfg.Payload != nil {
		payload.val = behaviorCfg.Payload()
	}

	cmd := &cobra.Command{
		Use:               fmt.Sprintf("%s [<param> ...]", behavior),
		Short:             fmt.Sprintf("Invoke %s behavior on an actor", behavior),
		ValidArgsFunction: behaviorCfg.ValidArgsFn,
		Args:              behaviorCfg.Args,
		RunE: func(cmd *cobra.Command, _ []string) error {
			timeout, _ := cmd.Flags().GetDuration(fnTimeout)

)

func newActorMsgCmd(client *dmsUtils.HTTPClient, afs afero.Afero) *cobra.Command {
	fnDest := "dest"
	fnBroadcast := "broadcast"
	fnTimeout := "timeout"
	fnExpiry := "expiry"
	fnInvoke := "invoke"
	fnContextName := "context"

	cmd := &cobra.Command{
		Use:   "msg <behavior> <payload>",
		Short: "Construct a message",
		Long: `Construct and sign a message that can be communicated to an actor.

)

func newActorBroadcastCmd(client *utils.HTTPClient) *cobra.Command {
	cmd := &cobra.Command{
		Use:   "broadcast <msg>",
		Short: "Broadcast a message",
		Long: `Broadcast a message to a topic

If a topic is specified in the message's payload, the message will be published to all subscribers of that topic.`,
		Args: cobra.ExactArgs(1),
		RunE: func(cmd *cobra.Command, args []string) error {
			var msg actor.Envelope

			if err := json.Unmarshal([]byte(args[0]), &msg); err != nil {
				return fmt.Errorf("could not unmarshal message: %w", err)

// NewActorInvokeCmd is a constructor for `actor invoke` subcommand
func newActorInvokeCmd(client *utils.HTTPClient) *cobra.Command {
	cmd := &cobra.Command{
		Use:   "invoke <msg>",
		Short: "Invoke a behaviour in an actor and return the result",
		Args:  cobra.ExactArgs(1),
		RunE: func(cmd *cobra.Command, args []string) error {
			var msg actor.Envelope

			if err := json.Unmarshal([]byte(args[0]), &msg); err != nil {
				return fmt.Errorf("could not unmarshal message: %w", err)
			}

			if msg.Options.ReplyTo == "" {

}

func newActorMessage(fs afero.Afero, dmsHandle actor.Handle, destStr string, topic, behavior string, payload interface{}, timeout time.Duration, expiry time.Time, invocation bool, context string) (actor.Envelope, error) {
	var msg actor.Envelope
	var src actor.Handle

}

func newActorMessage(fs afero.Afero, dmsHandle actor.Handle, destStr string, topic, behavior string, payload interface{}, timeout time.Duration, expiry time.Time, invocation bool, context string) (actor.Envelope, error) {
	var msg actor.Envelope
	var src actor.Handle
	var dest actor.Handle

	sctx, err := newSecurityContext(fs, context)
	if err != nil {
		return msg, fmt.Errorf("failed to create security context: %w", err)
	}

	nonce := sctx.Nonce()
	inbox := fmt.Sprintf("user-%d", nonce)
	src = newUserHandle(sctx.ID(), sctx.DID(), dmsHandle, inbox)

}

func newSecurityContext(fs afero.Afero, context string) (actor.SecurityContext, error) {
	if context == "" {
		context = DefaultUserContextName
	}

	// Generate ephemeral key pair
	privk, pubk, err := crypto.GenerateKeyPair(crypto.Ed25519)
	if err != nil {
		return nil, fmt.Errorf("failed to generate ephemeral key pair: %w", err)
	}

	// Create trust context
	var trustCtx did.TrustContext

}

func handleFromPeerID(dest string) (actor.Handle, error) {
	peerID, err := peer.Decode(dest)
	if err != nil {
		return actor.Handle{}, err
	}

	pubk, err := peerID.ExtractPublicKey()
	if err != nil {
		return actor.Handle{}, err
	}

	if !crypto.AllowedKey(int(pubk.Type())) {
		return actor.Handle{}, fmt.Errorf("unexpected key type: %d", pubk.Type())

}

func handleFromDID(dest string) (actor.Handle, error) {
	actorDID, err := did.FromString(dest)
	if err != nil {
		return actor.Handle{}, err
	}

	pubk, err := did.PublicKeyFromDID(actorDID)
	if err != nil {
		return actor.Handle{}, err
	}

	actorID, err := crypto.IDFromPublicKey(pubk)
	if err != nil {

}

func Set(fs afero.Fs, key string, value interface{}) error {
	v := getViper()
	v.SetFs(fs)

	v.Set(key, value)
	if err := v.UnmarshalExact(&cfg); err != nil {
		return fmt.Errorf("failed to unmarshal config: %w", err)
	}

	loadedConfig, err := json.Marshal(GetConfig())
	if err != nil {
		return fmt.Errorf("could not marshal config: %w", err)
	}

// DecodeSpec decodes a spec config into a firecracker engine spec
// It converts the params into a firecracker EngineSpec struct and validates it
func DecodeSpec(spec *types.SpecConfig) (EngineSpec, error) {
	if !spec.IsType(types.ExecutorTypeFirecracker.String()) {
		return EngineSpec{}, fmt.Errorf(
			"invalid firecracker engine type. expected %s, but received: %s",
			types.ExecutorTypeFirecracker,
			spec.Type,
		)
	}

	inputParams := spec.Params
	if inputParams == nil {
		return EngineSpec{}, fmt.Errorf("invalid firecracker engine params: params cannot be nil")
	}

// DestroyVM destroys the Firecracker VM.
func (c *Client) DestroyVM(
	ctx context.Context,
	m *firecracker.Machine,
	timeout time.Duration,
) error {
	// Get the PID of the Firecracker process and shut down the VM.
	// If the process is still running after the timeout, kill it.
	err := c.ShutdownVM(ctx, m)
	if err != nil {
		return fmt.Errorf("failed to shutdown vm: %w", err)
	}

	pid, _ := m.PID()

// FindVM finds a Firecracker VM by its socket path.
// This implementation checks if the VM is running by sending a request to the Firecracker API.
func (c *Client) FindVM(ctx context.Context, socketPath string) (*firecracker.Machine, error) {
	// Check if the socket file exists.
	if _, err := os.Stat(socketPath); err != nil {
		return nil, fmt.Errorf("VM with socket path %v not found", socketPath)
	}

	// Create a new Firecracker machine instance.
	cmd := firecracker.VMCommandBuilder{}.WithSocketPath(socketPath).Build(ctx)
	machine, err := firecracker.NewMachine(
		ctx,
		firecracker.Config{SocketPath: socketPath},
		firecracker.WithProcessRunner(cmd),
	)

// DecodeSpec decodes a spec config into a docker engine spec
// It converts the params into a docker EngineSpec struct and validates it
func DecodeSpec(spec *types.SpecConfig) (EngineSpec, error) {
	if !spec.IsType(string(types.ExecutorTypeDocker)) {
		return EngineSpec{}, fmt.Errorf(
			"invalid docker engine type. expected %s, but received: %s",
			types.ExecutorTypeDocker,
			spec.Type,
		)
	}

	inputParams := spec.Params
	if inputParams == nil {
		return EngineSpec{}, fmt.Errorf("invalid docker engine params: params cannot be nil")
	}

// CreateContainer creates a new Docker container with the specified configuration.
func (c *Client) CreateContainer(
	ctx context.Context,
	config *container.Config,
	hostConfig *container.HostConfig,
	networkingConfig *network.NetworkingConfig,
	platform *v1.Platform,
	name string,
) (string, error) {
	_, err := c.PullImage(ctx, config.Image)

// run starts the container and handles its execution lifecycle.
func (h *executionHandler) run(ctx context.Context) {
	h.running.Store(true)
	defer func() {
		if err := h.destroy(DestroyTimeout); err != nil {
			zlog.Sugar().Warnf("failed to destroy container: %v\n", err)
		}
		h.running.Store(false)
		close(h.waitCh)
	}()

	if err := h.client.StartContainer(ctx, h.containerID); err != nil {
		h.result = types.NewFailedExecutionResult(fmt.Errorf("failed to start container: %v", err))
		return

// run starts the container and handles its execution lifecycle.
func (h *executionHandler) run(ctx context.Context) {
	h.running.Store(true)
	defer func() {
		if err := h.destroy(DestroyTimeout); err != nil {
			zlog.Sugar().Warnf("failed to destroy container: %v\n", err)
		}
		h.running.Store(false)
		close(h.waitCh)
	}()

	if err := h.client.StartContainer(ctx, h.containerID); err != nil {
		h.result = types.NewFailedExecutionResult(fmt.Errorf("failed to start container: %v", err))
		return

}

func DecodeInputSpec(spec *types.SpecConfig) (InputSource, error) {
	ctx, cancel := st.SpanContext(context.Background(), "s3", "decode_input_spec_duration", "opentelemetry", "log")
	defer cancel()

	if !spec.IsType(types.StorageProviderS3) {
		err := fmt.Errorf("invalid storage source type. Expected %s but received %s", types.StorageProviderS3, spec.Type)
		ctx = context.WithValue(ctx, errorKey, err.Error())
		st.Error(ctx, "decode_input_spec_invalid_type_failure", nil)
		return InputSource{}, err
	}

	inputParams := spec.Params
	if inputParams == nil {

// be careful if managing files with `os` (the volume controller might be
// using an in-memory one)
func (s *Storage) Upload(ctx context.Context, vol types.StorageVolume, destinationSpecs *types.SpecConfig) error {
	ctx, cancel := st.SpanContext(ctx, "s3", "s3_upload_duration", "opentelemetry", "log")
	defer cancel()

	target, err := DecodeInputSpec(destinationSpecs)
	if err != nil {
		ctx = context.WithValue(ctx, errorKey, err.Error())
		st.Error(ctx, "s3_upload_decode_spec_failure", nil)
		return fmt.Errorf("failed to decode input spec: %v", err)
	}

	sanitizedKey := sanitizeKey(target.Key)

// be careful if managing files with `os` (the volume controller might be
// using an in-memory one)
func (s *Storage) Upload(ctx context.Context, vol types.StorageVolume, destinationSpecs *types.SpecConfig) error {
	ctx, cancel := st.SpanContext(ctx, "s3", "s3_upload_duration", "opentelemetry", "log")
	defer cancel()

	target, err := DecodeInputSpec(destinationSpecs)
	if err != nil {
		ctx = context.WithValue(ctx, errorKey, err.Error())
		st.Error(ctx, "s3_upload_decode_spec_failure", nil)
		return fmt.Errorf("failed to decode input spec: %v", err)
	}

	sanitizedKey := sanitizeKey(target.Key)

package libp2p

import (
	"bufio"
	"bytes"
	"context"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"strings"
	"sync"

// TODO-suggestion: maybe we should call it something else like Libp2pPeer,
// Libp2pHost or just Peer (callers would use libp2p.Peer...)
type Libp2p struct {
	Host   host.Host
	DHT    *dht.IpfsDHT
	PS     peerstore.Peerstore
	pubsub *PubSub

	mx             sync.Mutex
	pubsubAppScore func(peer.ID) float64
	pubsubScore    map[peer.ID]*PeerScoreSnapshot

	topicMux          sync.RWMutex
	pubsubTopics      map[string]*Topic
	topicValidators   map[string]map[uint64]Validator

// OpenStream opens a stream to a remote address and returns the stream for the caller to handle.
func (l *Libp2p) OpenStream(ctx context.Context, addr string, messageType types.MessageType) (network.Stream, error) {
	maddr, err := multiaddr.NewMultiaddr(addr)
	if err != nil {
		return nil, fmt.Errorf("invalid multiaddress: %w", err)
	}

	peerInfo, err := peer.AddrInfoFromP2pAddr(maddr)
	if err != nil {
		return nil, fmt.Errorf("could not resolve peer info: %w", err)
	}

	if err := l.Host.Connect(ctx, *peerInfo); err != nil {
		return nil, fmt.Errorf("failed to connect to peer: %w", err)

// TODO (Return error once): something that was confusing me when using this method is that the error is
// returned twice if any. Once as a field of PingResult and one as a return value.
func (l *Libp2p) Ping(ctx context.Context, peerIDAddress string, timeout time.Duration) (types.PingResult, error) {
	// avoid dial to self attempt
	if peerIDAddress == l.Host.ID().String() {
		err := errors.New("can't ping self")
		return types.PingResult{Success: false, Error: err}, err
	}

	pingCtx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()

	remotePeer, err := peer.Decode(peerIDAddress)
	if err != nil {
		return types.PingResult{}, err

}

func (l *Libp2p) resolveAddress(ctx context.Context, id string) (peer.AddrInfo, error) {
	pid, err := peer.Decode(id)
	if err != nil {
		return peer.AddrInfo{}, fmt.Errorf("failed to resolve invalid peer: %w", err)
	}

	// resolve ourself
	if l.Host.ID().String() == id {
		addrs, err := l.GetMultiaddr()
		if err != nil {
			return peer.AddrInfo{}, fmt.Errorf("failed to resolve self: %w", err)
		}

// Query return all the advertisements in the network related to a key.
// The network is queried to find providers for the given key, and peers which we aren't connected to can be retrieved.
func (l *Libp2p) Query(ctx context.Context, key string) ([]*commonproto.Advertisement, error) {
	if key == "" {
		return nil, errors.New("advertisement key is empty")
	}

	customCID, err := createCIDFromKey(key)
	if err != nil {
		return nil, fmt.Errorf("failed to create cid for key %s: %w", key, err)
	}

	addrInfo, err := l.DHT.FindProviders(ctx, customCID)
	if err != nil {
		return nil, fmt.Errorf("failed to find providers for key %s: %w", key, err)

// Advertise given data and a key pushes the data to the dht.
func (l *Libp2p) Advertise(ctx context.Context, key string, data []byte) error {
	if key == "" {
		return errors.New("advertisement key is empty")
	}

	pubKeyBytes, err := l.getPublicKey()
	if err != nil {
		return fmt.Errorf("failed to get public key: %w", err)
	}

	envelope := &commonproto.Advertisement{
		PeerId:    l.Host.ID().String(),
		Timestamp: time.Now().Unix(),

}

func (l *Libp2p) sendMessage(ctx context.Context, ai peer.AddrInfo, msg types.MessageEnvelope) error {
	// we are delivering a message to ourself
	// we should use the handler to send the message to the handler directly which has been previously registered.
	if ai.ID.String() == l.Host.ID().String() {
		l.handlerRegistry.SendMessageToLocalHandler(msg.Type, msg.Data)
		return nil
	}

	if err := l.Host.Connect(ctx, ai); err != nil {
		return fmt.Errorf("failed to connect to peer %v: %v", ai.ID, err)
	}

	stream, err := l.Host.NewStream(ctx, ai.ID, protocol.ID(msg.Type))

// NewHost returns a new libp2p host with dht and other related settings.
func NewHost(ctx context.Context, config *types.Libp2pConfig, appScore func(p peer.ID) float64, scoreInspect pubsub.ExtendedPeerScoreInspectFn) (host.Host, *dht.IpfsDHT, *pubsub.PubSub, error) {
	newPeer := make(chan peer.AddrInfo)

	var idht *dht.IpfsDHT
	connmgr, err := connmgr.NewConnManager(
		100,
		400,
		connmgr.WithGracePeriod(time.Duration(config.GracePeriodMs)*time.Millisecond),
	)
	if err != nil {
		return nil, nil, nil, err
	}

// NewHost returns a new libp2p host with dht and other related settings.
func NewHost(ctx context.Context, config *types.Libp2pConfig, appScore func(p peer.ID) float64, scoreInspect pubsub.ExtendedPeerScoreInspectFn) (host.Host, *dht.IpfsDHT, *pubsub.PubSub, error) {
	newPeer := make(chan peer.AddrInfo)

	var idht *dht.IpfsDHT
	connmgr, err := connmgr.NewConnManager(
		100,
		400,
		connmgr.WithGracePeriod(time.Duration(config.GracePeriodMs)*time.Millisecond),
	)
	if err != nil {
		return nil, nil, nil, err
	}

// NewHost returns a new libp2p host with dht and other related settings.
func NewHost(ctx context.Context, config *types.Libp2pConfig, appScore func(p peer.ID) float64, scoreInspect pubsub.ExtendedPeerScoreInspectFn) (host.Host, *dht.IpfsDHT, *pubsub.PubSub, error) {
	newPeer := make(chan peer.AddrInfo)

	var idht *dht.IpfsDHT
	connmgr, err := connmgr.NewConnManager(
		100,
		400,
		connmgr.WithGracePeriod(time.Duration(config.GracePeriodMs)*time.Millisecond),
	)
	if err != nil {
		return nil, nil, nil, err
	}

}

func makeAddrsFactory(announce []string, appendAnnouce []string, noAnnounce []string) func([]multiaddr.Multiaddr) []multiaddr.Multiaddr {
	var err error                     // To assign to the slice in the for loop
	existing := make(map[string]bool) // To avoid duplicates

	annAddrs := make([]multiaddr.Multiaddr, len(announce))
	for i, addr := range announce {
		annAddrs[i], err = multiaddr.NewMultiaddr(addr)
		if err != nil {
			return nil
		}
		existing[addr] = true
	}

}

func makeAddrsFactory(announce []string, appendAnnouce []string, noAnnounce []string) func([]multiaddr.Multiaddr) []multiaddr.Multiaddr {
	var err error                     // To assign to the slice in the for loop
	existing := make(map[string]bool) // To avoid duplicates

	annAddrs := make([]multiaddr.Multiaddr, len(announce))
	for i, addr := range announce {
		annAddrs[i], err = multiaddr.NewMultiaddr(addr)
		if err != nil {
			return nil
		}
		existing[addr] = true
	}

// Validate validates an item placed into the dht.
func (d dhtValidator) Validate(key string, value []byte) error {
	// empty value is considered deleting an item from the dht
	if len(value) == 0 {
		return nil
	}

	if !strings.HasPrefix(key, d.customNamespace) {
		return errors.New("invalid key namespace")
	}

	// verify signature
	var envelope commonproto.Advertisement
	err := proto.Unmarshal(value, &envelope)

// WriteToFile writes data to a file.
func WriteToFile(fs afero.Fs, data []byte, filePath string) (string, error) {
	if err := fs.MkdirAll(filepath.Dir(filePath), os.ModePerm); err != nil {
		return "", fmt.Errorf("failed to open path: %w", err)
	}
	file, err := fs.Create(filePath)
	if err != nil {
		return "", fmt.Errorf("failed to create path: %w", err)
	}
	defer file.Close()
	n, err := file.Write(data)
	if err != nil {
		return "", fmt.Errorf("failed to write data to path: %w", err)
	}

// MakeRequest performs an HTTP request with the given method, path, and body
// It returns the response body, status code, and an error if any
func (c *HTTPClient) MakeRequest(method, relativePath string, body []byte) ([]byte, int, error) {
	url, err := url.Parse(c.BaseURL)
	if err != nil {
		return nil, 0, fmt.Errorf("failed to parse base URL: %v", err)
	}

	url.Path = path.Join(c.APIVersion, relativePath)

	req, err := http.NewRequest(method, url.String(), bytes.NewBuffer(body))
	if err != nil {
		return nil, 0, fmt.Errorf("failed to create request: %v", err)
	}

//		@Failure		500	{object}	object	"failed to send message to destination"
//		@Router			/actor/invoke [post]
func (rs RESTServer) ActorInvoke(c *gin.Context) {
	var msg actor.Envelope
	if err := c.ShouldBindJSON(&msg); err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
		return
	}

	p2p := rs.config.P2P
	if p2p == nil {
		c.JSON(http.StatusInternalServerError, gin.H{"error": "host node hasn't yet been initialized"})
		return
	}

//				@Failure		500	{object}	object	"failed to publish message"
//				@Router			/actor/broadcast [post]
func (rs RESTServer) ActorBroadcast(c *gin.Context) {
	var msg actor.Envelope
	if err := c.ShouldBindJSON(&msg); err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
		return
	}

	p2p := rs.config.P2P
	if p2p == nil {
		c.JSON(http.StatusInternalServerError, gin.H{"error": "host node hasn't yet been initialized"})
	}

	if !msg.IsBroadcast() {

// NewConfig is a constructor for Config
func NewConfig(
	fs afero.Afero,
	workDir, dbPath string,
	onboardingRepo repositories.OnboardingParams,
	p2pRepo repositories.Libp2pInfo,
	avResourceRepo repositories.AvailableResources,
	uuidRepo repositories.MachineUUID,
	channels []string,
) *Config {
	return &Config{

// Onboard validates the onboarding params and onboards the machine to the network
// It returns a *types.OnboardingConfig and any error if encountered
func (o *Onboarding) Onboard(ctx context.Context, capacity types.CapacityForNunet) (*types.OnboardingConfig, error) {
	if err := o.validateOnboardingPrerequisites(capacity); err != nil {
		return nil, err
	}

	hostname, err := os.Hostname()
	if err != nil {
		return nil, fmt.Errorf("unable to get hostname: %v", err)
	}

	machineResources, err := o.ResourceManager.SystemSpecs().GetMachineResources()
	if err != nil {
		return nil, fmt.Errorf("cannot get provisioned resources: %w", err)

// ResourceConfig allows changing onboarding parameters
func (o *Onboarding) ResourceConfig(ctx context.Context, capacity types.CapacityForNunet) (*types.OnboardingConfig, error) {
	onboarded, err := o.IsOnboarded(ctx)
	if err != nil {
		return nil, fmt.Errorf("could not check onboard status: %w", err)
	}
	if !onboarded {
		return nil, ErrMachineNotOnboarded
	}

	if err := o.validateCapacityForNunet(capacity); err != nil {
		return nil, fmt.Errorf("could not validate capacity data: %w", err)
	}

// Offboard deletes all onboarding information if already set
// It returns an error
func (o *Onboarding) Offboard(ctx context.Context, force bool) error {
	onboarded, err := o.IsOnboarded(ctx)
	if err != nil && !force {
		return fmt.Errorf("could not retrieve onboard status: %w", err)
	} else if err != nil && force {
		zlog.Sugar().Errorf("problem with onboarding state: %w", err)
		zlog.Info("continuing with offboarding because forced")
	}

	if !onboarded {
		return fmt.Errorf("machine is not onboarded")
	}

}

func (o *Onboarding) validateOnboardingPrerequisites(capacity types.CapacityForNunet) error {
	ok, err := o.Fs.DirExists(o.WorkDir)
	if err != nil {
		return fmt.Errorf("could not check if config directory exists: %w", err)
	}
	if !ok {
		return fmt.Errorf("working directory does not exist")
	}

	if err := utils.ValidateAddress(capacity.PaymentAddress); err != nil {
		return fmt.Errorf("could not validate payment address: %w", err)
	}

// getIntelGPUInfo returns the GPU information for Intel GPUs
func getIntelGPUInfo(metadata []gpuMetadata) ([]types.GPU, error) {
	// Determine the number of discrete Intel GPUs
	cmd := exec.Command("xpu-smi", "health", "-l")
	output, err := cmd.CombinedOutput()
	if err != nil {
		return nil, fmt.Errorf("xpu-smi not installed, initialized, or configured: %s", err)
	}

	outputStr := string(output)
	// fmt.Println("xpu-smi health -l output:\n", outputStr) // Print the output for debugging

	// Use regex to find all instances of Device ID
	deviceIDRegex := regexp.MustCompile(`(?i)\| Device ID\s+\|\s+(\d+)\s+\|`)

// getAMDGPUInfo returns the GPU information for AMD GPUs
func getAMDGPUInfo(metadata []gpuMetadata) ([]types.GPU, error) {
	cmd := exec.Command("rocm-smi", "--showid", "--showproductname", "--showmeminfo", "vram")

	output, err := cmd.CombinedOutput()
	if err != nil {
		return nil, fmt.Errorf("AMD ROCm not installed, initialized, or configured (reboot recommended for newly installed AMD GPU Drivers): %s", err)
	}

	outputStr := string(output)
	// fmt.Println("rocm-smi vram output:\n", outputStr) // Print the output for debugging

	gpuNameRegex := regexp.MustCompile(`GPU\[\d+\]\s+: Card Series:\s+([^\n]+)`)
	totalRegex := regexp.MustCompile(`GPU\[\d+\]\s+: VRAM Total Memory \(B\):\s+(\d+)`)

// getNVIDIAGPUInfo returns the GPU information for NVIDIA GPUs
func getNVIDIAGPUInfo(metadata []gpuMetadata) ([]types.GPU, error) {
	// Initialize NVML
	ret := nvml.Init()
	if !errors.Is(ret, nvml.SUCCESS) {
		return nil, fmt.Errorf("NVIDIA Management Library not installed, initialized or configured (reboot recommended for newly installed NVIDIA GPU drivers): %s", nvml.ErrorString(ret))
	}

	defer func() {
		_ = nvml.Shutdown()
	}()

	// Get the number of GPU devices
	deviceCount, ret := nvml.DeviceGetCount()

// getIntelGPUInfo returns the GPU information for Intel GPUs
func getIntelGPUInfo(metadata []gpuMetadata) ([]types.GPU, error) {
	// Determine the number of discrete Intel GPUs
	cmd := exec.Command("xpu-smi", "health", "-l")
	output, err := cmd.CombinedOutput()
	if err != nil {
		return nil, fmt.Errorf("xpu-smi not installed, initialized, or configured: %s", err)
	}

	outputStr := string(output)
	// fmt.Println("xpu-smi health -l output:\n", outputStr) // Print the output for debugging

	// Use regex to find all instances of Device ID
	deviceIDRegex := regexp.MustCompile(`(?i)\| Device ID\s+\|\s+(\d+)\s+\|`)

}

func (l *linuxSystemSpecs) GetMachineResources() (types.MachineResources, error) {
	var (
		ok               bool
		machineResources types.MachineResources
	)
	l.store.withMachineResourcesRLock(func() {
		if l.store.machineResources != nil {
			machineResources = *l.store.machineResources
			ok = true
		}
	})
	if ok {
		return machineResources, nil

}

func (l *linuxSystemSpecs) GetMachineResources() (types.MachineResources, error) {
	var (
		ok               bool
		machineResources types.MachineResources
	)
	l.store.withMachineResourcesRLock(func() {
		if l.store.machineResources != nil {
			machineResources = *l.store.machineResources
			ok = true
		}
	})
	if ok {
		return machineResources, nil

// AllocateResources allocates resources for a job
func (d *DefaultManager) AllocateResources(ctx context.Context, allocation types.ResourceAllocation) error {
	d.allocationLock.Lock()
	defer d.allocationLock.Unlock()

	// Check if resources are already allocated for the job
	var ok bool
	d.store.withAllocationsRLock(func() {
		_, ok = d.store.allocations[allocation.JobID]
	})
	if ok {
		return fmt.Errorf("resources already allocated for job %s", allocation.JobID)
	}

// DeallocateResources deallocates resources for a job
func (d *DefaultManager) DeallocateResources(ctx context.Context, jobID string) error {
	d.allocationLock.Lock()
	defer d.allocationLock.Unlock()
	// Check if resources are already deallocated for the job
	var (
		allocation types.ResourceAllocation
		ok         bool
	)
	d.store.withAllocationsRLock(func() {
		allocation, ok = d.store.allocations[jobID]
	})
	if !ok {
		return fmt.Errorf("resources not allocated for job %s", jobID)

// UpdateOnboardedResources updates the onboarded resources of the machine in the database
func (d *DefaultManager) UpdateOnboardedResources(ctx context.Context, resources types.OnboardedResources) error {
	if err := d.store.withOnboardedLock(func() error {
		// calculate the new free resources based on the allocations
		totalAllocation, err := d.GetTotalAllocation()
		if err != nil {
			return fmt.Errorf("getting total allocations: %w", err)
		}

		if err := resources.Resources.Subtract(totalAllocation); err != nil {
			return fmt.Errorf("couldn't subtract allocation: %w. Demand too high", err)
		}

		// Potential issue: if the onboarded resources are updated in the db, the free resources should be updated as well

// Run creates the executor based on the execution engine configuration.
func (a *Allocation) Run(ctx context.Context) error {
	a.mx.Lock()
	defer a.mx.Unlock()

	if a.status == running {
		return nil
	}

	resourceAllocation := types.ResourceAllocation{JobID: a.Job.ID, Resources: a.Job.Resources}
	err := a.resourceManager.AllocateResources(ctx, resourceAllocation)
	if err != nil {
		return fmt.Errorf("failed to allocate resources: %w", err)
	}

// transform is a recursive function that applies the transformers to the configuration.
func (t TransformerImpl) transform(root *map[string]interface{}, data any, path tree.Path, transformers map[tree.Path]TransformerFunc) (interface{}, error) {
	var err error
	// Apply transformers that match the current path.
	for pattern, transformer := range transformers {
		if path.Matches(pattern) {
			data, err = transformer(root, data, path)
			if err != nil {
				return nil, err
			}
		}
	}
	// Recursively apply transformers to children.
	if result, ok := data.(map[string]interface{}); ok {

// matchParts checks if the path parts match the pattern parts
func matchParts(pathParts, patternParts []string) bool {
	// If the pattern is longer than the path, it can't match
	if len(pathParts) < len(patternParts) {
		return false
	}
	for i, part := range patternParts {
		switch part {
		case configPathMatchAnyMultiple:
			// if it is the last part of the pattern, it matches
			if i == len(patternParts)-1 {
				return true
			}
			// Otherwise, try to match the rest of the path

// matchParts checks if the path parts match the pattern parts
func matchParts(pathParts, patternParts []string) bool {
	// If the pattern is longer than the path, it can't match
	if len(pathParts) < len(patternParts) {
		return false
	}
	for i, part := range patternParts {
		switch part {
		case configPathMatchAnyMultiple:
			// if it is the last part of the pattern, it matches
			if i == len(patternParts)-1 {
				return true
			}
			// Otherwise, try to match the rest of the path

// TransformNetwork transforms the network configuration
func TransformNetwork(_ *map[string]interface{}, data any, _ tree.Path) (any, error) {
	if data == nil {
		return nil, nil
	}
	config, ok := data.(map[string]any)
	if !ok {
		return nil, fmt.Errorf("invalid network configuration: %v", data)
	}
	ports, _ := transform.ToAnySlice(config["ports"])
	portMap := []map[string]any{}
	for _, port := range ports {
		protocol, host, container := "tcp", 0, 0
		switch v := port.(type) {

}

func (n *Node) handlePeerConnect(msg actor.Envelope) {
	defer msg.Discard()

	var request PeerConnectRequest
	if err := json.Unmarshal(msg.Message, &request); err != nil {
		return
	}

	libp2pNet, ok := n.network.(*libp2p.Libp2p)
	if !ok {
		return
	}

// New creates a new node, attaches an actor to the node.
func New(ctx context.Context, onboarder *onboarding.Onboarding, rootCap ucan.CapabilityContext, hostID string, net network.Network, resourceManager types.ResourceManager, scheduler *bt.Scheduler) (*Node, error) {
	if onboarder == nil {
		return nil, errors.New("onboarder is nil")

// createActor creates an actor.
func createActor(sctx *actor.BasicSecurityContext, limiter actor.RateLimiter, hostID, inboxAddress string, net network.Network, scheduler *bt.Scheduler) (*actor.BasicActor, error) {
	self := actor.Handle{
		ID:  sctx.ID(),

// New creates a new node, attaches an actor to the node.
func New(ctx context.Context, onboarder *onboarding.Onboarding, rootCap ucan.CapabilityContext, hostID string, net network.Network, resourceManager types.ResourceManager, scheduler *bt.Scheduler) (*Node, error) {
	if onboarder == nil {
		return nil, errors.New("onboarder is nil")
	}
	if rootCap == nil {
		return nil, errors.New("root capability context is nil")
	}

	if hostID == "" {
		return nil, errors.New("host id is nil")
	}

	if net == nil {

}

func (n *Node) sayHello(p peer.ID) {
	pubk, err := p.ExtractPublicKey()
	if err != nil {
		log.Debugf("failed to extract public key: %s", err)
		return
	}

	if !crypto.AllowedKey(int(pubk.Type())) {
		log.Debugf("unexpected key type: %d", pubk.Type())
		return
	}

	actorID, err := crypto.IDFromPublicKey(pubk)

// New creates a new node, attaches an actor to the node.
func New(ctx context.Context, onboarder *onboarding.Onboarding, rootCap ucan.CapabilityContext, hostID string, net network.Network, resourceManager types.ResourceManager, scheduler *bt.Scheduler) (*Node, error) {
	if onboarder == nil {
		return nil, errors.New("onboarder is nil")
	}
	if rootCap == nil {
		return nil, errors.New("root capability context is nil")
	}

	if hostID == "" {
		return nil, errors.New("host id is nil")
	}

	if net == nil {

}

func (n *Node) sayHello(p peer.ID) {
	pubk, err := p.ExtractPublicKey()
	if err != nil {
		log.Debugf("failed to extract public key: %s", err)
		return
	}

	if !crypto.AllowedKey(int(pubk.Type())) {
		log.Debugf("unexpected key type: %d", pubk.Type())
		return
	}

	actorID, err := crypto.IDFromPublicKey(pubk)

// New creates a new node, attaches an actor to the node.
func New(ctx context.Context, onboarder *onboarding.Onboarding, rootCap ucan.CapabilityContext, hostID string, net network.Network, resourceManager types.ResourceManager, scheduler *bt.Scheduler) (*Node, error) {
	if onboarder == nil {
		return nil, errors.New("onboarder is nil")
	}
	if rootCap == nil {
		return nil, errors.New("root capability context is nil")
	}

	if hostID == "" {
		return nil, errors.New("host id is nil")
	}

	if net == nil {

// CreateAllocation creates an allocation
func (n *Node) CreateAllocation(job jobs.Job) (*jobs.Allocation, error) {
	// generate random keypair
	priv, pub, err := crypto.GenerateKeyPair(crypto.Ed25519)
	if err != nil {
		return nil, fmt.Errorf("failed to generate random keypair for allocation job %s: %w", job.ID, err)
	}

	security, err := actor.NewBasicSecurityContext(pub, priv, n.rootCap)
	if err != nil {
		return nil, fmt.Errorf("failed to create security context: %w", err)
	}

	allocationInbox, err := uuid.NewUUID()

}

func (n *Node) sayHello(p peer.ID) {
	pubk, err := p.ExtractPublicKey()
	if err != nil {
		log.Debugf("failed to extract public key: %s", err)
		return
	}

	if !crypto.AllowedKey(int(pubk.Type())) {
		log.Debugf("unexpected key type: %d", pubk.Type())
		return
	}

	actorID, err := crypto.IDFromPublicKey(pubk)

}

func (k *Dispatch) dispatch() {
	for {
		select {
		case msg := <-k.vq:
			k.mx.Lock()
			b, ok := k.behaviors[msg.Behavior]

			if !ok {
				k.mx.Unlock()
				log.Debugf("unknown behavior %s", msg.Behavior)
				continue
			}

// Message constructs a new message envelope and applies the options
func Message(src Handle, dest Handle, behavior string, payload interface{}, opt ...MessageOption) (Envelope, error) {
	data, err := json.Marshal(payload)
	if err != nil {

}

func (s *BasicSecurityContext) RequireBroadcast(msg Envelope, topic string, broadcast []Capability) error {
	if !msg.IsBroadcast() {
		return fmt.Errorf("not a broadcast message: %w", ErrInvalidMessage)
	}

	if topic != msg.Options.Topic {
		return fmt.Errorf("broadcast topic mismatch: %w", ErrInvalidMessage)
	}

	// first consume the capability tokens in the envelope
	if err := s.cap.Consume(msg.From.DID, msg.Capability); err != nil {
		return fmt.Errorf("consuming capabilities: %w", err)
	}

}

func (s *BasicSecurityContext) Verify(msg Envelope) error {
	if msg.Expired() {
		return ErrMessageExpired
	}

	pubk, err := crypto.PublicKeyFromID(msg.From.ID)
	if err != nil {
		return fmt.Errorf("public key from id: %w", err)
	}

	data, err := msg.SignatureData()
	if err != nil {
		return fmt.Errorf("signature data: %w", err)

// New creates a new basic actor.
func New(scheduler *bt.Scheduler, net network.Network, security *BasicSecurityContext, limiter RateLimiter, params BasicActorParams, self Handle, opt ...DispatchOption) (*BasicActor, error) {
	if scheduler == nil {
		return nil, errors.New("scheduler is nil")

}

func (a *BasicActor) Send(msg Envelope) error {
	if msg.To.ID.Equal(a.self.ID) {
		return a.Receive(msg)
	}

	if msg.Signature == nil {
		if msg.Nonce == 0 {
			msg.Nonce = a.security.Nonce()
		}

		invoke := []Capability{Capability(msg.Behavior)}
		var delegate []Capability
		if msg.Options.ReplyTo != "" {

}

func (a *BasicActor) Publish(msg Envelope) error {
	if !msg.IsBroadcast() {
		return ErrInvalidMessage
	}

	if msg.Signature == nil {
		if msg.Nonce == 0 {
			msg.Nonce = a.security.Nonce()
		}

		broadcast := []Capability{Capability(msg.Behavior)}
		if err := a.security.ProvideBroadcast(&msg, msg.Options.Topic, broadcast); err != nil {
			return fmt.Errorf("providing behavior capability for %s: %w", msg.Behavior, err)

}

func (a *BasicActor) Subscribe(topic string, setup ...BroadcastSetup) error {
	a.mx.Lock()
	defer a.mx.Unlock()

	_, ok := a.subscriptions[topic]
	if ok {
		return nil
	}

	subID, err := a.network.Subscribe(
		a.Context(),
		topic,
		a.handleBroadcast,

}

func (a *BasicActor) validateBroadcast(topic string, data []byte, validatorData interface{}) (network.ValidationResult, interface{}) {
	var msg Envelope
	if validatorData != nil {
		if _, ok := validatorData.(Envelope); !ok {
			log.Warnf("bogus pubsub validation data: %v", validatorData)
			return network.ValidationReject, nil
		}
		// we have already validated the message, just short-circuit
		return network.ValidationAccept, validatorData
	} else if err := json.Unmarshal(data, &msg); err != nil {
		return network.ValidationReject, nil
	}

	Delegate  Action = "delegate"
	Broadcast Action = "broadcast"
	// Revoke   Action = "revoke" // TODO

	nonceLength = 12 // 96 bits

type BYOToken struct {
	// TODO followup
}

		return t.DMS.SignatureData()
	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

		return t.DMS.Issuer
	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

		return t.DMS.Subject
	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

		return t.DMS.Audience
	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

		return t.DMS.Capability
	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

		return t.DMS.Topic
	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

		return t.DMS.Expire
	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

		return t.DMS.Nonce
	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

		return t.DMS.Action
	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

		return t.DMS.verify(trust, now, depth)
	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

		return t.DMS.AllowAction(ot)
	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

		return t.DMS.Subsumes(ot)
	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

		return t.DMS.AllowInvocation(subject, audience, c)
	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

		return t.DMS.AllowBroadcast(subject, topic, c)
	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

		return t.DMS.verifyDepth(depth)
	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

	case t.UCAN != nil:
		// TODO UCAN envelopes for BYO trust; followup
		fallthrough
	default:

	ErrBadContext        = errors.New("bad context")

	ErrTODO = errors.New("TODO")
)

		}

		// TODO validate parts according to spec: https://www.w3.org/TR/did-core/
	}

	ErrHardwareKey      = errors.New("hardware key")

	ErrTODO = errors.New("TODO")
)

// ReadVault
func ReadVault(path string, passphrase string) ([]byte, error) { //nolint:revive // its a todo
	// TODO
	return nil, ErrTODO
}

// WriteVault
func WriteVault(path string, passphrase string, data []byte) error { //nolint:revive // its a todo
	// TODO
	return ErrTODO
}

// BasicKeyStore handles keypair storage.
// TODO: add cache?
type BasicKeyStore struct {
	fs      afero.Fs

	ErrUnsupportedKeyType = errors.New("unsupported key type")

	ErrTODO = errors.New("TODO")
)

				}

				// TODO: validate passphrase (minimum x characters)
				if passphrase == "" {
					return fmt.Errorf("invalid passphrase")

// Version is the version of the Nunet Device Management Service
// TODO: use git describe after this release
var Version = "v0.5.0-boot"

		Long:  `Display information about the current Device Management Service (DMS) version`,
		Run: func(_ *cobra.Command, _ []string) {
			// TODO get the version from git; make a top level version.go file
			fmt.Println("NuNet Device Management Service")
			fmt.Printf("Version: %s\nCommit: %s\n\nGo Version: %s\nBuild Date: %s\n",

type Job struct {
	LogUpdateInterval int    `mapstructure:"log_update_interval"` // in minutes
	TargetPeer        string `mapstructure:"target_peer"`         // specific peer to send deployment requests to - XXX probably not a good idea. Remove after testing stage.
	CleanupInterval   int    `mapstructure:"cleanup_interval"` // docker container and images clean up interval in days
}

type Job struct {
	LogUpdateInterval int    `mapstructure:"log_update_interval" json:"log_update_interval"` // in minutes
	TargetPeer        string `mapstructure:"target_peer" json:"target_peer"`                 // specific peer to send deployment requests to - XXX probably not a good idea. Remove after testing stage.
	CleanupInterval   int    `mapstructure:"cleanup_interval" json:"cleanup_interval"`       // docker container and images clean up interval in days
}

// This implementation currently returns an empty list and should be updated in the future.
func (e *Executor) List() []types.ExecutionListItem {
	// TODO: list dms containers
	return nil
}

	}

	// TODO: Move this code block ( L263-272) to the allocator in future
	// Select the GPU with the highest available free VRAM and choose the GPU vendor for container's host config
	machineResources, err := resources.ManagerInstance.SystemSpecs().GetMachineResources()

// NewDefaultVolumeController returns a new instance of BasicVolumeController
//
// TODO-BugFix [path]: volBasePath might not end with `/`, causing errors when calling methods.
// We need to validate it using the `path` library or just verifying the string.
func NewDefaultVolumeController(repo repositories.StorageVolume, volBasePath string, fs afero.Fs) (*BasicVolumeController, error) {

// where `name` is random.
//
// TODO-maybe [withName]: allow callers to specify custom name for path
func (vc *BasicVolumeController) CreateVolume(volSource storage.VolumeSource, opts ...storage.CreateVolOpt) (types.StorageVolume, error) {
	ctx, cancel := st.SpanContext(context.Background(), "controller", "volume_create_duration", "opentelemetry", "log")

// It optionally can also set the CID and mark the volume as private.
//
// TODO-maybe [CID]: maybe calculate CID of every volume in case WithCID opt is not provided
func (vc *BasicVolumeController) LockVolume(pathToVol string, opts ...storage.LockVolOpt) error {
	ctx, cancel := st.SpanContext(context.Background(), "controller", "volume_lock_duration", "opentelemetry", "log")

// WithCID sets the CID of a given volume if already calculated
//
// TODO [validate]: check if CID provided is valid
func WithCID(cid string) storage.LockVolOpt {
	return func(v *types.StorageVolume) {

// ListVolumes returns a list of all storage volumes stored on the database
//
// TODO [filter]: maybe add opts to filter results by certain values
func (vc *BasicVolumeController) ListVolumes() ([]types.StorageVolume, error) {
	ctx, cancel := st.SpanContext(context.Background(), "controller", "volume_list_duration", "opentelemetry", "log")

// GetSize returns the size of a volume
// TODO-minor: identify which measurement type will be used
func (vc *BasicVolumeController) GetSize(identifier string, idType storage.IDType) (int64, error) {
	ctx, cancel := st.SpanContext(context.Background(), "controller", "volume_get_size_duration", "opentelemetry", "log")

// VolumeController is used to manage storage volumes.
//
// TODO-maybe: is the interface too big? We may have to split it?
type VolumeController interface {
	// CreateVolume creates a directory where data can be stored, and returns a StorageVolume

	// One of the opts may be a CID. Or the implementation might handle the CID calculation
	//
	// TODO-maybe: after volume is locked, callers should not be able to write data to it.
	LockVolume(pathToVol string, opts ...LockVolOpt) error

	// GetSize returns the size of a volume
	// TODO-minor: identify which measurement type will be used
	GetSize(identifier string, idType IDType) (int64, error)

	GetSize(identifier string, idType IDType) (int64, error)

	// TODO-maybe: encrypt/decrypt method might move to an unique EncryptVolume/DecryptVolume interfaces
	// or something else.
	//  - Warning: if moved, EncryptionType field of StorageVolume must be updated somehow by the new interface

// Libp2p contains the configuration for a Libp2p instance.
//
// TODO-suggestion: maybe we should call it something else like Libp2pPeer,
// Libp2pHost or just Peer (callers would use libp2p.Peer...)
type Libp2p struct {

// New creates a libp2p instance.
//
// TODO-Suggestion: move types.Libp2pConfig to here for better readability.
// Unless there is a reason to keep within types.
func New(config *types.Libp2pConfig, fs afero.Fs) (*Libp2p, error) {

	err = l.advertiseForRendezvousDiscovery(context)
	if err != nil {
		// TODO: the error might be misleading as a peer can normally work well if an error
		// is returned here (e.g.: the error is yielded in tests even though all tests pass).
		log.Errorf("failed to start network with randevouz discovery: %v", err)

// Ping the remote address. The remote address is the encoded peer id which will be decoded and used here.
//
// TODO (Return error once): something that was confusing me when using this method is that the error is
// returned twice if any. Once as a field of PingResult and one as a return value.
func (l *Libp2p) Ping(ctx context.Context, peerIDAddress string, timeout time.Duration) (types.PingResult, error) {

	advertisements := make([]*commonproto.Advertisement, 0)
	for _, v := range addrInfo {
		// TODO: use go routines to get the values in parallel.
		bytesAdvertisement, err := l.DHT.GetValue(ctx, l.getCustomNamespace(key, v.ID.String()))
		if err != nil {

				PublishThreshold:            -1000,
				GraylistThreshold:           -2500,
				AcceptPXThreshold:           0, // TODO for public mainnet we should limit to botostrappers and set them up without a mesh
				OpportunisticGraftThreshold: 2.5,
			},

// NewNetwork returns a new network given the configuration.
func NewNetwork(netConfig *types.NetworkConfig, fs afero.Fs) (Network, error) {
	// TODO: probable additional params to receive: DB, FileSystem
	if netConfig == nil {
		return nil, errors.New("network configuration is nil")

func getCustomCorsConfig() cors.Config {
	config := defaultConfig()
	// FIXME: This is a security concern.
	config.AllowOrigins = []string{"http://localhost:9991", "http://localhost:9992"}
	return config

package docs

// TODO this file is here only because the linter configuration breaks
//      it should be removed once that's fixed

		return Worse

		// TODO: this comparator does not take into account options when several job types are available and several job types are required
		// in the same data structure; this is why the test fails;
	}

// created using the VolumeController, there will be no data in it by default.
//
// TODO-maybe [job]: should volumes be related to a job or []job?
//
// TODO-maybe: most of the fields should be private, callers shouldn't be able to altere

// TODO-maybe [job]: should volumes be related to a job or []job?
//
// TODO-maybe: most of the fields should be private, callers shouldn't be able to altere
// the state of the volume except when using certain methods
type StorageVolume struct {

	// EncryptionType might be checked first if needed)
	//
	// TODO-maybe [type]: maybe it should be of type cid.CID
	CID string

	// Size is the size of the storage volume
	//
	// TODO-maybe: if relying on a size field, we would have to be more careful
	// how state is being mutated (and they shouldn't be by the caller)
	//  - Size might be calculated only when locking the volume also

	MessageHashAction    string
	Action               string
	// TODO: Add ContainerType field
}

// Warning: this is just a draft. And it might be moved to an Encryption package
//
// TODO: it must support encryption of files/directories, otherwise we have to
// create another interface for the usecase
type Encryptor interface {

// Warning: this is just a draft. And it might be moved to an Encryption package
//
// TODO: it must support decryption of files/directories, otherwise we have to
// create another interface for the usecase
type Decryptor interface {

func (gpus GPUs) Add(other GPUs) error {
	// TODO: I think this logic needs to change
	// 1. if other gpu is in own gpus, add the total vram
	// 2. if other gpu is not in own gpus, append it to own gpus

	Compute float64

	// TODO: capture the below fields if required
	// Model represents the CPU model, e.g., "Intel Core i7-9700K", "AMD Ryzen 9 5900X"
	Model string

	Size uint64

	// TODO: capture the below fields if required
	// Clock speed in Hz
	ClockSpeed uint64

	Size uint64

	// TODO: capture the below fields if required
	// Model represents the disk model, e.g., "Samsung 970 EVO Plus", "Western Digital Blue SN550"
	Model string

// NetworkInfo represents the network information
// TODO: not yet used, but can be used to capture the network information
type NetworkInfo struct {
	// Bandwidth in bits per second (b/s)

	MessageHashAction    string
	Action               string
	// TODO: Add ContainerType field

}

		return false, nil
	}
	// TODO: validate onboarding params
	return true, nil
}

	}

	// TODO: call the resource manager directly instead
	if err := o.updateAvailableResources(ctx, capacity); err != nil {
		return nil, fmt.Errorf("failed to update available resources: %w", err)

	}

	// TODO: change the way the resources are being onboarded
	// _, err = o.ResourceManager.UpdateFreeResources(ctx)
	// if err != nil {

	}

	// TODO: shutdown routine to stop networking etc... here

	err = o.ParamsRepo.Clear(ctx)

	}

	//nolint:gosec // to be fixed in TODO: 553
	if capacity.Memory > machineResources.RAM.Size*9/10 || capacity.Memory < machineResources.RAM.Size/10 {
		return fmt.Errorf("memory should be between 10%% and 90%% of the available memory (%d and %d)", int64(machineResources.RAM.Size/10), int64(machineResources.RAM.Size*9/10))

		CPUNo:             int(machineResources.CPU.Cores),
		CPUHz:             machineResources.CPU.ClockSpeed,
		PriceCPU:          0, // TODO: Get price of CPU
		RAM:               capacity.Memory,
		PriceRAM:          0, // TODO: Get price of RAM

		PriceCPU:          0, // TODO: Get price of CPU
		RAM:               capacity.Memory,
		PriceRAM:          0, // TODO: Get price of RAM
		Vcpu:              int(float64(capacity.CPU) / machineResources.CPU.ClockSpeed),
		Disk:              0,

// CreatePaymentAddress generates a keypair based on the wallet type. Currently supported types: ethereum, cardano.
// TODO: This should be moved to utils-related package. It's a utility function independent of onboarding
func CreatePaymentAddress(wallet string) (*types.BlockchainAddressPrivKey, error) {
	var (

}

// TODO: move the following functions to the `gpu` sub-package
// https://gitlab.com/nunet/device-management-service/-/issues/546
// assignIndexToGPUs assigns an index to each GPU in the list starting from 0

// fetchGPUMetadata fetches the GPU metadata for the system using `ghw.GPU()`
// TODO: Use one single library to fetch GPU information or improve the match criteria
// https://gitlab.com/nunet/device-management-service/-/issues/548
// TODO: write tests by mocking the gpu snapshot

// TODO: Use one single library to fetch GPU information or improve the match criteria
// https://gitlab.com/nunet/device-management-service/-/issues/548
// TODO: write tests by mocking the gpu snapshot
// https://gitlab.com/nunet/device-management-service/-/issues/534
func (l *linuxSystemSpecs) fetchGPUMetadata() (map[types.GPUVendor][]gpuMetadata, error) {

		l.store.machineResources = &machineResources
	})
	// TODO: do we wanna store it in the db?
	return machineResources, nil
}

)

// TODO: This needs to be initialized in `dms` package and removed from here
// https://gitlab.com/nunet/device-management-service/-/issues/536
// it is being initialized in `dms` package now but there is usage in executor

}

// TODO: move the following functions to the `gpu` sub-package
// https://gitlab.com/nunet/device-management-service/-/issues/546
// assignIndexToGPUs assigns an index to each GPU in the list starting from 0

		l.store.machineResources = &machineResources
	})
	// TODO: do we wanna store it in the db?
	return machineResources, nil
}

// DefaultManager implements the ResourceManager interface
// TODO: Add telemetry for the methods https://gitlab.com/nunet/device-management-service/-/issues/535
type DefaultManager struct {
	usageMonitor types.UsageMonitor

		EngineSpec:  &a.Job.Execution,
		Resources:   &a.Job.Resources,
		// TODO add the following
		Inputs:     []*types.StorageVolumeExecutor{},
		Outputs:    []*types.StorageVolumeExecutor{},

// Deleted now because dependencies such as the docker package have been replaced with executor/docker
func SanityCheck(_ *gorm.DB) {
	// TODO: sanity check of DMS last exit and correction of invalid states

	// resources.CalcFreeResAndUpdateDB()

func HandleFromString(_ string) (Handle, error) {
	// TODO
	return Handle{}, ErrTODO
}

func AddressFromString(_ string) (Address, error) {
	// TODO
	return Address{}, ErrTODO
}

	ErrRateLimitExceeded      = errors.New("rate limited exceeded")

	ErrTODO = errors.New("TODO")
)

outputDir="$projectRoot/dist"

# TODO: Update version number from git describe after release
fullVersion="v0.5.0-boot"
version=$(echo $fullVersion | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')

outputDir="$projectRoot/dist"

# TODO: Update version number from git describe after release
fullVersion="v0.5.0-boot"
version=$(echo $fullVersion | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')