Protocol Definition and Build Pipeline
Palyra uses Protocol Buffers (proto3) as the source of truth for all internal and external service contracts. The schemas are located in schemas/proto/palyra/v1/ schemas/proto/palyra/v1/gateway.proto#1-3.
Supported Services
The system defines several core gRPC services:
- GatewayService: Orchestrates sessions, runs, and message routing schemas/proto/palyra/v1/gateway.proto#7-29.
- NodeService: Manages remote device registration and pairing crates/palyra-daemon/src/node_rpc.rs#38-54.
- ApprovalsService: Handles human-in-the-loop authorization schemas/proto/palyra/v1/gateway.proto#31-35.
- VaultService: Provides secret management schemas/proto/palyra/v1/gateway.proto#37-42.
- BrowserService: Interfaces with palyra-browserd for automation schemas/generated/rust/protocol_stubs.rs#61-144.
Stub Generation
A multi-platform build pipeline generates language-specific stubs to ensure type safety across the monorepo:
- Rust: Generated via tonic and stored in schemas/generated/rust/protocol_stubs.rs schemas/generated/rust/protocol_stubs.rs#1-7.
- Kotlin: Stubs for mobile/Android integration in schemas/generated/kotlin/ProtocolStubs.kt schemas/generated/kotlin/ProtocolStubs.kt#1-10.
- Swift: Stubs for iOS/macOS integration in schemas/generated/swift/ProtocolStubs.swift schemas/generated/swift/ProtocolStubs.swift#1-10.
Scripts (validate-proto.ps1) use protoc to verify schema integrity during CI scripts/protocol/validate-proto.ps1#43-69.
Sources: schemas/proto/palyra/v1/gateway.proto, schemas/generated/rust/protocol_stubs.rs, scripts/protocol/validate-proto.ps1
gRPC Gateway (tonic)
The primary interface for the palyrad daemon is a gRPC server implemented using the tonic library. It serves as the control plane for the CLI and the desktop application.
Node RPC Implementation
The NodeRpcServiceImpl handles the registration of remote execution nodes. It enforces security through mandatory mTLS when configured crates/palyra-daemon/src/node_rpc.rs#38-54.
Data Flow: Node Registration
- Transport Validation: The service extracts TlsConnectInfo to verify the peer’s certificate crates/palyra-daemon/src/node_rpc.rs#60-68.
- Revocation Check: Fingerprints are checked against the IdentityManager to ensure the certificate hasn’t been revoked crates/palyra-daemon/src/node_rpc.rs#85-96.
- Device Binding: The device_id in the request is validated against the fingerprint bound during the pairing process crates/palyra-daemon/src/node_rpc.rs#116-128.
Node Pairing Handshake
Nodes pair with the daemon using either a PIN or a QR code crates/palyra-daemon/src/node_runtime.rs#26-45. This process generates a VerifiedPairing record and issues a client certificate for subsequent mTLS communication crates/palyra-daemon/src/node_runtime.rs#79-103.
Code Entity Mapping: gRPC Node Service
Sources: crates/palyra-daemon/src/node_rpc.rs#38-128, crates/palyra-daemon/src/node_runtime.rs#17-103
QUIC Transport Runtime (quinn)
For low-latency event streaming and robust connectivity over unstable networks, Palyra implements a custom QUIC transport layer using the quinn library.
QuicRuntime
The QuicRuntime in palyrad manages high-frequency “node events” and health checks. It operates independently of the gRPC gateway to provide a fallback and high-performance telemetry channel crates/palyra-daemon/src/quic_runtime.rs#13-17.
Key Features:
- Connection Limiting: Uses an Arc<Semaphore> to enforce MAX_CONCURRENT_CONNECTIONS (default 256) crates/palyra-daemon/src/quic_runtime.rs#16-91.
- Frame-based Protocol: Implements read_frame and write_frame for structured message passing over QUIC streams crates/palyra-daemon/src/quic_runtime.rs#149-152.
- Session Resumption: Supports resuming event streams from a specific sequence number (resume_from) crates/palyra-daemon/src/quic_runtime.rs#46-181.
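The Frame-based Protocol item above, as an added Rust sketch that is not Palyra's code: the 4-byte big-endian length prefix, the 64 KiB cap and the function bodies are assumptions, since the page does not give the wire format. It shows the reader rejecting a peer-declared length before allocating, and a truncated stream failing cleanly.

```rust
use std::io::{self, Cursor, Read, Write};

// Assumed cap; the page does not state the daemon's real limit.
const MAX_FRAME_LEN: usize = 64 * 1024;

// Hypothetical writer: 4-byte big-endian length, then the payload.
fn write_frame<W: Write>(w: &mut W, payload: &[u8]) -> io::Result<()> {
    if payload.len() > MAX_FRAME_LEN {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "frame too large"));
    }
    w.write_all(&(payload.len() as u32).to_be_bytes())?;
    w.write_all(payload)
}

// Hypothetical reader: validate the peer-supplied length before allocating.
fn read_frame<R: Read>(r: &mut R) -> io::Result<Vec<u8>> {
    let mut header = [0u8; 4];
    r.read_exact(&mut header)?;
    let len = u32::from_be_bytes(header) as usize;
    if len > MAX_FRAME_LEN {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "declared length exceeds cap"));
    }
    let mut payload = vec![0u8; len];
    r.read_exact(&mut payload)?; // a short stream fails with UnexpectedEof
    Ok(payload)
}

// Read one frame from a byte slice and reduce any error to its kind.
fn outcome(bytes: &[u8]) -> Result<Vec<u8>, io::ErrorKind> {
    read_frame(&mut Cursor::new(bytes)).map_err(|e| e.kind())
}

fn main() {
    // Constructed inputs: one honest frame, one huge declared length, one truncated frame.
    let mut good = Vec::new();
    write_frame(&mut good, b"health").unwrap();
    let oversized = [0xFF, 0xFF, 0xFF, 0xFF, b'x'];
    let truncated = [0, 0, 0, 8, b'a', b'b'];
    println!("{:?}", outcome(&good));
    println!("{:?}", outcome(&oversized));
    println!("{:?}", outcome(&truncated));
}
```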
Protocol Flow
The QUIC server listens for bidirectional streams. Each stream starts with a QuicRuntimeRequest containing a protocol version and method crates/palyra-daemon/src/quic_runtime.rs#42-47.
Sources: crates/palyra-daemon/src/quic_runtime.rs#42-196, crates/palyra-transport-quic/tests/transport.rs#46-140
mTLS and Security Enforcement
Security for both gRPC and QUIC is anchored in the palyra-identity crate, which provides a custom ClientCertVerifier capable of real-time revocation checks.
Revocation-Aware Verification
The RevocationAwareClientVerifier wraps the standard rustls verifier. During the TLS handshake, it extracts the peer’s certificate fingerprint and queries the RevocationIndex crates/palyra-identity/src/mtls.rs#63-105.
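The handshake-time revocation check described here and the three steps under "Data Flow: Node Registration", modelled together as an added Rust example that is not Palyra's code. The trait method name, `MemoryIndex`, `Reject`, both functions and the short fake fingerprints are assumptions made for illustration; real code would take the fingerprint from the TLS connection rather than a string argument.

```rust
use std::collections::{HashMap, HashSet};

// Stand-in for the page's RevocationIndex trait; the method name is an assumption.
trait RevocationIndex {
    fn is_revoked(&self, fingerprint: &str) -> bool;
}

// In-memory index in the role the page gives MemoryRevocationIndex (hypothetical type).
struct MemoryIndex(HashSet<String>);
impl RevocationIndex for MemoryIndex {
    fn is_revoked(&self, fingerprint: &str) -> bool {
        self.0.contains(&fingerprint.to_ascii_lowercase())
    }
}

#[derive(Debug, PartialEq)]
enum Reject { NoClientCert, ChainInvalid, Revoked, UnknownDevice, WrongDevice }

// Handshake layer: the wrapped verifier's verdict first, then the revocation lookup.
fn verify_client_cert(chain_ok: bool, fp: &str, idx: &dyn RevocationIndex) -> Result<(), Reject> {
    if !chain_ok { return Err(Reject::ChainInvalid); }
    if idx.is_revoked(fp) { return Err(Reject::Revoked); }
    Ok(())
}

// RPC layer: the three registration checks, in the order the page lists them.
fn admit_registration(
    peer_fp: Option<&str>,        // from the TLS connection info; None = no client cert
    device_id: &str,              // claimed in the request body
    idx: &dyn RevocationIndex,
    paired: &HashMap<&str, &str>, // device_id -> fingerprint bound at pairing
) -> Result<(), Reject> {
    let fp = peer_fp.ok_or(Reject::NoClientCert)?;         // transport validation
    if idx.is_revoked(fp) { return Err(Reject::Revoked); } // revocation check
    match paired.get(device_id) {                          // device binding
        None => Err(Reject::UnknownDevice),
        Some(bound) if bound.eq_ignore_ascii_case(fp) => Ok(()),
        Some(_) => Err(Reject::WrongDevice),
    }
}

fn main() {
    // Constructed sample data: short fake fingerprints, not real certificate hashes.
    let idx = MemoryIndex(HashSet::from(["bb22".to_string()]));
    let paired = HashMap::from([("node-a", "aa11"), ("node-b", "bb22")]);
    println!("{:?}", admit_registration(Some("aa11"), "node-a", &idx, &paired));
    println!("{:?}", admit_registration(Some("aa11"), "node-b", &idx, &paired));
    println!("{:?}", verify_client_cert(true, "BB22", &idx));
}
```

The second call is the case device binding exists for: a certificate that is valid and unrevoked for one device is still refused when the request names a different device_id.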
mTLS Configuration
The daemon constructs its server configuration using the Gateway CA certificate and a MemoryRevocationIndex crates/palyra-identity/src/mtls.rs#149-164.
- Node RPC: Requires mTLS by default to ensure only paired devices can register crates/palyra-daemon/src/node_rpc.rs#62-84.
- CLI/Desktop: Typically connects via the local loopback, but can use mTLS when acting as a remote operator.
Verification Logic in Code
| Entity | Responsibility | Location |
|---|---|---|
| IdentityManager | Manages CA, issues certs, tracks revocation | crates/palyra-identity/src/pairing/manager.rs |
| RevocationIndex | Trait for checking if a fingerprint is blacklisted | crates/palyra-identity/src/mtls.rs#23-25 |
| QuicServerTlsConfig | Defines TLS material for the QUIC endpoint | crates/palyra-daemon/src/quic_runtime.rs#19-25 |
| ChildGuard | Test utility to manage daemon lifecycle in mTLS tests | crates/palyra-daemon/tests/node_rpc_mtls.rs#49-50 |