feat: auto re-auth on node-key expiry instead of going permanently offline

[GeiserX]

Problem

An auth-key-registered node went permanently offline at node-key expiry. When control delivered a self-node whose node key had expired, the runtime flipped to a terminal DeviceState::Expired and never re-registered. Go's ipnlocal instead runs doLogin: it generates a fresh node key, records the prior key as OldNodeKey, and re-registers with the stored auth key, so the node renews itself. This was the highest-value parity gap — a silent permanent failure for a long-lived node (an exit node renews on a schedule; this fork just died).

What this does

On an expired self node-key, if an auth key is retained, auto-reauth is enabled, and Tailnet Lock is not enforcing, the runtime now:

1. sets the new transient DeviceState::Reauthenticating (non-interactive — no browse_to_url),
2. rotates the node key (NodeState::rotate_node_key — fresh node key, prior key recorded as OldNodeKey; disco / machine / network-lock keys are left untouched),
3. re-registers immediately over the live connection with OldNodeKey set, so control links the new key to the existing node identity (same node ID / tailnet IP).

Recovery to Running is automatic — the next good self-node flips it back at the same handler.

No tunnel flap (the SACRED invariant)

Only the node key rotates. The data plane keys WireGuard/disco sessions on the disco, machine, and per-peer keys — never the self node key — so a rotation does not re-key or tear down an established tunnel. The control connection re-registers in place (the netmap stream task is reused, not rebuilt). Verified in review: our_node_key is used only as the claimed-sender identity inside disco pings (sealed with the disco key), so a stale value after rotation is at worst a brief disco-ping re-discovery hiccup that self-heals on the next netmap — never a session teardown. (Refreshing magicsock's copy is a tracked follow-up TODO.)

Safety

• Circuit breaker: a one-shot or rejected auth key can't re-register. Rather than loop forever, after 3 consecutive failed reauth attempts the node settles on terminal Expired (the counter resets on a successful re-register / good self-node). The reauth fires once per transition into Reauthenticating, never per netmap frame.
• OldNodeKey anchor preserved: a second rotation before a register succeeds keeps the original pre-expiry key as the linkage anchor (capture-once); the anchor is cleared on a successful register so the next genuine cycle re-anchors fresh.
• Tailnet Lock gate (mandatory): rotation is gated OFF while lock enforcement is active — an unsigned new key would lock the node out of locked peers. Gated on the same tka_authority cell the peer-trust chokepoint enforces against (single source of truth). TKA re-sign is a separate follow-up.
• No interactive-prompt clobber: the existing MachineNotAuthorized -> NeedsLogin bridge no longer overwrites an in-flight auto-reauth.
• reauth_on_expiry config (default true) lets an embedder opt out. DeviceState is now #[non_exhaustive] to future-proof embedder matches.

Tests

Pure expiry_action decision matrix (incl. the TKA veto), the reauth_circuit_step breaker (fire-once, count, trip-to-Expired-at-cap, reset-on-recovery, full one-shot-key episode), the OldNodeKey anchor lifecycle (two rotations preserve the original; rotation after a clear re-anchors), the bridge no-clobber guard, and Reauthenticating recovery in wait_for_running.

Gates (local, all green)

cargo test -p geiserx_ts_keys -p geiserx_ts_control -p geiserx_ts_runtime (345) · clippy -D warnings (default + --features tun) · cargo fmt --check · cargo doc (broken_intra_doc_links=deny) · cargo run -p checks. Reviewed by an independent correctness+parity and an architecture+safety pass; all findings fixed.

Signed-off-by: Sergio sergio@geiser.cloud

Created using Claude Code (Opus 4.8)

[coderabbitai]

Warning

Review limit reached

@GeiserX, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 47 minutes and 32 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d9595e48-26a3-4927-bb1a-53a2f45112f8

📥 Commits

Reviewing files that changed from the base of the PR and between ffa14a5 and 65b5a82.

📒 Files selected for processing (6)

• src/config.rs
• ts_control/src/config.rs
• ts_control/src/tokio/client.rs
• ts_keys/src/keystate.rs
• ts_runtime/src/control_runner.rs
• ts_runtime/src/device_state.rs

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/tka-reauth-on-key-expiry

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}