Use cases

"Offline" agent provisioning

It should be possible to give an agent permission to join as a device of an identity without a peer being online at the time of activation. This would happen through a managed agent provisioning flow, or when manually provisioning an agent started through the CLI.

In a managed provisioning flow, once the user has granted the permission for a managed hosting provider to create an agent on their behalf, they should not need to remain online for the provider to complete the provisioning flow.

Managed agent migrations

A managed hosting provider should be able to create an agent using some stored credential, which would enable the ability for the hosting provider to destroy and create an agent without maintaining the local storage of an agent.

This could be used when upgrading the software of the agent, migrating the agent's runtime between runtime nodes, or recovering from a corrupted or crashed agent.

The agent can only be admitted by peers that have a device (signing) key that belongs to the same identity (user).

Proposal:

1. Shell panel triggers Agent deployment and shows "provisioning..."
2. Shell can be closed.
3. When Shell is reopened (on any device) it polls the Agent API to get a status.
4. If the status is ready, it requests the public key and the user does a direct admission (writes a credential to the HALO).

Q: Are we using dxRPC for the agent API?