[diag] add agent-side debug RPC over existing QUIC control channel

Adds a long-lived bidirectional nd-json RPC stream from tunnelproxy to
each connected agent on the existing QUIC connection (no new listener,
no new PKI). The agent dispatches incoming Request frames against a
process-scoped Registry of read-only probes; auth is inherited from
the QUIC mTLS to tunnelproxy.

Wire format (pkg/diag/protocol):
  Down (server -> agent): {"id":N, "command":"<name>", "args":{...}}
  Up   (agent -> server): {"id":N, "result":{...}} | {"id":N, "error":{code,message}}
                          | {"id":N, "chunk":{...}} ... {"id":N, "done":true}

Tier-1 commands:
  agent  - version, build, runtime, uptime, flag inventory, manifest of every command
  clock  - wall + monotonic + zone (clock-skew sanity check)

Server-side per-agent Sessions registry exposed via
TunnelServer.DiagSessions(); apoxy-cloud's tunnelproxy reaches it
through TunnelNodeReconciler.DiagSessions() (separate PR).

Wired into both reconciler call sites:
  - pkg/cmd/run/tunnel.go  (embedded-agent path in apiserver/backplane)
  - pkg/cmd/tunnel/run.go  (CLI 'apoxy tunnel run')

Tests: pkg/diag covers protocol round-trip via io.Pipe (TestEndToEnd
exercises Session<->Dispatcher with the real agent + clock commands)
plus dispatcher unit tests for ceiling/busy/streaming/unknown-command.

Author: dilyevsky

pkg/cmd/run/tunnel.go

@@ -35,6 +35,8 @@ import (
 	configv1alpha1 "github.com/apoxy-dev/apoxy/api/config/v1alpha1"
 	corev1alpha "github.com/apoxy-dev/apoxy/api/core/v1alpha"
 	"github.com/apoxy-dev/apoxy/client/versioned"
+	"github.com/apoxy-dev/apoxy/pkg/diag"
+	"github.com/apoxy-dev/apoxy/pkg/diag/commands"
 	"github.com/apoxy-dev/apoxy/pkg/log"
 	"github.com/apoxy-dev/apoxy/pkg/net/dns"
 	"github.com/apoxy-dev/apoxy/pkg/tunnel"
@@ -182,6 +184,9 @@ type runtimeTunnelReconciler struct {
 	lastAddresses    []string
 	lastSelected     string
 
+	// Process-scoped diag command registry, shared across reconnects.
+	diagRegistry *diag.Registry
+
 	// Dial parameters protected by dialMu.
 	dialMu     sync.RWMutex
 	tunnelUID  uuid.UUID
@@ -239,6 +244,9 @@ func (r *runtimeTunnelReconciler) reconcile(ctx context.Context, req ctrl.Reques
 	if len(r.tunCfg.Labels) > 0 {
 		cOpts = append(cOpts, tunnel.WithLabels(r.tunCfg.Labels))
 	}
+	if r.diagRegistry != nil {
+		cOpts = append(cOpts, tunnel.WithDiagRegistry(r.diagRegistry))
+	}
 
 	var srvAddr string
 	if !r.cfg.IsLocalMode {
@@ -497,6 +505,7 @@ func runTunnel(ctx context.Context, cfg *configv1alpha1.Config, tc *configv1alph
 		endpointSelector: selector,
 		tunConns:         make([]*runtimeTunConn, 0),
 		tunDialer:        &tunnel.TunnelDialer{Router: r},
+		diagRegistry:     commands.NewDefaultRegistry(),
 	}
 
 	if err := rec.setupWithManager(mgr, tn.Name); err != nil {

pkg/cmd/tunnel/run.go

@@ -40,6 +40,8 @@ import (
 	"github.com/apoxy-dev/apoxy/config"
 	"github.com/apoxy-dev/apoxy/pkg/cmd/tunnel/tui"
 	"github.com/apoxy-dev/apoxy/pkg/cmd/utils"
+	"github.com/apoxy-dev/apoxy/pkg/diag"
+	"github.com/apoxy-dev/apoxy/pkg/diag/commands"
 	"github.com/apoxy-dev/apoxy/pkg/log"
 	"github.com/apoxy-dev/apoxy/pkg/net/dns"
 	"github.com/apoxy-dev/apoxy/pkg/tunnel"
@@ -116,6 +118,9 @@ type tunnelNodeReconciler struct {
 	// Endpoint selector for choosing tunnel server addresses.
 	endpointSelector endpointselect.Selector
 
+	// Process-scoped diag command registry, shared across reconnects.
+	diagRegistry *diag.Registry
+
 	// Cached endpoint selection — only re-probe when addresses change.
 	lastAddresses []string
 	lastSelected  string
@@ -209,6 +214,7 @@ var tunnelRunCmd = &cobra.Command{
 			cfg:              cfg,
 			a3y:              a3y,
 			endpointSelector: selector,
+			diagRegistry:     commands.NewDefaultRegistry(),
 
 			tunDialerWorkers: make([]*tunConn, 0),
 		}
@@ -442,6 +448,9 @@ func (t *tunnelNodeReconciler) reconcile(ctx context.Context, req ctrl.Request)
 	} else {
 		cOpts = append(cOpts, tunnel.WithAuthToken(tunnelNode.Status.Credentials.Token))
 	}
+	if t.diagRegistry != nil {
+		cOpts = append(cOpts, tunnel.WithDiagRegistry(t.diagRegistry))
+	}
 
 	var srvAddr string
 	var srvAddrs []string

pkg/diag/command.go

@@ -0,0 +1,107 @@
+// Package diag implements the agent-side debug surface that runs over
+// the existing QUIC control channel to tunnelproxy.
+package diag
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"sort"
+)
+
+func sortSpecs(s []Spec) {
+	sort.Slice(s, func(i, j int) bool { return s[i].Name < s[j].Name })
+}
+
+// ArgType is the wire-format token for an argument's type.
+type ArgType string
+
+const (
+	ArgTypeString   ArgType = "string"
+	ArgTypeInt      ArgType = "int"
+	ArgTypeBool     ArgType = "bool"
+	ArgTypeDuration ArgType = "duration"
+)
+
+// ArgSpec describes one argument of a Command. It is serialized into
+// the manifest returned by the built-in `agent` command so an operator
+// can discover the surface with a single GET.
+type ArgSpec struct {
+	Type     ArgType `json:"type"`
+	Required bool    `json:"required,omitempty"`
+	Default  any     `json:"default,omitempty"`
+	Max      any     `json:"max,omitempty"`
+	Min      any     `json:"min,omitempty"`
+	Desc     string  `json:"description,omitempty"`
+}
+
+// Spec is the manifest entry for a single Command.
+type Spec struct {
+	Name      string             `json:"name"`
+	Desc      string             `json:"description,omitempty"`
+	Args      map[string]ArgSpec `json:"args,omitempty"`
+	Streams   bool               `json:"streams,omitempty"`
+	CeilingMs int                `json:"ceiling_ms"`
+}
+
+// Emitter is what a streaming Command writes its chunks to. It is
+// supplied by the dispatcher; Commands MUST NOT retain a reference
+// past their Run call.
+type Emitter interface {
+	// Chunk emits one streaming frame upstream.
+	Chunk(v any) error
+}
+
+// Command is the contract every probe implements. Non-streaming
+// commands return a JSON-serializable Result and ignore the Emitter.
+// Streaming commands return Result == nil and emit chunks via e until
+// Run returns.
+type Command interface {
+	// Spec returns the manifest entry for this command. It is called
+	// once at registration; the result must be safe to share.
+	Spec() Spec
+
+	// Run executes the command. args is the raw `args` field from the
+	// Request; implementations decode it as needed. ctx carries the
+	// dispatcher-imposed wall-clock ceiling and is cancelled when the
+	// stream goes away.
+	Run(ctx context.Context, args json.RawMessage, e Emitter) (result any, err error)
+}
+
+// Registry holds the set of registered commands. It is built once at
+// startup and treated as immutable thereafter.
+type Registry struct {
+	cmds map[string]Command
+}
+
+// NewRegistry returns an empty Registry.
+func NewRegistry() *Registry { return &Registry{cmds: map[string]Command{}} }
+
+// Register adds c to r. Panics on duplicate name — registration is a
+// startup-time operation.
+func (r *Registry) Register(c Command) {
+	name := c.Spec().Name
+	if _, ok := r.cmds[name]; ok {
+		panic(fmt.Sprintf("diag: duplicate command %q", name))
+	}
+	r.cmds[name] = c
+}
+
+// Lookup returns the command with the given name and whether it
+// exists.
+func (r *Registry) Lookup(name string) (Command, bool) {
+	c, ok := r.cmds[name]
+	return c, ok
+}
+
+// Specs returns the manifest entries for every registered command,
+// sorted by name. Used by the built-in `agent` command.
+func (r *Registry) Specs() []Spec {
+	out := make([]Spec, 0, len(r.cmds))
+	for _, c := range r.cmds {
+		out = append(out, c.Spec())
+	}
+	// Stable order so manifest diffs are reviewable.
+	sortSpecs(out)
+	return out
+}

pkg/diag/commands/agent.go

@@ -0,0 +1,74 @@
+// Package commands holds the built-in diag commands. Each file
+// registers one command; the dispatcher composes them into a Registry.
+package commands
+
+import (
+	"context"
+	"encoding/json"
+	"flag"
+	"runtime"
+	"time"
+
+	"github.com/apoxy-dev/apoxy/build"
+	"github.com/apoxy-dev/apoxy/pkg/diag"
+)
+
+// Agent returns a Command that reports static + slow-changing agent
+// state and the manifest of every other command in r. It is the first
+// command an operator runs against an unfamiliar agent.
+func Agent(r *diag.Registry) diag.Command { return &agentCmd{r: r, started: time.Now()} }
+
+type agentCmd struct {
+	r       *diag.Registry
+	started time.Time
+}
+
+func (a *agentCmd) Spec() diag.Spec {
+	return diag.Spec{
+		Name:      "agent",
+		Desc:      "Agent identity, build, runtime, and the manifest of every available diag command.",
+		CeilingMs: 5_000,
+	}
+}
+
+type agentResult struct {
+	Version    string      `json:"version"`
+	BuildDate  string      `json:"build_date"`
+	CommitHash string      `json:"commit_hash"`
+	GoVersion  string      `json:"go_version"`
+	GOOS       string      `json:"goos"`
+	GOARCH     string      `json:"goarch"`
+	NumCPU     int         `json:"num_cpu"`
+	UptimeSec  float64     `json:"uptime_sec"`
+	Flags      []flagState `json:"flags"`
+	Commands   []diag.Spec `json:"commands"`
+}
+
+type flagState struct {
+	Name    string `json:"name"`
+	Value   string `json:"value"`
+	Default string `json:"default"`
+}
+
+func (a *agentCmd) Run(_ context.Context, _ json.RawMessage, _ diag.Emitter) (any, error) {
+	return agentResult{
+		Version:    build.BuildVersion,
+		BuildDate:  build.BuildDate,
+		CommitHash: build.CommitHash,
+		GoVersion:  runtime.Version(),
+		GOOS:       runtime.GOOS,
+		GOARCH:     runtime.GOARCH,
+		NumCPU:     runtime.NumCPU(),
+		UptimeSec:  time.Since(a.started).Seconds(),
+		Flags:      collectFlags(),
+		Commands:   a.r.Specs(),
+	}, nil
+}
+
+func collectFlags() []flagState {
+	var out []flagState
+	flag.VisitAll(func(f *flag.Flag) {
+		out = append(out, flagState{Name: f.Name, Value: f.Value.String(), Default: f.DefValue})
+	})
+	return out
+}

pkg/diag/commands/clock.go

@@ -0,0 +1,49 @@
+package commands
+
+import (
+	"context"
+	"encoding/json"
+	"runtime"
+	"time"
+
+	"github.com/apoxy-dev/apoxy/pkg/diag"
+)
+
+// Clock returns a Command that reports the agent's current notion of
+// time. Useful for diagnosing TLS / JWT failures rooted in clock skew.
+func Clock() diag.Command { return clockCmd{} }
+
+type clockCmd struct{}
+
+func (clockCmd) Spec() diag.Spec {
+	return diag.Spec{
+		Name:      "clock",
+		Desc:      "Wall, monotonic, and runtime-reported time as observed by the agent.",
+		CeilingMs: 1_000,
+	}
+}
+
+type clockResult struct {
+	WallUnixNs    int64  `json:"wall_unix_ns"`
+	WallRFC3339   string `json:"wall_rfc3339"`
+	MonotonicNs   int64  `json:"monotonic_ns"`
+	TimezoneName  string `json:"timezone_name"`
+	TimezoneOffS  int    `json:"timezone_offset_s"`
+	GoVersion     string `json:"go_version"`
+}
+
+func (clockCmd) Run(_ context.Context, _ json.RawMessage, _ diag.Emitter) (any, error) {
+	now := time.Now()
+	zoneName, zoneOff := now.Zone()
+	// time.Since(epoch) yields the monotonic delta; we report it raw so
+	// the caller can compare two reads without trusting the wall clock.
+	mono := time.Since(time.Unix(0, 0))
+	return clockResult{
+		WallUnixNs:   now.UnixNano(),
+		WallRFC3339:  now.UTC().Format(time.RFC3339Nano),
+		MonotonicNs:  int64(mono),
+		TimezoneName: zoneName,
+		TimezoneOffS: zoneOff,
+		GoVersion:    runtime.Version(),
+	}, nil
+}

pkg/diag/commands/register.go

@@ -0,0 +1,22 @@
+package commands
+
+import "github.com/apoxy-dev/apoxy/pkg/diag"
+
+// RegisterAll registers every built-in diag command into r. The agent
+// main calls this once at startup with a fresh registry. New commands
+// just add a single line here.
+//
+// Order does not matter for correctness — Registry sorts the manifest
+// — but listing in dependency order helps reviewers see what's new.
+func RegisterAll(r *diag.Registry) {
+	r.Register(Agent(r))
+	r.Register(Clock())
+}
+
+// NewDefaultRegistry returns a fresh Registry with every built-in
+// command pre-registered. Equivalent to NewRegistry + RegisterAll.
+func NewDefaultRegistry() *diag.Registry {
+	r := diag.NewRegistry()
+	RegisterAll(r)
+	return r
+}