Swarm certification #423

Merged: k3dz0r merged 5 commits into develop from 2026-04-20 on Apr 20, 2026
k3dz0r (Collaborator) commented Apr 20, 2026

Summary by CodeRabbit

Release Notes

  • Documentation

    • Enhanced CLI guide formatting and clarified expected output for kubectl commands.
    • Simplified DNS configuration instructions for improved clarity.
    • Added new documentation on the Super Swarm Certification System, including node roles, network modes, certificate architecture, and worker node onboarding procedures.
  • Chores

    • Updated webpack dependency pinning.

coderabbitai Bot commented Apr 20, 2026


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4453de1a-7a1f-4e08-9c36-d73792790933

📥 Commits

Reviewing files that changed from the base of the PR and between 40950c0 and 65cf110.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • docs/cli/Guides/swarm-vllm.md
  • docs/fundamentals/swarm-certification.md

Walkthrough

The PR updates CLI guide documentation with formatting improvements and corrected expected output descriptions, introduces comprehensive documentation for the Swarm Certification System covering PKI-based trust and node onboarding workflows, and pins the webpack dependency version to 5.104.1.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CLI Guide Updates: docs/cli/Guides/swarm-vllm-s3.md, docs/cli/Guides/swarm-vllm.md | Minor formatting changes: added emphasis styling to key terms, corrected whitespace alignment, and updated expected output descriptions from plural to singular counts. DNS instruction phrasing also adjusted for clarity. |
| Fundamentals Documentation: docs/fundamentals/swarm-certification.md | New comprehensive guide documenting the Super Swarm Certification System, including cryptographic onboarding workflow, PKI-based trust establishment, node roles (bootstrap and worker), network modes (trusted/untrusted), certificate architecture (RSA "Basic" and ECDSA "Lite" chains), and two-phase worker node onboarding process. |
| Dependency Configuration: package.json | Added top-level overrides entry pinning webpack to version 5.104.1 for consistent dependency resolution. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Whiskers twitching with delight,
Docs now gleam with formatted light,
Swarm certs dance in crypto's way,
Webpack pinned to save the day!
Trust and keys, a rabbit's spree, 🔐✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title 'Swarm certification' directly reflects the primary change: adding comprehensive documentation for the Super Swarm Certification System in a new file. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docs/cli/Guides/swarm-vllm.md (1)

135-141: ⚠️ Potential issue | 🟡 Minor

Fix the hostname cardinality mismatch.

Line 135 still says “two hostnames”, but Line 141 now instructs users to configure records for “the hostname”. Given the deployment context shows one Ingress, make Line 135 singular too.

Suggested wording fix
-Back in the Super Swarm dashboard, go to **Ingresses** and note the two hostnames listed there.
+Back in the Super Swarm dashboard, go to **Ingresses** and note the hostname listed there.
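Review bot: the `+` line corrects the count only in docs/cli/Guides/swarm-vllm.md, while the walkthrough lists docs/cli/Guides/swarm-vllm-s3.md as receiving the same plural-to-singular edits. Confirm that the Ingresses step in that guide states the number of hostnames its own deployment actually shows, and fix it in the same commit if it does not, so the CNAME and TXT instructions in both guides match their screenshots.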
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/cli/Guides/swarm-vllm.md` around lines 135 - 141, Change the plural “two
hostnames” to singular to match the later sentence and the actual deployment
screenshot: replace the text "two hostnames" with "the hostname" (the two
conflicting phrases are the string "two hostnames" and "the hostname" in the
Swarm vLLM guide near the ingress step; the image referenced is
swarm-ingresses-vllm.png). Ensure the sentence reads consistently (singular) so
the instruction to add a CNAME and TXT record clearly refers to the single
Ingress hostname.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/fundamentals/swarm-certification.md`:
- Line 12: Update the text around swarm-db/swarm-key so it explicitly calls out
that distributing the network private keys to every worker (as currently
described for the bootstrap node generating the swarm-key and workers issuing VM
certificates) makes those workers CA-equivalent and enables certificate minting
if a node is compromised; revise the wording where swarm-db, swarm-key,
bootstrap node, worker, and VM certificates are mentioned (also in the
referenced block around lines 100-109) to either prohibit distribution of CA
private keys or document this as a major operational risk and then enumerate
intended mitigations such as using non-exportable CA keys, short-lived
intermediate certs, threshold signing, and key rotation/revocation (and state
which mitigations are planned vs. recommended).

---

Outside diff comments:
In `@docs/cli/Guides/swarm-vllm.md`:
- Around line 135-141: Change the plural “two hostnames” to singular to match
the later sentence and the actual deployment screenshot: replace the text "two
hostnames" with "the hostname" (the two conflicting phrases are the string "two
hostnames" and "the hostname" in the Swarm vLLM guide near the ingress step; the
image referenced is swarm-ingresses-vllm.png). Ensure the sentence reads
consistently (singular) so the instruction to add a CNAME and TXT record clearly
refers to the single Ingress hostname.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: dab4b1d7-b9ad-4561-bb9b-1f502c4f5cae

📥 Commits

Reviewing files that changed from the base of the PR and between 2bc4dd0 and 40950c0.

⛔ Files ignored due to path filters (8)
  • docs/cli/images/swarm-ingresses-s3-verified.png is excluded by !**/*.png
  • docs/cli/images/swarm-ingresses-s3.png is excluded by !**/*.png
  • docs/cli/images/swarm-ingresses-vllm-verified.png is excluded by !**/*.png
  • docs/cli/images/swarm-ingresses-vllm.png is excluded by !**/*.png
  • docs/cli/images/swarm-policy-rules-grant-access.png is excluded by !**/*.png
  • docs/fundamentals/images/swarm-certification-phase1.png is excluded by !**/*.png
  • docs/fundamentals/images/swarm-certification-phase2.png is excluded by !**/*.png
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (4)
  • docs/cli/Guides/swarm-vllm-s3.md
  • docs/cli/Guides/swarm-vllm.md
  • docs/fundamentals/swarm-certification.md
  • package.json


## swarm-db

One of the key components of Super Swarm is the distributed database `swarm-db`, which handles synchronization between nodes. It is encrypted using a `swarm-key`, which is randomly generated by the bootstrap node at startup and does not change.
⚠️ Potential issue | 🟠 Major

Call out the CA-key replication risk or avoid distributing CA private keys.

The doc states that every worker receives the network’s private keys and can issue VM certificates. That makes any admitted worker CA-equivalent: compromise of one node can mint certificates and distribute secrets to later nodes. If this is current-state behavior, please document it as a major operational limitation and include the intended mitigation path, such as non-exportable CA keys, short-lived intermediates, threshold signing, or key rotation/revocation.

Also applies to: 100-109

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/fundamentals/swarm-certification.md` at line 12, Update the text around
swarm-db/swarm-key so it explicitly calls out that distributing the network
private keys to every worker (as currently described for the bootstrap node
generating the swarm-key and workers issuing VM certificates) makes those
workers CA-equivalent and enables certificate minting if a node is compromised;
revise the wording where swarm-db, swarm-key, bootstrap node, worker, and VM
certificates are mentioned (also in the referenced block around lines 100-109)
to either prohibit distribution of CA private keys or document this as a major
operational risk and then enumerate intended mitigations such as using
non-exportable CA keys, short-lived intermediate certs, threshold signing, and
key rotation/revocation (and state which mitigations are planned vs.
recommended).
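The short-lived, scoped intermediate that the review comment above names as a mitigation, as an added Go example using only the standard library (not code from this PR or from Super Swarm). It assumes a design the page does not describe: the root key stays off workers, and each worker holds a 24-hour, pathlen-0 issuing CA name-constrained to its own subdomain; all names and lifetimes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue signs cn with the parent's key (nil parent: self-signed root); permit makes a leaf-only, name-constrained CA.
func issue(cn string, ttl time.Duration, ca bool, permit []string, p *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageCertSign, PermittedDNSDomains: permit,
		PermittedDNSDomainsCritical: len(permit) > 0, MaxPathLenZero: len(permit) > 0}
	if !ca {
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
	}
	if p == nil {
		p, pk = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, p, &key.PublicKey, pk))
	return must(x509.ParseCertificate(der)), key
}
// Demo (constructed names/TTLs): errors for an in-scope VM cert, one minted for worker B's names, and the first after CA expiry.
func Demo() (inScope, outOfScope, afterExpiry error) {
	root, rootKey := issue("swarm-root", 8760*time.Hour, true, nil, nil, nil)
	inter, interKey := issue("worker-a-ca", 24*time.Hour, true, []string{"worker-a.swarm.example"}, root, rootKey)
	good, _ := issue("vm1.worker-a.swarm.example", 48*time.Hour, false, nil, inter, interKey)
	bad, _ := issue("vm9.worker-b.swarm.example", 48*time.Hour, false, nil, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	verify := func(c *x509.Certificate, at time.Time) error {
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at})
		return err
	}
	return verify(good, time.Now()), verify(bad, time.Now()), verify(good, time.Now().Add(25*time.Hour))
}
func main() { fmt.Println(Demo()) }
```

A relying party that trusts only the root rejects both the out-of-scope certificate and, once the worker's intermediate has expired, the 48-hour leaf it signed. Revoking a compromised worker's intermediate before it expires is not covered here.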

@k3dz0r k3dz0r merged commit 1ecf894 into develop Apr 20, 2026
6 checks passed
@k3dz0r k3dz0r deleted the 2026-04-20 branch April 20, 2026 17:03