Standalone mode for the exporter (#320)

Allow exporters to serve directly over TCP without a controller, and
clients to connect directly without going through a controller

```shell
# exporter
jmp run --tls-grpc-listener [HOST:]PORT [--tls-grpc-insecure]

# client
jmp shell --tls-grpc HOST:PORT [--tls-grpc-insecure]
```

Address #44


Signed-off-by: Benny Zlotnik <bzlotnik@redhat.com>

Author: bennyz

e2e/exporters/exporter-direct-hooks-before.yaml

@@ -0,0 +1,16 @@
+apiVersion: jumpstarter.dev/v1alpha1
+kind: ExporterConfig
+metadata:
+  name: test-exporter-direct-hooks
+  namespace: default
+export:
+  power:
+    type: jumpstarter_driver_power.driver.MockPower
+hooks:
+  beforeLease:
+    script: |
+      echo "BEFORE_HOOK_DIRECT: executed"
+      j power on
+      echo "BEFORE_HOOK_DIRECT: complete"
+    timeout: 60
+    onFailure: warn

e2e/exporters/exporter-direct-hooks-both.yaml

@@ -0,0 +1,19 @@
+apiVersion: jumpstarter.dev/v1alpha1
+kind: ExporterConfig
+metadata:
+  name: test-exporter-direct-hooks
+  namespace: default
+export:
+  power:
+    type: jumpstarter_driver_power.driver.MockPower
+hooks:
+  beforeLease:
+    script: |
+      echo "BEFORE_HOOK_DIRECT: executed"
+    timeout: 60
+    onFailure: warn
+  afterLease:
+    script: |
+      echo "AFTER_HOOK_DIRECT: executed"
+    timeout: 60
+    onFailure: warn

e2e/exporters/exporter-direct-listener.yaml

@@ -0,0 +1,8 @@
+apiVersion: jumpstarter.dev/v1alpha1
+kind: ExporterConfig
+metadata:
+  name: test-exporter-direct
+  namespace: default
+export:
+  power:
+    type: jumpstarter_driver_power.driver.MockPower

e2e/tests-direct-listener.bats

@@ -0,0 +1,173 @@
+#!/usr/bin/env bats
+# E2E tests for direct TCP listener mode (no controller)
+
+SCRIPT_DIR="$(cd "$(dirname "$BATS_TEST_FILENAME")" && pwd)"
+EXPORTER_CONFIG="${SCRIPT_DIR}/exporters/exporter-direct-listener.yaml"
+LISTENER_PORT=19090
+LISTENER_PID=""
+
+setup() {
+  bats_load_library bats-support
+  bats_load_library bats-assert
+
+  bats_require_minimum_version 1.5.0
+}
+
+# Start the exporter in the background.
+#   $1 - config file (default: $EXPORTER_CONFIG)
+#   $2 - readiness: "grpc" waits via jmp shell (drains LogStream),
+#                   "port" waits via nc -z (preserves LogStream queue)
+#   $3 - if set, redirect stderr to ${BATS_TEST_TMPDIR}/exporter.log
+#   $4 - passphrase (optional)
+_start_exporter() {
+  local config="${1:-$EXPORTER_CONFIG}"
+  local readiness="${2:-grpc}"
+  local capture_logs="${3:-}"
+  local passphrase="${4:-}"
+
+  local extra_args=()
+  if [ -n "$passphrase" ]; then
+    extra_args+=(--passphrase "$passphrase")
+  fi
+
+  if [ -n "$capture_logs" ]; then
+    jmp run --exporter-config "$config" \
+      --tls-grpc-listener "$LISTENER_PORT" \
+      --tls-grpc-insecure "${extra_args[@]}" 2>"${BATS_TEST_TMPDIR}/exporter.log" &
+  else
+    jmp run --exporter-config "$config" \
+      --tls-grpc-listener "$LISTENER_PORT" \
+      --tls-grpc-insecure "${extra_args[@]}" &
+  fi
+  LISTENER_PID=$!
+  echo "$LISTENER_PID" > "${BATS_TEST_TMPDIR}/exporter.pid"
+
+  local retries=30
+  if [ "$readiness" = "port" ]; then
+    # TCP-only check: doesn't drain the LogStream queue, so hook output
+    # remains buffered for the test command to consume.
+    while ! nc -z 127.0.0.1 "$LISTENER_PORT" 2>/dev/null; do
+      retries=$((retries - 1))
+      if [ "$retries" -le 0 ]; then
+        echo "Port $LISTENER_PORT did not become available" >&2
+        return 1
+      fi
+      sleep 0.5
+    done
+  else
+    # Full gRPC check: ensures exporter is ready for commands.
+    # Drains LogStream queue (unsuitable for hook output tests).
+    local grpc_args=(--tls-grpc "127.0.0.1:${LISTENER_PORT}" --tls-grpc-insecure)
+    if [ -n "$passphrase" ]; then
+      grpc_args+=(--passphrase "$passphrase")
+    fi
+    while ! jmp shell "${grpc_args[@]}" -- j --help >/dev/null 2>&1; do
+      retries=$((retries - 1))
+      if [ "$retries" -le 0 ]; then
+        echo "Exporter did not become ready in time" >&2
+        return 1
+      fi
+      sleep 0.5
+    done
+  fi
+}
+
+start_exporter()              { _start_exporter "$1" grpc; }
+start_exporter_with_logs()    { _start_exporter "$1" grpc logs; }
+start_exporter_bg()           { _start_exporter "$1" port; }
+start_exporter_bg_with_logs() { _start_exporter "$1" port logs; }
+
+start_exporter_with_passphrase() { _start_exporter "${2:-$EXPORTER_CONFIG}" grpc "" "$1"; }
+
+stop_exporter() {
+  if [ -f "${BATS_TEST_TMPDIR}/exporter.pid" ]; then
+    local pid
+    pid=$(cat "${BATS_TEST_TMPDIR}/exporter.pid")
+    if [ -n "$pid" ] && ps -p "$pid" > /dev/null 2>&1; then
+      kill "$pid" 2>/dev/null || true
+      wait "$pid" 2>/dev/null || true
+    fi
+    rm -f "${BATS_TEST_TMPDIR}/exporter.pid"
+  fi
+}
+
+teardown() {
+  stop_exporter
+}
+
+@test "direct listener: exporter starts and client can connect" {
+  start_exporter
+
+  run jmp shell --tls-grpc "127.0.0.1:${LISTENER_PORT}" --tls-grpc-insecure -- j power on
+  assert_success
+}
+
+@test "direct listener: client can call multiple driver methods" {
+  start_exporter
+
+  run jmp shell --tls-grpc "127.0.0.1:${LISTENER_PORT}" --tls-grpc-insecure -- j power on
+  assert_success
+
+  run jmp shell --tls-grpc "127.0.0.1:${LISTENER_PORT}" --tls-grpc-insecure -- j power off
+  assert_success
+}
+
+@test "direct listener: client without --tls-grpc-insecure fails against insecure server" {
+  start_exporter
+
+  run jmp shell --tls-grpc "127.0.0.1:${LISTENER_PORT}" -- j power on
+  assert_failure
+}
+
+@test "direct listener hooks: beforeLease hook executes and j commands work" {
+  # Use start_exporter_bg (TCP-only readiness check) to avoid draining
+  # the LogStream queue before the test command connects.
+  start_exporter_bg "${SCRIPT_DIR}/exporters/exporter-direct-hooks-before.yaml"
+
+  run jmp shell --tls-grpc "127.0.0.1:${LISTENER_PORT}" --tls-grpc-insecure \
+    --exporter-logs -- j power off
+  assert_success
+  assert_output --partial "BEFORE_HOOK_DIRECT: executed"
+  assert_output --partial "BEFORE_HOOK_DIRECT: complete"
+}
+
+@test "direct listener hooks: afterLease hook runs on exporter shutdown" {
+  start_exporter_bg_with_logs "${SCRIPT_DIR}/exporters/exporter-direct-hooks-both.yaml"
+
+  run jmp shell --tls-grpc "127.0.0.1:${LISTENER_PORT}" --tls-grpc-insecure \
+    --exporter-logs -- j power on
+  assert_success
+  assert_output --partial "BEFORE_HOOK_DIRECT: executed"
+
+  # Stop the exporter (SIGTERM triggers _cleanup_after_lease).
+  # stop_exporter waits for the process to exit, so the log is complete.
+  stop_exporter
+
+  # afterLease hook output should appear in the exporter's stderr log
+  run cat "${BATS_TEST_TMPDIR}/exporter.log"
+  assert_output --partial "AFTER_HOOK_DIRECT: executed"
+}
+
+@test "direct listener passphrase: correct passphrase connects" {
+  start_exporter_with_passphrase "my-secret"
+
+  run jmp shell --tls-grpc "127.0.0.1:${LISTENER_PORT}" --tls-grpc-insecure \
+    --passphrase "my-secret" -- j power on
+  assert_success
+}
+
+@test "direct listener passphrase: wrong passphrase is rejected" {
+  start_exporter_with_passphrase "my-secret"
+
+  run jmp shell --tls-grpc "127.0.0.1:${LISTENER_PORT}" --tls-grpc-insecure \
+    --passphrase "wrong" -- j power on
+  assert_failure
+}
+
+@test "direct listener passphrase: missing passphrase is rejected" {
+  start_exporter_with_passphrase "my-secret"
+
+  run jmp shell --tls-grpc "127.0.0.1:${LISTENER_PORT}" --tls-grpc-insecure \
+    -- j power on
+  assert_failure
+}

python/docs/source/getting-started/configuration/files.md

@@ -50,7 +50,7 @@ drivers:
 
 **Environment Variables**:
 
-- `JUMPSTARTER_GRPC_INSECURE` - Set to `1` to disable TLS verification globally
+- `JUMPSTARTER_GRPC_INSECURE` / `JMP_GRPC_INSECURE` - Set to `1` to disable TLS verification globally
 - `JMP_CLIENT_CONFIG` - Path to a client configuration file
 - `JMP_CLIENT` - Name of a registered client config
 - `JMP_NAMESPACE` - Namespace in the controller
@@ -118,7 +118,7 @@ boundaries. See [Hooks](../../introduction/hooks.md) for full details on
 hook configuration, environment variables, and failure handling.
 
 **Environment Variables**:
-- `JUMPSTARTER_GRPC_INSECURE` - Set to `1` to disable TLS verification
+- `JUMPSTARTER_GRPC_INSECURE` / `JMP_GRPC_INSECURE` - Set to `1` to disable TLS verification
 - `JMP_ENDPOINT` - gRPC endpoint (overrides config file)
 - `JMP_TOKEN` - Auth token (overrides config file)
 - `JMP_NAMESPACE` - Namespace in the controller

python/docs/source/getting-started/guides/index.md

@@ -5,6 +5,8 @@ development workflow. The guides cover:
 
 - [Setup Local Mode](setup-local-mode.md): Running Jumpstarter in local mode for
   individual development
+- [Setup Direct Mode](setup-direct-mode.md): Connecting a client directly to an
+  exporter over TCP, without a controller
 - [Setup Distributed Mode](setup-distributed-mode.md): Configuring Jumpstarter
   for team environments with shared resources
 - [Examples](examples.md): Practical examples of Jumpstarter usage in common
@@ -19,6 +21,7 @@ development workflow. The guides cover:
 :maxdepth: 1
 :hidden:
 setup-local-mode.md
+setup-direct-mode.md
 setup-distributed-mode.md
 examples.md
 integration-patterns.md

python/docs/source/getting-started/guides/setup-direct-mode.md

@@ -0,0 +1,95 @@
+# Setup Direct Mode
+
+This guide shows you how to run a Jumpstarter exporter that clients connect to
+directly over TCP — no controller or Kubernetes cluster required.
+
+Direct mode is useful when you want to expose hardware on one machine to clients
+on another, without setting up a controller.
+
+```{note}
+Direct mode skips the controller's lease management. Only one client should
+connect at a time. For shared, multi-user environments use
+[distributed mode](setup-distributed-mode.md) instead.
+```
+
+## Instructions
+
+### Create an Exporter Configuration
+
+Unlike distributed mode, you don't need `endpoint` or `token` fields — there
+is no controller to register with.
+
+Create `example-direct.yaml`:
+
+```yaml
+apiVersion: jumpstarter.dev/v1alpha1
+kind: ExporterConfig
+metadata:
+  namespace: default
+  name: example-direct
+export:
+  power:
+    type: jumpstarter_driver_power.driver.MockPower
+hooks:
+  beforeLease:
+    script: |
+      echo "Exporter ready"
+      j power on
+    timeout: 30
+  afterLease:
+    script: |
+      j power off
+    timeout: 30
+```
+
+The `hooks` section is optional. `beforeLease` runs once when the exporter
+starts (before any client connects), and `afterLease` runs on shutdown. Hook
+scripts can use `j` commands to interact with the drivers.
+
+### Start the Exporter
+
+Run the exporter and tell it to listen on a TCP port with `--tls-grpc-listener`:
+
+```console
+$ jmp run --exporter-config example-direct.yaml \
+    --tls-grpc-listener 0.0.0.0:19090 \
+    --tls-grpc-insecure
+```
+
+The `--tls-grpc-insecure` flag disables TLS, which is convenient for local
+development. For production use, provide `--tls-cert` and `--tls-key` instead.
+
+To require a passphrase from connecting clients, add `--passphrase`:
+
+```console
+$ jmp run --exporter-config example-direct.yaml \
+    --tls-grpc-listener 0.0.0.0:19090 \
+    --tls-grpc-insecure \
+    --passphrase my-secret
+```
+
+### Connect a Client
+
+```console
+$ jmp shell --tls-grpc <HOST>:19090 --tls-grpc-insecure
+```
+
+If the exporter requires a passphrase:
+
+```console
+$ jmp shell --tls-grpc <HOST>:19090 --tls-grpc-insecure --passphrase my-secret
+```
+
+Replace `<HOST>` with the exporter machine's IP address or hostname. Once
+connected, interact with the exporter using `j` commands:
+
+```console
+$ j power on
+$ j power off
+```
+
+You can also pass a command directly without opening an interactive shell:
+
+```console
+$ jmp shell --tls-grpc <HOST>:19090 --tls-grpc-insecure -- j power on
+```