Mark Laing

@tomponline I've marked the JIRA card as blocked as we're waiting for pro API and CLI changes. I've done all I can do on this for now. Feel free to...

This has now been tested manually against the Pro contracts staging environment with the test [Pro client PPA](https://launchpad.net/~orndorffgrant/+archive/ubuntu/pro-client-lxd-testing).

> @markylaing in general, does LXD gracefully degrade/handle situations where the pro client is available but missing the functionality needed? My understanding is that the presence of `/var/lib/ubuntu-advantage/interfaces/lxd-config.json` tells us...

The refactor of the fsmonitor package https://github.com/canonical/lxd/pull/14110 must be merged first.

> This is looking good overall, thanks! > > My two main requests are: > > 1. Move client facing API structs used in /dev/lxd responses into `shared/api/devlxd.go` and rename...

@tomponline this PR now doesn't add any dependencies to the LXD agent, but it is still too large: https://github.com/canonical/lxd/actions/runs/10945290233/job/30389176932?pr=13953#step:16:71 This is from a recent run and we can see there...

I think a security first approach would be to always restrict certificates, and only unrestrict with a flag e.g. `--unrestricted`. However, I don't think this is possible without breaking backwards...

> @MggMuggins @markylaing are there any uses of an identity's projects list when not restricted? No, we only check the project list of restricted certificates. Would it be worth also...

@Regis-Caelum Yes that's where the CLI would process a token if the command were invoked like `lxc remote add `. However in this case the `--token` flag is being passed...

> changes look minor, should i open a pr then? Yes please! Note @roosterfish's comment that when the `--token` flag is used, it is used for specifying the secret. So...