amuleapi REST API + SSE daemon + EC search-lifecycle additions

[got3nks]

Supersedes #132.

Summary

This PR ships a standalone REST API + Server-Sent Events daemon, amuleapi, that talks to amuled as a normal EC client. The API lives at /api/v0/*; the SSE stream is at /api/v0/events. Full per-endpoint contracts live in docs/api/REFERENCE.md; the SSE event catalog with Last-Event-ID reconnect semantics lives in docs/api/EVENTS.md; first-run setup in docs/QUICKSTART-AMULEAPI.md. ETag (snapshot-versioned, memoised on (target, snapshot_at)), CORS (preflight + credentialed origin echo with allowlist), and the SSE framing/reconnect protocol are all documented under those two files.

Why standalone instead of bolting onto amuleweb

The first cut of this work was implemented inside amuleweb. We scrapped it for three reasons.

Stable amuleweb stays untouched. Merging this PR adds a new binary; it does not modify amuleweb. A 3.0.1 bugfix release can ship from master without any regression risk against the amuleweb users have been running for years. amule can ship both binaries side-by-side for a transitional period; whoever wants the REST surface enables amuleapi, whoever's on amuleweb's PHP keeps it. Operators can adopt at their own pace.

Concurrency efficiency. amuleweb runs a single long-lived EC connection too, but every request handles synchronously on the wx event-loop thread (no per-request thread spawn — see src/webserver/src/WebSocket.cpp:282 where ProcessURL is dispatched inline) and each PHP page does its own SendRecvMsg_v2 roundtrips against amuled with no cross-request snapshot cache. Adding a long-lived SSE channel that drains events for the lifetime of an EventSource would pin the event-loop thread, and bolting on the snapshot cache the REST path needs is a non-trivial refactor of the bespoke PHP interpreter. amuleapi takes the opposite shape: one EC connection feeding a 1 s refresher loop that maintains a coherent state snapshot every HTTP handler reads under a shared_timed_mutex, plus an in-process event bus the refresher publishes deltas to for SSE. No bespoke PHP runtime, no per-request EC roundtrip storm, no event-loop thread to tie up.

Modular architecture eases future integration into amuled. The HTTP, SSE, auth, ETag, state-snapshot, and event-bus scaffolding (~6000 LOC across 12 files) is EC-agnostic and ships into any future in-process integration unchanged. The EC plumbing is concentrated in three files (Refresher.cpp, RefresherTick.cpp, App.cpp's entry point) plus every individual mutation and lazy-cache handler in Api.cpp. Inside amuled those become direct model accesses against CamuleApp::theApp() — the code gets simpler (no wire-format walking) but each handler needs touch-up. This is not a deliverable for this PR — just a property the architecture preserves.

Performance model — refresher vs lazy

Two distinct caching paths land in this PR.

Refresher-driven items (every tick, snapshot-coherent). /downloads, /shared, /servers, /clients, /status, /categories are populated by a 1 s loop that runs two EC calls per tick: EC_OP_GET_UPDATE at EC_DETAIL_INC_UPDATE for the four list substructs, plus EC_OP_STAT_REQ for the status envelope. The EC_DETAIL_INC_UPDATE detail level uses amuled's per-client CValueMap to ship field-level deltas — first-encounter rows carry full identity (NAME, HASH, SIZE, ED2K_LINK), subsequent ticks carry only the bytes that actually moved. The EC_DETAIL_INC_UPDATE mechanism itself dates to 2005, but the wave of fixes that landed in 3.0.0 (full-detail emission for unseen ECIDs, the EC skip-unchanged series for per-file change tracking, alive-marker handling) are what make this work cleanly for a fresh subscriber on a cold start. One wire roundtrip per second, packet size proportional to actual change. The refresher then computes a diff against the prior snapshot and publishes one event per changed entity onto the in-process event bus via a single batched PublishBatch call, so SSE subscribers see push notifications within ~1 s. Mutating REST calls (POST/PATCH/DELETE) call RefresherTick synchronously on the way out (under the same m_ec_mtx), so the response and the next GET both reflect post-mutation state.

Lazy-fetched items (TTL-coalesced, mutation-invalidated). /stats/tree, /stats/graphs/{graph}, /logs/serverinfo, and /search/results fetch on demand with a 1 s single-flight TTL cache (CTtlCache::GetOrFetch). The first concurrent request runs the EC roundtrip; every other reader hitting the same endpoint in the same second parks on a condvar inside the cache, then reads the just-stored value — no duplicate roundtrips, no lock held across the EC call (the cache mutex is dropped during fetch so a 30 s amuled stall on /stats/tree doesn't park every reader of unrelated lazy endpoints). Mutation handlers explicitly invalidate the affected lazy cache: POST /search invalidates m_search_cache, DELETE /logs/serverinfo invalidates m_server_info_cache, etc. Smoke tests verify the next read after a mutation sees fresh data, not the pre-mutation snapshot.

The ETag layer caches (target, snapshot_at) → MD5 so safe-method GETs on a snapshot-stable target reuse the validator without re-hashing the body. If-None-Match matches → 304 with the ETag preserved per RFC 7232 §4.1.

Wire-level surface in numbers

• 34 REST endpoints across system / auth / downloads / clients / shared / servers / categories / preferences / network control / Kad / logs / stats / search
• 1 SSE endpoint with 6 channels (downloads, shared, servers, clients, status, logs) and the synthetic always-delivered resync event
• JWT (HS256, 24 h lifetime, mandatory iat, lifetime cap enforced on Verify) via either Authorization: Bearer or an HttpOnly SameSite=Strict cookie
• Two-tier rate limiting: dedicated counter for /auth/login (operator-configurable thresholds) plus a generic 30-failures/60s lockout across every other 401-returning endpoint
• Hard caps at every layer: 16 KiB header section, 1 MiB request body, 32 JSON-nesting levels (DoS defence in front of picojson's recursive descent), 4 KiB JWT length, 32 SSE channel tokens

Testing

Two layers in this PR; both green at the tip.

C++ unit tests via ctest — 21 binaries, including JwtTest (27 cases covering crypto identity, alg/typ/iat invariants, depth-cap rejection, base64url edge cases), AuthTest (rate-limit clock injection so the suite runs in 0.44 s instead of 6.5 s), EventBusTest, EventDiffTest, StateTest (concurrent reader/writer tear-detection at 1000+ observations), RefresherTest, AmuleApiConfigTest (0600 enforcement on POSIX), JsonWriterTest, EtagTest, PathPatternsTest. The suite shapes the binary's contract; CI runs ctest on the same matrix it builds.

End-to-end curl regression matrix — 26 phase scripts under unittests/curl-tests/amuleapi/, 660+ assertions total, driven by run-all.sh. The orchestrator brings up a fresh amuleapi daemon per phase (fresh config dir, fresh rate-limit buckets, fresh state cache) against a configured amuled, runs the phase script, aggregates pass/fail. This is the "does the wire contract actually match the docs" layer — every endpoint, every error path, every method gate, every CORS preflight, every SSE replay scenario.

CI artifacts

Build matrix at https://github.com/got3nks/amule/actions/runs/27831394815 — AppImage (x86_64 + aarch64), Flatpak (x86_64 + aarch64), macOS .app (arm64 + x86_64), Windows portable .zip (arm64 + x64). Reviewers can grab the binary for their platform from the run's artifacts and exercise it against any amuled.

Frontend plan

A separate effort (not in this PR, not by me) will build a plain JS + CSS + HTML SPA that consumes this API. Two-phase rollout:

Development phase — host the SPA separately, CORS at amuleapi. Set AllowCORS=1 and CorsOriginAllowlist=https://your-app-host in amuleapi.conf and serve the SPA from any web server, including python -m http.server against a build directory. The CORS bundle already echoes Access-Control-Allow-Credentials: true so cookie auth works cross-origin out of the box.

Deployment phase — fold static-file serving into amuleapi. Add a [Server]/StaticRoot=/path/to/dist config key and a fallback handler in DispatchToHandler that resolves non-/api/v0 paths against the configured root (with the path-traversal guard LooksMalicious(path) already applies, a MIME-type table, and SPA-history fallback to index.html). The architecture already has the pieces: CHttpServer::Response.body is a std::string, content_type is per-response. This is a future PR; the current scope is "REST + SSE surface ready to serve".

Transitional period

Everything in this PR is in flight in the sense that the API surface is /api/v0/, frozen against breaking changes for the lifetime of v0, but the architecture is up for discussion. If a better design appears mid-3.x, we can pivot — amuleapi is opt-in via BUILD_AMULEAPI=YES and operators not running it are unaffected. The standalone-daemon shape minimises the cost of a rethink relative to what an amuleweb merger would have locked in.

[ngosang]

Great work. It will take me a few days to test everything. The initial impressions are good, but I have a few questions/concerns that I'll leave here.

The first one is related to the workflow. I don't want to be working on huge pull requests for months. I would like a plan so we can gradually merge PRs without blocking bug-fixing releases. The first PRs can be large, but afterwards, I would like to work with small stabilization and bug-fixing PRs.

Another concern I have is about how the event system works. I haven't looked closely at the source code, but I've seen that you make requests using the EC protocol every 1 second. If this is the case, I don't think we have a good architecture. The most common use case will be a low-power NAS server running the AmuleD and AmuleAPI processes 24/7. There is only 1 client and 99% of the time it is not connected to the web interface. It is a waste of resources for AmuleAPI to be continually synchronizing and serializing information when nobody is consuming it. These processes have to be as efficient as possible to spend the CPU/Memory resources on downloads and uploads. We should rethink this use case. I like events, but servers shouldn't waste resources when no one is connected.

Regarding the events, they seem to be working well, but I think we can improve this. I have doubts about the scalability of the solution. My long-term goal is to have a WebUI with all the functionality of Amule / AmuleGUI. As you already know, I am sharing thousands of files, I have more than 100 concurrent uploads all the time... I don't know if the event system is prepared.

• With just 3 files downloading (and 0 uploads) I'm receiving many events.
• Most of the time, the same information is received (for example, the ed2k server doesn't change frequently).
• There are no events with the search results (I have to do polling).

I'm going to need us to add the functionality of serving static resources in AmuleAPI. I have made an implementation here for my tests. => #220
If it sounds good to you, I would include it in this pull request and for now serve an index.html file indicating "AmuleAPI is running.". The goal is for the infrastructure to be ready when I submit my PRs, so that it can be tested by other users and setting up the development environment becomes easier.

I am testing several web technologies to see which one best fits the project. If you want to take a look, it is here, but I will probably throw everything away and start over. => #220

Bugs

In this PR, I see that the curl test files have non-descriptive names. They should be renamed so that they make sense to other developers.

The GET /shared endpoint is not working correctly. I have 3 downloads in progress and shared returns these results.
{"shared":[{"ecid":11,"hash":"8d6d3546ed1eee79559a6c92f59af514","name":"Linux Ubuntu 7.14 Desktop i386.iso","ed2k_link":"ed2k://|file|Linux%20Ubuntu%207.14%20Desktop%20i386.iso|659753388|8D6D3546ED1EEE79559A6C92F59AF514|/","size":659753388,"priority":"high_auto","complete_sources":0,"xfer":{"session":0,"total":0},"requests":{"session":0,"total":0},"accepts":{"session":0,"total":0}},{"ecid":744,"hash":"00000000000000000000000000000000","name":"","ed2k_link":"","size":0,"priority":"","complete_sources":8,"xfer":{"session":0,"total":0},"requests":{"session":0,"total":0},"accepts":{"session":0,"total":0}},{"ecid":755,"hash":"00000000000000000000000000000000","name":"","ed2k_link":"","size":0,"priority":"","complete_sources":0,"xfer":{"session":0,"total":0},"requests":{"session":0,"total":0},"accepts":{"session":0,"total":0}}]}

The GET /categories endpoint behaves strangely. When there are no categories, it returns an empty list. When there is 1 category, it returns 2 elements (category 0 / all and the category I have added). This makes the API inconsistent. I would always return category 0. We need to verify that category 0 cannot be edited.

The GET /search/results endpoint does not work properly. If I call it right after POST /search (global search) I get {"results":[],"progress":{"percent":100,"complete":true}}. If I call it after a few seconds I get many results, but the progress is at 0 progress { percent: 0, complete: false }

The download "parts" are not being sent. It is not necessary in the first version, but it is what is missing to be on par with amuleweb.

[got3nks]

Thanks for the detailed look. Quick triage:

Workflow — agreed. Land amuleapi + the bug fixes below in this PR, then small stabilization PRs after.

Idle polling — you're right that the refresher loops at 1 Hz unconditionally (kTargetCycle = 1s at src/webapi/App.cpp:435), no subscriber-count gating. Before we design the fix, can you measure CPU/memory cost on your production node — top -p $(pgrep amuleapi) for a few minutes against your real workload — and share the numbers? If it's the architectural problem you're worried about, we'll see it. Worth noting: pausing the refresher entirely when no clients are connected would create a thundering-herd on reconnect, since amuled would dump the entire delta the moment we resume. Better path is probably reducing the cadence (e.g. 1 Hz → 0.2 Hz) when idle, keeping the state warm enough that reconnect is cheap.

Event volume / "many events" — 3 downloads × 1 update/sec is normal for a live UI, but coalescing per-tick deltas into a single batched event would cut framing overhead substantially. Will look at this with the idle-poll work.

Event volume / "same info" — the diff path has an Equal() whitelist per resource type; if you're seeing repeated server_updated for fields that didn't change, that's likely a missing field in the comparator or genuine churn (e.g. server users count bumping every poll). If you can capture a few seconds of the SSE stream when you see it, I can pinpoint which field is firing.

Search events — will add a search_finished SSE event so you can react to completion instead of polling /search/results blindly.

GET /shared ghost entries — partial clarification first: a download surfaces in /shared only once it has at least one verified chunk (eD2K shares hashed chunks, so a partfile with no completed parts is correctly absent). So "3 downloads → 3 shared entries" isn't quite the right expectation — it's "downloads with ≥1 completed chunk → shared entries". The two ghost entries with zero hash + empty name ARE bugs regardless — likely partfiles whose first chunk just completed but metadata hasn't propagated. Will filter zero-hash entries unconditionally. Could you send the matching amulecmd status (or equivalent state snapshot) at the moment of repro so I can confirm I'm fixing the right root cause?

GET /categories — quick clarification: amuled EC itself returns nothing when no custom categories exist, and includes category 0 once you add one. So we're faithfully mirroring EC's behaviour, not introducing the inconsistency. That said, normalizing at the API layer to always include category 0 is the right call for client predictability — will add.

GET /search/results — real bug, investigating. The progress.complete=true on an empty fresh result looks like a sticky flag from a previous search.

Download parts — they're shipped, but only on the detail endpoint (GET /downloads/{hash}) — see Api.cpp:1697 (include_parts=true). The list endpoint deliberately omits them because a multi-TiB file's parts array can be 100K+ entries. Will sharpen the REFERENCE.md note so it's clearer.

Curl test file names — true, the phase*.sh naming is a development artifact. Will rename to describe what each phase actually covers.

Static-serve infrastructure — agreed, will fold it into this PR. Taking the implementation from #220 with three hardening fixes: symlink containment (resolve realpath, reject if it escapes static_root), file-size cap (16 MiB), and ETag/If-None-Match so subsequent loads hit 304 instead of full re-read. Default placeholder index.html saying "amuleapi is running" so it's a no-op for API-only deployments and gives your frontend a stable hook.

[got3nks]

Five commits since the last update:

• /categories always includes index 0 (e187b72): amuled's EC suppresses the whole EC_TAG_PREFS_CATEGORIES block when no custom categories exist, even though category 0 (the default incoming dir) is always present in amuled's data structures (GetCatCount() >= 1 always). Normalised at the API layer so clients see the same shape regardless of category count.
• Curl-test rename (cd94269): the phase*.sh naming was a development artifact. The 27 scripts now live as NN-<what-it-covers>.sh — numeric prefix preserves the canonical dependency ordering in run-all.sh (auth before mutations, refresher consolidation before later read smokes, CORS / static-frontend last). ls reads as a feature inventory instead of a commit log.
• Refresher-driven search lifecycle + SSE events (9dc4f36): GET /search/results progress was unreliable — amuled's EC_TAG_SEARCH_STATUS overloads raw=0 ("no search" / "Kad in progress" / "global queue not yet populated" / "global finished, m_searchInProgress just flipped off") and raw=100 ("global queue empty at start" / "global all done briefly before reset"). The lifecycle now lives in the refresher: POST /search marks active, RefresherTick polls and runs a pure state machine (AdvanceSearchProgress) that disambiguates via kind, prior saw_in_progress, results-count, and a 30 s defensive timeout. The timeout is gated by !saw_in_progress, so a healthy global search (which always climbs through raw ∈ [1..99]) excludes it the moment we observe the first non-zero raw — the timeout only catches "no climb, no results" edge cases. Kad's raw stays at 0 for the whole search (only 0xfffe flips it), so saw_in_progress never trips; we bump started_at on each new result instead, which distinguishes a productive Kad search from a stuck one. GET /search/results reads straight from state — no TtlCache. Two new SSE events: search_result_added per new ECID, search_finished on the complete=false→true edge. RefresherTest grows 12 cases covering every state-machine branch.
• Declare the search SSE channel (2c85f7d): the prefix-based event_channel fallback already routed search_* to channel "search" in practice, but the mapping is now explicit so a future event family doesn't drift via the silent fallback. EVENTS.md gains the channel row + per-event payload docs; 26-rfc-followup-endpoints.sh adds positive (?channels=search delivers search_finished) and exclusion checks.
• Unify downloads + shared into one ECID-keyed FileSnapshot (03700a6): bigger structural refactor — m_downloads + m_shared become a single m_files keyed by ECID, with is_downloading / is_shared role flags + sub-blocks for role-specific fields (reset on the true→false transition so /downloads can never serve stale upload stats, and /shared can never serve stale download stats). Both walkers operate on the same unified map; the shared walker no longer needs the dl_identity_fallback workaround introduced in e57cbf9 — identity is already in the entry from whichever walker saw it first. Same wire shape, no client breakage. As a bonus, FindDownload(hash) / FindShared(hash) get a parallel m_hash_to_ecid index that's rebuilt at each Mutate*, so hash lookups are O(1) instead of a linear scan over the map. Mirrors amulegui's CKnownFilesRem::m_items_hash design (amule-remote-gui.cpp:1507). RefresherTest + StateTest migrated to the role-flag model — 22 unit-test suites all pass.

Packaging fired on the fork: https://github.com/got3nks/amule/actions/runs/27907062647

---

Performance numbers, addressing the earlier concerns

Ran CPU + bandwidth measurements on a production node (busy uploader at ~33 MB/s) to put real numbers on the perf discussion:

Metric	Idle (no subscriber)	1 SSE subscriber, full channels
amuleapi CPU	0.20%	0.27%
amuled CPU	62.4%	59.2%
SSE bytes/min	0	2,506 KiB
Events/min	0	4,254

Reading those:

• Idle CPU is negligible — 0.20% is the cost of the 1 s EC poll + diff walk with zero subscribers. The diff still runs (single-publisher invariant requires it), but the EventBus's PublishBatch is a no-op when nobody's draining. On a low-power NAS that's well under any "wasted resource" threshold IMO, but it's worth measuring on actual ARM hardware to confirm.
• Per-subscriber CPU is essentially free — +0.07% for handling 4,254 events/min. The serializer + ring-buffer Drain are doing their job.
• Bandwidth is the only material cost — and only with an active subscriber. ~42 KiB/s on a very busy node (33 MB/s up + many peer-stats churning); on idle / typical nodes this falls dramatically. The client_updated channel is ~70% of the wire traffic in this sample (peer-stats churn for every active upload).

For the cellular-bandwidth concern, the cheap mitigation is HTTP Content-Encoding: gzip on the SSE response. Standard HTTP, transparent to browser EventSource / curl / SDK clients, no wire-format change. Given how repetitive the SSE JSON is (the same key names show up thousands of times), I'd expect 10–15% of original on the wire — roughly 4–6 KiB/s in the worst-case sample above, well into cellular-tolerable territory. Bandwidth is the real cost we should address; deferring to a follow-up issue once this PR and #220 land so we don't expand scope here. Compact / diff-only event formats are a bigger lift (SDK changes for every consumer) and probably never necessary if gzip alone is sufficient.

For the "disconnect amuled state baseline after N min of idle" idea — CPU doesn't look like the bottleneck on this sample (0.20% idle, +0.07% per active subscriber), but I'd want measurements on constrained hardware (low-end ARM NAS) and on a huge library before making a call. A lighter intermediate is to stretch RefresherTick to 5 s while no SSE subscriber is connected instead of pausing entirely — keeps state warm enough that the first reconnecting subscriber sees something close to current, while dropping the per-second EC roundtrip cost to ⅕. That's also a follow-up.

For comparison, amulegui uses the same per-second polling pattern while open (amule-remote-gui.cpp:220, 234, 627 all fire DoRequery(EC_OP_GET_UPDATE, EC_TAG_KNOWNFILE) on a wxTimer tick) — but because amulegui is a user-launched GUI process, the "what happens when nobody's looking" question doesn't exist there: the process closes. amuleapi is a 24/7 daemon, so we own that question.

---

@ngosang — I think we're at a point where this can merge into master once you've verified the fixes + features land cleanly on your side. It's strictly additive — no amuleweb legacy paths touched, the existing REST/SSE wire shape is unchanged, and the bandwidth / idle-tick-rate follow-ups are tracked separately so they don't gate the merge.

[ngosang]

I have rebased my PR on top of this one and it works fine.

• The web server for static files, it seems to be working fine. I have removed the web server I had implemented in my PR and I am using yours.
• The issue with the "shared" files seems to be resolved. I have tried downloading more files and everything seems to be fine. The files appear in shared when the first chunk is downloaded.
• The issue with categories is also resolved. When I only have category 0 (all) it is returned; if I have more, all of them are returned. It works as expected.
• The search issue seems to be resolved as well. I have done several tests with the Global, Local, and Kad search types, and they all seem to work fine. On the frontend, I have implemented polling until the process finishes. Everything is working well.

Just a couple of comments.

I see that some endpoints accept the md4 hash and the ecid as parameters. IMHO, I think the ecid is something internal and should not be exposed in the public API. I think we should work only with the MD4 hashes of the downloads. There are several reasons not to expose the ecid:

• First of all, I think we should make this change to simplify the API.
• On the other hand, to avoid exposing an internal identifier, because I think that this internal identifier might stop working if the backend to amuled or amuleapi is restarted; those identifiers are no longer valid.
• Lastly, because perhaps in the future we won't use the EC protocol and the connection will be directly with amuled.

For all these reasons, I think it would be better to work only with md4 hashes from the beginning and do the conversion in the backend between the hash and the ecid when necessary. I would not accept it as an identifier in the URLs nor would I return it in the body of the responses and events. I would always work with the md4 hash.

Regarding this PR, you can merge it whenever you consider appropriate. As for me, we can continue working without merging. I don't want to merge my PR until I have something more or less stable. I still need to evaluate the best solution to make the design responsive on smartphones, for internationalization, and whether to use a library to render the charts. It's going to take me quite some time, several weeks, to have something I am satisfied enough with to merge. I will surely be asking you for some changes to the APIs. This is a feature meant for the next release, therefore I am not giving it top priority. I am working on other projects at the same time.

[got3nks]

Good point. The ECID exposure was initially load-bearing because ClientSnapshot.upload_file_ecid / download_file_ecid (the correlator fields linking a peer to the file they're uploading from / downloading) surfaced ECIDs as the only key — so a client watching client_updated events couldn't resolve the file without either (a) maintaining its own ECID→hash cache from prior /downloads polls, or (b) calling /downloads/{ecid}. That's why we accepted ECID in URLs and emitted it in event payloads.

After the unified FileSnapshot refactor in 03700a6, the ECID→hash resolution is essentially free on the server side — the unified m_files map is ECID-keyed, so m_files[ecid].hash is one std::map lookup. We can do the conversion at serialization time and never expose the ECID at all. Will fold the ECID-strip into this PR before merge:

• /downloads/{key} and /shared/{key}: hash-only (drop the TryParseEcid disjunction)
• Item bodies in /downloads, /shared, /search/results: strip ecid
• SSE download_* / shared_* / search_result_added payloads: strip ecid
• ClientSnapshot.upload_file_ecid / download_file_ecid → upload_file_hash / download_file_hash, resolved server-side at serialization time
• REFERENCE.md / EVENTS.md, curl test assertions, and RefresherTest cases updated to match

[ngosang]

/downloads/{key}

Instead of calling it "key" or "ecid" or "id" could you call it "hash" or something similar everywhere? I think it's more clear.

[got3nks]

@ngosang — the three follow-up commits just landed:

• 1dd35a67 — dropped file ECIDs from the public API surface (/downloads/{hash}, /shared/{hash}, client.upload_file_hash / download_file_hash)
• 3dc6370f — renamed clients[].ecid → client_ecid (disambiguates it from the file ECIDs that no longer exist on the wire). Heads-up: this changes the wire shape for GET /clients, the client_added / client_updated SSE payloads, and the client_removed payload ({ "client_ecid": N } now). Any front-end path that consumed the old ecid field — REST or SSE — will need a one-line update.
• 898818a5 — switched the internal file cache to unordered_map with an inline hash → ECID index; both find by hash and find by ECID are now O(1) avg, no per-tick rebuild

All path placeholders in docs/api/REFERENCE.md are consistently {hash} now (no more {key} / "hash OR ECID").

Worth rebasing the front-end PR #220 on top — these are architectural changes and the wire format moved (file ECIDs disappeared from /downloads, /shared, client.*_file_*; clients[].ecid is now client_ecid), so a fresh integration pass will surface any consumer paths that still expect the old shape.

Plan from this side: leave PR #201 in draft (no merge) until 3.0.1 ships, which buys breathing room for the front-end testing pass to surface any other bugs / feature requests on amuleapi. Probably worth promoting the API to v1 before the merge, too — the spec is at the point where the v0 label is misleading.

[got3nks]

Two more commits landed on the branch:

• ef0e40d6 — feat(ec): unambiguous search lifecycle tags on EC_OP_SEARCH_PROGRESS. Three additive tags (EC_TAG_SEARCH_LIFECYCLE_STATE, _LIFECYCLE_KIND, _RESULT_COUNT) so consumers can read the lifecycle directly instead of disambiguating the overloaded EC_TAG_SEARCH_STATUS sentinels (raw=0 covering "no search" / "Kad in progress" / "global queue populating" / "global just finished", raw=100 covering "queue empty at start" / "all done briefly", etc.). EC_TAG_SEARCH_STATUS is unchanged on the wire — amulegui / amulecmd / amuleweb keep working without a single line of change. Full build of amule + amuled + amulegui + amulecmd is green.
• 15a02b33 — refactor(amuleapi): consume EC_TAG_SEARCH_LIFECYCLE_STATE directly. Drops the sentinel-disambiguation state machine in Refresher.cpp entirely (the saw_in_progress tracking, the 30 s defensive timeout, the Kad-deadline-bump-on-result trick). Net -201 LOC, -7 legacy tests, +5 trivial tests of the new mapping.

Heads-up for testing: since amuleapi pins the new tags as required, this branch's amuleapi daemon must talk to the patched amuled from the same branch. Stock 3.0.0 or master amuled won't carry the lifecycle tags and amuleapi will sit there with active=true forever.

Cross-platform builds for this branch (amuled + amulegui + amuleapi + amulecmd + amuleweb, plus AppImage / Flatpak / macOS Universal2 / Windows) are running here — artifacts will be downloadable when the run finishes:

https://github.com/got3nks/amule/actions/runs/27984668094

[ngosang]

I updated my PR and I found some errors in the documentation + 1 outdated comment in the code => e134f06

1. Search progress event

The amuleapi SSE search channel currently emits search_result_added and search_finished, but nothing in between carrying the in-progress percent. The only place a client can read progress.percent mid-search is GET /api/v0/search/results (there is no separate /search/progress endpoint — progress is bundled into the results response). As a result, a web client that wants to show a live "Searching… NN%" indicator is forced to keep polling /search/results on a timer, which defeats the purpose of the event channel (the rest of the UI is snapshot-on-mount + stream, no periodic polling).

Request

Expose search progress over SSE so clients can drive the whole search lifecycle from events and drop the periodic GET /search/results poll. Two viable shapes (either works; a dedicated event is cleaner):

• Preferred — a new search_progress event on the search channel, fired when progress.percent (or active) changes between refresher ticks, mirroring status_changed:

  { "percent": 67, "active": true, "kind": "global", "results": 142 }

• Alternative — add percent to the search_result_added payload, so each new result also carries the current progress. Less clean (couples progress to result arrival; no signal when the percent moves but no new result lands).

Why this is cheap to add

The daemon already computes the normalized progress every refresher tick (src/webapi/Refresher.cpp::AdvanceSearchProgress → SearchProgressSnapshot {active, kind, percent, complete}), and src/webapi/EventDiff.cpp already publishes search_result_added / search_finished from that same diff pass. A search_progress diff event would slot in right next to them — emit it when the snapshot's percent/active differs from the previous tick.

2. For KAD search

• Global searches have a meaningful incrementing percent; Kad searches only report 0 → 100.

It's possible to estimate the % based on time? For example, it there is a timeout we can update the progress +10% when time pass.

[got3nks]

Forgot to port the REST API updates over to the SSE events, will do tomorrow.

[got3nks]

Follow-up commits on feature/amuleapi-v0 porting search status to the event channel:

• c866b65c3 feat(ec) — adds EC_TAG_SEARCH_LIFECYCLE_PERCENT to EC_OP_SEARCH_PROGRESS: a daemon-computed 0–100 for every search kind (global = real server-queue %, Kad = a cosmetic time-ramp off the fixed 45 s keyword lifetime, finished → 100). EC_TAG_SEARCH_STATUS is unchanged on the wire, so amulegui/amulecmd/amuleweb are untouched.
• 84afaa2b6 feat(amuleapi) — new search_progress SSE event (running frames + a terminal state:"finished" frame); it supersedes and removes search_finished. GET /search/results's progress object now mirrors the event field-for-field (state/kind/percent).
• d87b0eae8 docs — documents the above and fixes REST/SSE doc drift verified against the JSON writers: kad.network on /status, the full /clients + /servers field sets, /kad detail fields, the /logs/amule + /logs/serverinfo shapes, /stats/tree + /stats/graphs, /search/results entries, plus the log_appended {buffer} and the phantom search_result_added ecid.

⚠️ Breaking for API consumers:

• The search_finished SSE event is removed — subscribe to search_progress instead and treat the terminal state:"finished" frame as completion.
• GET /search/results's progress object drops the complete and active booleans in favor of the canonical state string (running / finished / idle); derive complete = state == "finished", active = state == "running".

Because the EC tag is a wire change, this needs a freshly built amule/amuled — prebuilt binaries (appimage/flatpak/macos/windows) land on the packaging run here once it finishes: https://github.com/got3nks/amule/actions/runs/28018726308

@ngosang — heads-up that your frontend in #220 will need a rebase onto this; and since d87b0eae8 already carries verified-against-code EVENTS.md and REFERENCE.md, you can drop those two files from #220 on the rebase.

[got3nks]

@ngosang — one more ⚠️ Breaking API change on the branch since the summary above: 9e7f98e35 alters the search_result_added event payload your frontend parses.

sources is now a nested {total, complete} object — byte-for-byte identical to a /search/results array entry — instead of the previous flat sources + complete_sources integers:

{ "hash": "…", "name": "…", "size": …, "sources": { "total": 12, "complete": 7 }, "already_have": false, "rating": 0 }

So a single result-rendering function can handle both the GET /search/results array entries and search_result_added events with no special-casing.

Refreshed binaries (built off 9e7f98e35) are on the new packaging run: https://github.com/got3nks/amule/actions/runs/28032209221