Each section of the DSL maps to a control-plane concern:

• serverGroups: defines selectors that hydrate MinecraftNetwork backends (namespace + label + health).
• routePolicies: prioritized routing rules with sticky options and weights.
• accessPolicies, rateLimits, and packetFilters: enforcement layers for tokens, bans, rate limiting, and handshake filtering.

Routing decision order#

1. Global deny checks (IP/ASN blocklists).
2. Rate limits per phase (handshake/login/play).
3. Access policies (bans, tokens, permissions).
4. Route policies (priority, sticky, weights).
5. Fallback behavior (default group or deny).

Control plane components#

• K8s watchers: consume MinecraftServer, MinecraftNetwork, endpoints, and health checks.
• Policy engine: parses the DSL, validates references, and signs every snapshot version.
• API service: exposes /v1/route/resolve, /v1/access/check, /v1/policy/stream, and /v1/telemetry/event for data-plane consumers.
• Audit pipeline: JSONL/DB logs of API calls, policy versions, and routing decisions.
• Metrics + tracing: per-route latency, denies, rate-limit breaches.

Control plane API contracts#

POST /v1/route/resolve#

Response:

POST /v1/access/check#

Response states allow/deny with reasons and TTL.

GET /v1/policy/stream#

Offers SSE or gRPC with PolicySnapshot/PolicyDelta events for data-plane caches.

POST /v1/telemetry/event#

Records connect/disconnect/policy-sync events with metadata.

Persistent schema (Postgres draft)#

The schema tracks versions, selectors, routing parameters, audits, and can be extended with blocklists, auth tokens, and player tags.

Data plane options#

1. Velocity + Go control plane: Velocity plugin polls the control plane for policy snapshots, caches TTLs, and resolves routes locally.
2. Go L4/handshake router + Velocity: A thin Go router handles encryption/compression, then routes newer sessions into Velocity.
3. Full Go proxy: Implements the full Minecraft protocol for maximum control.

Cache/session hints#

Redis stores rate limits (rate_limit:{ip}:{phase}), sessions (session:{player_uuid}), tokens (token:{token_hash}), etc., so decisions stay fast under load.

MVP scope (MVP-B)#

Included features:

• Handshake/login/encryption/compression.
• Velocity modern forwarding.
• Route policy priority/weights/sticky.
• Basic anti-bot defenses (rate limits, blocklists, tokens).
• Kubernetes discovery + health.
• Audit/metrics/tracing.

Excluded: ViaVersion-level compatibility, deep plugin channel inspection, multi-DC session migration (Phase 2+).

Doc verification#

We added mcctl mermaid lint to validate Mermaid blocks across documentation. The command walks Markdown/MDX files, pulls every mermaid` block, and runs @mermaid-js/parser via scripts/mermaid-lint.mjs. If a diagram has invalid syntax, the invocation fails with file/line context so you can fix the diagram before publishing.

Wrap-up#

• The policy DSL defines routing, access control, and packet filters in one place.
• The control plane signs snapshots, exposes route/access APIs, and keeps data planes in sync.