
feat: add RTR protocol support for RPKI ROA fetching#106

Merged: digizeph merged 2 commits into main from feat/rpki-rtr on Feb 2, 2026

Conversation

@digizeph (Member) commented Feb 2, 2026

Summary

Add support for fetching ROAs via RTR (RPKI-to-Router) protocol as an alternative to the default Cloudflare JSON API.

ROAs can come from RTR or Cloudflare RPKI portal, but ASPAs always come from Cloudflare RPKI portal (because RTR v1 per RFC 8210 doesn't support ASPA).

Resolves #94

Features

  • RTR v1/v0 protocol client with automatic version negotiation
  • Configuration via environment variables or CLI flag
  • Automatic fallback to Cloudflare on RTR failure (configurable)
  • Separate tracking of ROA/ASPA data sources in database metadata
  • Support for IPv6 RTR endpoints using bracket notation ([::1]:8282)

Usage Examples

Using CLI flag

# Fetch ROAs via RTR from Cloudflare's RTR server
monocle config db-refresh --rpki --rtr-endpoint rtr.rpki.cloudflare.com:8282

# Validate a prefix (shows data source)
monocle rpki validate 1.1.1.0/24 13335
# Output: Data source: RTR (rtr.rpki.cloudflare.com:8282) (cached at 2026-02-02 13:27:38 UTC, 792831 ROAs)

Using environment variables

# Configure RTR endpoint
export MONOCLE_RPKI_RTR_HOST=rtr.rpki.cloudflare.com
export MONOCLE_RPKI_RTR_PORT=8282

# Optional: set timeout (default 10 seconds)
export MONOCLE_RPKI_RTR_TIMEOUT_SECS=30

# Optional: disable fallback to Cloudflare on RTR failure
export MONOCLE_RPKI_RTR_NO_FALLBACK=true

# Refresh will automatically use RTR
monocle config db-refresh --rpki

Fallback behavior

When RTR fails and fallback is enabled (default):

WARNING: RTR fetch from 192.0.2.1:8282 failed: connection timed out. Falling back to Cloudflare.

When RTR fails and fallback is disabled:

ERROR: RTR fetch from 192.0.2.1:8282 failed: connection timed out

Configuration Options

| Environment Variable | CLI Flag | Default | Description |
|---|---|---|---|
| MONOCLE_RPKI_RTR_HOST | --rtr-endpoint | - | RTR server hostname |
| MONOCLE_RPKI_RTR_PORT | (in endpoint) | 8282 | RTR server port |
| MONOCLE_RPKI_RTR_TIMEOUT_SECS | - | 10 | Connection timeout in seconds |
| MONOCLE_RPKI_RTR_NO_FALLBACK | - | false | If true, error instead of falling back to Cloudflare |

Changes

  • Added RtrClient in src/lens/rpki/rtr.rs for RTR protocol communication
  • Added RTR configuration options to MonocleConfig
  • Added roa_source and aspa_source fields to RpkiCacheMetadata
  • Updated CLI to display correct data sources
  • Added database migration for existing databases

Add support for fetching ROAs via RTR (RPKI-to-Router) protocol as an
alternative to the default Cloudflare JSON API. ASPAs are always fetched
from Cloudflare since RTR v1 (RFC 8210) doesn't support ASPA.

Features:
- New RtrClient for RTR v1/v0 protocol with version negotiation
- Configuration via environment variables or --rtr-endpoint flag
- Automatic fallback to Cloudflare on RTR failure (configurable)
- Track ROA/ASPA sources separately in database metadata
- Support for IPv6 RTR endpoints using bracket notation

Configuration options:
- MONOCLE_RPKI_RTR_HOST: RTR server hostname
- MONOCLE_RPKI_RTR_PORT: RTR port (default: 8282)
- MONOCLE_RPKI_RTR_TIMEOUT_SECS: Connection timeout (default: 10)
- MONOCLE_RPKI_RTR_NO_FALLBACK: Disable Cloudflare fallback

Resolves #94
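Added example, not code from the monocle repository: small RFC 8210 helpers for the pieces this PR describes (endpoint parsing with bracket notation and the 8282 default, a Reset Query PDU, v1/v0 version negotiation, and decoding IPv4/IPv6 Prefix PDUs into ROA records). RtrRoa, split_endpoint, negotiate_version and decode_prefix_pdu are assumed names, not monocle's RtrClient API.

```rust
// Added example, not monocle's own code: RFC 8210 helpers mirroring the features
// this PR describes; RtrRoa, split_endpoint and the other names are assumptions.
use std::convert::{TryFrom, TryInto};
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

pub const DEFAULT_RTR_PORT: u16 = 8282;
#[derive(Debug, PartialEq)]
pub struct RtrRoa { pub prefix: IpAddr, pub prefix_len: u8, pub max_len: u8, pub asn: u32, pub announce: bool }

/// Split "host:port" or "[v6]:port" into (host, port); a missing port means 8282.
pub fn split_endpoint(ep: &str) -> Option<(String, u16)> {
    if let Some(rest) = ep.strip_prefix('[') {
        let (host, tail) = rest.split_once(']')?; // bracket form, e.g. [::1]:8282
        let port = match tail { "" => DEFAULT_RTR_PORT, t => t.strip_prefix(':')?.parse().ok()? };
        return Some((host.to_string(), port));
    }
    match ep.rsplit_once(':') {
        Some((h, p)) if !h.contains(':') => Some((h.to_string(), p.parse().ok()?)),
        Some(_) => None, // unbracketed IPv6 literal: cannot tell host from port
        None => Some((ep.to_string(), DEFAULT_RTR_PORT)),
    }
}

/// Reset Query PDU (type 2): header only; the length field counts the header itself.
pub fn reset_query(version: u8) -> [u8; 8] { [version, 2, 0, 0, 0, 0, 0, 8] }

/// Version negotiation (RFC 8210 section 7) after a v1 Reset Query: a Cache Response (type 3)
/// fixes the version; an Error Report (type 10) with error number 4 means reconnect with v0.
pub fn negotiate_version(reply: &[u8]) -> Option<u8> {
    if reply.len() < 8 { return None; }
    match (reply[1], u16::from_be_bytes([reply[2], reply[3]])) {
        (3, _) => Some(reply[0]),
        (10, 4) => Some(0),
        _ => None,
    }
}

/// Decode an IPv4 (type 4, 20 bytes) or IPv6 (type 6, 32 bytes) Prefix PDU into a ROA.
/// Layout after the 8-byte header: flags, prefix len, max len, zero, prefix, ASN.
pub fn decode_prefix_pdu(pdu: &[u8]) -> Option<RtrRoa> {
    if pdu.len() < 8 || u32::from_be_bytes(pdu[4..8].try_into().ok()?) as usize != pdu.len() { return None; }
    let (prefix, asn_at, bits) = match (pdu[1], pdu.len()) {
        (4, 20) => (IpAddr::V4(Ipv4Addr::from(<[u8; 4]>::try_from(&pdu[12..16]).ok()?)), 16, 32),
        (6, 32) => (IpAddr::V6(Ipv6Addr::from(<[u8; 16]>::try_from(&pdu[12..28]).ok()?)), 28, 128),
        _ => return None, // wrong type, or a length that does not match the type
    };
    let (prefix_len, max_len) = (pdu[9], pdu[10]);
    if prefix_len > max_len || max_len > bits { return None; } // reject malformed length ranges
    let asn = u32::from_be_bytes(pdu[asn_at..asn_at + 4].try_into().ok()?);
    Some(RtrRoa { prefix, prefix_len, max_len, asn, announce: pdu[8] & 1 == 1 })
}
```

A real client would also verify the declared PDU length before reading the body from the socket, and handle Serial Notify, End of Data and Cache Reset PDUs, which this example omits.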

Copilot AI left a comment


Pull request overview

This PR adds support for fetching RPKI ROAs via the RTR (RPKI-to-Router) protocol, wires it into configuration and CLI flows, and tracks ROA/ASPA data sources in the database so downstream tooling can display where data came from.

Changes:

  • Introduces an RtrClient implementing RTR v1 with v0 downgrade and converts RTR prefix PDUs into RpkiRoaRecords.
  • Extends the RPKI lens, configuration, CLI, and database schema to support RTR-based refreshes, configurable timeouts, and per-type data source metadata for ROAs and ASPAs.
  • Updates CLI outputs and changelog to surface the new configuration knobs and to display human-readable RPKI data sources.

Reviewed changes

Copilot reviewed 6 out of 8 changed files in this pull request and generated 3 comments.

| File | Description |
|---|---|
| src/lens/rpki/rtr.rs | New RTR client that speaks RFC 8210 (v1 with v0 fallback), connects over TCP with timeouts, and converts Prefix PDUs into ROA records; includes basic unit and ignored integration tests. |
| src/lens/rpki/mod.rs | Exposes RtrClient, adds RpkiRefreshResult, refactors ROA/ASPA extraction into helpers, adds refresh_with_rtr with configurable fallback behavior, and uses the new store signature with ROA/ASPA sources. |
| src/database/monocle/rpki.rs | Extends RpkiCacheMetadata with roa_source/aspa_source, adds format_source, updates the rpki_meta schema and store to persist sources, and introduces a lightweight migration plus tests updating all store call sites. |
| src/database/monocle/mod.rs | Adjusts the RPKI repository test helper to call the new store(&roas, &aspas, roa_source, aspa_source) signature. |
| src/config.rs | Adds RTR-related config fields (host, port, timeout, no-fallback), parses them from TOML/env, surfaces them in summary(), and updates tests and the default config template. |
| src/bin/commands/rpki.rs | Switches to using RpkiLens (no direct load_current_rpki), reuses ensure_rpki_cache, and updates validate/roas_from_cache/aspas_from_cache to print a dynamic data source string via meta.format_source(). |
| src/bin/commands/config.rs | Replaces direct RPKI loading with RpkiLens::refresh_with_rtr, adds --rtr-endpoint override, wires effective RTR endpoint/timeout/no-fallback logic, and propagates warnings on RTR failure plus updated summary messages. |
| CHANGELOG.md | Documents RTR support, including config/env/CLI options, fallback semantics, timeouts, and version negotiation behavior. |


- Fix doc comment for refresh_with_rtr to describe RpkiRefreshResult return type
- Run migration in get_metadata() to handle older databases without source columns
- Update core schema definition to include roa_source and aspa_source columns
@digizeph digizeph merged commit 8a771d8 into main Feb 2, 2026
1 check passed
@digizeph digizeph deleted the feat/rpki-rtr branch February 2, 2026 14:23

Linked issue (may be closed by this pull request): RPKI ROV using RTR endpoint