Skip to main content

RuntimeContext

ai_memory::runtime_context

Struct RuntimeContext 

Source 
pub struct RuntimeContext {
    pub hooks_hmac_secret: RwLock<Option<String>>,
    pub max_decompressed_bytes: RwLock<Option<usize>>,
    pub audit: Arc<AuditState>,
    pub recall_tracker: Arc<SessionRecallTracker>,
    pub keypair_cache: Arc<Mutex<HashMap<String, Keypair>>>,
    pub reranker: OnceLock<Arc<BatchedReranker>>,
}
Expand description

Cross-surface substrate state.

Held as Arc<RuntimeContext> by every long-lived runtime: HTTP daemon AppState, MCP stdio dispatch, CLI command handlers. Fields are read-mostly; mutable-config fields use RwLock for the rare reload path, and the audit chain uses interior Mutex to keep emit ordering atomic across producers (matching the pre-#1192 audit::SINK lock posture).

#1262 — Debug is implemented manually below to redact the hooks_hmac_secret field; the derived impl would have leaked the raw HMAC bytes through any {:?} print. #1258 — the manual Drop impl zeroizes the secret on scope exit.

Fields§

§hooks_hmac_secret: RwLock<Option<String>>

v0.7.0 K7 — resolved webhook HMAC override. None when the operator has not configured [hooks.subscription] hmac_secret, in which case per-subscription secrets carry the signing key. Mutable so the K7 integration tests can flip mid-process; in production this is set once at boot from AppConfig::effective_hooks_hmac_secret.

#1262 — manual Debug impl redacts this to <redacted> when present; #1258 — manual Drop impl zeroizes the secret on scope exit.

§max_decompressed_bytes: RwLock<Option<usize>>

I1 cap (#628 agent-3 follow-up) — per-call transcript decompression cap. None means “use the compiled default” (crate::transcripts::MAX_DECOMPRESSED_BYTES). Operators raise the cap via [transcripts] max_decompressed_bytes = ... and boot writes the resolved value here.

§audit: Arc<AuditState>

V-4 audit chain state — the load-bearing tamper-evidence substrate. See AuditState for the chain invariants the crate::audit::* public surface preserves.

§recall_tracker: Arc<SessionRecallTracker>

Per-session recall tracker (Form 2 #518 / #1091). Tracks the last N memory ids returned to each session_id so the recall hot path can apply a +0.05 boost to repeat candidates. Process- global by design — operator restart clears every session’s recent set.

§keypair_cache: Arc<Mutex<HashMap<String, Keypair>>>

Per-agent X25519 keypair cache. Populated lazily by crate::encryption::get_or_create_keypair on first encrypt / decrypt for an agent_id; persists for the lifetime of the process. A future issue will swap this for an on-disk store; the in-memory shape lets the encryption substrate land without forcing a key-rotation tool design decision in the same patch.

§reranker: OnceLock<Arc<BatchedReranker>>

#1691 — process-global cross-encoder reranker for the autonomous tier. Installed once at serve boot (HTTP daemon) when the resolved tier enables the cross-encoder, so the HTTP recall handler applies the SAME neural rerank stage the MCP/CLI recall paths already run (closing the documented HTTP-skips-rerank drift, formerly the n23 NOTE in handlers/recall.rs). Empty on keyword/semantic/smart tiers and in tests — recall then runs without the rerank stage. Interior OnceLock keeps RuntimeContext: Default so no AppState construction site has to change to carry the handle.

Implementations§

Source§

impl RuntimeContext

Source

pub fn install_global(ctx: RuntimeContext)

Install a custom RuntimeContext as the process-wide singleton. Idempotent in the same sense as OnceLock::set — the first install wins; subsequent calls are silently ignored (the returned Result is suppressed to keep the boot path infallible against an accidental double-install).

Boot code typically does NOT call this — the lazy-init in [global()] is sufficient, and the legacy set_* accessors (crate::config::set_active_hooks_hmac_secret etc.) populate the inner fields via interior mutability. The hook exists for the rare test that wants to pin a non-default starting state.

Source

pub fn global() -> &'static RuntimeContext

Return a borrowed reference to the process-wide RuntimeContext. Seeds the singleton with RuntimeContext::default on first call so callers never see None — same get_or_init semantics as the per-static OnceLocks this struct replaced.

The returned reference is &'static because the singleton Arc<RuntimeContext> lives inside a process-wide OnceLock that itself never drops — once seeded, the Arc (and the RuntimeContext it owns) outlives the entire process.

Source

pub fn global_arc() -> Arc<RuntimeContext>

Return a cloned Arc<RuntimeContext> to the process-wide singleton. Cheap (refcount increment, no allocation). Used by long-lived runtime structs (notably AppState::runtime) that want to keep a typed handle on a field rather than re-grabbing the global via RuntimeContext::global on every access.

Source

pub fn install_reranker(&self, reranker: Arc<BatchedReranker>)

#1691 — install the process-global cross-encoder reranker. First writer wins (OnceLock semantics); subsequent installs are silently ignored. Called once at serve boot via interior mutability on the singleton — the same set_*-on-the-global pattern the other extracted statics use, so no AppState construction site changes.

Source

pub fn reranker(&self) -> Option<&Arc<BatchedReranker>>

#1691 — borrow the installed cross-encoder reranker, if any. None on non-autonomous tiers and in tests, where HTTP recall runs without the neural rerank stage.

Trait Implementations§

Source§

impl Debug for RuntimeContext

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

#1262 — redact hooks_hmac_secret so accidental {:?} prints of the runtime context never leak the HMAC signing key. The remaining fields are non-secret and use their derived Debug.

Source§

impl Default for RuntimeContext

Source§

fn default() -> RuntimeContext

Returns the “default value” for a type. Read more
Source§

impl Drop for RuntimeContext

Source§

fn drop(&mut self)

#1258 — zeroize the resolved hooks_hmac_secret (if any) on scope exit so the HMAC signing key does not linger on the heap past the runtime context’s lifetime.

Source§

fn pin_drop(self: Pin<&mut Self>)

🔬This is a nightly-only experimental API. (pin_ergonomics)
Execute the destructor for this type, but different to Drop::drop, it requires self to be pinned. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> ErasedDestructor for T
where T: 'static,

Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoEither for T

Source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

impl<T> Pointable for T

Source§

const ALIGN: usize

The alignment of pointer.
Source§

type Init = T

The type for initializers.
Source§

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer. Read more
Source§

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer. Read more
Source§

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer. Read more
Source§

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer. Read more
Source§

impl<T> PolicyExt for T
where T: ?Sized,

Source§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Sized + Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more
Source§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Sized + Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more