arcly-http 0.3.1

Enterprise-grade NestJS-inspired web framework on axum: zero-lock DI, declarative controllers, multi-tenant data routing, transactional outbox, ABAC, and a self-documenting OpenAPI surface
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187

//! Event consumer mesh — the inbound half of the event architecture.
//!
//! The transactional outbox (`data::outbox`) made *producing* events safe;
//! this module gives *consuming* them the same framework-grade guarantees,
//! with NestJS-style ergonomics:
//!
//! ```ignore
//! pub struct OrderEventsConsumer;
//!
//! #[EventConsumer]
//! impl OrderEventsConsumer {
//!     #[EventPattern("order.confirmed")]
//!     async fn on_confirmed(ctx: EventContext) -> Result<(), String> {
//!         let evt: OrderConfirmed = ctx.payload()?;
//!         ctx.inject::<InventoryService>().reserve(evt.order_id).await
//!     }
//! }
//! ```
//!
//! ## Guarantees
//!
//! - **Frozen dispatch** — `#[EventPattern]` handlers register through
//!   `inventory` (the same link-time mechanism as `#[Controller]`); the
//!   topic→handler map is built once at runtime start and never mutated.
//! - **At-least-once + dedupe** — when an `IdempotencyStore` is in the DI
//!   container, each `idempotency_key` is consumed exactly once per TTL.
//! - **Bounded retries → DLQ** — a failing message is `nack`ed and retried
//!   up to `max_retries`, then dead-lettered with the failure reason; one
//!   poison message can never wedge a topic.
//! - **Trace continuity** — the envelope's `traceparent` (stamped by the
//!   outbox producer) becomes this hop's parent span; async hops chain in
//!   the trace UI instead of starting orphan roots.
//!
//! The transport (Kafka / AMQP / NATS / in-process bridge) is app-provided
//! via [`MessageTransport`] — the same boundary rule as every other driver.

pub mod event;
pub mod runtime;

pub use runtime::ConsumerRuntime;

use futures::future::BoxFuture;

use crate::core::engine::FrozenDiContainer;
use crate::observability::propagation::TraceContext;

// ─── Envelope ─────────────────────────────────────────────────────────────────

/// One inbound message, transport-agnostic.
#[derive(Clone, Debug)]
pub struct InboundMessage {
    pub topic: String,
    pub payload: serde_json::Value,
    /// Consumers dedupe on this under at-least-once delivery.
    pub idempotency_key: String,
    pub tenant: Option<String>,
    /// W3C trace context stamped by the producer (outbox), if any.
    pub traceparent: Option<String>,
}

// ─── Transport contract ───────────────────────────────────────────────────────

/// App-provided broker adapter (Kafka / AMQP / NATS / in-process bridge).
/// Boxed error for infrastructure trait contracts (transports, sinks,
/// publishers). `String` and `&str` convert via `.into()`, so simple
/// implementations stay simple while real ones keep their source chain.
pub type BoxError = Box<dyn std::error::Error + Send + Sync>;

pub trait MessageTransport: Send + Sync + 'static {
    /// Pull up to `max` messages. An empty Vec means "nothing right now".
    fn poll(&self, max: usize) -> BoxFuture<'_, Result<Vec<InboundMessage>, BoxError>>;
    /// Acknowledge successful processing (message will not be redelivered).
    fn ack<'a>(&'a self, msg: &'a InboundMessage) -> BoxFuture<'a, Result<(), BoxError>>;
    /// Negative-ack: requeue for a later retry.
    fn nack<'a>(&'a self, msg: &'a InboundMessage) -> BoxFuture<'a, Result<(), BoxError>>;
    /// Park a poison message out of band, with the final failure reason.
    fn dead_letter<'a>(
        &'a self,
        msg: &'a InboundMessage,
        reason: &'a str,
    ) -> BoxFuture<'a, Result<(), BoxError>>;
}

// ─── Consumer-side context ────────────────────────────────────────────────────

/// What an `#[EventPattern]` handler receives — DI + payload + trace, no
/// HTTP types anywhere.
#[non_exhaustive]
pub struct EventContext {
    pub message: InboundMessage,
    pub container: &'static FrozenDiContainer,
    /// Continues the producer's trace (or a fresh root when none was carried).
    pub trace: TraceContext,
    /// The envelope's tenant, resolved + validated against the same
    /// `TenantRegistry` as HTTP traffic (suspended tenants never reach
    /// handlers — their events are dead-lettered upstream).
    pub tenant: Option<std::sync::Arc<crate::web::tenant::TenantConfig>>,
}

impl EventContext {
    /// Resolve a singleton service. O(1), no locks. Panics when absent.
    #[inline]
    pub fn inject<T: Send + Sync + 'static>(&self) -> &'static T {
        self.container.get::<T>()
    }

    /// Non-panicking variant of [`Self::inject`].
    #[inline]
    pub fn try_inject<T: Send + Sync + 'static>(&self) -> Option<&'static T> {
        self.container.try_get::<T>()
    }

    /// Deserialize the payload into a typed event.
    ///
    /// A malformed payload is permanent by definition, so the error is
    /// already [`EventError::DeadLetter`] — `ctx.payload()?` does the right
    /// thing without manual mapping.
    pub fn payload<T: serde::de::DeserializeOwned>(&self) -> Result<T, EventError> {
        // By-ref deserialization — no clone of the (possibly large) payload.
        serde::Deserialize::deserialize(&self.message.payload)
            .map_err(|e| EventError::DeadLetter(format!("payload decode failed: {e}")))
    }

    /// `traceparent` for forwarding to the next hop (HTTP call, next queue).
    pub fn traceparent(&self) -> String {
        self.trace.to_traceparent()
    }
}

// ─── Typed handler errors ─────────────────────────────────────────────────────

/// What the mesh should do with a failed message. Handlers may keep
/// returning `Result<(), String>` (strings convert to [`EventError::Retry`])
/// or return `EventError` directly to decide the message's fate:
///
/// ```ignore
/// #[EventPattern("order.confirmed")]
/// async fn on_confirmed(ctx: EventContext) -> Result<(), EventError> {
///     let order: Order = ctx
///         .payload()
///         .map_err(EventError::DeadLetter)?; // malformed: retrying won't help
///     warehouse.reserve(&order).await
///         .map_err(|e| EventError::Retry(e.to_string()))      // transient
/// }
/// ```
#[derive(Debug)]
pub enum EventError {
    /// Transient failure (downstream 5xx, lock contention): nack → bounded
    /// retries → dead-letter at `max_retries`.
    Retry(String),
    /// Permanent failure (malformed payload, violated business invariant):
    /// dead-letter **immediately** — burning the retry budget on a poison
    /// message only delays the alert.
    DeadLetter(String),
}

impl From<String> for EventError {
    fn from(s: String) -> Self {
        Self::Retry(s)
    }
}
impl From<&str> for EventError {
    fn from(s: &str) -> Self {
        Self::Retry(s.to_owned())
    }
}
impl std::fmt::Display for EventError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::Retry(m) => write!(f, "retryable: {m}"),
            Self::DeadLetter(m) => write!(f, "poison: {m}"),
        }
    }
}
impl std::error::Error for EventError {}

// ─── Handler registration (filled in by #[EventConsumer]) ────────────────────

/// Static descriptor emitted by the `#[EventPattern]` expansion and collected
/// at link time — the runtime freezes these into its dispatch map at start.
pub struct EventHandlerDescriptor {
    pub topic: &'static str,
    pub consumer: &'static str,
    pub handler: fn(EventContext) -> BoxFuture<'static, Result<(), EventError>>,
}

inventory::collect!(&'static EventHandlerDescriptor);