asupersync 0.3.4

Spec-first, cancel-correct, capability-secure async runtime for Rust.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346

//! ATP daemon supervision topology primitives.
//!
//! These types are pure data used by `atpd` to describe its AppSpec-shaped
//! supervision tree before any runtime state is allocated.

use std::collections::{BTreeMap, BTreeSet};
use std::fmt;

/// Region that owns one atpd child.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub struct AtpdRegionId(u64);

impl AtpdRegionId {
    /// Construct a region id.
    #[must_use]
    pub const fn new(raw: u64) -> Self {
        Self(raw)
    }

    /// Return the raw region id.
    #[must_use]
    pub const fn get(self) -> u64 {
        self.0
    }
}

/// Stable child roles in the atpd root supervisor.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub enum AtpdChildRole {
    /// Owns local daemon identity, signing keys, and capability roots.
    IdentityManager,
    /// Tracks known peers and authenticated peer metadata.
    PeerDirectory,
    /// Owns path candidates, path selection, and network observation.
    PathManager,
    /// Accepts inbound offers and receive-side grants.
    ReceiveService,
    /// Supervises per-transfer actors.
    TransferSupervisor,
    /// Owns verified cache state and seeding decisions.
    CacheSeeder,
    /// Owns local inbox, encrypted mailbox, and store-and-forward state.
    InboxMailbox,
    /// Exposes local diagnostics and structured health state.
    DiagnosticsEndpoint,
    /// Optional relay role.
    RelayService,
    /// Optional rendezvous role.
    RendezvousService,
}

impl AtpdChildRole {
    /// Stable service name used for name leases and diagnostics.
    #[must_use]
    pub const fn service_name(self) -> &'static str {
        match self {
            Self::IdentityManager => "identity_manager",
            Self::PeerDirectory => "peer_directory",
            Self::PathManager => "path_manager",
            Self::ReceiveService => "receive_service",
            Self::TransferSupervisor => "transfer_supervisor",
            Self::CacheSeeder => "cache_seeder",
            Self::InboxMailbox => "inbox_mailbox",
            Self::DiagnosticsEndpoint => "diagnostics_endpoint",
            Self::RelayService => "relay_service",
            Self::RendezvousService => "rendezvous_service",
        }
    }

    /// Whether this role is optional in the base atpd AppSpec.
    #[must_use]
    pub const fn is_optional(self) -> bool {
        matches!(self, Self::RelayService | Self::RendezvousService)
    }
}

/// Restart policy applied to one atpd child.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AtpdRestartPolicy {
    /// A failure escalates to the atpd root supervisor.
    CriticalEscalate,
    /// Restart within a bounded window.
    Restart {
        /// Maximum restarts in the configured window.
        max_restarts: u8,
        /// Restart window in seconds.
        window_secs: u64,
    },
    /// Optional child is disabled after failure.
    DisableOptional,
}

/// Name lease attached to a child at start.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AtpdNameLease {
    /// Stable service name.
    pub name: &'static str,
    /// Lease is scoped to the daemon root.
    pub root_scoped: bool,
}

/// Stop behavior for one child during daemon shutdown.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AtpdStopAction {
    /// Stop the child after its dependents have stopped.
    StopChild,
    /// Drain live transfer actors and require resume state for unfinished work.
    DrainTransfers {
        /// Resume state must be durable before shutdown can complete.
        require_resume_state: bool,
    },
    /// Release a daemon-local registry/name lease.
    ReleaseNameLease,
}

/// Child specification in the atpd AppSpec-shaped topology.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AtpdChildSpec {
    /// Child role.
    pub role: AtpdChildRole,
    /// Region that owns the child.
    pub region: AtpdRegionId,
    /// Parent region. Must equal the atpd root region.
    pub parent_region: AtpdRegionId,
    /// Dependencies that must start first.
    pub depends_on: Vec<AtpdChildRole>,
    /// Restart policy for this child.
    pub restart: AtpdRestartPolicy,
    /// Name lease acquired at start.
    pub lease: AtpdNameLease,
    /// Stop actions for this child.
    pub stop_actions: Vec<AtpdStopAction>,
}

impl AtpdChildSpec {
    /// Construct a child spec.
    #[must_use]
    pub fn new(
        role: AtpdChildRole,
        region: AtpdRegionId,
        parent_region: AtpdRegionId,
        depends_on: Vec<AtpdChildRole>,
        restart: AtpdRestartPolicy,
        stop_actions: Vec<AtpdStopAction>,
    ) -> Self {
        Self {
            role,
            region,
            parent_region,
            depends_on,
            restart,
            lease: AtpdNameLease {
                name: role.service_name(),
                root_scoped: true,
            },
            stop_actions,
        }
    }
}

/// Validation errors for the atpd topology.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AtpdTopologyError {
    /// Child role appeared twice.
    DuplicateRole(AtpdChildRole),
    /// Child region appeared twice.
    DuplicateRegion(AtpdRegionId),
    /// Child parent does not equal the atpd root.
    DetachedChild {
        /// Child role.
        role: AtpdChildRole,
        /// Observed parent.
        parent: AtpdRegionId,
        /// Expected root.
        expected: AtpdRegionId,
    },
    /// Child dependency is missing from the topology.
    MissingDependency {
        /// Child role.
        role: AtpdChildRole,
        /// Missing dependency role.
        dependency: AtpdChildRole,
    },
    /// Required role is absent.
    MissingRequiredRole(AtpdChildRole),
    /// Topology contains a dependency cycle.
    DependencyCycle,
    /// Transfer supervisor is missing drain/resume stop behavior.
    TransferDrainMissing,
}

impl fmt::Display for AtpdTopologyError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::DuplicateRole(role) => write!(f, "duplicate atpd role {role:?}"),
            Self::DuplicateRegion(region) => write!(f, "duplicate atpd region {}", region.get()),
            Self::DetachedChild {
                role,
                parent,
                expected,
            } => write!(
                f,
                "atpd child {role:?} is parented by {}, expected {}",
                parent.get(),
                expected.get()
            ),
            Self::MissingDependency { role, dependency } => {
                write!(f, "atpd child {role:?} depends on missing {dependency:?}")
            }
            Self::MissingRequiredRole(role) => write!(f, "missing required atpd role {role:?}"),
            Self::DependencyCycle => f.write_str("atpd dependency cycle"),
            Self::TransferDrainMissing => {
                f.write_str("transfer supervisor must drain or persist resume state")
            }
        }
    }
}

impl std::error::Error for AtpdTopologyError {}

/// Pure topology used to compile deterministic start/stop plans.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AtpdTopology {
    /// Root supervisor region.
    pub root_region: AtpdRegionId,
    /// Child specs in declaration order.
    pub children: Vec<AtpdChildSpec>,
}

impl AtpdTopology {
    /// Required daemon roles.
    pub const REQUIRED_ROLES: [AtpdChildRole; 8] = [
        AtpdChildRole::IdentityManager,
        AtpdChildRole::PeerDirectory,
        AtpdChildRole::PathManager,
        AtpdChildRole::ReceiveService,
        AtpdChildRole::TransferSupervisor,
        AtpdChildRole::CacheSeeder,
        AtpdChildRole::InboxMailbox,
        AtpdChildRole::DiagnosticsEndpoint,
    ];

    /// Validate topology invariants.
    pub fn validate(&self) -> Result<(), AtpdTopologyError> {
        let mut roles = BTreeSet::new();
        let mut regions = BTreeSet::new();
        for child in &self.children {
            if !roles.insert(child.role) {
                return Err(AtpdTopologyError::DuplicateRole(child.role));
            }
            if !regions.insert(child.region) {
                return Err(AtpdTopologyError::DuplicateRegion(child.region));
            }
            if child.parent_region != self.root_region {
                return Err(AtpdTopologyError::DetachedChild {
                    role: child.role,
                    parent: child.parent_region,
                    expected: self.root_region,
                });
            }
        }

        for required in Self::REQUIRED_ROLES {
            if !roles.contains(&required) {
                return Err(AtpdTopologyError::MissingRequiredRole(required));
            }
        }

        for child in &self.children {
            for dependency in &child.depends_on {
                if !roles.contains(dependency) {
                    return Err(AtpdTopologyError::MissingDependency {
                        role: child.role,
                        dependency: *dependency,
                    });
                }
            }
        }

        let transfer = self
            .children
            .iter()
            .find(|child| child.role == AtpdChildRole::TransferSupervisor)
            .expect("required role already checked");
        if !transfer
            .stop_actions
            .iter()
            .any(|action| matches!(action, AtpdStopAction::DrainTransfers { .. }))
        {
            return Err(AtpdTopologyError::TransferDrainMissing);
        }

        self.start_order().map(|_| ())
    }

    /// Compute deterministic dependency-respecting start order.
    pub fn start_order(&self) -> Result<Vec<AtpdChildRole>, AtpdTopologyError> {
        let children: BTreeMap<AtpdChildRole, &AtpdChildSpec> = self
            .children
            .iter()
            .map(|child| (child.role, child))
            .collect();
        let mut started = BTreeSet::new();
        let mut order = Vec::with_capacity(self.children.len());

        while order.len() < self.children.len() {
            let before = order.len();
            for child in &self.children {
                if started.contains(&child.role) {
                    continue;
                }
                if child
                    .depends_on
                    .iter()
                    .all(|dependency| started.contains(dependency))
                {
                    if !children.contains_key(&child.role) {
                        return Err(AtpdTopologyError::MissingRequiredRole(child.role));
                    }
                    started.insert(child.role);
                    order.push(child.role);
                }
            }
            if before == order.len() {
                return Err(AtpdTopologyError::DependencyCycle);
            }
        }

        Ok(order)
    }

    /// Deterministic stop order: dependents stop before dependencies.
    pub fn stop_order(&self) -> Result<Vec<AtpdChildRole>, AtpdTopologyError> {
        let mut order = self.start_order()?;
        order.reverse();
        Ok(order)
    }

    /// Return true if every child is rooted under the daemon root region.
    #[must_use]
    pub fn no_detached_children(&self) -> bool {
        self.children
            .iter()
            .all(|child| child.parent_region == self.root_region)
    }
}