engenho-revoada 0.1.4

engenho's distribution layer — dynamic K8s control-plane / worker role shifting via Raft consensus + gossip membership + P2P content sync + BLAKE3 attested transitions. Read docs/DISTRIBUTED.md.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347

//! # InMemoryStore — the shared verb-impl backend
//!
//! Every face needs the same shape of in-memory state to back its
//! 5-verb contract: a HashMap of stored envelopes, a Vec of watch
//! subscribers, and an AdapterRegistry for format conversion. This
//! module ships that shape as one shared helper so all five faces
//! compose with it.
//!
//! Per the prime-directive third-site rule: PureRaftFace shipped
//! verbs first; KubernetesFace + NomadFace + SystemdFace +
//! BareMetalSupervisorFace would have each re-implemented the same
//! ~70-line pattern. Lifting to one helper means each face is
//! 5 lines of delegation + its own lifecycle hooks. Future R6
//! per-face backends (kube-apiserver / nomad HTTP / dbus / etc.)
//! REPLACE the InMemoryStore in their face; the operator-facing
//! contract stays identical.

use std::collections::HashMap;
use std::sync::Mutex;

use crate::face::{
    FaceError, FaceWatchEvent, FaceWatchEventKind, FaceWatchStream, ResourceFormat, ResourceRef,
};
use crate::format::AdapterRegistry;

/// The shared verb backend. Owns the in-memory state +
/// subscribers + adapter registry; honors the same byte-level
/// semantics every face's verb impls promise.
pub struct InMemoryStore {
    /// Face name (used for diagnostic messages in adapter errors).
    face_name: String,
    /// Resource → envelope bytes (CBOR-encoded NativeEnvelope when
    /// applied via Native; raw operator bytes when applied via
    /// Yaml/Json/Hcl — the adapter wraps either case to match
    /// `Native` round-tripping).
    store: Mutex<HashMap<ResourceRef, Vec<u8>>>,
    /// Watch fan-out subscribers. Apply/delete iterate this list +
    /// send to each matching subscriber.
    subscribers: Mutex<Vec<WatchSubscriber>>,
    /// Format adapters supported by this face. Defaults to the
    /// 3-adapter standard set; custom registries land via
    /// [`Self::with_adapters`].
    adapters: AdapterRegistry,
}

struct WatchSubscriber {
    sender: Option<std::sync::mpsc::Sender<FaceWatchEvent>>,
    kind_filter: String,
    namespace_filter: Option<String>,
}

impl InMemoryStore {
    /// Build an empty store with the default adapter registry.
    /// `face_name` flows into adapter error messages so multi-face
    /// federations can identify which face raised an error.
    #[must_use]
    pub fn new(face_name: impl Into<String>) -> Self {
        Self {
            face_name: face_name.into(),
            store: Mutex::new(HashMap::new()),
            subscribers: Mutex::new(Vec::new()),
            adapters: AdapterRegistry::default(),
        }
    }

    /// Replace the adapter registry. Builder hook for tests + for
    /// faces that want a non-default format set.
    pub fn set_adapters(&mut self, adapters: AdapterRegistry) {
        self.adapters = adapters;
    }

    /// Borrow the adapter registry — diagnostics + tests.
    #[must_use]
    pub fn adapters(&self) -> &AdapterRegistry {
        &self.adapters
    }

    /// Helper: select the registered adapter for `format`.
    fn select_adapter(
        &self,
        format: ResourceFormat,
        verb: &'static str,
    ) -> Result<std::sync::Arc<dyn crate::format::FormatAdapter>, FaceError> {
        self.adapters
            .select(format)
            .map_err(|e| FaceError::Unsupported(format!("{verb}: {e}")))
    }

    /// Fan an event to every subscriber whose filter matches.
    fn broadcast(&self, reference: &ResourceRef, event_kind: FaceWatchEventKind, body: Vec<u8>) {
        let mut subs = self.subscribers.lock().expect("subscribers mutex poisoned");
        subs.retain_mut(|sub| {
            if sub.kind_filter != reference.kind {
                return true;
            }
            if let Some(ns) = &sub.namespace_filter
                && reference.namespace.as_deref() != Some(ns.as_str())
            {
                return true;
            }
            let Some(sender) = &sub.sender else { return false };
            let event = FaceWatchEvent {
                kind: event_kind,
                body: body.clone(),
            };
            sender.send(event).is_ok()
        });
    }

    // ── Verb impls ────────────────────────────────────────────────

    /// Apply: adapter extracts ref + converts to envelope; store
    /// + broadcast.
    pub fn apply(&self, format: ResourceFormat, body: &[u8]) -> Result<(), FaceError> {
        let adapter = self.select_adapter(format, "apply_resource")?;
        let reference = adapter
            .extract_ref(format, body)
            .map_err(|e| FaceError::Unsupported(format!("apply_resource: {e}")))?;
        let envelope = adapter
            .to_native(format, body)
            .map_err(|e| FaceError::Unsupported(format!("apply_resource: {e}")))?;
        let mut store = self.store.lock().expect("store mutex poisoned");
        let event_kind = if store.contains_key(&reference) {
            FaceWatchEventKind::Modified
        } else {
            FaceWatchEventKind::Added
        };
        store.insert(reference.clone(), envelope.clone());
        drop(store);
        self.broadcast(&reference, event_kind, envelope);
        Ok(())
    }

    /// Get: lookup + adapter.from_native rendering.
    pub fn get(
        &self,
        reference: &ResourceRef,
        format: ResourceFormat,
    ) -> Result<Vec<u8>, FaceError> {
        let adapter = self.select_adapter(format, "get_resource")?;
        let store = self.store.lock().expect("store mutex poisoned");
        let envelope = store.get(reference).cloned().ok_or_else(|| {
            FaceError::Unsupported(format!(
                "get_resource on {}: no resource at {reference:?}",
                self.face_name
            ))
        })?;
        drop(store);
        adapter
            .from_native(format, &envelope)
            .map_err(|e| FaceError::Unsupported(format!("get_resource: {e}")))
    }

    /// List: filter by kind+namespace; render each via adapter.
    pub fn list(
        &self,
        kind: &str,
        namespace: Option<&str>,
        format: ResourceFormat,
    ) -> Result<Vec<Vec<u8>>, FaceError> {
        let adapter = self.select_adapter(format, "list_resources")?;
        let store = self.store.lock().expect("store mutex poisoned");
        let envelopes: Vec<Vec<u8>> = store
            .iter()
            .filter(|(r, _)| r.kind == kind)
            .filter(|(r, _)| match namespace {
                Some(ns) => r.namespace.as_deref() == Some(ns),
                None => true,
            })
            .map(|(_, bytes)| bytes.clone())
            .collect();
        drop(store);
        let mut out = Vec::with_capacity(envelopes.len());
        for env in envelopes {
            out.push(
                adapter
                    .from_native(format, &env)
                    .map_err(|e| FaceError::Unsupported(format!("list_resources: {e}")))?,
            );
        }
        Ok(out)
    }

    /// Delete: remove from store; broadcast Deleted event with
    /// prior envelope body.
    pub fn delete(&self, reference: &ResourceRef) -> Result<(), FaceError> {
        let mut store = self.store.lock().expect("store mutex poisoned");
        let body = store.remove(reference).ok_or_else(|| {
            FaceError::Unsupported(format!(
                "delete_resource on {}: no resource at {reference:?}",
                self.face_name
            ))
        })?;
        drop(store);
        self.broadcast(reference, FaceWatchEventKind::Deleted, body);
        Ok(())
    }

    // ── Snapshot / Restore ────────────────────────────────────────
    //
    // Deterministic state capture: emit a single CBOR-serialized
    // payload that holds every `ResourceRef` + envelope bytes the
    // store currently owns. Restore replays into a fresh store.
    // Foundation for: backup-on-shutdown, restore-on-startup,
    // in-memory cluster cloning, federation member migration.
    //
    // Pure-data primitive — no I/O. Operators wire to disk / object
    // store / network via the bytes the snapshot returns.

    /// Serialize every (ResourceRef, envelope) pair the store
    /// currently holds into a CBOR-encoded byte buffer. Stable
    /// ordering: entries are sorted by (kind, namespace, name) so
    /// two snapshots of the same logical state produce byte-
    /// identical output.
    ///
    /// # Errors
    ///
    /// Returns [`FaceError::Unsupported`] on CBOR encode failure
    /// (effectively unreachable — `Vec<(ResourceRef, Vec<u8>)>` is
    /// always serializable).
    pub fn snapshot(&self) -> Result<Vec<u8>, FaceError> {
        let store = self.store.lock().expect("store mutex poisoned");
        let mut entries: Vec<(ResourceRef, Vec<u8>)> = store
            .iter()
            .map(|(r, body)| (r.clone(), body.clone()))
            .collect();
        drop(store);
        entries.sort_by(|a, b| {
            a.0.kind
                .cmp(&b.0.kind)
                .then(a.0.namespace.cmp(&b.0.namespace))
                .then(a.0.name.cmp(&b.0.name))
        });
        let mut out = Vec::new();
        ciborium::into_writer(&entries, &mut out).map_err(|e| {
            FaceError::Unsupported(format!("snapshot: cbor encode failed: {e}"))
        })?;
        Ok(out)
    }

    /// Replay a snapshot into this store. **Replaces** the entire
    /// store contents (any existing entries are dropped). Emits no
    /// watch events — restore is a state-resync, not a sequence of
    /// applies.
    ///
    /// # Errors
    ///
    /// Returns [`FaceError::Unsupported`] on CBOR decode failure
    /// (malformed snapshot bytes).
    pub fn restore(&self, snapshot_bytes: &[u8]) -> Result<(), FaceError> {
        let entries: Vec<(ResourceRef, Vec<u8>)> =
            ciborium::from_reader(snapshot_bytes).map_err(|e| {
                FaceError::Unsupported(format!("restore: cbor decode failed: {e}"))
            })?;
        let mut store = self.store.lock().expect("store mutex poisoned");
        store.clear();
        for (r, body) in entries {
            store.insert(r, body);
        }
        Ok(())
    }

    /// Number of resources currently stored. Used by ClusterHealth.
    #[must_use]
    pub fn len(&self) -> usize {
        self.store.lock().map(|s| s.len()).unwrap_or(0)
    }

    /// True iff the store has no resources.
    #[must_use]
    pub fn is_empty(&self) -> bool {
        self.len() == 0
    }

    /// Number of active watch subscribers. Used by ClusterHealth.
    #[must_use]
    pub fn subscriber_count(&self) -> usize {
        self.subscribers.lock().map(|s| s.len()).unwrap_or(0)
    }

    /// Watch: register subscriber, replay current state as Added.
    /// Events emit raw envelope bytes (subscribers adapt as needed).
    pub fn watch(
        &self,
        kind: &str,
        namespace: Option<&str>,
        format: ResourceFormat,
    ) -> Result<Box<dyn FaceWatchStream>, FaceError> {
        // Verify the format is supported (consistent with apply).
        let _ = self.select_adapter(format, "watch_resources")?;
        let (tx, rx) = std::sync::mpsc::channel();
        // Replay current matching state.
        let store = self.store.lock().expect("store mutex poisoned");
        for (r, body) in store.iter() {
            if r.kind != kind {
                continue;
            }
            if let Some(ns) = namespace
                && r.namespace.as_deref() != Some(ns)
            {
                continue;
            }
            let _ = tx.send(FaceWatchEvent {
                kind: FaceWatchEventKind::Added,
                body: body.clone(),
            });
        }
        drop(store);
        let mut subs = self.subscribers.lock().expect("subscribers mutex poisoned");
        subs.push(WatchSubscriber {
            sender: Some(tx),
            kind_filter: kind.to_string(),
            namespace_filter: namespace.map(str::to_string),
        });
        Ok(Box::new(MpscWatchStream { rx }))
    }
}

impl std::fmt::Debug for InMemoryStore {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("InMemoryStore")
            .field("face_name", &self.face_name)
            .field(
                "store_len",
                &self.store.lock().map(|s| s.len()).unwrap_or(0),
            )
            .field(
                "subscriber_count",
                &self.subscribers.lock().map(|s| s.len()).unwrap_or(0),
            )
            .finish()
    }
}

/// mpsc-based watch stream used by every face's `watch_resources`.
struct MpscWatchStream {
    rx: std::sync::mpsc::Receiver<FaceWatchEvent>,
}

impl FaceWatchStream for MpscWatchStream {
    fn next_event(&mut self) -> Result<Option<FaceWatchEvent>, FaceError> {
        match self.rx.recv() {
            Ok(event) => Ok(Some(event)),
            Err(_) => Ok(None),
        }
    }
}