Please check the build logs for more information.
See Builds for ideas on how to fix a failed build, or Metadata for how to configure docs.rs builds.
If you believe this is docs.rs' fault, open an issue.
Holger guards your artifacts at rest
Immutable artifact repository in pure Rust.
- Airgap: transfer from internet, Nexus, Artifactory → immutable znippy archive
- Versioned: atomic transactions, content-addressed (Blake3)
- Extreme performance: Apache Arrow zero-copy, multi-core parallel I/O
- Zero dependencies: no OS packages, no shell, no Python — 100% Rust (even decompressors rewritten from C)
- Embeddable: runs on bare-metal/OS-free devices, 2 MB RSS
Artifact retrieval throughput — Holger vs Nexus 3
Same machine (32 cores, AMD), same artifact types, same dataset size per type.
Nexus 3 (v3.72): container, 32 CPUs, 32 GB RAM, 16 GB heap, 400 Jetty threads, G1GC.
Holger (znippy 0.8.0): in-process, 2 MB RSS.
| Artifact type | Holger (1 thread) | Holger (32 threads) | Nexus (1 client) | Nexus (16 clients) | Nexus (32 clients) |
|---|---|---|---|---|---|
| Rust crates | 417,602 ops/s | 10,084,953 ops/s | 105 ops/s | 1,265 ops/s | 519 ops/s |
| Java JARs | 283,015 ops/s | 7,307,041 ops/s | 87 ops/s | 567 ops/s | 418 ops/s |
| Python wheels | 313,469 ops/s | 7,740,871 ops/s | 91 ops/s | 955 ops/s | 726 ops/s |
Holger is 7,972× faster on Rust crates at Nexus's sweet spot (16 clients).
12,887× faster on Java JARs, 8,106× faster on Python wheels.
Single-threaded Holger still outperforms 32-client Nexus by 805× (Rust), 677× (Java), 432× (Python).
Nexus degrades past 16 clients on all types despite 400 Jetty threads and 16 GB heap.
Holger uses 2 MB RSS vs Nexus's 16 GB heap — 8,000× less memory.
How it works
Each get_file is one pread from a shared fd plus either a zero-copy skip
(pre-compressed .crate/.jar) or an openzl decompress into a reused buffer —
fully parallel across cores, no shared reader thread. Backed by znippy 0.8.0's
N-worker positioned-I/O read path.
Import / Export (holger-agent)
The agent CLI transfers artifacts between any combination of sources and destinations:
┌──────────────────────────────────────────────────────────────────────────────┐
│ holger-agent transfer paths │
├──────────────────────────────────────────────────────────────────────────────┤
│ │
│ Sources (--from) Destinations (--to) │
│ ───────────────── ────────────────── │
│ world (crates.io/PyPI/Maven Central) ──┐ │
│ nexus (Sonatype Nexus, basic auth) ──┤──▶ znippy (.znippy archive)│
│ holger (Holger server, OIDC/mTLS) ──┤──▶ tar-zstd (.tar.zst) │
│ znippy (.znippy archive) ──┤──▶ directory (flat files) │
│ tar-zstd (.tar.zst archive) ──┤──▶ nexus (push to Nexus) │
│ directory (flat .crate/.jar/.whl files) ──┘──▶ holger (push to Holger) │
│ │
└──────────────────────────────────────────────────────────────────────────────┘
Examples
# ── Download from internet → znippy archive ─────────────────────────────────
# Rust crates (from Cargo.lock)
# Python packages (from requirements.txt)
# Python packages (from uv.lock — URLs already embedded)
# ── Download from internet → tar.zst archive ────────────────────────────────
# Rust crates (from Cargo.lock) — standard tar+zstd, no snappy dependency
# Python packages (from requirements.txt) → tar.zst
# Python packages (from uv.lock) → tar.zst
# ── Download from internet → directory ───────────────────────────────────────
# Rust crates to flat directory
# ── Nexus → znippy (mirror/export from Nexus) ──────────────────────────────
# ── Nexus → tar.zst (export from Nexus to standard archive) ─────────────────
# ── Holger → tar.zst (export from Holger server) ────────────────────────────
# ── znippy → Nexus (import into Nexus) ──────────────────────────────────────
# ── tar.zst → Nexus (import standard archive into Nexus) ────────────────────
# ── znippy → Holger server (push to production) ─────────────────────────────
# ── tar.zst → Holger server (push standard archive to production) ────────────
# ── directory → Nexus (push loose files to Nexus) ────────────────────────────
# ── directory → Holger (push loose files to Holger) ──────────────────────────
# ── Nexus → directory (flat file export) ─────────────────────────────────────
# ── Holger → directory (export from Holger to flat files) ────────────────────
Airgap workflow
Internet side │ Airgapped side
│
crates.io ──┐ │
Maven ──────┤ │
PyPI ───────┤──▶ holger-agent │ holger-agent ──▶ holger-server
Nexus ──────┘ --to znippy │ --from znippy (gRPC / Rust fn)
--to tar-zstd │ --from tar-zstd
│ │ ▲
▼ │ │
.znippy file ─┼───────┘ (znippy = max perf, Arrow IPC)
.tar.zst file ┼───────┘ (tar.zst = universal, no snappy)
(USB/media) │
When to use which format:
| Format | Pros | Cons |
|---|---|---|
.znippy |
Fastest (Arrow IPC), queryable by pyarrow/polars, sub-index per repo/pkg_type | Requires znippy/snappy support |
.tar.zst |
Universal (standard tar+zstd), works everywhere, tar can extract |
No sub-indexing, slightly larger |
directory |
Human-inspectable, git-friendly | Many small files, slow on HDD |
Lockfile formats
| Format | Flag | What it resolves |
|---|---|---|
Cargo.lock |
--lockfile-kind cargo (default) |
Crate names + exact versions → downloads from crates.io |
requirements.txt |
--lockfile-kind requirements-txt |
name==version lines → downloads from PyPI |
uv.lock |
--lockfile-kind uv-lock |
Full URLs embedded → downloads directly |
Architecture
┌─────────────────────────────────────────────────────────────────────────┐
│ Holger Ecosystem │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────┐ ┌──────────────────┐ ┌────────────────┐ │
│ │ holger-agent │────▶│ holger-server │────▶│ Storage │ │
│ │ (CLI + daemon) │ │ (gRPC / Rust fn) │ │ (.znippy) │ │
│ │ │ │ │ │ │ │
│ │ --auth oidc │ │ OIDC validation │ │ Immutable │ │
│ └─────────────────┘ └──────────────────┘ │ Blake3 CAS │ │
│ │ │ └────────────────┘ │
│ │ │ │
│ ▼ ▼ │
│ ┌─────────────────┐ ┌──────────────────┐ │
│ │ Nexus/Registry │ │ cargo/mvn │ │
│ │ (connector) │ │ (clients) │ │
│ └─────────────────┘ └──────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────┘
Access Modes
Holger exposes two access modes — no HTTP/REST:
1. Rust Function Bindings (embedded mode)
Use holger-server-lib directly in your Rust application:
use ;
use ArtifactId;
let mut holger = read_ron_config.unwrap;
holger.instantiate_backends.unwrap;
wire_holger.unwrap;
// Fetch artifact
let id = ArtifactId ;
let data = holger.fetch.unwrap;
// List repositories
let repos = holger.list_repositories; // ["rust-prod", "maven-staging"]
// Put artifact (write-enabled repos)
holger.put.unwrap;
2. gRPC (network mode)
Configure exposed_endpoints in RON → holger starts a tonic gRPC server automatically.
Services (defined in proto/holger.proto):
| Service | RPCs |
|---|---|
RepositoryService |
FetchArtifact, ListArtifacts, PutArtifact, StreamArtifact (server-streaming) |
ArchiveService |
ListArchiveFiles, ArchiveInfo |
AdminService |
Health, ListRepositories |
3. Apache Arrow Flight (batch mode) — planned
Arrow Flight as a universal artifact service: batch-fetch multiple artifacts (or files within artifacts) in a single call with zero-copy columnar transport.
| Capability | Description |
|---|---|
| Batch artifact fetch | Request N artifacts in one Flight DoGet — server reads from znippy archive (already Arrow IPC), streams back as RecordBatches |
| Files-within-artifact | Fetch specific files from inside a .whl or .jar without downloading the whole archive (uses lzip/ljar filter) |
| Index queries | GetFlightInfo returns archive metadata (file list, sizes, checksums) as Arrow schema — zero parsing on client side |
| Any-language client | Python (pyarrow), Go, Java, Rust, C++ — all get native Flight clients for free |
Why Flight over raw gRPC for batch:
- znippy archives are already Arrow IPC → Flight serves them with near-zero serialization cost
- Columnar format means fetching 1000 small crates is one contiguous memory transfer, not 1000 RPCs
uv/pip/cargoresolve+fetch could use a single Flight batch call instead of N HTTP GETs
Connect with grpcurl:
# Health check
# List repositories
# Fetch artifact
# Stream large artifact (chunked 64KB)
Crates
| Crate | Purpose |
|---|---|
holger-server-lib |
Core server: RON config, wiring engine, gRPC services, auth module |
holger-server-cli |
Server binary (holger-server start --config) |
holger-agent-lib |
Agent logic: connectors, transfer operations |
holger-agent-cli |
Agent binary: airgap, push/pull between registries |
holger-traits |
Shared traits (ConnectorTrait, RepositoryBackendTrait) |
holger-nexus-connector |
Nexus/Artifactory connector (basic auth, OIDC) |
holger-world-connector |
crates.io + PyPI connector (reads Cargo.lock, requirements.txt, uv.lock) |
holger-rust-file-repository |
Rust crate repository backend (filesystem) |
holger-rust-znippy-repository |
Rust/Maven/Pip repository backend (znippy archive) |
holger-mannequin |
Dev daemon: mock PKI, OIDC, Nexus, egui GUI |
holger-distr |
Container/systemd distribution (Dockerfile, .service) |
Configuration (RON)
Holger uses RON for configuration — it can express the graph topology that TOML/YAML cannot.
Rust crate repository (file-backed)
(
repositories: [
(
ron_name: "rust-prod",
ron_repo_type: "rust",
ron_upstreams: [],
ron_in: None,
ron_out: Some((
ron_storage_endpoint: "local-storage",
ron_exposed_endpoint: "grpc",
)),
),
],
exposed_endpoints: [
(
ron_name: "grpc",
ron_url: "0.0.0.0:50051",
),
],
storage_endpoints: [
(
ron_name: "local-storage",
ron_storage_type: "rocksdb",
ron_path: "/var/lib/holger/data",
),
],
)
Rust crate repository (znippy archive)
(
repositories: [
(
ron_name: "rust-airgap",
ron_repo_type: "rust",
ron_archive_path: Some("/var/lib/holger/rust-airgap.znippy"),
ron_upstreams: [],
ron_in: None,
ron_out: Some((
ron_storage_endpoint: "znippy-storage",
ron_exposed_endpoint: "grpc",
)),
),
],
exposed_endpoints: [
(
ron_name: "grpc",
ron_url: "0.0.0.0:50051",
),
],
storage_endpoints: [
(
ron_name: "znippy-storage",
ron_storage_type: "znippy",
ron_path: "/var/lib/holger/rust-airgap",
),
],
)
Python pip repository (znippy archive, PEP 503 simple index)
(
repositories: [
(
ron_name: "pip-internal",
ron_repo_type: "pip",
ron_archive_path: Some("/var/lib/holger/pip.znippy"),
ron_upstreams: [],
ron_in: None,
ron_out: Some((
ron_storage_endpoint: "pip-storage",
ron_exposed_endpoint: "grpc",
)),
),
],
exposed_endpoints: [
(
ron_name: "grpc",
ron_url: "0.0.0.0:50051",
),
],
storage_endpoints: [
(
ron_name: "pip-storage",
ron_storage_type: "znippy",
ron_path: "/var/lib/holger/pip",
),
],
)
The server exposes a PEP 503 simple index at /{repo}/simple/ — point pip or uv directly at it:
Maven repository (znippy archive)
(
repositories: [
(
ron_name: "maven-internal",
ron_repo_type: "maven3",
ron_archive_path: Some("/var/lib/holger/maven.znippy"),
ron_upstreams: [],
ron_in: None,
ron_out: Some((
ron_storage_endpoint: "maven-storage",
ron_exposed_endpoint: "grpc",
)),
),
],
exposed_endpoints: [
(
ron_name: "grpc",
ron_url: "0.0.0.0:50051",
),
],
storage_endpoints: [
(
ron_name: "maven-storage",
ron_storage_type: "znippy",
ron_path: "/var/lib/holger/maven",
),
],
)
Authentication
| Method | How | Use case |
|---|---|---|
| OIDC | Bearer token from token endpoint (Keycloak, AD, etc.) | Human users, CI/CD pipelines |
The agent CLI uses --auth oidc when talking to Holger server. Legacy Nexus connections still use --username/--password (basic auth via connector).
Performance
Holger uses znippy archives (.znippy) as storage. A .znippy file is a valid Arrow IPC File — queryable directly by pyarrow/polars:
# pyarrow
=
=
# relative_path: string, compressed: bool, uncompressed_size: uint64, chunks: list<...>
# polars
=
Znippy archive benchmarks (v0.7.4 — io_uring + Gatling pipeline)
Packing source files into .znippy and extracting back. Files already compressed (.gz, .jar, .zip, etc.) are stored as-is (skipped). .crate files are gzipped tarballs — znippy compresses the source contents inside, not the .crate blob itself:
| Test | In | Out | Ratio | Pack | Unpack |
|---|---|---|---|---|---|
| text 500MB | 500 MB | 0.06 MB | 9,014× | 1,639 MB/s | 2,874 MB/s |
| single file 2GB | 2,048 MB | 0.22 MB | 9,509× | 5,802 MB/s | 3,066 MB/s |
| binary pattern 500MB | 500 MB | 0.07 MB | 7,338× | 2,242 MB/s | 2,976 MB/s |
| 100k small files (10KB) | 977 MB | 17.4 MB | 56× | 4,811 MB/s | 1,957 MB/s |
| random (incompressible) | 500 MB | 500 MB | 1.0× | 105 MB/s | 2,890 MB/s |
| mixed repo 530MB | 530 MB | 530 MB | 1.0× | 3,118 MB/s | 6,310 MB/s |
| Real jars (4730 files, RAID) | 5,124 MB | — | — | 2,527 MB/s | 9,950 MB/s |
Note: "Pack" = archiving + compression into
.znippy. "Unpack" = decompression + extraction. Stream packer (in-memory/HTTP) numbers above; slot packer (io_uring disk reads) hits 678 MB/s on 10k×10KB synthetic. Already-compressed data (.jar, .crate) passes through at full I/O speed without re-compression.
Host decompressors
The host-decompressors feature replaces miniz_oxide with custom parallel decompression:
| Component | Throughput | What it does |
|---|---|---|
| linflate | ~700 MB/s single-core | SIMD DEFLATE decoder (AVX2 match-copy) |
| lgz | 6,100+ MB/s multi-core | Parallel gzip decompression (full-flush segments) |
| lgz (speculative) | 527 MB/s | Two-pass pugz-style for arbitrary gzip streams |
| ljar | Multi-core | Parallel JAR/ZIP extraction (per-entry parallelism) |
| miniz_oxide (replaced) | ~190 MB/s | What most Rust projects use by default |
Single-core path is 3.7× faster than miniz_oxide. Multi-core scales linearly.
GUI Builders
Holger has no built-in web UI. Instead, build your own GUI using either access mode:
Option A: gRPC client (any language)
Use the proto definition (proto/holger.proto) to generate a client in any language.
Getting OIDC tokens and TLS certs from mannequin (for GUI dev):
Start mannequin first — it provides the complete auth infrastructure your GUI needs:
# 1. Start mannequin (mock PKI + OIDC + Nexus)
# 2. Get an OIDC token (accepts any credentials — it's a dev dummy)
TOKEN=
# 3. Get a TLS client certificate (for mTLS to holger-server)
|
|
# 4. Get the CA cert (to verify holger-server's TLS)
# 5. Connect to holger-server with OIDC auth
In your GUI code (Rust + tonic):
use ;
use MetadataValue;
// Get token from mannequin OIDC endpoint
let token_resp: Value = new
.post
.form
.send.await?.json.await?;
let token = token_resp.as_str.unwrap;
// Get CA + client cert from mannequin PKI
let ca_pem = get.await?.bytes.await?;
let client_cert = new
.post
.json
.send.await?..await?;
// Build TLS channel
let tls = new
.ca_certificate
.identity;
let channel = from_static
.tls_config?
.connect.await?;
// Attach OIDC bearer token to every request
let token_str: = format!.parse?;
let mut admin = with_interceptor;
// Now use it
let repos = admin.list_repositories.await?.into_inner;
Plain examples (no auth, local dev):
// Rust (tonic)
use Channel;
let channel = from_static.connect.await?;
let mut admin = new;
let mut repo = new;
// List repositories
let repos = admin.list_repositories.await?.into_inner;
for name in &repos.names
// Fetch artifact
let artifact = repo.fetch_artifact.await?.into_inner;
// Stream large artifact (server sends 64KB chunks)
let mut stream = repo.stream_artifact.await?.into_inner;
while let Some = stream.message.await?
# Python (grpcio)
=
=
=
# List repos
=
# Fetch artifact
=
// Go (google.golang.org/grpc)
conn, _ := grpc.Dial("localhost:50051", grpc.WithInsecure())
admin := pb.NewAdminServiceClient(conn)
repo := pb.NewRepositoryServiceClient(conn)
repos, _ := admin.ListRepositories(ctx, &pb.Empty)
artifact, _ := repo.FetchArtifact(ctx, &pb.FetchRequest)
Option B: Rust function bindings (same process, zero overhead)
For Rust-native GUIs (egui, iced, slint, dioxus), embed holger directly:
use ;
use ArtifactId;
// Initialize once at app startup
let mut holger = read_ron_config.unwrap;
holger.instantiate_backends.unwrap;
wire_holger.unwrap;
// Use from any thread — no serialization, no network
let repos = holger.list_repositories; // Vec<&str>
let id = ArtifactId ;
let data: = holger.fetch.unwrap;
// Upload
holger.put.unwrap;
gRPC services reference
| Service | RPC | Description |
|---|---|---|
AdminService |
Health |
Server health + uptime |
AdminService |
ListRepositories |
All configured repo names |
RepositoryService |
FetchArtifact |
Download artifact (single response) |
RepositoryService |
StreamArtifact |
Download artifact (64KB streaming chunks) |
RepositoryService |
ListArtifacts |
List artifacts in a repository |
RepositoryService |
PutArtifact |
Upload artifact |
ArchiveService |
ListArchiveFiles |
List files in znippy archive |
ArchiveService |
ArchiveInfo |
Archive metadata (size, entry count) |
Development (holger-mannequin)
The holger-mannequin crate provides a full mock environment for development and integration testing:
┌─────────────────────────────────────────────┐
│ holger-mannequin │
├──────────┬──────────┬───────────┬───────────┤
│ PKI │ OIDC │ Nexus │ Auth │
│ │ │ │ │
│ CA mgmt │ /token │ proxy-only│ Users │
│ Issue │ /userinfo│ prod (4) │ Roles │
│ Regen │ Discovery│ upload │ Validate │
└──────────┴──────────┴───────────┴───────────┘
│
▼
egui GUI (--gui flag)
Live system map + request logs
Subsystems:
| Module | What it mocks | Endpoints |
|---|---|---|
| PKI | Certificate Authority | Issue/revoke certs, CA chain |
| OIDC | Keycloak/Azure AD | /token, /userinfo, /.well-known/openid-configuration |
| Nexus | Sonatype Nexus | 3 repos: proxy-only, prod (4 seeded crates), upload |
| Auth | Identity provider | 4 seeded users: admin, reader, writer, ci-agent |
Usage modes:
# As a server (dev environment)
# In-process (integration tests — no network needed)
# CLI (cert generation)
egui GUI features:
- Live system topology map (repositories ↔ storage ↔ endpoints)
- Request traffic visualization (gRPC calls in real-time)
- OIDC token issuer for quick dev testing
- Mock Nexus browser with seeded artifacts
Quick Start
# Build everything
PROTOC=/path/to/protoc
# Run tests
PROTOC=/path/to/protoc
# Start mannequin (dev dummy with mock PKI, OIDC, Nexus + GUI)
# Start holger server (starts gRPC on configured port)
# Agent: see "Import / Export" section above for all transfer examples
Immutable Storage Model
All .artifact files are immutable. Holger can optionally be configured to allow live ingest of artifacts not found in the current archive (DEV mode only).
| Version | Source | Mutability | Use Case |
|---|---|---|---|
| V1 | Initial .artifact import | Immutable | Bootstrap, base snapshot |
| V2 | .artifact + live ingest | Appendable | DEV: allow dynamic additions |
| V3 | Promoted .artifact only | Immutable | PROD: strict airgapped enforcement |
Status
- ✅ RON config + graph wiring engine
- ✅ gRPC server (tonic, 3 services)
- ✅ Rust function bindings API (embedded mode)
- ✅ Rust crate serving (file + znippy backends)
- ✅ Maven artifact serving (znippy backend)
- ✅ Python pip serving (znippy backend, PEP 503 simple index)
- ✅ Python pip airgap agent (requirements.txt + uv.lock → znippy)
- ✅ Airgap agent (world → znippy → nexus/holger)
- ✅ OIDC authentication
- ✅ Nexus connector (list/download/upload)
- ✅ Znippy host-decompressors (lgz, ljar, linflate)
- ✅ Container distribution (Dockerfile + systemd)
- ✅ Dev mannequin with egui system map GUI
- 🚧 Blake3 content-addressable verification
- 🚧 Authorization layer (role-based access on repos)
- 🚧 Go/npm format support
- 🚧 Live ingest proxy mode (DEV)
- 🚧 Promote workflow (DEV → PROD)
- 🚧 egui admin client for holger-server
- 🚧 Audit log (who accessed what, when)
Testing
Test Levels
Holger has three test levels:
- Unit / light integration — no network, no containers, runs in seconds
- Synthetic benchmarks — auto-generated fake data, no network, measures throughput regression
- Heavy / container tests — spins up a real Sonatype Nexus 3 (v3.72.0) container via
testcontainerscrate + Podman, uploads real artifact archives, benchmarks Holger vs Nexus
Unit / Light Integration Tests
These use holger-mannequin as an in-process mock (Nexus API + OIDC + mTLS + PKI). No external services needed.
# All quick tests (no network, no containers):
# Mannequin (mock Nexus/OIDC/mTLS) tests:
# tar.zst round-trip tests (mannequin mock, no network):
Heavy Tests (Real Nexus Container)
These tests start a real Sonatype Nexus 3 container using the testcontainers Rust crate. The container lifecycle is fully managed by the test — it starts Nexus, waits for readiness, creates repositories, runs the benchmark, and tears down automatically.
How it works:
testcontainerspullssonatype/nexus3:3.72.0via Podman (or Docker)- Container starts with port 8081 exposed on a random host port
- Test waits up to 180s for Nexus REST API (
/service/rest/v1/status) to respond - Reads initial admin password from container (
/nexus-data/admin.password) - Changes password to
admin123, creates raw hosted repositories - Uploads cached znippy archives → benchmarks upload throughput (MB/s, files/s)
- Downloads all artifacts back → benchmarks download throughput
- Runs retrieval bombardment (multi-threaded random GETs) on Nexus, then same dataset on Holger znippy for comparison
- Container is stopped and removed automatically
The tail-latency test additionally constrains Nexus to a 512 MB JVM heap (-Xms512m -Xmx512m -XX:+UseG1GC) to provoke GC pauses, measuring p99/p999 latency vs Holger's zero-GC constant-time reads.
Running heavy tests:
# Prerequisite: enable Podman socket (rootless)
# Set DOCKER_HOST so testcontainers finds the Podman socket
# Nexus load test (uploads ~14 GB, benchmarks Holger vs Nexus)
# Tail-latency / GC pressure test (60s bombardment, p99/p999 comparison)
Or run everything via xtask:
Synthetic Benchmarks (No Network)
The bench_znippy_throughput test generates 500K fake crates/JARs/wheels in /tmp/holger_bench_throughput/ — auto-created on first run, cached for subsequent runs. Measures raw get_file() and HTTP handler ops/s for all 3 artifact types (single-thread and multi-thread).
Integration Test Summary
| Test | Container? | Network? | What it does |
|---|---|---|---|
integration_holger |
✗ | ✗ | Mannequin mock: OIDC auth, mTLS auth, upload/download, cert issuance |
integration_pip |
✗ | ✗ | Mannequin mock: Python package resolution and PEP 503 index |
integration_tar_zstd |
✗ | ✗ | tar.zst create → verify → push round-trip (mannequin mock + OIDC) |
bench_znippy_throughput |
✗ | ✗ | 500K synthetic artifacts, throughput regression gate |
integration_znippy_serve |
✗ | first run | Downloads real crates/JARs/wheels from internet, packs znippy, verifies |
integration_nexus_load |
Nexus 3 | ✗¹ | Real Nexus container, upload/download benchmark, bombardment vs Holger |
integration_latency_tail |
Nexus 3 | ✗¹ | Nexus with 512MB heap, p99/p999 latency under GC pressure vs Holger |
¹ Container image must be available locally or pullable. Test data uses pre-cached archives.
Test Cache
Heavy tests cache downloaded artifacts at /home/rickard/work/holger_tests/:
crates/ — 9,162 .crate files (4.2 GB) from crates.io
jars/ — 4,730 .jar files (5.0 GB) from Maven Central
wheels/ — 541 .whl files (5.0 GB) from PyPI
crates_archive.znippy — packed with znippy 0.7.4
jars_archive.znippy — packed with znippy 0.7.4
pip_archive.znippy — packed with znippy 0.7.4
If files don't exist, tests create them automatically — they download from crates.io / Maven Central / PyPI on first run. Subsequent runs reuse the cached archives. If znippy version changes, delete *.znippy and re-run to rebuild.
Requirements
| Requirement | Needed for | Notes |
|---|---|---|
| Podman (or Docker) | Nexus container tests | systemctl --user start podman.socket |
| Network access | First run of integration_znippy_serve |
Downloads ~14 GB from crates.io, Maven, PyPI |
| ~15 GB disk | Test cache | /home/rickard/work/holger_tests/ |
sonatype/nexus3:3.72.0 image |
Heavy tests | Auto-pulled by testcontainers if not present |
Release
Pre-release gate: cargo xtask --heavy
You MUST run cargo xtask --heavy before publishing any crate. This is the full release gate — it runs every test level including a real Nexus 3 container benchmark. If it passes, the code is safe to publish. If it fails, do not release.
# Prerequisites
# THE release command — runs everything:
What cargo xtask --heavy does (in order):
| Step | What runs | Fails if |
|---|---|---|
| 1 | cargo test --workspace |
Any unit/integration test fails |
| 2 | integration_tar_zstd |
tar.zst round-trip broken |
| 3 | bench_znippy_throughput (500K synthetic) |
>20% throughput regression vs bench_history.json |
| 4 | Records benchmark to bench_history.json |
— |
| 5 | Starts Sonatype Nexus 3 container | Container fails to start |
| 6 | Uploads all cached archives, bombardment-tests Nexus vs Holger | Upload/download failures |
| 7 | Tail-latency / GC pressure test (p99/p999) | Latency regression |
cargo xtask (without --heavy) skips steps 5–7 — use it for quick local iteration, but never for release.
Bump versions and publish
# 1. Bump version in all Cargo.toml files (workspace members share versions)
# holger-traits, holger-*-repository, holger-server-*, holger-agent-*
# 2. Run the FULL release gate (mandatory — do not skip)
# 3. Publish crates in dependency order (traits first, then backends, then server/agent)
# 4. Tag and push
&&
Publish order matters
Crates.io requires dependencies to be published first:
holger-traits (no internal deps)
├── holger-rust-file-repository
├── holger-rust-znippy-repository
├── holger-maven-znippy-repository
├── holger-python-znippy-repository
├── holger-nexus-connector
├── holger-world-connector
├── holger-server-lib (depends on traits + all repos)
│ └── holger-server-cli
├── holger-agent-lib (depends on traits + connectors)
│ └── holger-agent-cli
└── holger-mannequin
Fan art
"Allfadern ser varje bit"