net-mesh 0.21.0

High-performance, schema-agnostic, backend-agnostic event bus
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256

//! `MeshOsAction` — the union of outputs the reconcile pass
//! emits. One action per substrate-side change MeshOS wants to
//! see happen; the action executor drains the queue under the
//! backpressure layer (Phase G) and dispatches each action to
//! the subsystem that owns its mechanics.
//!
//! Named `MeshOsAction` (not bare `Action`) to avoid colliding
//! with [`crate::adapter::net::behavior::rules::Action`], which
//! the rules engine already publishes at the behavior plane
//! root.
//!
//! Phase A ships the enum + an `ActionId` allocator + the
//! `#[non_exhaustive]` attribute so later phases add variants
//! without breaking downstream matches. The reconcile pass
//! returns an empty `Vec<MeshOsAction>` until Phase B.

use std::sync::atomic::{AtomicU64, Ordering};
use std::time::{Duration, Instant};

use super::event::{ChainId, DaemonRef, NodeId};

/// Monotonic per-process action id. Allocated by
/// [`AllocateActionId::next`] when reconcile produces an action;
/// used as the snapshot-fold key so Deck can correlate
/// "in-flight" / "pending" / "completed" across the same id.
#[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)]
pub struct ActionId(
    /// Raw monotonic value. Process-local; not stable across
    /// node restarts.
    pub u64,
);

/// Process-global action-id allocator.
#[derive(Debug, Default)]
pub struct AllocateActionId {
    counter: AtomicU64,
}

impl AllocateActionId {
    /// Construct an allocator whose first handed-out id is `1`.
    /// Zero is reserved as a "no action" sentinel for downstream
    /// snapshots.
    pub fn new() -> Self {
        Self {
            counter: AtomicU64::new(1),
        }
    }

    /// Allocate the next id. Threadsafe, lock-free.
    pub fn next(&self) -> ActionId {
        ActionId(self.counter.fetch_add(1, Ordering::Relaxed))
    }
}

/// The action payload. Variants reflect the seven action
/// families the plan calls out (`start_daemon` / `stop_daemon` /
/// `migrate_blob` / `pull_replica` / `reduce_heat` /
/// `mark_avoid` / `apply_backoff`) plus the maintenance-state
/// transitions Phase E drives.
///
/// **`Instant`-typed deadlines are process-local.** `StopDaemon`
/// and `ApplyBackoff` carry `std::time::Instant`, which is
/// monotonic-per-process and not portable across nodes. These
/// actions are produced and consumed inside one MeshOS process;
/// the chain-recorded form (`ActionChainRecord`) flattens
/// deadlines to Unix-epoch ms for cross-node replay. Don't move
/// an in-process `MeshOsAction` over the wire — go through the
/// chain record.
///
/// `#[non_exhaustive]` so phases B–G land their handlers without
/// breaking downstream matches.
#[derive(Clone, Debug, PartialEq)]
#[non_exhaustive]
pub enum MeshOsAction {
    /// Phase B. Start a daemon that should be running on this
    /// node but isn't.
    StartDaemon {
        /// Daemon the supervisor should bring up.
        daemon: DaemonRef,
    },

    /// Phase B. Stop a daemon that's running locally but
    /// shouldn't be. `reason` rides along into the failure /
    /// audit log.
    StopDaemon {
        /// Daemon to shut down.
        daemon: DaemonRef,
        /// Operator-readable reason recorded to the audit log.
        reason: String,
        /// Deadline by which `MeshOsControl::Shutdown` must
        /// produce a clean exit; afterward the supervisor force-
        /// terminates.
        deadline: Instant,
    },

    /// Phase C. Pull a replica this node should hold but
    /// doesn't.
    PullReplica {
        /// Chain whose replica to materialize.
        chain: ChainId,
        /// Peer to pull the bytes from.
        source: NodeId,
    },

    /// Phase C. Drop a stale replica.
    DropReplica {
        /// Chain whose local replica to evict.
        chain: ChainId,
    },

    /// Phase C — leader-only. Ask another node to host a
    /// replica. Emitted by the leader for a chain whose desired
    /// replica count is short.
    RequestPlacement {
        /// Chain whose replica count is short.
        chain: ChainId,
        /// Peers that already hold the chain (or are otherwise
        /// not candidates).
        exclude: Vec<NodeId>,
        /// Operator-pinned placement target. `None` = the
        /// placement scorer picks. `Some(node)` = the operator
        /// has requested the placement land on this specific
        /// node (via the ICE `ForceCutover` admin event); the
        /// dispatcher should honor it without consulting the
        /// scorer. The default-emitting count-driven and
        /// scheduler arms always pass `None`; only the ICE
        /// forced-placement arm sets a `Some`.
        target: Option<NodeId>,
    },

    /// Phase C — leader-only. Ask a peer to drop a replica it
    /// holds (chain over-replicated, or its score has dropped).
    RequestEviction {
        /// Chain whose replica to evict.
        chain: ChainId,
        /// Peer that should drop its copy.
        victim: NodeId,
    },

    /// Phase E. Migrate a blob between holders (Dataforts
    /// movement layer is the muscle; MeshOS owns the trigger).
    MigrateBlob {
        /// Blob id (Dataforts-native).
        blob: u64,
        /// Current holder.
        from: NodeId,
        /// Target holder.
        to: NodeId,
    },

    /// Phase E. Reduce a blob's heat (gravity-driven movement
    /// follows the heat down).
    ReduceHeat {
        /// Blob whose heat counter to decrement.
        blob: u64,
        /// Amount to subtract.
        by: u32,
    },

    /// Phase D. Add a peer to the avoid list for the configured
    /// TTL. RTT-degradation or operator command.
    MarkAvoid {
        /// Peer to deprioritize.
        peer: NodeId,
        /// Why we're avoiding (audit + Deck rendering).
        reason: String,
        /// How long the avoid entry persists before GC.
        ttl: Duration,
    },

    /// Phase G. Apply backoff to a daemon's restart loop after
    /// it crashed. The backoff window is computed by the
    /// supervisor; MeshOS just commits the decision.
    ApplyBackoff {
        /// Daemon whose restart loop to gate.
        daemon: DaemonRef,
        /// Earliest instant a restart may be admitted.
        until: Instant,
    },

    /// Phase E. Commit a maintenance-state transition for a
    /// node. The state machine lives in chain metadata
    /// (`metadata.maintenance_state`); the action is the chain
    /// commit, the metadata write is the effect.
    CommitMaintenanceTransition {
        /// Node whose maintenance state is changing.
        node: NodeId,
        /// Target state.
        target: MaintenanceTransition,
    },
}

/// Phase E. The set of maintenance-state transitions the
/// reconcile pass can commit. Each transition is idempotent —
/// applying it twice is a no-op.
#[derive(Clone, Debug, Eq, PartialEq)]
#[non_exhaustive]
pub enum MaintenanceTransition {
    /// Active → EnteringMaintenance. Triggers replica freeze +
    /// daemon drain.
    EnteringMaintenance,
    /// EnteringMaintenance → Maintenance. Replicas migrated,
    /// daemons drained; node is steady-state isolated.
    Maintenance,
    /// Maintenance → ExitingMaintenance. Operator requested
    /// resume; node restarts daemons + emits fresh capabilities.
    ExitingMaintenance,
    /// EnteringMaintenance → DrainFailed. Deadline elapsed with
    /// replicas / daemons unable to drain; needs operator action.
    /// `reason` carries the deadline / observed-condition message
    /// so the chain commit can record it; the
    /// `MaintenanceTransitionObserved` fold consumes it into
    /// `MaintenanceState::DrainFailed { reason }`.
    DrainFailed {
        /// Operator-readable reason recorded into the chain
        /// commit and the local mirror.
        reason: String,
    },
    /// ExitingMaintenance → Recovery. Ramp-up window active;
    /// node is on the avoid list for new placements.
    Recovery,
    /// Recovery → Active. Ramp-up window complete; node is
    /// fully back in service.
    Active,
}

/// A queued action ready for the action executor to admit. Pairs
/// the action with the id the snapshot fold keys off.
#[derive(Clone, Debug, PartialEq)]
pub struct PendingAction {
    /// Allocated id; stable for the action's full lifetime
    /// (pending → in-flight → completed/failed).
    pub id: ActionId,
    /// The action payload.
    pub action: MeshOsAction,
    /// When reconcile emitted it. Used by Deck to render
    /// queue latency.
    pub emitted_at: Instant,
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn allocator_hands_out_monotonic_unique_ids() {
        let alloc = AllocateActionId::new();
        let a = alloc.next();
        let b = alloc.next();
        let c = alloc.next();
        assert_eq!(a, ActionId(1));
        assert_eq!(b, ActionId(2));
        assert_eq!(c, ActionId(3));
        assert!(a != b && b != c);
    }
}