palladium_plugin_api/

lib.rs

//! C ABI type definitions for the Palladium plugin system.
//!
//! This crate is intentionally dependency-free. All types are `#[repr(C)]`
//! and safe to expose across shared library (`cdylib`) and WASM boundaries.
//!
//! Plugin authors implement the required C exports; the engine host reads
//! plugin metadata and calls actor lifecycle functions through these types.
//!
//! # Required exports (every plugin shared library)
//!
//! ```c
//! PdPluginInfo* pd_plugin_init(void);
//! void          pd_plugin_shutdown(void);
//!
//! void*   pd_actor_create (const char* type_name, uint32_t type_name_len,
//!                          const uint8_t* config,  uint32_t config_len);
//! void    pd_actor_destroy(void* actor);
//! int32_t pd_actor_on_start  (void* actor, PdActorContext* ctx);
//! int32_t pd_actor_on_message(void* actor, PdActorContext* ctx,
//!                             const uint8_t* envelope_bytes,
//!                             const uint8_t* payload, uint32_t payload_len);
//! void    pd_actor_on_stop   (void* actor, PdActorContext* ctx, int32_t reason);
//! ```

#![forbid(unsafe_code)]

use core::ffi::c_void;

// ── ABI Version ───────────────────────────────────────────────────────────────

/// ABI version that every plugin and the engine must agree on at load time.
///
/// Increment this on any breaking change to the structs or function signatures
/// in this crate. The engine rejects plugins whose [`PdPluginInfo::abi_version`]
/// does not match.
pub const PD_ABI_VERSION: u32 = 1;

// ── Error Codes ───────────────────────────────────────────────────────────────

/// Return codes for plugin actor lifecycle functions.
///
/// Plugin-side functions return `PdError::Ok` (0) on success.  Any non-zero
/// value is treated as an error and mapped to the corresponding
/// `palladium_actor::ActorError` variant by the engine.
#[repr(i32)]
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PdError {
    /// Operation succeeded.
    Ok = 0,
    /// Actor failed to initialize (`on_start` returned an error).
    Init = -1,
    /// Message handler returned an error (`on_message` failed).
    Handler = -2,
    /// Requested actor type or resource was not found.
    NotFound = -3,
}

impl PdError {
    /// Convert an `i32` return code to a `PdError`.
    ///
    /// Returns `None` for unknown negative codes (treated as `Handler`-severity
    /// by the engine).
    pub fn from_i32(v: i32) -> Option<Self> {
        match v {
            0 => Some(Self::Ok),
            -1 => Some(Self::Init),
            -2 => Some(Self::Handler),
            -3 => Some(Self::NotFound),
            _ => None,
        }
    }

    /// Returns `true` if the code represents success.
    pub fn is_ok(self) -> bool {
        self == Self::Ok
    }
}

// ── Envelope ──────────────────────────────────────────────────────────────────

/// Fixed-size C-compatible message header passed to plugin lifecycle hooks.
///
/// The layout is identical to `palladium_actor::Envelope` (80 bytes, `repr(C)`),
/// so the engine can reinterpret Envelope bytes directly without copying.
///
/// All multi-byte fields are **little-endian**.
///
/// Field offsets:
/// ```text
/// offset  0 – 15 : message_id    (u128)
/// offset 16 – 31 : source        (u128, actor AddrHash)
/// offset 32 – 47 : destination   (u128, actor AddrHash)
/// offset 48 – 55 : type_tag      (u64,  message type discriminant)
/// offset 56 – 59 : payload_len   (u32)
/// offset 60 – 63 : flags         (u32,  see FLAG_* constants)
/// offset 64 – 71 : correlation_id(u64)
/// offset 72 – 79 : (implicit repr(C) padding — write as zeros)
/// ```
///
/// Total size: 80 bytes (verified by [`ENVELOPE_SIZE`]).
#[repr(C)]
#[derive(Debug, Clone, Copy)]
pub struct PdEnvelope {
    /// Unique message identifier (engine-assigned).
    pub message_id: u128,
    /// Sender's `AddrHash` (path + generation, packed into a u128).
    pub source: u128,
    /// Recipient's `AddrHash`.
    pub destination: u128,
    /// Message type discriminant (FNV-1a of the fully-qualified type name).
    pub type_tag: u64,
    /// Byte length of the accompanying payload buffer.
    pub payload_len: u32,
    /// Bitfield flags — see `FLAG_RESPONSE` and `FLAG_PRIORITY_MASK`.
    pub flags: u32,
    /// Response correlation: matches the `message_id` of the request.
    pub correlation_id: u64,
    // 8 bytes of implicit repr(C) trailing padding follow here.
}

/// Expected byte size of [`PdEnvelope`] (matches `palladium_actor::Envelope::SIZE`).
pub const ENVELOPE_SIZE: usize = 80;

/// Flag bit: this message is a response to a previous request.
pub const FLAG_RESPONSE: u32 = 1 << 0;
/// Mask for the 2-bit priority field (bits 1–2); higher value = higher priority.
pub const FLAG_PRIORITY_MASK: u32 = 0b11 << 1;

// ── Actor Type Info ───────────────────────────────────────────────────────────

/// Metadata for a single actor type exported by a plugin.
///
/// All string pointers are **not** null-terminated; use the accompanying
/// `_len` field for the byte count.
///
/// `config_schema` is optional: set to a null pointer and `config_schema_len`
/// to 0 if the actor type accepts no configuration.
///
/// The pointed-to data must remain valid for the lifetime of the plugin.
#[repr(C)]
pub struct PdActorTypeInfo {
    /// UTF-8 actor type name (e.g. `b"echo"`) — not null-terminated.
    pub type_name: *const u8,
    /// Byte length of `type_name`.
    pub type_name_len: u32,
    /// Optional UTF-8 JSON Schema for actor configuration, or null.
    pub config_schema: *const u8,
    /// Byte length of `config_schema`, or 0 if null.
    pub config_schema_len: u32,
}

// ── Plugin Info ───────────────────────────────────────────────────────────────

/// Top-level plugin metadata returned by the `pd_plugin_init` export.
///
/// The engine reads this struct immediately after calling `pd_plugin_init`.
/// All pointed-to data must remain valid until `pd_plugin_shutdown` returns.
#[repr(C)]
pub struct PdPluginInfo {
    /// UTF-8 plugin name — not null-terminated.
    pub name: *const u8,
    /// Byte length of `name`.
    pub name_len: u32,
    /// Semantic version — major component.
    pub version_major: u32,
    /// Semantic version — minor component.
    pub version_minor: u32,
    /// Semantic version — patch component.
    pub version_patch: u32,
    /// Must equal [`PD_ABI_VERSION`]; the engine rejects mismatches with
    /// `PluginError::AbiMismatch`.
    pub abi_version: u32,
    /// Number of elements in the `actor_types` array.
    pub actor_type_count: u32,
    /// Pointer to the first element of an array of [`PdActorTypeInfo`].
    pub actor_types: *const PdActorTypeInfo,
}

// ── Host Vtable ───────────────────────────────────────────────────────────────

/// Engine capabilities made available to plugin actors during lifecycle calls.
///
/// The engine allocates and fills this struct before invoking any actor
/// lifecycle function.  Plugin code accesses it via [`PdActorContext::vtable`].
/// All function pointers are guaranteed non-null during lifecycle calls.
#[repr(C)]
pub struct PdHostVtable {
    /// Send a message to another actor.
    ///
    /// `envelope_bytes` must point to exactly [`ENVELOPE_SIZE`] (80) bytes
    /// in [`PdEnvelope`] layout. `payload` points to `payload_len` bytes.
    ///
    /// Returns 0 on success; a negative `PdError` code on failure.
    pub pd_send: Option<
        unsafe extern "C" fn(
            ctx: *mut PdActorContext,
            envelope_bytes: *const u8,
            payload: *const u8,
            payload_len: u32,
        ) -> i32,
    >,

    /// Return the current engine time in microseconds since an arbitrary epoch.
    ///
    /// In production, this is wall-clock time. In simulation (`pd-test`),
    /// this returns the deterministic virtual clock value.
    pub pd_now_micros: Option<unsafe extern "C" fn(ctx: *mut PdActorContext) -> u64>,

    /// Emit a structured log message.
    ///
    /// `level`: 0 = error, 1 = warn, 2 = info, 3 = debug, 4 = trace.
    /// `msg` points to `msg_len` UTF-8 bytes — not null-terminated.
    pub pd_log: Option<
        unsafe extern "C" fn(ctx: *mut PdActorContext, level: i32, msg: *const u8, msg_len: u32),
    >,
}

// ── Actor Context ─────────────────────────────────────────────────────────────

/// Per-call context passed to every plugin actor lifecycle hook.
///
/// Plugin code receives a `*mut PdActorContext` in each lifecycle function.
/// Use the [`vtable`](Self::vtable) to send messages, query time, or log.
///
/// The `engine_cookie` field is an opaque handle owned by the engine;
/// plugins must pass it unchanged to vtable functions and must never free it.
#[repr(C)]
pub struct PdActorContext {
    /// Engine capability table. Always non-null during lifecycle calls.
    pub vtable: *const PdHostVtable,
    /// Opaque per-actor engine handle. Treat as an opaque cookie.
    pub engine_cookie: *mut c_void,
}

// ── Tests ─────────────────────────────────────────────────────────────────────

#[cfg(test)]
mod tests {
    use super::*;
    use core::mem;

    #[test]
    fn pd_envelope_size_matches_engine_envelope() {
        // Must equal palladium_actor::Envelope::SIZE = 80.
        // u128 fields (align 16) cause repr(C) to pad 72 bytes of fields → 80.
        assert_eq!(mem::size_of::<PdEnvelope>(), ENVELOPE_SIZE);
    }

    #[test]
    fn pd_envelope_alignment_is_16() {
        // Driven by the u128 fields; must agree with palladium_actor::Envelope.
        assert_eq!(mem::align_of::<PdEnvelope>(), 16);
    }

    #[test]
    fn pd_error_discriminants() {
        assert_eq!(PdError::Ok as i32, 0);
        assert_eq!(PdError::Init as i32, -1);
        assert_eq!(PdError::Handler as i32, -2);
        assert_eq!(PdError::NotFound as i32, -3);
    }

    #[test]
    fn pd_error_from_i32_roundtrip() {
        assert_eq!(PdError::from_i32(0), Some(PdError::Ok));
        assert_eq!(PdError::from_i32(-1), Some(PdError::Init));
        assert_eq!(PdError::from_i32(-2), Some(PdError::Handler));
        assert_eq!(PdError::from_i32(-3), Some(PdError::NotFound));
        assert_eq!(PdError::from_i32(-99), None);
    }

    #[test]
    fn pd_error_is_ok() {
        assert!(PdError::Ok.is_ok());
        assert!(!PdError::Init.is_ok());
        assert!(!PdError::Handler.is_ok());
    }

    #[test]
    fn pd_actor_context_size() {
        // Two pointers: vtable + engine_cookie.
        assert_eq!(
            mem::size_of::<PdActorContext>(),
            2 * mem::size_of::<usize>()
        );
    }

    #[test]
    fn pd_abi_version_is_nonzero() {
        let version = std::hint::black_box(PD_ABI_VERSION);
        assert!(version > 0);
    }

    #[test]
    fn flag_constants_do_not_overlap() {
        assert_eq!(FLAG_RESPONSE & FLAG_PRIORITY_MASK, 0);
    }
}