running_process/broker/mod.rs
1//! v1 broker module — schemas are FROZEN FOREVER once v1.0 ships.
2//!
3//! Phase 0 of #228: this module exposes the prost-generated wire types
4//! (envelope, manifest, service definition) for every later phase to
5//! depend on. No consumers ship yet — Phases 1+ wire them in.
6//!
7//! See `proto/broker_v1_*.proto` and the parent issue for the rationale
8//! behind every field number and `reserved` range.
9
10pub mod backend_handle;
11pub mod backend_lib;
12pub mod backend_lifecycle;
13pub mod capabilities;
14pub mod client;
15pub mod host_identity;
16pub mod lifecycle;
17pub mod manifest;
18pub mod protocol;
19pub(crate) mod secure_dir;
20pub mod server;
21
22/// Framing byte for every v1 broker connection. Wire layout:
23/// `[u8 framing_version=1][u32 LE body_length][prost body]`.
24///
25/// THIS BYTE is the truly-frozen-forever invariant — see #228
26/// "Frozen-forever commitments" section. A v2 client connecting to a
27/// v1 broker writes `[1][len][v2-shaped Hello]`; the v1 broker reads
28/// the framing byte and decides whether to decode or `Refused` with
29/// `ERROR_VERSION_UNSUPPORTED`.
30pub const FRAMING_VERSION_V1: u8 = 1;
31
32/// Hard ceiling on any single broker frame. Broker disconnects on
33/// overflow. See #228 "Wire-level commitments".
34pub const MAX_FRAME_SIZE_BYTES: usize = 16 * 1024 * 1024;
35
36/// Hard ceiling on the Hello envelope specifically. Broker returns
37/// `Refused` on overflow. See #228 "Wire-level commitments".
38pub const MAX_HELLO_SIZE_BYTES: usize = 64 * 1024;
39
40/// Upper bound on a LifecycleEvent's prost-encoded size, set to the
41/// minimum POSIX `PIPE_BUF` so atomic-append into the event log is
42/// guaranteed on every platform. Linux raises this to 4096 in practice,
43/// but the cross-platform floor is 512.
44pub const LIFECYCLE_EVENT_PIPE_BUF_FLOOR: usize = 512;