varta-watch 0.2.0

Varta observer — receives VLP frames and surfaces stalls.
// Crate-wide lint policy. `deny` turns each listed lint into a hard error:
//   - missing_docs: every public item must carry documentation;
//   - unsafe_op_in_unsafe_fn: unsafe operations inside an `unsafe fn` still
//     need their own `unsafe {}` block, so each one gets its own SAFETY note;
//   - rust_2018_idioms: the 2018-edition idiom lint group.
#![deny(missing_docs, unsafe_op_in_unsafe_fn, rust_2018_idioms)]
// `forbid` is stricter than `deny`: a nested `#[allow]` cannot switch these
// lints back on, so `dbg!` and stdout printing cannot be re-enabled in a
// single module.
#![forbid(clippy::dbg_macro, clippy::print_stdout)]
// SAFETY: unsafe_code is legitimately required for FFI to kernel interfaces
// (recvmsg/cmsg parsing in peer_cred.rs, umask in listener.rs).  All unsafe
// sites are guarded by compile-time layout assertions and per-block SAFETY
// comments.  The workspace-level deny forces us to explicitly opt in here.
//
// NOTE(review): this allow is crate-wide, so it admits `unsafe` in every
// module of the crate, not only the two files named above.  The
// `libc-signal-mode` guard message further down mentions an inline-asm
// signal-return trampoline, which presumably also needs `unsafe` — confirm
// the file list above is still complete, and consider moving the allow onto
// the individual modules so new unsafe code elsewhere fails the build.
#![allow(unsafe_code)]

//! Varta observer library — receive loop over configurable transport listeners,
//! per-pid tracker, stall surface.
//!
//! This crate is the in-process kernel of `varta-watch`. The binary
//! drives [`Observer::poll`] in a single thread and routes
//! [`Event`] values to exporters and the recovery command. The protocol root
//! is [`varta_vlp`]; nothing else is on the dependency surface.

// Class-A safety-critical builds (`compile-time-config`) intentionally have
// no /metrics endpoint, no HTTP server, no bearer-token loader, and no argv
// parser.  Combining `compile-time-config` with `prometheus-exporter` would
// link the HTTP server back into the binary, defeating the structural
// guarantee that the Class-A profile rests on.  The combination is rejected
// at compile time so a misconfigured build line fails loudly rather than
// producing a binary that silently fails the strings audit at deploy time.
//
// Cargo unifies features across the dependency graph, so this guard also
// fires when another crate in the same build enables `prometheus-exporter`
// on this crate while the Class-A feature is on.  That is the intended
// outcome: the build stops instead of shipping the extra surface.
#[cfg(all(feature = "prometheus-exporter", feature = "compile-time-config"))]
compile_error!(
    "`prometheus-exporter` cannot be combined with `compile-time-config` \
     — Class-A safety-critical builds intentionally have no /metrics \
     surface.  See book/src/architecture/safety-profiles.md for the supported \
     feature matrix."
);

// `libc-signal-mode` is rejected for Class-A builds as well.  Per the message
// below, the Class-A profile keeps end-to-end ownership of the kernel signal
// ABI through the crate's own inline-asm signal-return trampoline.
// NOTE(review): presumably `libc-signal-mode` routes signal installation
// through libc instead — confirm against the `signal_install` module.
#[cfg(all(feature = "libc-signal-mode", feature = "compile-time-config"))]
compile_error!(
    "`libc-signal-mode` cannot be combined with `compile-time-config` \
     — Class-A safety-critical builds intentionally retain end-to-end \
     kernel-ABI ownership via the inline-asm signal-return trampoline. \
     See book/src/architecture/signal-install.md for the supported \
     feature matrix."
);

// Plaintext UDP is rejected for Class-A builds because beats on that
// transport carry no per-datagram authentication or replay protection, so the
// observer cannot tell a genuine beat from a forged one (see the message).
//
// This guard covers the Class-A combination only.  In every other profile
// `unsafe-plaintext-udp` still compiles and this crate root re-exports
// `UdpListener`, so those deployments carry the same forged-beat exposure and
// need their own control (for example the `secure-udp` transport named below).
#[cfg(all(feature = "unsafe-plaintext-udp", feature = "compile-time-config"))]
compile_error!(
    "`unsafe-plaintext-udp` cannot be combined with `compile-time-config` \
     — plaintext UDP has no per-datagram authentication or replay \
     protection, so a network attacker can suppress stall detection by \
     forging beats.  Class-A safety-critical (mission-critical) builds \
     must use `secure-udp` for any UDP transport.  See \
     book/src/architecture/safety-profiles.md for the supported feature \
     matrix."
);

pub mod audit;
pub mod clock;
pub mod config;
pub mod exporter;
pub mod hw_watchdog;
pub mod listener;
pub mod log;
pub mod log_ratelimit;
mod nonblock_fd;
pub mod notify;
pub mod observer;
pub mod peer_cred;
pub mod pid_max;
pub mod signal_install;
// When `fuzzing` is on, bounded-collection modules are exposed as
// public so the `fuzz/` crate can drive them directly through
// `varta_watch::__fuzz_internals::*`. The names stay namespaced under
// `__fuzz_internals` so accidental external use is loud.
//
// Normal builds: the three table modules are private.  `ip_state_table` is
// compiled only together with `prometheus-exporter`; the other two are always
// compiled.
#[cfg(all(feature = "prometheus-exporter", not(feature = "fuzzing")))]
mod ip_state_table;
#[cfg(not(feature = "fuzzing"))]
mod outstanding_table;
#[cfg(not(feature = "fuzzing"))]
mod probe_table;
// Not part of the fuzzing switch; `recovery` is public in every build.
pub mod recovery;

// Fuzzing builds: the same source files are compiled again as `pub` modules.
// Each `#[path]` names the file the module would resolve to by default, so
// only the visibility differs from the private declarations above.
//
// NOTE(review): two things differ from the normal build beyond visibility.
// (1) `ip_state_table` is compiled here without the `prometheus-exporter`
// condition, so a fuzzing build must compile it with that feature off —
// confirm the module has no dependency on exporter-only items.
// (2) The modules are `pub` at the crate root, so in a fuzzing build they are
// reachable as `varta_watch::probe_table` and so on, not only through
// `__fuzz_internals`; the namespacing is a convention, not an enforced
// boundary.
#[cfg(feature = "fuzzing")]
#[path = "ip_state_table.rs"]
pub mod ip_state_table;
#[cfg(feature = "fuzzing")]
#[path = "outstanding_table.rs"]
pub mod outstanding_table;
#[cfg(feature = "fuzzing")]
#[path = "probe_table.rs"]
pub mod probe_table;

/// Test-only: stable namespace for the fuzz-only re-exports.
///
/// Exists only when the `fuzzing` feature is enabled and re-exports the three
/// bounded-collection table modules under one path for the fuzz harness.
// NOTE(review): `fuzzing` is an ordinary Cargo feature, and no guard visible
// in this file rejects it together with `compile-time-config`.  Confirm that
// release and Class-A build lines cannot enable it, since it widens the
// public API of the crate.  This module also lacks the `#[doc(hidden)]` that
// `__test_signal_abi` carries — check whether that difference is intended.
#[cfg(feature = "fuzzing")]
pub mod __fuzz_internals {
    // Re-export the modules themselves, so callers write
    // `__fuzz_internals::probe_table::...`.
    pub use crate::ip_state_table;
    pub use crate::outstanding_table;
    pub use crate::probe_table;
}

/// Test-only: expose the Linux kernel-ABI signal structs and syscall wrapper
/// so integration tests can consume the *real* definitions instead of
/// maintaining parallel duplicates. Gated to `test-hooks` (which CI always
/// enables for the integration-test binary) or `test` cfg, and compiled out
/// entirely when `libc-signal-mode` is enabled.
///
/// The re-export itself is Linux-only; on other targets the module exists but
/// is empty.
///
/// Mirrors the `__fuzz_internals` pattern used for bounded-collection modules.
// NOTE(review): `test-hooks` is an ordinary Cargo feature, so any build line
// or dependent crate can turn it on, and no guard visible in this file
// rejects it together with `compile-time-config`.  Confirm that production
// and Class-A builds cannot enable it, because it makes a raw syscall wrapper
// part of the public API.
#[cfg(all(any(test, feature = "test-hooks"), not(feature = "libc-signal-mode")))]
#[doc(hidden)]
pub mod __test_signal_abi {
    // Glob re-export: everything `test_abi` declares public becomes reachable
    // here, so additions to that module widen this surface automatically.
    #[cfg(target_os = "linux")]
    pub use crate::signal_install::linux::test_abi::*;
}
pub mod tracker;

#[cfg(feature = "secure-udp")]
pub mod secure_listener;

pub use clock::{Clock, ClockError, ClockSource};
pub use config::{Config, ConfigError};
#[cfg(feature = "prometheus-exporter")]
pub use exporter::PromExporter;
pub use exporter::{Exporter, FileExporter};
pub use listener::{BeatListener, PreThreadAttestation, TransportTrust, UdsListener};
pub use observer::{Event, Observer};
pub use peer_cred::BeatOrigin;
pub use recovery::{Recovery, RecoveryOutcome};
pub use tracker::{EvictionPolicy, Slot, Tracker, Update};

#[cfg(feature = "unsafe-plaintext-udp")]
pub use listener::UdpListener;

#[cfg(feature = "secure-udp")]
pub use secure_listener::SecureUdpListener;