A single migration step. Banks store these in source control alongside
the schema; the runner applies any rows in migrations not yet present
in cratestack_migrations. down is recorded but the runner doesn’t
call it — irreversible-by-default is the safe banking posture.
DDL for the audit log table. Banks typically run migrations through their
own tooling — this DDL is exposed so the crate::SqlxRuntime can
idempotently ensure the table exists during bootstrap.
Accessor for a model’s primary key. Implemented by the macro on every
generated model struct so the batch operations can pair returned rows
back to the position of their input PK in the request, producing a
BatchItemResult with the right index and a NotFound entry for any
requested PK that didn’t come back.
Input shape for the upsert primitive — INSERT … ON CONFLICT (<pk>) DO UPDATE …. sql_values() must include the primary-key column (so the
backend can target the conflict), and primary_key_value() exposes the
PK separately so the runtime can issue a SELECT … FOR UPDATE before
the upsert to drive Created vs. Updated event / audit semantics.
Apply every pending migration in the input slice, in order. Each
migration runs inside its own transaction; checksum drift aborts the
whole apply (banks treat drift as a release-process failure to be
resolved by humans, not silently overwritten).
Compute when a record originally captured at created_at will expire.
Pulled out for unit-test reach; the SystemTime arithmetic is otherwise
awkward to assert against without a clock injection point.
Extract the primary-key field from a serialized model snapshot. Used to
stamp audit events with a stable identifier even when the schema doesn’t
surface the PK column verbatim in the response (e.g. policy-stripped).
Begin a transaction at the requested isolation level, run body against
the live transaction, and commit. On 40001 (serialization_failure) or
40P01 (deadlock_detected) the transaction is rolled back and the body
runs again, up to MAX_RETRIES_DEFAULT times. Other errors propagate
immediately.
Same as run_in_isolated_tx but with a caller-chosen retry budget.
Banks running long-tail contended writes sometimes want a higher cap
(5–10); single-row CAS workflows can drop to 1 to fail fast.
Convert a model into the JSON snapshot used by the audit log. Returns
None if the model isn’t serializable; that should never happen for
generated models which derive Serialize, but we degrade gracefully
rather than panic.
Inspect each migration in migrations against cratestack_migrations
and report which are pending / applied / drifted. Use before apply to
surface drift to the operator without changing state.