Signal delivery + HMAC secret rotation for the Postgres backend.
Wave 4 Agent D (RFC-v0.7 v0.7 migration-master).
Scope note. The Wave-4 brief asks for an 8-method
suspend+signal family. The actual EngineBackend trait today
exposes 6 of those (suspend, observe_signals,
list_suspended, claim_resumed_execution, deliver_signal,
rotate_waitpoint_hmac_secret_all); try_suspend and the
single-partition rotate_waitpoint_hmac_secret are not on the
trait surface. Extending the trait touches every parallel Wave-4
agent’s compile graph and needs owner adjudication, so this
tranche ships the in-trait method that is fully standalone
(rotate_waitpoint_hmac_secret_all) plus the primitives the
other 5 methods will consume in a follow-up:
- `hmac_sign` / `hmac_verify` - first Rust-side HMAC code in the workspace. The Valkey backend signs inside Lua; this module owns server-side signing on the Postgres path.
- `SERIALIZABLE_RETRY_BUDGET` - the Q11 retry cap used by the suspend / deliver_signal SERIALIZABLE sites when those land.
- `current_active_kid` / `fetch_kid` - keystore helpers.
- `rotate_waitpoint_hmac_secret_all_impl` - Q4 single-global-row write + active-flag flip. Wired into `EngineBackend` in `crate::lib.rs`.
HMAC sign/verify primitives live here (not in ff-core) so the
Cargo.toml delta stays scoped to this crate while parallel Wave-4
agents are churning ff-core. A follow-up can hoist the primitive
into ff_core::waitpoint_hmac once both backends converge.
Enums
- `HmacVerifyError` - Errors from `hmac_verify`. Callers map these onto `EngineError::Validation(InvalidToken)` at the trait boundary.
Constants
- `SERIALIZABLE_RETRY_BUDGET` - Q11 retry budget for SERIALIZABLE transactions. On retry exhaustion the suspend / deliver_signal call sites are expected to return `EngineError::Contention(LeaseConflict)` so the reconciler (or calling worker) reconstructs intent rather than spinning in-process.
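The retry contract described for `SERIALIZABLE_RETRY_BUDGET` and `is_retryable_serialization`, as an added illustration in Python rather than the crate's Rust (this is not ff-postgres code). The `DbError` class stands in for the sqlx error type and carries a Postgres SQLSTATE; the retryable set is the two codes Postgres raises for serialization failure (`40001`) and deadlock (`40P01`); `Contention` stands in for `EngineError::Contention(LeaseConflict)`; the budget value of 3 and the reading of the budget as "total attempts" are assumptions, not the crate's values.

```python
from dataclasses import dataclass
from typing import Any, Callable

SERIALIZABLE_RETRY_BUDGET = 3  # assumed value for this illustration; the crate sets its own

# Postgres SQLSTATEs for which the whole transaction is safe to re-run from the top.
RETRYABLE_SQLSTATES = {
    "40001",  # serialization_failure
    "40P01",  # deadlock_detected
}


class DbError(Exception):
    """Stand-in for the driver error type; carries the Postgres SQLSTATE."""

    def __init__(self, sqlstate: str, detail: str = ""):
        super().__init__(detail or sqlstate)
        self.sqlstate = sqlstate


def is_retryable_serialization(err: BaseException) -> bool:
    """True iff err is a serialization or deadlock fault; anything else is fatal."""
    return isinstance(err, DbError) and err.sqlstate in RETRYABLE_SQLSTATES


@dataclass(frozen=True)
class Contention:
    """Stand-in for EngineError::Contention(LeaseConflict): returned once the budget is
    spent so the caller reconstructs intent instead of spinning in-process."""
    attempts: int
    last_sqlstate: str


def run_serializable(tx_fn: Callable[[], Any], budget: int = SERIALIZABLE_RETRY_BUDGET):
    """Run tx_fn (one SERIALIZABLE transaction attempt) at most `budget` times.
    Budget counts total attempts here (an assumption about the crate's semantics).
    Retryable faults are retried, fatal errors propagate unchanged, and exhaustion
    returns Contention rather than raising."""
    attempt = 0
    while True:
        attempt += 1
        try:
            return tx_fn()
        except Exception as err:
            if not is_retryable_serialization(err):
                raise  # fatal: surface immediately, never retry
            if attempt >= budget:
                return Contention(attempts=attempt, last_sqlstate=err.sqlstate)


def flaky_tx(failures: int, result: str = "committed") -> Callable[[], str]:
    """Constructed transaction that raises serialization_failure `failures` times, then commits."""
    remaining = [failures]

    def tx() -> str:
        if remaining[0] > 0:
            remaining[0] -= 1
            raise DbError("40001", "could not serialize access due to concurrent update")
        return result

    return tx


def fatal_tx() -> str:
    """Constructed transaction that fails with a non-retryable unique violation."""
    raise DbError("23505", "duplicate key value violates unique constraint")


if __name__ == "__main__":
    print(run_serializable(flaky_tx(2)))  # commits on the third attempt
    print(run_serializable(flaky_tx(5)))  # budget spent: Contention(attempts=3, ...)
```

The distinction the loop enforces is the one the description asks for: a serialization or deadlock fault is re-run inside the budget, any other database error is surfaced on the first occurrence, and running out of budget is reported as a value the caller must act on, not as an exception it might swallow and retry again.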
Functions
- `current_active_kid` - Resolve the currently-active HMAC secret (kid + bytes) from `ff_waitpoint_hmac`. Returns `Ok(None)` when the keystore is empty (bootstrap race); callers treat that as a state error.
- `fetch_kid` - Fetch a specific kid's secret. Returns `Ok(None)` when the kid is unknown. Includes inactive kids (inside the rotation grace window).
- `hmac_sign` - HMAC-SHA256 signature over `kid || ":" || message`. Returns a `kid:hex` token. Matches the conceptual shape of the Valkey Lua signer (`kid:40hex`); SHA256 rather than SHA1 so we use the stdlib-friendly primitive. The two backends never cross-verify tokens.
- `hmac_verify` - Verify a `kid:hex` token. Returns `Ok(())` iff the digest matches `secret` over `message`. Constant-time via `hmac::Mac::verify_slice`.
- `is_retryable_serialization` - True iff `err` is a retryable serialization/deadlock fault. Exposed for callers that run their own SERIALIZABLE-tx retry loop and need to tell retryable from fatal on sqlx errors.
- `rotate_waitpoint_hmac_secret_all_impl` - Implementation of `EngineBackend::rotate_waitpoint_hmac_secret_all`.
- `seed_waitpoint_hmac_secret_impl` - Implementation of `EngineBackend::seed_waitpoint_hmac_secret` (issue #280).
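The token shape, the constant-time verify and the keystore semantics the function list describes (`hmac_sign` / `hmac_verify`, `current_active_kid` / `fetch_kid`, and the rotate-all active-flag flip), as an added illustration in Python rather than the crate's Rust; this is not ff-postgres code. The in-memory `Keystore` stands in for the `ff_waitpoint_hmac` table; `hmac.compare_digest` plays the role of `hmac::Mac::verify_slice`; the `HmacVerifyError` variant names (`Malformed`, `UnknownKid`, `Mismatch`), the `issue_token` / `check_token` wrappers and the example message bytes are constructed for this example and do not come from the page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


class HmacVerifyError(Exception):
    """Token rejected. The variant names used below (Malformed, UnknownKid, Mismatch) are assumed."""


def hmac_sign(kid: str, secret: bytes, message: bytes) -> str:
    """HMAC-SHA256 over kid || ":" || message, returned as a "kid:hex" token."""
    mac = hmac.new(secret, kid.encode() + b":" + message, hashlib.sha256)
    return f"{kid}:{mac.hexdigest()}"


def parse_token(token: str) -> Tuple[str, bytes]:
    """Split "kid:hex" into (kid, digest bytes); the hex part is always the last ':'-field."""
    kid, sep, digest_hex = token.rpartition(":")
    if not sep or not kid or len(digest_hex) != 64:
        raise HmacVerifyError("Malformed")
    try:
        return kid, bytes.fromhex(digest_hex)
    except ValueError:
        raise HmacVerifyError("Malformed") from None


def hmac_verify(token: str, secret: bytes, message: bytes) -> None:
    """Succeeds (returns None) iff the token's digest matches secret over message.
    hmac.compare_digest is the constant-time comparison, as verify_slice is in the Rust crate."""
    kid, digest = parse_token(token)
    expected = hmac.new(secret, kid.encode() + b":" + message, hashlib.sha256).digest()
    if not hmac.compare_digest(digest, expected):
        raise HmacVerifyError("Mismatch")


@dataclass
class Keystore:
    """In-memory stand-in for ff_waitpoint_hmac: kid -> (secret, active flag).
    Exactly one row is active; older rows stay readable during the rotation grace window."""
    rows: Dict[str, Tuple[bytes, bool]] = field(default_factory=dict)

    def current_active_kid(self) -> Optional[Tuple[str, bytes]]:
        """The active (kid, secret), or None when the keystore is empty (bootstrap race)."""
        for kid, (secret, active) in self.rows.items():
            if active:
                return kid, secret
        return None

    def fetch_kid(self, kid: str) -> Optional[bytes]:
        """Secret for a kid, active or inactive; None when the kid is unknown."""
        row = self.rows.get(kid)
        return row[0] if row else None

    def rotate_all(self, new_kid: str, new_secret: Optional[bytes] = None) -> str:
        """Single global write: insert the new kid as active and flip every other row inactive.
        Seeding an empty keystore is the same operation with no rows to flip."""
        secret = new_secret if new_secret is not None else secrets.token_bytes(32)
        self.rows = {kid: (sec, False) for kid, (sec, _) in self.rows.items()}
        self.rows[new_kid] = (secret, True)
        return new_kid


def issue_token(store: Keystore, message: bytes) -> str:
    """Sign with the active secret; an empty keystore is a state error, not a token."""
    active = store.current_active_kid()
    if active is None:
        raise RuntimeError("keystore empty: seed a secret before issuing tokens")
    kid, secret = active
    return hmac_sign(kid, secret, message)


def check_token(store: Keystore, token: str, message: bytes) -> str:
    """Resolve the token's kid (grace-window kids included), verify, and return the kid used."""
    kid, _ = parse_token(token)
    secret = store.fetch_kid(kid)
    if secret is None:
        raise HmacVerifyError("UnknownKid")
    hmac_verify(token, secret, message)
    return kid


if __name__ == "__main__":
    store = Keystore()
    store.rotate_all("k1", b"constructed-secret-one")  # seeding: first row becomes active
    msg = b"execution-42:waitpoint-7"  # constructed message bytes
    tok = issue_token(store, msg)
    store.rotate_all("k2")  # rotation: k2 signs from now on, k1 still verifies
    print(tok, "->", check_token(store, tok, msg))
```

Two properties worth checking against any real implementation of this scheme: a token issued under the previous kid must keep verifying after a rotation (otherwise in-flight waitpoints are orphaned the moment the secret flips), and a token whose kid is unknown, whose digest is malformed, or whose message does not match must be rejected before any variable-time work happens on the digest.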