Expand description
Environment persistence (A2 of plans/next-gen-deployment.md).
Public surface:
EnvironmentStore— local-FS persistence traitLocalFsStore— concrete impl rooted at~/.greentic/environments/StoreError— typed errorsEnvFlock— RAII per-env exclusive lock (re-exported for transactional callers)atomic_write_json,atomic_write_bytes,copy_to_backup— primitivesmint_revision_id,mint_deployment_id— ULID generators
Re-exports§
pub use atomic_write::AtomicWriteError;pub use atomic_write::atomic_write_bytes;pub use atomic_write::atomic_write_json;pub use atomic_write::copy_to_backup;pub use audit::AUDIT_EVENT_SCHEMA_V1;pub use audit::AuditError;pub use audit::AuditLog;pub use audit::POLICY_LOCAL_OWNER;pub use audit::current_local_actor;pub use bootstrap::EnsureLocalEnvironmentPayload;pub use bootstrap::LocalEnvOutcome;pub use bundle_deployment::BundleDeploymentError;pub use bundle_deployment::RevenuePolicyVersion;pub use bundle_deployment::write_revenue_policy_version;pub use file_lock::EnvFlock;pub use file_lock::LockError;pub use http_store::AuthMethod;pub use http_store::ConstructionError;pub use http_store::HttpEnvironmentStore;pub use lifecycle::LifecycleError;pub use lifecycle::apply_revision_transition;pub use lifecycle::apply_revision_transition_with_health_gate;pub use messaging::MessagingEndpointIndexEntry;pub use messaging::materialize_messaging_index;pub use mutations::EnvironmentMutations;pub use reads::EnvironmentReads;pub use runtime_config::materialize_runtime_config;pub use snapshot::SnapshotId;pub use snapshot::restore_environment;pub use snapshot::snapshot_environment;pub use store::EnvironmentStore;pub use store::LocalFsStore;pub use store::Locked;pub use store::StoreError;pub use trust_root::TRUST_ROOT_FILE;pub use trust_root::TrustRootError;pub use trust_root::add_trusted_key;pub use trust_root::load as load_trust_root;pub use trust_root::remove_trusted_key;pub use trust_root::trust_root_path;
Modules§
- atomic_
write - Atomic file write helpers for the
EnvironmentStore. - audit
- Append-only audit log + local authorization policy (
A7). - bootstrap
- Bootstrap types for [
super::mutations_local::LocalFsStore::ensure_local_environment]. - bundle_
deployment BundleDeploymentlifecycle helpers (B10 ofplans/next-gen-deployment.md).- file_
lock - Per-env exclusive file lock used by
LocalFsStore. - http_
store HttpEnvironmentStore— remote HTTP-backed implementation ofEnvironmentMutations.- lifecycle
- Revision-lifecycle storage guard (A5 of
plans/next-gen-deployment.md). - messaging
- Messaging-endpoint projection producer (
Phase M1.2). - mutations
EnvironmentMutations— typed-verb trait for state mutations on a Greentic environment.- mutations_
local EnvironmentMutations-trait-shaped inherent methods onLocalFsStore.- reads
- Read-only environment views shared by the local and remote stores.
- runtime_
config - Runtime-config producer (B4 of
plans/next-gen-deployment.md). - snapshot
- Whole-environment snapshot/restore (P0b of the Greentic updater).
- store
EnvironmentStoretrait +LocalFsStorefilesystem implementation perplans/next-gen-deployment.mdA2.- trust_
root - Per-environment trust-root persistence (C2 of
plans/next-gen-deployment.md).
Structs§
- Actor
- Who performed the mutation.
kindis a string (one valuelocal-usertoday; A8’s remote path adds service/operator kinds). - AddBundle
Payload - Inputs to
EnvironmentMutations::add_bundle, and the A8POST /environments/{env}/bundlesrequest body. - AddMessaging
Endpoint Payload - Inputs to
EnvironmentMutations::add_messaging_endpoint, and the A8POST /environments/{env}/messagingrequest body. - Apply
Traffic Split Outcome - Outcome of
EnvironmentMutations::set_traffic_split, and the A8 response body. Carries the post-apply split, the generation transition for audit/observability, and the post-mutation env snapshot (the operator CLI emitsTrafficSplitAppliedtelemetry from it — tenant attribution without a re-read, identical local and remote). - Audit
Event - One append-only audit record. Covers every field plan §389 requires.
- Extension
Key (kind_path, instance_id)composite key identifying one extension binding inEnvironment::extensions.kind_pathis the canonicalExtensionKind::path()form (e.g."capability/memory/long-term").- Health
Gate Failure - Why a warm/ready health gate rejected a revision. Shipped by the deployer
CLI inside
WarmRevisionPayload(the gate is evaluated client-side — closures don’t cross the A8 wire) and surfaced insideRevisionLifecycleError::HealthGateFailedafter the transform has flipped the revision’s lifecycle toFailed. - Migrate
Merge Payload - Inputs to
EnvironmentMutations::migrate_merge_bindings, and the A8POST /environments/{env_id}/migrate-bindingsrequest body. - Migrate
Seed Payload - Optional seed payload for
EnvironmentMutations::migrate_merge_bindings. Supplied when the caller wants the impl to atomically create the target env (using these fields) if it doesn’t exist yet, then merge the bindings into it. Mirrors the seed-from-source behavior ofop env migrate-devwhere the source’s host config + policy state ride along onto the freshly created target. - Remove
Bundle Outcome - Outcome of
EnvironmentMutations::remove_bundle, and the A8DELETEresponse body. Surfaces the archived revisions pruned alongside the deployment so the destructive side effect is explicit on the contract — the CLI records the IDs in the audit target, and HTTP backends can apply a separate authorization check against the prune set before committing. - Revenue
Policy Predicate - Predicate body recorded inside the DSSE Statement. Mirrors the
document’s identity fields so a reader of the
.sigenvelope alone can see what the signature covers without openingvN.json. - Revision
Transition Outcome - Outcome of the warm/drain/archive verbs, and the A8 response body for their routes. Carries the post-transition revision, the environment after the mutation, and the starting lifecycle (the archive eviction-vs-retirement discriminator in the deployer CLI’s telemetry emit).
- Rollback
Traffic Split Outcome - Outcome of
EnvironmentMutations::rollback_traffic_split, and the A8 response body. A rollback always advances the generation, so both generations are unconditional. - SetMessaging
Welcome Flow Payload - Inputs to
EnvironmentMutations::set_messaging_welcome_flow, and the A8POST /environments/{env}/messaging/{eid}/welcome-flowrequest body (endpoint_idrides in the body too — the server cross-checks it against the URL segment). - SetTraffic
Split Payload - Inputs to
EnvironmentMutations::set_traffic_split, and the A8POST /environments/{env_id}/trafficrequest body (field set pinned by the PR-3b client’sSetTrafficSplitRequest). The A8 idempotency key is NOT a field — it rides the HTTP header and the engine parameter, because the traffic group persists it intoTrafficSplit::idempotency_key. - Stage
Revision Payload - Inputs to
EnvironmentMutations::stage_revision, and the A8POST /environments/{env_id}/revisionsrequest body. - Trust
Root AddOutcome - Outcome of
EnvironmentMutations::add_trusted_key. The store returns typed data so every backend stays uniform; the CLI shapes the wire JSON (addingenvironment_idfrom the caller’s request context). - Trust
Root Document - Document envelope wrapping the distributor-client trust-root. Identical
shape whether serialized to
trust-root.jsonor a database column. - Trust
Root Remove Outcome - Outcome of
EnvironmentMutations::remove_trusted_key.removed_public_key_pemisNonewhen the key was already absent (silent no-op); the HTTP backend MUST cache the originalSome(pem)against the idempotency key so a retry returns the original PEM rather thanNone. - Trust
Root Seed - Outcome of seeding the bootstrap trust root for an env (the operator signing key for revenue policies and other env-scoped DSSE artifacts).
- Update
Bundle Payload - Inputs to
EnvironmentMutations::update_bundle, and the A8PATCH /environments/{env}/bundles/{deployment_id}request body (deployment_idrides in the body too — the server cross-checks it against the URL segment). - Update
Environment Payload - Optional-field patch for
EnvironmentMutations::update_environment, and the A8PATCH /environments/{env_id}request body. Replaces the earlierset_public_urlandset_configverbs — both were strict subsets of this patch shape, so collapsing them removes two HTTP endpoints and two impl bodies that would drift over time. - Warm
Revision Payload - Inputs to
EnvironmentMutations::warm_revision, and the A8POST /environments/{env_id}/revisions/{rid}/warmrequest body (revision_idrides in the body too — the server cross-checks it against the URL).
Enums§
- Audit
Decision - Authorization (RBAC) decision. Phase A uses the
local-onlypolicy; A8’s remote store returns the same shape from its RBAC engine. - Audit
Result - Outcome of the mutation as recorded in the audit event.
- Field
Update - Tri-state field for
UpdateEnvironmentPayload: callers can keep the existing value, set a new one, or clear an optional field back toNone. - Health
Check Id - Identifies which health-gate check failed in
HealthGateFailure.
Constants§
- POLICY_
LOCAL_ ONLY - Phase A authorization policy identifier (
AuditDecision.policy). - REVENUE_
POLICY_ PREDICATE_ TYPE_ V1 - Predicate type discriminator for the revenue-policy DSSE statement.
- TRUST_
ROOT_ SCHEMA_ V1 - Schema discriminator for the trust-root document.
Functions§
- mint_
deployment_ id - Mint a fresh
DeploymentId(ULID). Wrapper kept here so call sites do not need a direct dependency on the spec crate. - mint_
revision_ id - Mint a fresh
RevisionId(ULID). Wrapper kept here so call sites do not need a direct dependency on the spec crate.