Skip to main content

Module environment

Module environment 

Source
Expand description

Environment persistence (A2 of plans/next-gen-deployment.md).

Public surface:

Re-exports§

pub use atomic_write::AtomicWriteError;
pub use atomic_write::atomic_write_bytes;
pub use atomic_write::atomic_write_json;
pub use atomic_write::copy_to_backup;
pub use audit::AUDIT_EVENT_SCHEMA_V1;
pub use audit::AuditError;
pub use audit::AuditLog;
pub use audit::POLICY_LOCAL_OWNER;
pub use audit::authorize_local_owner;
pub use audit::current_local_actor;
pub use bootstrap::EnsureLocalEnvironmentPayload;
pub use bootstrap::LocalEnvOutcome;
pub use bundle_deployment::BundleDeploymentError;
pub use bundle_deployment::RevenuePolicyVersion;
pub use bundle_deployment::write_revenue_policy_version;
pub use file_lock::EnvFlock;
pub use file_lock::LockError;
pub use http_store::AuthMethod;
pub use http_store::ConstructionError;
pub use http_store::HttpEnvironmentStore;
pub use lifecycle::LifecycleError;
pub use lifecycle::apply_revision_transition;
pub use lifecycle::apply_revision_transition_with_health_gate;
pub use messaging::MessagingEndpointIndexEntry;
pub use messaging::materialize_messaging_index;
pub use mutations::EnvironmentMutations;
pub use reads::EnvironmentReads;
pub use runtime_config::materialize_runtime_config;
pub use snapshot::SnapshotId;
pub use snapshot::restore_environment;
pub use snapshot::snapshot_environment;
pub use store::EnvironmentStore;
pub use store::LocalFsStore;
pub use store::Locked;
pub use store::StoreError;
pub use trust_root::TRUST_ROOT_FILE;
pub use trust_root::TrustRootError;
pub use trust_root::add_trusted_key;
pub use trust_root::load as load_trust_root;
pub use trust_root::remove_trusted_key;
pub use trust_root::trust_root_path;

Modules§

atomic_write
Atomic file write helpers for the EnvironmentStore.
audit
Append-only audit log + local authorization policy (A7).
bootstrap
Bootstrap types for [super::mutations_local::LocalFsStore::ensure_local_environment].
bundle_deployment
BundleDeployment lifecycle helpers (B10 of plans/next-gen-deployment.md).
file_lock
Per-env exclusive file lock used by LocalFsStore.
http_store
HttpEnvironmentStore — remote HTTP-backed implementation of EnvironmentMutations.
lifecycle
Revision-lifecycle storage guard (A5 of plans/next-gen-deployment.md).
messaging
Messaging-endpoint projection producer (Phase M1.2).
mutations
EnvironmentMutations — typed-verb trait for state mutations on a Greentic environment.
mutations_local
EnvironmentMutations-trait-shaped inherent methods on LocalFsStore.
reads
Read-only environment views shared by the local and remote stores.
runtime_config
Runtime-config producer (B4 of plans/next-gen-deployment.md).
snapshot
Whole-environment snapshot/restore (P0b of the Greentic updater).
store
EnvironmentStore trait + LocalFsStore filesystem implementation per plans/next-gen-deployment.md A2.
trust_root
Per-environment trust-root persistence (C2 of plans/next-gen-deployment.md).

Structs§

Actor
Who performed the mutation. kind is a string (one value local-user today; A8’s remote path adds service/operator kinds).
AddBundlePayload
Inputs to EnvironmentMutations::add_bundle, and the A8 POST /environments/{env}/bundles request body.
AddMessagingEndpointPayload
Inputs to EnvironmentMutations::add_messaging_endpoint, and the A8 POST /environments/{env}/messaging request body.
ApplyTrafficSplitOutcome
Outcome of EnvironmentMutations::set_traffic_split, and the A8 response body. Carries the post-apply split, the generation transition for audit/observability, and the post-mutation env snapshot (the operator CLI emits TrafficSplitApplied telemetry from it — tenant attribution without a re-read, identical local and remote).
AuditEvent
One append-only audit record. Covers every field plan §389 requires.
ExtensionKey
(kind_path, instance_id) composite key identifying one extension binding in Environment::extensions. kind_path is the canonical ExtensionKind::path() form (e.g. "capability/memory/long-term").
HealthGateFailure
Why a warm/ready health gate rejected a revision. Shipped by the deployer CLI inside WarmRevisionPayload (the gate is evaluated client-side — closures don’t cross the A8 wire) and surfaced inside RevisionLifecycleError::HealthGateFailed after the transform has flipped the revision’s lifecycle to Failed.
MigrateMergePayload
Inputs to EnvironmentMutations::migrate_merge_bindings, and the A8 POST /environments/{env_id}/migrate-bindings request body.
MigrateSeedPayload
Optional seed payload for EnvironmentMutations::migrate_merge_bindings. Supplied when the caller wants the impl to atomically create the target env (using these fields) if it doesn’t exist yet, then merge the bindings into it. Mirrors the seed-from-source behavior of op env migrate-dev where the source’s host config + policy state ride along onto the freshly created target.
RemoveBundleOutcome
Outcome of EnvironmentMutations::remove_bundle, and the A8 DELETE response body. Surfaces the archived revisions pruned alongside the deployment so the destructive side effect is explicit on the contract — the CLI records the IDs in the audit target, and HTTP backends can apply a separate authorization check against the prune set before committing.
RevenuePolicyPredicate
Predicate body recorded inside the DSSE Statement. Mirrors the document’s identity fields so a reader of the .sig envelope alone can see what the signature covers without opening vN.json.
RevisionTransitionOutcome
Outcome of the warm/drain/archive verbs, and the A8 response body for their routes. Carries the post-transition revision, the environment after the mutation, and the starting lifecycle (the archive eviction-vs-retirement discriminator in the deployer CLI’s telemetry emit).
RollbackTrafficSplitOutcome
Outcome of EnvironmentMutations::rollback_traffic_split, and the A8 response body. A rollback always advances the generation, so both generations are unconditional.
SetMessagingWelcomeFlowPayload
Inputs to EnvironmentMutations::set_messaging_welcome_flow, and the A8 POST /environments/{env}/messaging/{eid}/welcome-flow request body (endpoint_id rides in the body too — the server cross-checks it against the URL segment).
SetTrafficSplitPayload
Inputs to EnvironmentMutations::set_traffic_split, and the A8 POST /environments/{env_id}/traffic request body (field set pinned by the PR-3b client’s SetTrafficSplitRequest). The A8 idempotency key is NOT a field — it rides the HTTP header and the engine parameter, because the traffic group persists it into TrafficSplit::idempotency_key.
StageRevisionPayload
Inputs to EnvironmentMutations::stage_revision, and the A8 POST /environments/{env_id}/revisions request body.
TrustRootAddOutcome
Outcome of EnvironmentMutations::add_trusted_key. The store returns typed data so every backend stays uniform; the CLI shapes the wire JSON (adding environment_id from the caller’s request context).
TrustRootDocument
Document envelope wrapping the distributor-client trust-root. Identical shape whether serialized to trust-root.json or a database column.
TrustRootRemoveOutcome
Outcome of EnvironmentMutations::remove_trusted_key. removed_public_key_pem is None when the key was already absent (silent no-op); the HTTP backend MUST cache the original Some(pem) against the idempotency key so a retry returns the original PEM rather than None.
TrustRootSeed
Outcome of seeding the bootstrap trust root for an env (the operator signing key for revenue policies and other env-scoped DSSE artifacts).
UpdateBundlePayload
Inputs to EnvironmentMutations::update_bundle, and the A8 PATCH /environments/{env}/bundles/{deployment_id} request body (deployment_id rides in the body too — the server cross-checks it against the URL segment).
UpdateEnvironmentPayload
Optional-field patch for EnvironmentMutations::update_environment, and the A8 PATCH /environments/{env_id} request body. Replaces the earlier set_public_url and set_config verbs — both were strict subsets of this patch shape, so collapsing them removes two HTTP endpoints and two impl bodies that would drift over time.
WarmRevisionPayload
Inputs to EnvironmentMutations::warm_revision, and the A8 POST /environments/{env_id}/revisions/{rid}/warm request body (revision_id rides in the body too — the server cross-checks it against the URL).

Enums§

AuditDecision
Authorization (RBAC) decision. Phase A uses the local-only policy; A8’s remote store returns the same shape from its RBAC engine.
AuditResult
Outcome of the mutation as recorded in the audit event.
FieldUpdate
Tri-state field for UpdateEnvironmentPayload: callers can keep the existing value, set a new one, or clear an optional field back to None.
HealthCheckId
Identifies which health-gate check failed in HealthGateFailure.

Constants§

POLICY_LOCAL_ONLY
Phase A authorization policy identifier (AuditDecision.policy).
REVENUE_POLICY_PREDICATE_TYPE_V1
Predicate type discriminator for the revenue-policy DSSE statement.
TRUST_ROOT_SCHEMA_V1
Schema discriminator for the trust-root document.

Functions§

mint_deployment_id
Mint a fresh DeploymentId (ULID). Wrapper kept here so call sites do not need a direct dependency on the spec crate.
mint_revision_id
Mint a fresh RevisionId (ULID). Wrapper kept here so call sites do not need a direct dependency on the spec crate.