Skip to main content

osproxy_control/
lib.rs

1//! Control plane.
2//!
3//! The operator/automation-driven side of the proxy (`docs/06` §5): it owns the
4//! **migration state transitions** and the fleet-safe protocol that flips a
5//! partition's placement without a window where any instance writes to the wrong
6//! cluster. It does not handle request traffic.
7//!
8//! Proxy instances poll the shared placement backend *fresh on every request*
9//! (no cached migration decision), so the backend is the single synchronized
10//! source of truth. The [`ControlPlane`] drives migrations through that backend
11//! (the [`MigrationStore`] seam) and holds a **drain barrier** between cutover
12//! and completion so in-flight writes cannot land after the flip.
13//!
14//! The in-memory backend is the M1
15//! [`PlacementTable`](osproxy_tenancy::PlacementTable); distributed watched
16//! stores (etcd/Consul/Redis/OS index) implement the same [`MigrationStore`]
17//! contract in M7 without changing the control protocol.
18//!
19//! It also owns [`CursorAffinity`], the bounded, TTL'd `cursor_id -> cluster`
20//! map that pins scroll/PIT follow-ups to their creating cluster (`docs/03` §6).
21#![deny(missing_docs)]
22
23mod affinity;
24mod migration;
25
26pub use affinity::{Affinity, CursorAffinity, DEFAULT_CAPACITY, DEFAULT_CURSOR_TTL};
27pub use migration::{ControlError, ControlPlane, MigrationStore, DEFAULT_DRAIN_BARRIER};