running_process/broker/mod.rs
1//! v1 broker module — schemas are FROZEN FOREVER once v1.0 ships.
2//!
3//! Phase 0 of #228: this module exposes the prost-generated wire types
4//! (envelope, manifest, service definition) for every later phase to
5//! depend on. No consumers ship yet — Phases 1+ wire them in.
6//!
7//! See `proto/broker_v1_*.proto` and the parent issue for the rationale
8//! behind every field number and `reserved` range.
9
10pub mod backend_handle;
11pub mod backend_lib;
12pub mod backend_lifecycle;
13pub mod backend_sdk;
14pub mod capabilities;
15pub mod client;
16pub mod doctor;
17pub mod fs_health;
18pub mod host_identity;
19pub mod lifecycle;
20pub mod manifest;
21pub mod protocol;
22pub(crate) mod secure_dir;
23pub mod server;
24
25/// Framing byte for every v1 broker connection. Wire layout:
26/// `[u8 framing_version=1][u32 LE body_length][prost body]`.
27///
28/// THIS BYTE is the truly-frozen-forever invariant — see #228
29/// "Frozen-forever commitments" section. A v2 client connecting to a
30/// v1 broker writes `[1][len][v2-shaped Hello]`; the v1 broker reads
31/// the framing byte and decides whether to decode or `Refused` with
32/// `ERROR_VERSION_UNSUPPORTED`.
33pub const FRAMING_VERSION_V1: u8 = 1;
34
35/// Hard ceiling on any single broker frame. Broker disconnects on
36/// overflow. See #228 "Wire-level commitments".
37pub const MAX_FRAME_SIZE_BYTES: usize = 16 * 1024 * 1024;
38
39/// Hard ceiling on the Hello envelope specifically. Broker returns
40/// `Refused` on overflow. See #228 "Wire-level commitments".
41pub const MAX_HELLO_SIZE_BYTES: usize = 64 * 1024;
42
43/// Upper bound on a LifecycleEvent's prost-encoded size, set to the
44/// minimum POSIX `PIPE_BUF` so atomic-append into the event log is
45/// guaranteed on every platform. Linux raises this to 4096 in practice,
46/// but the cross-platform floor is 512.
47pub const LIFECYCLE_EVENT_PIPE_BUF_FLOOR: usize = 512;