
varta_watch/
lib.rs

1#![deny(missing_docs, unsafe_op_in_unsafe_fn, rust_2018_idioms)]
2#![forbid(clippy::dbg_macro, clippy::print_stdout)]
3// SAFETY: unsafe_code is legitimately required for FFI to kernel interfaces
4// (recvmsg/cmsg parsing in peer_cred.rs, umask in listener.rs).  All unsafe
5// sites are guarded by compile-time layout assertions and per-block SAFETY
6// comments.  The workspace-level deny forces us to explicitly opt in here.
7#![allow(unsafe_code)]
8
9//! Varta observer library — receive loop over configurable transport listeners,
10//! per-pid tracker, stall surface.
11//!
12//! This crate is the in-process kernel of `varta-watch`. The binary
13//! drives [`Observer::poll`] in a single thread and routes
14//! [`Event`] values to exporters and the recovery command. The protocol root
15//! is [`varta_vlp`]; nothing else is on the dependency surface.
16
// Class-A safety-critical builds (`compile-time-config`) intentionally have
// no /metrics endpoint, no HTTP server, no bearer-token loader, and no argv
// parser.  Combining `compile-time-config` with `prometheus-exporter` would
// link the HTTP server back into the binary, defeating the structural
// guarantee that the Class-A profile rests on.  The combination is rejected
// at compile time so a misconfigured build line fails loudly rather than
// producing a binary that silently fails the strings audit at deploy time.
//
// Cargo unifies features across the whole dependency graph, so each rejected
// pair below can also arise from two different dependents enabling one half
// each; the error fires regardless of which crate asked for the feature.
#[cfg(all(feature = "prometheus-exporter", feature = "compile-time-config"))]
compile_error!(
    "`prometheus-exporter` cannot be combined with `compile-time-config` \
     — Class-A safety-critical builds intentionally have no /metrics \
     surface.  See book/src/architecture/safety-profiles.md for the supported \
     feature matrix."
);

// Class-A builds keep the signal-return path (the inline-asm trampoline,
// presumably in `signal_install`) under this crate's own control so that the
// kernel ABI it relies on is fully auditable here.  `libc-signal-mode`
// presumably hands that path to libc instead — confirm against
// `signal_install` — which would break the end-to-end ownership claim, so
// the pair is rejected the same way.
#[cfg(all(feature = "libc-signal-mode", feature = "compile-time-config"))]
compile_error!(
    "`libc-signal-mode` cannot be combined with `compile-time-config` \
     — Class-A safety-critical builds intentionally retain end-to-end \
     kernel-ABI ownership via the inline-asm signal-return trampoline. \
     See book/src/architecture/signal-install.md for the supported \
     feature matrix."
);

// Plaintext UDP beats carry no per-datagram authentication and no replay
// protection, so anyone who can reach the listener can forge beats and keep a
// stalled client looking healthy — exactly the failure a watchdog exists to
// catch.  Class-A builds therefore accept only `secure-udp` for UDP transport.
#[cfg(all(feature = "unsafe-plaintext-udp", feature = "compile-time-config"))]
compile_error!(
    "`unsafe-plaintext-udp` cannot be combined with `compile-time-config` \
     — plaintext UDP has no per-datagram authentication or replay \
     protection, so a network attacker can suppress stall detection by \
     forging beats.  Class-A safety-critical (mission-critical) builds \
     must use `secure-udp` for any UDP transport.  See \
     book/src/architecture/safety-profiles.md for the supported feature \
     matrix."
);
51
52pub mod audit;
53pub mod clock;
54pub mod config;
55pub mod exporter;
56pub mod hw_watchdog;
57pub mod listener;
58pub mod log;
59pub mod log_ratelimit;
60mod nonblock_fd;
61pub mod notify;
62pub mod observer;
63pub mod peer_cred;
64pub mod pid_max;
65pub mod signal_install;
66// When `fuzzing` is on, bounded-collection modules are exposed as
67// public so the `fuzz/` crate can drive them directly through
68// `varta_watch::__fuzz_internals::*`. The names stay namespaced under
69// `__fuzz_internals` so accidental external use is loud.
70#[cfg(all(feature = "prometheus-exporter", not(feature = "fuzzing")))]
71mod ip_state_table;
72#[cfg(not(feature = "fuzzing"))]
73mod outstanding_table;
74#[cfg(not(feature = "fuzzing"))]
75mod probe_table;
76pub mod recovery;
77
78#[cfg(feature = "fuzzing")]
79#[path = "ip_state_table.rs"]
80pub mod ip_state_table;
81#[cfg(feature = "fuzzing")]
82#[path = "outstanding_table.rs"]
83pub mod outstanding_table;
84#[cfg(feature = "fuzzing")]
85#[path = "probe_table.rs"]
86pub mod probe_table;
87
/// Test-only: stable namespace for the fuzz-only re-exports.
///
/// Under the `fuzzing` feature the bounded-collection tables are declared
/// `pub` (the `#[path = "..."]` declarations above) so the `fuzz/` crate can
/// drive them directly. This module gives those re-exports one stable,
/// deliberately awkward name so any non-fuzz use stands out in review.
///
/// Note that `ip_state_table` is exported here even when `prometheus-exporter`
/// is off, whereas its non-fuzzing declaration is gated on that feature.
#[cfg(feature = "fuzzing")]
pub mod __fuzz_internals {
    pub use crate::{ip_state_table, outstanding_table, probe_table};
}
95
/// Test-only: expose the Linux kernel-ABI signal structs and syscall wrapper
/// so integration tests can consume the *real* definitions instead of
/// maintaining parallel duplicates. Gated to `test-hooks` (which CI always
/// enables for the integration-test binary) or `test` cfg.
///
/// Mirrors the `__fuzz_internals` pattern used for bounded-collection modules.
///
/// Absent under `libc-signal-mode`: per the crate-level feature checks, that
/// mode does not use the inline-asm signal-return trampoline these
/// definitions describe, so `signal_install::linux::test_abi` is presumably
/// not built there — confirm against `signal_install`. `#[doc(hidden)]` keeps
/// the glob re-export out of rustdoc but not out of the public API: any
/// build with `test-hooks` enabled can name these items.
#[cfg(all(any(test, feature = "test-hooks"), not(feature = "libc-signal-mode")))]
#[doc(hidden)]
pub mod __test_signal_abi {
    // Only the Linux backend has a `test_abi` module to re-export; on other
    // targets this module is empty.
    #[cfg(target_os = "linux")]
    pub use crate::signal_install::linux::test_abi::*;
}
108pub mod tracker;
109
110#[cfg(feature = "secure-udp")]
111pub mod secure_listener;
112
113pub use clock::{Clock, ClockError, ClockSource};
114pub use config::{Config, ConfigError};
115#[cfg(feature = "prometheus-exporter")]
116pub use exporter::PromExporter;
117pub use exporter::{Exporter, FileExporter};
118pub use listener::{BeatListener, PreThreadAttestation, TransportTrust, UdsListener};
119pub use observer::{Event, Observer};
120pub use peer_cred::BeatOrigin;
121pub use recovery::{Recovery, RecoveryOutcome};
122pub use tracker::{EvictionPolicy, Slot, Tracker, Update};
123
124#[cfg(feature = "unsafe-plaintext-udp")]
125pub use listener::UdpListener;
126
127#[cfg(feature = "secure-udp")]
128pub use secure_listener::SecureUdpListener;