Module workers 

Workers — the I/O-bearing edges around the agent’s pure reducer.

Each worker is spawned by super::spawn with its own super::ShutdownToken and a clone of the reducer’s input mpsc::Sender<ReducerInput>. Workers never call step() — they translate I/O into super::ReducerInput values and let the reducer task do the actual transitions.

Modules

activation

Activation worker. Receives ActivationIntent from the applier, emits LocalActivationStarted to the reducer, drives the rich activation pipeline (crate::activation), and emits LocalActivationCompleted / LocalActivationFailed based on the pipeline’s outcome.

advance_ticker

Periodic timer that emits super::super::ReducerInput::AgentAdvanceTick at a fixed interval. Mirror of the CP runtime’s PlanTick.

cert_renewal

mTLS cert renewal worker. Reads the cert at cfg.client_cert on a timer, computes the remaining-validity fraction, and POSTs /v1/agent/renew when below cfg.renewal_threshold_fraction. The CSR is signed by the host’s SSH ed25519 key (same key as enrollment per RFC-0003 §2), so the renewed cert’s pubkey is unchanged.

heartbeat

Heartbeat worker: every 60s posts to /v1/agent/heartbeat with current_closure + uptime_secs + last_event_seq_by_rollout. Reads CP’s X-Nixfleet-Replay-From response header; on drift the intent is to walk the durable outbound queue from that seq and re-POST the missed events.

longpoll

Long-poll worker: holds an open GET /v1/agent/dispatch?wait=60 against the CP. On a 200 with a Dispatch body, fetches + verifies the rollout manifest via the disk-backed ManifestCache, asserts the dispatched target_closure matches the manifest’s declaration for this host (RFC-0005 §4.1 advisory-payload contract), then emits LocalActivate into the reducer.

manifest_poll

Periodic agent-side manifest poll. Mirrors CP’s runtime::workers::manifest_poll: every 30s the worker fetches /v1/fleet.resolved + each channel’s /v1/rollouts/{id} from CP, verifies signatures + cross-checks each rollout’s fleet_resolved_hash against the canonical hash of the just-fetched fleet, then emits ReducerInput::ManifestSetUpdated so the reducer’s cached SignedManifestSet reflects the current fleet snapshot.

outbound

Outbound queue drainer. Periodically scans {state_dir}/outbound-queue/ and POSTs each pending event to /v1/agent/events, deleting on success. Acts as the network-side companion to the applier’s LocalEmitEvent writes.

probe

Probe worker (RFC-0007 §8). On each LocalResetProbeCache:

probe_runners

Per-kind probe runners (RFC-0007 §3.1). Each runner consumes a ProbeDecl + returns a RunnerOutcome. Uniform strict-mode semantics: any runtime error → ProbeStatus::Fail with a failure_reason string. Per RFC-0007 §6 there is no Unknown or “swallowed error” class.