Module db 

SQLite persistence: rusqlite + refinery, WAL + FK, single Mutex<Connection>.

Re-exports

pub use tokens::RecordTokenOutcome;

Modules

allowed_nonces

In-memory view of the signed bootstrap-nonces allowlist. Lives in AppState behind a RwLock so the polling task replaces it wholesale per successful verify; readers (enrolment handler) take a read lock and look up by nonce.

dispatch_queue

Pending Dispatch payloads awaiting agent long-poll (RFC-0005 §4.1 + plan 06).

embedded 🔒

event_log

Append-only canonical event log (RFC-0005 §4.3 + the broader log pattern: PlanActions, Effects, gate decisions, verifications, manifest polls all land here too).

host_rollout_records

Persistence for nixfleet_state_machine::HostRolloutState.

probe_failures

Per-(rollout, host) typed denormalization of enforce-mode probe failures. Source of truth is event_log (canonical, append-only); this table is a derived projection providing the indexed columns the compliance-wave gate needs cheaply.

quarantined_closures

Quarantined-closures derived view (RFC-0008 §6.4). Append-only: one row per RollbackComplete event (RFC-0005 §4.2). The applier is the sole writer; the triggering_event_log_seq FK proves the table is re-derivable from event_log (walk RollbackComplete events, group by (channel, target_closure_hash), write one row per group).

revocations

Agent-cert revocation list (hard state); replayed each tick from signed sidecar.

rollouts

Rollouts derived-view table (RFC-0008 §6.3). The applier is the sole writer; every state-mutating method takes an event_log_seq: Option<i64> so the row’s last_transition_event_log_seq FK can be populated.

tokens

Bootstrap-token nonces (soft state); loss bounded by one TTL.

Structs

Db

Functions

lock_conn 🔒

Surfaces mutex poisoning as anyhow rather than panic.

read 🔒

Lock + read. Closure receives a borrowed Connection; lock is held for the closure’s duration.

txn 🔒

Lock + open txn + run closure + commit. label shapes the begin/commit error context. Closure errors abort the txn.