Module applier


Imperative shell for the pure planner + reducer (RFC-0006 §7.2).

Two entrypoints:

  • apply_plan_action executes one PlanAction emitted by nixfleet_reconciler::plan_next. Side effects: DB writes (open rollout, queue dispatch, mark terminal, record gate decision), event_log appends.

  • apply_effect executes one Effect emitted by nixfleet_state_machine::step. The CP applier handles the Remote* variants + the three shared variants. Local* variants are agent-only and reaching the CP applier indicates a code defect — the applier logs and drops them rather than panicking, so a malformed event from a broken peer cannot crash the runtime.

Both entrypoints are async because they touch the DB pool. They must not call step() or plan_next() themselves — only the reducer task does that, per the one-MPSC-one-mutator invariant in runtime::mod.

Error policy: per-action errors are logged and swallowed. A single bad DB write must not poison the reducer task; the next plan_next() tick re-emits the same action if its preconditions still hold (the planner is pure and has no knowledge of the applier’s failure history).

Event-log routing: every event_log append goes through the bounded MPSC to the super::event_log_writer task. The applier never calls Db::event_log().append() directly — that keeps SQLite latency out of the reducer’s critical section and surfaces writer hiccups as backpressure on the reducer’s input.
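The no-fail-open behaviour of the bounded event-log channel, shown as an added example that is not nixfleet's own code. It assumes `std::sync::mpsc::sync_channel` and threads as stand-ins for the async bounded MPSC and tasks; `Entry`, `spawn_writer`, `run_fail_open` and `run_blocking` are hypothetical names.

```rust
use std::sync::mpsc::{sync_channel, Receiver, TrySendError};
use std::thread::{self, JoinHandle};
use std::time::Duration;

/// Constructed stand-in for one event_log entry.
struct Entry(u32);

/// Writer task: drains the channel, with a sleep standing in for SQLite latency.
fn spawn_writer(rx: Receiver<Entry>) -> JoinHandle<Vec<u32>> {
    thread::spawn(move || {
        let mut persisted = Vec::new();
        for Entry(id) in rx {
            thread::sleep(Duration::from_millis(1));
            persisted.push(id);
        }
        persisted
    })
}

/// Fail-open (what the contract rules out): drop on a full channel.
/// The writer is stalled for the whole burst. Returns (persisted, dropped).
fn run_fail_open(n: u32, cap: usize) -> (usize, usize) {
    let (tx, rx) = sync_channel(cap);
    let mut dropped = 0;
    for id in 0..n {
        match tx.try_send(Entry(id)) {
            Ok(()) => {}
            Err(TrySendError::Full(_)) => dropped += 1, // audit entry silently lost
            Err(TrySendError::Disconnected(_)) => panic!("writer gone"),
        }
    }
    drop(tx); // close the channel so the writer's loop ends
    (spawn_writer(rx).join().unwrap().len(), dropped)
}

/// No-fail-open: a full channel blocks the producer until the writer frees a slot.
fn run_blocking(n: u32, cap: usize) -> Vec<u32> {
    let (tx, rx) = sync_channel(cap);
    let writer = spawn_writer(rx);
    for id in 0..n {
        tx.send(Entry(id)).expect("writer gone"); // blocks while the channel is full
    }
    drop(tx);
    writer.join().unwrap()
}

fn main() {
    println!("fail-open (persisted, dropped): {:?}", run_fail_open(50, 4));
    println!("blocking persisted: {}", run_blocking(50, 4).len());
}
```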

Structs

ApplierCtx
Per-call context. Bundles the four borrows every applier path needs so individual handlers stay readable without a parameter pyramid.

Functions

append_event_log 🔒
Send an entry to the bounded MPSC drained by super::event_log_writer. Backpressure (full channel) blocks the caller via await — that’s the desired propagation per the audit-log no-fail-open contract.
append_rollout_event 🔒
Write a bare rollout_event entry to event_log without going through the reducer. Used for RolloutOpened (creation marker; reducer has nothing to validate) and for any out-of-band rollout-level signal.
apply_effect
Execute one Effect emitted by nixfleet_state_machine::step.
apply_plan_action
Execute one PlanAction. Errors are logged and swallowed: a single bad DB write must not poison the reducer task. The next plan_next() tick will re-emit the same action if its preconditions still hold.
apply_rollout_effect 🔒
defer_dispatch 🔒
effect_kind 🔒
host_state_str 🔒
open_one_rollout_record 🔒
open_rollout 🔒
outbound_event_to_json 🔒
Convert an OutboundAgentEvent to its event_log JSON payload. Schema is the wire-side RFC-0005 §4.2 shape (camelCase). Hand-written because the state-machine crate keeps its types serde-derive-free for now; if Phase 7/8 adds Serialize we collapse this into a single serde_json::to_value.
probe_mode_str 🔒
probe_status_str 🔒
process_rollout_event 🔒
Step the rollout reducer with the given event and apply its effects.
queue_dispatch 🔒
record_halt_lifted 🔒
rollout_event_rollout_id 🔒
rollout_event_to_json 🔒