Module reducer 

Reducer task body: the single mutator of CP-mirror state.

Owns the cached SignedManifestSet, the per-channel quarantine set, and (transiently) the per-rollout HostRolloutState map it loads from the DB. Calls into nixfleet_state_machine::step on every HostEvent input, nixfleet_reconciler::plan_next on ManifestSetUpdated / PlanTick, and the applier (apply_plan_action/apply_effect) for every output.

Invariant 1 from runtime::mod: this is the only place that calls step() or plan_next(). Workers and HTTP route handlers emit ReducerInput values; the applier executes the produced effects.

Structs

ReducerState 🔒

Reducer-task-private state. The DB-backed CP-mirror lives in host_rollout_records; this struct holds only the data the reducer can’t or shouldn’t go back to SQLite for on every input.

ShutdownGuard 🔒

RAII container for per-worker shutdown senders. Holding it in scope ensures workers receive shutdown signal exactly when this task exits.

Constants

PLAN_TICK_INTERVAL 🔒

Safety-net replan cadence. Triggers plan_next even when no event arrives — covers manifest_poll crashes mid-cycle, missed kicks, etc.

Functions

advance_current_waves 🔒

Promote each rollout’s current_wave when every host in the current wave has reached HostState::Converged. The check reads the host list from the verified manifest’s fleet.waves[channel][current_wave] — the same path the wave_promotion gate uses for host_wave, so the bump and the gate stay in lock-step.

build_bootstrap_for_host 🔒

Scan active records for host and produce a HostRolloutSnapshot per record. Called only on boot-recovery-shaped heartbeats (rollout_id=None). Order is deterministic by (rollout_id, hostname) PK in SQL; the agent applies them in arrival order.

build_fleet_state 🔒

Build a fresh FleetState from the DB. Called on every plan tick; at v0.2 scale (≤256 hosts, ≤8 active rollouts) the SELECTs are negligible.

compute_replay_from 🔒

evaluate_synth_gates 🔒

Run the dispatch-gate evaluation against a Pending HRR record so maybe_synthesize_recovery_completion can refuse to fast-forward Pending → Converged when an active gate (channel-edges, wave-promotion, quarantine, etc.) would still hold the host.

handle_heartbeat 🔒

handle_host_event 🔒

handle_input 🔒

host_rollout_state_to_snapshot 🔒

maybe_synthesize_recovery_completion 🔒

Scan active host_rollout_records for host; for each record whose observed closure on the wire identifies a missed transition, synthesize the event chain that advances the row to a state consistent with the agent’s reality. Idempotent: if the state has already advanced (e.g. concurrent agent emit), the record won’t match and the synthesis is a no-op.

resolve_policy 🔒

run 🔒

run_plan 🔒

synthesize_pending_to_converged 🔒

Drive a Pending HRR row through the full lifecycle to Converged when the agent reports current_closure == target. The chain preserves the event-log audit trail (RFC-0004 §1): every transition emits its usual RemoteAppendEventLog effect flagged with the synthesis context via the seq ordering relative to the pre-synthesis last_event_seq.