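/// Shared server state read by the route handlers, the readiness middleware
/// and the background poll tasks.
///
/// Several fields gate security-relevant behaviour: certificate issuance
/// (`ca_signer`, `agent_cert_validity`), enrollment (`allowed_nonces`) and
/// readiness (`*_primed` / `*_required`).
pub struct AppState {
    pub last_tick_at: RwLock<Option<DateTime<Utc>>>,
    pub issuance_paths: RwLock<IssuancePaths>,
    /// CA signing backend, built once at server start from `ServeArgs`:
    /// `TpmCaSigner` if the TPM flags are set, `FileCaSigner` otherwise.
    /// `None` if no CA flags were supplied, in which case enroll/renew
    /// return 500. The trait object keeps the enroll and renew handlers
    /// agnostic to the signing backend.
    pub ca_signer: RwLock<Option<Arc<dyn CaSigner>>>,
    pub db: Option<Arc<Db>>,
    pub closure_upstream: Option<ClosureUpstream>,
    /// Snapshot populated by the channel-refs poll (or the build-time prime)
    /// once an artifact has been verified; see `artifact_primed`.
    pub verified_fleet: Arc<RwLock<Option<VerifiedFleetSnapshot>>>,
    /// Wake signal for `GET /v1/agent/dispatch` long-pollers. The applier
    /// sends `()` after every `dispatch_queue.upsert`; each parked long-poll
    /// wakes and re-checks its own host's row.
    pub dispatch_kick: Sender<()>,
    pub confirm_deadline_secs: i64,
    pub rollouts_dir: Option<PathBuf>,
    pub rollouts_source: Option<RolloutsSource>,
    /// Forge URLs plus trust path used by the `manifest_poll` worker to
    /// refresh the runtime's `SignedManifestSet` cache. Mirrors the legacy
    /// `channel_refs_poll` config during the 7a → 7c transition.
    pub channel_refs_source: Option<ChannelRefsSource>,
    // NOTE(review): no field documentation is available for `strict`;
    // document what is enforced when it is true and what is relaxed when
    // it is false.
    pub strict: bool,
    /// See `ServeArgs::agent_cn_suffix`. Captured here so the enroll/renew
    /// handlers can canonicalise CNs without going through `issuance_paths`.
    pub agent_cn_suffix: String,
    /// Validity duration baked into agent certs at enroll and renew.
    /// Defaults to `AGENT_CERT_VALIDITY` (30 days); overridable via
    /// `--agent-cert-validity-secs` for short-cycle hardware testing.
    // NOTE(review): no bound on the override is visible here; confirm the
    // flag is range-checked so a test-only value cannot silently become
    // the production cert lifetime.
    pub agent_cert_validity: Duration,
    /// Set to `true` once `verified_fleet` holds a freshly verified
    /// snapshot. Stays `false` indefinitely when neither prime path yields
    /// a verifiable artifact. Read by the `require_ready` middleware, which
    /// gates `/v1/*` with 503 until it is set.
    pub artifact_primed: Arc<AtomicBool>,
    /// Set to `true` once the revocations poll has applied a verified list
    /// at least once. Only consulted when `revocations_required` is `true`.
    pub revocations_primed: Arc<AtomicBool>,
    /// `true` iff `--revocations-{artifact,signature}-url` were both set at
    /// startup. Captured here so the readiness check stays pure.
    // NOTE(review): with only one of the two URLs set this is `false` and
    // readiness ignores `revocations_primed`; confirm startup rejects (or
    // at least logs) a half-configured pair rather than serving without a
    // revocation list.
    pub revocations_required: bool,
    /// In-memory bootstrap-nonces allowlist. Replaced wholesale by the
    /// `bootstrap_nonces_poll` task on each successful verify; read by the
    /// `/v1/enroll` handler under a read-lock.
    // NOTE(review): confirm how `/v1/enroll` treats a view that has never
    // been replaced by a verified allowlist.
    pub allowed_nonces: Arc<RwLock<AllowedNoncesView>>,
    /// Set to `true` once the bootstrap-nonces poll has applied a verified
    /// allowlist at least once. Only consulted when
    /// `bootstrap_nonces_required` is `true`.
    pub bootstrap_nonces_primed: Arc<AtomicBool>,
    /// `true` iff `--bootstrap-nonces-{artifact,signature}-url` were both
    /// set at startup. Captured here so the readiness check stays pure.
    // NOTE(review): same half-configured case as `revocations_required`:
    // one URL without the other leaves this `false`.
    pub bootstrap_nonces_required: bool,
    /// Reducer-task input channel sender. Populated by `serve()` once
    /// `runtime::spawn` returns; the `/v1/agent/{events,heartbeat,dispatch}`
    /// handlers use it to push `ReducerInput` values to the reducer. While
    /// unset, those routes answer 503 (narrow startup window only).
    pub runtime_input_tx: OnceLock<Sender<ReducerInput>>,
    /// Cloneable sender on the bounded `event_log` writer channel, with the
    /// same lifecycle as `runtime_input_tx`. Routes use it for inbound-event
    /// audit-log appends that need immediate persistence instead of going
    /// through the reducer's applier.
    pub runtime_event_log_tx: OnceLock<EventLogTx>,
}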
`last_tick_at: RwLock<Option<DateTime<Utc>>>`

`issuance_paths: RwLock<IssuancePaths>`

`ca_signer: RwLock<Option<Arc<dyn CaSigner>>>`
Built once at server start from `ServeArgs` — `TpmCaSigner` if the TPM flags are set, `FileCaSigner` otherwise, `None` if no CA flags are supplied (enroll/renew return 500). `dyn` lets the enroll and renew handlers stay agnostic to the signing backend.
`db: Option<Arc<Db>>`

`closure_upstream: Option<ClosureUpstream>`

`verified_fleet: Arc<RwLock<Option<VerifiedFleetSnapshot>>>`

`dispatch_kick: Sender<()>`
Wake signal for `GET /v1/agent/dispatch` long-pollers. The applier (via `apply_plan_action::QueueDispatch` / `apply_effect::RemoteQueueDispatch`) sends `()` after every `dispatch_queue.upsert`. Every parked long-poll wakes and re-checks its own host’s row; false wakes are negligible — `peek_for_host` is a single `COUNT(*)` against a covered index.
`confirm_deadline_secs: i64`

`rollouts_dir: Option<PathBuf>`

`rollouts_source: Option<RolloutsSource>`

`channel_refs_source: Option<ChannelRefsSource>`
Forge URLs + trust path the `manifest_poll` worker uses to refresh the runtime’s `SignedManifestSet` cache. Mirrors the legacy `channel_refs_poll` config so the two pollers can read identical inputs during the 7a → 7c transition (the legacy poller dies in 7c once the new runtime is end-to-end-verified).
`strict: bool`

`agent_cn_suffix: String`
See `ServeArgs::agent_cn_suffix`. Captured into `AppState` so the enroll/renew handlers can canonicalise CNs without going through `issuance_paths`.
`agent_cert_validity: Duration`
Validity duration baked into agent certs at enroll + renew. Default `AGENT_CERT_VALIDITY` (30 days); operators can override via `--agent-cert-validity-secs` for short-cycle hardware testing.
`artifact_primed: Arc<AtomicBool>`
Set to `true` once the channel-refs poll (or build-time prime) has populated `verified_fleet` with a freshly-verified snapshot. Stays `false` indefinitely when neither prime path produces a verifiable artifact (operator must provision `artifact_path` or configure `channel_refs.artifact_url`). Read by the `require_ready` middleware to gate `/v1/*` with 503 until set.
`revocations_primed: Arc<AtomicBool>`
Set to `true` once the revocations poll has applied a verified list at least once. Only consulted when `revocations_required` is `true`; otherwise the readiness check ignores this flag.
`revocations_required: bool`
`true` iff `--revocations-{artifact,signature}-url` were both set at startup. Captured into `AppState` so the readiness check stays pure (no need to thread `ServeArgs` into middleware).
`allowed_nonces: Arc<RwLock<AllowedNoncesView>>`
In-memory bootstrap-nonces allowlist. Replaced wholesale by the `bootstrap_nonces_poll` task per successful verify. Read by the `/v1/enroll` handler under a read-lock.
`bootstrap_nonces_primed: Arc<AtomicBool>`
Set to `true` once the bootstrap-nonces poll has applied a verified allowlist at least once. Only consulted when `bootstrap_nonces_required` is `true`.
`bootstrap_nonces_required: bool`
`true` iff `--bootstrap-nonces-{artifact,signature}-url` were both set at startup. Captured into `AppState` so the readiness check stays pure (no need to thread `ServeArgs` into middleware).
`runtime_input_tx: OnceLock<Sender<ReducerInput>>`
Reducer-task input channel sender. Populated by `serve()` once `runtime::spawn` returns; the new `/v1/agent/{events,heartbeat,dispatch}` route handlers read it to push `ReducerInput` values to the reducer without blocking on `AppState` locks. `None` ⇒ 503 (runtime not yet spun up — only observable in a narrow startup window before `serve()` wires it).
`runtime_event_log_tx: OnceLock<EventLogTx>`
Cloneable sender on the bounded `event_log` writer channel. Same lifecycle as `runtime_input_tx`. Routes use this for inbound-event audit-log appends when they want immediate persistence (instead of routing through the reducer’s applier).