Crate nixfleet_proto

Boundary-contract types. Optional fields serialize null (not omitted) to match the Nix evaluator’s shape so JCS bytes round-trip identically.

Re-exports

pub use agent_event::AgentEvent;
pub use agent_event::AgentEventEnvelope;
pub use agent_event::OnHealthFailureWire;
pub use agent_event::ProbeModeWire;
pub use agent_event::ProbeStatusWire;
pub use agent_event::ProbeSubResultWire;
pub use agent_event::ProbeTopologyEntryWire;
pub use bootstrap_nonces::BootstrapNonceEntry;
pub use bootstrap_nonces::BootstrapNonces;
pub use clock::Clock;
pub use clock::ClockHandle;
pub use clock::FakeClock;
pub use clock::SystemClock;
pub use fleet_resolved::Channel;
pub use fleet_resolved::ChannelEdge;
pub use fleet_resolved::DisruptionBudget;
pub use fleet_resolved::Edge;
pub use fleet_resolved::FleetResolved;
pub use fleet_resolved::HealthGate;
pub use fleet_resolved::Host;
pub use fleet_resolved::Meta;
pub use fleet_resolved::OnHealthFailure;
pub use fleet_resolved::Pin;
pub use fleet_resolved::PolicyWave;
pub use fleet_resolved::RolloutPolicy;
pub use fleet_resolved::STRATEGY_ALL_AT_ONCE;
pub use fleet_resolved::Selector;
pub use fleet_resolved::SystemdFailedUnits;
pub use fleet_resolved::Wave;
pub use fleet_resolved::normalize_rollout_policies;
pub use fleet_view::HostStatusEntry;
pub use fleet_view::HostsResponse;
pub use fleet_view::RolloutEventEntry;
pub use fleet_view::RolloutEvents;
pub use fleet_view::RolloutHostEntry;
pub use fleet_view::RolloutHosts;
pub use host_rollout_state::HostRolloutState;
pub use revocations::RevocationEntry;
pub use revocations::Revocations;
pub use rollout_manifest::HostWave;
pub use rollout_manifest::RolloutBudget;
pub use rollout_manifest::RolloutManifest;
pub use trust::KeySlot;
pub use trust::TrustConfig;
pub use trust::TrustedPubkey;

Modules

agent_event
Wire-format types for POST /v1/agent/events (RFC-0005 §4.2).
agent_wire
Agent ↔ control-plane wire types. LOADBEARING: within a major version, additions must be backwards-compatible (older consumers serde-ignore unknown fields); bump PROTOCOL_MAJOR_VERSION for any breaking change.
bootstrap_nonces
bootstrap-nonces.json - signed sidecar declaring valid bootstrap-token nonces. Same trust class as fleet.resolved.json and revocations.json (signed by ciReleaseKey).
clock
Clock abstraction.
enroll_wire
Bootstrap token + enrollment + renewal wire types. Tokens carry a detached ed25519 signature over JCS-canonical claims, verified against orgRootKey.current from trust.json.
evidence
Consumer-side typed view of the evidence.json wire format produced by compliance-evidence-collector.service.
evidence_signing
Shared signing-payload shapes for host event-stream payloads. Adding a field invalidates existing signatures - bump signing version.
fleet_resolved
fleet.resolved.json types. Produced by CI’s Nix eval, consumed by CP and (fallback path) agents; JCS bytes must round-trip identically across Nix + Rust.
fleet_view
Read-model views served by CP for operator-facing consumers (/v1/hosts, CLI, metrics exporter). Outstanding-event counts apply resolution-by-replacement (events from older rollouts are considered resolved).
host_key
Host SSH key primitives shared by agent enrollment, CP enroll/renew, and mint_token. Kept pure-rust (no ssh-key dep) so the boundary-contract crate stays lean - the canonical bridge from “OpenSSH host key bytes on disk” to “rcgen-usable keypair” and bootstrap-token fingerprints.
host_rollout_state
Wire-side per-host rollout state. Mirrors RFC-0005 §3’s 6-state machine.
revocations
revocations.json - signed agent-cert revocation sidecar. Same trust class as fleet.resolved.json (signed by ciReleaseKey).
rollout_manifest
Signed per-channel rollout manifest (releases/rollouts/<rolloutId>.json). LOADBEARING: per RFC-0008 §6.3, rolloutId is the canonical semantic identifier RolloutId::new(&m.channel, &m.channel_ref) (i.e. "{channel}@{channel_ref}"), not a content hash. Verifiers MUST (1) cryptographically verify the signed sidecar via verify_rollout_manifest, then (2) discriminate the parsed manifest’s reconstructed RolloutId against the advertised identifier they requested. Authenticity comes from the signature; identity-substitution defense comes from the parsed-id equality check. Both checks together replace the prior content-addressed sha256(bytes) == rolloutId tautology, which has no anchor under the semantic identifier.
trust
Trust root declarations. LOADBEARING: algorithm is a property of the key, not the artifact - artifacts MUST NOT carry their own algorithm claim, or an attacker could downgrade by lying about which algo signed the bytes.

Structs

RolloutId
Content-addressed rollout identifier (RFC-0008 §6.3).

Type Aliases

ChannelRef
A signed channel ref (typically a closure hash or a tagged ref name). Shared between reconciler (PlanAction::OpenRollout.target_ref) and state-machine (RolloutEvent::RolloutOpened.target_ref); lives in proto so both pure crates can depend on it without cross-edges (RFC-0008 §7).