nixfleet-reconciler

Role. Pure-function rollout reconciler and sidecar verification layer. Stateless: takes (FleetResolved, Observed, now) and returns a deterministic list of Actions. The control plane wraps it in an Axum server and a SQLite-backed Observed; the agent uses the verify half independently. Carries the “given fleet intent X and observed state Y, exactly what must happen next?” decision contract. No I/O, no clock except the now argument, no randomness - which means every action is auditable from inputs alone.

Key types. Action (the enum of decisions: OpenRollout, Dispatch, Skip, Promote, RotateTrustRoot, …), Observed (snapshot from the CP: channel refs, host state, active rollouts, deferrals, host-probes), Rollout (one open rollout’s view), the planner gates registry (channel_edges, wave_promotion, host_edges, disruption_budget, compliance_wave, quarantine). verify::SignedSidecar and verify::VerifyError cover signature failure modes that the auditor binary reports verbatim. The per-host and per-rollout state-machine reducers live in nixfleet-state-machine; this crate consumes their state via Observed but does not own them.

Surface. Library only, no binary. Public entry points: reconcile(&FleetResolved, &Observed, now) -> Vec<Action> (the canonical decision procedure - RFC-0002), topological_channel_order(...), verify_artifact / verify_rollout_manifest / verify_revocations / verify_signed_sidecar (signature verification with freshness-window enforcement - RFC-0011), compute_canonical_hash, compute_rollout_id_for_channel (canonical {channel}@{channel_ref} identifier per RFC-0008 §6.3), check_trust_rotations (emits RotateTrustRoot actions when a slot’s retire_at has passed and a successor exists), project_manifest (FleetResolved -> per-channel RolloutManifest projection).
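As an added illustration of the "no clock except the now argument" contract, not code from the nixfleet-reconciler crate: a simplified check_trust_rotations whose slot shape (TrustSlot with id, retire_at, successor) and Action variant fields are assumptions, and which treats retire_at <= now as "has passed" and requires the named successor to be present in the slot set.

```rust
use std::collections::BTreeSet;

/// One trust-root slot as this example assumes it (constructed shape, not the crate's type).
#[derive(Debug, Clone)]
pub struct TrustSlot {
    pub id: String,
    /// Unix seconds after which this slot should no longer serve as trust root.
    pub retire_at: u64,
    /// Id of the slot provisioned to take over, if any.
    pub successor: Option<String>,
}

/// Only the variant this example needs; the real enum carries many more decisions.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Action {
    RotateTrustRoot { from: String, to: String },
}

/// Pure decision: no I/O, no wall clock, no randomness. Emits RotateTrustRoot for
/// every slot whose retire_at has passed (assumed inclusive: retire_at <= now) and
/// whose successor actually exists in the slot set and is not the slot itself.
/// The result is sorted by slot id so identical inputs always give an identical
/// action list, whatever order the observed snapshot listed the slots in.
pub fn check_trust_rotations(slots: &[TrustSlot], now: u64) -> Vec<Action> {
    let known: BTreeSet<&str> = slots.iter().map(|s| s.id.as_str()).collect();
    let mut due: Vec<&TrustSlot> = slots
        .iter()
        .filter(|s| s.retire_at <= now)
        .filter(|s| {
            s.successor
                .as_deref()
                .map_or(false, |succ| known.contains(succ) && succ != s.id)
        })
        .collect();
    due.sort_by(|a, b| a.id.cmp(&b.id));
    due.into_iter()
        .map(|s| Action::RotateTrustRoot {
            from: s.id.clone(),
            to: s.successor.clone().expect("successor presence checked above"),
        })
        .collect()
}
```

Because the only time source is the argument, replaying the same Observed snapshot with the same now reproduces the same actions, which is what makes each RotateTrustRoot auditable from its inputs.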

Links.