fmf-contract — the machine-readable single source of the engine contract (ADR-0018). The prose canon is docs/ARCHITECTURE.md; this crate is its executable form, and every consumer radiates from here:
app (C#: Engine/Generated/EngineContract.g.cs ← gen-contract)
→ IEngineClient → (fmf-ffi | fmf-service → fmf-proto) → fmf-core → fmf-contract

Allowed contents — constants, #[repr] types, layout assertions, and pure byte conversions. No logic (no I/O, no engine types, no serde): that hard line is what keeps [dependencies] empty, and the empty dependency list is what lets the cdylib and every rlib share one definition instead of pinned copies.
Section map (ARCHITECTURE.md → here):
Modules
- codes
- Status codes — one table shared verbatim by the FFI return values and the pipe frame header (docs/ARCHITECTURE.md error code table).
- counters
- Degradation-counter names — the snake_case keys of MetricsSnapshot.counters in the stats JSON.
- events
- Event kinds — FFI callback FmfEvent.kind and pipe event-push opcodes carry the same values (docs/ARCHITECTURE.md Events section).
- limits
- Contractual bounds (docs/ARCHITECTURE.md). These are protocol facts both sides must agree on, not tunables.
- opcodes
- Pipe opcodes (docs/ARCHITECTURE.md opcode table). Event pushes reuse 1..=6 as the event kind with flags = event — dispatch must branch on the flag before the opcode.
- options
- Wire enumerations of FmfQueryOptions and FmfVolumeStatus.state (docs/ARCHITECTURE.md opcode table).
- pod
- #[repr(C)] POD types shared by the FFI (by layout) and the pipe wire (by explicit little-endian serialization in fmf-proto).
- versions
- Version pins and the pipe name. An incompatible wire change bumps the pipe name itself (-v2), not just a number — see ARCHITECTURE.md.
- volume
- Volume label ⇄ 16-byte field — the one implementation of the contract’s “UTF-8 drive label, zero-padded, not a GUID” rule (used by FmfEvent, FmfVolumeStatus and the pipe event body).