402 KiB
Architecture Migration Progress
Status values: [ ] not started, [~] in progress, [x] complete, [!] blocked.
Current Context
- Issue:
rustfs/backlog#660 - Branch:
overtrue/arch-iam-global-read-batch - Baseline: completed
C-011/C-012/C-013/API-055/API-059/API-079/API-080/API-081/API-082/API-083/API-084/API-085/API-086/API-087/API-088/API-089/API-090/API-091/API-092/API-093/API-094/API-095/API-096/API-097/API-098/API-099/API-100/API-101/API-102/API-103/API-104/API-105/API-106/API-107/API-108/API-109/API-110/API-111/API-112/API-113/API-114/API-115/API-116/API-117/API-118/API-119/API-120/API-121/API-122/API-123/API-124/API-125/API-126/API-127/API-128/API-129/API-130/API-131/API-132/API-133/API-134/API-135/API-136/API-137/API-138/API-139/API-140/API-141/API-142/API-143/API-144/API-145/API-146/API-147/API-148/API-149/API-150/API-151/API-152/API-153/API-154/API-155/API-156/API-157/API-158/API-159/API-160/API-161/API-162/API-163/API-164/API-165/API-166/API-167/API-168/API-169/API-170/API-171/API-172/API-173/API-174/API-175/API-176/API-177/API-178. - Based on: API-171 through API-177 prepared in PR #3785; this branch batches the next IAM consumer migration on top of that branch.
- PR type for this branch:
consumer-migration - Runtime behavior changes: none.
- Rust code changes: route replication pool, outbound TLS generation, runtime region, KMS encryption service, runtime support handles, S3 Select DB, internode RPC metrics, and IAM authorization/handler reads through AppContext-first resolvers.
- CI/script changes: lock completed owner and test/fuzz boundaries against bare/glob imports, scattered raw ECStore facade subpaths, and startup runtime/root-server/table/S3/app shared/app bucket/app ECStore/admin facade regressions, plus external runtime, test, fuzz, and storage-owner module ECStore compatibility bypasses, plus runtime crate, owner crate, test/fuzz, and storage owner thin bridge regressions, plus app context and notify event-bridge thin module regressions; accept the reviewed AppContext resolver reverse dependencies in the layer baseline.
- Docs changes: record the API-136 through API-178 owner facade cleanup.
Phase 0 Tasks
G-001Refreshmainand record baseline.- Acceptance: baseline commit, title, and branch are recorded.
- Verification:
git fetch upstream main --prune;git rev-parse upstream/main.
G-002Create migration tracking checklist.- Acceptance: this file records task state, context, verification, and handoff.
G-003Classify PR types.- Acceptance:
crate-boundaries.mdlists exactly one allowed PR type per PR.
- Acceptance:
G-004Define re-export and wrapper policy.- Acceptance: temporary compatibility code must use
RUSTFS_COMPAT_TODO.
- Acceptance: temporary compatibility code must use
G-005Add dependency direction guard.- Acceptance:
./scripts/check_layer_dependencies.shpasses on currentupstream/mainwhile still rejecting new unaccepted layer dependencies.
- Acceptance:
G-006Create migration loss-prevention checks.- Completed slices: add a mechanical admin route matrix guard from
admin-route-action-snapshot.mdandrustfs/src/admin/route_registration_test.rs; add migration rules for public storage-api re-export coverage, ECStore compatibility-test coverage, and a production-source guard against reintroducing the removedStorageAPIaggregate facade identifier; add a source guard that rejects directrustfs_ecstoreimports outside compatibility boundary modules; add a guard that rejects production compatibility boundaries hiding unused ECStore re-exports. - Acceptance: architecture migration rules fail if the public storage-api contract re-export surface drifts or if ECStore compile-time compatibility tests for the remaining storage-admin and namespace-lock contracts are removed.
- Completed slices: add a mechanical admin route matrix guard from
G-007Create startup timeline table.- Acceptance:
startup-timeline.mdrecords current binary startup order, side effects, fatal boundaries, and readiness stages.
- Acceptance:
G-008Capture admin route-action snapshot.- Acceptance:
admin-route-action-snapshot.mdrecords current route families, handler ownership, authorization actions, public exceptions, table-catalog routes, and/minio/admincompatibility alias behavior.
- Acceptance:
G-009Enforce pre-push three-expert review.- Acceptance:
crate-boundaries.mdrequires quality/architecture, migration-preservation, and testing/verification review before push.
- Acceptance:
G-010Inventoryecstore::config::{Config, KV, KVS}consumers.- Acceptance:
ecstore-config-consumer-inventory.mdrecords the current model definitions, global accessors, persistence helpers, consumer groups, migration risks, and do-not-change contract.
- Acceptance:
G-011Inventory scheduler baseline.- Acceptance:
scheduler-baseline.mdrecords current owners for request admission, reusable scheduler/backpressure facades, workers, scanner budget, heal admission, and the Tokio runtime builder. - Must preserve: no Rust source changes, no scheduler/controller contract changes, and no runtime behavior changes.
- Acceptance:
C-011-POLICYBridge storage concurrency policies.- Completed slice: add explicit projections from storage object backpressure
and request hang/deadlock policies into the shared
rustfs-concurrencyfacade and reusablerustfs-io-coreconfigs. - Acceptance: storage keeps existing env/default ownership and runtime behavior, while later controller/read-only status work can consume the shared facade policy shape instead of duplicating field mapping.
- Must preserve: no worker start/stop, no object pipe state-machine change, no deadlock detector lifecycle change, no metrics label change, and no S3 I/O behavior change.
- Verification: storage backpressure/deadlock policy tests, compile coverage, formatting, diff hygiene, risk scan, architecture guard, pre-commit quality gate, and three-expert review.
- Completed slice: add explicit projections from storage object backpressure
and request hang/deadlock policies into the shared
C-012-POLICYConsume storage concurrency policy bridges.- Completed slice: route object backpressure threshold derivation and request
hang/deadlock runtime policy reads through the shared
rustfs-concurrencyfacade policies. - Acceptance: storage keeps env/default ownership and local state machines, while threshold and hang-policy consumption is anchored on the shared concurrency policy shapes.
- Must preserve: no worker start/stop, no object pipe state-machine change, no deadlock detector lifecycle change, no metrics label change, and no S3 I/O behavior change.
- Verification: storage backpressure/deadlock consumer tests, compile coverage, formatting, diff hygiene, risk scan, architecture guard, pre-commit quality gate, and three-expert review.
- Completed slice: route object backpressure threshold derivation and request
hang/deadlock runtime policy reads through the shared
C-013-ADMISSIONCompose workload admission providers.- Completed slice: add workload admission registry overlay support, compose the RustFS workload admission provider from the storage concurrency provider plus RustFS runtime owner snapshots, and guard the composition boundary.
- Acceptance: foreground-read admission remains owned by the storage concurrency provider, RustFS runtime owner snapshots overlay metadata, scanner, repair, replication, and foreground-write status, and later controller/status work can consume one provider-composed registry.
- Must preserve: disk-read semaphore acquisition, scanner activity counter, heal task/queue counters, replication worker/queue stats, metadata runtime initialization checks, object write paths, and queue behavior.
- Verification: workload contract tests, RustFS workload admission tests, compile coverage, formatting, diff hygiene, risk scan, architecture guard, pre-commit quality gate, and three-expert review.
API-079Prune root runtime bucket compatibility modules.- Completed slice: collapse RustFS root
storage_compat.rsbucket metadata/quota module passthroughs into explicit notification-config, table-catalog metadata, and quota-error aliases, and guard the boundary against broad module restores. - Acceptance: root runtime consumers use direct compatibility aliases for bucket notification loading, table-catalog metadata checks, and quota error mapping, while app/admin/storage owner-local compatibility modules keep their narrower module paths until their own cleanup slices.
- Must preserve: bucket notification loading, notifier event registration, table-bucket mutation guards, quota error to S3 error mapping, ECStore bucket metadata ownership, and all app/admin/storage compatibility paths.
- Verification: RustFS compile coverage, formatting, diff hygiene, risk scan, architecture guard, pre-commit quality gate, and three-expert review.
- Completed slice: collapse RustFS root
API-080Prune root runtime config and disk compatibility aliases.- Completed slice: replace root config
compassthroughs with explicit config read/write aliases for module switches, expose ECStore config initialization asinit_ecstore_config, split disk endpoint access into an explicitEndpointalias, and guard these root aliases against broad module restores. - Acceptance: startup storage initializes ECStore config through a direct compatibility alias, module switch persistence uses direct config IO aliases, root runtime disk endpoint consumers keep the same endpoint type, and app/admin/storage local compatibility modules remain unchanged for their own cleanup slices.
- Must preserve: startup storage initialization order, global config migration/retry behavior, module switch persistence semantics, endpoint parsing/layout behavior, local disk and lock-client initialization, readiness marking, and all app/admin/storage compatibility paths.
- Verification: RustFS compile coverage, formatting, diff hygiene, risk scan, architecture guard, pre-commit quality gate, and three-expert review.
- Completed slice: replace root config
API-081Prune admin config compatibility aliases.- Completed slice: replace admin config
comandinitpassthroughs with explicit aliases for config object read/write/delete, server-config read/write, storage-class subsystem access, and config-default initialization. - Acceptance: admin config handlers, dynamic KMS/OIDC/audit handlers, site replication state, router notification reads, and dynamic config reload paths use direct admin compatibility aliases while preserving their existing storage keys and config defaults.
- Must preserve: admin auth/authorization behavior, config history object names, KMS/OIDC/audit runtime persistence, site-replication state persistence, storage-class subsystem semantics, and admin route contracts.
- Verification: RustFS compile coverage, admin focused compile coverage, formatting, diff hygiene, risk scan, architecture guard, pre-commit quality gate, and three-expert review.
- Completed slice: replace admin config
API-082Prune storage bucket compatibility aliases.- Completed slice: replace storage
metadata,metadata_sys,object_lock,policy_sys,replication,tagging,utils,versioning,versioning_sys,object_api_utils, and test-onlycompassthroughs with explicit storage compatibility aliases. - Acceptance: storage S3 handlers, access checks, SSE resolution, RPC metadata loading, CORS/object-lock helpers, list-output ETag helpers, and storage tests use direct compatibility aliases while preserving the same bucket metadata keys and ECStore facade APIs.
- Must preserve: bucket metadata update/delete/read semantics, object-lock retention/default behavior, bucket policy/public-access checks, SSE bucket defaults, replication stats lookups, object tag encoding/decoding, S3 list ETag formatting, and test-only storage-class signal constants.
- Verification: RustFS compile coverage, storage compatibility residual scan, formatting, diff hygiene, risk scan, architecture guard, pre-commit quality gate, and three-expert review.
- Completed slice: replace storage
API-083Prune admin/app bucket compatibility aliases.- Completed slice: replace admin and app broad bucket/client/storage-class compatibility passthroughs with explicit local compatibility modules and symbol whitelists.
- Acceptance: admin replication, bucket metadata, quota, tier, site
replication, router, and app bucket/object/multipart/lifecycle consumers
keep their existing call paths while
storage_compat.rsno longer exposes broad upstream modules. - Must preserve: admin bucket target updates, replication status and resync DTOs, site-replication metadata serialization, quota checks, lifecycle transition hooks, bucket metadata IO, object ETag conversion, object-lock checks, and app storage-class behavior.
- Verification: RustFS compile coverage, admin/app compatibility residual scans, formatting, diff hygiene, risk scan, architecture guard, pre-commit quality gate, and three-expert review.
API-084Prune edge compatibility passthrough aliases.- Completed slice: replace scanner grouped bucket compatibility exports, notify broad config/global imports, observability data-usage passthroughs, and e2e grouped RPC passthroughs with explicit edge-local aliases, wrappers, and DTO projections.
- Acceptance: scanner bucket contracts stay explicitly named, notify config persistence routes through local wrappers, observability metrics consume a local data-usage DTO, and e2e RPC helper access stays narrow.
- Must preserve: scanner lifecycle and replication behavior, notification server-config update semantics, observability cluster/bucket usage metrics, and e2e RPC client/interceptor call sites.
- Verification: focused edge crate compile coverage, edge compatibility residual scans, formatting, diff hygiene, risk scan, architecture guard, pre-commit quality gate, and three-expert review.
API-085Prune test and fuzz compatibility passthrough aliases.- Completed slice: replace heal/scanner test and fuzz grouped ECStore compatibility passthroughs with direct type aliases and local wrapper functions.
- Acceptance: test harnesses keep their existing ECStore setup and lifecycle helper call sites while exposing only narrow compatibility symbols, and fuzz targets exercise bucket utility contracts through local wrappers.
- Must preserve: heal test ECStore setup, scanner lifecycle integration setup, local disk initialization, bucket metadata updates, transition enqueue behavior, and fuzz validation semantics.
- Verification: focused heal/scanner compile coverage, test/fuzz compatibility residual scans, formatting, diff hygiene, architecture guard, pre-commit quality gate, and three-expert review.
API-086Prune root runtime compatibility re-exports.- Completed slice: replace root RustFS runtime
storage_compat.rsECStore API re-exports with local constants, type aliases, a minimal disk trait, and wrapper functions. - Acceptance: root runtime startup, metadata, replication admission, topology, notification, RPC, capacity, table-catalog, and shutdown call sites keep their existing local compatibility names while the root boundary no longer re-exports ECStore API symbols directly.
- Must preserve: startup storage initialization order, bucket metadata migration/init, replication runtime startup and admission counts, notification init, RPC signature checks, capacity disk references, topology snapshots, table-catalog metadata access, and shutdown behavior.
- Verification: RustFS compile coverage, root compatibility re-export residual scan, formatting, diff hygiene, architecture guard, pre-commit quality gate, and three-expert review.
- Completed slice: replace root RustFS runtime
API-087Prune storage owner compatibility re-exports.- Completed slice: replace RustFS storage-owner
storage_compat.rsECStore API re-exports for metadata, object-lock, replication stats, tags, XML helpers, RPC globals, metrics, global accessors, tier reloads, and local disk helpers with local aliases and wrappers; keep only temporary trait imports required for method resolution. - Acceptance: storage S3 handlers, ECFS replication metrics, RPC node service, and storage tests keep their existing compatibility names while the storage owner boundary no longer exposes direct ECStore API symbol re-exports for functions, constants, globals, or DTO aliases.
- Must preserve: bucket metadata read/write/delete semantics, object-lock retention checks, replication proxy metrics, object tag encoding/decoding, XML serialization behavior, RPC signature checks, transition-tier reloads, global object-store/lock/region access, and local disk lookup behavior.
- Verification: RustFS compile coverage, storage-owner re-export residual scan, migration guard, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: replace RustFS storage-owner
API-088Prune admin and app compatibility re-exports.- Completed slice: replace RustFS admin and app
storage_compat.rsECStore API re-exports with local constants, type aliases, proxy statics, and wrapper functions; keep only temporary trait imports required for method resolution. - Acceptance: admin handlers and app object/runtime paths keep their existing compatibility names while the admin and app boundaries no longer expose direct ECStore API symbol re-exports for functions, constants, globals, or DTO aliases.
- Must preserve: admin config reads/writes, bucket metadata access, lifecycle enqueue/restore behavior, replication admission and scheduling, object-lock checks, RIO reader wrapping, data usage accounting, global object-store access, and local disk initialization behavior.
- Verification: RustFS compile coverage, admin/app re-export residual scan, migration guard, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: replace RustFS admin and app
API-089Prune trait import compatibility re-exports.- Completed slice: remove the remaining direct ECStore API
pub usecompatibility exports from RustFS admin/app/storage and scanner/heal/e2e boundaries, replacing non-trait access with local wrappers and moving method-resolution trait imports into the files that call those methods. - Acceptance: compatibility boundary files no longer expose
pub(crate) use rustfs_ecstore::apisymbols, while scanner, heal, e2e, admin, app, and storage call sites keep their existing behavior through direct trait imports or local wrappers. - Must preserve: scanner lifecycle and replication evaluation, heal local disk scanning, e2e RPC signature setup, app restore/lifecycle/object-lock checks, admin site-replication behavior, storage RPC disk access, and S3 versioning/replication behavior.
- Verification: RustFS and edge crate compile coverage, compatibility re-export residual scan, migration guard, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: remove the remaining direct ECStore API
API-090Prune outer compat object/error facade aliases.- Completed slice: replace app/admin/storage raw ECStore object/error facade
aliases with storage-api associated object aliases and local
StorageErroraliases. - Acceptance: app/admin/storage compatibility boundaries no longer refer to
rustfs_ecstore::api::object::{ObjectInfo,ObjectOptions}orrustfs_ecstore::api::error::{Error,Result}while behavior stays unchanged. - Must preserve: lifecycle restore/options, object-lock deletion checks, replication scheduling decisions, admin/storage config error matching, and storage S3 error mapping.
- Verification: RustFS compile coverage, residual scan, migration guard, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: replace app/admin/storage raw ECStore object/error facade
aliases with storage-api associated object aliases and local
API-091Prune outer compat signature facade paths.- Completed slice: replace app/admin/storage raw ECStore metadata, object-lock, lifecycle journal, monitor, and notification facade paths in compatibility function signatures with local aliases.
- Acceptance: app/admin/storage compatibility function signatures no longer
expose raw ECStore facade paths for
BucketMetadataSys,ObjectLockBlockReason, lifecycleJentry, bandwidthMonitor, orNotificationSys. - Must preserve: test metadata-system access, object-lock retention checks, lifecycle tier-delete journal persistence, admin bandwidth monitor access, and notification-system access.
- Verification: RustFS compile coverage, signature residual scan, migration guard, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
API-092Prune storage-owner raw facade paths.- Completed slice: replace scattered raw
rustfs_ecstore::api::...paths in the RustFS storage-owner compatibility boundary with localecstore_*module aliases. - Acceptance:
rustfs/src/storage/storage_compat.rsno longer contains rawrustfs_ecstore::api::...facade paths outside the centralized module alias import. - Must preserve: storage metadata, object-lock, replication stats, tagging, RPC signature, metrics, tier reload, local disk lookup, and object I/O associated type compatibility.
- Verification: RustFS compile coverage, storage-owner raw facade path residual scan, migration guard, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: replace scattered raw
API-093Prune app/admin raw facade paths.- Completed slice: replace scattered raw
rustfs_ecstore::api::...paths in the RustFS app/admin storage compatibility boundaries with localecstore_*module aliases. - Acceptance:
rustfs/src/app/storage_compat.rsandrustfs/src/admin/storage_compat.rsno longer contain rawrustfs_ecstore::api::...facade paths outside their centralized localecstore_*aliases. - Must preserve: app lifecycle, metadata, object-lock, replication, data usage, notification, tier, layout, compression, admin rebalance, metrics, bucket target, quota, storage class, and server configuration compatibility.
- Verification: RustFS compile coverage, app/admin raw facade path residual scan, migration guard, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: replace scattered raw
API-094Prune consumer raw facade paths.- Completed slice: replace scattered raw
rustfs_ecstore::api::...paths in peripheral consumer storage compatibility boundaries with localecstore_*module aliases. - Acceptance: IAM, heal, scanner, notify, observability, Swift, S3 Select,
test, and fuzz storage compatibility modules no longer contain raw
rustfs_ecstore::api::...facade paths outside centralized local alias imports. - Must preserve: IAM config and notifications, heal disk lookup, scanner lifecycle and tier helpers, notify server config IO, observability runtime metrics, Swift metadata wrappers, S3 Select error checks, and test/fuzz harness wrappers.
- Verification: RustFS compile coverage, consumer raw facade path residual scan, migration guard, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: replace scattered raw
API-095Prune root/e2e raw facade paths.- Completed slice: replace scattered raw
rustfs_ecstore::api::...paths in the RustFS root runtime and e2e storage compatibility boundaries with localecstore_*module aliases. - Acceptance:
rustfs/src/storage_compat.rsandcrates/e2e_test/src/storage_compat.rsno longer contain rawrustfs_ecstore::api::...facade paths outside centralized local alias imports. - Must preserve: root runtime metadata/config/global/storage/RPC wrappers and e2e RPC harness aliases.
- Verification: RustFS compile coverage, root/e2e raw facade path residual scan, migration guard, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: replace scattered raw
API-096Prune bucket trait method imports.- Completed slice: move outer bucket lifecycle, replication, versioning, object-lock, and restore-request method access behind local compatibility traits and wrapper functions in app, admin, storage, and scanner boundaries.
- Acceptance: non-compat RustFS, scanner, and heal sources no longer import ECStore bucket API traits directly; the migration guard only keeps the remaining disk/RPC/warm-backend method-resolution exceptions.
- Must preserve: app replication scheduling and restore validation, admin site replication checks, storage object/versioning behavior, scanner lifecycle and replication scans, and existing disk/RPC method-resolution behavior.
- Verification: RustFS/scanner/heal compile coverage, direct bucket trait import residual scan, migration guard, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
API-097Prune disk/RPC/warm-backend method imports.- Completed slice: move disk RPC, peer S3 RPC, heal/scanner disk, and warm-backend test method access behind local compatibility traits or aliases in the owning boundaries.
- Acceptance: non-compat RustFS, scanner, heal, and test sources no longer
import ECStore
DiskAPI,PeerS3Client, orWarmBackendtraits directly; the migration guard no longer allowlists those direct imports. - Must preserve: disk RPC request/response behavior, internode HTTP file and walk streams, heal resume and auto-scan disk handling, scanner disk scan behavior, and transition warm-backend test harness behavior.
- Verification: RustFS/scanner/heal/e2e compile coverage, direct disk/RPC/warm-backend trait import residual scan, migration guard, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
API-098Prune root runtime capacity/server compat consumers.- Completed slice: move capacity disk access, HTTP RPC signature verification,
event dispatch bridging, module-switch config persistence, and readiness
storage/lock quorum lookups into local
capacityandservercompatibility boundaries. - Acceptance: root runtime
storage_compat.rsno longer owns capacity/server-only ECStore wrapper functions, trait shims, or constants; migration rules reject restoring those wrappers to the root facade. - Must preserve: capacity background refresh disk discovery, internode RPC signature verification, live event dispatch, module-switch persistence, storage readiness, and distributed lock quorum behavior.
- Verification: RustFS test-target compile coverage, capacity/server residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: move capacity disk access, HTTP RPC signature verification,
event dispatch bridging, module-switch config persistence, and readiness
storage/lock quorum lookups into local
API-099Prune root runtime startup compat consumers.- Completed slice: move startup storage bootstrap, bucket metadata migration, notification initialization, global region/port setup, background shutdown, and startup service ECStore aliases into a dedicated startup compatibility boundary.
- Acceptance: startup and init modules no longer consume root
storage_compat.rs; root runtimestorage_compat.rsno longer owns startup-only ECStore wrapper functions or aliases; migration rules reject restoring those wrappers to the root facade. - Must preserve: endpoint parsing, unsupported filesystem policy, local-disk and lock-client initialization, global config migration, bucket metadata migration, IAM migration, notification registration, default-region fallback, background replication, and shutdown behavior.
- Verification: RustFS test-target compile coverage, startup residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
API-100Retire root runtime storage compatibility consumers.- Completed slice: move table catalog metadata constants and bucket metadata
reads, runtime topology capability mapping, workload admission runtime
state probes, S3 error mapping aliases, and config test disk-layout aliases
into local compatibility boundaries, then remove the root
storage_compat.rsmodule. - Acceptance: no RustFS source consumes
crate::storage_compat; root runtime compatibility file is removed; migration rules still reject direct ECStore imports outside*storage_compat.rsboundaries. - Must preserve: table catalog internal metadata paths, lock timeout lookup, runtime topology snapshots, workload admission status reporting, quota and storage error mapping, and config disk-layout parsing tests.
- Verification: RustFS test-target compile coverage, direct root compatibility consumer residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: move table catalog metadata constants and bucket metadata
reads, runtime topology capability mapping, workload admission runtime
state probes, S3 error mapping aliases, and config test disk-layout aliases
into local compatibility boundaries, then remove the root
API-101Localize owner compatibility consumers.- Completed slice: route admin handler/service/router, app usecase/context,
and storage RPC/S3 API compatibility consumers through local owner
boundary modules instead of their root owner
storage_compat.rsfacades. - Acceptance: selected admin, app, and storage owner consumers no longer
import
crate::admin::storage_compat,crate::app::storage_compat, orcrate::storage::storage_compatdirectly outside local compatibility boundary modules; migration rules reject regressions. - Must preserve: admin config and bucket metadata behavior, replication and heal status mapping, app runtime context wiring, RPC verification and disk lookup behavior, and S3 API ETag conversion.
- Verification: RustFS test-target compile coverage, owner compatibility consumer residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: route admin handler/service/router, app usecase/context,
and storage RPC/S3 API compatibility consumers through local owner
boundary modules instead of their root owner
API-102Localize storage core compatibility consumers.- Completed slice: route storage access, ECFS, ECFS extension, head-prefix,
options, SSE, storage module aliases, and storage tests through
core_storage_compatinstead of the storage ownerstorage_compat.rsfacade. - Acceptance: no non-compat RustFS storage source imports
crate::storage::storage_compatdirectly; migration rules reject regressions acrossrustfs/src/storage. - Must preserve: bucket access validation, ECFS object operations, SSE encryption/decryption setup, storage option mapping, storage object aliases, and storage compatibility tests.
- Verification: RustFS test-target compile coverage, storage compatibility consumer residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: route storage access, ECFS, ECFS extension, head-prefix,
options, SSE, storage module aliases, and storage tests through
API-103Narrow selected local compatibility re-exports.- Completed slice: replace glob re-exports in admin router/service, app context, storage core, and storage RPC local compatibility boundaries with explicit re-export lists.
- Acceptance: narrowed local compatibility boundaries expose only the symbols consumed by their owners; migration rules reject restoring glob re-exports in those files.
- Must preserve: admin route behavior, dynamic config reload behavior, app context startup handles, storage core option/SSE/access behavior, and storage RPC request handling.
- Verification: RustFS test-target compile coverage, narrowed local compatibility glob-export scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
API-104Narrow remaining local compatibility re-exports.- Completed slice: replace the remaining admin handler and app usecase local compatibility glob re-exports with explicit re-export lists.
- Acceptance: no narrowed RustFS local compatibility boundary restores a glob
re-export from its owner
storage_compat.rsfacade; migration rules reject regressions across all narrowed files. - Must preserve: admin handler config, bucket metadata, site replication, tier, rebalance, metrics, heal, quota, and object-zip behavior; app bucket, object, multipart, admin, lifecycle transition, quota, object-lock, and replication usecase behavior.
- Verification: RustFS test-target compile coverage, narrowed local compatibility glob-export scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
API-105Guard root compatibility facade aliases.- Completed slice: route the S3 API storage compatibility ETag helper through a local ECStore client module alias and add a repository-wide storage compatibility guard against scattered raw ECStore facade paths.
- Acceptance: storage compatibility boundaries may import ECStore facade
modules as local
ecstore_*aliases, but no compatibility wrapper body or signature may reintroduce a scattered rawrustfs_ecstore::api::...path. - Must preserve: S3 API ETag conversion behavior and all existing compatibility module import boundaries.
- Verification: RustFS test-target compile coverage, full storage compatibility raw-facade residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
API-106Split compatibility facade imports.- Completed slice: replace grouped
rustfs_ecstore::api::{...}imports across storage compatibility boundaries with explicit per-moduleecstore_*aliases and extend migration guards to reject grouped facade imports. - Acceptance: storage compatibility boundaries keep every ECStore facade
module dependency visible as its own local alias, and wrapper bodies or
signatures still cannot reintroduce scattered raw
rustfs_ecstore::api::...paths. - Must preserve: all compatibility wrapper bodies, public alias names, storage/admin/app/runtime/edge/test/fuzz behavior, and API surface.
- Verification: RustFS test-target compile coverage, grouped-import and raw-facade residual scans, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: replace grouped
API-107Collapse compatibility facade self references.- Completed slice: replace crate-qualified app/admin
storage_compat::ecstore_*self references with localecstore_*aliases at the root boundary andsuper::ecstore_*paths inside nested compatibility modules. - Acceptance: RustFS app/admin compatibility boundaries no longer route
wrapper bodies and aliases through their own crate-qualified
storage_compat::ecstore_*paths; migration rules reject regressions. - Must preserve: app bucket/lifecycle/object-lock/replication helper behavior, admin bucket metadata/target/replication/tier/config helper behavior, public local compatibility names, and ECStore facade ownership.
- Verification: RustFS test-target compile coverage, local facade self-reference residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: replace crate-qualified app/admin
API-108Collapse local compatibility bridge self paths.- Completed slice: replace crate-qualified app/admin/storage
storage_compatreferences in local compatibility bridge modules with relativesuper::storage_compatpaths. - Acceptance: RustFS local compatibility bridge modules no longer point back
to their owner
storage_compatfacades through crate-qualified paths; migration rules reject regressions. - Must preserve: all app usecase/context, admin router/handler/service, and storage core/RPC compatibility re-export names and owner facade behavior.
- Verification: RustFS test-target compile coverage, local bridge owner self-path residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: replace crate-qualified app/admin/storage
API-109Collapse root compatibility consumer paths.- Completed slice: replace crate-qualified root compatibility consumers in
startup/runtime/table/error/workload modules plus selected storage owner
consumers with relative
super::orself::paths. - Acceptance: selected root and storage owner modules no longer point back to local compatibility facades through crate-qualified paths; migration rules reject regressions.
- Must preserve: startup notification/storage/background/service behavior, runtime capability snapshots, workload admission wiring, table catalog helpers, root error aliases, storage SSE/access/ECFS helper behavior, and public storage module aliases.
- Verification: RustFS test-target compile coverage, root/storage owner compatibility consumer residual scans, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: replace crate-qualified root compatibility consumers in
startup/runtime/table/error/workload modules plus selected storage owner
consumers with relative
API-110Collapse RustFS local compatibility consumer paths.- Completed slice: replace crate-qualified app usecase, admin router, and storage ECFS test compatibility consumers with relative owner paths.
- Acceptance: selected RustFS app/admin/storage consumers no longer point back to local compatibility facades through crate-qualified paths; migration rules reject regressions.
- Must preserve: app object/bucket/multipart/admin usecase behavior, lifecycle transition and capacity tests, admin replication/router helpers, and storage ECFS test coverage.
- Verification: RustFS test-target compile coverage, local compatibility consumer residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
API-111Collapse storage RPC and S3 API local compatibility consumers.- Completed slice: replace crate-qualified storage RPC and S3 API local compatibility consumers with relative owner paths.
- Acceptance: selected storage RPC and S3 API modules no longer point back to local compatibility facades through crate-qualified paths; migration rules reject regressions.
- Must preserve: internode RPC request handling, node service helper tests, S3 list bucket output mapping, multipart listing output mapping, and ETag helper behavior.
- Verification: RustFS test-target compile coverage, storage RPC/S3 API local compatibility consumer residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
API-112Collapse admin local compatibility consumers.- Completed slice: replace crate-qualified admin handlers/service local compatibility consumers with relative owner paths.
- Acceptance: selected admin handlers and service modules no longer point back to local compatibility facades through crate-qualified paths; migration rules reject regressions.
- Must preserve: admin route contracts, replication/config/rebalance/heal handler behavior, service config reload behavior, and admin test coverage.
- Verification: RustFS test-target compile coverage, admin local compatibility consumer residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
API-113Collapse app context and server local compatibility consumers.- Completed slice: replace crate-qualified app context and server readiness local compatibility consumers with relative owner paths.
- Acceptance: selected app context and server readiness modules no longer point back to local compatibility facades through crate-qualified paths; migration rules reject regressions.
- Must preserve: app context dependency resolution, startup bootstrap, default interface handles, readiness storage quorum behavior, and readiness test coverage.
- Verification: RustFS test-target compile coverage, app context/server local compatibility consumer residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
API-114Collapse config, heal, and scanner test compatibility consumers.- Completed slice: replace crate-qualified config test, heal crate, and heal/scanner integration test local compatibility consumers with relative owner paths.
- Acceptance: selected config, heal, and scanner test harnesses no longer point back to local compatibility facades through crate-qualified paths; migration rules reject regressions.
- Must preserve: config layout parsing tests, heal channel/storage test coverage, endpoint index tests, and scanner lifecycle integration coverage.
- Verification: RustFS test-target compile coverage, config/heal/scanner local compatibility consumer residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
API-115Collapse standalone crate local compatibility consumers.- Completed slice: replace crate-qualified scanner, IAM, observability, S3 Select, and e2e local compatibility consumers with relative owner paths.
- Acceptance: selected standalone crate modules no longer point back to their local compatibility facades through crate-qualified paths; migration rules reject regressions.
- Must preserve: scanner data usage and object IO behavior, IAM storage adapter contracts, observability metric collection, S3 Select object-store reads, and e2e RPC helper coverage.
- Verification: standalone crate compile coverage, standalone local compatibility consumer residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
API-116Collapse fuzz-target local compatibility consumers.- Completed slice: replace crate-qualified bucket-validation and path-containment fuzz-target local compatibility consumers with relative owner paths.
- Acceptance: selected fuzz targets no longer point back to their local compatibility facades through crate-qualified paths; migration rules reject regressions.
- Must preserve: fuzz harness entrypoints, corpus behavior, bucket/object validation coverage, and path-containment assertions.
- Verification: fuzz package compile coverage, fuzz-target local compatibility consumer residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, and three-expert review.
API-117Remove app/admin secondary compatibility bridges.- Completed slice: replace app use-case and admin router consumers of
usecase_storage_compatandrouter_storage_compatwith direct ownerstorage_compatpaths, then delete the secondary bridge modules. - Acceptance: app use-cases, app tests, and the admin router no longer route through a second local compatibility bridge; migration rules reject reintroduced bridge names.
- Must preserve: app object/bucket/multipart use-case behavior, lifecycle
transition test setup, admin route replication/bucket-target contracts, and
existing owner
storage_compataliases. - Verification: RustFS compile coverage, app/admin secondary bridge residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, and three-expert review.
- Completed slice: replace app use-case and admin router consumers of
API-118Remove storage core secondary compatibility bridge.- Completed slice: replace storage owner consumers of
core_storage_compatwith directstorage_compatpaths, then delete the secondary bridge module. - Acceptance: storage owner modules and tests no longer route through a
second local compatibility bridge; migration rules reject reintroduced
core_storage_compatreferences. - Must preserve: ECFS object operations, storage access checks, SSE
encryption helpers, storage option resolution, and existing owner
storage_compataliases. - Verification: RustFS compile coverage, storage secondary bridge residual scan, migration and layer guards, formatting, diff hygiene, path-only risk review, and three-expert review.
- Completed slice: replace storage owner consumers of
API-119Remove nested secondary compatibility bridges.- Completed slice: replace admin service, app context, and storage RPC
consumers of nested
storage_compatbridge modules with direct ownerstorage_compatpaths, then delete the nested bridge modules. - Acceptance: nested service, context, and RPC modules no longer route through a second local compatibility bridge; migration rules reject reintroduced bridge files or module declarations.
- Must preserve: admin dynamic config and site-replication behavior, app
context handle wiring, storage RPC signature and disk lookup behavior, and
existing owner
storage_compataliases. - Verification: RustFS compile coverage, nested secondary bridge residual scan, migration and layer guards, formatting, diff hygiene, path-only risk review, and three-expert review.
- Completed slice: replace admin service, app context, and storage RPC
consumers of nested
API-120Remove admin handlers secondary compatibility bridge.- Completed slice: replace admin handler consumers of
handlers::storage_compatwith direct admin ownerstorage_compatpaths, then delete the handler bridge module. - Acceptance: admin handler modules no longer route through a second local
compatibility bridge; migration rules reject the bridge file, module
declaration, or direct handler-level
super::storage_compatconsumers. - Must preserve: admin handler config, replication, rebalance, quota, tier,
table catalog, metrics, trace, and heal behavior plus existing admin owner
storage_compataliases. - Verification: RustFS admin handler compile coverage, handler secondary bridge residual scan, migration and layer guards, formatting, diff hygiene, path-only risk review, and three-expert review.
- Completed slice: replace admin handler consumers of
API-121Remove runtime local compatibility bridges.- Completed slice: replace capacity, server, and S3 API local compatibility bridge consumers with direct owner APIs, then delete the bridge modules.
- Acceptance: capacity, server, and S3 API modules no longer route through
local
storage_compatbridges; migration rules reject bridge files, module declarations, or bridge consumers. - Must preserve: capacity disk discovery, HTTP RPC signature verification, event dispatch hook wiring, module-switch persistence, readiness quorum checks, and S3 ETag conversion behavior.
- Verification: RustFS compile coverage, runtime local bridge residual scan, migration and layer guards, formatting, diff hygiene, path-only risk review, and three-expert review.
API-122Remove root one-off compatibility bridges.- Completed slice: replace config test, error mapping, runtime capability, table catalog, and workload admission consumers with direct ECStore API imports, then delete the root one-off bridge modules.
- Acceptance: the deleted bridge files and module declarations are gone; migration rules reject reintroduced files, declarations, or bridge references.
- Must preserve: config disk-layout tests, API error mapping, runtime topology snapshots, table-catalog paths and lock behavior, and workload admission snapshots.
- Verification: RustFS compile coverage, root one-off bridge residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, and three-expert review.
API-123Remove startup storage compatibility bridge.- Completed slice: replace startup storage, notification, bucket metadata,
service, shutdown, server, lifecycle, IAM, background, fs guard, and init
consumers with direct ECStore API owner imports, then delete
startup_storage_compat.rs. - Acceptance: startup/init consumers no longer route through the startup compatibility bridge; migration rules reject the deleted file, module declaration, or bridge references.
- Must preserve: endpoint parsing, unsupported filesystem policy, ECStore initialization, global endpoint/erasure registration, local disk and lock client initialization, config migration/retry behavior, metadata/IAM migration, notification startup, background replication, scanner/heal startup and shutdown, and readiness marking.
- Verification: RustFS compile coverage, startup bridge residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, and three-expert review.
- Completed slice: replace startup storage, notification, bucket metadata,
service, shutdown, server, lifecycle, IAM, background, fs guard, and init
consumers with direct ECStore API owner imports, then delete
API-124Remove test and fuzz storage compatibility bridges.- Completed slice: replace heal tests, scanner lifecycle tests, and bucket/path
fuzz targets with direct ECStore API owner imports, then delete their local
storage_compat.rsmodules. - Acceptance: migrated test/fuzz targets no longer route through local storage compatibility bridges; migration rules reject deleted files, module declarations, or bridge references.
- Must preserve: heal endpoint indexing, heal mock storage signatures, lifecycle metadata updates, scanner warm-tier mocks, fuzz target validation invariants, and direct compile coverage for affected crates/targets.
- Verification: heal/scanner test compile coverage, fuzz target compile coverage, test/fuzz bridge residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, and three-expert review.
- Completed slice: replace heal tests, scanner lifecycle tests, and bucket/path
fuzz targets with direct ECStore API owner imports, then delete their local
API-125Remove standalone thin compatibility bridges.- Completed slice: replace e2e tests, IAM store object access, and notify
config persistence consumers with direct owner APIs, then delete their local
storage_compat.rsbridge modules. - Acceptance: e2e, IAM store, and notify no longer route through local thin storage compatibility bridges; migration rules reject deleted files, module declarations, or bridge consumers.
- Must preserve: e2e RPC client behavior, site-replication target contracts, IAM object associated types, notify server-config read/modify/save behavior, and reload-if-changed semantics.
- Verification: affected crate compile coverage, standalone thin bridge residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, and three-expert review.
- Completed slice: replace e2e tests, IAM store object access, and notify
config persistence consumers with direct owner APIs, then delete their local
API-126Remove remaining standalone owner compatibility bridges.- Completed slice: replace OBS metrics, Swift object/container/account, and
S3 Select object-store consumers with direct owner APIs, then delete their
local
storage_compat.rsbridge modules. - Acceptance: OBS, Swift, and S3 Select no longer route through local thin storage compatibility bridges; migration rules reject deleted files, module declarations, or bridge consumers.
- Must preserve: OBS capacity, bucket usage, replication, and ILM metrics; Swift bucket metadata and object IO contracts; S3 Select object reader, error mapping, and default read-buffer behavior.
- Verification: affected crate compile coverage, remaining standalone bridge residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, and three-expert review.
- Completed slice: replace OBS metrics, Swift object/container/account, and
S3 Select object-store consumers with direct owner APIs, then delete their
local
API-127Remove external owner compatibility bridges.- Completed slice: move IAM root, heal, and scanner bridge contracts into
their owner modules, delete their local
storage_compat.rsbridge modules, and update consumers to import owner APIs directly. - Acceptance: IAM root, heal, and scanner no longer route through local storage compatibility bridges; migration rules reject deleted files, module declarations, or bridge consumers.
- Must preserve: IAM config object IO and notification wrappers, heal disk extension behavior and object aliases, scanner lifecycle/replication/disk wrappers, data-usage persistence, and scanner object IO contracts.
- Verification: focused IAM/heal/scanner compile coverage, external owner bridge residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, and three-expert review.
- Completed slice: move IAM root, heal, and scanner bridge contracts into
their owner modules, delete their local
API-128Remove RustFS owner compatibility bridges.- Completed slice: move app, admin, and storage bridge contracts into their
owner modules, delete their local
storage_compat.rsbridge modules, and update consumers to import owner APIs directly. - Acceptance: RustFS app, admin, and storage no longer route through local storage compatibility bridges; migration rules reject deleted files, module declarations, or bridge consumers.
- Must preserve: app object/multipart/bucket behavior, admin route and config contracts, storage access/SSE/RPC behavior, object DTO aliases, bucket metadata helpers, and ECStore facade ownership.
- Verification: focused RustFS compile coverage, RustFS owner bridge residual scan, migration and layer guards, formatting, diff hygiene, Rust risk scan, and three-expert review.
- Completed slice: move app, admin, and storage bridge contracts into their
owner modules, delete their local
G-012Inventory placement and repair invariants.- Acceptance:
placement-repair-invariants.mdrecords object-to-set hashing, pool/set/disk assignment boundaries, set-aware readiness and lock quorum, scanner budget, and heal admission preservation gates. - Must preserve: no placement, repair, scanner, heal, readiness, lock, or storage metadata behavior changes.
- Acceptance:
G-013Inventory profiling and NUMA capabilities.- Acceptance:
profiling-numa-capability-inventory.mdrecords current CPU/memory profiling, cgroup memory sampling, allocator backend, eBPF, and NUMA capability support plus no-op fallback invariants. - Must preserve: no startup, profiling, allocator, runtime, or platform-gate behavior changes.
- Acceptance:
Issue #660 Capability Contract Tasks
-
PR-08/API-013Add observability snapshot contract.- Completed slice: add
CapabilityState,CapabilityStatus,CapabilitySnapshotError,ObservabilitySnapshot,UserspaceProfilingCapability,MemorySamplingState,PlatformSupport, andObservabilitySnapshotProvidertorustfs-storage-api. - Acceptance: runtime telemetry, userspace profiling, memory sampling, and platform support states are representable without runtime, ECStore, admin, profiling, exporter, sidecar, eBPF, or OTEL implementation dependencies.
- Must preserve: no profiling, startup, admin route, exporter, sidecar, eBPF, OTEL, or runtime behavior changes.
- Verification: storage-api contract tests for unknown, unsupported, disabled, and supported capability states; focused storage-api check; migration guard; formatting; diff hygiene; and three-expert review.
- Completed slice: add
-
PR-09/API-014Add topology capability contract.- Completed slice: add
TopologySnapshot,TopologyCapabilities,TopologyPool,TopologySet,TopologyDisk,TopologyLabels,DiskCapabilities, andTopologySnapshotProvidertorustfs-storage-api. - Acceptance: pool, set, and disk identity fields plus optional zone, rack,
node, media, NUMA, and additional labels are representable without
rustfs-ecstore. - Must preserve: no ECStore endpoint/set implementation, placement, membership, NUMA pinning, or runtime behavior changes.
- Verification: storage-api contract tests for missing and additional labels plus supported, unsupported, unknown, and disabled capability states; focused storage-api check; migration guard; formatting; diff hygiene; and three-expert review.
- Completed slice: add
-
PR-05/TEST-SCH-001Add scheduler preservation tests.- Completed slice: pin worker over-release clamping, reusable scheduler default thresholds and priority boundaries, backpressure pipe metadata reads, and get-object queue snapshot saturation/zero-total semantics.
- Acceptance: current reusable scheduling and admission-facing behavior is covered before later read-only snapshot extraction.
- Must preserve: scheduler algorithm, queue capacity, threshold defaults, Tokio runtime settings, request admission, scanner admission, heal admission, replication admission, and background task admission behavior.
- Verification: focused concurrency tests, focused concurrency check, migration guard, formatting, diff hygiene, and three-expert review.
-
PR-07/R-015Add runtime workload class contract.- Completed slice: add
WorkloadClass,AdmissionState,WorkloadAdmissionSnapshot,WorkloadAdmissionRegistrySnapshot, andWorkloadAdmissionSnapshotProvidertorustfs-concurrency. - Acceptance: foreground read, foreground write, metadata, scanner, repair, and replication workload classes are representable through read-only admission registry snapshots without ECStore dependency.
- Must preserve: no SchedulerManager decision logic, Tokio worker defaults, scanner/heal admission behavior, replication admission behavior, cluster scheduling, placement, membership, or business call-site migration.
- Verification: workload contract unit tests, focused concurrency check, migration guard, formatting, diff hygiene, and three-expert review.
- Completed slice: add
-
API-055/SCH-001Expose set-local scheduler admission snapshot.- Completed slice: implement
WorkloadAdmissionSnapshotProviderfor the RustFS storageConcurrencyManagerand expose foreground-read disk-read permit usage through a local read-only workload registry snapshot. - Acceptance: local foreground read admission reports active permit usage, configured limit, and open/saturated/disabled state without ECStore, admin-route, cluster, or scheduler mutation dependencies.
- Must preserve: disk-read semaphore acquisition, priority assignment, buffer sizing, storage media detection, request guards, and queue behavior.
- Verification: storage concurrency tests, focused RustFS library check, migration guard, formatting, diff hygiene, and three-expert review.
- Completed slice: implement
-
API-056/R-016Wire runtime capability snapshot providers.- Completed slice: implement
ObservabilitySnapshotProviderfor RustFS runtime capability state andTopologySnapshotProviderforEndpointServerPoolstopology snapshots. - Acceptance: observability and endpoint topology snapshots are available through the storage-api contracts without admin routes, sidecars, ECStore placement mutation, profiling startup changes, or endpoint behavior changes.
- Must preserve: profiling opt-in behavior, memory and cgroup sampling behavior, endpoint pool/set/disk assignment, placement, readiness, locks, and local path privacy.
- Verification: focused runtime capability tests, focused RustFS library check, migration and layer guards, formatting, diff hygiene, risk scan, and three-expert review.
- Completed slice: implement
-
API-057/R-017Expose heal repair admission snapshot.- Completed slice: implement a RustFS workload admission snapshot provider
that maps existing heal active-task and queue-length counters to the
Repairworkload class. - Acceptance: repair admission state is observable through the
rustfs-concurrencyworkload snapshot contract without changing heal queueing, scheduling, retry, priority merge/drop, or repair behavior. - Must preserve: heal request admission, queue capacity, scheduler wakeups, task retry handling, active-task accounting, and repair execution.
- Verification: focused workload admission tests, focused RustFS library check, migration and layer guards, formatting, diff hygiene, risk scan, and three-expert review.
- Completed slice: implement a RustFS workload admission snapshot provider
that maps existing heal active-task and queue-length counters to the
-
API-058/R-018Expose replication admission snapshot.- Completed slice: extend the RustFS workload admission provider to map
existing replication worker and site queue counters to the
Replicationworkload class. - Acceptance: replication admission pressure is observable through the
rustfs-concurrencyworkload snapshot contract without changing replication queueing, channel capacity, worker resize, MRF, target dispatch, or resync behavior. - Must preserve: replication admission, queue channel capacity, worker resize policy, MRF handling, target dispatch, resync behavior, and queue stats accounting.
- Verification: focused workload admission tests, focused RustFS library check, migration and layer guards, formatting, diff hygiene, risk scan, and three-expert review.
- Completed slice: extend the RustFS workload admission provider to map
existing replication worker and site queue counters to the
-
API-059/R-019Expose RustFS runtime owner admission snapshots.- Completed slice: extend the RustFS workload admission provider to map foreground-read disk permit state, scanner active work units, and bucket metadata runtime initialization into the workload registry.
- Acceptance: RustFS-level workload admission snapshots expose existing foreground-read, scanner, and metadata owner state without changing admission, queueing, scanner scheduling, metadata loading, metadata locks, or object write behavior.
- Must preserve: disk-read semaphore acquisition, scanner cycle scheduling, bucket metadata initialization and loading, object write paths, request guards, and queue behavior.
- Verification: focused workload admission tests, focused RustFS library check, migration and layer guards, formatting, diff hygiene, risk scan, and three-expert review.
-
API-060Remove heal and namespace-lock operation compatibility facades.- Completed slice: remove the old ECStore
store_api::HealOperationsandstore_api::NamespaceLockingcompatibility subtraits after ECStore storage types already implemented the sharedrustfs_storage_apicontracts directly. - Acceptance: internal ECStore bounds and compile-time coverage use the shared storage-api heal and namespace-lock contracts directly, while the remaining object/list/multipart compatibility bindings stay unchanged for their active internal consumers.
- Must preserve: heal operation behavior, namespace-lock acquisition, replication resync locking, rebalance metadata locking, object I/O, multipart, list, and storage hot paths.
- Verification: focused ECStore contract tests, focused ECStore library check, migration and layer guards, formatting, diff hygiene, risk scan, and three-expert review.
- Completed slice: remove the old ECStore
-
API-061Remove public ECStore object operation compatibility facades.- Completed slice: remove the old public ECStore
store_apiobject, list, and multipart operation compatibility subtraits, and keep internal generic bounds on crate-private storage-api contract constraints instead of public downstream compatibility traits. - Acceptance:
store_apino longer exports public operation compatibility traits, ECStore direct storage-api compile-time coverage includes object, object-operation, list, multipart, namespace-lock, heal, and admin contracts, and remaining publicstore_apiexports are DTO/reader compatibility paths only. - Must preserve: object I/O, list/walk behavior, multipart behavior, config persistence, tier config migration, rebalance metadata locking, lifecycle journal handling, replication MRF/resync persistence, and downstream DTO import compatibility.
- Verification: focused ECStore contract tests, focused ECStore library check, migration and layer guards, formatting, diff hygiene, risk scan, and three-expert review.
- Completed slice: remove the old public ECStore
-
API-062Establish explicit ECStore object API boundary.- Completed slice: add
rustfs_ecstore::object_apias the explicit public path for ECStore-owned object DTO and reader contracts, then migrate RustFS, scanner, heal, IAM, Swift, S3 Select, notify, and ECStore integration-test compatibility aliases away from the legacy publicstore_apipath. - Acceptance: external compatibility boundary modules no longer reference
rustfs_ecstore::store_apifor ECStore-owned object DTO and reader aliases, whilestore_apiremains available only as the old internal implementation module pending final compatibility removal. - Must preserve: object metadata shape, option defaults, reader/writer behavior, Swift/scanner/heal/IAM/S3 Select/notify boundary semantics, and all storage hot paths.
- Verification: focused ECStore/RustFS/downstream compile checks, migration guard, formatting, diff hygiene, risk scan, and three-expert review.
- Completed slice: add
-
API-063Make legacy ECStore store API module private.- Completed slice: remove
rustfs_ecstore::store_apifrom the public crate module surface after external compatibility boundaries moved torustfs_ecstore::object_api. - Acceptance: ECStore object DTO and reader compatibility remains available
through
object_api, integration contract tests consume the new public path, and migration rules reject restoringpub mod store_api. - Must preserve: internal ECStore object DTO definitions, reader/writer behavior, storage-api trait bindings, and downstream object/list/multipart compile-time contracts.
- Verification: focused ECStore contract tests, migration guard, formatting, diff hygiene, risk scan, and three-expert review.
- Completed slice: remove
-
API-064Retire the ECStore store API module name.- Completed slice: move ECStore object DTO, reader, and option definitions
from the private
store_apimodule into the publicobject_apimodule, then migrate ECStore internal imports tocrate::object_api. - Acceptance: no ECStore
store_apimodule file or directory remains, public consumers keep usingrustfs_ecstore::object_api, and migration rules reject restoring the retired module path. - Must preserve: object metadata shape, reader/writer behavior, storage-api contract bindings, object/list/multipart behavior, and downstream public object API compatibility.
- Verification: focused ECStore compile checks, migration guard, formatting, diff hygiene, risk scan, and three-expert review.
- Completed slice: move ECStore object DTO, reader, and option definitions
from the private
-
API-065Use storage-api list contracts inside ECStore.- Completed slice: migrate ECStore internal list response, walk options, and
walk result bindings to local aliases over the generic
rustfs-storage-apicontracts, including replication worker trait bounds, while retaining publicrustfs_ecstore::object_apialiases for downstream compatibility. - Acceptance: ECStore implementation modules no longer import list/walk
compatibility aliases from
crate::object_api, and migration rules reject reintroducing those internal imports. - Must preserve: list response shape, walk result item shape, object metadata shape, storage-api trait bindings, and downstream public object API compatibility.
- Verification: focused ECStore compile checks, migration guard, formatting, diff hygiene, risk scan, and three-expert review.
- Completed slice: migrate ECStore internal list response, walk options, and
walk result bindings to local aliases over the generic
-
API-066Prune ECStore object API storage aliases.- Completed slice: remove unused public storage-api passthrough aliases from
ECStore
object_apifor list responses, walk options, walk result items, and delete-object DTOs, then bind the ECStore contract test directly to the genericrustfs-storage-apicontracts. - Acceptance: ECStore
object_apino longer exposes storage-api passthrough aliases, the storage contract test still proves ECStore implements the storage-api traits with the same associated concrete types, and migration rules reject restoring the object_api passthrough aliases. - Must preserve: ECStore-owned object metadata, object options, reader/writer types, storage-api trait associated type bindings, list/delete/walk response shapes, and runtime behavior.
- Verification: focused ECStore compile checks, storage contract test, downstream compile checks, migration and layer guards, formatting, diff hygiene, risk scan, full pre-commit, and three-expert review.
- Completed slice: remove unused public storage-api passthrough aliases from
ECStore
-
API-067Guard remaining external ECStore object API aliases.- Completed slice: add a migration guard that snapshots the exact external
storage_compat.rsaliases still allowed to referencerustfs_ecstore::object_api::{GetObjectReader,ObjectInfo,ObjectOptions,PutObjReader}and rejects new object-api names in compatibility boundaries. - Acceptance: all remaining external
object_apireferences are deliberate compatibility aliases instorage_compat.rsmodules, future additions fail the migration guard, and the API-066 passthrough alias cleanup stays protected. - Must preserve: no runtime code changes, all existing compatibility aliases, object metadata shape, options, and reader/writer ownership.
- Verification: bash syntax check, migration and layer guards, formatting, diff hygiene, full pre-commit, and three-expert review.
- Completed slice: add a migration guard that snapshots the exact external
-
API-068Prune notify ECStore object-info compatibility alias.- Completed slice: remove notify's private
EcstoreObjectInfoalias and ECStore-object conversion implementation, then map ECStore event objects toNotifyObjectInfoinside the RustFS event and operation notification bridges. - Acceptance:
crates/notifyno longer referencesrustfs_ecstore::object_api::ObjectInfo, the remaining object-api alias allowlist shrinks accordingly, and notify event payload fields keep the same serialized values. - Must preserve: live event dispatch behavior, event names, bucket/object fields, version IDs, metadata, restore-completed timestamps, storage class, transitioned tier, host/port parsing, and replication request filtering.
- Verification: focused RustFS event conversion test, focused notify/RustFS compile checks, migration and layer guards, formatting, diff hygiene, full pre-commit, and three-expert review.
- Completed slice: remove notify's private
-
API-069Prune IAM direct ECStore object metadata/options aliases.- Completed slice: replace IAM config and store
ObjectInfo/ObjectOptionscompatibility aliases withIamStoreObjectOperationsassociated types. - Acceptance: IAM no longer names
rustfs_ecstore::object_api::{ObjectInfo,ObjectOptions}directly, the remaining object-api alias allowlist shrinks by four entries, and IAM config read/write metadata and lazy-rewrite precondition behavior are unchanged. - Must preserve: IAM config encryption/decryption, lazy rewrite ETag matching, list walk item/error typing, metadata return shape, storage preconditions, system-path failure classification, and notification peer behavior.
- Verification: focused IAM compile/tests, migration and layer guards, formatting, diff hygiene, full pre-commit, and three-expert review.
- Completed slice: replace IAM config and store
-
API-070Prune consumer direct ECStore object aliases.- Completed slice: replace scanner, s3select, and Swift
GetObjectReader/ObjectInfo/ObjectOptions/PutObjReadercompatibility aliases with concrete storerustfs_storage_apiassociated types. - Acceptance: scanner, s3select, and Swift no longer name
rustfs_ecstore::object_api::{GetObjectReader,ObjectInfo,ObjectOptions,PutObjReader}directly, and the remaining object-api alias allowlist shrinks by eleven entries. - Must preserve: scanner lifecycle/replication IO bounds and config helpers, s3select read buffer/object error handling, Swift bucket metadata helpers, and object reader/writer concrete types exposed through each local compatibility boundary.
- Verification: focused consumer compile/tests, migration and layer guards, formatting, diff hygiene, full pre-commit, and three-expert review.
- Completed slice: replace scanner, s3select, and Swift
-
API-071Prune final direct ECStore object aliases.- Completed slice: replace heal and RustFS storage
GetObjectReader/ObjectInfo/ObjectOptions/PutObjReadercompatibility aliases with concrete storerustfs_storage_apiassociated types. - Acceptance: no external
storage_compat.rsmodule namesrustfs_ecstore::object_api::{GetObjectReader,ObjectInfo,ObjectOptions,PutObjReader}directly, and the external object-api alias allowlist is empty. - Must preserve: heal object metadata and rewrite reader construction, RustFS storage object read/write paths, S3 response metadata semantics, SSE/encryption handling, and storage object option behavior.
- Verification: focused heal/storage compile/tests, migration and layer guards, formatting, diff hygiene, full pre-commit, and three-expert review.
- Completed slice: replace heal and RustFS storage
-
API-072Establish ECStore public facade for outer compatibility.- Completed slice: add
rustfs_ecstore::apifacade groups for layout, storage, admin, metrics, notification, and capacity helper surfaces, then migrate RustFS, scanner, observability, IAM, heal, Swift, S3 Select, heal-test, and scanner-test compatibility boundaries away from direct ECStore module paths for those surfaces. - Acceptance: selected outer
storage_compat.rsboundaries no longer importrustfs_ecstore::{admin_server_info,endpoints,disks_layout,metrics_realtime,notification_sys,pools,store_utils,store}directly, and the migration guard rejects restoring those direct public surface paths. - Must preserve: endpoint and disks-layout types, ECStore owner type and init helpers, admin server-info helpers, local metrics collection, notification peer behavior, capacity helpers, bucket-name helpers, and all runtime storage behavior.
- Verification: affected package test-target compile, migration and layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Completed slice: add
-
API-073Expand ECStore public facade coverage.- Completed slice: add
rustfs_ecstore::apifacade groups for bucket, config, disk, error, event, global, RPC, set-disk, reader, client, tier, data-usage, cache, compression, and rebalance compatibility surfaces, then migrate all outerstorage_compat.rsboundaries to those facade paths. - Acceptance: RustFS, app/admin/storage runtime, scanner, heal, IAM, notify, observability, Swift, S3 Select, e2e, test, and fuzz compatibility boundaries no longer import those ECStore public surfaces through direct pre-facade module paths, and the migration guard rejects restoring them.
- Must preserve: storage owner types, config IO, bucket metadata/lifecycle helpers, disk/RPC/error contracts, global state accessors, reader wrappers, tier helpers, rebalance status DTOs, test/fuzz harness behavior, and all existing runtime behavior.
- Verification: affected package test-target compile, migration and layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Completed slice: add
-
API-074Enforce ECStore API facade for compatibility boundaries.- Completed slice: extend the architecture migration guard so every
non-ECStore
storage_compat.rsimport fromrustfs_ecstoremust route throughrustfs_ecstore::api, not only the previously enumerated public ECStore module paths. - Acceptance: RustFS, app/admin/storage runtime, scanner, heal, IAM, notify, observability, Swift, S3 Select, e2e, test, and fuzz compatibility boundaries cannot reintroduce direct pre-facade ECStore paths through new modules or grouped imports.
- Must preserve: no runtime behavior, type ownership, compatibility alias, or ECStore public facade behavior changes.
- Verification: migration guard, direct old-path scan, formatting, diff hygiene, branch freshness check, pre-commit quality gate, and three-expert review.
- Completed slice: extend the architecture migration guard so every
non-ECStore
-
API-075Prune ECStore legacy layout root modules.- Completed slice: make the legacy ECStore root
endpointsanddisks_layoutcompatibility modules crate-private now that outer compatibility boundaries userustfs_ecstore::api::layout. - Acceptance:
rustfs_ecstore::api::layoutremains the public facade for endpoint pools and disk layout helpers, while migration rules reject restoring the old root layout compatibility modules as public modules. - Must preserve: endpoint layout types, disk layout helper behavior, ECStore internal call sites, and all outer compatibility facade paths.
- Verification: ECStore and affected outer package compile, migration and layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Completed slice: make the legacy ECStore root
-
API-076Prune facade-covered ECStore root modules.- Completed slice: make facade-covered legacy ECStore root modules
crate-private after all in-repo outer compatibility boundaries route
through
rustfs_ecstore::api. - Acceptance:
rustfs_ecstore::api::*remains the public facade for storage, admin, config, metrics, notification, RPC, disk, error, tier, rebalance, and layout helper surfaces, while migration rules reject restoring those legacy root modules as public modules. - Must preserve: ECStore internal module access, public
apifacade paths, object API paths, bitrot and erasure coding test/bench paths, and storage contract compatibility tests. - Verification: ECStore and affected outer package compile, migration and layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Completed slice: make facade-covered legacy ECStore root modules
crate-private after all in-repo outer compatibility boundaries route
through
-
API-077Prune remaining ECStore root compatibility modules.- Completed slice: add explicit
rustfs_ecstore::apifacade groups for bitrot, erasure coding, object DTO/reader, event name, and store-list helper surfaces, then migrate ECStore tests and benches away from the legacy root module paths. - Acceptance:
batch_processor,bitrot,erasure_coding,event,object_api, andstore_list_objectsare no longer public ECStore root modules, and the migration guard rejects restoring them as public modules. - Must preserve: ECStore internal module access, public facade access for compatibility tests/benches, bitrot reader/writer behavior, erasure coding constructors/helpers, object reader/DTO wire shape, and list option semantics.
- Verification: migration guard, ECStore compatibility tests/benches compile coverage, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Completed slice: add explicit
-
API-078Prune ECStore root global re-exports.- Completed slice: remove the remaining
pub use global::*compatibility exports from the ECStore crate root and route internal ECStore users tocrate::globaldirectly. - Acceptance: outer access to ECStore global helpers remains available only
through
rustfs_ecstore::api::global, internal ECStore modules use the real owner path, and the migration guard rejects restoring root global re-exports. - Must preserve: object-store resolver behavior, endpoint/global lock client
publication, erasure-type updates, tier/notification/data-usage metadata
loading, and existing
api::globalfacade names. - Verification: migration guard, ECStore and RustFS compile coverage, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Completed slice: remove the remaining
Phase 5 Cluster Control Plane Tasks
-
C-001Add topology model.- Completed slice: move endpoint-pool topology mapping behind ECStore's
crate-private
clusterowner module and expose it throughrustfs_ecstore::api::cluster. - Acceptance: pool, set, and disk topology snapshots are built from existing endpoint assignments without exposing local disk paths or changing placement, readiness, or endpoint construction.
- Must preserve: endpoint pool/set/disk indexes, local path privacy, storage-api topology contract shape, runtime capability reasons, and existing RustFS topology provider behavior.
- Verification: ECStore topology tests, RustFS runtime topology tests, migration guard, compile coverage, formatting, diff hygiene, risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: move endpoint-pool topology mapping behind ECStore's
crate-private
-
C-002Add membership model.- Completed slice: add a static membership snapshot that groups endpoint drives by node identity and records drive placement without dynamic membership, health checks, control RPC, or hot-path changes.
- Acceptance: URL endpoints group by host:port, path endpoints group under a local node identity, and drive membership carries pool/set/disk placement plus endpoint type/local flags.
- Must preserve: no Raft, no Kubernetes watcher, no peer-health behavior, no dynamic membership, and no object I/O or lock-quorum behavior changes.
- Verification: ECStore membership tests, compile coverage, migration guard, formatting, diff hygiene, risk scan, pre-commit quality gate, and three-expert review.
-
C-003Add read-only control plane facade.- Completed slice: add
ClusterControlPlaneas a read-only facade that combines topology and membership snapshots from existing endpoint pools. - Acceptance: outer crates use
rustfs_ecstore::api::clusterfor the facade, while ECStore rootclusterremains crate-private and migration rules reject restoring it as a public root module. - Must preserve: no worker start/stop, health impact, lock registry mutation, pool state mutation, endpoint publication, or readiness behavior changes.
- Verification: control-plane read-snapshot test, migration guard, compile coverage, formatting, diff hygiene, risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: add
-
C-004Add pool state snapshot.- Completed slice: add a static pool-state snapshot derived from existing
endpoint pools and expose it through
rustfs_ecstore::api::cluster. - Acceptance: pool state records pool index, set count, drives per set, endpoint counts, local/remote drive counts, legacy flag, and endpoint type coverage without reading disks or changing pool ownership.
- Must preserve: no placement change, no pool mutation, no command-line path exposure, and no endpoint publication changes.
- Verification: ECStore pool-state tests, compile coverage, formatting, diff hygiene, risk scan, pre-commit quality gate, and three-expert review.
- Completed slice: add a static pool-state snapshot derived from existing
endpoint pools and expose it through
-
C-005Add local-node storage snapshot.- Completed slice: add a read-only local-node storage projection from static endpoint membership.
- Acceptance: local nodes include only local membership entries and report aggregate path/url drive counts and pool coverage without exposing local disk paths.
- Must preserve: no storage readiness, disk health, lock quorum, or object I/O behavior changes.
- Verification: ECStore local-node storage tests, compile coverage, formatting, diff hygiene, risk scan, pre-commit quality gate, and three-expert review.
-
C-006Add peer health snapshot.- Completed slice: add a static peer-health read model that reports peer identities from membership with unknown health status until real peer health wiring lands.
- Acceptance: peer health is explicitly unknown and read-only; no background health checks, RPC calls, timers, or failure-state mutation are introduced.
- Must preserve: no dynamic membership, no peer health loop, no control RPC, no readiness impact, and no lock/object behavior changes.
- Verification: ECStore peer-health tests, compile coverage, formatting, diff hygiene, risk scan, pre-commit quality gate, and three-expert review.
-
TEST-PRTYPE-001Check PR type enum consistency.- Acceptance:
./scripts/check_architecture_migration_rules.shparses the allowed PR types fromcrate-boundaries.mdand fails whenARCHITECTURE.mdor architecture docs reference an unknown PR type.
- Acceptance:
-
COMPAT-REG-001Check temporary compatibility cleanup consistency.- Acceptance:
./scripts/check_architecture_migration_rules.shfails when a sourceRUSTFS_COMPAT_TODO(<task-id>)marker lacks a cleanup-register entry, when a register entry lacks a source marker, or when a source marker omits a removal condition.
- Acceptance:
Phase 1a Config Model Tasks
CFG-001Inventoryecstore::config::{Config, KV, KVS}consumers.- Acceptance:
ecstore-config-consumer-inventory.mdrecords the current definitions, persistence helpers, global accessors, consumer groups, migration risks, and do-not-change contract.
- Acceptance:
CFG-002Decide model boundary.- Acceptance:
config-model-boundary-adr.mdrecordsrustfs-configas the target package,server_configas the future model module, allowed dependencies, forbidden dependencies, preserved shape, and extraction verification gates.
- Acceptance:
CFG-003Move pure model definitions.- Completed slice:
rustfs/rustfs#3351moved onlyConfig,KV,KVS, and default-registration surface intorustfs-config; persistence helpers and global server-config state remain inecstore. - Must preserve: tuple struct shapes, serde alias behavior, default application, internal JSON shape, and existing persisted config semantics.
- Completed slice:
CFG-004Keep and clean up oldecstore::config::*compatibility path.- Completed slice:
rustfs/rustfs#3351re-exported moved model types and default-registration surface fromrustfs_ecstore::configwithRUSTFS_COMPAT_TODO(CFG-004)and cleanup-register coverage. - Cleanup slice: remove the temporary model re-export and smoke test after
CFG-005/CFG-006/CFG-007 migrated all in-repo consumers to
rustfs_config::server_config.
- Completed slice:
CFG-005Migrate external server-config model consumers.- Current branch: migrate admin handlers, admin services, runtime context,
server audit/event setup, and the audit/notify/targets/iam crates from the
temporary
rustfs_ecstore::config::{Config, KV, KVS}model path torustfs_config::server_config. - Acceptance: external consumers use the model crate for pure config types while still using ECStore for persistence helpers, global server-config accessors, storage-class helpers, and startup initialization.
- Current branch: migrate admin handlers, admin services, runtime context,
server audit/event setup, and the audit/notify/targets/iam crates from the
temporary
CFG-006Migrate ECStore service/default model consumers.- Current branch: migrate ECStore config default modules, shared config
helpers, and store accessor signatures to the
rustfs_configmodel type while preserving ECStore-owned persistence and runtime state. - Acceptance: ECStore internals no longer depend on the old compatibility model import path except the deliberate compatibility smoke test; the old public re-export remains available for downstream callers until CFG-004 is cleaned up.
- Current branch: migrate ECStore config default modules, shared config
helpers, and store accessor signatures to the
CFG-007Migrate scanner runtime-config model consumer.- Current branch: migrate scanner runtime-config parsing and validation from
the temporary
rustfs_ecstore::config::{Config, KVS}model path torustfs_config::server_config. - Acceptance: scanner uses the model crate for pure server-config types while still using ECStore for the global server-config accessor; scanner defaults, env overrides, persisted-config validation, cycle scheduling, bitrot-cycle compatibility, cache timeout, and alert threshold semantics remain unchanged.
- Current branch: migrate scanner runtime-config parsing and validation from
the temporary
CFG-008Move global server-config accessors.- Current branch: move
GLOBAL_SERVER_CONFIG,get_global_server_config, andset_global_server_configtorustfs_config::server_config; migrate in-repo runtime consumers to the new owner. - Compatibility: keep
rustfs_ecstore::config::{get_global_server_config, set_global_server_config}as a temporary re-export withRUSTFS_COMPAT_TODO(CFG-008). - Cleanup slice: remove the temporary accessor re-export after code scans
showed in-repo consumers import accessors from
rustfs_config::server_config. - Acceptance: ECStore still owns
ConfigSys, config persistence helpers, storage-class global state, default registration wiring, and startup initialization; global server-config reads and writes keep the samestd::sync::RwLock<Option<Config>>clone semantics.
- Current branch: move
Phase 1b Context Foundation Tasks
CTX-001Split AppContext files.- Current branch: split
rustfs/src/app/context.rsintointerfaces,handles,global, andcompatsubmodules. - Acceptance: old
crate::app::context::*imports continue to compile via re-exports; context-first and global fallback resolver bodies are moved without semantic changes. - Must preserve: AppContext construction, default adapters, global singleton initialization, resolver fallback order, and all consumer import paths.
- Verification: formatting, compile checks, migration guards, diff hygiene,
Rust risk scan, and full
make pre-commit.
- Current branch: split
CTX-002Add resolver compatibility tests.- Do: test context-first and global fallback for KMS runtime, bucket metadata, object store, endpoints, tier config, server config, and buffer config.
- Acceptance: context wins when present and global fallback works when absent.
- Verification: focused resolver compatibility test, formatting, compile
checks, migration guards, diff hygiene, Rust risk scan, and full
make pre-commit.
CTX-003Add IAM deferred recovery readiness test.- Do: verify IAM degraded recovery can still publish
IamReadyandFullReady. - Acceptance: boot/lifecycle changes cannot lose deferred readiness publication.
- Verification: focused IAM recovery test, formatting, compile checks,
migration guards, diff hygiene, Rust risk scan, and full
make pre-commit.
- Do: verify IAM degraded recovery can still publish
CTX-004Migrate app usecase object-store consumers.- Do: migrate admin, bucket, multipart, and object usecases to resolve the object store from AppContext first.
- Acceptance: usecase object-store lookups use AppContext when present and preserve the existing global object-layer fallback when absent.
- Verification: formatting, compile check, migration guards, diff hygiene,
Rust risk scan, and full
make pre-commit.
CTX-005Migrate admin object-store consumers.- Do: migrate admin handlers, admin services, and admin router helpers to the shared object-store resolver.
- Acceptance: admin object-store lookups use AppContext when present and preserve the existing global object-layer fallback when absent.
- Verification: focused resolver test, formatting, compile check, migration
guards, diff hygiene, Rust risk scan, and full
make pre-commit.
CTX-006Migrate ECFS object-store consumers.- Do: migrate S3 ECFS object operations to the shared object-store resolver.
- Acceptance: ECFS object-store lookups use AppContext when present and preserve the existing global object-layer fallback when absent.
- Must preserve: S3 object/bucket API behavior, object-lock/tagging/metadata semantics, and existing storage error paths.
- Verification: formatting, compile check, migration guards, diff hygiene,
Rust risk scan, and full
make pre-commit.
CTX-007Migrate admin ZIP object-store consumers.- Do: migrate admin object ZIP download object-store lookups to the shared object-store resolver.
- Acceptance: admin ZIP object-store lookups use AppContext when present and preserve the existing global object-layer fallback when absent.
- Must preserve: admin download authorization/preflight behavior, ZIP listing and streaming behavior, and existing storage error paths.
- Verification: formatting, compile check, migration guards, diff hygiene,
Rust risk scan, and full
make pre-commit.
CTX-008Migrate standalone crate object-store consumers.- Do: add an ECStore-owned resolver hook for AppContext-first object-store lookup and migrate Swift, S3 Select, scanner, notify, and observability object-store consumers to that resolver.
- Acceptance: standalone crates can prefer the AppContext-owned object store
without depending on the
rustfsapplication crate and preserve the existing global object-layer fallback. - Must preserve: Swift protocol behavior, S3 Select object reads, scanner cache/scan behavior, notification config persistence, observability stats collection, and existing storage error paths.
- Verification: formatting, compile checks, migration guards, diff hygiene,
Rust risk scan, and full
make pre-commit.
CTX-009Migrate server/storage infra object-store consumers.- Do: migrate server readiness/module-switch and storage access, ecfs extension, and node RPC object-store lookups to the ECStore-owned resolver.
- Acceptance: server/storage infra consumers prefer the AppContext-owned object store after context initialization and preserve the existing global object-layer fallback.
- Must preserve: readiness reporting, module-switch config persistence, storage access authorization checks, ecfs extension validation, node RPC metadata/storage-info/rebalance/tier reload behavior, and existing storage error paths.
- Verification: formatting, compile checks, migration guards, diff hygiene,
Rust risk scan, and full
make pre-commit.
CTX-010Migrate ECStore internal object-store consumers.- Do: migrate ECStore internal/background object-store lookups to the ECStore-owned resolver.
- Acceptance: ECStore metrics realtime, notification, tier config save, decommission, admin server info, bucket metadata, replication decision, lifecycle compensation/expiry, and data-usage cache consumers prefer the AppContext-owned object store after context initialization and preserve the existing global object-layer fallback.
- Must preserve: metrics collection, notification rebalance stop behavior, tier config persistence, decommission startup, admin server info reporting, bucket metadata persistence, replication decisions, lifecycle queueing, data usage cache persistence, and existing storage error paths.
- Verification: formatting, compile checks, migration guards, diff hygiene,
Rust risk scan, and full
make pre-commit.
CTX-011Consolidate app usecase object-store fallback.- Do: migrate app admin, bucket, multipart, and object usecases away from
direct
new_object_layer_fncalls and through an explicit-context resolver helper. - Acceptance: usecase lookups keep their injected AppContext precedence,
preserve
without_context()legacy global object-layer fallback semantics, and avoid consulting the global AppContext when a usecase intentionally has no context. - Must preserve: admin storage/data-usage reads, bucket create/delete/list behavior, multipart object writes, object API reads/writes, lifecycle transition tests, and existing "Not init" error paths.
- Verification: formatting, compile checks, migration guards, diff hygiene,
Rust risk scan, and full
make pre-commit.
- Do: migrate app admin, bucket, multipart, and object usecases away from
direct
Phase 1 Security Governance Tasks
S-001Addcrates/security-governance.- Acceptance: the crate is a workspace member and has no dependency on
rustfs,ecstore, admin handlers, Axum, or runtime state. - Verification:
cargo check -p rustfs-security-governance.
- Acceptance: the crate is a workspace member and has no dependency on
S-002Add admin route matrix core types.- Acceptance:
AdminRouteSpec,AdminRouteAccess,AdminActionRef,PublicRouteKind,RouteRiskLevel, and validation errors model route governance metadata without registering routes or enforcing auth. - Verification:
cargo test -p rustfs-security-governance.
- Acceptance:
S-003Add redaction contract types.- Acceptance:
RedactionRule,RedactionLevel, and validation errors model sensitive field handling without logging, masking, or runtime integration. - Verification:
cargo test -p rustfs-security-governance.
- Acceptance:
S-004Add serde policy marker types.- Acceptance:
SerdePolicy,SerdePolicyKind,UnknownFieldPolicy, and validation errors model strict ingress and compatibility serde contracts without changing deserialization behavior. - Verification:
cargo test -p rustfs-security-governance.
- Acceptance:
S-005Add supply-chain policy contract types.- Acceptance:
ArtifactIntegrityPolicy,ArtifactSourceKind, and validation errors model digest, signature, and provenance requirements without changing release or CI behavior. - Verification:
cargo test -p rustfs-security-governance.
- Acceptance:
S-006Addrustfs/src/admin/route_policy.rsbacked by these contract types, without changing route registration or auth behavior.- Acceptance: direct
AdminRouteSpecentries cover routes with a single stable admin policy action, deferred inventory records routes that need richer contract support, and tests prove the combined inventory covers every registered admin route.
- Acceptance: direct
S-011Add KMS action taxonomy.- Acceptance:
KmsActioncan parse and serialize dedicated configure, service-control, clear-cache, generate-data-key, delete, rotate, list, and describe actions; wildcard matching still works. - Verification:
cargo test -p rustfs-policy action --no-fail-fast.
- Acceptance:
S-012Migrate KMS handlers to dedicated actions.- Acceptance: KMS data-key, delete/cancel-delete, cache, configure,
service-control, list, and describe handlers use dedicated
kms:*actions. - Compatibility: legacy KMS create/status admin actions are retained only as
temporary compatibility paths and registered in
compat-cleanup-register.md. - Verification: focused handler and route policy tests, migration rules,
formatting, and
make pre-commit.
- Acceptance: KMS data-key, delete/cancel-delete, cache, configure,
service-control, list, and describe handlers use dedicated
S-013Apply KMS redaction.- Acceptance: KMS Debug output and admin status response summaries contain no Vault token, AppRole secret ID, or local master key values.
- Must preserve: internal KMS config values remain available to runtime code and persisted config serialization still writes the original secret values.
- Verification: focused KMS redaction/status tests, full KMS tests, migration
guards, Rust quality scan, clippy, and
make pre-commitpassed.
S-014Remove legacy KMS admin action fallbacks.- Acceptance: KMS create, describe, and list-key handlers authorize only the
dedicated
kms:*actions and no longer retain legacy admin grant fallbacks. - Must preserve: legacy KMS endpoint URLs, query aliases, request bodies, and response contracts remain unchanged.
- Verification: focused KMS auth and route-policy tests, migration guards, formatting, diff hygiene, risk scan, full pre-commit, and required three-expert review passed before push.
- Acceptance: KMS create, describe, and list-key handlers authorize only the
dedicated
S-015Remove legacy KMS admin policy action taxonomy.- Acceptance:
admin:KMSCreateKeyandadmin:KMSKeyStatusno longer parse as valid policy actions; KMS key handlers keep using dedicatedkms:*actions. - Must preserve: legacy KMS endpoint URLs, query aliases, request bodies, and response contracts remain unchanged.
- Verification: focused policy and KMS auth tests, route-policy tests, migration guards, formatting, diff hygiene, risk scan, full pre-commit, and required three-expert review passed before push.
- Acceptance:
KMSD-001Inventory KMS development defaults.- Acceptance:
kms-development-defaults-inventory.mdrecords Local and Vault defaults for missing master keys, temp key dirs, HTTP Vault addresses, default dev-token credentials, and skip-TLS behavior. - Must preserve: no KMS runtime behavior, config serialization, authorization, startup order, storage path, or crate boundary changes.
- Verification: docs diff review, migration guards, metrics reference guard,
and
git diff --check.
- Acceptance:
KMSD-002Make Local KMS unsafe defaults explicit dev opt-in.- Acceptance: Local KMS now rejects missing master keys and process-temp key
directories unless
allow_insecure_dev_defaultsis explicitly set. - Compatibility: server CLI/config now accepts
RUSTFS_KMS_LOCAL_MASTER_KEYfor production local encryption andRUSTFS_KMS_ALLOW_INSECURE_DEV_DEFAULTS=truefor development-only local setups.
- Acceptance: Local KMS now rejects missing master keys and process-temp key
directories unless
KMSD-003Make Vault unsafe defaults explicit dev opt-in.- Acceptance: Vault KV2 and Vault Transit now reject HTTP addresses,
dev-token, andskip_tls_verifyunless explicit development opt-in is set. - Compatibility: the KMS env loader and admin configure requests support the same explicit development opt-in.
- Acceptance: Vault KV2 and Vault Transit now reject HTTP addresses,
KMSD-004Add production KMS default tests.- Acceptance: focused tests cover Local and Vault production rejection plus explicit development opt-in paths across config, env loading, admin request conversion, and service-manager validation.
KMSD-005Write KMS compatibility notes.- Acceptance:
kms-development-defaults-inventory.mdnow records the production-safe alternatives and explicit development opt-in behavior for deployments that relied on old defaults.
- Acceptance:
Phase 2 Storage API Tasks
-
API-001Addcrates/storage-api.- Acceptance:
rustfs-storage-apiis a workspace member and remains a dependency-free contract crate. - Verification:
cargo check -p rustfs-storage-api.
- Acceptance:
-
API-002Move public storage error/result contracts.- Current PR:
rustfs/rustfs#3313merged. - Completed slice: add public
StorageErrorCodeandStorageResultcontracts inrustfs-storage-api, then make ECStoreStorageError::to_u32/from_u32consume the shared code table. - Deferred: keep the full ECStore
StorageErrorenum and ECStore-specific conversions inrustfs-ecstoreuntil theDiskError, filemeta, lock, andstd::io::Errordowncast boundary is proven safe. - Acceptance: storage-api contract tests pass, ECStore compatibility tests
prove numeric codes match the new contract, and
cargo check -p rustfs-storage-api -p rustfs-ecstorepasses. - Must preserve: storage error display, conversions, object error mapping,
quorum classification, and reserved code gaps
0x2B/0x2C. - Risk defense: no storage hot-path enum move in this PR; only numeric code mapping uses the new contract.
- Current PR:
-
API-003Move DTOs.- Current PR:
rustfs/rustfs#3314merged. - Cleanup branch:
overtrue/arch-storage-api-dto-compat-cleanup. - Completed slice: move the pure bucket/options DTO subset:
MakeBucketOptions,SRBucketDeleteOp,DeleteBucketOptions,BucketOptions, andBucketInfo. - Cleanup slice: migrate in-repo external consumers to
rustfs_storage_api, keep ECStore implementation use crate-private, and remove the old publicecstore::store_apibucket DTO re-export. - Completed follow-up slice: remove the remaining ECStore-internal bucket DTO
aliases from
store_apiand guard against restoring that compatibility path. - Acceptance:
rustfs-storage-apiexports these DTOs, in-repo external consumers no longer use the oldrustfs_ecstore::store_apiDTO path, andRUSTFS_COMPAT_TODO(API-003)is removed from source and cleanup register. - Must preserve: no
ObjectOptions,ObjectInfo, reader, compression, encryption, filemeta conversion, multipart conversion, route, storage, or runtime behavior changes in this PR.
- Current PR:
-
API-006Add disk inventory/admin trait.- Current PR:
rustfs/rustfs#3330merged. - Completed slice: add
StorageAdminApiandDiskSetSelectortorustfs-storage-api. - Acceptance:
StorageAdminApiexposes backend info, global storage info, local storage info, disk-set inventory, and drive-count surfaces without depending on ECStore implementation types. - Must preserve: no
StorageAPI::get_disksremoval, no ECStore implementation change, no admin/readiness/capacity behavior change. - Risk defense: use associated types for backend/storage/disk DTOs so this
contract slice does not pull
rustfs-madminorrustfs-ecstoreintorustfs-storage-api. - Verification: focused storage-api tests, dependency tree, migration guards, formatting, and diff hygiene.
- Current PR:
-
API-007Dual-routeget_disksconsumers.- Completed first slice:
rustfs/rustfs#3331boundECStoretoStorageAdminApiwhile keeping all consumers unchanged. - Completed second slice:
rustfs/rustfs#3332migrated the admin storage-class config drive-count consumer toStorageAdminApi::set_drive_counts. - Completed third slice:
rustfs/rustfs#3333migratedDefaultAdminUsecasestorage-info reads toStorageAdminApi::storage_info. - Completed fourth slice:
rustfs/rustfs#3334migrated account-infobackend_info, rebalance statusstorage_info, and runtime readinessstorage_info. - Completed fifth slice:
rustfs/rustfs#3335migrated grouped observability, RPC health, server-info, realtime metrics, and notification read-side consumers. - Completed sixth slice:
rustfs/rustfs#3336migrated ECStore internal decommission space, local-storage-info, backend-info, drive-count, and disk-inventory admin handlers away from oldStorageAPImethod calls. - Completed seventh slice:
rustfs/rustfs#3337migrated maintenance and background read-side storage inventory consumers in rebalance metadata initialization, heal resume disk lookup, and scanner local disk scan lookup. - Completion acceptance: admin inventory consumers no longer use old
StorageAPIcalls for backend info, storage info, local storage info, drive-count, or disk-set inventory when the inventory-facingStorageAdminApicontract represents the same read-only operation.
- Completed first slice:
-
API-008Remove duplicate old-path admin surfaces.- Completed slice:
rustfs/rustfs#3340removed duplicate admin-read methods from the oldStorageAPItrait and its ECStore/Sets/SetDisks/test implementations after API-007 migrated their consumers. - Final cleanup slice: remove the old
StorageAPIfacade after all real consumers moved to concrete operation groups. - Loss-prevention cleanup slice: rename the remaining ECStore contract compatibility test away from the old storage-api facade name and guard production ECStore/RustFS source against reintroducing the removed aggregate facade identifier.
- Acceptance: storage operation traits remain available directly while admin
inventory surfaces live only on
StorageAdminApi.
- Completed slice:
-
API-009Narrow metadata helper storage bounds.- Completed slice:
rustfs/rustfs#3343narrowed server config, tier config, rebalance metadata, and startup metadata migration helper bounds away from fullStorageAPIwhen the helper only needsObjectIO,ObjectOperations,BucketOperations,ListOperations, orStorageAdminApi. - Cleanup slice: remove stale full
StorageAPIdependencies from config persistence test support after the server-config persistence helpers moved to their actual object I/O and storage-admin bounds. - Completed cleanup slice:
rustfs/rustfs#3489removed the stale full facade dependency from config persistence test support. - Acceptance: metadata helper contracts express the actual operation group they need, while callers and persistence behavior remain unchanged.
- Completed slice:
-
API-010Narrow replication resync metadata bounds.- Completed slice:
rustfs/rustfs#3345narrowed replication resync status load/save/mark/persist helper bounds away from fullStorageAPIwhen the helper only needsObjectIO. - Acceptance: resync metadata helpers express object-I/O-only persistence requirements, while replication execution, delete replication, multipart replication, object lookups, and scheduling behavior remain on the concrete operation groups they need.
- Completed slice:
-
API-011Narrow scanner cache helper storage bounds.- Completed slice:
rustfs/rustfs#3348narrowed scanner data-usage cache load/save and cache snapshot persistence helper bounds away from fullStorageAPIwhen the helper only needsObjectIO. - Acceptance: scanner cache persistence helpers express object-I/O-only requirements, while scanner cycle orchestration, bucket scanning, local disk selection, cache publication, and storage hot paths remain unchanged.
- Must preserve: data-usage cache wire format, cache object paths, backup cache paths, retry and timeout behavior, cache-save metrics, publish/update channel behavior, scanner cycle scheduling, disk scan concurrency, bucket scan semantics, lifecycle/replication decisions, and storage hot paths.
- Risk defense: do not move traits to
rustfs-storage-api, do not alter helper bodies, and do not narrow scanner paths that need bucket operations, disk inventory, or full storage orchestration. - Verification: focused compile/tests, migration guards, Rust risk scan, and required quality/architecture, migration-preservation, and testing/verification review passed.
- Completed slice:
-
API-012Narrow table catalog object backend bounds.- Completed slice:
rustfs/rustfs#3350added a narrowNamespaceLockingoperation-group trait as a compatibility facade, then narrowedEcStoreTableCatalogObjectBackendfrom fullStorageAPItoObjectIO,ObjectOperations,ListOperations, andNamespaceLocking. - Cleanup slice: migrate the remaining scanner leader-lock and self-copy
object use-case namespace-lock consumers to
NamespaceLocking, implement namespace locking directly on ECStore storage types, and remove the temporary namespace-lock compatibility method from the full storage trait and cleanup register entry. - Completed cleanup slice:
rustfs/rustfs#3477narrowed remaining table catalog backend and rebalance metadata helper consumers away from fullStorageAPIwhere they only need object I/O, object operations, list operations, and namespace locking. - Completed follow-up slice:
rustfs/rustfs#3485narrowed replication pool, resync leader-lock, delete replication, object replication, and multipart replication helpers away from fullStorageAPIwhere they only need object I/O, object operations, list operations, and namespace locking. - Final cleanup slice: remove the unused old
StorageAPIfacade, its implementation blocks, public re-export, and stale guard coverage. - Acceptance: table catalog object backend contracts express the actual
object read/write, metadata/delete, list, and namespace-lock capabilities
they need; namespace-lock consumers depend on
NamespaceLockinginstead of fullStorageAPI; and storage lock behavior remains unchanged. - Must preserve: table catalog object paths, metadata pointer semantics, optimistic write preconditions, object listing pagination, missing-object handling, namespace write-lock acquisition, object APIs, scanner/heal/replication/config persistence, and storage hot paths.
- Risk defense: do not move traits into
rustfs-storage-api, do not change lock implementation code, do not alter table catalog method bodies, and do not leave stale full-facade compatibility coverage after consumers move to concrete operation groups. - Verification: focused compile/tests, migration guards, Rust risk scan, and required quality/architecture, migration-preservation, and testing/verification review passed.
- Completed slice:
-
API-013Move multipart list/result DTO contracts.- Completed slice: move
MultipartUploadResult,PartInfo,MultipartInfo,ListMultipartsInfo, andListPartsInfofrom ECStorestore_apiintorustfs-storage-api; update ECStore traits and RustFS S3 multipart response builders to import these shared contracts directly. - Acceptance:
rustfs-storage-apiexports the multipart DTO contracts, in-repo consumers no longer use the oldrustfs_ecstore::store_apipath for these DTOs, and migration guards reject restoring the old ECStore-owned definitions or re-exports. - Must preserve: multipart upload creation, part listing, multipart upload listing, part metadata, checksum fields, S3 response mapping, and storage operation trait behavior.
- Risk defense: keep
CompletePart,ObjectInfo,ObjectOptions, readers, filemeta conversions, replication state, encryption, compression, and range semantics in ECStore for this slice. - Verification: focused storage-api/ECStore/RustFS compile checks, multipart response tests, migration/layer guards, formatting, diff hygiene, Rust risk scan, and required three-expert review passed.
- Completed slice: move
-
API-014Move bucket operation contract.- Completed slice: move
BucketOperationsfrom ECStorestore_apiintorustfs-storage-api, keep ECStore/Sets/SetDisks implementations in ECStore, and migrate in-repo consumers to import the shared contract path. - Acceptance:
rustfs-storage-apiexports the bucket operation contract, in-repo consumers no longer use the oldrustfs_ecstore::store_apipath forBucketOperations, and migration guards reject restoring the old ECStore-owned definition or re-export. - Must preserve: bucket create/delete/list/info behavior, object store initialization, bucket metadata migration, Swift/admin/storage consumers, and all storage hot paths.
- Risk defense: only the trait contract crosses into
rustfs-storage-api; ECStore errors, object contracts, list contracts, readers, lock handling, and implementation bodies stay in ECStore. - Verification: focused storage-api/ECStore/RustFS/downstream compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, and required three-expert review passed.
- Completed slice: move
-
API-015Move object option helper contracts.- Completed slice: move
CompletePart,HTTPPreconditions, andObjectLockRetentionOptionsfrom ECStorestore_apiintorustfs-storage-api; keepObjectOptions, object/list DTOs, readers, filemeta conversions, and storage implementations in ECStore. - Acceptance:
rustfs-storage-apiexports the moved helper contracts, in-repo consumers no longer use the oldrustfs_ecstore::store_apipath for these helpers, and migration guards reject restoring the old ECStore definitions or public re-exports. - Must preserve: multipart completion mapping, HTTP precondition semantics, object-lock retention fields, object lookup/drop-precondition behavior, storage hot paths, and ECStore-owned implementation-heavy object contracts.
- Risk defense: only pure helper DTOs cross into
rustfs-storage-api; ECStore keepsObjectOptions,ObjectInfo, list contracts, readers, lifecycle/replication/rio/filemeta coupling, errors, and implementation bodies. - Verification: focused storage-api/ECStore/RustFS/downstream compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, and required three-expert review passed.
- Completed slice: move
-
API-016Move HTTP range helper contracts.- Completed slice: move
HTTPRangeSpecandHTTPRangeErrorfrom ECStorestore_api/readers.rsintorustfs-storage-api; keepObjectInfopart adaptation in ECStore and migrate RustFS, ECStore, Swift, scanner, and S3-select consumers to import the shared range contract directly. - Acceptance:
rustfs-storage-apiexports the range helper contracts, in-repo consumers no longer use the oldrustfs_ecstore::store_apipath forHTTPRangeSpec, and migration guards reject restoring old ECStore definitions or public re-exports. - Must preserve: S3 range semantics, suffix ranges, multipart part-range boundaries, SSE/rio/compressed range planning, Swift/S3-select reads, and ECStore-owned object-info/filemeta adaptation.
- Risk defense: only pure range contract behavior crosses into
rustfs-storage-api; ECStore keeps readers,ObjectInfo, part plaintext size selection, encryption/compression planning, lifecycle/replication/rio coupling, and storage implementation bodies. - Verification: focused storage-api/ECStore/RustFS/downstream compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, and required three-expert review passed.
- Completed slice: move
-
API-017Move object list helper contracts.- Completed slice: move
VersionMarkerandWalkVersionsSortOrderfrom ECStorestore_api/types.rsintorustfs-storage-api; keepversions_after_marker,WalkOptions,ObjectInfo, list result DTOs, readers, and storage list/walk implementations in ECStore. - Acceptance:
rustfs-storage-apiexports the list helper contracts, in-repo production code no longer imports them fromrustfs_ecstore::store_api, and migration guards reject restoring old ECStore definitions or public re-exports. - Must preserve: list-object-versions marker parsing, null version markers, version marker application only to the first matching entry, walk sort default, and ECStore-owned filemeta/list implementation behavior.
- Risk defense: only pure marker/sort contracts cross into
rustfs-storage-api; ECStore keeps filemeta conversion, list result DTOs, walk options with filemeta filters, readers, lifecycle/replication coupling, and storage implementation bodies. - Verification: focused storage-api/ECStore/RustFS/downstream compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, and required three-expert review passed.
- Completed slice: move
-
API-018Move object precondition helper contracts.- Completed slice: add
ObjectPreconditionState,ObjectPreconditionPart, andObjectPreconditionErrortorustfs-storage-api; make ECStoreObjectOptions::precondition_checkadaptObjectInfointo the shared pure contract and map the contract result back to the existing ECStore errors. - Acceptance:
rustfs-storage-apiexports the precondition helper contracts, ECStore keepsObjectOptionsandObjectInfo, and migration guards reject dropping the public precondition contract re-export. - Must preserve: requested-part validation, empty condition handling,
If-None-Match/If-Modified-SinceNotModifiedbehavior,If-Match/If-Unmodified-SincePreconditionFailedbehavior, wildcard ETag matching, and ECStore error mapping. - Risk defense: only pure precondition decision state and result contracts
cross into
rustfs-storage-api; ECStore keeps object metadata adaptation, storage error types,ObjectOptions,ObjectInfo, readers, lifecycle/replication coupling, and storage implementation bodies. - Verification: focused storage-api tests, ECStore/RustFS/downstream compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, and required three-expert review passed.
- Completed slice: add
-
API-019Move object list response contracts.- Completed slice: move
ListObjectsInfo,ListObjectsV2Info,ListObjectVersionsInfo, andObjectInfoOrErrfrom ECStorestore_api/types.rsintorustfs-storage-apias generic public contracts, then keep ECStore's old public names as type aliases bound toObjectInfoandError. - Acceptance:
rustfs-storage-apiexports the generic list response contracts, ECStore no longer defines local response structs for these contracts, existing ECStore consumers keep their old import path, and migration guards reject dropping the public storage-api re-export or reintroducing local ECStore definitions. - Must preserve: list v1/v2 truncation and marker fields, list-object-version marker fields, object/prefix vectors, walk item/error channel shape, and ECStore list/walk runtime behavior.
- Risk defense: only generic response containers cross into
rustfs-storage-api; ECStore keepsObjectInfo,ObjectOptions,WalkOptions, filemeta filters, object metadata adaptation, storage errors, readers, lifecycle/replication coupling, and list/walk implementation bodies. - Verification: focused storage-api tests, ECStore/RustFS/downstream compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, full pre-commit, and required three-expert review passed.
- Completed slice: move
-
API-020Move walk options contract.- Completed slice: move
WalkOptionsfrom ECStorestore_api/types.rsintorustfs-storage-apias a generic public contract over the filter type, then keep ECStore's old publicWalkOptionsname as a type alias bound to the existingfn(&FileInfo) -> boolfilter shape. - Acceptance:
rustfs-storage-apiexportsWalkOptions, ECStore no longer defines a localWalkOptionsstruct, existing ECStore consumers keep their old import path, and migration guards reject dropping the public storage-api re-export or reintroducing a local ECStore definition. - Must preserve: walk filter optionality, marker, latest-only flag, ask-disks string, version sort default, limit semantics, include-free-versions flag, and ECStore list/walk runtime behavior.
- Risk defense: only the generic options container crosses into
rustfs-storage-api; ECStore keeps the concreteFileInfofilter binding, list/walk implementations, metadata conversion, readers, storage errors, lifecycle/replication coupling, and operation traits. - Verification: focused storage-api tests, ECStore/RustFS/downstream compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, full pre-commit, and required three-expert review passed.
- Completed slice: move
-
API-021Move list operations contract.- Completed slice: move
ListOperationsfrom ECStorestore_api/traits.rsintorustfs-storage-apias a generic public operation contract over list response, walk option, cancellation, sender, and error associated types; keep ECStore's old publicListOperationsname as a fixed associated-type compatibility subtrait. - Acceptance:
rustfs-storage-apiexportsListOperations, ECStore no longer defines local list operation method signatures, existing ECStore generic bounds keep the old import path, and migration guards reject dropping the public storage-api re-export or reintroducing local ECStore list method definitions. - Must preserve: list v2 pagination, list-object-versions pagination, walk channel shape, cancellation token usage, ECStore public compatibility bounds, and all ECStore list/walk runtime behavior.
- Risk defense: only the trait contract crosses into
rustfs-storage-api; ECStore keeps the concrete associated type bindings, response aliases, walk option alias, object metadata conversion, storage errors, lifecycle and replication coupling, and implementation bodies. - Verification: focused storage-api tests, ECStore/RustFS/downstream compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, full pre-commit, and required three-expert review passed.
- Completed slice: move
-
API-022Move object and multipart operation contracts.- Completed slice: move
ObjectIO,ObjectOperations, andMultipartOperationsfrom ECStorestore_api/traits.rsintorustfs-storage-apias generic public operation contracts over ECStore reader, option, metadata, multipart DTO, file-info, delete, header, range, and error associated types; keep ECStore's old public trait names as fixed associated-type compatibility subtraits. - Acceptance:
rustfs-storage-apiexports the object and multipart operation contracts, ECStore no longer defines local object/multipart method signatures, existing ECStore generic bounds keep the old import path, and migration guards reject dropping the public storage-api re-export or reintroducing local ECStore object/multipart method definitions. - Must preserve: object reader/writer behavior, object metadata/tag/delete behavior, multipart create/copy/part/list/complete/abort behavior, ECStore public compatibility bounds, and all ECStore object/multipart runtime behavior.
- Risk defense: only the trait contracts cross into
rustfs-storage-api; ECStore keeps the concrete associated type bindings, readers,ObjectInfo,ObjectOptions,PutObjReader, filemeta adaptation, storage errors, lifecycle/replication/rio/compression/encryption coupling, and implementation bodies. - Verification: focused storage-api tests, ECStore/RustFS/downstream compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, full pre-commit, and required three-expert review passed.
- Completed slice: move
-
API-023Move heal and namespace-lock operation contracts.- Completed slice: move
HealOperationsandNamespaceLockingfrom ECStorestore_api/traits.rsintorustfs-storage-apias generic public operation contracts over ECStore heal result/options, namespace-lock wrapper, and error associated types; keep ECStore's old public trait names as fixed associated-type compatibility subtraits. - Acceptance:
rustfs-storage-apiexports the heal and namespace-lock operation contracts, ECStore no longer defines local heal/namespace-lock method signatures, focused consumers use the shared trait for method resolution, and migration guards reject dropping the public storage-api re-export or reintroducing local ECStore method definitions. - Must preserve: heal format/bucket/object behavior, abandoned-part checks, pool/set lookup behavior, namespace-lock acquisition behavior, ECStore public compatibility bounds, and all runtime lock/heal implementation bodies.
- Risk defense: only the trait contracts cross into
rustfs-storage-api; ECStore keeps concrete associated type bindings,HealOpts,HealResultItem,NamespaceLockWrapper, lock implementation, peer heal behavior, set/pool dispatch, and storage error mapping. - Verification: focused storage-api/ECStore/RustFS/heal/scanner compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, full pre-commit, and required three-expert review passed.
- Completed slice: move
-
API-024Clean shared list operation consumer bounds.- Completed slice: migrate RustFS S3/bucket usecase list response builders from
ECStore
ListObjectVersionsInfo/ListObjectsV2Infoaliases torustfs-storage-apigeneric list response contracts bound to ECStoreObjectInfo; migrate IAM walk channel typing from ECStoreObjectInfoOrErralias to the shared generic item contract. - Acceptance: outer RustFS/IAM consumers use storage-api list response contracts directly, ECStore keeps concrete aliases for internal implementation and compatibility, and migration guards reject restoring the old outer-consumer imports.
- Must preserve: S3 list v2/version output mapping, IAM config walk channel item/error handling, ECStore concrete object metadata shape, walk options inference, and storage error conversion behavior.
- Risk defense: this slice moves only low-coupling generic response/channel
typing; ECStore still owns
ObjectInfo,ObjectOptions, readers, filemeta-bound walk filter type, delete DTOs, and list/walk implementation bodies. - Verification: focused RustFS/IAM compile and tests, migration/layer guards, formatting, diff hygiene, Rust risk scan, full pre-commit, and required three-expert review passed.
- Completed slice: migrate RustFS S3/bucket usecase list response builders from
ECStore
-
API-025Clean external operation consumer bounds.- Completed slice: migrate scanner data-usage cache storage bounds, RustFS
object-usecase namespace-lock helper bounds, and table catalog object
backend storage bounds from ECStore compatibility operation traits to
rustfs-storage-apioperation traits with explicit ECStore concrete associated-type bindings. - Acceptance: outer RustFS/scanner consumers no longer import ECStore operation traits, ECStore keeps compatibility traits for internal implementation and downstream compatibility, and migration guards reject restoring old outer-consumer operation trait imports.
- Must preserve: scanner cache load/save behavior, scanner backend timeout and retry behavior, object self-copy namespace-lock quorum/error mapping, table catalog object read/write/list/lock behavior, ECStore object metadata shape, reader shape, walk filter shape, and storage error conversion.
- Risk defense: this slice changes only generic bounds/import ownership; ECStore still owns concrete object DTOs, readers, delete DTOs, lock wrappers, walk filters, and implementation bodies.
- Verification: focused RustFS/scanner compile and tests, migration/layer guards, formatting, diff hygiene, Rust risk scan, full pre-commit, and required three-expert review passed.
- Completed slice: migrate scanner data-usage cache storage bounds, RustFS
object-usecase namespace-lock helper bounds, and table catalog object
backend storage bounds from ECStore compatibility operation traits to
-
API-026Clean external DTO consumer boundaries.- Current branch:
overtrue/arch-storage-dto-consumer-boundaries. - Completed slice: introduce crate-local semantic aliases for ECStore-owned
object metadata/options/readers/delete DTOs in scanner, heal, notify, Swift,
S3 Select, and RustFS storage/app consumers; update production and affected
test call sites to use those local aliases instead of raw
rustfs_ecstore::store_apiDTO imports. - Acceptance: non-ECStore direct
rustfs_ecstore::store_apireferences are limited to boundary alias definitions, ECStore remains the owner ofObjectInfo,ObjectOptions, object readers, delete DTOs, walk filters, lock wrappers, and implementation behavior, and external consumers express their local semantic dependency through crate-owned names. - Must preserve: object metadata shape, object option defaults, reader/writer behavior, delete replication DTO handling, scanner cache semantics, heal storage metadata semantics, Swift and S3 Select object reads, notification event payloads, S3 response DTO mapping, and storage/app test behavior.
- Risk defense: this slice uses type aliases and import-boundary cleanup only; it does not move DTO definitions, alter serialization, change object-store implementations, or adjust runtime control flow.
- Verification: focused compile/tests, migration/layer guards, formatting, diff hygiene, direct import scan, Rust risk scan, full pre-commit, and required three-expert review passed.
- Current branch:
-
API-027Clean remaining external storage DTO imports.- Current branch:
overtrue/arch-storage-compat-contract-cleanup. - Completed slice: move table catalog, IAM object-store, admin zip-download,
capacity dirty-scope tests, heal integration tests, scanner, Swift, S3
Select, and notify event payloads from raw ECStore
store_apiDTO imports to crate-local compatibility aliases/modules. - Acceptance: non-ECStore direct
rustfs_ecstore::store_apireferences are limited to explicit boundary alias points in RustFS storage plus scanner, heal, IAM, notify, Swift, and S3 Select compatibility modules; table catalog, affected tests, and protocol/scanner/notification consumers consume those boundary names instead of raw ECStore DTO paths. - Must preserve: table catalog storage trait bindings, IAM metadata/lazy rewrite behavior, object zip preflight/read semantics, capacity dirty-disk assertions, heal integration object read/write behavior, scanner cache load/save semantics, Swift object read/write/copy/delete behavior, S3 Select object-store reads, notify event payload shape, and ECStore-owned DTO concrete shapes.
- Risk defense: this slice changes import ownership and type aliases only; it does not move DTO definitions, alter serialization, change object-store implementation bodies, or adjust runtime control flow.
- Verification: focused compile/tests, migration/layer guards, formatting, diff hygiene, direct import scan, Rust risk scan, full pre-commit, and required three-expert review passed.
- Current branch:
-
API-028Clean Swift ECStore runtime boundary imports.- Current branch:
overtrue/arch-swift-ecstore-boundaries. - Completed slice: move Swift account, container, object, and versioning
access to ECStore object-store resolver and bucket metadata get/set calls
behind the Swift-local
storage_compatmodule. - Acceptance: direct Swift module references to
rustfs_ecstorefor object store resolution, bucket metadata reads, bucket metadata writes, and object DTO aliases are limited toswift::storage_compat; Swift business modules consume Swift-owned compatibility names. - Must preserve: Swift account metadata tags, container metadata tags, versioning location tags, ACL tag storage, object CRUD/copy/range behavior, storage-not-initialized error mapping, and bucket metadata load/save error mapping.
- Risk defense: this slice changes import ownership and thin wrapper boundaries only; it does not move ECStore definitions, alter metadata serialization, change Swift bucket naming, or adjust runtime control flow.
- Verification: focused Swift compile/tests, migration/layer guards, formatting, diff hygiene, direct Swift import scan, Rust risk scan, full pre-commit, and required three-expert review passed.
- Current branch:
-
API-029Clean scanner and heal ECStore runtime boundaries.- Current branch:
overtrue/arch-scanner-heal-runtime-boundaries. - Completed slice: move scanner and heal direct ECStore runtime, disk, metadata, lifecycle, replication, config, and error imports behind their crate-local compatibility modules.
- Acceptance: direct
rustfs_ecstorereferences incrates/scanner/srcandcrates/heal/srcare limited to scanner/heal compatibility boundary modules; scanner/heal business modules consume local compatibility names. - Must preserve: scanner cache load/save behavior, lifecycle and replication scan behavior, disk bucket scan inventory lookup, heal object/bucket/format behavior, resume state storage, heal channel test contracts, and existing ECStore-owned concrete types.
- Risk defense: this slice changes import ownership and thin compatibility boundaries only; it does not alter scanner scheduling, heal scheduling, object I/O logic, disk operations, metadata serialization, or error mapping.
- Verification: focused scanner/heal compile/tests, direct import scans, migration/layer guards, formatting, diff hygiene, Rust risk scan, full pre-commit, and required three-expert review passed.
- Current branch:
-
API-030Clean app, storage, and admin ECStore runtime boundaries.- Current branch:
overtrue/arch-app-storage-admin-runtime-boundaries. - Completed slice: add crate-local app, storage, and admin compatibility
boundary modules for ECStore-owned runtime contracts, then migrate direct
rustfs_ecstoreimports inrustfs/src/app,rustfs/src/storage, andrustfs/src/adminthrough those boundary modules. - Acceptance: direct
rustfs_ecstorereferences in app/storage/admin source are limited to the local compatibility boundary modules; app, storage, and admin business/test modules consume local compatibility names. - Must preserve: app object/bucket/multipart/admin usecase behavior, storage ECFS/access/SSE/RPC behavior, admin route/handler/service behavior, metadata serialization, encryption handling, authorization, and existing ECStore-owned concrete type ownership.
- Risk defense: this slice changes import ownership only; it does not move ECStore definitions, alter runtime control flow, adjust route registration, change storage I/O, mutate metadata formats, or alter admin authorization.
- Verification: direct app/storage/admin import scan, RustFS test compile check, migration/layer guards, formatting, diff hygiene, Rust risk scan, full pre-commit, and required three-expert review passed.
- Current branch:
-
API-031Clean runtime, observability, S3 Select, notify, and IAM ECStore runtime boundaries.- Current branch:
overtrue/arch-runtime-observability-select-boundaries. - Completed slice: add RustFS root, obs, and IAM compatibility boundary
modules; extend notify and S3 Select compatibility modules; migrate direct
rustfs_ecstoreimports in RustFS startup/server/runtime/table-catalog code plus obs, notify, S3 Select, and IAM through those local boundaries. - Acceptance: direct
rustfs_ecstorereferences in those source areas are limited to local compatibility boundary modules; runtime and crate business modules consume local compatibility names. - Must preserve: startup ordering, readiness/RPC behavior, capacity metrics, table catalog object I/O behavior, notification config persistence, S3 Select object-store reads, IAM storage/error mapping, and observability metrics collection behavior.
- Risk defense: this slice changes import ownership only; it does not move ECStore definitions, alter runtime control flow, adjust readiness checks, mutate table catalog metadata, change IAM policy behavior, or alter notify, S3 Select, or obs runtime semantics.
- Verification: focused compile, direct import scan, migration/layer guards, formatting, diff hygiene, Rust risk scan, full pre-commit, and required three-expert review passed.
- Current branch:
-
API-032Clean test harness and fuzz ECStore compatibility boundaries.- Current branch:
overtrue/arch-test-harness-fuzz-storage-boundaries. - Completed slice: add scanner/heal integration test, e2e test, and fuzz
target compatibility boundary modules; migrate direct
rustfs_ecstoreimports in those test/fuzz harnesses through local boundaries. - Acceptance: direct
rustfs_ecstorereferences in scanner/heal integration tests, e2e test helpers, and fuzz targets are limited to local compatibility boundary modules; test and fuzz modules consume local compatibility names. - Must preserve: scanner lifecycle integration behavior, heal integration and bug-fix test behavior, e2e node/grpc/replication helpers, fuzz target input shape, and existing ECStore-owned concrete type ownership.
- Risk defense: this slice changes import ownership only; it does not move ECStore definitions, alter test setup semantics, change fuzz inputs, adjust runtime control flow, or mutate metadata formats.
- Verification: focused scanner/heal/e2e compile, fuzz target compile, migration/layer guards, formatting check, diff hygiene, direct import scan, risk scan, full pre-commit, and required three-expert review passed.
- Current branch:
-
API-033Narrow ECStore compatibility export surfaces.- Current branch:
overtrue/arch-narrow-storage-compat-exports. - Completed slice: replace local whole-crate ECStore compatibility aliases with explicit re-export modules for RustFS runtime/app/admin/storage, obs, notify, S3 Select, IAM, scanner/heal integration tests, e2e helpers, and fuzz targets.
- Acceptance: local ECStore compatibility boundaries expose only the ECStore
modules/functions required by their consumers; direct
rustfs_ecstorereferences remain limited to compatibility boundary modules. - Must preserve: all runtime, admin, storage, observability, notification, S3 Select, IAM, scanner/heal test, e2e helper, and fuzz behavior from API-031/API-032.
- Risk defense: this slice changes compatibility re-export ownership only; it does not move ECStore definitions, alter runtime control flow, mutate metadata formats, change test setup semantics, or adjust fuzz inputs.
- Verification: focused compile, fuzz target compile, migration/layer guards, formatting check, diff hygiene, direct import scan, risk scan, full pre-commit, and required three-expert review passed.
- Current branch:
-
API-034Narrow remaining ECStore compatibility export surfaces.- Current branch:
overtrue/arch-remaining-storage-compat-exports. - Completed slice: narrow the remaining scanner, heal, Swift, and IAM store
ECStore compatibility boundary modules from direct ECStore imports to
explicit local
ecstorere-export surfaces while keeping existing local semantic aliases unchanged; add a migration guard that rejects future directrustfs_ecstoreimports outside compatibility boundary modules. - Acceptance: direct
rustfs_ecstorereferences in non-ECStore source are limited to local compatibility boundary modules; business modules continue to consume crate-local compatibility names, and migration rules reject bypassing those boundaries. - Must preserve: scanner cache/lifecycle/replication behavior, heal storage and disk behavior, Swift object/bucket metadata behavior, IAM object-store metadata behavior, and all ECStore-owned concrete type ownership.
- Risk defense: this slice changes compatibility import ownership only; it does not move ECStore definitions, alter runtime control flow, mutate metadata formats, change Swift/IAM semantics, or adjust scanner/heal scheduling.
- Verification: focused scanner/heal/IAM compile, Swift feature compile, migration/layer guards, formatting check, diff hygiene, direct import scan, risk scan, full pre-commit, and required three-expert review passed.
- Current branch:
-
API-035Prune compatibility re-export allowances.- Current branch:
overtrue/arch-compat-reexport-prune. - Current slice: remove unused-import allowances from production and fuzz
ECStore compatibility boundary modules, keep target-specific test harness
exceptions explicit, gate test-only RustFS storage compatibility re-exports
with
cfg(test), and add a migration rule preventing production compatibility boundaries from hiding unused ECStore re-exports. - Acceptance: production and fuzz
storage_compat.rsmodules compile without unused-import allows, test-only compatibility exceptions remain scoped to harnesses with target-specific compile needs, and migration rules reject reintroducing broad unused-import allowances in production compatibility boundaries. - Must preserve: all ECStore-owned concrete types and runtime behavior, startup/storage/admin/app/Swift/scanner/heal/IAM/notify/obs/S3 Select import paths, test harness behavior, and fuzz target behavior.
- Risk defense: this slice changes only compatibility boundary re-export hygiene and migration guard coverage; it does not move definitions, alter runtime control flow, mutate metadata formats, or change storage behavior.
- Verification: focused compile checks, fuzz manifest compile, migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review passed.
- Current branch:
-
API-036Move delete-object DTO contracts.- Current branch:
overtrue/arch-delete-object-contracts. - Current slice: move
ObjectToDeleteandDeletedObjectfrom ECStorestore_apiintorustfs-storage-api, keep old ECStore paths as type aliases for compatibility, migrate RustFS/scanner aliases to the storage-api contracts, and guard against reintroducing ECStore-owned delete DTO definitions. - Acceptance: storage-api exports delete-object DTO contracts, ECStore keeps compatibility type aliases without owning the definitions, external RustFS/scanner aliases consume storage-api directly, and migration rules reject restoring ECStore definitions or public re-exports.
- Must preserve: delete-object field names and types, replication-state helper semantics, ECStore object/delete operation associated types, scanner delete selection behavior, RustFS object delete behavior, and old ECStore import compatibility.
- Risk defense: this is a pure DTO ownership move; it does not change deletion control flow, replication decisions, lifecycle expiry behavior, or object metadata persistence.
- Verification: focused compile checks, storage-api tests, migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review passed.
- Current branch:
-
API-037Clean delete-object DTO consumers.- Current branch:
overtrue/arch-delete-object-contracts. - Current slice: migrate ECStore internal delete-object DTO consumers from
old
crate::store_apiimports torustfs-storage-apicontracts while keeping public ECStore type aliases for downstream compatibility. - Acceptance: ECStore object, set, lifecycle, and replication internals use storage-api delete DTO contracts directly; public old-path type aliases remain available; migration rules reject reintroducing ECStore internal old-path delete DTO consumers.
- Must preserve: object delete result shape, batch delete error alignment, lifecycle replication scheduling, MRF delete replay, replication retry decisions, and old ECStore public import compatibility.
- Risk defense: this is a consumer import cleanup over identical type definitions; it does not change delete control flow, replication decisions, lifecycle expiry behavior, or object metadata persistence.
- Verification: focused ECStore/RustFS/scanner compile checks, migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review passed.
- Current branch:
-
API-038Narrow remainingstore_apicompatibility re-export surfaces.- Current branch:
overtrue/arch-delete-object-contracts. - Current slice: replace whole-module
rustfs_ecstore::store_apicompatibility re-exports in RustFS storage, scanner, heal, Swift, S3 Select, IAM, and notify boundaries with explicit contract type re-exports, and add a migration rule rejecting broadstore_apicompatibility re-exports. - Acceptance: storage compatibility boundaries expose only the concrete
store_apicontracts their consumers use; downstream local aliases keep the same names; migration rules reject reintroducing broadstore_apipassthroughs in production compatibility boundaries. - Must preserve: object info/options reader aliases, storage/list/multipart operation trait bindings, scanner/heal/Swift/S3 Select/IAM/notify behavior, and all ECStore-owned concrete type ownership.
- Risk defense: this is compatibility import surface cleanup only; it does not move definitions, alter storage/runtime control flow, change object metadata conversion, or mutate reader behavior.
- Verification: focused multi-crate compile, migration guard, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review passed.
- Current branch:
-
API-039Collapse nestedstore_apicompatibility modules.- Current branch:
overtrue/arch-compat-boundary-prune. - Current slice: replace nested
store_apicompatibility modules in RustFS storage, scanner, heal, Swift, S3 Select, IAM, and notify boundaries with direct local type aliases, and add a migration rule rejecting nestedstore_apimodules in storage compatibility files. - Acceptance: storage compatibility boundaries no longer recreate
store_apimodule shapes; downstream aliases keep the same concrete contract types; migration rules reject restoring nestedstore_apicompatibility modules outside ECStore and test-only boundaries. - Must preserve: object info/options reader aliases, scanner/heal/Swift/S3 Select/IAM/notify compile-time contracts, storage API compatibility names, and ECStore-owned concrete type ownership.
- Risk defense: this is a local alias-shape cleanup only; it does not move definitions, alter storage/runtime control flow, change object metadata conversion, or mutate reader behavior.
- Verification: focused multi-crate compile, migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review passed.
- Current branch:
-
API-040Lock remainingstore_apicompatibility aliases.- Current branch:
overtrue/arch-compat-boundary-prune. - Current slice: add a migration rule that allows the remaining
rustfs_ecstore::store_api::*references in production storage compatibility files only when they are explicit local type aliases to the four ECStore-owned contracts still intentionally kept in ECStore. - Acceptance: production compatibility boundaries can keep only explicit
aliases to
GetObjectReader,ObjectInfo,ObjectOptions, andPutObjReader; any broader import, module recreation, or new rawstore_apicompatibility dependency fails the architecture guard. - Must preserve: existing local alias names and concrete ECStore-owned reader, object info, and object option contract ownership.
- Risk defense: this is a guardrail-only slice; it does not change runtime code, storage behavior, object metadata shape, or reader behavior.
- Verification: migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review passed.
- Current branch:
-
API-041Lock ECStore compatibility passthrough allowlists.- Current branch:
overtrue/arch-compat-passthrough-guards. - Current slice: add a migration rule that snapshots every
rustfs_ecstoremodule/function passthrough exposed from localstorage_compat.rsboundaries across RustFS, scanner, heal, Swift, S3 Select, IAM, notify, observability, e2e, and fuzz harnesses. - Acceptance: compatibility boundaries cannot silently add or remove ECStore passthrough items; future cleanup PRs must update the explicit allowlist when they intentionally shrink or reshape a boundary.
- Must preserve: all existing local compatibility paths, ECStore concrete type ownership, storage behavior, startup behavior, scanner/heal behavior, Swift/S3 Select/IAM/notify behavior, observability reads, and test/fuzz harness behavior.
- Risk defense: this is a loss-prevention guard only; it does not change runtime code, storage APIs, object metadata shape, reader behavior, or worker lifecycle.
- Verification: migration guard, formatting check, diff hygiene, risk scan, focused script check, and full pre-commit required before push.
- Current branch:
-
API-042Split notify event object contract from ECStore ObjectInfo.- Current branch:
overtrue/arch-compat-passthrough-contracts. - Current slice: give
rustfs-notifyits own lightweightNotifyObjectInfoevent DTO, keep ECStore-to-notify conversion private to the notify compatibility boundary, and update RustFS event handoff sites to use the conversion explicitly. - Acceptance: notify no longer publicly re-exports ECStore
ObjectInfoas its event object type; existing RustFS event generation, restore-completed event data, version IDs, object metadata filtering, and ECStore bridge behavior are preserved. - Must preserve: S3 event JSON shape, remove-event metadata suppression, restore-completed glacier data formatting, object key URL encoding, request/response headers, replication request filtering, and existing EventArgsBuilder call sites.
- Risk defense: this is a consumer contract split only; ECStore remains the producer of storage metadata, while notify owns the event-facing DTO.
- Verification: focused notify/RustFS compile, migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review passed.
- Current branch:
-
API-043Remove notify ECStore config passthroughs.- Current branch:
overtrue/arch-compat-passthrough-contracts. - Current slice: replace notify's public compatibility passthroughs for ECStore config/global modules with a crate-local config update boundary, then shrink the passthrough guard snapshot.
- Acceptance: notify config mutation code no longer reaches through ECStore config/global modules directly; the storage compatibility boundary owns ECStore handle resolution, read, save, and error classification.
- Must preserve: target config read-modify-save behavior, unchanged-config no-op handling, storage-not-initialized error wording, read/save error mapping, target reload ordering, and runtime lifecycle logging.
- Risk defense: this keeps persistence semantics unchanged while reducing the compatibility surface visible to notify business logic.
- Verification: focused notify/RustFS compile, migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review required before push.
- Current branch:
-
API-044Remove S3 Select ECStore module passthroughs.- Current branch:
overtrue/arch-compat-passthrough-contracts. - Current slice: replace S3 Select's public compatibility passthroughs for ECStore error, store, set-disk, and resolver modules with crate-local aliases/functions, then shrink the passthrough guard snapshot.
- Acceptance: S3 Select object-store code no longer reaches through ECStore modules directly; storage errors, store handle resolution, ECStore store type ownership, and default read-buffer sizing remain behind the local storage compatibility boundary.
- Must preserve: S3 Select object-store initialization, not-found error mapping, scan-range defaults, stream buffer sizing, JSON document handling, CSV conversion streams, and ECStore object reader/info calls.
- Risk defense: this changes import ownership only; S3 Select still uses the same ECStore runtime APIs through narrower local compatibility names.
- Verification: focused S3 Select/notify/RustFS compile, migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review required before push.
- Current branch:
-
API-045Remove observability ECStore module passthroughs.- Current branch:
overtrue/arch-compat-passthrough-contracts. - Current slice: replace OBS metrics passthroughs for ECStore bucket, data-usage, global, pools, and object-store resolver modules with crate-local storage compatibility functions and snapshots, then shrink the passthrough guard snapshot.
- Acceptance: OBS metrics collection no longer reaches through ECStore modules directly; object-store resolution, data-usage loading, capacity calculation, quota reads, replication state, bucket bandwidth monitor access, and ILM runtime counters remain behind the OBS compatibility boundary.
- Must preserve: cluster/health metrics, bucket usage metrics, replication and bandwidth metrics, scheduler tombstone behavior, disk/drive metrics, erasure-set metrics, ILM metrics, existing warning paths, and no-data fallback behavior.
- Risk defense: this changes compatibility ownership only; OBS still reads the same ECStore runtime state through narrower local compatibility names.
- Verification: focused OBS/notify/S3 Select/RustFS compile, migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review required before push.
- Current branch:
-
API-046Remove IAM and Swift ECStore module passthroughs.- Current branch:
overtrue/arch-compat-iam-swift-boundaries. - Current slice: replace IAM's ECStore config/error/global/notification/store module passthroughs and Swift's ECStore bucket/error/store resolver passthroughs with local compatibility aliases and wrapper functions, then shrink the passthrough guard snapshot.
- Acceptance: IAM store, IAM notification fanout, IAM error conversion, IAM first-node checks, and Swift bucket metadata/object-store access no longer reach through ECStore modules directly from consumer code.
- Must preserve: IAM config prefix layout, IAM config read/write/delete semantics, lazy rewrite precondition behavior, config-not-found mapping, peer notification fanout error logging, first-node initial load behavior, Swift object-store resolution, and Swift bucket metadata get/set behavior.
- Risk defense: this is an import ownership and compatibility-boundary cleanup only; ECStore remains the owner of concrete storage/runtime state while IAM and Swift expose narrower local names to their consumers.
- Verification: focused IAM/Swift compile, IAM unit tests, migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review required before push.
- Current branch:
-
API-047Remove heal and scanner production ECStore module passthroughs.- Current branch:
overtrue/arch-heal-scanner-compat-boundaries. - Current slice: replace heal and scanner production compatibility passthrough modules with explicit local aliases and wrapper functions, while leaving test-only ECStore compatibility harnesses for later cleanup.
- Acceptance: heal and scanner production code no longer exposes broad
ECStore module passthroughs for bucket/config/data-usage/disk/error/global,
pools, set-disk, store, or store-utils through
storage_compat.rs. - Must preserve: heal disk/resume/task behavior, scanner config persistence, scanner lifecycle/replication actions, bucket cache scanning, object-store resolution, erasure-mode checks, storage-class accounting, and data-usage memory updates.
- Risk defense: this narrows import ownership only; ECStore remains the owner of concrete storage/runtime state and scanner/heal keep the same local compatibility names for existing call sites.
- Verification: focused heal/scanner compile, migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review required before push.
- Current branch:
-
API-048Remove RustFS runtime ECStore module passthroughs.- Current branch:
overtrue/arch-rustfs-runtime-compat-boundaries. - Current slice: replace the RustFS app, admin, storage, and root runtime compatibility passthrough modules with explicit local aliases and nested compatibility exports, while preserving existing consumer paths.
- Acceptance: RustFS runtime compatibility files no longer expose broad ECStore top-level module passthroughs for app/admin/storage/root runtime consumers, and the passthrough guard snapshot keeps only test/fuzz harness allowances.
- Must preserve: startup config/bootstrap behavior, server readiness checks, admin replication/rebalance/tier/config handlers, app object/bucket/ multipart usecases, storage RPC/SSE/access paths, table catalog storage access, and existing test-only harness imports.
- Risk defense: this is an import ownership and compatibility-boundary cleanup only; ECStore remains the owner of concrete storage/runtime state while RustFS runtime modules retain stable local compatibility paths.
- Verification: focused RustFS test compile, migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review passed before push.
- Current branch:
-
API-049Remove test and fuzz ECStore module passthroughs.- Current branch:
overtrue/arch-test-fuzz-compat-boundaries. - Current slice: replace the remaining e2e, heal-test, scanner-test, and fuzz-target ECStore module passthroughs with explicit local compatibility aliases, split fuzz storage compatibility by target, and empty the passthrough guard snapshot.
- Acceptance: no
storage_compat.rsfile may expose broadrustfs_ecstoremodule passthroughs; the migration guard now rejects any new passthrough unless a later slice deliberately adds a reviewed allowlist entry. - Must preserve: e2e bucket target and RPC helper imports, heal test disk and store setup imports, scanner test lifecycle/tier/disk/storage imports, fuzz bucket validation behavior, and fuzz path containment behavior.
- Risk defense: this is test-harness and fuzz-harness import ownership cleanup only; ECStore remains the owner of the same concrete APIs and no production runtime path is changed.
- Verification: focused test/fuzz compiles, migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review passed before push.
- Current branch:
-
API-050Move lifecycle helper DTO contracts.- Current branch:
overtrue/arch-storage-api-lifecycle-contracts. - Current slice: move
ExpirationOptionsandTransitionedObjectinto rustfs-storage-api, update ECStore internal consumers plus notify test coverage to import them directly, and keep ECStore old-path re-exports for downstream compatibility callers. - Acceptance: rustfs-storage-api exports both lifecycle helper DTOs, ECStore no longer owns their concrete struct definitions, ECStore internal consumers and notify coverage use the storage-api contracts directly, old ECStore lifecycle paths remain available as re-exports, and migration rules reject restoring the ECStore definitions or old internal imports.
- Must preserve: lifecycle expiration flags, transitioned object journal metadata, object info construction, notify event conversion, and all old ECStore import paths used by existing callers.
- Risk defense: this is a pure DTO move; no lifecycle scheduling, object I/O, transition journal, replication, or reader behavior is changed.
- Verification: storage-api lifecycle helper unit test, ECStore transitioned lifecycle tests, notify event conversion test, focused compile checks, migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review passed before push.
- Current branch:
-
API-051Flatten test harness storage compatibility aliases.- Current branch:
overtrue/arch-test-harness-compat-aliases. - Current slice: flatten e2e, heal, scanner, and fuzz storage compatibility
harnesses from nested
storage_compat::ecstoremodules into direct crate-local aliases, constants, and function imports. - Acceptance: no e2e, heal-test, scanner-test, or fuzz-target harness file
may expose or consume nested
storage_compat::ecstorepaths, and migration rules reject reintroducing nested test/fuzz ECStore compatibility modules. - Must preserve: e2e bucket target/RPC/disk helper imports, heal ECStore disk and endpoint setup, scanner lifecycle/tier/disk/storage setup, fuzz bucket validation behavior, and fuzz path-containment validation behavior.
- Risk defense: this is test-harness and fuzz-harness import cleanup only; no production runtime behavior, ECStore ownership, storage metadata format, or scanner/heal lifecycle logic is changed.
- Verification: focused e2e/heal/scanner test compile, harness tests, migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review passed before push.
- Current branch:
-
API-052Flatten RustFS runtime storage compatibility aliases.- Current branch:
overtrue/arch-rustfs-storage-compat-aliases. - Current slice: flatten RustFS root, app, admin, and storage runtime
compatibility facades from nested
storage_compat::ecstoremodules into direct crate-local aliases, constants, and function imports. - Acceptance: no RustFS runtime source file may expose or consume nested
storage_compat::ecstorepaths, and migration rules reject reintroducing nested RustFS runtime ECStore compatibility modules. - Must preserve: startup/config/bootstrap behavior, server readiness checks, admin replication/rebalance/tier/config handlers, app object/bucket/ multipart usecases, storage RPC/SSE/access paths, table catalog storage access, and existing local compatibility ownership.
- Risk defense: this is RustFS runtime import cleanup only; no production runtime behavior, ECStore ownership, storage metadata format, object I/O, admin authorization, or readiness semantics are changed.
- Verification: focused RustFS compile, migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review passed before push.
- Current branch:
-
API-053Flatten RustFS runtime scalar storage compatibility aliases.- Current branch:
overtrue/arch-runtime-compat-surface-prune. - Current slice: flatten RustFS root, app, admin, and storage runtime scalar compatibility facades such as store, error, global, endpoints, RPC, metrics, notification, set-disk, and data-usage paths into direct crate-local aliases and functions.
- Acceptance: RustFS runtime source no longer consumes those scalar compatibility surfaces through secondary modules, while higher-coupling bucket/config/rio compatibility modules remain unchanged; migration rules reject restoring the flattened scalar paths.
- Must preserve: startup config/bootstrap behavior, server readiness checks, admin replication/rebalance/tier/config handlers, app object/bucket/ multipart usecases, storage RPC/SSE/access paths, table catalog storage access, and existing ECStore concrete type ownership.
- Risk defense: this is import ownership and facade-shape cleanup only; no production runtime behavior, ECStore ownership, storage metadata format, object I/O, admin authorization, or readiness semantics are changed.
- Verification: focused RustFS compile, migration and layer guards, formatting check, diff hygiene, risk scan, full pre-commit, and required three-expert review passed before push.
- Current branch:
-
API-054Flatten RustFS runtime secondary storage compatibility aliases.- Current branch:
overtrue/arch-runtime-secondary-compat-flatten. - Current slice: flatten RustFS root, app, admin, and storage runtime secondary compatibility modules such as bucket, config, rio, client, tier, compress, disk, and rebalance into direct crate-local aliases, modules, and functions.
- Acceptance: RustFS runtime source no longer consumes those compatibility surfaces through broad secondary modules, the runtime compatibility files no longer define those wrapper modules, and migration rules reject restoring the flattened secondary paths.
- Must preserve: startup config/bootstrap behavior, server module-switch config reads, embedded startup storage initialization, admin bucket/meta/ tier/rebalance/config handlers, app object/bucket/multipart usecases, storage RPC/SSE/access paths, table catalog storage access, and ECStore concrete type ownership.
- Risk defense: this is import ownership and facade-shape cleanup only; no production runtime behavior, ECStore ownership, storage metadata format, object I/O, admin authorization, tier behavior, or readiness semantics are changed.
- Verification: focused RustFS compile, migration and layer guards, formatting check, diff hygiene, risk scan, and required three-expert review passed before push.
- Current branch:
Phase 8 Background Controller Tasks
BGC-001Inventory background services.- Acceptance:
background-services-inventory.mdrecords scanner, heal, lifecycle, replication, config reload, metrics, shutdown, cancellation, and side-effect surfaces before controller work. - Must preserve: no code behavior change and no new controller contract in this PR.
- Verification: docs-only architecture checks and diff hygiene.
- Acceptance:
BGC-002Define minimal controller contract.- Acceptance:
background-controller-contract.mddefines desired/current/status/reconcile vocabulary, status state semantics, service boundaries, and side-effect rules without starting workers or changing scheduling. - Must preserve: no Rust trait, scheduler, service registry, worker start/stop path, storage write, readiness change, peer signal, or runtime behavior change.
- Verification: docs-only architecture checks and diff hygiene.
- Acceptance:
BGC-003Add read-only status snapshot.- Acceptance: memory observability exposes a typed status snapshot that reports service state, metrics enablement, configured interval, cancellation source, and shutdown handle shape.
- Must preserve: no controller framework, admin route, worker lifecycle change, storage write, readiness change, peer signal, or metrics emission behavior change.
- Verification: focused memory observability tests, compile checks, migration guards, formatting, and pre-commit quality gate.
BGC-004Pilot one controller.- Acceptance: memory observability exposes a typed controller snapshot and reconcile plan that compare desired state with current status.
- Must preserve: no admin route, scheduler, service registry, worker lifecycle mutation, storage write, readiness signal, peer signal, or metrics emission behavior change.
- Verification: focused controller tests prove repeated reconcile is idempotent, cancellation state is preserved, and worker mutation remains none.
TEST-BGC-001Add controller harness coverage.- Acceptance: controller tests cover cancellation state, repeated reconcile, paused-time stability, and no worker mutation for the low-risk controller surfaces.
- Must preserve: no worker spawn, start, stop, resize, wakeup, storage write, readiness signal, peer signal, or metrics emission behavior change.
- Verification: focused memory observability and allocator reclaim controller tests.
BGC-005Add allocator reclaim controller/status surface.- Acceptance: allocator reclaim exposes typed desired/status/controller snapshots and a typed reconcile plan that reports backend, effective force, idle interval, runtime cancellation, shutdown handle shape, and no-op worker mutation.
- Must preserve: existing allocator reclaim enablement, backend-specific force handling, idle-streak logic, metrics emission, runtime-token cancellation, and startup call shape.
- Verification: focused allocator reclaim tests, compile checks, formatting, migration guards, Rust risk scan, and pre-commit quality gate.
BGC-006Add metrics runtime controller/status surface.- Acceptance: metrics runtime exposes typed desired/status/controller snapshots and a typed reconcile plan that reports observability enablement, collector task count, configured intervals, runtime cancellation, shutdown handle shape, and no-op worker mutation.
- Must preserve: existing metrics collector grouping, interval parsing, replication bandwidth tombstone cycles, metrics emission, runtime-token cancellation, and startup call shape.
- Verification: focused metrics runtime tests, compile checks, formatting, migration guards, Rust risk scan, and pre-commit quality gate.
TEST-BGC-002Preserve config reload and shutdown assumptions.- Acceptance: dynamic server-config reload reports no worker mutation for scanner/heal runtime config, bucket lifecycle/replication config files are not dynamic server-config reload targets, and background shutdown keeps scanner before AHM while preserving the scanner-implies-AHM dependency.
- Must preserve: no scanner, heal, lifecycle, replication, audit, storage class, peer-signal, readiness, or worker lifecycle behavior change.
- Verification: focused config reload and shutdown tests, compile checks, formatting, diff hygiene, and Rust risk scan.
Phase 9 Startup Bootstrap Tasks
-
R-009Centralize startup IAM readiness publication bootstrap.- Do: move the ReadyInline/Deferred readiness publication decision behind
startup_iam::publish_ready_for_iam_bootstrapand use it from binary and embedded startup. - Acceptance: inline IAM bootstrap still waits for runtime readiness and updates service state, deferred IAM bootstrap does not publish readiness from main or embedded startup, and embedded runtime readiness failures still trigger embedded shutdown error mapping.
- Must preserve: startup ordering, IAM degraded recovery ownership,
IamReady/FullReadypublication semantics, and embedded shutdown behavior. - Verification: focused startup IAM tests, binary/lib compile checks, formatting, migration guards, Rust risk scan, and pre-commit quality gate.
- Do: move the ReadyInline/Deferred readiness publication decision behind
-
R-010Centralize startup optional service bootstrap.- Do: move event notifier, audit startup, and notification system startup
behind
startup_serviceshelpers with caller-owned logging/error policy. - Acceptance: binary still initializes the event notifier before audit, logs audit start/failure through the same startup target, and treats notification init failure as fatal; embedded still treats audit and notification failures as non-fatal warnings.
- Must preserve: startup order, audit non-fatal behavior, notification fatal boundary in binary, embedded warn-and-continue behavior, and event notifier initialization.
- Verification: focused startup service tests, binary/lib compile checks, formatting, migration guards, Rust risk scan, and pre-commit quality gate.
- Do: move event notifier, audit startup, and notification system startup
behind
-
R-011Centralize startup protocol sidecar bootstrap.- Do: move FTP, FTPS, WebDAV, and SFTP startup orchestration behind
startup_protocols::init_protocol_shutdown_senders. - Acceptance: feature-gated protocols still return
Nonewhen not compiled or enabled, started/disabled/failure logging preserves protocol and state fields, and startup failures still abort binary startup with the sameError::othermapping. - Must preserve: protocol feature gates, env-driven enable/disable behavior, startup log event/state/protocol values, shutdown handle ownership, and existing shutdown ordering.
- Verification: focused startup protocol tests, binary/lib compile checks, formatting, migration guards, Rust risk scan, and pre-commit quality gate.
- Do: move FTP, FTPS, WebDAV, and SFTP startup orchestration behind
-
R-012Centralize startup runtime foundation bootstrap.- Do: move dial9 runtime status logging, runtime license status logging,
startup logo logging, profiling setup, trusted-proxy setup, rustls provider
setup, and outbound TLS material publication behind
startup_runtime::init_startup_runtime_foundation. - Acceptance: BOOT-006 order is unchanged, configured TLS material load
remains fatal with the same
Error::other(err.to_string())mapping, TLS generation remains saturating, TLS metrics still initialize only when metrics are enabled and TLS is configured, and profiling/proxy/provider setup remains non-fatal. - Must preserve: dial9/license log event names and fields, startup logo logging, profiling init timing, trusted-proxy init timing, crypto provider already-installed handling, outbound TLS publication, generation metric consumer, TLS metric init condition, and fatal boundaries.
- Verification: focused startup runtime tests, binary/lib compile checks, formatting, migration guards, Rust risk scan, branch freshness check, and pre-commit quality gate.
- Do: move dial9 runtime status logging, runtime license status logging,
startup logo logging, profiling setup, trusted-proxy setup, rustls provider
setup, and outbound TLS material publication behind
-
R-013Centralize startup server preflight bootstrap.- Do: move external-prefix compatibility reporting, config snapshot
initialization, runtime license initialization, observability guard
initialization/storage, and startup runtime foundation bootstrap behind
startup_preflight::init_startup_server_preflight. - Acceptance: env compatibility is applied before command parsing and reported after observability starts, config snapshot and license init happen before runtime foundation, observability init failure still emits the dedicated fatal stderr and sentinel, guard storage failure still returns the original error, and runtime foundation ordering/fatal boundaries stay unchanged.
- Must preserve: env compat conflict/applied events, observability guard set/failure events, startup order, fatal stderr suppression sentinel, and existing command/subcommand behavior.
- Verification: focused startup preflight tests, binary/lib compile checks, formatting, migration guards, Rust risk scan, branch freshness check, and pre-commit quality gate.
- Do: move external-prefix compatibility reporting, config snapshot
initialization, runtime license initialization, observability guard
initialization/storage, and startup runtime foundation bootstrap behind
-
R-014Centralize startup listen and HTTP server bootstrap.- Do: move server config logging, readiness creation, region/address setup,
default credential warning, global action credentials, global port/address
publication, capacity management, service state manager setup, and
S3/console HTTP server startup behind
startup_serverhelpers. - Acceptance: endpoint/storage initialization still happens after listen context setup and before HTTP server startup; S3 still disables console mode; console server still starts only when enabled with a non-empty console address; global action credential and address error mappings remain unchanged.
- Must preserve: sanitized config/start/default credential/action credential
log events, region validation, server address/port derivation, global
port/address publication, capacity init timing, service
Startingupdate, S3/console server config shape, and shutdown handle ownership. - Verification: focused startup server tests, binary/lib compile checks, formatting, migration guards, Rust risk scan, branch freshness check, and pre-commit quality gate.
- Do: move server config logging, readiness creation, region/address setup,
default credential warning, global action credentials, global port/address
publication, capacity management, service state manager setup, and
S3/console HTTP server startup behind
-
R-015Centralize startup storage foundation bootstrap.- Do: move endpoint parsing, unsupported filesystem policy enforcement, global
endpoint publication, erasure type update, local disk initialization, local
disk ID map prewarm, lock client initialization, and storage pool logging
behind a
startup_storagehelper. - Acceptance: storage foundation still runs after listen context setup and
before HTTP server startup; endpoint parse errors and local disk init errors
keep the same logging and
Error::othermappings; global endpoints and erasure type are published before local disk and lock client setup. - Must preserve: endpoint parse start/failure events, unsupported filesystem policy enforcement, global endpoint clone shape, erasure type update timing, local disk init/prewarm order, lock client setup, storage pool formatting/host-risk/debug logs, and endpoint pool ownership for later ECStore startup.
- Verification: focused startup storage tests, binary/lib compile checks, formatting, migration guards, Rust risk scan, branch freshness check, and pre-commit quality gate.
- Do: move endpoint parsing, unsupported filesystem policy enforcement, global
endpoint publication, erasure type update, local disk initialization, local
disk ID map prewarm, lock client initialization, and storage pool logging
behind a
-
R-016Centralize startup storage runtime bootstrap.- Do: move runtime cancellation token creation, ECStore initialization,
ECStore config initialization, server-config migration attempt, global
config retry loop,
StorageReadystage publication, and background replication startup behind thestartup_storageboundary. - Acceptance: storage runtime still starts after HTTP server startup and
before KMS startup; ECStore init failure keeps the same structured error log
and propagated error; global config init still logs every failed attempt,
sleeps between attempts, and becomes fatal after the 16th failed attempt;
StorageReadyis still marked after global config init succeeds and before background replication startup. - Must preserve: cancellation token ownership for later shutdown, endpoint pool clone ownership for ECStore startup, ECStore config init/migration order, retry count/log fields, fatal error string, readiness stage timing, and non-fatal background replication startup behavior.
- Verification: focused startup storage tests, binary/lib compile checks, formatting, migration guards, Rust risk scan, branch freshness check, and pre-commit quality gate.
- Do: move runtime cancellation token creation, ECStore initialization,
ECStore config initialization, server-config migration attempt, global
config retry loop,
-
R-017Centralize startup runtime service bootstrap.- Do: move KMS startup, optional protocol shutdown collection, buffer
profiling, event notifier/audit startup, deadlock detector startup, bucket
metadata migration, replication resync, IAM bootstrap, Keystone/OIDC auth
integration startup, notification runtime setup, AHM/heal setup, server info,
update check, allocator reclaim, metrics runtime, memory observability, and
auto-tuner startup behind the
startup_servicesboundary. - Acceptance: startup service initialization still runs after storage runtime
initialization and before the server-ready log;
main.rskeeps ownership of shutdown handling, server-ready publication, global init time, and scanner start;startup_servicesreturns protocol shutdown handles, IAM bootstrap disposition, and scanner enablement. - Must preserve: KMS fatal behavior, protocol fatal/disabled behavior, audit non-fatal behavior, deadlock detector logging, bucket list and replication resync fatal behavior, bucket/IAM metadata migration non-fatal behavior, IAM deferred recovery semantics, Keystone parse fatal and runtime non-fatal behavior, OIDC non-fatal behavior, notification init fatal behavior, scanner-implies-heal behavior, metric-enabled guard, and shutdown token ownership.
- Verification: focused startup services tests, binary/lib compile checks, formatting, migration guards, Rust risk scan, branch freshness check, and pre-commit quality gate.
- Do: move KMS startup, optional protocol shutdown collection, buffer
profiling, event notifier/audit startup, deadlock detector startup, bucket
metadata migration, replication resync, IAM bootstrap, Keystone/OIDC auth
integration startup, notification runtime setup, AHM/heal setup, server info,
update check, allocator reclaim, metrics runtime, memory observability, and
auto-tuner startup behind the
-
R-018Centralize startup ready, scanner, and shutdown lifecycle.- Do: move server-ready logging, IAM readiness publication, global init time,
scanner start, shutdown signal wait, background shutdown ordering, protocol
shutdown, notifier/audit/profiling shutdown, HTTP shutdown, and final stopped
state logging behind the
startup_servicesboundary. - Acceptance:
main.rsstill initializes listen/storage/runtime services in the same order, then delegates lifecycle completion;startup_servicesowns the shutdown handles, runtime token, readiness handle, store, and service runtime needed for ready/scanner/shutdown orchestration. - Must preserve: server-ready log fields, inline/deferred IAM readiness behavior, global init time timing, scanner start timing, shutdown signal log, runtime token cancellation before service-specific shutdown, scanner before AHM shutdown order, protocol shutdown order, notifier/audit/profiling shutdown order, HTTP shutdown order, stopped service state, and final stopped logs.
- Verification: focused startup services tests, binary/lib compile checks, formatting, migration guards, Rust risk scan, branch freshness check, and pre-commit quality gate.
- Do: move server-ready logging, IAM readiness publication, global init time,
scanner start, shutdown signal wait, background shutdown ordering, protocol
shutdown, notifier/audit/profiling shutdown, HTTP shutdown, and final stopped
state logging behind the
-
R-019Centralize startup command and bootstrap entrypoint.- Do: move Tokio runtime result handling, command parsing/dispatch, server
preflight error mapping, startup run orchestration, and pre-observability
fatal stderr formatting behind
startup_entrypoint::run_process. - Acceptance:
main.rsonly owns the global allocator declarations and calls the startup entrypoint;startup_entrypointpreserves the existing command, preflight, listen, storage, runtime-service, ready, and shutdown order. - Must preserve: Tokio runtime build fatal
expect, command parse fatal stderr context and exit code, info/TLS subcommand behavior, observability fatal sentinel suppression, server runtime failure log fields, startup stage ordering, readiness publication, and shutdown ownership. - Verification: focused startup entrypoint and observability guardrail tests, binary/lib compile checks, formatting, migration guards, Rust risk scan, branch freshness check, and pre-commit quality gate.
- Do: move Tokio runtime result handling, command parsing/dispatch, server
preflight error mapping, startup run orchestration, and pre-observability
fatal stderr formatting behind
-
R-020Isolate profiling lifecycle hooks.- Do: route BOOT-006 profiling initialization and STOP-004 profiling shutdown
through
startup_profilinghook functions while keepingprofiling.rsas the CPU/memory profiling implementation and admin dump API owner. - Acceptance: startup still initializes profiling before trusted proxies and outbound TLS material; shutdown still stops profiling after notifier/audit shutdown and before HTTP shutdown; unsupported targets and disabled profiling keep their existing no-op behavior.
- Must preserve: profiling env flags, CPU/memory mode handling, target gates, cancellation-token ownership, admin pprof routes, non-fatal startup behavior, and shutdown ordering.
- Verification: focused startup profiling hook tests, binary/lib compile checks, formatting, migration guards, Rust risk scan, branch freshness check, and pre-commit quality gate.
- Do: route BOOT-006 profiling initialization and STOP-004 profiling shutdown
through
-
X-012Define ops profiler extension schema contract.- Do: add
ops.profiler.v1capability DTOs for profiler backend status, capability-description mode, profile export redaction requirements, and provenance in the extension schema contract crate. - Acceptance: disabled, unsupported, enabled, and unknown backend states are representable; execution requests are rejected; profile export declarations require local path redaction; provenance records source, collection boundary, and trust level without credentials.
- Must preserve: no plugin execution, no sidecar startup, no profile route or
admin API behavior changes, no exporter/storage/object-path/telemetry
behavior changes, and no dependency edge from
extension-schemato implementation crates. - Verification: extension schema check/tests, formatting, migration/layer guards, diff hygiene, Rust risk scan, branch freshness check, and pre-commit quality gate.
- Do: add
-
X-013Add ops profiler capability snapshot contract.- Do: add
OpsProfilerCapabilitySnapshotandOpsProfilerRuntimeSnapshotDTOs plus validation for theops.profiler.v1capability, disabled external runtimes, and non-fatal profiler startup behavior. - Acceptance: disabled, unsupported, and enabled profiler backend states round-trip through the snapshot contract; sidecar/Wasm profiler runtimes remain disabled by default; profiler snapshots cannot declare a startup fatal boundary.
- Must preserve: no plugin execution, no sidecar startup, no profile route,
no admin API behavior changes, no runtime startup/shutdown behavior
changes, and no dependency edge from
extension-schemato runtime or storage implementation crates. - Verification: extension schema check/tests, formatting, migration/layer guards, diff hygiene, Rust risk scan, branch freshness check, and pre-commit quality gate.
- Do: add
-
R-021Extract optional runtime shutdown boundary.- Do: add
startup_optional_runtimesand move optional protocol shutdown ownership/logging out ofstartup_services. - Acceptance: optional protocol shutdown plan order stays FTP, FTPS, WebDAV, SFTP; stopping logs remain before event notifier/audit/profiling shutdown; signal/wait remains after S3/console HTTP shutdown; later optional sidecars have an explicit owner without startup behavior changes.
- Must preserve: protocol initialization, protocol shutdown signaling and waiting, shutdown order, profiling/audit/event notifier shutdown, HTTP shutdown, readiness state, and fatal boundaries.
- Verification: focused startup optional runtime/service tests, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: add
-
R-022Extract optional runtime startup boundary.- Do: add
init_optional_runtime_servicesso optional protocol startup is owned bystartup_optional_runtimes, whilestartup_protocolsremains the protocol implementation adapter. - Acceptance: optional protocol startup order stays FTP, FTPS, WebDAV, SFTP; KMS initialization still happens before optional protocol startup; buffer profiling, audit, deadlock detection, metadata, IAM, notification, scanner, heal, and observability startup remain after optional protocol startup.
- Must preserve: protocol feature gates, disabled protocol behavior, protocol startup error mapping, fatal boundary on protocol startup errors, startup order, shutdown order, readiness state, and runtime behavior.
- Verification: focused optional runtime/protocol/startup service tests, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: add
-
R-023Extract startup shutdown lifecycle boundary.- Do: add
startup_shutdownand move runtime token cancellation, service state transitions, background shutdown, notifier/audit/profiling shutdown, HTTP shutdown, and optional runtime wait sequencing out ofstartup_services. - Acceptance: shutdown order stays runtime token cancellation,
Stoppingstate, scanner/AHM shutdown, optional runtime shutdown planning, notifier/audit/profiling shutdown, S3 and console HTTP shutdown, optional runtime waits, thenStoppedstate. - Must preserve: service state transitions, readiness state behavior, scanner/heal enable flag handling, notifier/audit/profiling shutdown logs, HTTP shutdown ordering, optional protocol shutdown ordering, and fatal boundaries.
- Verification: focused shutdown/service/optional runtime tests, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: add
-
R-024Extract startup ready lifecycle boundary.- Do: add
startup_lifecycleand move ready publication, global init time, scanner startup, shutdown-signal wait, shutdown delegation, and final stopped-state logging out ofstartup_services. - Acceptance: lifecycle order stays server-ready log, IAM readiness publication, global init time, optional scanner startup, shutdown wait, shutdown sequence delegation, and final stopped log.
- Must preserve: inline/deferred IAM readiness behavior, scanner start timing, global init-time timing, shutdown signal wait semantics, shutdown ordering, service state reporting, and fatal boundary on readiness publication.
- Verification: focused lifecycle/service/shutdown tests, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: add
-
R-025Extract startup service component boundary.- Do: add
startup_service_componentsand move audit/deadlock, bucket metadata, IAM bootstrap, auth integration, notification, background service, and observability component helpers out ofstartup_services. - Acceptance:
startup_serviceskeeps the same runtime service orchestration order while component helpers own the individual service startup side effects. - Must preserve: KMS before optional runtime startup, buffer profiling before audit, event notifier before audit, bucket metadata before IAM, IAM before auth and notification, notification before background services, and observability startup after background service setup.
- Verification: focused startup service component/service/lifecycle tests, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: add
-
R-026Extract optional runtime sidecar boundary.- Do: add
startup_optional_runtime_sidecarsand move optional runtime sidecar ownership, shutdown planning, shutdown execution, and protocol shutdown order tests out ofstartup_optional_runtimes. - Acceptance: optional protocol startup still happens after KMS and before buffer profiling, while shutdown planning still records FTP, FTPS, WebDAV, then SFTP handles before later shutdown signaling.
- Must preserve: feature-gated protocol startup behavior, disabled-protocol
handling, protocol shutdown ordering, HTTP shutdown before optional protocol
shutdown signaling, and the compatibility
startup_optional_runtimesAPI. - Verification: focused optional runtime sidecar/runtime/shutdown tests, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: add
-
R-027Extract startup runtime hook boundary.- Do: add
startup_runtime_hooksand move startup runtime diagnostics, profiling hook dispatch, shutdown profiling dispatch, and default crypto provider installation out ofstartup_runtimeandstartup_profiling. - Acceptance: BOOT-006 keeps diagnostics, profiling init, trusted proxy init, provider install, and outbound TLS material load in the same order, while STOP-004 still stops profiling through the existing compatibility path.
- Must preserve: startup logo and telemetry/license log behavior, profiling hook dispatch behavior, rustls provider install behavior, trusted proxy init order, outbound TLS fatal boundary, and profiling shutdown call path.
- Verification: focused runtime hook/profiling/runtime/shutdown tests, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: add
-
R-028Extract startup TLS material boundary.- Do: add
startup_tls_materialand move outbound TLS material loading, global TLS publication, generation recording, TLS metrics initialization, and existing TLS path/generation tests out ofstartup_runtime. - Acceptance: BOOT-006 keeps diagnostics, profiling init, trusted proxy init, provider install, and outbound TLS material load in the same order.
- Must preserve: configured TLS material fatal behavior, TLS path trimming, saturating TLS generation behavior, outbound TLS global state publication, generation metric recording, and metrics initialization when observability metrics are enabled.
- Verification: focused TLS material/runtime tests, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: add
-
R-029Reuse startup phase boundaries in embedded mode.- Do: move embedded listen setup, endpoint/local disk setup, ECStore/global config setup, storage readiness publication, and replication startup behind startup server/storage helpers.
- Acceptance: embedded startup keeps its stable-port requirement, global startup guard placement, S3-only HTTP startup, readiness publication, and storage initialization order while sharing the same startup phase owners.
- Must preserve: embedded port 0 rejection, credential/region publication, endpoint and unsupported filesystem validation, local disk and lock client initialization, ECStore fatal shutdown behavior, global config retry limit, and embedded-specific non-fatal KMS/audit/notification behavior.
- Verification: focused embedded/startup storage checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-030Reuse runtime service boundaries in embedded mode.- Do: move embedded KMS/buffer/audit setup, bucket metadata migration, IAM bootstrap, notification setup, and event/audit shutdown cleanup behind startup service/shutdown helpers.
- Acceptance: embedded startup keeps KMS/audit/notification failures non-fatal, preserves bucket metadata and IAM initialization order, and keeps shutdown cleanup behavior unchanged.
- Must preserve: KMS warning-only behavior, buffer profile initialization, audit warning-only behavior, bucket listing failure shutdown, bucket metadata migration before IAM migration, IAM bootstrap fatal behavior, notification warning-only behavior, readiness publication, event notifier shutdown, audit stop warning behavior, and temp directory cleanup.
- Verification: focused embedded/service/shutdown checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-031Reuse lifecycle publication boundaries in embedded mode.- Do: move embedded IAM readiness publication, global init-time publication, and ready-state logging behind startup lifecycle helpers.
- Acceptance: embedded startup still publishes readiness after runtime
service setup, preserves the
runtime readinesserror prefix on failure, records global init time after successful readiness publication, and logs the same ready endpoint message after the server handle is built. - Must preserve: deferred IAM bootstrap readiness behavior, ready-inline runtime readiness publication, startup failure shutdown signaling, global init-time publication ordering, and endpoint-address normalization used by the ready log.
- Verification: focused embedded/lifecycle checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-032Publish ops profiler runtime contract boundaries.- Do: add the builtin ops profiler extension schema/contract to the targets catalog, expose it through the admin extension catalog, and add a read-only registry for profiler backend capability descriptions.
- Acceptance: the catalog advertises
builtin:ops-profilerwithops.profiler.v1, backend capability descriptions validate through the extension-schema contract, and registry access is admin/capability limited without executing profiler collection. - Must preserve: existing
/debug/pprof/*admin behavior, profiling startup and shutdown hooks, disabled external profiler runtime defaults, local path redaction requirements, and no plugin execution or sidecar startup. - Verification: focused targets/admin extension checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-033Expose extension runtime capability snapshots.- Do: add read-only diagnostics/profiler runtime capability snapshots to the admin extension catalog response using existing schema and contract DTOs.
- Acceptance:
/v4/extensions/catalogreports builtin diagnostics and profiler capability contracts with their runtime boundaries, disabled defaults, and non-fatal startup flags while preserving schema validation. - Must preserve: existing extension catalog route/auth, plugin instance listing, profiler/diagnostics execution paths, and external plugin flow status semantics.
- Verification: focused admin catalog and targets runtime checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-034Extract embedded runtime hook boundary.- Do: move embedded observability guard setup, default crypto provider installation, and trusted proxy initialization behind startup runtime hooks.
- Acceptance: embedded startup keeps observability initialization before the global startup guard/listen/storage phases while sharing the runtime hook owner used by normal startup.
- Must preserve:
init_obsandset_global_guarderror prefixes, embedded crypto provider already-installed debug fields, trusted proxy init timing, and no added embedded server runtime behavior. - Verification: focused embedded/runtime hook checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-035Extract embedded shutdown glue boundary.- Do: move embedded async shutdown logging, cancellation, event/audit cleanup, HTTP shutdown, and temporary directory cleanup behind startup shutdown helpers.
- Acceptance: embedded server shutdown preserves the same stopping/stopped
logs, cancellation timing, best-effort audit cleanup, HTTP shutdown, and
temp-dir cleanup behavior while leaving
Dropas a synchronous best-effort fallback. - Must preserve: event notifier shutdown before audit stop, audit stop warning-only behavior, HTTP shutdown after background cancellation, temp directory cleanup warning fields, and final stopped log.
- Verification: focused embedded/shutdown checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-036Extract embedded startup config preparation boundary.- Do: move embedded temporary volume allocation, custom volume directory
creation, and embedded
Configconstruction behind startup server helpers. - Acceptance: embedded builder still creates a temporary volume when none is provided, creates missing custom volume directories, disables console for embedded S3 startup, and keeps the temp-dir guard alive until success.
- Must preserve: temp-dir cleanup-on-failure behavior, configured address, access key, secret key, region, volume ordering, directory creation error text, and no new normal startup behavior.
- Verification: focused startup server and embedded checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: move embedded temporary volume allocation, custom volume directory
creation, and embedded
-
R-037Extract embedded S3-only HTTP startup boundary.- Do: move embedded S3-only HTTP server startup behind a startup server helper that returns the bound address and shutdown handle.
- Acceptance: embedded startup keeps console disabled for the HTTP server,
keeps using the same readiness object, and preserves the shutdown handle
and bound address used by
RustFSServer. - Must preserve: S3-only embedded HTTP config, readiness sharing, startup error propagation, shutdown signaling, bound endpoint reporting, and no public embedded API behavior changes.
- Verification: focused startup server and embedded checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-038Extract embedded process-global startup guard boundary.- Do: move the embedded process-global once guard behind a startup lifecycle helper.
- Acceptance: embedded startup still allows retry before irreversible global initialization, treats repeated marks inside the same startup as idempotent, and rejects a second process-local embedded server after the first irreversible mark.
- Must preserve: startup guard timing after runtime hooks and listen context,
AlreadyStartederror mapping, no reset-after-stop behavior, and no normal startup behavior changes. - Verification: focused startup lifecycle and embedded checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-039Extract embedded startup failure shutdown signal boundary.- Do: move the post-HTTP embedded startup failure shutdown signal behind a startup shutdown helper.
- Acceptance: embedded startup still signals the HTTP shutdown handle and cancels the background token before returning initialization errors from storage runtime, service runtime, or readiness publication failures.
- Must preserve: no shutdown signal before HTTP startup exists, signal-then-
cancel ordering,
Initerror mapping, and no public embedded API behavior changes. - Verification: focused startup shutdown and embedded checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-040Extract embedded build orchestration owner.- Do: move the embedded build sequence behind a crate-only startup embedded helper.
- Acceptance: embedded startup still runs config preparation, runtime hooks, listen context, process-global guard, storage foundation, HTTP startup, storage runtime, runtime services, and readiness publication in the same order.
- Must preserve: retry-before-global-init behavior, temp-dir guard lifetime, post-HTTP startup failure shutdown signaling, readiness publication error text, and no public embedded API behavior changes.
- Verification: focused embedded checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-041Keep embedded public API as handle assembly.- Do: keep
embedded.rsfocused on public builder inputs,RustFSServerhandle construction, endpoint reporting, shutdown, and drop cleanup. - Acceptance: builder defaults and fluent setters still feed the same startup fields, server accessors still return the configured credentials and region, endpoint normalization stays in the public handle, and shutdown/drop cleanup remains unchanged.
- Must preserve:
ServerErrorvariants and messages,IoversusIniterror mapping, endpoint URL shape, shutdown handle ownership, cancellation token ownership, and temp-dir cleanup path. - Verification: focused embedded checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: keep
-
R-042Extract embedded endpoint normalization.- Do: move unspecified-address endpoint normalization into a crate-only startup lifecycle helper.
- Acceptance: embedded endpoint reporting still rewrites unspecified IPv4 and IPv6 bind addresses to localhost while preserving concrete bound hosts.
- Must preserve: public endpoint URL shape,
address()returning the bound socket address, ready-log endpoint text, and no public embedded API signature changes. - Verification: focused startup lifecycle and embedded checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-043Extract embedded drop cleanup boundary.- Do: move synchronous embedded server drop cleanup into a crate-only startup shutdown helper.
- Acceptance: dropping a server still cancels the token, signals the shutdown handle, and best-effort removes the temporary directory.
- Must preserve: explicit async shutdown behavior, shutdown handle ownership, temp-dir cleanup behavior, ignored drop cleanup errors, and no public embedded API signature changes.
- Verification: focused startup shutdown and embedded checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-044Keep embedded builder state in startup args.- Do: replace duplicated public builder private fields with crate-only embedded startup arguments while preserving the fluent builder API.
- Acceptance: builder defaults, fluent setters, server credential accessors, region accessors, and startup arguments remain behaviorally unchanged.
- Must preserve: public builder signatures, default address and credentials, volume replacement semantics, region publication, and error mapping.
- Verification: focused embedded/startup-embedded checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-045Move embedded port probing behind startup server.- Do: delegate public embedded available-port probing to a crate-only startup server helper.
- Acceptance:
find_available_portstill returns a bindable localhost TCP port and preserves the same public result type. - Must preserve: public helper signature, localhost bind target, ephemeral port behavior, and no embedded startup side effects.
- Verification: focused startup-server and embedded checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-046Encapsulate embedded startup argument mutation.- Do: hide embedded startup argument fields behind crate-only setter methods used by the public builder.
- Acceptance: public builder fluent methods still apply the same address, credential, region, and volume values in the same order.
- Must preserve: builder method signatures, default values,
volumeappend semantics,volumesreplacement semantics, and startup input ownership. - Verification: focused startup-embedded and embedded checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-047Return embedded server identity from startup result.- Do: let the crate-only startup result carry the access key, secret key, and region used by the public server handle.
- Acceptance: public server accessors still expose the configured values without the public builder duplicating identity assembly.
- Must preserve: startup error mapping, readiness logging order, endpoint address handling, shutdown handle ownership, and no public API signature changes.
- Verification: focused startup-embedded and embedded checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-048Consume embedded builder startup arguments directly.- Do: make public embedded build consume the builder state and pass startup arguments directly into the crate-only startup owner.
- Acceptance: fluent builder behavior, defaults, configured credentials, region, volume ordering, and public build signature remain unchanged.
- Must preserve: startup argument ownership, public builder method chaining, startup error mapping, and no public API signature changes.
- Verification: focused startup-embedded and embedded checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-049Keep embedded ready logging with startup completion.- Do: move embedded ready logging to the startup owner once readiness has been published and before the startup result is returned.
- Acceptance: ready log endpoint text and endpoint normalization remain the same while the public builder only converts the startup result to a handle.
- Must preserve: readiness publication order, endpoint address normalization, shutdown handle ownership, and no public API signature changes.
- Verification: focused startup-embedded and embedded checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-050Keep embedded identity with prepared startup config.- Do: return the embedded access key, secret key, and region alongside the prepared startup config so startup result assembly uses one prepared owner.
- Acceptance: public server identity accessors still return configured credentials and region for default, explicit, and generated-volume builds.
- Must preserve: credential initialization inputs, region initialization, startup config ownership, startup error mapping, and no public API signature changes.
- Verification: focused startup-server/startup-embedded/embedded checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-051Remove residual embedded startup argument clone contract.- Do: drop the
Clonederivation from embedded startup arguments now that the public builder consumes startup state directly. - Acceptance: builder chaining, configured volumes, retry-before-global-init behavior, and startup ownership remain unchanged.
- Must preserve: public builder method chaining, prepared config contents, temporary directory cleanup ownership, and no public API signature changes.
- Verification: focused startup-server/startup-embedded/embedded checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: drop the
-
R-052Make IAM AppContext bootstrap outcome explicit.- Do: replace boolean-or-global probing in IAM startup with a crate-private AppContext bootstrap disposition that reports already-available versus initialized context.
- Acceptance: successful inline IAM bootstrap still initializes or reuses AppContext before publishing IAM readiness, while failure still returns an I/O error.
- Must preserve: IAM initialization order, global AppContext singleton behavior, KMS/IAM handle construction, degraded-mode fallback, and readiness stage updates.
- Verification: focused startup IAM checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-053Reuse explicit AppContext bootstrap in IAM recovery.- Do: route degraded IAM recovery finalization through the same AppContext bootstrap result helper as inline startup.
- Acceptance: recovered IAM still marks
IamReadyand publishes runtime readiness only after AppContext is available. - Must preserve: recovery retry/backoff behavior, shutdown-token handling, readiness publication retry behavior, and log semantics.
- Verification: focused startup IAM checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-054Move startup AppContext bootstrap owner into app context.- Do: move the post-IAM AppContext bootstrap helper out of IAM startup and into the app context owner while keeping IAM startup on the existing context boundary.
- Acceptance: inline startup and deferred IAM recovery still initialize or reuse the global AppContext through one owner.
- Must preserve: global AppContext singleton behavior, IAM handle lookup, KMS handle wiring, startup error mapping, and readiness ordering.
- Verification: focused startup checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-055Retire stale startup IAM layer baseline entries.- Do: remove the old direct
get_global_app_contextandinit_global_app_contextstartup IAM baseline entries after the app context owner absorbs those calls. - Acceptance: layer dependency guard reports no new reverse dependencies and no stale baseline entries.
- Must preserve: the existing accepted startup-to-AppContext boundary, AppContext initialization semantics, and no new layer cycles.
- Verification: focused startup checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: remove the old direct
-
R-056Move startup KMS runtime handle owner into app context.- Do: route startup IAM KMS handle resolution through the app context startup boundary while keeping startup service orchestration on the startup IAM API.
- Acceptance: inline and deferred IAM bootstrap use the same KMS manager reuse-or-init path without adding new startup service to app reverse dependencies.
- Must preserve: KMS global singleton behavior, IAM bootstrap call order, degraded recovery KMS handle reuse, readiness publication, and layer guard boundaries.
- Verification: focused startup KMS checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-057Move startup IAM runtime facade into startup IAM.- Do: move the main and embedded IAM runtime facade helpers out of startup service components and into the startup IAM module.
- Acceptance: startup services still call one IAM-facing API for embedded and main startup, while service components no longer own IAM facade wiring.
- Must preserve: embedded versus main state-manager wiring, shutdown token propagation, IAM bootstrap disposition handling, KMS startup handle resolution, and degraded recovery behavior.
- Verification: focused startup IAM/KMS checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-058Move startup bucket metadata runtime owner.- Do: move embedded and main bucket metadata runtime helpers out of startup service components and into a bucket metadata startup module.
- Acceptance: startup services still receive the same bucket list and bucket metadata, replication resync, bucket metadata system, and IAM config migration order stay unchanged.
- Must preserve: embedded list-bucket error text, main list-bucket error mapping, replication resync placement, metadata migration order, and bucket list cloning semantics.
- Verification: focused startup service checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-059Move startup notification runtime owner.- Do: move embedded and main notification runtime helpers out of startup service components and into a notification startup module.
- Acceptance: startup services still configure bucket notification state before notification system initialization and keep embedded notification failures non-fatal while main startup failures remain fatal.
- Must preserve: notification config ordering, embedded skipped-service log fields, main failure log fields, error mapping, and notification init source error behavior.
- Verification: focused startup notification/service checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-060Move startup auth integration owner.- Do: move Keystone and OIDC startup integration wiring out of startup service components and into an auth startup module.
- Acceptance: startup services still initialize auth integrations after IAM bootstrap and before notification setup, with Keystone failures remaining non-fatal and OIDC failures still logged as warnings.
- Must preserve: Keystone env parsing error mapping, Keystone success/failure log fields, OIDC warning fields, and startup ordering.
- Verification: focused startup checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-061Move startup background service owner.- Do: move scanner/heal background runtime setup out of startup service components and into a background startup module.
- Acceptance: startup services still receive the same scanner-enabled flag, while AHM cancellation-token creation, scanner/heal env parsing, heal manager initialization, and disabled-state logging stay unchanged.
- Must preserve: env alias behavior, heal/scanner default enablement, disabled debug log fields, and heal storage ownership.
- Verification: focused startup checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-062Move startup observability runtime owner.- Do: move server-info, update-check, allocator reclaim, metrics, memory observability, and auto-tuner startup wiring out of startup service components and into an observability startup module.
- Acceptance: observability side effects still run after background services, metrics-gated components keep the same guard, and cancellation-token clone behavior stays unchanged.
- Must preserve: server-info/update-check ordering, allocator reclaim initialization, metrics enablement, memory observability setup, and auto-tuner startup.
- Verification: focused startup checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-063Move startup audit runtime owner.- Do: move audit/event-notifier startup wiring and its ordering tests out of startup service components and into an audit startup module.
- Acceptance: startup services still start audit after buffer profiling, and embedded optional startup still shares the same event-notifier-before-audit helper.
- Must preserve: audit started/failed log fields, event notifier ordering, audit source error propagation, and embedded audit skipped-service behavior.
- Verification: focused startup audit checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-064Move startup deadlock detector owner.- Do: move deadlock detector startup wiring out of startup service components and into a deadlock startup module.
- Acceptance: startup services still initialize the detector after audit and before bucket metadata setup, with enabled/disabled states unchanged.
- Must preserve: detector singleton lookup, enabled start behavior, disabled no-op behavior, and log fields.
- Verification: focused startup checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-065Retire startup service components aggregate.- Do: move embedded optional service startup wiring into an embedded optional startup module and remove the now-empty startup service components module.
- Acceptance: startup services import focused owners directly and embedded optional startup keeps KMS, buffer profile, and audit skipped-service handling unchanged.
- Must preserve: embedded KMS skipped-service log fields, buffer profile placement, audit skipped-service log fields, and no public runtime API changes.
- Verification: focused startup checks, RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-066Narrow internal startup owner module visibility.- Do: make focused startup owner modules crate-private after their public aggregate was retired.
- Acceptance: the binary entrypoint and embedded public API still compile through the intended startup entrypoints, while audit/auth/background/bucket metadata/deadlock/embedded optional/notification/observability owner modules are no longer part of the public library surface.
- Must preserve: all startup call order, log fields, readiness behavior, embedded startup behavior, optional runtime behavior, and public embedded builder API.
- Verification: RustFS lib and bin check, focused startup checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-067Narrow startup orchestration module visibility.- Do: make internal startup orchestration modules crate-private while keeping the binary entrypoint and existing compatibility/test-facing startup paths public.
- Acceptance:
startup_entrypoint,startup_iam,startup_profiling, andstartup_optional_runtimeskeep their public paths, while fs-guard, lifecycle, optional-runtime sidecars, preflight, protocols, runtime, runtime hooks, server, services, shutdown, storage, and TLS material modules are no longer public library modules. - Must preserve: binary startup entrypoint access, embedded public API, startup ordering, readiness behavior, optional runtime compatibility, profiling compatibility, IAM test/debug hooks, and all log fields.
- Verification: RustFS lib and bin check, focused startup checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-068Narrow remaining startup compatibility shim visibility.- Do: make the IAM bootstrap startup shim crate-private, remove the unused optional-runtime and profiling forwarding shims, and keep the binary entrypoint public.
- Acceptance:
startup_entrypointremains public forrustfs/src/main.rs, whilestartup_iam,startup_optional_runtimes, andstartup_profilingno longer appear as public library modules; migration rules reject restoring those public shim paths. - Must preserve: binary startup entrypoint access, IAM readiness bootstrap flow, embedded readiness publication, optional runtime shutdown wiring, profiling shutdown behavior, and test-only IAM retry hook behavior.
- Verification: RustFS lib and bin check, focused startup checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
R-069Narrow startup owner item visibility.- Do: make internal items in crate-private startup modules use crate
visibility, and extend the migration guard so only
startup_entrypointcan remain a public startup module. - Acceptance: startup owner modules expose no bare public items outside the public binary entrypoint module, and migration rules reject restoring public startup modules or public items inside crate-private startup files.
- Must preserve: binary startup entrypoint access, embedded public API, startup ordering, IAM readiness bootstrap, optional runtime shutdown, profiling hooks, TLS material initialization, and all log fields.
- Verification: RustFS lib and bin check, focused startup tests, migration/layer/unsafe guards, formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
- Do: make internal items in crate-private startup modules use crate
visibility, and extend the migration guard so only
-
E-001/E-SET-001Add ECStore layout skeleton and set-layout boundary.- Do: create the ECStore internal layout ownership buckets and pin static set
layout versus runtime
Sets/SetDisksorchestration boundaries before any file moves. - Acceptance: the skeleton documents future ownership buckets, static format set distribution is preserved, and runtime flat disk plus per-set lock-host mapping is described by focused tests.
- Must preserve: format distribution, object-to-set hashing owner, local disk
replacement, lock client mapping, existing public module paths, and runtime
Sets/SetDisksbehavior. - Verification: focused ECStore set layout tests, ECStore/RustFS compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: create the ECStore internal layout ownership buckets and pin static set
layout versus runtime
-
E-002/E-LAYOUT-001Move ECStore format and disk-layout owners.- Do: pure-move persisted format ownership and disk-layout expansion into the ECStore layout bucket while keeping compatibility stubs at the old public paths.
- Acceptance:
crate::disk::format::*andcrate::disks_layout::*remain usable,layout::formatownsFormatV3, andlayout::disks_layoutowns CLI volume expansion. - Must preserve: format JSON wire shape, disk UUID lookup, distribution
algorithm,
RUSTFS_ERASURE_SET_DRIVE_COUNThandling, endpoint expansion, and old public module paths. - Verification: focused ECStore format and disks-layout tests, ECStore/RustFS/Heal compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
E-003/E-LAYOUT-002Move ECStore endpoint layout owners.- Do: pure-move endpoint parsing and endpoint grouping into the ECStore layout bucket while keeping compatibility stubs at the old public paths.
- Acceptance:
crate::disk::endpoint::*andcrate::endpoints::*remain usable,layout::endpointownsEndpoint, andlayout::endpointsownsEndpointServerPoolsand endpoint grouping. - Must preserve: endpoint string parsing, URL/path validation, local-host detection, pool/set/disk indexes, endpoint grouping, disk independence checks, setup type classification, and old public module paths.
- Verification: focused ECStore endpoint tests, ECStore/RustFS/Heal compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
-
E-004/E-LAYOUT-003Move ECStore set-format heal helpers.- Do: move runtime-neutral set-format heal helper logic into the ECStore
layout bucket while keeping disk initialization and
Setsorchestration insets.rs. - Acceptance:
layout::set_healowns drive-info mapping and unformatted format regeneration helpers,Setskeeps the same heal orchestration, and focused tests cover the extracted helper behavior. - Must preserve: disk format heal state mapping, unformatted disk format
regeneration, current disk-info preservation, dry-run behavior, save-format
behavior, and all
Setsruntime control flow. - Verification: focused ECStore set-heal tests, ECStore/RustFS/Heal compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: move runtime-neutral set-format heal helper logic into the ECStore
layout bucket while keeping disk initialization and
-
E-005/E-LAYOUT-004Move ECStore pool-space selection helpers.- Do: move runtime-neutral pool-space selection helper structs into the
ECStore layout bucket while keeping the old
storeexport path available. - Acceptance:
layout::pool_spaceownsPoolAvailableSpaceandServerPoolsAvailableSpace, rebalance pool selection keeps the same tuple storage access inside the crate, and externalstoreimports remain source-compatible through re-export. - Must preserve: pool index ordering, available-space summation, max-used-percent filtering semantics, excluded-pool zeroing, object placement pool selection, and rebalance pool-space behavior.
- Verification: focused ECStore pool-space tests, ECStore/RustFS/Heal compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: move runtime-neutral pool-space selection helper structs into the
ECStore layout bucket while keeping the old
-
E-006/E-REBALANCE-001Move ECStore rebalance support helpers.- Do: move rebalance-only helper DTOs, pool lookup error classification, and
delete/latest-object result reducers into
store::rebalance::supportwhile keeping async store orchestration in the existing modules. - Acceptance: rebalance callers keep the same
PoolObjInfo/PoolErraccess insidestore, delete aggregation and latest-object selection keep the same behavior, and the moved helpers remain private to the rebalance boundary. - Must preserve: latest-object tie-breaks, delete result aggregation, pool lookup not-found/version-not-found classification, rebalance disk-set lookup error context, object delete flows, and existing rebalance control flow.
- Verification: focused ECStore rebalance tests, ECStore/RustFS/Heal compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: move rebalance-only helper DTOs, pool lookup error classification, and
delete/latest-object result reducers into
-
E-007/E-LAYOUT-005Move ECStore pool-space builder helpers.- Do: move
has_space_forand server-pool available-space construction into the ECStore layout pool-space owner while keepingstore::has_space_forsource-compatible through re-export. - Acceptance:
layout::pool_spaceowns capacity checks, pool availability construction, filter helpers, and focused tests; rebalance only gathers runtime disk snapshots and calls the layout owner. - Must preserve: unknown-size handling, erasure fill-fraction math, inode/free-space guard behavior, meta-bucket capacity bypass, pool index ordering, available-space summation, and rebalance pool selection.
- Verification: focused ECStore pool-space and rebalance tests, ECStore/RustFS/Heal compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: move
-
E-008/E-REBALANCE-002Move ECStore rebalance metadata helpers.- Do: move rebalance metadata status, bucket queue, terminal event,
participant, cleanup-warning, metadata merge, and stop-state helpers into
rebalance::metawhile keeping wire structs and ECStore orchestration inrebalance.rs. - Acceptance:
rebalance::metaowns the helper functions,rebalance.rskeeps save/load and object-flow orchestration, and focused rebalance tests keep covering the moved behavior. - Must preserve: metadata wire shape, stopped/completed/failed precedence, bucket queue ordering, cleanup-warning merge semantics, participant resolution, data-usage cache filtering, start/stop validation, and percent-free goal math.
- Verification: focused ECStore rebalance tests, ECStore/RustFS/Heal compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: move rebalance metadata status, bucket queue, terminal event,
participant, cleanup-warning, metadata merge, and stop-state helpers into
-
E-009/E-REBALANCE-003Move ECStore rebalance worker helpers.- Do: move rebalance worker task/result handling, transient retry
classification, retry timing, bucket config loading, source cleanup
decisions, and listing retry wrappers into
rebalance::workerwhile keeping high-level rebalance orchestration inrebalance.rs. - Acceptance:
rebalance::workerowns worker helper functions,rebalance.rskeeps orchestration and wire structs, and focused rebalance tests keep covering the moved behavior. - Must preserve: worker join error context, transient/terminal error classification, retry backoff, missing bucket config handling, delete-marker skip and cleanup decisions, listing retry cancellation behavior, and migration result accounting.
- Verification: focused ECStore rebalance tests, ECStore/RustFS/Heal compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: move rebalance worker task/result handling, transient retry
classification, retry timing, bucket config loading, source cleanup
decisions, and listing retry wrappers into
-
E-010/E-REBALANCE-004Move ECStore rebalance migration helpers.- Do: move migration backend abstraction, migration version result,
delete-marker/remote-tier option builders, and version migration retry flow
into
rebalance::migrationwhile keeping high-level rebalance orchestration inrebalance.rs. - Acceptance:
rebalance::migrationowns migration helper functions and result types,rebalance.rskeeps orchestration and wire structs, and focused rebalance tests keep covering moved behavior. - Must preserve: remote-tier object movement, delete-marker replication state, data-usage cache skip behavior, source read/write retry semantics, transient/non-transient classification, retry backoff, not-found handling, migration stage labels, and cleanup accounting.
- Verification: focused ECStore rebalance tests, ECStore/RustFS/Heal compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: move migration backend abstraction, migration version result,
delete-marker/remote-tier option builders, and version migration retry flow
into
-
E-011/E-REBALANCE-005Move ECStore rebalance state impls.- Do: move
RebalanceStatsupdate helpers,RebalStatusconversions, andRebalanceMetaload/save impls intorebalance::metawhile leaving public wire structs inrebalance.rs. - Acceptance:
rebalance::metaowns metadata/state behavior,rebalance.rskeeps data contracts and ECStore orchestration, and focused rebalance tests keep covering moved behavior. - Must preserve: serialized rebalance metadata header format/version, empty/short/unknown metadata handling, last refresh timestamps, save-skip behavior for empty pool stats, object/version/byte accounting, batch update behavior, status display labels, and legacy status byte mapping.
- Verification: focused ECStore rebalance tests, ECStore/RustFS/Heal compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: move
-
E-012/E-REBALANCE-006Move ECStore rebalance control impls.- Do: move ECStore rebalance metadata save/load/update/init/status/stop
control methods into
rebalance::controlwhile leaving the worker loop and entry migration orchestration inrebalance.rs. - Acceptance:
rebalance::controlowns metadata/control methods,rebalance.rskeeps public data contracts and worker orchestration, and focused rebalance tests keep covering moved behavior. - Must preserve: metadata merge locking, load/save error wrapping, pool stats refresh and extension, init free-space goal, pool stat update behavior, bucket queue done/defer behavior, cleanup warning recording, start/stop status checks, decommission conflict checks, and stop snapshot persistence.
- Verification: focused ECStore rebalance tests, ECStore/RustFS/Heal compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: move ECStore rebalance metadata save/load/update/init/status/stop
control methods into
-
E-013/E-REBALANCE-007Move ECStore rebalance runtime loop.- Do: move
start_rebalance, the pool rebalance worker loop, completion check, and periodic stats save loop intorebalance::runtimewhile leaving entry/object/bucket migration orchestration inrebalance.rs. - Acceptance:
rebalance::runtimeowns start and pool runtime orchestration,rebalance.rskeeps public data contracts and entry/object/bucket migration flow, and focused rebalance tests keep covering moved behavior. - Must preserve: decommission/start validation, duplicate-start skipping, pool-at-goal and empty-queue completion persistence, participant/local endpoint filtering, cancellation handling, deferred-bucket repeated failure guard, bucket done/defer behavior, terminal event application, save-task error precedence, goal completion math, and save option persistence.
- Verification: focused ECStore rebalance tests, ECStore/RustFS/Heal compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: move
-
E-014/E-REBALANCE-008Move ECStore rebalance entry flow.- Do: move the remaining entry, object-transfer, deferred-error, and bucket
entry-scan migration flow into
rebalance::entrywhile leaving public data contracts inrebalance.rs. - Acceptance:
rebalance::entryowns bucket/entry migration flow,rebalance::runtimekeeps pool-level orchestration, and focused rebalance tests keep covering moved behavior. - Must preserve: directory and completed-pool skips, lifecycle-expired filtering, delete-marker skip semantics, data-movement retry flow, deferred transient failure recording, batch stats updates, source cleanup warning recording, entry worker semaphore limits, cancellation handling, listing retry flow, and bucket outcome precedence.
- Verification: focused ECStore rebalance tests, ECStore/RustFS/Heal compile checks, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: move the remaining entry, object-transfer, deferred-error, and bucket
entry-scan migration flow into
-
E-015/E-REBALANCE-009Split ECStore rebalance unit tests.- Do: move the large inline
rebalance_unit_testsmodule out ofrebalance.rsintorebalance/rebalance_unit_tests.rswhile preserving the module name and test filter path. - Acceptance:
rebalance.rsis reduced to public rebalance data contracts plus submodule wiring, rebalance unit tests remain underrebalance::rebalance_unit_tests, and focused rebalance tests keep covering moved behavior. - Must preserve: test coverage, helper visibility, legacy metadata serialization coverage, migration backend spies, panic-context tests, and every existing rebalance unit-test filter path.
- Verification: focused ECStore rebalance tests, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: move the large inline
-
E-016/E-REBALANCE-010Move ECStore rebalance type contracts.- Do: move rebalance stats, status, info, metadata DTOs, and internal
bucket/entry outcomes into
rebalance::typeswhile preserving root re-exports. - Acceptance: public
crate::rebalance::*paths remain stable, internal submodules keepsuper::...access, andrebalance.rsonly wires shared constants, modules, and re-exports. - Must preserve: serde field names/defaults, rebalance metadata wire shape, status/save-option defaults, cancellation/refresh metadata fields, and internal bucket/entry outcome semantics.
- Verification: focused ECStore rebalance tests, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: move rebalance stats, status, info, metadata DTOs, and internal
bucket/entry outcomes into
-
API-129Route RustFS internal ECStore consumers through owner boundary.- Do: expose crate-local ECStore facade module aliases from
rustfs/src/storage/mod.rsand migrate RustFS startup, server, capacity, config, table-catalog, workload admission, and S3 API helper consumers to import those aliases fromcrate::storage. - Acceptance: non-owner RustFS files no longer import
rustfs_ecstore::apidirectly, whileapp,admin, andstorageowner modules remain the only RustFS crate direct ECStore facade import points. - Must preserve: startup sequencing, global endpoint/config side effects, readiness checks, RPC signature verification, notification event dispatch, capacity refresh behavior, table-catalog constants, workload admission snapshots, and S3 ETag conversion behavior.
- Verification: focused RustFS compile, direct import residual scan, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: expose crate-local ECStore facade module aliases from
-
API-130Centralize external ECStore facade alias imports.- Do: replace grouped and raw-subpath
rustfs_ecstore::apiimports in IAM, notify, observability, Swift, S3 Select, e2e helpers, heal/scanner tests, and fuzz targets with per-moduleecstore_*aliases plus local type aliases or module-qualified calls. - Acceptance: non-ECStore source no longer uses grouped
rustfs_ecstore::api::{...}imports or rawrustfs_ecstore::api::<module>::...subpaths, while owner alias imports remain explicit. - Must preserve: IAM config IO, notify config persistence, observability metrics collection, Swift metadata access, S3 Select object-store access, e2e RPC helpers, heal/scanner ECStore test setup, and fuzz validation semantics.
- Verification: focused external crate compile, grouped/raw facade residual scans, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: replace grouped and raw-subpath
-
API-131Route nested external production ECStore imports through owner roots.- Do: expose notify, observability metrics, and S3 Select ECStore facade
aliases from their crate or module owner roots, and migrate nested
production files to import those local aliases instead of importing
rustfs_ecstore::apidirectly. - Acceptance: nested production files under notify, observability, and S3 Select no longer import ECStore facade modules directly, while IAM, scanner, heal, Swift, and owner root files remain the only approved external production direct facade import points.
- Must preserve: notify config persistence, observability metrics collection and scheduler bucket-monitor checks, S3 Select object-store error and storage access behavior, and all public crate APIs.
- Verification: focused notify/obs/S3 Select compile, nested direct-import residual scan, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: expose notify, observability metrics, and S3 Select ECStore facade
aliases from their crate or module owner roots, and migrate nested
production files to import those local aliases instead of importing
-
API-132Replace completed external owner module aliases with symbols.- Do: replace notify, Swift, and S3 Select owner-root
ecstore_*module aliases with explicit local ECStore symbols, type aliases, constants, and wrapper functions. - Acceptance: completed external owner roots no longer expose broad
ecstore_*module aliases, while nested modules keep using owner-local symbols and the remaining larger observability, IAM, scanner, and heal owner roots stay unchanged for later slices. - Must preserve: notify config persistence, Swift bucket metadata access, S3 Select object-store error mapping, object reads, scan buffering, and all public crate APIs.
- Verification: focused notify/Swift/S3 Select compile, completed-owner alias residual scan, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: replace notify, Swift, and S3 Select owner-root
-
API-133Replace scanner owner module aliases with symbols.- Do: replace scanner owner-root
ecstore_*module aliases with explicit local ECStore symbols, type aliases, constants, and wrapper functions. - Acceptance: scanner no longer exposes broad
ecstore_*module aliases, nested scanner modules continue to consume scanner-local symbols, and the migration guard prevents reintroducing scanner owner-root module aliases. - Must preserve: scanner lifecycle config reads, versioning/replication helper traits, disk metadata access, tier listing, erasure checks, replication-heal queueing, config persistence, raw list traversal, and bucket usage replacement behavior.
- Verification: focused scanner compile, completed-owner alias residual scan, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: replace scanner owner-root
-
API-134Replace remaining external owner module aliases with symbols.- Do: replace heal, IAM, and observability owner-root
ecstore_*module aliases with explicit local ECStore symbols, type aliases, constants, and wrapper functions. - Acceptance: heal, IAM, and observability no longer expose broad
ecstore_*module aliases, nested modules continue to consume owner-local symbols, and the migration guard prevents reintroducing these owner-root module aliases. - Must preserve: heal disk metadata and local disk lookup, IAM config persistence and notification fanout, observability storage/data-usage, quota, lifecycle, replication, capacity, and bucket monitor collection.
- Verification: focused heal/IAM/observability compile, completed-owner alias residual scan, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: replace heal, IAM, and observability owner-root
-
API-135Replace test and fuzz owner module aliases with symbols.- Do: replace e2e, heal/scanner integration-test, and fuzz-target
ecstore_*module aliases with explicit ECStore symbols. - Acceptance: the completed test/fuzz files no longer import broad
ecstore_*owner modules, direct symbols preserve the same ECStore facade contracts, and the migration guard prevents reintroducing module aliases in these files. - Must preserve: e2e RPC client construction, replication target tests, heal ECStore setup, scanner lifecycle/tier/transition behavior, and bucket/path fuzz validation semantics.
- Verification: focused e2e/heal/scanner compile, fuzz manifest compile, completed test/fuzz alias residual scan, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: replace e2e, heal/scanner integration-test, and fuzz-target
-
API-136Replace RustFS runtime owner module aliases with symbols.- Do: replace RustFS app/admin/storage owner-root
ecstore_*facade aliases with owner-local curated symbol modules that expose only the ECStore submodules, functions, types, and constants consumed by those runtime boundaries. - Acceptance:
rustfs/src/app/mod.rs,rustfs/src/admin/mod.rs, andrustfs/src/storage/mod.rsno longer import broad ECStore facade modules asecstore_*; migration guards reject reintroducing those broad aliases. - Must preserve: app object/lifecycle/replication helpers, admin config, metrics, tiering, rebalance helpers, storage S3/RPC metadata helpers, and startup/server consumers of the storage owner boundary.
- Verification: focused RustFS compile, runtime owner alias residual scan, migration/layer guards, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit quality gate, and three-expert review.
- Do: replace RustFS app/admin/storage owner-root
-
API-137Guard completed owner facade import shapes.- Do: extend migration rules so completed owner and test/fuzz boundaries
cannot reintroduce bare
rustfs_ecstore::api::<module>imports or glob facade imports. - Acceptance: completed owner roots and completed test/fuzz boundaries keep explicit symbol imports, type aliases, constants, or wrappers; migration guards reject bare module and glob facade imports.
- Must preserve: all API-136 RustFS owner symbol boundaries, API-135 test/fuzz direct symbol imports, and external owner root symbol imports.
- Verification: architecture migration guard, shell syntax check, formatting, diff hygiene, branch freshness check, and three-expert review.
- Do: extend migration rules so completed owner and test/fuzz boundaries
cannot reintroduce bare
-
API-138Centralize completed owner raw facade subpaths.- Do: move completed notify and S3 Select owner wrapper raw ECStore facade calls into explicit import declarations, then guard completed owner and test/fuzz boundaries against raw facade subpaths outside import declarations.
- Acceptance: completed owner and test/fuzz files keep raw ECStore facade subpaths centralized at import declarations; wrapper bodies use local aliases, constants, or functions.
- Must preserve: notify config read/save wrappers, S3 Select object-store handle/error helpers, default read-buffer constant, and all existing public crate APIs.
- Verification: focused notify/S3 Select compile, architecture migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, and three-expert review.
-
API-139Route startup runtime consumers through storage owner symbols.- Do: expose storage-owner aliases and wrappers for startup layout, global
endpoint/region state, local disk initialization, config initialization,
background replication, and notification setup, then migrate startup
runtime files away from
ecstore_*owner-module consumers. - Acceptance:
startup_notification,startup_fs_guard,startup_services,startup_server, andstartup_storageuse storage-owner symbols and wrappers instead ofcrate::storage::ecstore_*modules; migration guards reject restoring those module consumers. - Must preserve: endpoint parsing, unsupported-filesystem policy checks, global endpoint/erasure state setup, local disk and lock-client initialization, config migration/retry behavior, readiness marking, background replication start, region/port registration, and notification initialization.
- Verification: focused RustFS test-target compile, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, and three-expert review.
- Do: expose storage-owner aliases and wrappers for startup layout, global
endpoint/region state, local disk initialization, config initialization,
background replication, and notification setup, then migrate startup
runtime files away from
-
API-140Route server/capacity/workload consumers through storage owner symbols.- Do: expose storage-owner symbols for local disk enumeration, disk endpoint
labels, RPC signature prefix/verification, bucket metadata runtime state,
replication pool access, and replication queue counts, then migrate
server, capacity, and workload-admission consumers away from
ecstore_*owner modules. - Acceptance:
server/http.rs,capacity/service.rs, andworkload_admission.rsuse storage-owner symbols and wrappers instead ofcrate::storage::ecstore_*modules; migration guards reject restoring those module consumers. - Must preserve: internode RPC signature verification, active HTTP request metrics, capacity manager disk discovery/labels, metadata workload state, replication active/queue counts, and all storage-owner backend calls.
- Verification: focused RustFS test-target compile, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, and three-expert review.
- Do: expose storage-owner symbols for local disk enumeration, disk endpoint
labels, RPC signature prefix/verification, bucket metadata runtime state,
replication pool access, and replication queue counts, then migrate
server, capacity, and workload-admission consumers away from
-
API-141Route root/server runtime consumers through storage owner symbols.- Do: expose storage-owner aliases and wrappers for notification config,
topology capability mapping, readiness globals, event dispatch hook
installation, module-switch config persistence, endpoint test builders,
and quota/error types, then migrate remaining root/server runtime
consumers away from
ecstore_*owner modules. - Acceptance:
init.rs,runtime_capabilities.rs,server/readiness.rs,server/event.rs,server/module_switch.rs, anderror.rsuse storage-owner symbols and wrappers instead ofcrate::storage::ecstore_*modules; migration guards reject restoring those module consumers. - Must preserve: bucket notification preload behavior, topology capability labels, runtime readiness lock-quorum checks, live event dispatch, module-switch persistence semantics, S3 error conversion, and test endpoint construction.
- Verification: focused RustFS test-target compile, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, and three-expert review.
- Do: expose storage-owner aliases and wrappers for notification config,
topology capability mapping, readiness globals, event dispatch hook
installation, module-switch config persistence, endpoint test builders,
and quota/error types, then migrate remaining root/server runtime
consumers away from
-
API-142Route table/S3/startup consumers through storage owner symbols.- Do: expose storage-owner constants, aliases, and wrappers for table catalog
metadata roots, catalog path hashing, metadata lookup, lock timeout,
shutdown, bucket metadata migration/init, S3 etag conversion, and config
test disk layout parsing, then migrate the remaining table/S3/startup
consumers away from
ecstore_*owner modules. - Acceptance:
startup_bucket_metadata.rs,startup_shutdown.rs,table_catalog.rs,storage/s3_api/bucket.rs,storage/s3_api/multipart.rs, andconfig/config_test.rsuse storage-owner symbols and wrappers instead ofcrate::storage::ecstore_*modules; migration guards reject restoring those module consumers. - Must preserve: startup bucket metadata and IAM migration order, replication resync initialization, background-service shutdown, S3 ETag rendering, table catalog reserved paths and metadata hash layout, table-bucket mutation guard behavior, catalog lock acquisition timeout, and config test disk-layout parsing.
- Verification: focused RustFS test-target compile, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, and three-expert review.
- Do: expose storage-owner constants, aliases, and wrappers for table catalog
metadata roots, catalog path hashing, metadata lookup, lock timeout,
shutdown, bucket metadata migration/init, S3 etag conversion, and config
test disk layout parsing, then migrate the remaining table/S3/startup
consumers away from
-
API-143Route app shared runtime facade through storage owner symbols.- Do: expose storage-owner aliases and wrappers for app-shared ECStore, endpoint layout, rio readers, notification access, global object-store resolver, shared error helpers, storage-class validation, and test local disk initialization, then migrate the duplicate app facade entries to delegate to storage-owner symbols.
- Acceptance:
rustfs/src/app/mod.rsdelegates shared IO/error/global/ notification/storage wrappers tocrate::storageowner symbols instead of duplicateecstore_*calls; migration guards reject restoring those duplicate calls. - Must preserve: app context resolution, object-store resolver fallback, notification system access, rio reader boxing/wrapping, lock timeout, storage-class validation, S3 ETag rendering, and app test disk setup.
- Verification: focused RustFS test-target compile, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, and three-expert review.
-
API-144Route app bucket facade source imports through storage owner re-exports.- Do: expose bucket target/lifecycle/target, client transition API, and
storageclass through storage owner re-exports, then source the app bucket,
client, and config facade entries through
crate::storage. - Acceptance:
rustfs/src/app/mod.rsno longer imports directrustfs_ecstore::api::{bucket,client,config}::source paths; migration guards reject restoring those direct source paths. - Must preserve: bucket target, lifecycle, metadata, object lock, policy/quota/replication/tagging/target/versioning, transition reader, and storageclass compatibility paths.
- Verification: focused RustFS test-target compile, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
- Do: expose bucket target/lifecycle/target, client transition API, and
storageclass through storage owner re-exports, then source the app bucket,
client, and config facade entries through
-
API-145Route remaining app facade ECStore source imports through storage owner re-exports.- Do: expose app-needed admin, capacity, compression, data-usage, global, and
tier modules through storage owner re-exports, then source the remaining
app facade entries through
crate::storage. - Acceptance:
rustfs/src/app/mod.rscontains no directrustfs_ecstore::api::source imports; migration guards reject restoring any direct ECStore API source path in the app facade. - Must preserve: server info, pool capacity summaries, compression checks, bucket usage memory accounting, global tier manager access, and tier config/warm backend compatibility paths.
- Verification: focused RustFS test-target compile, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
- Do: expose app-needed admin, capacity, compression, data-usage, global, and
tier modules through storage owner re-exports, then source the remaining
app facade entries through
-
API-146Route admin facade ECStore source imports through storage owner re-exports.- Do: expose admin-needed bucket, capacity, client, config, data-usage, disk,
error, global, layout, metrics, notification, rebalance, RPC, storage, and
tier symbols through storage owner re-exports, then source the admin facade
through
crate::storage. - Acceptance:
rustfs/src/admin/mod.rscontains no directrustfs_ecstore::api::source imports; migration guards reject restoring any direct ECStore API source path in the admin facade. - Must preserve: admin handler utilities, bucket controls, storage class updates, data usage reads, cluster/global metadata, metrics/notification views, rebalance status, peer RPC, ECStore handle, and tier admin paths.
- Verification: focused RustFS test-target compile, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
- Do: expose admin-needed bucket, capacity, client, config, data-usage, disk,
error, global, layout, metrics, notification, rebalance, RPC, storage, and
tier symbols through storage owner re-exports, then source the admin facade
through
-
API-147Route external runtime crate ECStore source imports through local compatibility boundaries.- Do: move direct ECStore facade source imports in notify, observability
metrics, S3 Select, Swift, IAM, heal, and scanner runtime entry modules
into crate-local
ecstore_compatmodules while preserving existing wrappers and aliases at each crate boundary. - Acceptance: target runtime crate source directories contain no direct
rustfs_ecstore::api::source paths outsideecstore_compat.rs; migration guards reject restoring those bypasses. - Must preserve: notify config persistence and object-store resolution, observability storage/ILM/replication metrics, S3 Select storage error mapping and object reads, Swift metadata/object-store access, IAM config and notification behavior, heal disk wrappers, and scanner lifecycle/disk runtime wrappers.
- Verification: focused external crate compile, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
- Do: move direct ECStore facade source imports in notify, observability
metrics, S3 Select, Swift, IAM, heal, and scanner runtime entry modules
into crate-local
-
API-148Route external test ECStore source imports through local compatibility boundaries.- Do: move direct ECStore facade source imports in heal integration tests,
scanner lifecycle tests, and e2e reliant/replication helpers into local
ecstore_test_compatmodules while preserving existing test aliases and helper call paths. - Acceptance: target external test/e2e paths contain no direct
rustfs_ecstore::api::source paths outsideecstore_test_compat.rs; migration guards reject restoring those bypasses. - Must preserve: heal endpoint setup and resume disk types, scanner lifecycle transition setup, e2e node RPC client helpers, and replication bucket target cleanup behavior.
- Verification: focused test-target compile, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
- Do: move direct ECStore facade source imports in heal integration tests,
scanner lifecycle tests, and e2e reliant/replication helpers into local
-
API-149Route fuzz ECStore source imports through a local compatibility boundary.- Do: move direct ECStore facade source imports in bucket validation and path
containment fuzz targets into
ecstore_fuzz_compatwrapper functions. - Acceptance: fuzz targets contain no direct
rustfs_ecstore::api::source paths outsideecstore_fuzz_compat.rs; migration guards reject restoring those bypasses. - Must preserve: bucket/object validation fuzz semantics, meta bucket compatibility checks, object prefix/path component validation, and root containment assertions.
- Verification: focused fuzz compile, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
- Do: move direct ECStore facade source imports in bucket validation and path
containment fuzz targets into
-
API-150Move storage owner ECStore source imports into a compatibility module.- Do: move the storage owner
ecstore_*facade source modules out ofrustfs/src/storage/mod.rsand intorustfs/src/storage/ecstore_compat.rs. - Acceptance:
rustfs/src/storage/mod.rscontains no directrustfs_ecstore::api::source paths, while existingcrate::storage::*aliases and helper functions keep their public shape. - Must preserve: storage owner type aliases, constants, wrapper functions, disk RPC extension traits, bucket metadata helpers, runtime globals, and startup storage wiring.
- Verification: RustFS compile coverage, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
- Do: move the storage owner
-
API-151Collapse thin runtime crate ECStore compatibility bridges.- Do: remove the thin
ecstore_compat.rsfiles from notify, obs metrics, Swift, and S3 Select, moving their aliases and wrappers to the owner root modules. - Acceptance: those crates no longer declare local
ecstore_compatmodules, while their public/internal owner-root aliases and wrapper functions keep the same call paths for downstream modules. - Must preserve: notify server-config IO, metrics data/quota/replication reads, S3 Select object-reader/error mapping, and Swift bucket metadata and object reader aliases.
- Verification: focused runtime crate compile coverage, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
- Do: remove the thin
-
API-152Collapse thin test and fuzz ECStore compatibility bridges.- Do: remove the thin e2e, heal, scanner, and fuzz ECStore compatibility bridge modules, moving their aliases and wrappers into the owner test/fuzz files that consume them.
- Acceptance: those tests and fuzz targets no longer declare local
ecstore_test_compatorecstore_fuzz_compatmodules, while the same ECStore API symbols remain available to the existing test and fuzz logic. - Must preserve: e2e replication and reliant gRPC clients, heal endpoint and integration fixtures, scanner lifecycle fixtures, bucket validation fuzzing, and path containment fuzzing.
- Verification: focused test/fuzz compile coverage, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
-
API-153Collapse thin owner ECStore compatibility bridges.- Do: remove the thin IAM, heal, and scanner
ecstore_compat.rsmodules, moving their aliases and wrappers into the owner root modules. - Acceptance: those owner crates no longer declare local
ecstore_compatmodules, while their owner-root aliases and wrapper functions keep the same call paths for downstream modules. - Must preserve: IAM config/notification helpers, heal disk/local-map contracts, scanner lifecycle/replication/data-usage helpers, and owner-root storage aliases.
- Verification: focused owner crate compile coverage, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
- Do: remove the thin IAM, heal, and scanner
-
API-154Collapse storage owner ECStore compatibility bridge.- Do: remove
rustfs/src/storage/ecstore_compat.rs, moving itsecstore_*source modules intorustfs/src/storage/mod.rs. - Acceptance: no storage owner
ecstore_compatbridge file remains, while existing downstreamcrate::storage::ecstore_*paths keep the same shape. - Must preserve: storage owner type aliases, constants, wrapper functions, disk RPC extension traits, bucket metadata helpers, runtime globals, and startup storage wiring.
- Verification: RustFS compile coverage, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
- Do: remove
-
API-155Collapse app context and notify thin compatibility modules.- Do: remove
rustfs/src/app/context/compat.rsby moving resolver helpers intorustfs/src/app/context.rs, and remove the notify event-bridge re-export module by exporting pipeline symbols directly from the notify owner root. - Acceptance: no app context
compatmodule or notifyevent_bridgemodule remains, while existingcrate::app::context::*andrustfs_notify::*public symbols keep the same paths. - Must preserve: AppContext-first resolver precedence, legacy global fallback behavior, bucket metadata/endpoints/tier/server config handles, notify live event history, and notify event bridge type aliases.
- Verification: RustFS and notify compile coverage, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
- Do: remove
-
API-156Route app runtime consumers through AppContext resolvers.- Do: add notify and buffer profile resolver helpers, route bucket/object notification users through the notify resolver, route ECFS buffer sizing through the buffer resolver, and route public health KMS readiness through the KMS runtime resolver.
- Acceptance: selected app/server/storage consumers no longer open-code direct global notifier, buffer config, or KMS service manager fallback when an AppContext resolver already owns the migration boundary.
- Must preserve: context-first behavior when an AppContext exists, legacy global fallback when it does not, notification delivery semantics, buffer opt-in behavior, and public health readiness behavior.
- Verification: RustFS compile coverage, migration guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
-
API-157Route server readiness through AppContext resolvers.- Do: add an IAM readiness resolver, use it for cached and uncached server dependency readiness, and use the endpoints resolver for lock quorum endpoint discovery.
- Acceptance: readiness no longer directly reads global IAM or endpoint state when an AppContext resolver already owns that boundary.
- Must preserve: IAM-ready semantics, distributed lock quorum behavior, storage readiness behavior, and legacy global fallback when AppContext is absent.
- Verification: RustFS compile coverage, targeted readiness/context tests, migration guard, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
-
API-158Route RPC node IAM operations through AppContext resolver.- Do: add an IAM handle resolver and use it for RPC node IAM policy, user, group, and service-account reload/delete operations.
- Acceptance: RPC node IAM operations no longer directly read the global IAM singleton when an AppContext resolver owns that boundary.
- Must preserve: request validation messages,
errServerNotInitializedfallback, IAM operation arguments, and legacy global fallback when AppContext is absent. - Verification: RustFS compile coverage, targeted context resolver tests, migration guard, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
-
API-159Route RPC node lock and identity reads through AppContext.- Do: add lock-client and local-node-name AppContext interfaces, default legacy adapters, resolver helpers, and use them in RPC node lock and health handlers.
- Acceptance: RPC node lock operations and health metric node identity no longer read legacy global state directly when AppContext owns the boundary.
- Must preserve: lock-client initialization error text, health metric node labels, async local-node-name behavior, and legacy global fallback when AppContext is absent.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
-
API-160Route admin runtime reads through AppContext resolvers.- Do: add action-credential and region AppContext interfaces, resolver helpers, default legacy adapters, and use them with the existing server config resolver across admin/server read paths.
- Acceptance: admin handlers and router code no longer directly read action credentials, region, or server config globals when an AppContext resolver owns that boundary.
- Must preserve: admin auth decisions, object-ZIP token signing, object lambda signing region fallback, OIDC restart detection, site replication metadata, and legacy global fallback when AppContext is absent.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
-
API-161Route admin topology reads through AppContext resolvers.- Do: add deployment-id and runtime-port AppContext interfaces, reuse the endpoints resolver, default legacy adapters, and route admin topology consumers through resolvers.
- Acceptance: admin site replication, replication handlers, and router code no longer directly read endpoints, deployment id, or runtime port globals outside AppContext default adapters.
- Must preserve: site replication endpoint inference, console-port fallback, replication same-target validation, stale same-deployment target detection, and legacy global fallback when AppContext is absent.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, formatting, diff hygiene, Rust risk scan, branch freshness check, pre-commit, and three-expert review.
-
API-162Route admin peer-system reads through AppContext resolvers.- Do: add notification-system, bucket-monitor, and replication-pool AppContext interfaces, default legacy adapters, and route admin and app peer-system consumers through resolvers.
- Acceptance: admin tier/rebalance/config/router/site-replication and app bucket metadata reload paths no longer directly read notification system, bucket monitor, or replication pool globals outside AppContext default adapters.
- Must preserve: tier config propagation, dynamic config reload propagation, config snapshot refresh, live event peer listing, replication bandwidth metric collection, replication resync start/status/cancel behavior, rebalance stop fallback, and legacy global fallback when AppContext is absent.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, formatting, diff hygiene, residual global-read scan, Rust risk scan, branch freshness check, and three-expert review.
-
API-163Route admin site-replication IAM reads through AppContext.- Do: replace admin site-replication direct IAM global reads with the AppContext IAM handle resolver.
- Acceptance: site-replication service-account, IAM export, IAM item import, and peer-join service-account paths no longer directly call the IAM global accessor.
- Must preserve: site-replicator service-account lookup/update/create, exported IAM policy/user/group/policy-mapping payloads, imported IAM item reconciliation, peer join service-account upsert, and legacy fallback when AppContext is absent.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, formatting, diff hygiene, residual IAM global-read scan, Rust risk scan, branch freshness check, and three-expert review.
-
API-164Route admin site-replication outbound TLS reads through AppContext.- Do: add an outbound TLS runtime AppContext interface and route site-replication peer-client TLS generation/state reads through resolvers.
- Acceptance: site-replication peer-client cache lookup and client rebuild paths no longer directly call outbound TLS global loaders.
- Must preserve: peer-client cache invalidation by TLS generation, root CA parsing, mTLS identity propagation via the published TLS state, and legacy global fallback when AppContext is absent.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, layer guard, formatting, diff hygiene, residual outbound TLS global-read scan, Rust risk scan, branch freshness check, and three-expert review.
-
API-165Route admin TLS debug outbound TLS reads through AppContext.- Do: route admin TLS debug status outbound TLS generation/state reads through the AppContext outbound TLS runtime resolver.
- Acceptance: TLS debug status no longer directly calls outbound TLS global summary helpers while preserving the same JSON status fields and consumer generation flags.
- Must preserve: profile authorization, TLS source path reporting, reload enable reporting, consumer labels, root CA status, mTLS identity status, and legacy global fallback when AppContext is absent.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, layer guard, formatting, diff hygiene, residual outbound TLS global-read scan, Rust risk scan, branch freshness check, and three-expert review.
-
API-166Route admin replication stats reads through AppContext.- Do: add a replication stats AppContext interface and storage-owner wrapper, then route admin replication metrics, extended replication metrics, and site-replication metrics summary reads through the resolver.
- Acceptance: admin production handlers no longer directly read
GLOBAL_REPLICATION_STATS, while AppContext default adapters keep the existing global fallback. - Must preserve: replication metrics defaults when stats are absent, bucket latest-stat lookup, site-replication node metric mapping, bandwidth report enrichment, runtime-field enrichment, and existing storage owner global initialization.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, layer guard, formatting, diff hygiene, residual replication stats global-read scan, Rust risk scan, branch freshness check, and three-expert review.
-
API-167Route admin status and metrics reads through AppContext.- Do: add AppContext interfaces for boot time, daily tier transition stats, and scanner metrics report reads, then route admin replication uptime, tier stats, and scanner status through those resolvers.
- Acceptance: admin production handlers no longer directly read
GLOBAL_BOOT_TIME,GLOBAL_TransitionState, or scannerglobal_metrics, while AppContext default adapters keep the existing global fallback. - Must preserve: replication metrics uptime defaults, tier stats filtering, scanner status payload shape, scanner runtime-config reporting, and existing storage owner global initialization.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, layer guard, formatting, diff hygiene, residual admin status global-read scan, Rust risk scan, branch freshness check, and three-expert review.
-
API-168Route admin KMS manager initialization through AppContext.- Do: add an AppContext-first KMS runtime resolver that initializes the legacy global manager only after context/default lookup misses, then route admin KMS key, management, and dynamic handlers through it.
- Acceptance: admin production handlers no longer directly initialize the global KMS service manager, while the AppContext default path preserves legacy global initialization fallback.
- Must preserve: KMS key encryption-service lookup, KMS status/config/cache handlers, dynamic KMS configure/start/stop/reconfigure behavior, and existing fallback warning logs.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, layer guard, formatting, diff hygiene, residual admin KMS init scan, Rust risk scan, branch freshness check, and three-expert review.
-
API-169Route admin config publication through AppContext.- Do: add AppContext-first publish helpers for server config and storage class config, then route admin config write/reload publication through those helpers.
- Acceptance: admin production handlers and services no longer directly call
set_global_server_configor the admin storage-class global setter, while AppContext default adapters preserve the legacy global-setter fallback. - Must preserve: config validation, config history persistence, runtime snapshot reload semantics, dynamic subsystem application, storage-class parsing, and store persistence behavior.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, layer guard, formatting, diff hygiene, residual admin config publication scan, Rust risk scan, branch freshness check, and three-expert review.
-
API-170Route action credential reads through AppContext.- Do: route auth validation, protocol storage-client owner checks, and storage audit helper access-key enrichment through the AppContext action-credential resolver.
- Acceptance: production auth/protocol/storage helper paths no longer read action credentials directly from the credentials singleton, while the AppContext default adapter preserves the legacy global fallback.
- Must preserve: owner detection, session-token claim validation, policy principal type derivation, protocol request metadata, and audit access-key enrichment.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, layer guard, formatting, diff hygiene, residual action credential scan, Rust risk scan, branch freshness check, and three-expert review.
-
API-171Route runtime replication pool reads through AppContext.- Do: route bucket metadata startup resync and workload admission replication pool reads through the AppContext replication-pool resolver.
- Acceptance: production startup/workload admission consumers no longer read the replication pool directly from the storage global facade, while the AppContext default adapter preserves the legacy global fallback.
- Must preserve: bucket metadata resync initialization, replication admission active worker counts, queued replication counts, and unknown-runtime reporting.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, layer guard, formatting, diff hygiene, residual replication-pool scan, Rust risk scan, branch freshness check, and three-expert review.
-
API-172Route outbound TLS generation reads through AppContext.- Do: route startup TLS material initialization and TLS reload loop generation reads through the AppContext outbound TLS generation resolver.
- Acceptance: production startup/reload paths no longer read outbound TLS
generation directly from
rustfs_common, while the AppContext default adapter preserves the legacy global fallback. - Must preserve: generation increment semantics, outbound TLS state publish, TLS generation metrics, reload-loop enrichment, and TLS acceptor rebuilds.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, layer guard, formatting, diff hygiene, residual outbound TLS generation scan, Rust risk scan, branch freshness check, and three-expert review.
-
API-173Route runtime region reads through AppContext.- Do: route bucket notification setup and S3 request context region reads through the AppContext region resolver.
- Acceptance: production init/storage request paths no longer read region directly from the storage global facade, while the AppContext default adapter preserves the legacy global fallback.
- Must preserve: notification ARN target mapping fallback region behavior, request context region propagation, auth/policy request construction, and existing startup region setters.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, layer guard, formatting, diff hygiene, residual region scan, Rust risk scan, branch freshness check, and three-expert review.
-
API-174Route KMS encryption service reads through AppContext.- Do: route app bucket encryption defaults and storage SSE managed encryption/decryption provider reads through an AppContext-first KMS encryption service resolver.
- Acceptance: production app/storage paths no longer read the KMS encryption service directly from the global service manager, while the resolver preserves the legacy global fallback.
- Must preserve: default SSE-KMS key population, managed SSE encryption and decryption metadata handling, DEK provider selection, and KMS service initialization fallback semantics.
- Verification: RustFS compile coverage, targeted SSE/KMS tests, migration guard, layer guard, formatting, diff hygiene, residual encryption-service scan, Rust risk scan, branch freshness check, and three-expert review.
-
API-175Route runtime support reads through AppContext.- Do: route runtime readiness lock-client collections, storage concurrency performance metrics, and config-info buffer profile reads through AppContext-first resolvers.
- Acceptance: production readiness, storage concurrency, and config-info paths no longer read those runtime globals directly, while default adapters preserve the legacy global fallbacks.
- Must preserve: distributed readiness lock quorum aggregation, performance metric singleton sharing, workload profile display output, and existing buffer-profile enablement behavior.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, layer guard, formatting, diff hygiene, residual global-read scans, Rust risk scan, branch freshness check, and three-expert review.
-
API-176Route S3 Select DB factory reads through AppContext.- Do: route S3 Select object execution database creation through an AppContext-first S3 Select DB resolver.
- Acceptance: production S3 Select object execution no longer reads the S3 Select DB factory directly, while the default adapter preserves the cached global component behavior.
- Must preserve: request validation, preflight object metadata checks, DataFusion execution flow, output event streaming, and cached S3 Select component reuse.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, layer guard, formatting, diff hygiene, residual S3 Select DB scan, Rust risk scan, branch freshness check, and three-expert review.
-
API-177Route internode RPC metrics through AppContext.- Do: route HTTP and gRPC internode RPC metric recording through an AppContext-first internode metrics resolver.
- Acceptance: production internode HTTP and disk RPC paths no longer read the internode metrics singleton directly, while the default adapter preserves the shared global metrics instance.
- Must preserve: HTTP read/write/walk counters, gRPC read/write counters, byte accounting, classified transport backend labels, and error recording.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, layer guard, formatting, diff hygiene, residual internode metrics scan, Rust risk scan, branch freshness check, and three-expert review.
-
API-178Route IAM runtime reads through AppContext.- Do: route auth, storage authorization, admin auth, admin IAM handlers, STS, and table-catalog credential issuance through an AppContext-first ready IAM resolver.
- Acceptance: production auth/admin/storage request paths no longer call the IAM global getter directly, while the resolver preserves the legacy ready check and global fallback.
- Must preserve: signature secret lookup, access-key validation, S3 policy authorization, table data-plane authorization, admin IAM CRUD, STS temp-user creation, service-account flows, and table credential issuance.
- Verification: RustFS compile coverage, targeted context resolver tests, migration guard, layer guard, formatting, diff hygiene, residual IAM getter scan, Rust risk scan, branch freshness check, and three-expert review.
Next PRs
consumer-migration: continue reducing direct global reads behind AppContext resolver boundaries.
Pre-Push Review Log
| Expert | Status | Notes |
|---|---|---|
| Quality/architecture | pass | API-152 removes thin test/fuzz ECStore bridge files and keeps direct imports in owner test/fuzz files. |
| Migration preservation | pass | E2E, heal, scanner, and fuzz consumers keep the same ECStore API symbols and call paths. |
| Testing/verification | pass | Focused test/fuzz compile, formatting, migration guard, shell syntax, diff hygiene, Rust risk scan, and pre-commit passed for API-152. |
| Quality/architecture | pass | API-153 removes thin owner ECStore bridge files and keeps direct imports at owner roots. |
| Migration preservation | pass | IAM, heal, and scanner owner-root aliases and wrapper functions keep the same call paths. |
| Testing/verification | pass | Focused owner crate compile, formatting, migration guard, shell syntax, diff hygiene, Rust risk scan, and pre-commit passed for API-153. |
| Quality/architecture | pass | API-154 removes the final storage owner ECStore bridge file and keeps direct imports at the storage owner root. |
| Migration preservation | pass | Existing crate::storage::ecstore_* modules, constants, wrappers, and downstream call paths keep the same shape. |
| Testing/verification | pass | RustFS focused compile, formatting, migration guard, shell syntax, diff hygiene, bridge scan, Rust risk scan, and pre-commit passed for API-154. |
| Quality/architecture | pass | API-155 removes app context and notify thin compatibility modules while keeping owner-root exports. |
| Migration preservation | pass | AppContext resolver precedence and notify pipeline public aliases keep the same public call paths. |
| Testing/verification | pass | RustFS/notify focused compile, targeted tests, formatting, migration guard, shell syntax, diff hygiene, bridge scan, Rust risk scan, and pre-commit passed for API-155. |
| Quality/architecture | pass | API-156 centralizes selected app/server/storage runtime fallbacks behind AppContext resolver helpers without adding new abstractions. |
| Migration preservation | pass | KMS readiness, notification dispatch, and ECFS buffer sizing keep existing global fallback semantics when no AppContext is available. |
| Testing/verification | pass | RustFS focused compile, formatting, migration guard, shell syntax, diff hygiene, Rust risk scan, and pre-commit passed for API-156. |
| Quality/architecture | pass | API-157 keeps readiness dependency checks behind AppContext-owned IAM and endpoints resolver boundaries. |
| Migration preservation | pass | IAM readiness and lock quorum endpoint discovery keep legacy global fallback semantics when no AppContext is available. |
| Testing/verification | pass | RustFS focused compile, targeted readiness/context tests, formatting, migration guard, diff hygiene, Rust risk scan, and pre-commit passed for API-157. |
| Quality/architecture | pass | API-158 keeps RPC node IAM operations behind the AppContext-owned IAM handle resolver boundary. |
| Migration preservation | pass | RPC IAM policy, user, group, and service-account operations keep validation, arguments, and legacy fallback behavior. |
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration guard, diff hygiene, Rust risk scan, and pre-commit passed for API-158. |
| Quality/architecture | pass | API-159 keeps RPC node lock client and node identity reads behind AppContext resolver boundaries. |
| Migration preservation | pass | RPC lock initialization errors and health metric node-name inputs keep legacy fallback behavior. |
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration guard, diff hygiene, Rust risk scan, and pre-commit passed for API-159. |
| Quality/architecture | pass | API-160 keeps admin runtime action credentials, region, and server config reads behind AppContext resolver boundaries. |
| Migration preservation | pass | Admin authorization, object-ZIP token encryption, object-lambda signing, OIDC restart detection, and site replication metadata keep legacy fallback behavior. |
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration guard, diff hygiene, Rust risk scan, and pre-commit passed for API-160. |
| Quality/architecture | pass | API-161 keeps admin topology endpoint, deployment id, and runtime port reads behind AppContext resolver boundaries. |
| Migration preservation | pass | Site replication endpoint inference, same-target checks, same-deployment stale target detection, and runtime-port fallback keep legacy behavior. |
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration guard, diff hygiene, Rust risk scan, and pre-commit passed for API-161. |
| Testing/verification | pass | CI follow-up: layer dependency baseline accepts the reviewed AppContext resolver reverse dependencies, and the layer guard passes. |
| Quality/architecture | pass | API-162 keeps admin peer-system notification, bucket-monitor, and replication-pool reads behind AppContext resolver boundaries. |
| Migration preservation | pass | Tier/rebalance/config propagation, live event peers, replication metrics, and resync operations keep legacy fallback behavior. |
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration guard, diff hygiene, residual scan, Rust risk scan, and pre-commit passed for API-162. |
| Quality/architecture | pass | API-163 keeps admin site-replication IAM reads behind the AppContext IAM resolver boundary. |
| Migration preservation | pass | Site-replicator service-account, IAM export/import, and peer-join service-account paths keep legacy fallback behavior. |
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration guard, diff hygiene, residual IAM scan, and Rust risk scan passed for API-163. |
| Quality/architecture | pass | API-164 keeps admin site-replication outbound TLS generation/state reads behind AppContext resolver boundaries. |
| Migration preservation | pass | Peer-client cache invalidation, root CA parsing, and published TLS-state fallback behavior are preserved. |
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration/layer guards, diff hygiene, residual TLS scan, and Rust risk scan passed for API-164. |
| Quality/architecture | pass | API-165 keeps admin TLS debug outbound TLS status reads behind the AppContext resolver boundary. |
| Migration preservation | pass | TLS debug status JSON fields, consumer labels, reload/env reporting, and legacy fallback behavior are preserved. |
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration/layer guards, diff hygiene, residual TLS scan, and Rust risk scan passed for API-165. |
| Quality/architecture | pass | API-166 keeps admin replication stats reads behind AppContext resolver boundaries with a storage-owner fallback wrapper. |
| Migration preservation | pass | Admin replication metrics, site-replication summaries, bandwidth enrichment, and missing-stats defaults are preserved. |
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration/layer guards, diff hygiene, residual stats scan, and Rust risk scan passed for API-166. |
| Quality/architecture | pass | API-167 keeps admin boot-time, tier-transition, and scanner metrics reads behind AppContext resolver boundaries. |
| Migration preservation | pass | Replication uptime enrichment, tier stats filtering, scanner metrics JSON, and scanner runtime-config reporting are preserved. |
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration/layer guards, diff hygiene, residual admin status scan, and Rust risk scan passed for API-167. |
| Quality/architecture | pass | API-168 keeps admin KMS service-manager initialization behind the AppContext resolver boundary. |
| Migration preservation | pass | KMS key, management, and dynamic handlers preserve legacy initialization fallback and existing fallback logs. |
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration/layer guards, diff hygiene, residual KMS init scan, and Rust risk scan passed for API-168. |
| Quality/architecture | pass | API-169 keeps admin config runtime publication behind AppContext publish helpers with default global-setter adapters. |
| Migration preservation | pass | Config writes, runtime reload, dynamic subsystem application, and storage-class parsing preserve existing persistence and runtime side effects. |
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration/layer guards, diff hygiene, residual config publication scan, and Rust risk scan passed for API-169. |
| Quality/architecture | pass | API-170 keeps action-credential reads behind the AppContext action-credential resolver across auth, protocols, and storage helper paths. |
| Migration preservation | pass | Owner checks, claim validation, policy principal classification, protocol metadata, and audit access-key enrichment preserve existing fallback behavior. |
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration/layer guards, diff hygiene, residual action credential scan, and Rust risk scan passed for API-170. |
| Quality/architecture | pass | API-171 keeps replication pool reads behind the AppContext replication-pool resolver in startup and workload admission paths. |
| Migration preservation | pass | Bucket metadata resync, replication worker counts, queue counts, and unknown-runtime reporting preserve existing fallback behavior. |
| Testing/verification | pass | RustFS focused compile, workload admission tests, targeted context tests, formatting, migration/layer guards, diff hygiene, residual replication-pool scan, and Rust risk scan passed for API-171. |
| Quality/architecture | pass | API-172 keeps outbound TLS generation reads behind the AppContext outbound TLS generation resolver in startup and reload paths. |
| Migration preservation | pass | Generation increments, outbound TLS publication, generation metrics, reload enrichment, and acceptor rebuild behavior preserve existing semantics. |
| Testing/verification | pass | RustFS focused compile, TLS generation test, targeted context test, formatting, migration/layer guards, diff hygiene, residual outbound TLS generation scan, and Rust risk scan passed for API-172. |
| Quality/architecture | pass | API-173 keeps region reads behind the AppContext region resolver in notification setup and storage request context paths. |
| Migration preservation | pass | Notification fallback region, request context propagation, auth/policy request construction, and startup setters preserve existing behavior. |
| Testing/verification | pass | RustFS focused compile, targeted context test, formatting, migration/layer guards, diff hygiene, residual region scan, and Rust risk scan passed for API-173. |
| Quality/architecture | pass | API-174 keeps app/storage KMS encryption service reads behind an AppContext-first resolver using the existing KMS runtime manager boundary. |
| Migration preservation | pass | Default SSE-KMS key population, managed SSE metadata handling, DEK provider selection, and legacy global fallback behavior are preserved. |
| Testing/verification | pass | RustFS focused compile, targeted SSE/KMS and bucket encryption tests, formatting, migration/layer guards, diff hygiene, residual encryption-service scan, and Rust risk scan passed for API-174. |
| Quality/architecture | pass | API-175 keeps readiness lock clients, storage performance metrics, and config-info buffer profile reads behind AppContext-first resolvers. |
| Migration preservation | pass | Lock quorum aggregation, performance metrics sharing, workload profile display, and legacy global fallback behavior are preserved. |
| Testing/verification | pass | RustFS focused compile, targeted context resolver test, formatting, migration/layer guards, diff hygiene, residual global-read scans, and Rust risk scan passed for API-175. |
| Quality/architecture | pass | API-176 keeps S3 Select DB factory access behind an AppContext-first resolver in object select execution. |
| Migration preservation | pass | Request validation, object preflight, query execution, event streaming, and cached component fallback behavior are preserved. |
| Testing/verification | pass | RustFS focused compile, targeted context resolver test, formatting, migration/layer guards, diff hygiene, residual S3 Select DB scan, and Rust risk scan passed for API-176. |
| Quality/architecture | pass | API-177 keeps internode RPC metrics behind an AppContext-first resolver across HTTP and gRPC RPC paths. |
| Migration preservation | pass | Request counters, byte accounting, transport backend labels, and error metrics preserve existing global fallback behavior. |
| Testing/verification | pass | RustFS focused compile, targeted context resolver test, formatting, migration/layer guards, diff hygiene, residual internode metrics scan, and Rust risk scan passed for API-177. |
| Quality/architecture | pass | API-178 keeps ready IAM access behind an AppContext-first resolver without widening handler semantics. |
| Migration preservation | pass | Auth, storage authorization, admin IAM handlers, STS, and table credential flows keep existing error mapping and ready-check fallback. |
| Testing/verification | pass | RustFS focused compile, targeted context resolver test, formatting, migration/layer guards, diff hygiene, residual IAM getter scan, Rust risk scan, and pre-commit passed for API-178. |
Verification Notes
Passed before push:
-
Issue #660 API-178 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- IAM getter scan: passed; production auth/admin/storage IAM reads now go through the AppContext ready IAM resolver.
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
make pre-commit: passed.
-
Issue #660 API-176 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- S3 Select DB scan: passed; direct production
get_global_dbreads are removed from S3 Select object execution. - Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-177 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Internode metrics scan: passed; direct production
global_internode_metricsreads are removed from RustFS HTTP and disk RPC paths. - Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-175 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Runtime support scan: passed; direct production lock-client collection, performance metrics, and config-info buffer profile reads now go through AppContext resolvers.
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-174 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs test_kms_sse_dek_provider_uses_latest_reconfigured_service --lib: passed.cargo test -p rustfs test_sse_encryption_fails_closed_without_local_sse_master_key --lib: passed.cargo test -p rustfs execute_put_bucket_encryption_returns_internal_error_when_store_uninitialized --lib: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- AppContext KMS encryption service scan: passed; direct production
get_global_encryption_servicereads are removed from app bucket encryption and storage SSE paths. - Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-173 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- AppContext region scan: passed; direct production
get_global_regionreads are removed from notification setup and storage request context paths. - Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-172 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs next_tls_generation --lib: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- AppContext outbound TLS generation scan: passed; direct production
get_global_outbound_tls_generationreads are removed from startup TLS material and TLS reload paths. - Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-171 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs workload_admission --lib: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- AppContext replication pool scan: passed; direct production
get_global_replication_poolreads are removed from bucket metadata startup and workload admission paths. - Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-170 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- AppContext action credential scan: passed; direct production
get_global_action_credandget_global_access_key_optreads are removed from auth, protocol client, and storage helper paths. - Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-169 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- AppContext admin config publication scan: passed; direct admin production
set_global_server_configand storage-class global setter calls are removed. - Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-164 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- AppContext site-replication outbound TLS resolver scan: passed; direct admin site-replication TLS global reads are isolated to tests.
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-165 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- AppContext outbound TLS resolver scan: passed; direct admin outbound TLS global reads are removed from production handlers.
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-166 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- AppContext replication stats resolver scan: passed; direct admin production
GLOBAL_REPLICATION_STATSreads are removed. - Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-167 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- AppContext admin status resolver scan: passed; direct admin production
GLOBAL_BOOT_TIME,GLOBAL_TransitionState, and scannerglobal_metricsreads are removed. - Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-168 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- AppContext admin KMS init resolver scan: passed; direct admin production
init_global_kms_service_managercalls are removed. - Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-163 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- AppContext site-replication IAM resolver scan: passed; direct admin site-replication IAM global reads are isolated to AppContext fallback plumbing.
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-162 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- AppContext peer-system resolver scan: passed; direct admin and app notification-system, bucket-monitor, and replication-pool global reads are isolated to AppContext default adapters.
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-161 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed after CI baseline follow-up.make pre-commit: passed.- AppContext admin topology resolver scan: passed; direct admin deployment id, endpoint, and runtime port global reads are isolated to AppContext default adapters.
- Rust risk scan: no new production panic/todo/unsafe/cast risks added; new unwrap/expect hits are resolver fallback plumbing or test assertions.
-
Issue #660 API-160 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- AppContext admin runtime resolver scan: passed; direct admin action credential, server config, and region global reads are isolated to AppContext default adapters or tests.
- Rust risk scan: no new production panic/todo/unsafe/cast risks added; new unwrap/expect hits are resolver fallback plumbing or test assertions.
-
Issue #660 API-159 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- AppContext RPC node resolver scan: passed; direct RPC node lock-client and local-node-name global reads are isolated to AppContext default adapters.
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-158 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- AppContext IAM resolver scan: passed; RPC node IAM operations use the IAM handle resolver, with lock clients kept on the legacy global boundary.
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-157 current slice:
cargo check --tests -p rustfs: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo test -p rustfs readiness --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- AppContext readiness resolver scan: passed; server readiness uses IAM and endpoints resolver helpers, with lock clients kept on the legacy global boundary.
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-156 current slice:
cargo check --tests -p rustfs: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- AppContext runtime resolver scan: passed; selected bucket/object notify, ECFS buffer sizing, and public health KMS readiness consumers use resolver helpers.
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added.
-
Issue #660 API-155 current slice:
cargo check --tests -p rustfs -p rustfs-notify: passed.cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib: passed.cargo test -p rustfs-notify --lib: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- App context and notify thin bridge scan: passed; no
rustfs/src/app/context/compat.rsorcrates/notify/src/event_bridge.rsremains. - Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added; changed unwrap/expect matches are moved test setup only.
-
Issue #660 API-154 current slice:
cargo check --tests -p rustfs: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- Storage ECStore thin bridge scan: passed; no
ecstore_compat.rsfiles remain outsidecrates/ecstore. - Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added; changes only move storage owner import boundaries.
-
Issue #660 API-153 current slice:
cargo check --tests -p rustfs-heal -p rustfs-scanner -p rustfs-iam: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- Owner ECStore thin bridge scan: passed; IAM, heal, and scanner no longer
declare local
ecstore_compatmodules. - Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast risks added; changes only move owner-root import boundaries.
-
Issue #660 API-152 current slice:
cargo check --tests -p rustfs-heal -p rustfs-scanner -p e2e_test: passed.cargo check --manifest-path fuzz/Cargo.toml --bins: passed.cargo fmt --all: passed.cargo fmt --all --manifest-path fuzz/Cargo.toml: passed.cargo fmt --all --check: passed.cargo fmt --all --check --manifest-path fuzz/Cargo.toml: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- Test/fuzz thin bridge scan: passed; e2e, heal, scanner, and fuzz targets no
longer declare local
ecstore_test_compatorecstore_fuzz_compatmodules. - Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe, or error-type risks added; changes only move test/fuzz import boundaries.
-
Issue #660 API-140 current slice:
cargo check --tests -p rustfs: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe, or error-type risks added; existing capacity metrics casts, HTTP atomic relaxed counters, and HTTP test unwrap/expect calls remain unchanged.
-
Issue #660 API-141 current slice:
cargo check --tests -p rustfs: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
or error-type risks added; only import aliases were reported by the textual
asscan.
-
Issue #660 API-142 current slice:
cargo check --tests -p rustfs: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
or error-type risks added; only type/import aliases were reported by the
textual
asscan.
-
Issue #660 API-143 current slice:
cargo check --tests -p rustfs: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
or error-type risks added; only existing
DiskResult<Vec<String>>textual matches were reported by the broad error-type scan.
-
Issue #660 API-144 current slice:
cargo check --tests -p rustfs: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
or error-type risks added; only existing
DiskResult<Vec<String>>textual matches were reported by the broad error-type scan.
-
Issue #660 API-145 current slice:
cargo check --tests -p rustfs: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
or error-type risks added; only existing
DiskResult<Vec<String>>textual matches were reported by the broad error-type scan.
-
Issue #660 API-146 current slice:
cargo check --tests -p rustfs: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
or error-type risks added; only existing
DiskResult<Vec<String>>textual matches were reported by the broad error-type scan.
-
Issue #660 API-147 current slice:
cargo check -p rustfs-notify -p rustfs-obs -p rustfs-s3select-api -p rustfs-protocols -p rustfs-iam -p rustfs-heal -p rustfs-scanner: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- Runtime crate ECStore source bypass scan: passed; target runtime crate
source paths now reference
rustfs_ecstore::api::only insideecstore_compat.rs. - Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe, or error-type risks added; changes only move import/source boundaries.
-
Issue #660 API-148 current slice:
cargo check --tests -p rustfs-heal -p rustfs-scanner -p e2e_test: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- External test ECStore source bypass scan: passed; target test/e2e paths now
reference
rustfs_ecstore::api::only insideecstore_test_compat.rs. - Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe, or error-type risks added; changes only move import/source boundaries.
-
Issue #660 API-149 current slice:
cargo check --manifest-path fuzz/Cargo.toml --bins: passed; Cargo refreshed the stale fuzz lockfile during verification and the generated lockfile change was not retained.cargo fmt --all --manifest-path fuzz/Cargo.toml: passed.cargo fmt --all --check --manifest-path fuzz/Cargo.toml: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- Fuzz ECStore source bypass scan: passed; fuzz targets now reference
rustfs_ecstore::api::only insideecstore_fuzz_compat.rs. - Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe, or error-type risks added; changes only move fuzz import/source boundaries.
-
Issue #660 API-150 current slice:
cargo check --tests -p rustfs: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.make pre-commit: passed.- Storage owner direct ECStore source scan: passed;
rustfs/src/storage/mod.rscontains no directrustfs_ecstore::api::source path. - Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe, or error-type risks added; changes only move storage owner import/source boundaries.
-
Issue #660 API-139 current slice:
cargo check --tests -p rustfs: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
or error-type risks added; existing startup-server test
expectcalls remain test-only and unchanged.
-
Issue #660 API-138 current slice:
cargo check -p rustfs-notify -p rustfs-s3select-api: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
or error-type risks added; existing S3 Select unwrap and Notify
Result<String>wrapper signatures remain unchanged.
-
Issue #660 API-137 current slice:
cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Stacked-base freshness check against
origin/overtrue/arch-test-fuzz-owner-symbols: passed.
-
Issue #660 API-136 current slice:
cargo check --tests -p rustfs: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.make pre-commit: passed.- Completed runtime-owner module-alias residual scan: passed.
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or
risky behavior added; existing
Result<Vec<String>>storage trait signatures remain unchanged compatibility surfaces.
-
Issue #660 API-135 current slice:
cargo check --tests -p e2e_test -p rustfs-heal -p rustfs-scanner: passed.cargo check --manifest-path fuzz/Cargo.toml --bins: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.make pre-commit: passed.- Completed test/fuzz module-alias residual scan: passed.
- Rust risk scan: diff-only scan found import and call-target rewrites only; no new production unwrap/expect, panic/todo/unsafe, or risky behavior added.
-
Issue #660 API-134 current slice:
cargo check --tests -p rustfs-heal -p rustfs-iam -p rustfs-obs: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.make pre-commit: passed.- Heal/IAM/observability completed-owner module-alias residual scan: passed.
- Rust risk scan: diff-only scan found explicit symbol imports and wrapper calls only; no new unwrap/expect, panic/todo/unsafe, or risky behavior added.
-
Issue #660 API-133 current slice:
cargo check --tests -p rustfs-scanner: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.make pre-commit: passed.- Scanner completed-owner module-alias residual scan: passed.
- Rust risk scan: diff-only scan found explicit symbol imports and wrapper calls only; no new unwrap/expect, panic/todo/unsafe, or risky behavior added.
-
Issue #660 API-132 current slice:
cargo check --tests -p rustfs-notify -p rustfs-s3select-api -p rustfs-protocols --features rustfs-protocols/swift: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.make pre-commit: passed, including clippy, script tests, nextest6518 passed, 111 skipped, and doc-tests.- Completed external owner module-alias residual scan: passed.
- Rust risk scan: diff-only scan found explicit
assymbol imports only; no new unwrap/expect, panic/todo/unsafe, or risky behavior added.
-
Issue #660 API-131 current slice:
cargo check --tests -p rustfs-notify -p rustfs-obs -p rustfs-s3select-api: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.make pre-commit: passed, including clippy, script tests, nextest6518 passed, 111 skipped, and doc-tests.- Nested external production ECStore facade residual scan: passed.
- Rust risk scan: diff-only scan found new
as ecstore_*import aliases only; no new risky behavior added.
-
Issue #660 API-130 current slice:
cargo check --tests -p rustfs-notify -p rustfs-obs -p rustfs-protocols -p rustfs-s3select-api -p e2e_test -p rustfs-heal -p rustfs-scanner -p rustfs-iam: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.make pre-commit: passed, including clippy, script tests, nextest6518 passed, 111 skipped, and doc-tests.- Grouped/raw ECStore facade residual scan outside ECStore: passed.
- Rust risk scan: diff-only scan found path-rewritten existing test unwraps/expects only; no new risky behavior added.
-
Issue #660 API-129 current slice:
cargo check --tests -p rustfs: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.make pre-commit: passed, including clippy, script tests, nextest6509 passed, 111 skipped, and doc-tests.- RustFS direct ECStore facade residual scan outside owner modules: passed.
- Rust risk scan: diff-only scan found no new unwrap/expect, panic/todo, debug prints, relaxed ordering, or integer casts.
-
Issue #660 API-128 current slice:
cargo check --tests -p rustfs: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- RustFS owner compatibility bridge residual scan: passed.
- Rust risk scan: diff-only scan found path-rewritten existing test unwraps, test expects, and part-number casts only; no new risky behavior added.
make pre-commit: passed, including 6509 nextest tests passed and 111 skipped.
-
Issue #660 API-127 current slice:
cargo check --tests -p rustfs-iam -p rustfs-heal -p rustfs-scanner: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- External owner compatibility bridge residual scan: passed.
- Rust risk scan: diff-only scan found no new unwrap/expect, numeric casts, string-error public APIs, boxed public errors, println/eprintln, or relaxed ordering.
-
Issue #660 API-126 current slice:
cargo check --tests -p e2e_test -p rustfs-iam -p rustfs-notify -p rustfs-obs -p rustfs-protocols -p rustfs-s3select-api: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Remaining standalone compatibility bridge residual scan: passed.
- Rust risk scan: diff-only scan found no new unwrap/expect, numeric casts, string-error public APIs, boxed public errors, println/eprintln, or relaxed ordering.
-
Issue #660 API-125 current slice:
cargo check --tests -p e2e_test -p rustfs-iam -p rustfs-notify: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Standalone thin compatibility bridge residual scan: passed.
- Rust risk scan: diff-only scan found no new unwrap/expect, numeric casts, string-error public APIs, boxed public errors, println/eprintln, or relaxed ordering.
-
Issue #660 API-124 current slice:
cargo check --tests -p rustfs-heal -p rustfs-scanner: passed.cargo check --manifest-path fuzz/Cargo.toml --bins: passed; transientfuzz/Cargo.lockrefresh was restored to avoid dependency churn.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Test/fuzz compatibility bridge residual scan: passed.
- Rust risk scan: reviewed pre-existing test-only unwrap/expect/panic/unsafe usage; no new production risk.
-
Issue #660 API-123 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Startup compatibility bridge residual scan: passed.
- Rust risk scan: passed.
-
Issue #660 API-122 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Root one-off compatibility bridge residual scan: passed.
- Rust risk scan: passed.
-
Issue #660 API-121 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Runtime local compatibility bridge residual scan: passed.
- Rust risk review on path-only replacements and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-120 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Admin handlers secondary compatibility bridge residual scan: passed.
- Rust risk review on path-only replacements and guard script: passed.
-
Issue #660 API-119 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Nested secondary compatibility bridge residual scan: passed.
- Rust risk review on path-only replacements and guard script: passed.
-
Issue #660 API-118 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Storage secondary compatibility bridge residual scan: passed.
- Rust risk review on path-only replacements and guard script: passed.
-
Issue #660 API-117 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- App/admin secondary compatibility bridge residual scan: passed.
- Rust risk review on path-only replacements and guard script: passed.
-
Issue #660 API-116 current slice:
cargo check --manifest-path fuzz/Cargo.toml --bins: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Fuzz-target local compatibility consumer residual scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
-
Issue #660 API-115 current slice:
cargo check -p rustfs --tests: passed.cargo check -p rustfs-scanner --tests: passed.cargo check -p rustfs-iam --tests: passed.cargo check -p rustfs-obs --tests: passed.cargo check -p rustfs-s3select-api --tests: passed.cargo check -p e2e_test --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Standalone crate local compatibility consumer residual scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-111 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Storage RPC/S3 API local compatibility consumer residual scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-110 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- RustFS local compatibility consumer residual scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-109 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Root compatibility consumer residual scan: passed.
- Storage owner compatibility consumer residual scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-108 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Full RustFS local bridge owner self-path residual scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-107 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Full storage compatibility self-reference residual scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-106 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Full storage compatibility grouped-import residual scan: passed.
- Full storage compatibility raw-facade residual scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-105 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Full storage compatibility raw-facade residual scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-104 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Narrowed local compatibility glob-export scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-103 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Narrowed local compatibility glob-export scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-102 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Storage compatibility consumer residual scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-101 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Owner compatibility consumer residual scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-098 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Direct root capacity/server compatibility consumer residual scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-099 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Startup/init root compatibility consumer residual scan: passed.
- Root startup consumer wrapper residual scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-100 current slice:
cargo check -p rustfs --tests: passed.cargo fmt --all: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Direct root compatibility consumer residual scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-097 current slice:
cargo check -p rustfs -p rustfs-scanner -p rustfs-heal -p e2e_test --tests: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Direct non-compat disk/RPC/warm-backend trait import residual scan: passed.
- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-096 current slice:
cargo check -p rustfs -p rustfs-scanner -p rustfs-heal: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Direct non-compat bucket trait import residual scan: passed.
- Added-line Rust risk scan: passed.
make pre-commit: passed; nextest runa18de942-8181-48fa-adf0-e01c2a5d37c3, 6354 passed, 111 skipped; doctests passed.
-
Issue #660 API-095 current slice:
cargo check -p rustfs: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- RustFS root/e2e raw facade path residual scan: passed.
- Rust risk scan on changed Rust files: passed.
make pre-commit: passed; nextest runa1771057-5015-4861-9a38-b856c8abb6f6, 6354 passed, 111 skipped; doctests passed.
-
Issue #660 API-094 current slice:
cargo check -p rustfs: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Consumer raw facade path residual scan: passed.
- Rust risk scan on changed Rust files: passed.
make pre-commit: passed.
-
Issue #660 API-093 current slice:
cargo check -p rustfs: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- RustFS app/admin raw facade path residual scan: passed.
- Rust risk scan on changed Rust files: passed.
make pre-commit: passed.
-
Issue #660 API-092 current slice:
cargo check -p rustfs: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- RustFS storage-owner raw facade path residual scan: passed.
- Rust added-line risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-091 current slice:
cargo check -p rustfs: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Outer app/admin/storage raw signature facade path residual scan: passed.
- Rust added-line risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-090 current slice:
cargo check -p rustfs: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Outer app/admin/storage object/error facade alias residual scan: passed.
- Rust added-line risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-089 current slice:
cargo check -p rustfs -p rustfs-scanner -p rustfs-heal -p e2e_test: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- ECStore API re-export residual scan for compatibility boundaries: passed.
- Rust added-line risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-087 current slice:
cargo check -p rustfs: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Storage-owner ECStore API re-export residual scan: passed.
- Rust added-line risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-086 current slice:
cargo check -p rustfs: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Root runtime ECStore API re-export residual scan: passed.
- Rust added-line risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-085 current slice:
cargo check --tests -p rustfs-heal -p rustfs-scanner: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Test/fuzz grouped compatibility passthrough residual scans: passed.
- Rust added-line risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-084 current slice:
cargo check --tests -p rustfs-scanner -p rustfs-notify -p rustfs-obs -p e2e_test: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Scanner/notify/obs/e2e broad compatibility residual scans: passed.
- Rust added-line risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-083 current slice:
cargo check -p rustfs --lib: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Admin/app broad compatibility export scans: passed.
- Rust added-line risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-082 current slice:
cargo check -p rustfs --lib: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Storage compatibility residual scan excluding
storage_compat.rs: passed. - Broad storage compatibility export scan: passed.
- Rust added-line risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-081 current slice:
cargo check -p rustfs --lib: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Admin compatibility residual scan for broad
com, bareinit, and old config IO call paths: passed. - Rust added-line risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-080 current slice:
cargo check -p rustfs --lib: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Rust added-line risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 C-013 current slice:
cargo test -p rustfs-concurrency workload::tests:: -- --nocapture: passed.cargo test -p rustfs --lib workload_admission::tests:: -- --nocapture: passed.cargo check -p rustfs-concurrency: passed.cargo check -p rustfs --lib: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed.- Rust added-line risk scan on changed Rust files: passed.
make pre-commit: passed.
-
Issue #660 API-079 current slice:
cargo check -p rustfs --lib: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Rust added-line risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 C-012 current slice:
cargo test -p rustfs --lib storage::backpressure::tests:: -- --nocapture: passed.cargo test -p rustfs --lib storage::deadlock_detector::tests:: -- --nocapture: passed.cargo check -p rustfs --lib: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed.- Rust added-line risk scan on changed storage Rust files: passed.
make pre-commit: passed.
-
Issue #660 C-011 current slice:
cargo test -p rustfs --lib storage::deadlock_detector::tests::test_request_hang_policy_projects_to_concurrency_and_core_config -- --nocapture: passed.cargo test -p rustfs --lib storage::backpressure::tests::test_backpressure_policy_projects_to_concurrency_and_core_config -- --nocapture: passed.cargo check -p rustfs --lib: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed.- Rust added-line risk scan on changed storage Rust files: passed.
make pre-commit: passed.
-
Issue #660 C-004/C-005/C-006 current slice:
cargo test -p rustfs-ecstore cluster -- --nocapture: passed, 7 tests.cargo check -p rustfs-ecstore --all-targets: passed.cargo check -p rustfs --lib --bins: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed.- Rust added-line risk scan on changed Rust files: passed.
make pre-commit: passed.
-
Issue #660 C-001/C-002/C-003 current slice:
cargo check -p rustfs-ecstore --all-targets: passed.cargo check -p rustfs --lib --bins: passed.cargo test -p rustfs-ecstore cluster -- --nocapture: passed; 4 tests.cargo test -p rustfs --lib runtime_capabilities -- --nocapture: passed; 3 tests.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed.- Rust added-line risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-078 current slice:
cargo check -p rustfs-ecstore --all-targets: passed.cargo check -p rustfs --lib --bins: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed.- Rust added-line risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 R-069 current slice:
cargo check -p rustfs --lib: passed.cargo check -p rustfs --bins: passed.cargo test -p rustfs --lib startup_ -- --nocapture: passed; 53 tests.cargo fmt --all: applied formatting.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed../scripts/check_unsafe_code_allowances.sh: passed.- Startup public owner scan: passed; only
startup_entrypoint::run_processremains public. - Rust added-line risk scan on changed Rust files and guard script: passed.
make pre-commit: passed.
-
Issue #660 API-077 current slice:
cargo check -p rustfs-ecstore --all-targets: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed.- Rust added-line risk scan on changed Rust files: passed.
make pre-commit: passed; nextest ran 6340 tests with 6340 passed, 111 skipped, and doctests passed.
-
Issue #660 API-076 current slice:
cargo check --tests -p rustfs-ecstore -p rustfs -p rustfs-scanner -p rustfs-heal -p rustfs-iam -p rustfs-notify -p rustfs-obs -p rustfs-protocols -p rustfs-s3select-api -p e2e_test: passed.cargo check --benches -p rustfs-ecstore: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed../scripts/check_unsafe_code_allowances.sh: passed.- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed; nextest ran 6341 tests with 6341 passed, 111 skipped, and doctests passed.
-
Issue #660 API-075 current slice:
cargo check --tests -p rustfs-ecstore -p rustfs -p rustfs-scanner -p rustfs-heal -p rustfs-iam -p rustfs-notify -p rustfs-obs -p rustfs-protocols -p rustfs-s3select-api -p e2e_test: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed; nextest ran 6341 tests with 6341 passed, 111 skipped, and doctests passed.
-
Issue #660 API-074 current slice:
bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed.- Direct old ECStore path scan in non-ECStore
storage_compat.rsboundaries: passed. cargo fmt --all --check: passed.git diff --check: passed.make pre-commit: passed; nextest ran 6341 tests with 6341 passed, 111 skipped, and doctests passed.
-
Issue #660 API-073 current slice:
cargo check --tests -p rustfs-ecstore -p rustfs -p rustfs-scanner -p rustfs-heal -p rustfs-iam -p rustfs-notify -p rustfs-obs -p rustfs-protocols -p rustfs-s3select-api -p e2e_test: passed.cargo check --manifest-path fuzz/Cargo.toml --all-targets: passed; Cargo refreshed the fuzz lockfile during verification and the generated lockfile change was not retained.cargo fmt --all --check: passed.git diff --check: passed.- Direct old ECStore facade path scan in outer storage compatibility boundaries: passed.
bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed../scripts/check_unsafe_code_allowances.sh: passed.- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed; nextest ran 6341 tests with 6341 passed, 111 skipped, and doctests passed.
-
Issue #660 R-068 current slice:
cargo check -p rustfs --lib --bins: passed.cargo test -p rustfs --lib startup_ -- --nocapture: passed; 53 tests.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed../scripts/check_unsafe_code_allowances.sh: passed.- Rust risk scan on changed Rust files and guard script: passed; only existing test-only
expectcalls were present. make pre-commit: passed; nextest ran 6341 tests with 6341 passed, 111 skipped, and doctests passed.
-
Issue #660 API-072 current slice:
cargo check --tests -p rustfs-ecstore: passed.cargo check --tests -p rustfs -p rustfs-scanner -p rustfs-obs -p rustfs-iam -p rustfs-heal -p rustfs-protocols -p rustfs-s3select-api: passed.cargo fmt --all --check: passed.git diff --check: passed.bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed../scripts/check_unsafe_code_allowances.sh: passed.- Rust risk scan on changed Rust files and guard script: passed.
make pre-commit: passed; nextest ran 6341 tests with 6341 passed, 111 skipped, and doctests passed.
-
Issue #660 R-056/R-067 current slice:
cargo test -p rustfs --lib startup_kms -- --nocapture: passed; 2 tests.cargo test -p rustfs --lib startup_iam -- --nocapture: passed; 8 tests.cargo test -p rustfs --lib startup_ -- --nocapture: passed; 53 tests.cargo test -p rustfs --lib startup_audit -- --nocapture: passed; 2 tests.cargo test -p rustfs --lib startup_notification -- --nocapture: passed; 1 test.cargo check -p rustfs --lib --bins: passed.cargo check -p rustfs --lib: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed../scripts/check_unsafe_code_allowances.sh: passed.- Rust risk scan on changed Rust files: passed; only test-only
expectcalls were present. make pre-commit: passed; nextest ran 6341 tests with 6341 passed, 111 skipped, and doctests passed.
-
Issue #660 R-054/R-055 current slice:
cargo test -p rustfs --lib startup_ -- --nocapture: passed; 51 tests.cargo check -p rustfs --lib: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed../scripts/check_unsafe_code_allowances.sh: passed.- Rust risk scan on changed Rust files: passed; only a test-only
expectcall was present. make pre-commit: passed; nextest ran 6339 tests with 6339 passed, 111 skipped, and doctests passed.
-
Issue #660 R-052/R-053 current slice:
cargo test -p rustfs --lib startup_iam -- --nocapture: passed.cargo check -p rustfs --lib: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed../scripts/check_unsafe_code_allowances.sh: passed.- Rust risk scan on changed Rust files: passed; only a test-only
expectcall was present. make pre-commit: passed; nextest ran 6336 tests with 6336 passed and 111 skipped, and doctests passed.
-
Issue #660 R-050/R-051 current slice:
cargo test -p rustfs --lib startup_server -- --nocapture: passed.cargo test -p rustfs --lib startup_embedded -- --nocapture: passed.cargo test -p rustfs --lib embedded -- --nocapture: passed.cargo check -p rustfs --lib: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed../scripts/check_unsafe_code_allowances.sh: passed.- Rust risk scan on changed Rust files: passed; only test-only
expectcalls were present. make pre-commit: passed; nextest ran 6329 tests with 6329 passed and 111 skipped, and doctests passed.
-
Issue #660 R-048/R-049 current slice:
cargo test -p rustfs --lib startup_embedded -- --nocapture: passed.cargo test -p rustfs --lib embedded -- --nocapture: passed.cargo check -p rustfs --lib: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed../scripts/check_unsafe_code_allowances.sh: passed.- Rust risk scan on changed Rust files: passed; no risky-token matches were present in changed Rust files.
make pre-commit: passed; nextest ran 6329 tests with 6329 passed and 111 skipped, and doctests passed.
-
Issue #660 R-046/R-047 current slice:
cargo test -p rustfs --lib startup_embedded -- --nocapture: passed.cargo test -p rustfs --lib embedded -- --nocapture: passed.cargo check -p rustfs --lib: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed../scripts/check_unsafe_code_allowances.sh: passed.- Rust risk scan on changed Rust files: passed; matches were limited to existing embedded doc examples.
make pre-commit: passed; nextest ran 6324 tests with 6324 passed and 111 skipped, and doctests passed.
-
Issue #660 R-044/R-045 current slice:
cargo test -p rustfs --lib embedded -- --nocapture: passed.cargo test -p rustfs --lib startup_embedded -- --nocapture: passed.cargo test -p rustfs --lib startup_server -- --nocapture: passed.cargo check -p rustfs --lib: passed.cargo fmt --all --check: passed.git diff --check: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Rust risk scan on changed Rust files: passed; matches were limited to
existing doc examples and test-only
expectcalls. ./scripts/check_unsafe_code_allowances.sh: passed after avoiding a localpipefailfalse positive whenrg -qfinds nearbySAFETY:comments.make pre-commit: passed.
-
Issue #660 R-042/R-043 current slice:
cargo test -p rustfs --lib startup_lifecycle -- --nocapture: passed.cargo test -p rustfs --lib startup_shutdown -- --nocapture: passed.cargo test -p rustfs --lib embedded -- --nocapture: passed.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; the only production risky
token was the intended move of embedded drop
remove_dir_allcleanup from the public embedded handle intostartup_shutdown. ./scripts/check_unsafe_code_allowances.sh: passed.make pre-commit: passed.
-
Issue #660 R-040/R-041 current slice:
cargo test -p rustfs --lib embedded -- --nocapture: passed.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; newly added risky-token
matches were empty, and the changed-file scan only matched the existing
embedded
Dropcleanup path. make pre-commit: passed.
-
Issue #660 R-038/R-039 current slice:
cargo test -p rustfs --lib startup_lifecycle -- --nocapture: passed.cargo test -p rustfs --lib startup_shutdown -- --nocapture: passed.cargo test -p rustfs --lib embedded -- --nocapture: passed.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: reviewed; newly added risky-token
matches were limited to test-only
expectcalls, and broader changed-file matches were pre-existing lifecycle/doc examples plus cleanup paths. make pre-commit: passed.
-
Issue #660 R-036/R-037 current slice:
cargo test -p rustfs --lib startup_server -- --nocapture: passed.cargo test -p rustfs --lib embedded -- --nocapture: passed.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; only test-only
expectcalls and the existing embedded temp-dir cleanup path were present. make pre-commit: passed.
-
Issue #660 R-034/R-035 current slice:
cargo test -p rustfs --lib startup_runtime_hooks -- --nocapture: passed.cargo test -p rustfs --lib embedded -- --nocapture: passed; no matching unit tests currently exist.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; only existing default credential fields and moved temp-dir cleanup paths were present.
make pre-commit: passed.
-
Issue #660 R-031 current slice:
cargo test -p rustfs --lib startup_lifecycle -- --nocapture: passed; no matching unit tests currently exist.cargo test -p rustfs --lib embedded -- --nocapture: passed; no matching unit tests currently exist.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; only existing embedded doc
examples use
Box<dyn Error>/println!. make pre-commit: passed.
-
Issue #660 R-032 current slice:
cargo test -p rustfs-targets ops_profiler -- --nocapture: passed.cargo test -p rustfs-targets builtin_ops_profiler -- --nocapture: passed.cargo test -p rustfs --lib extension_catalog -- --nocapture: passed.cargo check -p rustfs-targets: passed.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; only test-only expectations/assertion paths were present.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 R-033 current slice:
cargo test -p rustfs --lib extension_catalog -- --nocapture: passed.cargo test -p rustfs-targets ops_diagnostics -- --nocapture: passed.cargo test -p rustfs-targets ops_profiler -- --nocapture: passed.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; only test-only expectations/assertion paths were present.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 E-001/E-SET-001 current slice:
cargo test -p rustfs-ecstore test_eset -- --nocapture: passed.cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; only test-only expectation paths were present.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 E-002/E-LAYOUT-001 current slice:
cargo test -p rustfs-ecstore format::test -- --nocapture: passed.cargo test -p rustfs-ecstore disks_layout -- --nocapture: passed.cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; only existing test-only unwrap/println/panic/expect paths were present.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 E-003/E-LAYOUT-002 current slice:
cargo test -p rustfs-ecstore layout::endpoint -- --nocapture: passed.cargo test -p rustfs-ecstore layout::endpoints -- --nocapture: passed.cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; only existing endpoint production/test unwrap and expectation paths were moved.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 E-004/E-LAYOUT-003 current slice:
cargo test -p rustfs-ecstore layout::set_heal -- --nocapture: passed.cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; only test-only unwrap expectations were added around deterministic helper construction.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 E-005/E-LAYOUT-004 current slice:
cargo test -p rustfs-ecstore layout::pool_space -- --nocapture: passed.cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; only existing
store.rstest-onlyexpectcalls and an existingResult<String>method signature were present outside the moved helper body. make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 E-006/E-REBALANCE-001 current slice:
cargo test -p rustfs-ecstore store::rebalance -- --nocapture: passed.cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; no risky added lines were introduced.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 E-007/E-LAYOUT-005 current slice:
cargo test -p rustfs-ecstore layout::pool_space -- --nocapture: passed.cargo test -p rustfs-ecstore store::rebalance -- --nocapture: passed.cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; added cast lines are moved capacity math from the existing implementation.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 E-008/E-REBALANCE-002 current slice:
cargo test -p rustfs-ecstore rebalance::rebalance_unit_tests -- --nocapture: passed.cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 E-009/E-REBALANCE-003 current slice:
cargo test -p rustfs-ecstore rebalance::rebalance_unit_tests -- --nocapture: passed.cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 E-012/E-REBALANCE-006 current slice:
cargo test -p rustfs-ecstore rebalance::rebalance_unit_tests -- --nocapture: passed.cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; added casts are moved pool-index accounting from the existing implementation and remain guarded.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 E-013/E-REBALANCE-007 current slice:
cargo test -p rustfs-ecstore rebalance::rebalance_unit_tests -- --nocapture: passed.cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; moved casts are existing pool completion math and remain guarded.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 E-014/E-REBALANCE-008 current slice:
cargo test -p rustfs-ecstore rebalance::rebalance_unit_tests -- --nocapture: passed.cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; moved casts and unwraps are existing test or migration-flow code and remain guarded.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 E-015/E-REBALANCE-009 current slice:
cargo test -p rustfs-ecstore rebalance::rebalance_unit_tests -- --nocapture: passed../scripts/check_unsafe_code_allowances.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; the runtime diff is a test module move plus a SAFETY-comment proximity fix required by the guard.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 E-016/E-REBALANCE-010 current slice:
cargo test -p rustfs-ecstore rebalance::rebalance_unit_tests -- --nocapture: passed.cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal: passed../scripts/check_unsafe_code_allowances.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed; production changes are a type-contract move and existing Windows FFI casts remain unchanged.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 X-012 current slice:
cargo test -p rustfs-extension-schema: passed.cargo check -p rustfs-extension-schema: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 X-013 current slice:
cargo test -p rustfs-extension-schema: passed.cargo check -p rustfs-extension-schema: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 R-021 current slice:
cargo test -p rustfs --lib startup_optional_runtimes -- --nocapture: passed.cargo test -p rustfs --lib startup_services -- --nocapture: passed.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 R-022 current slice:
cargo test -p rustfs --lib startup_optional_runtimes -- --nocapture: passed.cargo test -p rustfs --lib startup_protocols -- --nocapture: passed.cargo test -p rustfs --lib startup_services -- --nocapture: passed.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 R-023 current slice:
cargo test -p rustfs --lib startup_shutdown -- --nocapture: passed.cargo test -p rustfs --lib startup_services -- --nocapture: passed.cargo test -p rustfs --lib startup_optional_runtimes -- --nocapture: passed.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 R-024 current slice:
cargo test -p rustfs --lib startup_lifecycle -- --nocapture: passed.cargo test -p rustfs --lib startup_services -- --nocapture: passed.cargo test -p rustfs --lib startup_shutdown -- --nocapture: passed.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 R-025 current slice:
cargo test -p rustfs --lib startup_service_components -- --nocapture: passed.cargo test -p rustfs --lib startup_services -- --nocapture: passed.cargo test -p rustfs --lib startup_lifecycle -- --nocapture: passed.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 R-026 current slice:
cargo test -p rustfs --lib startup_optional_runtime_sidecars -- --nocapture: passed.cargo test -p rustfs --lib startup_optional_runtimes -- --nocapture: passed.cargo test -p rustfs --lib startup_shutdown -- --nocapture: passed.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 R-027 current slice:
cargo test -p rustfs --lib startup_runtime_hooks -- --nocapture: passed.cargo test -p rustfs --lib startup_profiling -- --nocapture: passed.cargo test -p rustfs --lib startup_runtime -- --nocapture: passed.cargo test -p rustfs --lib startup_shutdown -- --nocapture: passed.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 R-020 current slice:
cargo test -p rustfs --lib startup_profiling -- --nocapture: passed.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan on changed Rust files: passed.
make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 API-056/R-016 current slice:
cargo test -p rustfs --lib runtime_capabilities -- --nocapture: passed.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 API-055/SCH-001 current slice:
cargo test -p rustfs --lib storage::concurrency::manager::integration_tests -- --nocapture: passed.cargo check -p rustfs --lib: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 PR-05/PR-07 current slice:
cargo test -p rustfs-concurrency --no-fail-fast: passed.cargo check -p rustfs-concurrency: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.make pre-commit: passed.- Three-expert review: passed.
-
Issue #660 PR-08/PR-09 current slice:
cargo test -p rustfs-storage-api: passed.cargo check -p rustfs-storage-api: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.make pre-commit: passed.- Three-expert review: passed.
-
G-011/G-012/G-013 current slice:
./scripts/check_architecture_migration_rules.sh: passed.git diff --check: passed.- Three-expert review: passed.
- Full
make pre-commit: not run because this slice is documentation-only.
-
API-054 current slice:
cargo check -p rustfs --lib: passed.cargo check --tests -p rustfs: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; only existing import and path rewrites were reviewed, with no new unwrap/expect, panic/todo/unsafe, risky casts, ad-hoc error construction, or sensitive-token handling semantics.
-
API-053 current slice:
cargo check -p rustfs --lib: passed.cargo check --tests -p rustfs: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; only existing import and path rewrites were reviewed, with no new unwrap/expect, panic/todo/unsafe, risky casts, ad-hoc error construction, or sensitive-token handling semantics.
make pre-commit: passed.
-
API-052 current slice:
cargo check -p rustfs --lib: passed.cargo check --tests -p rustfs: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; only existing-semantic path replacement hits were reviewed, with no new unwrap/expect, panic/todo/unsafe, risky casts, ad-hoc error construction, or sensitive-token handling semantics.
make pre-commit: passed, including 6250 nextest tests and doctests.
-
API-050 current slice:
cargo test -p rustfs-storage-api lifecycle_helper_defaults_preserve_existing_contracts --no-fail-fast: passed.cargo check --tests -p rustfs-storage-api -p rustfs-ecstore -p rustfs-notify: passed.cargo test -p rustfs-ecstore transitioned --no-fail-fast: passed.cargo test -p rustfs-notify ecstore_object_info_conversion_preserves_notify_event_fields --no-fail-fast: passed.cargo check --tests -p rustfs: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; no new unwrap/expect, panic/todo/unsafe, risky casts, ad-hoc error construction, or sensitive-token handling in added lines.
make pre-commit: passed.
-
API-051 current slice:
cargo check --tests -p e2e_test -p rustfs-heal -p rustfs-scanner: passed.cargo check --manifest-path fuzz/Cargo.toml --all-targets: passed.cargo test -p rustfs-heal --test endpoint_index_test test_endpoint_index_settings --no-fail-fast: passed.cargo test -p rustfs-scanner --test lifecycle_integration_test --no-run: passed.cargo test -p e2e_test --no-run: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; only existing test
unwrapcalls were touched by import path rewrites, with no new unwrap/expect, panic/todo/unsafe, risky casts, ad-hoc error construction, or sensitive-token handling semantics. make pre-commit: passed.
-
S-015 current slice:
cargo test -p rustfs-policy test_legacy_kms_admin_actions_are_rejected --no-fail-fast: passed.cargo test -p rustfs kms_key_auth_actions_use_dedicated_kms_actions --no-fail-fast: passed.cargo test -p rustfs route_policy_records_dedicated_kms_actions --no-fail-fast: passed.cargo test -p rustfs route_policy_rejects_server_info_for_sensitive_kms_actions --no-fail-fast: passed.cargo check --tests -p rustfs-policy -p rustfs: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.make pre-commit: passed.
-
S-014 previous slice:
cargo test -p rustfs kms_key_auth_actions_use_dedicated_kms_actions --no-fail-fast: passed.cargo test -p rustfs route_policy_records_dedicated_kms_actions --no-fail-fast: passed.cargo test -p rustfs route_policy_rejects_server_info_for_sensitive_kms_actions --no-fail-fast: passed.cargo check --tests -p rustfs: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Source marker scan: passed; no non-doc
RUSTFS_COMPAT_TODOmarkers remain. - Rust risk scan: passed; no new unwrap/expect, panic/todo/unsafe, risky casts, ad-hoc error construction, or sensitive-token handling in added lines.
make pre-commit: passed.
-
API-049 current slice:
cargo check --tests -p rustfs-heal -p rustfs-scanner -p e2e_test: passed.cargo check --manifest-path fuzz/Cargo.toml --all-targets: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; no new unwrap/expect, panic/todo/unsafe, risky casts, ad-hoc error construction, or sensitive-token handling in added lines.
make pre-commit: passed.
-
API-048 current slice:
cargo check --tests -p rustfs: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.- Rust risk scan: passed; no new unwrap/expect, panic/todo/unsafe, risky casts, ad-hoc error construction, or sensitive-token handling in added lines.
make pre-commit: passed.
-
API-047 current slice:
cargo check --tests -p rustfs-heal -p rustfs-scanner: passed.cargo test -p rustfs-heal -p rustfs-scanner: passed, 290 tests passed and 14 ignored../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; the only match was a test-only scanner config init re-export.
-
API-046 current slice:
cargo check --tests -p rustfs-iam -p rustfs-protos: passed.cargo test -p rustfs-iam: passed, 150 tests../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: reviewed added lines; only existing error-mapping behavior was renamed to IAM-local compatibility aliases.
make pre-commit: passed.
-
API-042 current slice:
cargo check --tests -p rustfs-notify -p rustfs: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error public APIs, boxed public errors, production println/eprintln, or relaxed ordering introduced in changed Rust files.
make pre-commit: passed.
-
API-043 current slice:
cargo test -p rustfs-notify storage_compat::tests::ecstore_object_info_conversion_preserves_notify_event_fields: passed.cargo check --tests -p rustfs-notify -p rustfs: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error public APIs, boxed public errors, production println/eprintln, or relaxed ordering introduced in changed Rust files.
make pre-commit: passed, including 6245 nextest tests passed and 111 skipped.
-
API-044 current slice:
cargo check --tests -p rustfs-s3select-api -p rustfs-notify -p rustfs: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error public APIs, boxed public errors, production println/eprintln, or relaxed ordering introduced in changed Rust files.
make pre-commit: passed, including 6245 nextest tests passed and 111 skipped.
-
API-045 current slice:
cargo check --tests -p rustfs-obs -p rustfs-s3select-api -p rustfs-notify -p rustfs: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error public APIs, boxed public errors, production println/eprintln, or relaxed ordering introduced in changed Rust files.
make pre-commit: passed, including 6245 nextest tests passed and 111 skipped.
-
API-041 current slice:
bash -n scripts/check_architecture_migration_rules.sh: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; no Rust code changed.
make pre-commit: passed.
-
API-040 current slice:
./scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error public APIs, boxed public errors, production println/eprintln, or relaxed ordering introduced in changed Rust files.
make pre-commit: passed.
-
API-039 current slice:
cargo check --tests -p rustfs -p rustfs-scanner -p rustfs-heal -p rustfs-protocols -p rustfs-s3select-api -p rustfs-iam -p rustfs-notify: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error public APIs, boxed public errors, production println/eprintln, or relaxed ordering introduced in changed Rust files.
make pre-commit: passed.
-
API-038 current slice:
cargo check --tests -p rustfs -p rustfs-scanner -p rustfs-heal -p rustfs-protocols -p rustfs-s3select-api -p rustfs-iam -p rustfs-notify: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error public APIs, boxed public errors, production println/eprintln, or relaxed ordering introduced in changed Rust files.
make pre-commit: passed.
-
API-037 current slice:
cargo check --tests -p rustfs-ecstore -p rustfs -p rustfs-scanner: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error public APIs, boxed public errors, production println/eprintln, or relaxed ordering introduced in changed Rust files.
make pre-commit: passed.
-
API-036 current slice:
cargo test -p rustfs-storage-api: passed.cargo check --tests -p rustfs-storage-api -p rustfs-ecstore -p rustfs-scanner -p rustfs: passed../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error public APIs, boxed public errors, production println/eprintln, or relaxed ordering introduced in changed Rust files.
make pre-commit: passed.
API-035 prior slice:
cargo check --tests -p rustfs-scanner -p rustfs-heal -p rustfs-iam: passed.cargo check --tests -p rustfs-protocols --features swift: passed.cargo check --tests -p rustfs -p rustfs-scanner -p rustfs-heal -p rustfs-iam -p rustfs-notify -p rustfs-obs -p rustfs-s3select-api -p e2e_test: passed.cargo check --manifest-path fuzz/Cargo.toml --bins: passed.rg -n 'rustfs_ecstore' crates/scanner/src crates/heal/src crates/protocols/src/swift crates/iam/src/store --glob '*.rs': remaining matches are deliberate compatibility boundary definitions../scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error public APIs, boxed public errors, production println/eprintln, or relaxed ordering introduced in changed Rust files.
make pre-commit: passed.
Earlier API-033 verification retained in prior branch/PR:
cargo check --tests -p rustfs -p rustfs-obs -p rustfs-notify -p rustfs-s3select-api -p rustfs-iam: passed.cargo check --manifest-path fuzz/Cargo.toml --bins: passed.rg -n 'rustfs_ecstore' rustfs/src crates/obs/src crates/notify/src crates/s3select-api/src crates/iam/src --glob '*.rs': remaining matches are deliberate compatibility boundary definitions.- Direct import scan for target scanner/heal/e2e/fuzz paths: passed; remaining matches are deliberate compatibility boundary definitions.
./scripts/check_architecture_migration_rules.sh: passed../scripts/check_layer_dependencies.sh: passed.cargo fmt --all --check: passed.git diff --check: passed.- Rust risk scan: reviewed added
.unwrap()matches as preserved test setup unwraps caused by path rewrite formatting; no new risky behavior added. make pre-commit: passed.
Notes:
- This larger slice is based on
origin/mainafterrustfs/rustfs#3572merged. - Direct ECStore imports in the target runtime/obs/notify/S3 Select/IAM and scanner/heal/e2e/fuzz areas now remain only in local compatibility boundary modules.
- The slice does not alter startup behavior, readiness behavior, table catalog object I/O, notification persistence, S3 Select reads, IAM error mapping, observability metrics, test/fuzz semantics, or ECStore definitions.
Handoff Notes
- Continue with larger consumer-migration batches outside the cleaned app/storage/admin/scanner/heal/Swift/runtime/obs/notify/S3 Select/IAM/test and fuzz boundaries; keep ECStore-owned behavior in ECStore until concrete behavior is isolated enough for a pure-move slice.