mirror of
https://github.com/rustfs/rustfs.git
synced 2026-07-02 00:34:41 +08:00
6946 lines
402 KiB
Markdown
6946 lines
402 KiB
Markdown
# Architecture Migration Progress
|
|
|
|
Status values: `[ ]` not started, `[~]` in progress, `[x]` complete, `[!]` blocked.
|
|
|
|
## Current Context
|
|
|
|
- Issue: [`rustfs/backlog#660`](https://github.com/rustfs/backlog/issues/660)
|
|
- Branch: `overtrue/arch-iam-global-read-batch`
|
|
- Baseline: completed `C-011/C-012/C-013/API-055/API-059/API-079/API-080/API-081/API-082/API-083/API-084/API-085/API-086/API-087/API-088/API-089/API-090/API-091/API-092/API-093/API-094/API-095/API-096/API-097/API-098/API-099/API-100/API-101/API-102/API-103/API-104/API-105/API-106/API-107/API-108/API-109/API-110/API-111/API-112/API-113/API-114/API-115/API-116/API-117/API-118/API-119/API-120/API-121/API-122/API-123/API-124/API-125/API-126/API-127/API-128/API-129/API-130/API-131/API-132/API-133/API-134/API-135/API-136/API-137/API-138/API-139/API-140/API-141/API-142/API-143/API-144/API-145/API-146/API-147/API-148/API-149/API-150/API-151/API-152/API-153/API-154/API-155/API-156/API-157/API-158/API-159/API-160/API-161/API-162/API-163/API-164/API-165/API-166/API-167/API-168/API-169/API-170/API-171/API-172/API-173/API-174/API-175/API-176/API-177/API-178`.
|
|
- Based on: API-171 through API-177 prepared in PR #3785; this branch batches
|
|
the next IAM consumer migration on top of that branch.
|
|
- PR type for this branch: `consumer-migration`
|
|
- Runtime behavior changes: none.
|
|
- Rust code changes: route replication pool, outbound TLS generation, runtime
|
|
region, KMS encryption service, runtime support handles, S3 Select DB,
|
|
internode RPC metrics, and IAM authorization/handler reads through
|
|
AppContext-first resolvers.
|
|
- CI/script changes: lock completed owner and test/fuzz boundaries against
|
|
bare/glob imports, scattered raw ECStore facade subpaths, and startup
|
|
runtime/root-server/table/S3/app shared/app bucket/app ECStore/admin facade
|
|
regressions, plus external runtime, test, fuzz, and storage-owner module
|
|
ECStore compatibility bypasses, plus runtime crate, owner crate, test/fuzz,
|
|
and storage owner thin bridge regressions, plus app context and notify
|
|
event-bridge thin module regressions; accept the reviewed AppContext resolver
|
|
reverse dependencies in the layer baseline.
|
|
- Docs changes: record the API-136 through API-178 owner facade cleanup.
|
|
|
|
## Phase 0 Tasks
|
|
|
|
- [x] `G-001` Refresh `main` and record baseline.
|
|
- Acceptance: baseline commit, title, and branch are recorded.
|
|
- Verification: `git fetch upstream main --prune`; `git rev-parse upstream/main`.
|
|
- [x] `G-002` Create migration tracking checklist.
|
|
- Acceptance: this file records task state, context, verification, and handoff.
|
|
- [x] `G-003` Classify PR types.
|
|
- Acceptance: [`crate-boundaries.md`](crate-boundaries.md) lists exactly one
|
|
allowed PR type per PR.
|
|
- [x] `G-004` Define re-export and wrapper policy.
|
|
- Acceptance: temporary compatibility code must use `RUSTFS_COMPAT_TODO`.
|
|
- [x] `G-005` Add dependency direction guard.
|
|
- Acceptance: `./scripts/check_layer_dependencies.sh` passes on current
|
|
`upstream/main` while still rejecting new unaccepted layer dependencies.
|
|
- [x] `G-006` Create migration loss-prevention checks.
|
|
- Completed slices: add a mechanical admin route matrix guard from
|
|
[`admin-route-action-snapshot.md`](admin-route-action-snapshot.md) and
|
|
`rustfs/src/admin/route_registration_test.rs`; add migration rules for
|
|
public storage-api re-export coverage, ECStore compatibility-test coverage,
|
|
and a production-source guard against reintroducing the removed
|
|
`StorageAPI` aggregate facade identifier; add a source guard that rejects
|
|
direct `rustfs_ecstore` imports outside compatibility boundary modules; add
|
|
a guard that rejects production compatibility boundaries hiding unused
|
|
ECStore re-exports.
|
|
- Acceptance: architecture migration rules fail if the public storage-api
|
|
contract re-export surface drifts or if ECStore compile-time compatibility
|
|
tests for the remaining storage-admin and namespace-lock contracts are
|
|
removed.
|
|
- [x] `G-007` Create startup timeline table.
|
|
- Acceptance: [`startup-timeline.md`](startup-timeline.md) records current
|
|
binary startup order, side effects, fatal boundaries, and readiness stages.
|
|
- [x] `G-008` Capture admin route-action snapshot.
|
|
- Acceptance: [`admin-route-action-snapshot.md`](admin-route-action-snapshot.md)
|
|
records current route families, handler ownership, authorization actions,
|
|
public exceptions, table-catalog routes, and `/minio/admin` compatibility
|
|
alias behavior.
|
|
- [x] `G-009` Enforce pre-push three-expert review.
|
|
- Acceptance: [`crate-boundaries.md`](crate-boundaries.md) requires
|
|
quality/architecture, migration-preservation, and testing/verification review
|
|
before push.
|
|
- [x] `G-010` Inventory `ecstore::config::{Config, KV, KVS}` consumers.
|
|
- Acceptance:
|
|
[`ecstore-config-consumer-inventory.md`](ecstore-config-consumer-inventory.md)
|
|
records the current model definitions, global accessors, persistence helpers,
|
|
consumer groups, migration risks, and do-not-change contract.
|
|
- [x] `G-011` Inventory scheduler baseline.
|
|
- Acceptance:
|
|
[`scheduler-baseline.md`](scheduler-baseline.md) records current owners for
|
|
request admission, reusable scheduler/backpressure facades, workers, scanner
|
|
budget, heal admission, and the Tokio runtime builder.
|
|
- Must preserve: no Rust source changes, no scheduler/controller contract
|
|
changes, and no runtime behavior changes.
|
|
- [x] `C-011-POLICY` Bridge storage concurrency policies.
|
|
- Completed slice: add explicit projections from storage object backpressure
|
|
and request hang/deadlock policies into the shared `rustfs-concurrency`
|
|
facade and reusable `rustfs-io-core` configs.
|
|
- Acceptance: storage keeps existing env/default ownership and runtime
|
|
behavior, while later controller/read-only status work can consume the
|
|
shared facade policy shape instead of duplicating field mapping.
|
|
- Must preserve: no worker start/stop, no object pipe state-machine change, no
|
|
deadlock detector lifecycle change, no metrics label change, and no S3 I/O
|
|
behavior change.
|
|
- Verification: storage backpressure/deadlock policy tests, compile coverage,
|
|
formatting, diff hygiene, risk scan, architecture guard, pre-commit quality
|
|
gate, and three-expert review.
|
|
- [x] `C-012-POLICY` Consume storage concurrency policy bridges.
|
|
- Completed slice: route object backpressure threshold derivation and request
|
|
hang/deadlock runtime policy reads through the shared `rustfs-concurrency`
|
|
facade policies.
|
|
- Acceptance: storage keeps env/default ownership and local state machines,
|
|
while threshold and hang-policy consumption is anchored on the shared
|
|
concurrency policy shapes.
|
|
- Must preserve: no worker start/stop, no object pipe state-machine change, no
|
|
deadlock detector lifecycle change, no metrics label change, and no S3 I/O
|
|
behavior change.
|
|
- Verification: storage backpressure/deadlock consumer tests, compile
|
|
coverage, formatting, diff hygiene, risk scan, architecture guard,
|
|
pre-commit quality gate, and three-expert review.
|
|
- [x] `C-013-ADMISSION` Compose workload admission providers.
|
|
- Completed slice: add workload admission registry overlay support, compose
|
|
the RustFS workload admission provider from the storage concurrency
|
|
provider plus RustFS runtime owner snapshots, and guard the composition
|
|
boundary.
|
|
- Acceptance: foreground-read admission remains owned by the storage
|
|
concurrency provider, RustFS runtime owner snapshots overlay metadata,
|
|
scanner, repair, replication, and foreground-write status, and later
|
|
controller/status work can consume one provider-composed registry.
|
|
- Must preserve: disk-read semaphore acquisition, scanner activity counter,
|
|
heal task/queue counters, replication worker/queue stats, metadata runtime
|
|
initialization checks, object write paths, and queue behavior.
|
|
- Verification: workload contract tests, RustFS workload admission tests,
|
|
compile coverage, formatting, diff hygiene, risk scan, architecture guard,
|
|
pre-commit quality gate, and three-expert review.
|
|
- [x] `API-079` Prune root runtime bucket compatibility modules.
|
|
- Completed slice: collapse RustFS root `storage_compat.rs` bucket
|
|
metadata/quota module passthroughs into explicit notification-config,
|
|
table-catalog metadata, and quota-error aliases, and guard the boundary
|
|
against broad module restores.
|
|
- Acceptance: root runtime consumers use direct compatibility aliases for
|
|
bucket notification loading, table-catalog metadata checks, and quota error
|
|
mapping, while app/admin/storage owner-local compatibility modules keep
|
|
their narrower module paths until their own cleanup slices.
|
|
- Must preserve: bucket notification loading, notifier event registration,
|
|
table-bucket mutation guards, quota error to S3 error mapping, ECStore
|
|
bucket metadata ownership, and all app/admin/storage compatibility paths.
|
|
- Verification: RustFS compile coverage, formatting, diff hygiene, risk
|
|
scan, architecture guard, pre-commit quality gate, and three-expert review.
|
|
- [x] `API-080` Prune root runtime config and disk compatibility aliases.
|
|
- Completed slice: replace root config `com` passthroughs with explicit
|
|
config read/write aliases for module switches, expose ECStore config
|
|
initialization as `init_ecstore_config`, split disk endpoint access into an
|
|
explicit `Endpoint` alias, and guard these root aliases against broad
|
|
module restores.
|
|
- Acceptance: startup storage initializes ECStore config through a direct
|
|
compatibility alias, module switch persistence uses direct config IO
|
|
aliases, root runtime disk endpoint consumers keep the same endpoint type,
|
|
and app/admin/storage local compatibility modules remain unchanged for
|
|
their own cleanup slices.
|
|
- Must preserve: startup storage initialization order, global config
|
|
migration/retry behavior, module switch persistence semantics, endpoint
|
|
parsing/layout behavior, local disk and lock-client initialization,
|
|
readiness marking, and all app/admin/storage compatibility paths.
|
|
- Verification: RustFS compile coverage, formatting, diff hygiene, risk
|
|
scan, architecture guard, pre-commit quality gate, and three-expert review.
|
|
- [x] `API-081` Prune admin config compatibility aliases.
|
|
- Completed slice: replace admin config `com` and `init` passthroughs with
|
|
explicit aliases for config object read/write/delete, server-config
|
|
read/write, storage-class subsystem access, and config-default
|
|
initialization.
|
|
- Acceptance: admin config handlers, dynamic KMS/OIDC/audit handlers, site
|
|
replication state, router notification reads, and dynamic config reload
|
|
paths use direct admin compatibility aliases while preserving their
|
|
existing storage keys and config defaults.
|
|
- Must preserve: admin auth/authorization behavior, config history object
|
|
names, KMS/OIDC/audit runtime persistence, site-replication state
|
|
persistence, storage-class subsystem semantics, and admin route contracts.
|
|
- Verification: RustFS compile coverage, admin focused compile coverage,
|
|
formatting, diff hygiene, risk scan, architecture guard, pre-commit quality
|
|
gate, and three-expert review.
|
|
- [x] `API-082` Prune storage bucket compatibility aliases.
|
|
- Completed slice: replace storage `metadata`, `metadata_sys`,
|
|
`object_lock`, `policy_sys`, `replication`, `tagging`, `utils`,
|
|
`versioning`, `versioning_sys`, `object_api_utils`, and test-only `com`
|
|
passthroughs with explicit storage compatibility aliases.
|
|
- Acceptance: storage S3 handlers, access checks, SSE resolution, RPC
|
|
metadata loading, CORS/object-lock helpers, list-output ETag helpers, and
|
|
storage tests use direct compatibility aliases while preserving the same
|
|
bucket metadata keys and ECStore facade APIs.
|
|
- Must preserve: bucket metadata update/delete/read semantics, object-lock
|
|
retention/default behavior, bucket policy/public-access checks, SSE bucket
|
|
defaults, replication stats lookups, object tag encoding/decoding, S3 list
|
|
ETag formatting, and test-only storage-class signal constants.
|
|
- Verification: RustFS compile coverage, storage compatibility residual
|
|
scan, formatting, diff hygiene, risk scan, architecture guard, pre-commit
|
|
quality gate, and three-expert review.
|
|
- [x] `API-083` Prune admin/app bucket compatibility aliases.
|
|
- Completed slice: replace admin and app broad bucket/client/storage-class
|
|
compatibility passthroughs with explicit local compatibility modules and
|
|
symbol whitelists.
|
|
- Acceptance: admin replication, bucket metadata, quota, tier, site
|
|
replication, router, and app bucket/object/multipart/lifecycle consumers
|
|
keep their existing call paths while `storage_compat.rs` no longer exposes
|
|
broad upstream modules.
|
|
- Must preserve: admin bucket target updates, replication status and resync
|
|
DTOs, site-replication metadata serialization, quota checks, lifecycle
|
|
transition hooks, bucket metadata IO, object ETag conversion, object-lock
|
|
checks, and app storage-class behavior.
|
|
- Verification: RustFS compile coverage, admin/app compatibility residual
|
|
scans, formatting, diff hygiene, risk scan, architecture guard, pre-commit
|
|
quality gate, and three-expert review.
|
|
- [x] `API-084` Prune edge compatibility passthrough aliases.
|
|
- Completed slice: replace scanner grouped bucket compatibility exports,
|
|
notify broad config/global imports, observability data-usage passthroughs,
|
|
and e2e grouped RPC passthroughs with explicit edge-local aliases,
|
|
wrappers, and DTO projections.
|
|
- Acceptance: scanner bucket contracts stay explicitly named, notify config
|
|
persistence routes through local wrappers, observability metrics consume a
|
|
local data-usage DTO, and e2e RPC helper access stays narrow.
|
|
- Must preserve: scanner lifecycle and replication behavior, notification
|
|
server-config update semantics, observability cluster/bucket usage metrics,
|
|
and e2e RPC client/interceptor call sites.
|
|
- Verification: focused edge crate compile coverage, edge compatibility
|
|
residual scans, formatting, diff hygiene, risk scan, architecture guard,
|
|
pre-commit quality gate, and three-expert review.
|
|
- [x] `API-085` Prune test and fuzz compatibility passthrough aliases.
|
|
- Completed slice: replace heal/scanner test and fuzz grouped ECStore
|
|
compatibility passthroughs with direct type aliases and local wrapper
|
|
functions.
|
|
- Acceptance: test harnesses keep their existing ECStore setup and lifecycle
|
|
helper call sites while exposing only narrow compatibility symbols, and
|
|
fuzz targets exercise bucket utility contracts through local wrappers.
|
|
- Must preserve: heal test ECStore setup, scanner lifecycle integration setup,
|
|
local disk initialization, bucket metadata updates, transition enqueue
|
|
behavior, and fuzz validation semantics.
|
|
- Verification: focused heal/scanner compile coverage, test/fuzz
|
|
compatibility residual scans, formatting, diff hygiene, architecture guard,
|
|
pre-commit quality gate, and three-expert review.
|
|
- [x] `API-086` Prune root runtime compatibility re-exports.
|
|
- Completed slice: replace root RustFS runtime `storage_compat.rs` ECStore API
|
|
re-exports with local constants, type aliases, a minimal disk trait, and
|
|
wrapper functions.
|
|
- Acceptance: root runtime startup, metadata, replication admission,
|
|
topology, notification, RPC, capacity, table-catalog, and shutdown call
|
|
sites keep their existing local compatibility names while the root boundary
|
|
no longer re-exports ECStore API symbols directly.
|
|
- Must preserve: startup storage initialization order, bucket metadata
|
|
migration/init, replication runtime startup and admission counts,
|
|
notification init, RPC signature checks, capacity disk references,
|
|
topology snapshots, table-catalog metadata access, and shutdown behavior.
|
|
- Verification: RustFS compile coverage, root compatibility re-export
|
|
residual scan, formatting, diff hygiene, architecture guard, pre-commit
|
|
quality gate, and three-expert review.
|
|
- [x] `API-087` Prune storage owner compatibility re-exports.
|
|
- Completed slice: replace RustFS storage-owner `storage_compat.rs` ECStore
|
|
API re-exports for metadata, object-lock, replication stats, tags, XML
|
|
helpers, RPC globals, metrics, global accessors, tier reloads, and local
|
|
disk helpers with local aliases and wrappers; keep only temporary trait
|
|
imports required for method resolution.
|
|
- Acceptance: storage S3 handlers, ECFS replication metrics, RPC node service,
|
|
and storage tests keep their existing compatibility names while the storage
|
|
owner boundary no longer exposes direct ECStore API symbol re-exports for
|
|
functions, constants, globals, or DTO aliases.
|
|
- Must preserve: bucket metadata read/write/delete semantics, object-lock
|
|
retention checks, replication proxy metrics, object tag encoding/decoding,
|
|
XML serialization behavior, RPC signature checks, transition-tier reloads,
|
|
global object-store/lock/region access, and local disk lookup behavior.
|
|
- Verification: RustFS compile coverage, storage-owner re-export residual
|
|
scan, migration guard, formatting, diff hygiene, Rust risk scan,
|
|
pre-commit quality gate, and three-expert review.
|
|
- [x] `API-088` Prune admin and app compatibility re-exports.
|
|
- Completed slice: replace RustFS admin and app `storage_compat.rs` ECStore
|
|
API re-exports with local constants, type aliases, proxy statics, and
|
|
wrapper functions; keep only temporary trait imports required for method
|
|
resolution.
|
|
- Acceptance: admin handlers and app object/runtime paths keep their existing
|
|
compatibility names while the admin and app boundaries no longer expose
|
|
direct ECStore API symbol re-exports for functions, constants, globals, or
|
|
DTO aliases.
|
|
- Must preserve: admin config reads/writes, bucket metadata access, lifecycle
|
|
enqueue/restore behavior, replication admission and scheduling, object-lock
|
|
checks, RIO reader wrapping, data usage accounting, global object-store
|
|
access, and local disk initialization behavior.
|
|
- Verification: RustFS compile coverage, admin/app re-export residual scan,
|
|
migration guard, formatting, diff hygiene, Rust risk scan, pre-commit
|
|
quality gate, and three-expert review.
|
|
- [x] `API-089` Prune trait import compatibility re-exports.
|
|
- Completed slice: remove the remaining direct ECStore API `pub use`
|
|
compatibility exports from RustFS admin/app/storage and scanner/heal/e2e
|
|
boundaries, replacing non-trait access with local wrappers and moving
|
|
method-resolution trait imports into the files that call those methods.
|
|
- Acceptance: compatibility boundary files no longer expose
|
|
`pub(crate) use rustfs_ecstore::api` symbols, while scanner, heal, e2e,
|
|
admin, app, and storage call sites keep their existing behavior through
|
|
direct trait imports or local wrappers.
|
|
- Must preserve: scanner lifecycle and replication evaluation, heal local
|
|
disk scanning, e2e RPC signature setup, app restore/lifecycle/object-lock
|
|
checks, admin site-replication behavior, storage RPC disk access, and S3
|
|
versioning/replication behavior.
|
|
- Verification: RustFS and edge crate compile coverage, compatibility
|
|
re-export residual scan, migration guard, formatting, diff hygiene, Rust
|
|
risk scan, pre-commit quality gate, and three-expert review.
|
|
- [x] `API-090` Prune outer compat object/error facade aliases.
|
|
- Completed slice: replace app/admin/storage raw ECStore object/error facade
|
|
aliases with storage-api associated object aliases and local `StorageError`
|
|
aliases.
|
|
- Acceptance: app/admin/storage compatibility boundaries no longer refer to
|
|
`rustfs_ecstore::api::object::{ObjectInfo,ObjectOptions}` or
|
|
`rustfs_ecstore::api::error::{Error,Result}` while behavior stays
|
|
unchanged.
|
|
- Must preserve: lifecycle restore/options, object-lock deletion checks,
|
|
replication scheduling decisions, admin/storage config error matching, and
|
|
storage S3 error mapping.
|
|
- Verification: RustFS compile coverage, residual scan, migration guard,
|
|
formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and
|
|
three-expert review.
|
|
- [x] `API-091` Prune outer compat signature facade paths.
|
|
- Completed slice: replace app/admin/storage raw ECStore metadata,
|
|
object-lock, lifecycle journal, monitor, and notification facade paths in
|
|
compatibility function signatures with local aliases.
|
|
- Acceptance: app/admin/storage compatibility function signatures no longer
|
|
expose raw ECStore facade paths for `BucketMetadataSys`,
|
|
`ObjectLockBlockReason`, lifecycle `Jentry`, bandwidth `Monitor`, or
|
|
`NotificationSys`.
|
|
- Must preserve: test metadata-system access, object-lock retention checks,
|
|
lifecycle tier-delete journal persistence, admin bandwidth monitor access,
|
|
and notification-system access.
|
|
- Verification: RustFS compile coverage, signature residual scan, migration
|
|
guard, formatting, diff hygiene, Rust risk scan, pre-commit quality gate,
|
|
and three-expert review.
|
|
- [x] `API-092` Prune storage-owner raw facade paths.
|
|
- Completed slice: replace scattered raw `rustfs_ecstore::api::...` paths in
|
|
the RustFS storage-owner compatibility boundary with local `ecstore_*`
|
|
module aliases.
|
|
- Acceptance: `rustfs/src/storage/storage_compat.rs` no longer contains raw
|
|
`rustfs_ecstore::api::...` facade paths outside the centralized module alias
|
|
import.
|
|
- Must preserve: storage metadata, object-lock, replication stats, tagging,
|
|
RPC signature, metrics, tier reload, local disk lookup, and object I/O
|
|
associated type compatibility.
|
|
- Verification: RustFS compile coverage, storage-owner raw facade path
|
|
residual scan, migration guard, formatting, diff hygiene, Rust risk scan,
|
|
pre-commit quality gate, and three-expert review.
|
|
- [x] `API-093` Prune app/admin raw facade paths.
|
|
- Completed slice: replace scattered raw `rustfs_ecstore::api::...` paths in
|
|
the RustFS app/admin storage compatibility boundaries with local `ecstore_*`
|
|
module aliases.
|
|
- Acceptance: `rustfs/src/app/storage_compat.rs` and
|
|
`rustfs/src/admin/storage_compat.rs` no longer contain raw
|
|
`rustfs_ecstore::api::...` facade paths outside their centralized local
|
|
`ecstore_*` aliases.
|
|
- Must preserve: app lifecycle, metadata, object-lock, replication, data
|
|
usage, notification, tier, layout, compression, admin rebalance, metrics,
|
|
bucket target, quota, storage class, and server configuration compatibility.
|
|
- Verification: RustFS compile coverage, app/admin raw facade path residual
|
|
scan, migration guard, formatting, diff hygiene, Rust risk scan,
|
|
pre-commit quality gate, and three-expert review.
|
|
- [x] `API-094` Prune consumer raw facade paths.
|
|
- Completed slice: replace scattered raw `rustfs_ecstore::api::...` paths in
|
|
peripheral consumer storage compatibility boundaries with local
|
|
`ecstore_*` module aliases.
|
|
- Acceptance: IAM, heal, scanner, notify, observability, Swift, S3 Select,
|
|
test, and fuzz storage compatibility modules no longer contain raw
|
|
`rustfs_ecstore::api::...` facade paths outside centralized local alias
|
|
imports.
|
|
- Must preserve: IAM config and notifications, heal disk lookup, scanner
|
|
lifecycle and tier helpers, notify server config IO, observability runtime
|
|
metrics, Swift metadata wrappers, S3 Select error checks, and test/fuzz
|
|
harness wrappers.
|
|
- Verification: RustFS compile coverage, consumer raw facade path residual
|
|
scan, migration guard, formatting, diff hygiene, Rust risk scan,
|
|
pre-commit quality gate, and three-expert review.
|
|
- [x] `API-095` Prune root/e2e raw facade paths.
|
|
- Completed slice: replace scattered raw `rustfs_ecstore::api::...` paths in
|
|
the RustFS root runtime and e2e storage compatibility boundaries with local
|
|
`ecstore_*` module aliases.
|
|
- Acceptance: `rustfs/src/storage_compat.rs` and
|
|
`crates/e2e_test/src/storage_compat.rs` no longer contain raw
|
|
`rustfs_ecstore::api::...` facade paths outside centralized local alias
|
|
imports.
|
|
- Must preserve: root runtime metadata/config/global/storage/RPC wrappers and
|
|
e2e RPC harness aliases.
|
|
- Verification: RustFS compile coverage, root/e2e raw facade path residual
|
|
scan, migration guard, formatting, diff hygiene, Rust risk scan,
|
|
pre-commit quality gate, and three-expert review.
|
|
- [x] `API-096` Prune bucket trait method imports.
|
|
- Completed slice: move outer bucket lifecycle, replication, versioning,
|
|
object-lock, and restore-request method access behind local compatibility
|
|
traits and wrapper functions in app, admin, storage, and scanner
|
|
boundaries.
|
|
- Acceptance: non-compat RustFS, scanner, and heal sources no longer import
|
|
ECStore bucket API traits directly; the migration guard only keeps the
|
|
remaining disk/RPC/warm-backend method-resolution exceptions.
|
|
- Must preserve: app replication scheduling and restore validation, admin site
|
|
replication checks, storage object/versioning behavior, scanner lifecycle
|
|
and replication scans, and existing disk/RPC method-resolution behavior.
|
|
- Verification: RustFS/scanner/heal compile coverage, direct bucket trait
|
|
import residual scan, migration guard, formatting, diff hygiene, Rust risk
|
|
scan, pre-commit quality gate, and three-expert review.
|
|
- [x] `API-097` Prune disk/RPC/warm-backend method imports.
|
|
- Completed slice: move disk RPC, peer S3 RPC, heal/scanner disk, and
|
|
warm-backend test method access behind local compatibility traits or
|
|
aliases in the owning boundaries.
|
|
- Acceptance: non-compat RustFS, scanner, heal, and test sources no longer
|
|
import ECStore `DiskAPI`, `PeerS3Client`, or `WarmBackend` traits directly;
|
|
the migration guard no longer allowlists those direct imports.
|
|
- Must preserve: disk RPC request/response behavior, internode HTTP file and
|
|
walk streams, heal resume and auto-scan disk handling, scanner disk scan
|
|
behavior, and transition warm-backend test harness behavior.
|
|
- Verification: RustFS/scanner/heal/e2e compile coverage, direct
|
|
disk/RPC/warm-backend trait import residual scan, migration guard,
|
|
formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and
|
|
three-expert review.
|
|
- [x] `API-098` Prune root runtime capacity/server compat consumers.
|
|
- Completed slice: move capacity disk access, HTTP RPC signature verification,
|
|
event dispatch bridging, module-switch config persistence, and readiness
|
|
storage/lock quorum lookups into local `capacity` and `server`
|
|
compatibility boundaries.
|
|
- Acceptance: root runtime `storage_compat.rs` no longer owns
|
|
capacity/server-only ECStore wrapper functions, trait shims, or constants;
|
|
migration rules reject restoring those wrappers to the root facade.
|
|
- Must preserve: capacity background refresh disk discovery, internode RPC
|
|
signature verification, live event dispatch, module-switch persistence,
|
|
storage readiness, and distributed lock quorum behavior.
|
|
- Verification: RustFS test-target compile coverage, capacity/server residual
|
|
scan, migration and layer guards, formatting, diff hygiene, Rust risk scan,
|
|
pre-commit quality gate, and three-expert review.
|
|
- [x] `API-099` Prune root runtime startup compat consumers.
|
|
- Completed slice: move startup storage bootstrap, bucket metadata migration,
|
|
notification initialization, global region/port setup, background shutdown,
|
|
and startup service ECStore aliases into a dedicated startup compatibility
|
|
boundary.
|
|
- Acceptance: startup and init modules no longer consume root
|
|
`storage_compat.rs`; root runtime `storage_compat.rs` no longer owns
|
|
startup-only ECStore wrapper functions or aliases; migration rules reject
|
|
restoring those wrappers to the root facade.
|
|
- Must preserve: endpoint parsing, unsupported filesystem policy,
|
|
local-disk and lock-client initialization, global config migration,
|
|
bucket metadata migration, IAM migration, notification registration,
|
|
default-region fallback, background replication, and shutdown behavior.
|
|
- Verification: RustFS test-target compile coverage, startup residual scan,
|
|
migration and layer guards, formatting, diff hygiene, Rust risk scan,
|
|
pre-commit quality gate, and three-expert review.
|
|
- [x] `API-100` Retire root runtime storage compatibility consumers.
|
|
- Completed slice: move table catalog metadata constants and bucket metadata
|
|
reads, runtime topology capability mapping, workload admission runtime
|
|
state probes, S3 error mapping aliases, and config test disk-layout aliases
|
|
into local compatibility boundaries, then remove the root
|
|
`storage_compat.rs` module.
|
|
- Acceptance: no RustFS source consumes `crate::storage_compat`; root
|
|
runtime compatibility file is removed; migration rules still reject direct
|
|
ECStore imports outside `*storage_compat.rs` boundaries.
|
|
- Must preserve: table catalog internal metadata paths, lock timeout lookup,
|
|
runtime topology snapshots, workload admission status reporting, quota and
|
|
storage error mapping, and config disk-layout parsing tests.
|
|
- Verification: RustFS test-target compile coverage, direct root compatibility
|
|
consumer residual scan, migration and layer guards, formatting, diff
|
|
hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
|
|
- [x] `API-101` Localize owner compatibility consumers.
|
|
- Completed slice: route admin handler/service/router, app usecase/context,
|
|
and storage RPC/S3 API compatibility consumers through local owner
|
|
boundary modules instead of their root owner `storage_compat.rs` facades.
|
|
- Acceptance: selected admin, app, and storage owner consumers no longer
|
|
import `crate::admin::storage_compat`, `crate::app::storage_compat`, or
|
|
`crate::storage::storage_compat` directly outside local compatibility
|
|
boundary modules; migration rules reject regressions.
|
|
- Must preserve: admin config and bucket metadata behavior, replication and
|
|
heal status mapping, app runtime context wiring, RPC verification and disk
|
|
lookup behavior, and S3 API ETag conversion.
|
|
- Verification: RustFS test-target compile coverage, owner compatibility
|
|
consumer residual scan, migration and layer guards, formatting, diff
|
|
hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
|
|
- [x] `API-102` Localize storage core compatibility consumers.
|
|
- Completed slice: route storage access, ECFS, ECFS extension, head-prefix,
|
|
options, SSE, storage module aliases, and storage tests through
|
|
`core_storage_compat` instead of the storage owner `storage_compat.rs`
|
|
facade.
|
|
- Acceptance: no non-compat RustFS storage source imports
|
|
`crate::storage::storage_compat` directly; migration rules reject
|
|
regressions across `rustfs/src/storage`.
|
|
- Must preserve: bucket access validation, ECFS object operations, SSE
|
|
encryption/decryption setup, storage option mapping, storage object aliases,
|
|
and storage compatibility tests.
|
|
- Verification: RustFS test-target compile coverage, storage compatibility
|
|
consumer residual scan, migration and layer guards, formatting, diff
|
|
hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
|
|
- [x] `API-103` Narrow selected local compatibility re-exports.
|
|
- Completed slice: replace glob re-exports in admin router/service, app
|
|
context, storage core, and storage RPC local compatibility boundaries with
|
|
explicit re-export lists.
|
|
- Acceptance: narrowed local compatibility boundaries expose only the symbols
|
|
consumed by their owners; migration rules reject restoring glob re-exports
|
|
in those files.
|
|
- Must preserve: admin route behavior, dynamic config reload behavior, app
|
|
context startup handles, storage core option/SSE/access behavior, and
|
|
storage RPC request handling.
|
|
- Verification: RustFS test-target compile coverage, narrowed local
|
|
compatibility glob-export scan, migration and layer guards, formatting,
|
|
diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert
|
|
review.
|
|
- [x] `API-104` Narrow remaining local compatibility re-exports.
|
|
- Completed slice: replace the remaining admin handler and app usecase local
|
|
compatibility glob re-exports with explicit re-export lists.
|
|
- Acceptance: no narrowed RustFS local compatibility boundary restores a glob
|
|
re-export from its owner `storage_compat.rs` facade; migration rules reject
|
|
regressions across all narrowed files.
|
|
- Must preserve: admin handler config, bucket metadata, site replication,
|
|
tier, rebalance, metrics, heal, quota, and object-zip behavior; app bucket,
|
|
object, multipart, admin, lifecycle transition, quota, object-lock, and
|
|
replication usecase behavior.
|
|
- Verification: RustFS test-target compile coverage, narrowed local
|
|
compatibility glob-export scan, migration and layer guards, formatting,
|
|
diff hygiene, Rust risk scan, pre-commit quality gate, and three-expert
|
|
review.
|
|
- [x] `API-105` Guard root compatibility facade aliases.
|
|
- Completed slice: route the S3 API storage compatibility ETag helper through
|
|
a local ECStore client module alias and add a repository-wide storage
|
|
compatibility guard against scattered raw ECStore facade paths.
|
|
- Acceptance: storage compatibility boundaries may import ECStore facade
|
|
modules as local `ecstore_*` aliases, but no compatibility wrapper body or
|
|
signature may reintroduce a scattered raw `rustfs_ecstore::api::...` path.
|
|
- Must preserve: S3 API ETag conversion behavior and all existing
|
|
compatibility module import boundaries.
|
|
- Verification: RustFS test-target compile coverage, full storage
|
|
compatibility raw-facade residual scan, migration and layer guards,
|
|
formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and
|
|
three-expert review.
|
|
- [x] `API-106` Split compatibility facade imports.
|
|
- Completed slice: replace grouped `rustfs_ecstore::api::{...}` imports
|
|
across storage compatibility boundaries with explicit per-module
|
|
`ecstore_*` aliases and extend migration guards to reject grouped facade
|
|
imports.
|
|
- Acceptance: storage compatibility boundaries keep every ECStore facade
|
|
module dependency visible as its own local alias, and wrapper bodies or
|
|
signatures still cannot reintroduce scattered raw
|
|
`rustfs_ecstore::api::...` paths.
|
|
- Must preserve: all compatibility wrapper bodies, public alias names,
|
|
storage/admin/app/runtime/edge/test/fuzz behavior, and API surface.
|
|
- Verification: RustFS test-target compile coverage, grouped-import and
|
|
raw-facade residual scans, migration and layer guards, formatting, diff
|
|
hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
|
|
- [x] `API-107` Collapse compatibility facade self references.
|
|
- Completed slice: replace crate-qualified app/admin
|
|
`storage_compat::ecstore_*` self references with local `ecstore_*` aliases
|
|
at the root boundary and `super::ecstore_*` paths inside nested
|
|
compatibility modules.
|
|
- Acceptance: RustFS app/admin compatibility boundaries no longer route
|
|
wrapper bodies and aliases through their own crate-qualified
|
|
`storage_compat::ecstore_*` paths; migration rules reject regressions.
|
|
- Must preserve: app bucket/lifecycle/object-lock/replication helper
|
|
behavior, admin bucket metadata/target/replication/tier/config helper
|
|
behavior, public local compatibility names, and ECStore facade ownership.
|
|
- Verification: RustFS test-target compile coverage, local facade
|
|
self-reference residual scan, migration and layer guards, formatting, diff
|
|
hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
|
|
- [x] `API-108` Collapse local compatibility bridge self paths.
|
|
- Completed slice: replace crate-qualified app/admin/storage
|
|
`storage_compat` references in local compatibility bridge modules with
|
|
relative `super::storage_compat` paths.
|
|
- Acceptance: RustFS local compatibility bridge modules no longer point back
|
|
to their owner `storage_compat` facades through crate-qualified paths;
|
|
migration rules reject regressions.
|
|
- Must preserve: all app usecase/context, admin router/handler/service, and
|
|
storage core/RPC compatibility re-export names and owner facade behavior.
|
|
- Verification: RustFS test-target compile coverage, local bridge owner
|
|
self-path residual scan, migration and layer guards, formatting, diff
|
|
hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
|
|
- [x] `API-109` Collapse root compatibility consumer paths.
|
|
- Completed slice: replace crate-qualified root compatibility consumers in
|
|
startup/runtime/table/error/workload modules plus selected storage owner
|
|
consumers with relative `super::` or `self::` paths.
|
|
- Acceptance: selected root and storage owner modules no longer point back to
|
|
local compatibility facades through crate-qualified paths; migration rules
|
|
reject regressions.
|
|
- Must preserve: startup notification/storage/background/service behavior,
|
|
runtime capability snapshots, workload admission wiring, table catalog
|
|
helpers, root error aliases, storage SSE/access/ECFS helper behavior, and
|
|
public storage module aliases.
|
|
- Verification: RustFS test-target compile coverage, root/storage owner
|
|
compatibility consumer residual scans, migration and layer guards,
|
|
formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and
|
|
three-expert review.
|
|
- [x] `API-110` Collapse RustFS local compatibility consumer paths.
|
|
- Completed slice: replace crate-qualified app usecase, admin router, and
|
|
storage ECFS test compatibility consumers with relative owner paths.
|
|
- Acceptance: selected RustFS app/admin/storage consumers no longer point back
|
|
to local compatibility facades through crate-qualified paths; migration
|
|
rules reject regressions.
|
|
- Must preserve: app object/bucket/multipart/admin usecase behavior,
|
|
lifecycle transition and capacity tests, admin replication/router helpers,
|
|
and storage ECFS test coverage.
|
|
- Verification: RustFS test-target compile coverage, local compatibility
|
|
consumer residual scan, migration and layer guards, formatting, diff
|
|
hygiene, Rust risk scan, pre-commit quality gate, and three-expert review.
|
|
- [x] `API-111` Collapse storage RPC and S3 API local compatibility consumers.
|
|
- Completed slice: replace crate-qualified storage RPC and S3 API local
|
|
compatibility consumers with relative owner paths.
|
|
- Acceptance: selected storage RPC and S3 API modules no longer point back to
|
|
local compatibility facades through crate-qualified paths; migration rules
|
|
reject regressions.
|
|
- Must preserve: internode RPC request handling, node service helper tests,
|
|
S3 list bucket output mapping, multipart listing output mapping, and ETag
|
|
helper behavior.
|
|
- Verification: RustFS test-target compile coverage, storage RPC/S3 API
|
|
local compatibility consumer residual scan, migration and layer guards,
|
|
formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and
|
|
three-expert review.
|
|
- [x] `API-112` Collapse admin local compatibility consumers.
|
|
- Completed slice: replace crate-qualified admin handlers/service local
|
|
compatibility consumers with relative owner paths.
|
|
- Acceptance: selected admin handlers and service modules no longer point back
|
|
to local compatibility facades through crate-qualified paths; migration
|
|
rules reject regressions.
|
|
- Must preserve: admin route contracts, replication/config/rebalance/heal
|
|
handler behavior, service config reload behavior, and admin test coverage.
|
|
- Verification: RustFS test-target compile coverage, admin local
|
|
compatibility consumer residual scan, migration and layer guards,
|
|
formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and
|
|
three-expert review.
|
|
- [x] `API-113` Collapse app context and server local compatibility consumers.
|
|
- Completed slice: replace crate-qualified app context and server readiness
|
|
local compatibility consumers with relative owner paths.
|
|
- Acceptance: selected app context and server readiness modules no longer
|
|
point back to local compatibility facades through crate-qualified paths;
|
|
migration rules reject regressions.
|
|
- Must preserve: app context dependency resolution, startup bootstrap,
|
|
default interface handles, readiness storage quorum behavior, and readiness
|
|
test coverage.
|
|
- Verification: RustFS test-target compile coverage, app context/server local
|
|
compatibility consumer residual scan, migration and layer guards,
|
|
formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and
|
|
three-expert review.
|
|
- [x] `API-114` Collapse config, heal, and scanner test compatibility consumers.
|
|
- Completed slice: replace crate-qualified config test, heal crate, and
|
|
heal/scanner integration test local compatibility consumers with relative
|
|
owner paths.
|
|
- Acceptance: selected config, heal, and scanner test harnesses no longer
|
|
point back to local compatibility facades through crate-qualified paths;
|
|
migration rules reject regressions.
|
|
- Must preserve: config layout parsing tests, heal channel/storage test
|
|
coverage, endpoint index tests, and scanner lifecycle integration coverage.
|
|
- Verification: RustFS test-target compile coverage, config/heal/scanner
|
|
local compatibility consumer residual scan, migration and layer guards,
|
|
formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and
|
|
three-expert review.
|
|
- [x] `API-115` Collapse standalone crate local compatibility consumers.
|
|
- Completed slice: replace crate-qualified scanner, IAM, observability,
|
|
S3 Select, and e2e local compatibility consumers with relative owner paths.
|
|
- Acceptance: selected standalone crate modules no longer point back to their
|
|
local compatibility facades through crate-qualified paths; migration rules
|
|
reject regressions.
|
|
- Must preserve: scanner data usage and object IO behavior, IAM storage
|
|
adapter contracts, observability metric collection, S3 Select object-store
|
|
reads, and e2e RPC helper coverage.
|
|
- Verification: standalone crate compile coverage, standalone local
|
|
compatibility consumer residual scan, migration and layer guards,
|
|
formatting, diff hygiene, Rust risk scan, pre-commit quality gate, and
|
|
three-expert review.
|
|
- [x] `API-116` Collapse fuzz-target local compatibility consumers.
|
|
- Completed slice: replace crate-qualified bucket-validation and
|
|
path-containment fuzz-target local compatibility consumers with relative
|
|
owner paths.
|
|
- Acceptance: selected fuzz targets no longer point back to their local
|
|
compatibility facades through crate-qualified paths; migration rules reject
|
|
regressions.
|
|
- Must preserve: fuzz harness entrypoints, corpus behavior, bucket/object
|
|
validation coverage, and path-containment assertions.
|
|
- Verification: fuzz package compile coverage, fuzz-target local
|
|
compatibility consumer residual scan, migration and layer guards,
|
|
formatting, diff hygiene, Rust risk scan, and three-expert review.
|
|
- [x] `API-117` Remove app/admin secondary compatibility bridges.
|
|
- Completed slice: replace app use-case and admin router consumers of
|
|
`usecase_storage_compat` and `router_storage_compat` with direct owner
|
|
`storage_compat` paths, then delete the secondary bridge modules.
|
|
- Acceptance: app use-cases, app tests, and the admin router no longer route
|
|
through a second local compatibility bridge; migration rules reject
|
|
reintroduced bridge names.
|
|
- Must preserve: app object/bucket/multipart use-case behavior, lifecycle
|
|
transition test setup, admin route replication/bucket-target contracts, and
|
|
existing owner `storage_compat` aliases.
|
|
- Verification: RustFS compile coverage, app/admin secondary bridge residual
|
|
scan, migration and layer guards, formatting, diff hygiene, Rust risk scan,
|
|
and three-expert review.
|
|
- [x] `API-118` Remove storage core secondary compatibility bridge.
|
|
- Completed slice: replace storage owner consumers of `core_storage_compat`
|
|
with direct `storage_compat` paths, then delete the secondary bridge module.
|
|
- Acceptance: storage owner modules and tests no longer route through a
|
|
second local compatibility bridge; migration rules reject reintroduced
|
|
`core_storage_compat` references.
|
|
- Must preserve: ECFS object operations, storage access checks, SSE
|
|
encryption helpers, storage option resolution, and existing owner
|
|
`storage_compat` aliases.
|
|
- Verification: RustFS compile coverage, storage secondary bridge residual
|
|
scan, migration and layer guards, formatting, diff hygiene, path-only risk
|
|
review, and three-expert review.
|
|
- [x] `API-119` Remove nested secondary compatibility bridges.
|
|
- Completed slice: replace admin service, app context, and storage RPC
|
|
consumers of nested `storage_compat` bridge modules with direct owner
|
|
`storage_compat` paths, then delete the nested bridge modules.
|
|
- Acceptance: nested service, context, and RPC modules no longer route
|
|
through a second local compatibility bridge; migration rules reject
|
|
reintroduced bridge files or module declarations.
|
|
- Must preserve: admin dynamic config and site-replication behavior, app
|
|
context handle wiring, storage RPC signature and disk lookup behavior, and
|
|
existing owner `storage_compat` aliases.
|
|
- Verification: RustFS compile coverage, nested secondary bridge residual
|
|
scan, migration and layer guards, formatting, diff hygiene, path-only risk
|
|
review, and three-expert review.
|
|
- [x] `API-120` Remove admin handlers secondary compatibility bridge.
|
|
- Completed slice: replace admin handler consumers of
|
|
`handlers::storage_compat` with direct admin owner `storage_compat` paths,
|
|
then delete the handler bridge module.
|
|
- Acceptance: admin handler modules no longer route through a second local
|
|
compatibility bridge; migration rules reject the bridge file, module
|
|
declaration, or direct handler-level `super::storage_compat` consumers.
|
|
- Must preserve: admin handler config, replication, rebalance, quota, tier,
|
|
table catalog, metrics, trace, and heal behavior plus existing admin owner
|
|
`storage_compat` aliases.
|
|
- Verification: RustFS admin handler compile coverage, handler secondary
|
|
bridge residual scan, migration and layer guards, formatting, diff hygiene,
|
|
path-only risk review, and three-expert review.
|
|
- [x] `API-121` Remove runtime local compatibility bridges.
|
|
- Completed slice: replace capacity, server, and S3 API local compatibility
|
|
bridge consumers with direct owner APIs, then delete the bridge modules.
|
|
- Acceptance: capacity, server, and S3 API modules no longer route through
|
|
local `storage_compat` bridges; migration rules reject bridge files, module
|
|
declarations, or bridge consumers.
|
|
- Must preserve: capacity disk discovery, HTTP RPC signature verification,
|
|
event dispatch hook wiring, module-switch persistence, readiness quorum
|
|
checks, and S3 ETag conversion behavior.
|
|
- Verification: RustFS compile coverage, runtime local bridge residual scan,
|
|
migration and layer guards, formatting, diff hygiene, path-only risk
|
|
review, and three-expert review.
|
|
- [x] `API-122` Remove root one-off compatibility bridges.
|
|
- Completed slice: replace config test, error mapping, runtime capability,
|
|
table catalog, and workload admission consumers with direct ECStore API
|
|
imports, then delete the root one-off bridge modules.
|
|
- Acceptance: the deleted bridge files and module declarations are gone;
|
|
migration rules reject reintroduced files, declarations, or bridge
|
|
references.
|
|
- Must preserve: config disk-layout tests, API error mapping, runtime
|
|
topology snapshots, table-catalog paths and lock behavior, and workload
|
|
admission snapshots.
|
|
- Verification: RustFS compile coverage, root one-off bridge residual scan,
|
|
migration and layer guards, formatting, diff hygiene, Rust risk scan, and
|
|
three-expert review.
|
|
- [x] `API-123` Remove startup storage compatibility bridge.
|
|
- Completed slice: replace startup storage, notification, bucket metadata,
|
|
service, shutdown, server, lifecycle, IAM, background, fs guard, and init
|
|
consumers with direct ECStore API owner imports, then delete
|
|
`startup_storage_compat.rs`.
|
|
- Acceptance: startup/init consumers no longer route through the startup
|
|
compatibility bridge; migration rules reject the deleted file, module
|
|
declaration, or bridge references.
|
|
- Must preserve: endpoint parsing, unsupported filesystem policy, ECStore
|
|
initialization, global endpoint/erasure registration, local disk and lock
|
|
client initialization, config migration/retry behavior, metadata/IAM
|
|
migration, notification startup, background replication, scanner/heal
|
|
startup and shutdown, and readiness marking.
|
|
- Verification: RustFS compile coverage, startup bridge residual scan,
|
|
migration and layer guards, formatting, diff hygiene, Rust risk scan, and
|
|
three-expert review.
|
|
- [x] `API-124` Remove test and fuzz storage compatibility bridges.
|
|
- Completed slice: replace heal tests, scanner lifecycle tests, and bucket/path
|
|
fuzz targets with direct ECStore API owner imports, then delete their local
|
|
`storage_compat.rs` modules.
|
|
- Acceptance: migrated test/fuzz targets no longer route through local
|
|
storage compatibility bridges; migration rules reject deleted files, module
|
|
declarations, or bridge references.
|
|
- Must preserve: heal endpoint indexing, heal mock storage signatures,
|
|
lifecycle metadata updates, scanner warm-tier mocks, fuzz target validation
|
|
invariants, and direct compile coverage for affected crates/targets.
|
|
- Verification: heal/scanner test compile coverage, fuzz target compile
|
|
coverage, test/fuzz bridge residual scan, migration and layer guards,
|
|
formatting, diff hygiene, Rust risk scan, and three-expert review.
|
|
- [x] `API-125` Remove standalone thin compatibility bridges.
|
|
- Completed slice: replace e2e tests, IAM store object access, and notify
|
|
config persistence consumers with direct owner APIs, then delete their local
|
|
`storage_compat.rs` bridge modules.
|
|
- Acceptance: e2e, IAM store, and notify no longer route through local thin
|
|
storage compatibility bridges; migration rules reject deleted files, module
|
|
declarations, or bridge consumers.
|
|
- Must preserve: e2e RPC client behavior, site-replication target contracts,
|
|
IAM object associated types, notify server-config read/modify/save behavior,
|
|
and reload-if-changed semantics.
|
|
- Verification: affected crate compile coverage, standalone thin bridge
|
|
residual scan, migration and layer guards, formatting, diff hygiene, Rust
|
|
risk scan, and three-expert review.
|
|
- [x] `API-126` Remove remaining standalone owner compatibility bridges.
|
|
- Completed slice: replace OBS metrics, Swift object/container/account, and
|
|
S3 Select object-store consumers with direct owner APIs, then delete their
|
|
local `storage_compat.rs` bridge modules.
|
|
- Acceptance: OBS, Swift, and S3 Select no longer route through local thin
|
|
storage compatibility bridges; migration rules reject deleted files, module
|
|
declarations, or bridge consumers.
|
|
- Must preserve: OBS capacity, bucket usage, replication, and ILM metrics;
|
|
Swift bucket metadata and object IO contracts; S3 Select object reader,
|
|
error mapping, and default read-buffer behavior.
|
|
- Verification: affected crate compile coverage, remaining standalone bridge
|
|
residual scan, migration and layer guards, formatting, diff hygiene, Rust
|
|
risk scan, and three-expert review.
|
|
- [x] `API-127` Remove external owner compatibility bridges.
|
|
- Completed slice: move IAM root, heal, and scanner bridge contracts into
|
|
their owner modules, delete their local `storage_compat.rs` bridge modules,
|
|
and update consumers to import owner APIs directly.
|
|
- Acceptance: IAM root, heal, and scanner no longer route through local
|
|
storage compatibility bridges; migration rules reject deleted files, module
|
|
declarations, or bridge consumers.
|
|
- Must preserve: IAM config object IO and notification wrappers, heal disk
|
|
extension behavior and object aliases, scanner lifecycle/replication/disk
|
|
wrappers, data-usage persistence, and scanner object IO contracts.
|
|
- Verification: focused IAM/heal/scanner compile coverage, external owner
|
|
bridge residual scan, migration and layer guards, formatting, diff hygiene,
|
|
Rust risk scan, and three-expert review.
|
|
- [x] `API-128` Remove RustFS owner compatibility bridges.
|
|
- Completed slice: move app, admin, and storage bridge contracts into their
|
|
owner modules, delete their local `storage_compat.rs` bridge modules, and
|
|
update consumers to import owner APIs directly.
|
|
- Acceptance: RustFS app, admin, and storage no longer route through local
|
|
storage compatibility bridges; migration rules reject deleted files, module
|
|
declarations, or bridge consumers.
|
|
- Must preserve: app object/multipart/bucket behavior, admin route and
|
|
config contracts, storage access/SSE/RPC behavior, object DTO aliases,
|
|
bucket metadata helpers, and ECStore facade ownership.
|
|
- Verification: focused RustFS compile coverage, RustFS owner bridge
|
|
residual scan, migration and layer guards, formatting, diff hygiene, Rust
|
|
risk scan, and three-expert review.
|
|
- [x] `G-012` Inventory placement and repair invariants.
|
|
- Acceptance:
|
|
[`placement-repair-invariants.md`](placement-repair-invariants.md) records
|
|
object-to-set hashing, pool/set/disk assignment boundaries, set-aware
|
|
readiness and lock quorum, scanner budget, and heal admission preservation
|
|
gates.
|
|
- Must preserve: no placement, repair, scanner, heal, readiness, lock, or
|
|
storage metadata behavior changes.
|
|
- [x] `G-013` Inventory profiling and NUMA capabilities.
|
|
- Acceptance:
|
|
[`profiling-numa-capability-inventory.md`](profiling-numa-capability-inventory.md)
|
|
records current CPU/memory profiling, cgroup memory sampling, allocator
|
|
backend, eBPF, and NUMA capability support plus no-op fallback invariants.
|
|
- Must preserve: no startup, profiling, allocator, runtime, or platform-gate
|
|
behavior changes.
|
|
|
|
## Issue #660 Capability Contract Tasks
|
|
|
|
- [x] `PR-08/API-013` Add observability snapshot contract.
|
|
- Completed slice: add `CapabilityState`, `CapabilityStatus`,
|
|
`CapabilitySnapshotError`, `ObservabilitySnapshot`,
|
|
`UserspaceProfilingCapability`, `MemorySamplingState`,
|
|
`PlatformSupport`, and `ObservabilitySnapshotProvider` to
|
|
`rustfs-storage-api`.
|
|
- Acceptance: runtime telemetry, userspace profiling, memory sampling, and
|
|
platform support states are representable without runtime, ECStore, admin,
|
|
profiling, exporter, sidecar, eBPF, or OTEL implementation dependencies.
|
|
- Must preserve: no profiling, startup, admin route, exporter, sidecar, eBPF,
|
|
OTEL, or runtime behavior changes.
|
|
- Verification: storage-api contract tests for unknown, unsupported,
|
|
disabled, and supported capability states; focused storage-api check;
|
|
migration guard; formatting; diff hygiene; and three-expert review.
|
|
|
|
- [x] `PR-09/API-014` Add topology capability contract.
|
|
- Completed slice: add `TopologySnapshot`, `TopologyCapabilities`,
|
|
`TopologyPool`, `TopologySet`, `TopologyDisk`, `TopologyLabels`,
|
|
`DiskCapabilities`, and `TopologySnapshotProvider` to
|
|
`rustfs-storage-api`.
|
|
- Acceptance: pool, set, and disk identity fields plus optional zone, rack,
|
|
node, media, NUMA, and additional labels are representable without
|
|
`rustfs-ecstore`.
|
|
- Must preserve: no ECStore endpoint/set implementation, placement,
|
|
membership, NUMA pinning, or runtime behavior changes.
|
|
- Verification: storage-api contract tests for missing and additional labels
|
|
plus supported, unsupported, unknown, and disabled capability states;
|
|
focused storage-api check; migration guard; formatting; diff hygiene; and
|
|
three-expert review.
|
|
|
|
- [x] `PR-05/TEST-SCH-001` Add scheduler preservation tests.
|
|
- Completed slice: pin worker over-release clamping, reusable scheduler
|
|
default thresholds and priority boundaries, backpressure pipe metadata
|
|
reads, and get-object queue snapshot saturation/zero-total semantics.
|
|
- Acceptance: current reusable scheduling and admission-facing behavior is
|
|
covered before later read-only snapshot extraction.
|
|
- Must preserve: scheduler algorithm, queue capacity, threshold defaults,
|
|
Tokio runtime settings, request admission, scanner admission, heal
|
|
admission, replication admission, and background task admission behavior.
|
|
- Verification: focused concurrency tests, focused concurrency check,
|
|
migration guard, formatting, diff hygiene, and three-expert review.
|
|
|
|
- [x] `PR-07/R-015` Add runtime workload class contract.
|
|
- Completed slice: add `WorkloadClass`, `AdmissionState`,
|
|
`WorkloadAdmissionSnapshot`, `WorkloadAdmissionRegistrySnapshot`, and
|
|
`WorkloadAdmissionSnapshotProvider` to `rustfs-concurrency`.
|
|
- Acceptance: foreground read, foreground write, metadata, scanner, repair,
|
|
and replication workload classes are representable through read-only
|
|
admission registry snapshots without ECStore dependency.
|
|
- Must preserve: no SchedulerManager decision logic, Tokio worker defaults,
|
|
scanner/heal admission behavior, replication admission behavior, cluster
|
|
scheduling, placement, membership, or business call-site migration.
|
|
- Verification: workload contract unit tests, focused concurrency check,
|
|
migration guard, formatting, diff hygiene, and three-expert review.
|
|
|
|
- [x] `API-055/SCH-001` Expose set-local scheduler admission snapshot.
|
|
- Completed slice: implement `WorkloadAdmissionSnapshotProvider` for the
|
|
RustFS storage `ConcurrencyManager` and expose foreground-read disk-read
|
|
permit usage through a local read-only workload registry snapshot.
|
|
- Acceptance: local foreground read admission reports active permit usage,
|
|
configured limit, and open/saturated/disabled state without ECStore,
|
|
admin-route, cluster, or scheduler mutation dependencies.
|
|
- Must preserve: disk-read semaphore acquisition, priority assignment,
|
|
buffer sizing, storage media detection, request guards, and queue behavior.
|
|
- Verification: storage concurrency tests, focused RustFS library check,
|
|
migration guard, formatting, diff hygiene, and three-expert review.
|
|
|
|
- [x] `API-056/R-016` Wire runtime capability snapshot providers.
|
|
- Completed slice: implement `ObservabilitySnapshotProvider` for RustFS
|
|
runtime capability state and `TopologySnapshotProvider` for
|
|
`EndpointServerPools` topology snapshots.
|
|
- Acceptance: observability and endpoint topology snapshots are available
|
|
through the storage-api contracts without admin routes, sidecars, ECStore
|
|
placement mutation, profiling startup changes, or endpoint behavior changes.
|
|
- Must preserve: profiling opt-in behavior, memory and cgroup sampling
|
|
behavior, endpoint pool/set/disk assignment, placement, readiness, locks,
|
|
and local path privacy.
|
|
- Verification: focused runtime capability tests, focused RustFS library
|
|
check, migration and layer guards, formatting, diff hygiene, risk scan, and
|
|
three-expert review.
|
|
|
|
- [x] `API-057/R-017` Expose heal repair admission snapshot.
|
|
- Completed slice: implement a RustFS workload admission snapshot provider
|
|
that maps existing heal active-task and queue-length counters to the
|
|
`Repair` workload class.
|
|
- Acceptance: repair admission state is observable through the
|
|
`rustfs-concurrency` workload snapshot contract without changing heal
|
|
queueing, scheduling, retry, priority merge/drop, or repair behavior.
|
|
- Must preserve: heal request admission, queue capacity, scheduler wakeups,
|
|
task retry handling, active-task accounting, and repair execution.
|
|
- Verification: focused workload admission tests, focused RustFS library
|
|
check, migration and layer guards, formatting, diff hygiene, risk scan, and
|
|
three-expert review.
|
|
|
|
- [x] `API-058/R-018` Expose replication admission snapshot.
|
|
- Completed slice: extend the RustFS workload admission provider to map
|
|
existing replication worker and site queue counters to the `Replication`
|
|
workload class.
|
|
- Acceptance: replication admission pressure is observable through the
|
|
`rustfs-concurrency` workload snapshot contract without changing
|
|
replication queueing, channel capacity, worker resize, MRF, target dispatch,
|
|
or resync behavior.
|
|
- Must preserve: replication admission, queue channel capacity, worker resize
|
|
policy, MRF handling, target dispatch, resync behavior, and queue stats
|
|
accounting.
|
|
- Verification: focused workload admission tests, focused RustFS library
|
|
check, migration and layer guards, formatting, diff hygiene, risk scan, and
|
|
three-expert review.
|
|
|
|
- [x] `API-059/R-019` Expose RustFS runtime owner admission snapshots.
|
|
- Completed slice: extend the RustFS workload admission provider to map
|
|
foreground-read disk permit state, scanner active work units, and bucket
|
|
metadata runtime initialization into the workload registry.
|
|
- Acceptance: RustFS-level workload admission snapshots expose existing
|
|
foreground-read, scanner, and metadata owner state without changing
|
|
admission, queueing, scanner scheduling, metadata loading, metadata locks,
|
|
or object write behavior.
|
|
- Must preserve: disk-read semaphore acquisition, scanner cycle scheduling,
|
|
bucket metadata initialization and loading, object write paths, request
|
|
guards, and queue behavior.
|
|
- Verification: focused workload admission tests, focused RustFS library
|
|
check, migration and layer guards, formatting, diff hygiene, risk scan, and
|
|
three-expert review.
|
|
|
|
- [x] `API-060` Remove heal and namespace-lock operation compatibility facades.
|
|
- Completed slice: remove the old ECStore `store_api::HealOperations` and
|
|
`store_api::NamespaceLocking` compatibility subtraits after ECStore storage
|
|
types already implemented the shared `rustfs_storage_api` contracts
|
|
directly.
|
|
- Acceptance: internal ECStore bounds and compile-time coverage use the
|
|
shared storage-api heal and namespace-lock contracts directly, while the
|
|
remaining object/list/multipart compatibility bindings stay unchanged for
|
|
their active internal consumers.
|
|
- Must preserve: heal operation behavior, namespace-lock acquisition,
|
|
replication resync locking, rebalance metadata locking, object I/O,
|
|
multipart, list, and storage hot paths.
|
|
- Verification: focused ECStore contract tests, focused ECStore library
|
|
check, migration and layer guards, formatting, diff hygiene, risk scan, and
|
|
three-expert review.
|
|
|
|
- [x] `API-061` Remove public ECStore object operation compatibility facades.
|
|
- Completed slice: remove the old public ECStore `store_api` object, list,
|
|
and multipart operation compatibility subtraits, and keep internal generic
|
|
bounds on crate-private storage-api contract constraints instead of public
|
|
downstream compatibility traits.
|
|
- Acceptance: `store_api` no longer exports public operation compatibility
|
|
traits, ECStore direct storage-api compile-time coverage includes object,
|
|
object-operation, list, multipart, namespace-lock, heal, and admin
|
|
contracts, and remaining public `store_api` exports are DTO/reader
|
|
compatibility paths only.
|
|
- Must preserve: object I/O, list/walk behavior, multipart behavior, config
|
|
persistence, tier config migration, rebalance metadata locking, lifecycle
|
|
journal handling, replication MRF/resync persistence, and downstream DTO
|
|
import compatibility.
|
|
- Verification: focused ECStore contract tests, focused ECStore library
|
|
check, migration and layer guards, formatting, diff hygiene, risk scan, and
|
|
three-expert review.
|
|
|
|
- [x] `API-062` Establish explicit ECStore object API boundary.
|
|
- Completed slice: add `rustfs_ecstore::object_api` as the explicit public
|
|
path for ECStore-owned object DTO and reader contracts, then migrate
|
|
RustFS, scanner, heal, IAM, Swift, S3 Select, notify, and ECStore
|
|
integration-test compatibility aliases away from the legacy public
|
|
`store_api` path.
|
|
- Acceptance: external compatibility boundary modules no longer reference
|
|
`rustfs_ecstore::store_api` for ECStore-owned object DTO and reader
|
|
aliases, while `store_api` remains available only as the old internal
|
|
implementation module pending final compatibility removal.
|
|
- Must preserve: object metadata shape, option defaults, reader/writer
|
|
behavior, Swift/scanner/heal/IAM/S3 Select/notify boundary semantics, and
|
|
all storage hot paths.
|
|
- Verification: focused ECStore/RustFS/downstream compile checks, migration
|
|
guard, formatting, diff hygiene, risk scan, and three-expert review.
|
|
|
|
- [x] `API-063` Make legacy ECStore store API module private.
|
|
- Completed slice: remove `rustfs_ecstore::store_api` from the public crate
|
|
module surface after external compatibility boundaries moved to
|
|
`rustfs_ecstore::object_api`.
|
|
- Acceptance: ECStore object DTO and reader compatibility remains available
|
|
through `object_api`, integration contract tests consume the new public
|
|
path, and migration rules reject restoring `pub mod store_api`.
|
|
- Must preserve: internal ECStore object DTO definitions, reader/writer
|
|
behavior, storage-api trait bindings, and downstream object/list/multipart
|
|
compile-time contracts.
|
|
- Verification: focused ECStore contract tests, migration guard, formatting,
|
|
diff hygiene, risk scan, and three-expert review.
|
|
|
|
- [x] `API-064` Retire the ECStore store API module name.
|
|
- Completed slice: move ECStore object DTO, reader, and option definitions
|
|
from the private `store_api` module into the public `object_api` module,
|
|
then migrate ECStore internal imports to `crate::object_api`.
|
|
- Acceptance: no ECStore `store_api` module file or directory remains, public
|
|
consumers keep using `rustfs_ecstore::object_api`, and migration rules
|
|
reject restoring the retired module path.
|
|
- Must preserve: object metadata shape, reader/writer behavior, storage-api
|
|
contract bindings, object/list/multipart behavior, and downstream public
|
|
object API compatibility.
|
|
- Verification: focused ECStore compile checks, migration guard, formatting,
|
|
diff hygiene, risk scan, and three-expert review.
|
|
|
|
- [x] `API-065` Use storage-api list contracts inside ECStore.
|
|
- Completed slice: migrate ECStore internal list response, walk options, and
|
|
walk result bindings to local aliases over the generic `rustfs-storage-api`
|
|
contracts, including replication worker trait bounds, while retaining
|
|
public `rustfs_ecstore::object_api` aliases for downstream compatibility.
|
|
- Acceptance: ECStore implementation modules no longer import list/walk
|
|
compatibility aliases from `crate::object_api`, and migration rules reject
|
|
reintroducing those internal imports.
|
|
- Must preserve: list response shape, walk result item shape, object metadata
|
|
shape, storage-api trait bindings, and downstream public object API
|
|
compatibility.
|
|
- Verification: focused ECStore compile checks, migration guard, formatting,
|
|
diff hygiene, risk scan, and three-expert review.
|
|
|
|
- [x] `API-066` Prune ECStore object API storage aliases.
|
|
- Completed slice: remove unused public storage-api passthrough aliases from
|
|
ECStore `object_api` for list responses, walk options, walk result items,
|
|
and delete-object DTOs, then bind the ECStore contract test directly to the
|
|
generic `rustfs-storage-api` contracts.
|
|
- Acceptance: ECStore `object_api` no longer exposes storage-api passthrough
|
|
aliases, the storage contract test still proves ECStore implements the
|
|
storage-api traits with the same associated concrete types, and migration
|
|
rules reject restoring the object_api passthrough aliases.
|
|
- Must preserve: ECStore-owned object metadata, object options, reader/writer
|
|
types, storage-api trait associated type bindings, list/delete/walk response
|
|
shapes, and runtime behavior.
|
|
- Verification: focused ECStore compile checks, storage contract test,
|
|
downstream compile checks, migration and layer guards, formatting, diff
|
|
hygiene, risk scan, full pre-commit, and three-expert review.
|
|
|
|
- [x] `API-067` Guard remaining external ECStore object API aliases.
|
|
- Completed slice: add a migration guard that snapshots the exact external
|
|
`storage_compat.rs` aliases still allowed to reference
|
|
`rustfs_ecstore::object_api::{GetObjectReader,ObjectInfo,ObjectOptions,PutObjReader}`
|
|
and rejects new object-api names in compatibility boundaries.
|
|
- Acceptance: all remaining external `object_api` references are deliberate
|
|
compatibility aliases in `storage_compat.rs` modules, future additions fail
|
|
the migration guard, and the API-066 passthrough alias cleanup stays
|
|
protected.
|
|
- Must preserve: no runtime code changes, all existing compatibility aliases,
|
|
object metadata shape, options, and reader/writer ownership.
|
|
- Verification: bash syntax check, migration and layer guards, formatting,
|
|
diff hygiene, full pre-commit, and three-expert review.
|
|
|
|
- [x] `API-068` Prune notify ECStore object-info compatibility alias.
|
|
- Completed slice: remove notify's private `EcstoreObjectInfo` alias and
|
|
ECStore-object conversion implementation, then map ECStore event objects to
|
|
`NotifyObjectInfo` inside the RustFS event and operation notification
|
|
bridges.
|
|
- Acceptance: `crates/notify` no longer references
|
|
`rustfs_ecstore::object_api::ObjectInfo`, the remaining object-api alias
|
|
allowlist shrinks accordingly, and notify event payload fields keep the
|
|
same serialized values.
|
|
- Must preserve: live event dispatch behavior, event names, bucket/object
|
|
fields, version IDs, metadata, restore-completed timestamps, storage class,
|
|
transitioned tier, host/port parsing, and replication request filtering.
|
|
- Verification: focused RustFS event conversion test, focused notify/RustFS
|
|
compile checks, migration and layer guards, formatting, diff hygiene, full
|
|
pre-commit, and three-expert review.
|
|
|
|
- [x] `API-069` Prune IAM direct ECStore object metadata/options aliases.
|
|
- Completed slice: replace IAM config and store `ObjectInfo`/`ObjectOptions`
|
|
compatibility aliases with `IamStore` `ObjectOperations` associated types.
|
|
- Acceptance: IAM no longer names
|
|
`rustfs_ecstore::object_api::{ObjectInfo,ObjectOptions}` directly, the
|
|
remaining object-api alias allowlist shrinks by four entries, and IAM config
|
|
read/write metadata and lazy-rewrite precondition behavior are unchanged.
|
|
- Must preserve: IAM config encryption/decryption, lazy rewrite ETag matching,
|
|
list walk item/error typing, metadata return shape, storage preconditions,
|
|
system-path failure classification, and notification peer behavior.
|
|
- Verification: focused IAM compile/tests, migration and layer guards,
|
|
formatting, diff hygiene, full pre-commit, and three-expert review.
|
|
|
|
- [x] `API-070` Prune consumer direct ECStore object aliases.
|
|
- Completed slice: replace scanner, s3select, and Swift
|
|
`GetObjectReader`/`ObjectInfo`/`ObjectOptions`/`PutObjReader`
|
|
compatibility aliases with concrete store `rustfs_storage_api` associated
|
|
types.
|
|
- Acceptance: scanner, s3select, and Swift no longer name
|
|
`rustfs_ecstore::object_api::{GetObjectReader,ObjectInfo,ObjectOptions,PutObjReader}`
|
|
directly, and the remaining object-api alias allowlist shrinks by eleven
|
|
entries.
|
|
- Must preserve: scanner lifecycle/replication IO bounds and config helpers,
|
|
s3select read buffer/object error handling, Swift bucket metadata helpers,
|
|
and object reader/writer concrete types exposed through each local
|
|
compatibility boundary.
|
|
- Verification: focused consumer compile/tests, migration and layer guards,
|
|
formatting, diff hygiene, full pre-commit, and three-expert review.
|
|
|
|
- [x] `API-071` Prune final direct ECStore object aliases.
|
|
- Completed slice: replace heal and RustFS storage
|
|
`GetObjectReader`/`ObjectInfo`/`ObjectOptions`/`PutObjReader`
|
|
compatibility aliases with concrete store `rustfs_storage_api` associated
|
|
types.
|
|
- Acceptance: no external `storage_compat.rs` module names
|
|
`rustfs_ecstore::object_api::{GetObjectReader,ObjectInfo,ObjectOptions,PutObjReader}`
|
|
directly, and the external object-api alias allowlist is empty.
|
|
- Must preserve: heal object metadata and rewrite reader construction,
|
|
RustFS storage object read/write paths, S3 response metadata semantics,
|
|
SSE/encryption handling, and storage object option behavior.
|
|
- Verification: focused heal/storage compile/tests, migration and layer
|
|
guards, formatting, diff hygiene, full pre-commit, and three-expert review.
|
|
|
|
- [x] `API-072` Establish ECStore public facade for outer compatibility.
|
|
- Completed slice: add `rustfs_ecstore::api` facade groups for layout,
|
|
storage, admin, metrics, notification, and capacity helper surfaces, then
|
|
migrate RustFS, scanner, observability, IAM, heal, Swift, S3 Select,
|
|
heal-test, and scanner-test compatibility boundaries away from direct
|
|
ECStore module paths for those surfaces.
|
|
- Acceptance: selected outer `storage_compat.rs` boundaries no longer import
|
|
`rustfs_ecstore::{admin_server_info,endpoints,disks_layout,metrics_realtime,notification_sys,pools,store_utils,store}`
|
|
directly, and the migration guard rejects restoring those direct public
|
|
surface paths.
|
|
- Must preserve: endpoint and disks-layout types, ECStore owner type and
|
|
init helpers, admin server-info helpers, local metrics collection,
|
|
notification peer behavior, capacity helpers, bucket-name helpers, and all
|
|
runtime storage behavior.
|
|
- Verification: affected package test-target compile, migration and layer
|
|
guards, formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `API-073` Expand ECStore public facade coverage.
|
|
- Completed slice: add `rustfs_ecstore::api` facade groups for bucket,
|
|
config, disk, error, event, global, RPC, set-disk, reader, client, tier,
|
|
data-usage, cache, compression, and rebalance compatibility surfaces, then
|
|
migrate all outer `storage_compat.rs` boundaries to those facade paths.
|
|
- Acceptance: RustFS, app/admin/storage runtime, scanner, heal, IAM, notify,
|
|
observability, Swift, S3 Select, e2e, test, and fuzz compatibility
|
|
boundaries no longer import those ECStore public surfaces through direct
|
|
pre-facade module paths, and the migration guard rejects restoring them.
|
|
- Must preserve: storage owner types, config IO, bucket metadata/lifecycle
|
|
helpers, disk/RPC/error contracts, global state accessors, reader wrappers,
|
|
tier helpers, rebalance status DTOs, test/fuzz harness behavior, and all
|
|
existing runtime behavior.
|
|
- Verification: affected package test-target compile, migration and layer
|
|
guards, formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `API-074` Enforce ECStore API facade for compatibility boundaries.
|
|
- Completed slice: extend the architecture migration guard so every
|
|
non-ECStore `storage_compat.rs` import from `rustfs_ecstore` must route
|
|
through `rustfs_ecstore::api`, not only the previously enumerated public
|
|
ECStore module paths.
|
|
- Acceptance: RustFS, app/admin/storage runtime, scanner, heal, IAM, notify,
|
|
observability, Swift, S3 Select, e2e, test, and fuzz compatibility
|
|
boundaries cannot reintroduce direct pre-facade ECStore paths through new
|
|
modules or grouped imports.
|
|
- Must preserve: no runtime behavior, type ownership, compatibility alias, or
|
|
ECStore public facade behavior changes.
|
|
- Verification: migration guard, direct old-path scan, formatting, diff
|
|
hygiene, branch freshness check, pre-commit quality gate, and three-expert
|
|
review.
|
|
|
|
- [x] `API-075` Prune ECStore legacy layout root modules.
|
|
- Completed slice: make the legacy ECStore root `endpoints` and
|
|
`disks_layout` compatibility modules crate-private now that outer
|
|
compatibility boundaries use `rustfs_ecstore::api::layout`.
|
|
- Acceptance: `rustfs_ecstore::api::layout` remains the public facade for
|
|
endpoint pools and disk layout helpers, while migration rules reject
|
|
restoring the old root layout compatibility modules as public modules.
|
|
- Must preserve: endpoint layout types, disk layout helper behavior, ECStore
|
|
internal call sites, and all outer compatibility facade paths.
|
|
- Verification: ECStore and affected outer package compile, migration and
|
|
layer guards, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `API-076` Prune facade-covered ECStore root modules.
|
|
- Completed slice: make facade-covered legacy ECStore root modules
|
|
crate-private after all in-repo outer compatibility boundaries route
|
|
through `rustfs_ecstore::api`.
|
|
- Acceptance: `rustfs_ecstore::api::*` remains the public facade for storage,
|
|
admin, config, metrics, notification, RPC, disk, error, tier, rebalance,
|
|
and layout helper surfaces, while migration rules reject restoring those
|
|
legacy root modules as public modules.
|
|
- Must preserve: ECStore internal module access, public `api` facade paths,
|
|
object API paths, bitrot and erasure coding test/bench paths, and storage
|
|
contract compatibility tests.
|
|
- Verification: ECStore and affected outer package compile, migration and
|
|
layer guards, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `API-077` Prune remaining ECStore root compatibility modules.
|
|
- Completed slice: add explicit `rustfs_ecstore::api` facade groups for
|
|
bitrot, erasure coding, object DTO/reader, event name, and store-list
|
|
helper surfaces, then migrate ECStore tests and benches away from the
|
|
legacy root module paths.
|
|
- Acceptance: `batch_processor`, `bitrot`, `erasure_coding`, `event`,
|
|
`object_api`, and `store_list_objects` are no longer public ECStore root
|
|
modules, and the migration guard rejects restoring them as public modules.
|
|
- Must preserve: ECStore internal module access, public facade access for
|
|
compatibility tests/benches, bitrot reader/writer behavior, erasure coding
|
|
constructors/helpers, object reader/DTO wire shape, and list option
|
|
semantics.
|
|
- Verification: migration guard, ECStore compatibility tests/benches compile
|
|
coverage, formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `API-078` Prune ECStore root global re-exports.
|
|
- Completed slice: remove the remaining `pub use global::*` compatibility
|
|
exports from the ECStore crate root and route internal ECStore users to
|
|
`crate::global` directly.
|
|
- Acceptance: outer access to ECStore global helpers remains available only
|
|
through `rustfs_ecstore::api::global`, internal ECStore modules use the
|
|
real owner path, and the migration guard rejects restoring root global
|
|
re-exports.
|
|
- Must preserve: object-store resolver behavior, endpoint/global lock client
|
|
publication, erasure-type updates, tier/notification/data-usage metadata
|
|
loading, and existing `api::global` facade names.
|
|
- Verification: migration guard, ECStore and RustFS compile coverage,
|
|
formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
## Phase 5 Cluster Control Plane Tasks
|
|
|
|
- [x] `C-001` Add topology model.
|
|
- Completed slice: move endpoint-pool topology mapping behind ECStore's
|
|
crate-private `cluster` owner module and expose it through
|
|
`rustfs_ecstore::api::cluster`.
|
|
- Acceptance: pool, set, and disk topology snapshots are built from existing
|
|
endpoint assignments without exposing local disk paths or changing
|
|
placement, readiness, or endpoint construction.
|
|
- Must preserve: endpoint pool/set/disk indexes, local path privacy,
|
|
storage-api topology contract shape, runtime capability reasons, and
|
|
existing RustFS topology provider behavior.
|
|
- Verification: ECStore topology tests, RustFS runtime topology tests,
|
|
migration guard, compile coverage, formatting, diff hygiene, risk scan,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `C-002` Add membership model.
|
|
- Completed slice: add a static membership snapshot that groups endpoint
|
|
drives by node identity and records drive placement without dynamic
|
|
membership, health checks, control RPC, or hot-path changes.
|
|
- Acceptance: URL endpoints group by host:port, path endpoints group under a
|
|
local node identity, and drive membership carries pool/set/disk placement
|
|
plus endpoint type/local flags.
|
|
- Must preserve: no Raft, no Kubernetes watcher, no peer-health behavior, no
|
|
dynamic membership, and no object I/O or lock-quorum behavior changes.
|
|
- Verification: ECStore membership tests, compile coverage, migration guard,
|
|
formatting, diff hygiene, risk scan, pre-commit quality gate, and
|
|
three-expert review.
|
|
|
|
- [x] `C-003` Add read-only control plane facade.
|
|
- Completed slice: add `ClusterControlPlane` as a read-only facade that
|
|
combines topology and membership snapshots from existing endpoint pools.
|
|
- Acceptance: outer crates use `rustfs_ecstore::api::cluster` for the facade,
|
|
while ECStore root `cluster` remains crate-private and migration rules
|
|
reject restoring it as a public root module.
|
|
- Must preserve: no worker start/stop, health impact, lock registry mutation,
|
|
pool state mutation, endpoint publication, or readiness behavior changes.
|
|
- Verification: control-plane read-snapshot test, migration guard, compile
|
|
coverage, formatting, diff hygiene, risk scan, pre-commit quality gate, and
|
|
three-expert review.
|
|
|
|
- [x] `C-004` Add pool state snapshot.
|
|
- Completed slice: add a static pool-state snapshot derived from existing
|
|
endpoint pools and expose it through `rustfs_ecstore::api::cluster`.
|
|
- Acceptance: pool state records pool index, set count, drives per set,
|
|
endpoint counts, local/remote drive counts, legacy flag, and endpoint type
|
|
coverage without reading disks or changing pool ownership.
|
|
- Must preserve: no placement change, no pool mutation, no command-line path
|
|
exposure, and no endpoint publication changes.
|
|
- Verification: ECStore pool-state tests, compile coverage, formatting, diff
|
|
hygiene, risk scan, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `C-005` Add local-node storage snapshot.
|
|
- Completed slice: add a read-only local-node storage projection from static
|
|
endpoint membership.
|
|
- Acceptance: local nodes include only local membership entries and report
|
|
aggregate path/url drive counts and pool coverage without exposing local
|
|
disk paths.
|
|
- Must preserve: no storage readiness, disk health, lock quorum, or object I/O
|
|
behavior changes.
|
|
- Verification: ECStore local-node storage tests, compile coverage,
|
|
formatting, diff hygiene, risk scan, pre-commit quality gate, and
|
|
three-expert review.
|
|
|
|
- [x] `C-006` Add peer health snapshot.
|
|
- Completed slice: add a static peer-health read model that reports peer
|
|
identities from membership with unknown health status until real peer health
|
|
wiring lands.
|
|
- Acceptance: peer health is explicitly unknown and read-only; no background
|
|
health checks, RPC calls, timers, or failure-state mutation are introduced.
|
|
- Must preserve: no dynamic membership, no peer health loop, no control RPC,
|
|
no readiness impact, and no lock/object behavior changes.
|
|
- Verification: ECStore peer-health tests, compile coverage, formatting, diff
|
|
hygiene, risk scan, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `TEST-PRTYPE-001` Check PR type enum consistency.
|
|
- Acceptance: `./scripts/check_architecture_migration_rules.sh` parses the
|
|
allowed PR types from [`crate-boundaries.md`](crate-boundaries.md) and fails
|
|
when `ARCHITECTURE.md` or architecture docs reference an unknown PR type.
|
|
- [x] `COMPAT-REG-001` Check temporary compatibility cleanup consistency.
|
|
- Acceptance: `./scripts/check_architecture_migration_rules.sh` fails when a
|
|
source `RUSTFS_COMPAT_TODO(<task-id>)` marker lacks a cleanup-register entry,
|
|
when a register entry lacks a source marker, or when a source marker omits a
|
|
removal condition.
|
|
|
|
## Phase 1a Config Model Tasks
|
|
|
|
- [x] `CFG-001` Inventory `ecstore::config::{Config, KV, KVS}` consumers.
|
|
- Acceptance:
|
|
[`ecstore-config-consumer-inventory.md`](ecstore-config-consumer-inventory.md)
|
|
records the current definitions, persistence helpers, global accessors,
|
|
consumer groups, migration risks, and do-not-change contract.
|
|
- [x] `CFG-002` Decide model boundary.
|
|
- Acceptance:
|
|
[`config-model-boundary-adr.md`](config-model-boundary-adr.md) records
|
|
`rustfs-config` as the target package, `server_config` as the future model
|
|
module, allowed dependencies, forbidden dependencies, preserved shape, and
|
|
extraction verification gates.
|
|
- [x] `CFG-003` Move pure model definitions.
|
|
- Completed slice: `rustfs/rustfs#3351` moved only `Config`, `KV`, `KVS`,
|
|
and default-registration surface into `rustfs-config`; persistence helpers
|
|
and global server-config state remain in `ecstore`.
|
|
- Must preserve: tuple struct shapes, serde alias behavior, default
|
|
application, internal JSON shape, and existing persisted config semantics.
|
|
- [x] `CFG-004` Keep and clean up old `ecstore::config::*` compatibility path.
|
|
- Completed slice: `rustfs/rustfs#3351` re-exported moved model types and
|
|
default-registration surface from `rustfs_ecstore::config` with
|
|
`RUSTFS_COMPAT_TODO(CFG-004)` and cleanup-register coverage.
|
|
- Cleanup slice: remove the temporary model re-export and smoke test after
|
|
CFG-005/CFG-006/CFG-007 migrated all in-repo consumers to
|
|
`rustfs_config::server_config`.
|
|
- [x] `CFG-005` Migrate external server-config model consumers.
|
|
- Current branch: migrate admin handlers, admin services, runtime context,
|
|
server audit/event setup, and the audit/notify/targets/iam crates from the
|
|
temporary `rustfs_ecstore::config::{Config, KV, KVS}` model path to
|
|
`rustfs_config::server_config`.
|
|
- Acceptance: external consumers use the model crate for pure config types
|
|
while still using ECStore for persistence helpers, global server-config
|
|
accessors, storage-class helpers, and startup initialization.
|
|
- [x] `CFG-006` Migrate ECStore service/default model consumers.
|
|
- Current branch: migrate ECStore config default modules, shared config
|
|
helpers, and store accessor signatures to the `rustfs_config` model type
|
|
while preserving ECStore-owned persistence and runtime state.
|
|
- Acceptance: ECStore internals no longer depend on the old compatibility
|
|
model import path except the deliberate compatibility smoke test; the old
|
|
public re-export remains available for downstream callers until CFG-004 is
|
|
cleaned up.
|
|
- [x] `CFG-007` Migrate scanner runtime-config model consumer.
|
|
- Current branch: migrate scanner runtime-config parsing and validation from
|
|
the temporary `rustfs_ecstore::config::{Config, KVS}` model path to
|
|
`rustfs_config::server_config`.
|
|
- Acceptance: scanner uses the model crate for pure server-config types while
|
|
still using ECStore for the global server-config accessor; scanner defaults,
|
|
env overrides, persisted-config validation, cycle scheduling, bitrot-cycle
|
|
compatibility, cache timeout, and alert threshold semantics remain
|
|
unchanged.
|
|
- [x] `CFG-008` Move global server-config accessors.
|
|
- Current branch: move `GLOBAL_SERVER_CONFIG`,
|
|
`get_global_server_config`, and `set_global_server_config` to
|
|
`rustfs_config::server_config`; migrate in-repo runtime consumers to the
|
|
new owner.
|
|
- Compatibility: keep
|
|
`rustfs_ecstore::config::{get_global_server_config,
|
|
set_global_server_config}` as a temporary re-export with
|
|
`RUSTFS_COMPAT_TODO(CFG-008)`.
|
|
- Cleanup slice: remove the temporary accessor re-export after code scans
|
|
showed in-repo consumers import accessors from
|
|
`rustfs_config::server_config`.
|
|
- Acceptance: ECStore still owns `ConfigSys`, config persistence helpers,
|
|
storage-class global state, default registration wiring, and startup
|
|
initialization; global server-config reads and writes keep the same
|
|
`std::sync::RwLock<Option<Config>>` clone semantics.
|
|
|
|
## Phase 1b Context Foundation Tasks
|
|
|
|
- [x] `CTX-001` Split AppContext files.
|
|
- Current branch: split `rustfs/src/app/context.rs` into `interfaces`,
|
|
`handles`, `global`, and `compat` submodules.
|
|
- Acceptance: old `crate::app::context::*` imports continue to compile via
|
|
re-exports; context-first and global fallback resolver bodies are moved
|
|
without semantic changes.
|
|
- Must preserve: AppContext construction, default adapters, global singleton
|
|
initialization, resolver fallback order, and all consumer import paths.
|
|
- Verification: formatting, compile checks, migration guards, diff hygiene,
|
|
Rust risk scan, and full `make pre-commit`.
|
|
- [x] `CTX-002` Add resolver compatibility tests.
|
|
- Do: test context-first and global fallback for KMS runtime, bucket
|
|
metadata, object store, endpoints, tier config, server config, and buffer
|
|
config.
|
|
- Acceptance: context wins when present and global fallback works when absent.
|
|
- Verification: focused resolver compatibility test, formatting, compile
|
|
checks, migration guards, diff hygiene, Rust risk scan, and full
|
|
`make pre-commit`.
|
|
- [x] `CTX-003` Add IAM deferred recovery readiness test.
|
|
- Do: verify IAM degraded recovery can still publish `IamReady` and
|
|
`FullReady`.
|
|
- Acceptance: boot/lifecycle changes cannot lose deferred readiness
|
|
publication.
|
|
- Verification: focused IAM recovery test, formatting, compile checks,
|
|
migration guards, diff hygiene, Rust risk scan, and full
|
|
`make pre-commit`.
|
|
- [x] `CTX-004` Migrate app usecase object-store consumers.
|
|
- Do: migrate admin, bucket, multipart, and object usecases to resolve the
|
|
object store from AppContext first.
|
|
- Acceptance: usecase object-store lookups use AppContext when present and
|
|
preserve the existing global object-layer fallback when absent.
|
|
- Verification: formatting, compile check, migration guards, diff hygiene,
|
|
Rust risk scan, and full `make pre-commit`.
|
|
- [x] `CTX-005` Migrate admin object-store consumers.
|
|
- Do: migrate admin handlers, admin services, and admin router helpers to the
|
|
shared object-store resolver.
|
|
- Acceptance: admin object-store lookups use AppContext when present and
|
|
preserve the existing global object-layer fallback when absent.
|
|
- Verification: focused resolver test, formatting, compile check, migration
|
|
guards, diff hygiene, Rust risk scan, and full `make pre-commit`.
|
|
- [x] `CTX-006` Migrate ECFS object-store consumers.
|
|
- Do: migrate S3 ECFS object operations to the shared object-store resolver.
|
|
- Acceptance: ECFS object-store lookups use AppContext when present and
|
|
preserve the existing global object-layer fallback when absent.
|
|
- Must preserve: S3 object/bucket API behavior, object-lock/tagging/metadata
|
|
semantics, and existing storage error paths.
|
|
- Verification: formatting, compile check, migration guards, diff hygiene,
|
|
Rust risk scan, and full `make pre-commit`.
|
|
- [x] `CTX-007` Migrate admin ZIP object-store consumers.
|
|
- Do: migrate admin object ZIP download object-store lookups to the shared
|
|
object-store resolver.
|
|
- Acceptance: admin ZIP object-store lookups use AppContext when present and
|
|
preserve the existing global object-layer fallback when absent.
|
|
- Must preserve: admin download authorization/preflight behavior, ZIP listing
|
|
and streaming behavior, and existing storage error paths.
|
|
- Verification: formatting, compile check, migration guards, diff hygiene,
|
|
Rust risk scan, and full `make pre-commit`.
|
|
- [x] `CTX-008` Migrate standalone crate object-store consumers.
|
|
- Do: add an ECStore-owned resolver hook for AppContext-first object-store
|
|
lookup and migrate Swift, S3 Select, scanner, notify, and observability
|
|
object-store consumers to that resolver.
|
|
- Acceptance: standalone crates can prefer the AppContext-owned object store
|
|
without depending on the `rustfs` application crate and preserve the
|
|
existing global object-layer fallback.
|
|
- Must preserve: Swift protocol behavior, S3 Select object reads, scanner
|
|
cache/scan behavior, notification config persistence, observability stats
|
|
collection, and existing storage error paths.
|
|
- Verification: formatting, compile checks, migration guards, diff hygiene,
|
|
Rust risk scan, and full `make pre-commit`.
|
|
- [x] `CTX-009` Migrate server/storage infra object-store consumers.
|
|
- Do: migrate server readiness/module-switch and storage access, ecfs
|
|
extension, and node RPC object-store lookups to the ECStore-owned resolver.
|
|
- Acceptance: server/storage infra consumers prefer the AppContext-owned
|
|
object store after context initialization and preserve the existing global
|
|
object-layer fallback.
|
|
- Must preserve: readiness reporting, module-switch config persistence,
|
|
storage access authorization checks, ecfs extension validation, node RPC
|
|
metadata/storage-info/rebalance/tier reload behavior, and existing storage
|
|
error paths.
|
|
- Verification: formatting, compile checks, migration guards, diff hygiene,
|
|
Rust risk scan, and full `make pre-commit`.
|
|
- [x] `CTX-010` Migrate ECStore internal object-store consumers.
|
|
- Do: migrate ECStore internal/background object-store lookups to the
|
|
ECStore-owned resolver.
|
|
- Acceptance: ECStore metrics realtime, notification, tier config save,
|
|
decommission, admin server info, bucket metadata, replication decision,
|
|
lifecycle compensation/expiry, and data-usage cache consumers prefer the
|
|
AppContext-owned object store after context initialization and preserve the
|
|
existing global object-layer fallback.
|
|
- Must preserve: metrics collection, notification rebalance stop behavior,
|
|
tier config persistence, decommission startup, admin server info reporting,
|
|
bucket metadata persistence, replication decisions, lifecycle queueing, data
|
|
usage cache persistence, and existing storage error paths.
|
|
- Verification: formatting, compile checks, migration guards, diff hygiene,
|
|
Rust risk scan, and full `make pre-commit`.
|
|
- [x] `CTX-011` Consolidate app usecase object-store fallback.
|
|
- Do: migrate app admin, bucket, multipart, and object usecases away from
|
|
direct `new_object_layer_fn` calls and through an explicit-context resolver
|
|
helper.
|
|
- Acceptance: usecase lookups keep their injected AppContext precedence,
|
|
preserve `without_context()` legacy global object-layer fallback semantics,
|
|
and avoid consulting the global AppContext when a usecase intentionally has
|
|
no context.
|
|
- Must preserve: admin storage/data-usage reads, bucket create/delete/list
|
|
behavior, multipart object writes, object API reads/writes, lifecycle
|
|
transition tests, and existing "Not init" error paths.
|
|
- Verification: formatting, compile checks, migration guards, diff hygiene,
|
|
Rust risk scan, and full `make pre-commit`.
|
|
|
|
## Phase 1 Security Governance Tasks
|
|
|
|
- [x] `S-001` Add `crates/security-governance`.
|
|
- Acceptance: the crate is a workspace member and has no dependency on
|
|
`rustfs`, `ecstore`, admin handlers, Axum, or runtime state.
|
|
- Verification: `cargo check -p rustfs-security-governance`.
|
|
- [x] `S-002` Add admin route matrix core types.
|
|
- Acceptance: `AdminRouteSpec`, `AdminRouteAccess`, `AdminActionRef`,
|
|
`PublicRouteKind`, `RouteRiskLevel`, and validation errors model route
|
|
governance metadata without registering routes or enforcing auth.
|
|
- Verification: `cargo test -p rustfs-security-governance`.
|
|
- [x] `S-003` Add redaction contract types.
|
|
- Acceptance: `RedactionRule`, `RedactionLevel`, and validation errors model
|
|
sensitive field handling without logging, masking, or runtime integration.
|
|
- Verification: `cargo test -p rustfs-security-governance`.
|
|
- [x] `S-004` Add serde policy marker types.
|
|
- Acceptance: `SerdePolicy`, `SerdePolicyKind`, `UnknownFieldPolicy`, and
|
|
validation errors model strict ingress and compatibility serde contracts
|
|
without changing deserialization behavior.
|
|
- Verification: `cargo test -p rustfs-security-governance`.
|
|
- [x] `S-005` Add supply-chain policy contract types.
|
|
- Acceptance: `ArtifactIntegrityPolicy`, `ArtifactSourceKind`, and validation
|
|
errors model digest, signature, and provenance requirements without changing
|
|
release or CI behavior.
|
|
- Verification: `cargo test -p rustfs-security-governance`.
|
|
- [x] `S-006` Add `rustfs/src/admin/route_policy.rs` backed by these contract
|
|
types, without changing route registration or auth behavior.
|
|
- Acceptance: direct `AdminRouteSpec` entries cover routes with a single
|
|
stable admin policy action, deferred inventory records routes that need
|
|
richer contract support, and tests prove the combined inventory covers every
|
|
registered admin route.
|
|
- [x] `S-011` Add KMS action taxonomy.
|
|
- Acceptance: `KmsAction` can parse and serialize dedicated configure,
|
|
service-control, clear-cache, generate-data-key, delete, rotate, list, and
|
|
describe actions; wildcard matching still works.
|
|
- Verification: `cargo test -p rustfs-policy action --no-fail-fast`.
|
|
- [x] `S-012` Migrate KMS handlers to dedicated actions.
|
|
- Acceptance: KMS data-key, delete/cancel-delete, cache, configure,
|
|
service-control, list, and describe handlers use dedicated `kms:*` actions.
|
|
- Compatibility: legacy KMS create/status admin actions are retained only as
|
|
temporary compatibility paths and registered in
|
|
[`compat-cleanup-register.md`](compat-cleanup-register.md).
|
|
- Verification: focused handler and route policy tests, migration rules,
|
|
formatting, and `make pre-commit`.
|
|
- [x] `S-013` Apply KMS redaction.
|
|
- Acceptance: KMS Debug output and admin status response summaries contain no
|
|
Vault token, AppRole secret ID, or local master key values.
|
|
- Must preserve: internal KMS config values remain available to runtime code
|
|
and persisted config serialization still writes the original secret values.
|
|
- Verification: focused KMS redaction/status tests, full KMS tests, migration
|
|
guards, Rust quality scan, clippy, and `make pre-commit` passed.
|
|
- [x] `S-014` Remove legacy KMS admin action fallbacks.
|
|
- Acceptance: KMS create, describe, and list-key handlers authorize only the
|
|
dedicated `kms:*` actions and no longer retain legacy admin grant fallbacks.
|
|
- Must preserve: legacy KMS endpoint URLs, query aliases, request bodies, and
|
|
response contracts remain unchanged.
|
|
- Verification: focused KMS auth and route-policy tests, migration guards,
|
|
formatting, diff hygiene, risk scan, full pre-commit, and required
|
|
three-expert review passed before push.
|
|
- [x] `S-015` Remove legacy KMS admin policy action taxonomy.
|
|
- Acceptance: `admin:KMSCreateKey` and `admin:KMSKeyStatus` no longer parse as
|
|
valid policy actions; KMS key handlers keep using dedicated `kms:*` actions.
|
|
- Must preserve: legacy KMS endpoint URLs, query aliases, request bodies, and
|
|
response contracts remain unchanged.
|
|
- Verification: focused policy and KMS auth tests, route-policy tests,
|
|
migration guards, formatting, diff hygiene, risk scan, full pre-commit, and
|
|
required three-expert review passed before push.
|
|
- [x] `KMSD-001` Inventory KMS development defaults.
|
|
- Acceptance:
|
|
[`kms-development-defaults-inventory.md`](kms-development-defaults-inventory.md)
|
|
records Local and Vault defaults for missing master keys, temp key dirs,
|
|
HTTP Vault addresses, default dev-token credentials, and skip-TLS behavior.
|
|
- Must preserve: no KMS runtime behavior, config serialization,
|
|
authorization, startup order, storage path, or crate boundary changes.
|
|
- Verification: docs diff review, migration guards, metrics reference guard,
|
|
and `git diff --check`.
|
|
- [x] `KMSD-002` Make Local KMS unsafe defaults explicit dev opt-in.
|
|
- Acceptance: Local KMS now rejects missing master keys and process-temp key
|
|
directories unless `allow_insecure_dev_defaults` is explicitly set.
|
|
- Compatibility: server CLI/config now accepts `RUSTFS_KMS_LOCAL_MASTER_KEY`
|
|
for production local encryption and
|
|
`RUSTFS_KMS_ALLOW_INSECURE_DEV_DEFAULTS=true` for development-only local
|
|
setups.
|
|
- [x] `KMSD-003` Make Vault unsafe defaults explicit dev opt-in.
|
|
- Acceptance: Vault KV2 and Vault Transit now reject HTTP addresses,
|
|
`dev-token`, and `skip_tls_verify` unless explicit development opt-in is set.
|
|
- Compatibility: the KMS env loader and admin configure requests support the
|
|
same explicit development opt-in.
|
|
- [x] `KMSD-004` Add production KMS default tests.
|
|
- Acceptance: focused tests cover Local and Vault production rejection plus
|
|
explicit development opt-in paths across config, env loading, admin request
|
|
conversion, and service-manager validation.
|
|
- [x] `KMSD-005` Write KMS compatibility notes.
|
|
- Acceptance:
|
|
[`kms-development-defaults-inventory.md`](kms-development-defaults-inventory.md)
|
|
now records the production-safe alternatives and explicit development opt-in
|
|
behavior for deployments that relied on old defaults.
|
|
|
|
## Phase 2 Storage API Tasks
|
|
|
|
- [x] `API-001` Add `crates/storage-api`.
|
|
- Acceptance: `rustfs-storage-api` is a workspace member and remains a
|
|
dependency-free contract crate.
|
|
- Verification: `cargo check -p rustfs-storage-api`.
|
|
- [x] `API-002` Move public storage error/result contracts.
|
|
- Current PR: `rustfs/rustfs#3313` merged.
|
|
- Completed slice: add public `StorageErrorCode` and `StorageResult`
|
|
contracts in `rustfs-storage-api`, then make ECStore
|
|
`StorageError::to_u32/from_u32` consume the shared code table.
|
|
- Deferred: keep the full ECStore `StorageError` enum and ECStore-specific
|
|
conversions in `rustfs-ecstore` until the `DiskError`, filemeta, lock, and
|
|
`std::io::Error` downcast boundary is proven safe.
|
|
- Acceptance: storage-api contract tests pass, ECStore compatibility tests
|
|
prove numeric codes match the new contract, and
|
|
`cargo check -p rustfs-storage-api -p rustfs-ecstore` passes.
|
|
- Must preserve: storage error display, conversions, object error mapping,
|
|
quorum classification, and reserved code gaps `0x2B/0x2C`.
|
|
- Risk defense: no storage hot-path enum move in this PR; only numeric code
|
|
mapping uses the new contract.
|
|
- [x] `API-003` Move DTOs.
|
|
- Current PR: `rustfs/rustfs#3314` merged.
|
|
- Cleanup branch: `overtrue/arch-storage-api-dto-compat-cleanup`.
|
|
- Completed slice: move the pure bucket/options DTO subset:
|
|
`MakeBucketOptions`, `SRBucketDeleteOp`, `DeleteBucketOptions`,
|
|
`BucketOptions`, and `BucketInfo`.
|
|
- Cleanup slice: migrate in-repo external consumers to
|
|
`rustfs_storage_api`, keep ECStore implementation use crate-private, and
|
|
remove the old public `ecstore::store_api` bucket DTO re-export.
|
|
- Completed follow-up slice: remove the remaining ECStore-internal bucket DTO
|
|
aliases from `store_api` and guard against restoring that compatibility
|
|
path.
|
|
- Acceptance: `rustfs-storage-api` exports these DTOs, in-repo external
|
|
consumers no longer use the old `rustfs_ecstore::store_api` DTO path, and
|
|
`RUSTFS_COMPAT_TODO(API-003)` is removed from source and cleanup register.
|
|
- Must preserve: no `ObjectOptions`, `ObjectInfo`, reader, compression,
|
|
encryption, filemeta conversion, multipart conversion, route, storage, or
|
|
runtime behavior changes in this PR.
|
|
- [x] `API-006` Add disk inventory/admin trait.
|
|
- Current PR: `rustfs/rustfs#3330` merged.
|
|
- Completed slice: add `StorageAdminApi` and `DiskSetSelector` to
|
|
`rustfs-storage-api`.
|
|
- Acceptance: `StorageAdminApi` exposes backend info, global storage info,
|
|
local storage info, disk-set inventory, and drive-count surfaces without
|
|
depending on ECStore implementation types.
|
|
- Must preserve: no `StorageAPI::get_disks` removal, no ECStore implementation
|
|
change, no admin/readiness/capacity behavior change.
|
|
- Risk defense: use associated types for backend/storage/disk DTOs so this
|
|
contract slice does not pull `rustfs-madmin` or `rustfs-ecstore` into
|
|
`rustfs-storage-api`.
|
|
- Verification: focused storage-api tests, dependency tree, migration guards,
|
|
formatting, and diff hygiene.
|
|
- [x] `API-007` Dual-route `get_disks` consumers.
|
|
- Completed first slice: `rustfs/rustfs#3331` bound `ECStore` to
|
|
`StorageAdminApi` while keeping all consumers unchanged.
|
|
- Completed second slice: `rustfs/rustfs#3332` migrated the admin
|
|
storage-class config drive-count consumer to
|
|
`StorageAdminApi::set_drive_counts`.
|
|
- Completed third slice: `rustfs/rustfs#3333` migrated
|
|
`DefaultAdminUsecase` storage-info reads to
|
|
`StorageAdminApi::storage_info`.
|
|
- Completed fourth slice: `rustfs/rustfs#3334` migrated account-info
|
|
`backend_info`, rebalance status `storage_info`, and runtime readiness
|
|
`storage_info`.
|
|
- Completed fifth slice: `rustfs/rustfs#3335` migrated grouped observability,
|
|
RPC health, server-info, realtime metrics, and notification read-side
|
|
consumers.
|
|
- Completed sixth slice: `rustfs/rustfs#3336` migrated ECStore internal
|
|
decommission space, local-storage-info, backend-info, drive-count, and
|
|
disk-inventory admin handlers away from old `StorageAPI` method calls.
|
|
- Completed seventh slice: `rustfs/rustfs#3337` migrated maintenance and
|
|
background read-side storage inventory consumers in rebalance metadata
|
|
initialization, heal resume disk lookup, and scanner local disk scan lookup.
|
|
- Completion acceptance: admin inventory consumers no longer use old
|
|
`StorageAPI` calls for backend info, storage info, local storage info,
|
|
drive-count, or disk-set inventory when the inventory-facing
|
|
`StorageAdminApi` contract represents the same read-only operation.
|
|
|
|
- [x] `API-008` Remove duplicate old-path admin surfaces.
|
|
- Completed slice: `rustfs/rustfs#3340` removed duplicate admin-read methods
|
|
from the old `StorageAPI` trait and its ECStore/Sets/SetDisks/test
|
|
implementations after API-007 migrated their consumers.
|
|
- Final cleanup slice: remove the old `StorageAPI` facade after all real
|
|
consumers moved to concrete operation groups.
|
|
- Loss-prevention cleanup slice: rename the remaining ECStore contract
|
|
compatibility test away from the old storage-api facade name and guard
|
|
production ECStore/RustFS source against reintroducing the removed
|
|
aggregate facade identifier.
|
|
- Acceptance: storage operation traits remain available directly while admin
|
|
inventory surfaces live only on `StorageAdminApi`.
|
|
|
|
- [x] `API-009` Narrow metadata helper storage bounds.
|
|
- Completed slice: `rustfs/rustfs#3343` narrowed server config, tier config,
|
|
rebalance metadata, and startup metadata migration helper bounds away from
|
|
full `StorageAPI` when the helper only needs `ObjectIO`,
|
|
`ObjectOperations`, `BucketOperations`, `ListOperations`, or
|
|
`StorageAdminApi`.
|
|
- Cleanup slice: remove stale full `StorageAPI` dependencies from config
|
|
persistence test support after the server-config persistence helpers moved
|
|
to their actual object I/O and storage-admin bounds.
|
|
- Completed cleanup slice: `rustfs/rustfs#3489` removed the stale full
|
|
facade dependency from config persistence test support.
|
|
- Acceptance: metadata helper contracts express the actual operation group
|
|
they need, while callers and persistence behavior remain unchanged.
|
|
|
|
- [x] `API-010` Narrow replication resync metadata bounds.
|
|
- Completed slice: `rustfs/rustfs#3345` narrowed replication resync status
|
|
load/save/mark/persist helper bounds away from full `StorageAPI` when the
|
|
helper only needs `ObjectIO`.
|
|
- Acceptance: resync metadata helpers express object-I/O-only persistence
|
|
requirements, while replication execution, delete replication, multipart
|
|
replication, object lookups, and scheduling behavior remain on the concrete
|
|
operation groups they need.
|
|
|
|
- [x] `API-011` Narrow scanner cache helper storage bounds.
|
|
- Completed slice: `rustfs/rustfs#3348` narrowed scanner data-usage cache
|
|
load/save and cache snapshot persistence helper bounds away from full
|
|
`StorageAPI` when the helper only needs `ObjectIO`.
|
|
- Acceptance: scanner cache persistence helpers express object-I/O-only
|
|
requirements, while scanner cycle orchestration, bucket scanning, local disk
|
|
selection, cache publication, and storage hot paths remain unchanged.
|
|
- Must preserve: data-usage cache wire format, cache object paths, backup
|
|
cache paths, retry and timeout behavior, cache-save metrics, publish/update
|
|
channel behavior, scanner cycle scheduling, disk scan concurrency, bucket
|
|
scan semantics, lifecycle/replication decisions, and storage hot paths.
|
|
- Risk defense: do not move traits to `rustfs-storage-api`, do not alter
|
|
helper bodies, and do not narrow scanner paths that need bucket operations,
|
|
disk inventory, or full storage orchestration.
|
|
- Verification: focused compile/tests, migration guards, Rust risk scan, and
|
|
required quality/architecture, migration-preservation, and
|
|
testing/verification review passed.
|
|
|
|
- [x] `API-012` Narrow table catalog object backend bounds.
|
|
- Completed slice: `rustfs/rustfs#3350` added a narrow `NamespaceLocking`
|
|
operation-group trait as a compatibility facade, then narrowed
|
|
`EcStoreTableCatalogObjectBackend` from full `StorageAPI` to `ObjectIO`,
|
|
`ObjectOperations`, `ListOperations`, and `NamespaceLocking`.
|
|
- Cleanup slice: migrate the remaining scanner leader-lock and self-copy
|
|
object use-case namespace-lock consumers to `NamespaceLocking`, implement
|
|
namespace locking directly on ECStore storage types, and remove the
|
|
temporary namespace-lock compatibility method from the full storage trait
|
|
and cleanup register entry.
|
|
- Completed cleanup slice: `rustfs/rustfs#3477` narrowed remaining table
|
|
catalog backend and rebalance metadata helper consumers away from full
|
|
`StorageAPI` where they only need object I/O, object operations, list
|
|
operations, and namespace locking.
|
|
- Completed follow-up slice: `rustfs/rustfs#3485` narrowed replication pool,
|
|
resync leader-lock, delete replication, object replication, and multipart
|
|
replication helpers away from full `StorageAPI` where they only need object
|
|
I/O, object operations, list operations, and namespace locking.
|
|
- Final cleanup slice: remove the unused old `StorageAPI` facade, its
|
|
implementation blocks, public re-export, and stale guard coverage.
|
|
- Acceptance: table catalog object backend contracts express the actual
|
|
object read/write, metadata/delete, list, and namespace-lock capabilities
|
|
they need; namespace-lock consumers depend on `NamespaceLocking` instead of
|
|
full `StorageAPI`; and storage lock behavior remains unchanged.
|
|
- Must preserve: table catalog object paths, metadata pointer semantics,
|
|
optimistic write preconditions, object listing pagination, missing-object
|
|
handling, namespace write-lock acquisition, object APIs,
|
|
scanner/heal/replication/config persistence, and storage hot paths.
|
|
- Risk defense: do not move traits into `rustfs-storage-api`, do not change
|
|
lock implementation code, do not alter table catalog method bodies, and do
|
|
not leave stale full-facade compatibility coverage after consumers move to
|
|
concrete operation groups.
|
|
- Verification: focused compile/tests, migration guards, Rust risk scan, and
|
|
required quality/architecture, migration-preservation, and
|
|
testing/verification review passed.
|
|
|
|
- [x] `API-013` Move multipart list/result DTO contracts.
|
|
- Completed slice: move `MultipartUploadResult`, `PartInfo`,
|
|
`MultipartInfo`, `ListMultipartsInfo`, and `ListPartsInfo` from ECStore
|
|
`store_api` into `rustfs-storage-api`; update ECStore traits and RustFS S3
|
|
multipart response builders to import these shared contracts directly.
|
|
- Acceptance: `rustfs-storage-api` exports the multipart DTO contracts,
|
|
in-repo consumers no longer use the old `rustfs_ecstore::store_api` path
|
|
for these DTOs, and migration guards reject restoring the old ECStore-owned
|
|
definitions or re-exports.
|
|
- Must preserve: multipart upload creation, part listing, multipart upload
|
|
listing, part metadata, checksum fields, S3 response mapping, and storage
|
|
operation trait behavior.
|
|
- Risk defense: keep `CompletePart`, `ObjectInfo`, `ObjectOptions`, readers,
|
|
filemeta conversions, replication state, encryption, compression, and range
|
|
semantics in ECStore for this slice.
|
|
- Verification: focused storage-api/ECStore/RustFS compile checks, multipart
|
|
response tests, migration/layer guards, formatting, diff hygiene, Rust risk
|
|
scan, and required three-expert review passed.
|
|
|
|
- [x] `API-014` Move bucket operation contract.
|
|
- Completed slice: move `BucketOperations` from ECStore `store_api` into
|
|
`rustfs-storage-api`, keep ECStore/Sets/SetDisks implementations in
|
|
ECStore, and migrate in-repo consumers to import the shared contract path.
|
|
- Acceptance: `rustfs-storage-api` exports the bucket operation contract,
|
|
in-repo consumers no longer use the old `rustfs_ecstore::store_api` path
|
|
for `BucketOperations`, and migration guards reject restoring the old
|
|
ECStore-owned definition or re-export.
|
|
- Must preserve: bucket create/delete/list/info behavior, object store
|
|
initialization, bucket metadata migration, Swift/admin/storage consumers,
|
|
and all storage hot paths.
|
|
- Risk defense: only the trait contract crosses into `rustfs-storage-api`;
|
|
ECStore errors, object contracts, list contracts, readers, lock handling,
|
|
and implementation bodies stay in ECStore.
|
|
- Verification: focused storage-api/ECStore/RustFS/downstream compile checks,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, and
|
|
required three-expert review passed.
|
|
|
|
- [x] `API-015` Move object option helper contracts.
|
|
- Completed slice: move `CompletePart`, `HTTPPreconditions`, and
|
|
`ObjectLockRetentionOptions` from ECStore `store_api` into
|
|
`rustfs-storage-api`; keep `ObjectOptions`, object/list DTOs, readers,
|
|
filemeta conversions, and storage implementations in ECStore.
|
|
- Acceptance: `rustfs-storage-api` exports the moved helper contracts,
|
|
in-repo consumers no longer use the old `rustfs_ecstore::store_api` path
|
|
for these helpers, and migration guards reject restoring the old ECStore
|
|
definitions or public re-exports.
|
|
- Must preserve: multipart completion mapping, HTTP precondition semantics,
|
|
object-lock retention fields, object lookup/drop-precondition behavior,
|
|
storage hot paths, and ECStore-owned implementation-heavy object contracts.
|
|
- Risk defense: only pure helper DTOs cross into `rustfs-storage-api`;
|
|
ECStore keeps `ObjectOptions`, `ObjectInfo`, list contracts, readers,
|
|
lifecycle/replication/rio/filemeta coupling, errors, and implementation
|
|
bodies.
|
|
- Verification: focused storage-api/ECStore/RustFS/downstream compile checks,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, and
|
|
required three-expert review passed.
|
|
|
|
- [x] `API-016` Move HTTP range helper contracts.
|
|
- Completed slice: move `HTTPRangeSpec` and `HTTPRangeError` from ECStore
|
|
`store_api/readers.rs` into `rustfs-storage-api`; keep `ObjectInfo` part
|
|
adaptation in ECStore and migrate RustFS, ECStore, Swift, scanner, and
|
|
S3-select consumers to import the shared range contract directly.
|
|
- Acceptance: `rustfs-storage-api` exports the range helper contracts,
|
|
in-repo consumers no longer use the old `rustfs_ecstore::store_api` path
|
|
for `HTTPRangeSpec`, and migration guards reject restoring old ECStore
|
|
definitions or public re-exports.
|
|
- Must preserve: S3 range semantics, suffix ranges, multipart part-range
|
|
boundaries, SSE/rio/compressed range planning, Swift/S3-select reads, and
|
|
ECStore-owned object-info/filemeta adaptation.
|
|
- Risk defense: only pure range contract behavior crosses into
|
|
`rustfs-storage-api`; ECStore keeps readers, `ObjectInfo`, part plaintext
|
|
size selection, encryption/compression planning, lifecycle/replication/rio
|
|
coupling, and storage implementation bodies.
|
|
- Verification: focused storage-api/ECStore/RustFS/downstream compile checks,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, and
|
|
required three-expert review passed.
|
|
|
|
- [x] `API-017` Move object list helper contracts.
|
|
- Completed slice: move `VersionMarker` and `WalkVersionsSortOrder` from
|
|
ECStore `store_api/types.rs` into `rustfs-storage-api`; keep
|
|
`versions_after_marker`, `WalkOptions`, `ObjectInfo`, list result DTOs,
|
|
readers, and storage list/walk implementations in ECStore.
|
|
- Acceptance: `rustfs-storage-api` exports the list helper contracts,
|
|
in-repo production code no longer imports them from
|
|
`rustfs_ecstore::store_api`, and migration guards reject restoring old
|
|
ECStore definitions or public re-exports.
|
|
- Must preserve: list-object-versions marker parsing, null version markers,
|
|
version marker application only to the first matching entry, walk sort
|
|
default, and ECStore-owned filemeta/list implementation behavior.
|
|
- Risk defense: only pure marker/sort contracts cross into
|
|
`rustfs-storage-api`; ECStore keeps filemeta conversion, list result DTOs,
|
|
walk options with filemeta filters, readers, lifecycle/replication coupling,
|
|
and storage implementation bodies.
|
|
- Verification: focused storage-api/ECStore/RustFS/downstream compile checks,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, and
|
|
required three-expert review passed.
|
|
|
|
- [x] `API-018` Move object precondition helper contracts.
|
|
- Completed slice: add `ObjectPreconditionState`,
|
|
`ObjectPreconditionPart`, and `ObjectPreconditionError` to
|
|
`rustfs-storage-api`; make ECStore `ObjectOptions::precondition_check`
|
|
adapt `ObjectInfo` into the shared pure contract and map the contract
|
|
result back to the existing ECStore errors.
|
|
- Acceptance: `rustfs-storage-api` exports the precondition helper contracts,
|
|
ECStore keeps `ObjectOptions` and `ObjectInfo`, and migration guards reject
|
|
dropping the public precondition contract re-export.
|
|
- Must preserve: requested-part validation, empty condition handling,
|
|
`If-None-Match`/`If-Modified-Since` `NotModified` behavior,
|
|
`If-Match`/`If-Unmodified-Since` `PreconditionFailed` behavior, wildcard
|
|
ETag matching, and ECStore error mapping.
|
|
- Risk defense: only pure precondition decision state and result contracts
|
|
cross into `rustfs-storage-api`; ECStore keeps object metadata adaptation,
|
|
storage error types, `ObjectOptions`, `ObjectInfo`, readers,
|
|
lifecycle/replication coupling, and storage implementation bodies.
|
|
- Verification: focused storage-api tests, ECStore/RustFS/downstream compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
and required three-expert review passed.
|
|
|
|
- [x] `API-019` Move object list response contracts.
|
|
- Completed slice: move `ListObjectsInfo`, `ListObjectsV2Info`,
|
|
`ListObjectVersionsInfo`, and `ObjectInfoOrErr` from ECStore
|
|
`store_api/types.rs` into `rustfs-storage-api` as generic public
|
|
contracts, then keep ECStore's old public names as type aliases bound to
|
|
`ObjectInfo` and `Error`.
|
|
- Acceptance: `rustfs-storage-api` exports the generic list response
|
|
contracts, ECStore no longer defines local response structs for these
|
|
contracts, existing ECStore consumers keep their old import path, and
|
|
migration guards reject dropping the public storage-api re-export or
|
|
reintroducing local ECStore definitions.
|
|
- Must preserve: list v1/v2 truncation and marker fields, list-object-version
|
|
marker fields, object/prefix vectors, walk item/error channel shape, and
|
|
ECStore list/walk runtime behavior.
|
|
- Risk defense: only generic response containers cross into
|
|
`rustfs-storage-api`; ECStore keeps `ObjectInfo`, `ObjectOptions`,
|
|
`WalkOptions`, filemeta filters, object metadata adaptation, storage errors,
|
|
readers, lifecycle/replication coupling, and list/walk implementation
|
|
bodies.
|
|
- Verification: focused storage-api tests, ECStore/RustFS/downstream compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
full pre-commit, and required three-expert review passed.
|
|
|
|
- [x] `API-020` Move walk options contract.
|
|
- Completed slice: move `WalkOptions` from ECStore `store_api/types.rs` into
|
|
`rustfs-storage-api` as a generic public contract over the filter type,
|
|
then keep ECStore's old public `WalkOptions` name as a type alias bound to
|
|
the existing `fn(&FileInfo) -> bool` filter shape.
|
|
- Acceptance: `rustfs-storage-api` exports `WalkOptions`, ECStore no longer
|
|
defines a local `WalkOptions` struct, existing ECStore consumers keep their
|
|
old import path, and migration guards reject dropping the public
|
|
storage-api re-export or reintroducing a local ECStore definition.
|
|
- Must preserve: walk filter optionality, marker, latest-only flag, ask-disks
|
|
string, version sort default, limit semantics, include-free-versions flag,
|
|
and ECStore list/walk runtime behavior.
|
|
- Risk defense: only the generic options container crosses into
|
|
`rustfs-storage-api`; ECStore keeps the concrete `FileInfo` filter binding,
|
|
list/walk implementations, metadata conversion, readers, storage errors,
|
|
lifecycle/replication coupling, and operation traits.
|
|
- Verification: focused storage-api tests, ECStore/RustFS/downstream compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
full pre-commit, and required three-expert review passed.
|
|
|
|
- [x] `API-021` Move list operations contract.
|
|
- Completed slice: move `ListOperations` from ECStore `store_api/traits.rs`
|
|
into `rustfs-storage-api` as a generic public operation contract over list
|
|
response, walk option, cancellation, sender, and error associated types;
|
|
keep ECStore's old public `ListOperations` name as a fixed associated-type
|
|
compatibility subtrait.
|
|
- Acceptance: `rustfs-storage-api` exports `ListOperations`, ECStore no
|
|
longer defines local list operation method signatures, existing ECStore
|
|
generic bounds keep the old import path, and migration guards reject
|
|
dropping the public storage-api re-export or reintroducing local ECStore
|
|
list method definitions.
|
|
- Must preserve: list v2 pagination, list-object-versions pagination, walk
|
|
channel shape, cancellation token usage, ECStore public compatibility
|
|
bounds, and all ECStore list/walk runtime behavior.
|
|
- Risk defense: only the trait contract crosses into `rustfs-storage-api`;
|
|
ECStore keeps the concrete associated type bindings, response aliases,
|
|
walk option alias, object metadata conversion, storage errors, lifecycle
|
|
and replication coupling, and implementation bodies.
|
|
- Verification: focused storage-api tests, ECStore/RustFS/downstream compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
full pre-commit, and required three-expert review passed.
|
|
|
|
- [x] `API-022` Move object and multipart operation contracts.
|
|
- Completed slice: move `ObjectIO`, `ObjectOperations`, and
|
|
`MultipartOperations` from ECStore `store_api/traits.rs` into
|
|
`rustfs-storage-api` as generic public operation contracts over ECStore
|
|
reader, option, metadata, multipart DTO, file-info, delete, header, range,
|
|
and error associated types; keep ECStore's old public trait names as fixed
|
|
associated-type compatibility subtraits.
|
|
- Acceptance: `rustfs-storage-api` exports the object and multipart
|
|
operation contracts, ECStore no longer defines local object/multipart method
|
|
signatures, existing ECStore generic bounds keep the old import path, and
|
|
migration guards reject dropping the public storage-api re-export or
|
|
reintroducing local ECStore object/multipart method definitions.
|
|
- Must preserve: object reader/writer behavior, object metadata/tag/delete
|
|
behavior, multipart create/copy/part/list/complete/abort behavior, ECStore
|
|
public compatibility bounds, and all ECStore object/multipart runtime
|
|
behavior.
|
|
- Risk defense: only the trait contracts cross into `rustfs-storage-api`;
|
|
ECStore keeps the concrete associated type bindings, readers,
|
|
`ObjectInfo`, `ObjectOptions`, `PutObjReader`, filemeta adaptation, storage
|
|
errors, lifecycle/replication/rio/compression/encryption coupling, and
|
|
implementation bodies.
|
|
- Verification: focused storage-api tests, ECStore/RustFS/downstream compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
full pre-commit, and required three-expert review passed.
|
|
- [x] `API-023` Move heal and namespace-lock operation contracts.
|
|
- Completed slice: move `HealOperations` and `NamespaceLocking` from ECStore
|
|
`store_api/traits.rs` into `rustfs-storage-api` as generic public
|
|
operation contracts over ECStore heal result/options, namespace-lock
|
|
wrapper, and error associated types; keep ECStore's old public trait names
|
|
as fixed associated-type compatibility subtraits.
|
|
- Acceptance: `rustfs-storage-api` exports the heal and namespace-lock
|
|
operation contracts, ECStore no longer defines local heal/namespace-lock
|
|
method signatures, focused consumers use the shared trait for method
|
|
resolution, and migration guards reject dropping the public storage-api
|
|
re-export or reintroducing local ECStore method definitions.
|
|
- Must preserve: heal format/bucket/object behavior, abandoned-part checks,
|
|
pool/set lookup behavior, namespace-lock acquisition behavior, ECStore
|
|
public compatibility bounds, and all runtime lock/heal implementation
|
|
bodies.
|
|
- Risk defense: only the trait contracts cross into `rustfs-storage-api`;
|
|
ECStore keeps concrete associated type bindings, `HealOpts`,
|
|
`HealResultItem`, `NamespaceLockWrapper`, lock implementation, peer heal
|
|
behavior, set/pool dispatch, and storage error mapping.
|
|
- Verification: focused storage-api/ECStore/RustFS/heal/scanner compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
full pre-commit, and required three-expert review passed.
|
|
|
|
- [x] `API-024` Clean shared list operation consumer bounds.
|
|
- Completed slice: migrate RustFS S3/bucket usecase list response builders from
|
|
ECStore `ListObjectVersionsInfo`/`ListObjectsV2Info` aliases to
|
|
`rustfs-storage-api` generic list response contracts bound to ECStore
|
|
`ObjectInfo`; migrate IAM walk channel typing from ECStore
|
|
`ObjectInfoOrErr` alias to the shared generic item contract.
|
|
- Acceptance: outer RustFS/IAM consumers use storage-api list response
|
|
contracts directly, ECStore keeps concrete aliases for internal
|
|
implementation and compatibility, and migration guards reject restoring the
|
|
old outer-consumer imports.
|
|
- Must preserve: S3 list v2/version output mapping, IAM config walk channel
|
|
item/error handling, ECStore concrete object metadata shape, walk options
|
|
inference, and storage error conversion behavior.
|
|
- Risk defense: this slice moves only low-coupling generic response/channel
|
|
typing; ECStore still owns `ObjectInfo`, `ObjectOptions`, readers,
|
|
filemeta-bound walk filter type, delete DTOs, and list/walk implementation
|
|
bodies.
|
|
- Verification: focused RustFS/IAM compile and tests, migration/layer guards,
|
|
formatting, diff hygiene, Rust risk scan, full pre-commit, and required
|
|
three-expert review passed.
|
|
|
|
- [x] `API-025` Clean external operation consumer bounds.
|
|
- Completed slice: migrate scanner data-usage cache storage bounds, RustFS
|
|
object-usecase namespace-lock helper bounds, and table catalog object
|
|
backend storage bounds from ECStore compatibility operation traits to
|
|
`rustfs-storage-api` operation traits with explicit ECStore concrete
|
|
associated-type bindings.
|
|
- Acceptance: outer RustFS/scanner consumers no longer import ECStore
|
|
operation traits, ECStore keeps compatibility traits for internal
|
|
implementation and downstream compatibility, and migration guards reject
|
|
restoring old outer-consumer operation trait imports.
|
|
- Must preserve: scanner cache load/save behavior, scanner backend timeout
|
|
and retry behavior, object self-copy namespace-lock quorum/error mapping,
|
|
table catalog object read/write/list/lock behavior, ECStore object metadata
|
|
shape, reader shape, walk filter shape, and storage error conversion.
|
|
- Risk defense: this slice changes only generic bounds/import ownership;
|
|
ECStore still owns concrete object DTOs, readers, delete DTOs, lock wrappers,
|
|
walk filters, and implementation bodies.
|
|
- Verification: focused RustFS/scanner compile and tests, migration/layer
|
|
guards, formatting, diff hygiene, Rust risk scan, full pre-commit, and
|
|
required three-expert review passed.
|
|
|
|
- [x] `API-026` Clean external DTO consumer boundaries.
|
|
- Current branch: `overtrue/arch-storage-dto-consumer-boundaries`.
|
|
- Completed slice: introduce crate-local semantic aliases for ECStore-owned
|
|
object metadata/options/readers/delete DTOs in scanner, heal, notify, Swift,
|
|
S3 Select, and RustFS storage/app consumers; update production and affected
|
|
test call sites to use those local aliases instead of raw
|
|
`rustfs_ecstore::store_api` DTO imports.
|
|
- Acceptance: non-ECStore direct `rustfs_ecstore::store_api` references are
|
|
limited to boundary alias definitions, ECStore remains the owner of
|
|
`ObjectInfo`, `ObjectOptions`, object readers, delete DTOs, walk filters,
|
|
lock wrappers, and implementation behavior, and external consumers express
|
|
their local semantic dependency through crate-owned names.
|
|
- Must preserve: object metadata shape, object option defaults, reader/writer
|
|
behavior, delete replication DTO handling, scanner cache semantics, heal
|
|
storage metadata semantics, Swift and S3 Select object reads, notification
|
|
event payloads, S3 response DTO mapping, and storage/app test behavior.
|
|
- Risk defense: this slice uses type aliases and import-boundary cleanup only;
|
|
it does not move DTO definitions, alter serialization, change object-store
|
|
implementations, or adjust runtime control flow.
|
|
- Verification: focused compile/tests, migration/layer guards, formatting,
|
|
diff hygiene, direct import scan, Rust risk scan, full pre-commit, and
|
|
required three-expert review passed.
|
|
|
|
- [x] `API-027` Clean remaining external storage DTO imports.
|
|
- Current branch: `overtrue/arch-storage-compat-contract-cleanup`.
|
|
- Completed slice: move table catalog, IAM object-store, admin zip-download,
|
|
capacity dirty-scope tests, heal integration tests, scanner, Swift, S3
|
|
Select, and notify event payloads from raw ECStore `store_api` DTO imports
|
|
to crate-local compatibility aliases/modules.
|
|
- Acceptance: non-ECStore direct `rustfs_ecstore::store_api` references are
|
|
limited to explicit boundary alias points in RustFS storage plus scanner,
|
|
heal, IAM, notify, Swift, and S3 Select compatibility modules; table
|
|
catalog, affected tests, and protocol/scanner/notification consumers
|
|
consume those boundary names instead of raw ECStore DTO paths.
|
|
- Must preserve: table catalog storage trait bindings, IAM metadata/lazy
|
|
rewrite behavior, object zip preflight/read semantics, capacity dirty-disk
|
|
assertions, heal integration object read/write behavior, scanner cache
|
|
load/save semantics, Swift object read/write/copy/delete behavior, S3
|
|
Select object-store reads, notify event payload shape, and ECStore-owned DTO
|
|
concrete shapes.
|
|
- Risk defense: this slice changes import ownership and type aliases only; it
|
|
does not move DTO definitions, alter serialization, change object-store
|
|
implementation bodies, or adjust runtime control flow.
|
|
- Verification: focused compile/tests, migration/layer guards, formatting,
|
|
diff hygiene, direct import scan, Rust risk scan, full pre-commit, and
|
|
required three-expert review passed.
|
|
|
|
- [x] `API-028` Clean Swift ECStore runtime boundary imports.
|
|
- Current branch: `overtrue/arch-swift-ecstore-boundaries`.
|
|
- Completed slice: move Swift account, container, object, and versioning
|
|
access to ECStore object-store resolver and bucket metadata get/set calls
|
|
behind the Swift-local `storage_compat` module.
|
|
- Acceptance: direct Swift module references to `rustfs_ecstore` for object
|
|
store resolution, bucket metadata reads, bucket metadata writes, and object
|
|
DTO aliases are limited to `swift::storage_compat`; Swift business modules
|
|
consume Swift-owned compatibility names.
|
|
- Must preserve: Swift account metadata tags, container metadata tags,
|
|
versioning location tags, ACL tag storage, object CRUD/copy/range behavior,
|
|
storage-not-initialized error mapping, and bucket metadata load/save error
|
|
mapping.
|
|
- Risk defense: this slice changes import ownership and thin wrapper
|
|
boundaries only; it does not move ECStore definitions, alter metadata
|
|
serialization, change Swift bucket naming, or adjust runtime control flow.
|
|
- Verification: focused Swift compile/tests, migration/layer guards,
|
|
formatting, diff hygiene, direct Swift import scan, Rust risk scan, full
|
|
pre-commit, and required three-expert review passed.
|
|
|
|
- [x] `API-029` Clean scanner and heal ECStore runtime boundaries.
|
|
- Current branch: `overtrue/arch-scanner-heal-runtime-boundaries`.
|
|
- Completed slice: move scanner and heal direct ECStore runtime, disk,
|
|
metadata, lifecycle, replication, config, and error imports behind their
|
|
crate-local compatibility modules.
|
|
- Acceptance: direct `rustfs_ecstore` references in `crates/scanner/src` and
|
|
`crates/heal/src` are limited to scanner/heal compatibility boundary
|
|
modules; scanner/heal business modules consume local compatibility names.
|
|
- Must preserve: scanner cache load/save behavior, lifecycle and replication
|
|
scan behavior, disk bucket scan inventory lookup, heal object/bucket/format
|
|
behavior, resume state storage, heal channel test contracts, and existing
|
|
ECStore-owned concrete types.
|
|
- Risk defense: this slice changes import ownership and thin compatibility
|
|
boundaries only; it does not alter scanner scheduling, heal scheduling,
|
|
object I/O logic, disk operations, metadata serialization, or error
|
|
mapping.
|
|
- Verification: focused scanner/heal compile/tests, direct import scans,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, full
|
|
pre-commit, and required three-expert review passed.
|
|
|
|
- [x] `API-030` Clean app, storage, and admin ECStore runtime boundaries.
|
|
- Current branch: `overtrue/arch-app-storage-admin-runtime-boundaries`.
|
|
- Completed slice: add crate-local app, storage, and admin compatibility
|
|
boundary modules for ECStore-owned runtime contracts, then migrate direct
|
|
`rustfs_ecstore` imports in `rustfs/src/app`, `rustfs/src/storage`, and
|
|
`rustfs/src/admin` through those boundary modules.
|
|
- Acceptance: direct `rustfs_ecstore` references in app/storage/admin source
|
|
are limited to the local compatibility boundary modules; app, storage, and
|
|
admin business/test modules consume local compatibility names.
|
|
- Must preserve: app object/bucket/multipart/admin usecase behavior, storage
|
|
ECFS/access/SSE/RPC behavior, admin route/handler/service behavior,
|
|
metadata serialization, encryption handling, authorization, and existing
|
|
ECStore-owned concrete type ownership.
|
|
- Risk defense: this slice changes import ownership only; it does not move
|
|
ECStore definitions, alter runtime control flow, adjust route registration,
|
|
change storage I/O, mutate metadata formats, or alter admin authorization.
|
|
- Verification: direct app/storage/admin import scan, RustFS test compile
|
|
check, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
full pre-commit, and required three-expert review passed.
|
|
|
|
- [x] `API-031` Clean runtime, observability, S3 Select, notify, and IAM
|
|
ECStore runtime boundaries.
|
|
- Current branch: `overtrue/arch-runtime-observability-select-boundaries`.
|
|
- Completed slice: add RustFS root, obs, and IAM compatibility boundary
|
|
modules; extend notify and S3 Select compatibility modules; migrate direct
|
|
`rustfs_ecstore` imports in RustFS startup/server/runtime/table-catalog
|
|
code plus obs, notify, S3 Select, and IAM through those local boundaries.
|
|
- Acceptance: direct `rustfs_ecstore` references in those source areas are
|
|
limited to local compatibility boundary modules; runtime and crate business
|
|
modules consume local compatibility names.
|
|
- Must preserve: startup ordering, readiness/RPC behavior, capacity metrics,
|
|
table catalog object I/O behavior, notification config persistence, S3
|
|
Select object-store reads, IAM storage/error mapping, and observability
|
|
metrics collection behavior.
|
|
- Risk defense: this slice changes import ownership only; it does not move
|
|
ECStore definitions, alter runtime control flow, adjust readiness checks,
|
|
mutate table catalog metadata, change IAM policy behavior, or alter notify,
|
|
S3 Select, or obs runtime semantics.
|
|
- Verification: focused compile, direct import scan, migration/layer guards,
|
|
formatting, diff hygiene, Rust risk scan, full pre-commit, and required
|
|
three-expert review passed.
|
|
|
|
- [x] `API-032` Clean test harness and fuzz ECStore compatibility boundaries.
|
|
- Current branch: `overtrue/arch-test-harness-fuzz-storage-boundaries`.
|
|
- Completed slice: add scanner/heal integration test, e2e test, and fuzz
|
|
target compatibility boundary modules; migrate direct `rustfs_ecstore`
|
|
imports in those test/fuzz harnesses through local boundaries.
|
|
- Acceptance: direct `rustfs_ecstore` references in scanner/heal integration
|
|
tests, e2e test helpers, and fuzz targets are limited to local
|
|
compatibility boundary modules; test and fuzz modules consume local
|
|
compatibility names.
|
|
- Must preserve: scanner lifecycle integration behavior, heal integration and
|
|
bug-fix test behavior, e2e node/grpc/replication helpers, fuzz target input
|
|
shape, and existing ECStore-owned concrete type ownership.
|
|
- Risk defense: this slice changes import ownership only; it does not move
|
|
ECStore definitions, alter test setup semantics, change fuzz inputs, adjust
|
|
runtime control flow, or mutate metadata formats.
|
|
- Verification: focused scanner/heal/e2e compile, fuzz target compile,
|
|
migration/layer guards, formatting check, diff hygiene, direct import scan,
|
|
risk scan, full pre-commit, and required three-expert review passed.
|
|
|
|
- [x] `API-033` Narrow ECStore compatibility export surfaces.
|
|
- Current branch: `overtrue/arch-narrow-storage-compat-exports`.
|
|
- Completed slice: replace local whole-crate ECStore compatibility aliases
|
|
with explicit re-export modules for RustFS runtime/app/admin/storage, obs,
|
|
notify, S3 Select, IAM, scanner/heal integration tests, e2e helpers, and
|
|
fuzz targets.
|
|
- Acceptance: local ECStore compatibility boundaries expose only the ECStore
|
|
modules/functions required by their consumers; direct `rustfs_ecstore`
|
|
references remain limited to compatibility boundary modules.
|
|
- Must preserve: all runtime, admin, storage, observability, notification, S3
|
|
Select, IAM, scanner/heal test, e2e helper, and fuzz behavior from
|
|
API-031/API-032.
|
|
- Risk defense: this slice changes compatibility re-export ownership only; it
|
|
does not move ECStore definitions, alter runtime control flow, mutate
|
|
metadata formats, change test setup semantics, or adjust fuzz inputs.
|
|
- Verification: focused compile, fuzz target compile, migration/layer guards,
|
|
formatting check, diff hygiene, direct import scan, risk scan, full
|
|
pre-commit, and required three-expert review passed.
|
|
|
|
- [x] `API-034` Narrow remaining ECStore compatibility export surfaces.
|
|
- Current branch: `overtrue/arch-remaining-storage-compat-exports`.
|
|
- Completed slice: narrow the remaining scanner, heal, Swift, and IAM store
|
|
ECStore compatibility boundary modules from direct ECStore imports to
|
|
explicit local `ecstore` re-export surfaces while keeping existing local
|
|
semantic aliases unchanged; add a migration guard that rejects future direct
|
|
`rustfs_ecstore` imports outside compatibility boundary modules.
|
|
- Acceptance: direct `rustfs_ecstore` references in non-ECStore source are
|
|
limited to local compatibility boundary modules; business modules continue
|
|
to consume crate-local compatibility names, and migration rules reject
|
|
bypassing those boundaries.
|
|
- Must preserve: scanner cache/lifecycle/replication behavior, heal storage
|
|
and disk behavior, Swift object/bucket metadata behavior, IAM object-store
|
|
metadata behavior, and all ECStore-owned concrete type ownership.
|
|
- Risk defense: this slice changes compatibility import ownership only; it
|
|
does not move ECStore definitions, alter runtime control flow, mutate
|
|
metadata formats, change Swift/IAM semantics, or adjust scanner/heal
|
|
scheduling.
|
|
- Verification: focused scanner/heal/IAM compile, Swift feature compile,
|
|
migration/layer guards, formatting check, diff hygiene, direct import scan,
|
|
risk scan, full pre-commit, and required three-expert review passed.
|
|
|
|
- [x] `API-035` Prune compatibility re-export allowances.
|
|
- Current branch: `overtrue/arch-compat-reexport-prune`.
|
|
- Current slice: remove unused-import allowances from production and fuzz
|
|
ECStore compatibility boundary modules, keep target-specific test harness
|
|
exceptions explicit, gate test-only RustFS storage compatibility re-exports
|
|
with `cfg(test)`, and add a migration rule preventing production
|
|
compatibility boundaries from hiding unused ECStore re-exports.
|
|
- Acceptance: production and fuzz `storage_compat.rs` modules compile without
|
|
unused-import allows, test-only compatibility exceptions remain scoped to
|
|
harnesses with target-specific compile needs, and migration rules reject
|
|
reintroducing broad unused-import allowances in production compatibility
|
|
boundaries.
|
|
- Must preserve: all ECStore-owned concrete types and runtime behavior,
|
|
startup/storage/admin/app/Swift/scanner/heal/IAM/notify/obs/S3 Select
|
|
import paths, test harness behavior, and fuzz target behavior.
|
|
- Risk defense: this slice changes only compatibility boundary re-export
|
|
hygiene and migration guard coverage; it does not move definitions, alter
|
|
runtime control flow, mutate metadata formats, or change storage behavior.
|
|
- Verification: focused compile checks, fuzz manifest compile, migration and
|
|
layer guards, formatting check, diff hygiene, risk scan, full pre-commit,
|
|
and required three-expert review passed.
|
|
|
|
- [x] `API-036` Move delete-object DTO contracts.
|
|
- Current branch: `overtrue/arch-delete-object-contracts`.
|
|
- Current slice: move `ObjectToDelete` and `DeletedObject` from ECStore
|
|
`store_api` into `rustfs-storage-api`, keep old ECStore paths as type
|
|
aliases for compatibility, migrate RustFS/scanner aliases to the
|
|
storage-api contracts, and guard against reintroducing ECStore-owned delete
|
|
DTO definitions.
|
|
- Acceptance: storage-api exports delete-object DTO contracts, ECStore keeps
|
|
compatibility type aliases without owning the definitions, external
|
|
RustFS/scanner aliases consume storage-api directly, and migration rules
|
|
reject restoring ECStore definitions or public re-exports.
|
|
- Must preserve: delete-object field names and types, replication-state helper
|
|
semantics, ECStore object/delete operation associated types, scanner delete
|
|
selection behavior, RustFS object delete behavior, and old ECStore import
|
|
compatibility.
|
|
- Risk defense: this is a pure DTO ownership move; it does not change
|
|
deletion control flow, replication decisions, lifecycle expiry behavior, or
|
|
object metadata persistence.
|
|
- Verification: focused compile checks, storage-api tests, migration and layer
|
|
guards, formatting check, diff hygiene, risk scan, full pre-commit, and
|
|
required three-expert review passed.
|
|
|
|
- [x] `API-037` Clean delete-object DTO consumers.
|
|
- Current branch: `overtrue/arch-delete-object-contracts`.
|
|
- Current slice: migrate ECStore internal delete-object DTO consumers from
|
|
old `crate::store_api` imports to `rustfs-storage-api` contracts while
|
|
keeping public ECStore type aliases for downstream compatibility.
|
|
- Acceptance: ECStore object, set, lifecycle, and replication internals use
|
|
storage-api delete DTO contracts directly; public old-path type aliases
|
|
remain available; migration rules reject reintroducing ECStore internal
|
|
old-path delete DTO consumers.
|
|
- Must preserve: object delete result shape, batch delete error alignment,
|
|
lifecycle replication scheduling, MRF delete replay, replication retry
|
|
decisions, and old ECStore public import compatibility.
|
|
- Risk defense: this is a consumer import cleanup over identical type
|
|
definitions; it does not change delete control flow, replication decisions,
|
|
lifecycle expiry behavior, or object metadata persistence.
|
|
- Verification: focused ECStore/RustFS/scanner compile checks, migration and
|
|
layer guards, formatting check, diff hygiene, risk scan, full pre-commit,
|
|
and required three-expert review passed.
|
|
|
|
- [x] `API-038` Narrow remaining `store_api` compatibility re-export surfaces.
|
|
- Current branch: `overtrue/arch-delete-object-contracts`.
|
|
- Current slice: replace whole-module `rustfs_ecstore::store_api`
|
|
compatibility re-exports in RustFS storage, scanner, heal, Swift,
|
|
S3 Select, IAM, and notify boundaries with explicit contract type
|
|
re-exports, and add a migration rule rejecting broad `store_api`
|
|
compatibility re-exports.
|
|
- Acceptance: storage compatibility boundaries expose only the concrete
|
|
`store_api` contracts their consumers use; downstream local aliases keep
|
|
the same names; migration rules reject reintroducing broad `store_api`
|
|
passthroughs in production compatibility boundaries.
|
|
- Must preserve: object info/options reader aliases, storage/list/multipart
|
|
operation trait bindings, scanner/heal/Swift/S3 Select/IAM/notify behavior,
|
|
and all ECStore-owned concrete type ownership.
|
|
- Risk defense: this is compatibility import surface cleanup only; it does
|
|
not move definitions, alter storage/runtime control flow, change object
|
|
metadata conversion, or mutate reader behavior.
|
|
- Verification: focused multi-crate compile, migration guard, formatting
|
|
check, diff hygiene, risk scan, full pre-commit, and required three-expert
|
|
review passed.
|
|
|
|
- [x] `API-039` Collapse nested `store_api` compatibility modules.
|
|
- Current branch: `overtrue/arch-compat-boundary-prune`.
|
|
- Current slice: replace nested `store_api` compatibility modules in RustFS
|
|
storage, scanner, heal, Swift, S3 Select, IAM, and notify boundaries with
|
|
direct local type aliases, and add a migration rule rejecting nested
|
|
`store_api` modules in storage compatibility files.
|
|
- Acceptance: storage compatibility boundaries no longer recreate
|
|
`store_api` module shapes; downstream aliases keep the same concrete
|
|
contract types; migration rules reject restoring nested `store_api`
|
|
compatibility modules outside ECStore and test-only boundaries.
|
|
- Must preserve: object info/options reader aliases, scanner/heal/Swift/S3
|
|
Select/IAM/notify compile-time contracts, storage API compatibility names,
|
|
and ECStore-owned concrete type ownership.
|
|
- Risk defense: this is a local alias-shape cleanup only; it does not move
|
|
definitions, alter storage/runtime control flow, change object metadata
|
|
conversion, or mutate reader behavior.
|
|
- Verification: focused multi-crate compile, migration and layer guards,
|
|
formatting check, diff hygiene, risk scan, full pre-commit, and required
|
|
three-expert review passed.
|
|
|
|
- [x] `API-040` Lock remaining `store_api` compatibility aliases.
|
|
- Current branch: `overtrue/arch-compat-boundary-prune`.
|
|
- Current slice: add a migration rule that allows the remaining
|
|
`rustfs_ecstore::store_api::*` references in production storage
|
|
compatibility files only when they are explicit local type aliases to the
|
|
four ECStore-owned contracts still intentionally kept in ECStore.
|
|
- Acceptance: production compatibility boundaries can keep only explicit
|
|
aliases to `GetObjectReader`, `ObjectInfo`, `ObjectOptions`, and
|
|
`PutObjReader`; any broader import, module recreation, or new raw
|
|
`store_api` compatibility dependency fails the architecture guard.
|
|
- Must preserve: existing local alias names and concrete ECStore-owned reader,
|
|
object info, and object option contract ownership.
|
|
- Risk defense: this is a guardrail-only slice; it does not change runtime
|
|
code, storage behavior, object metadata shape, or reader behavior.
|
|
- Verification: migration and layer guards, formatting check, diff hygiene,
|
|
risk scan, full pre-commit, and required three-expert review passed.
|
|
|
|
- [x] `API-041` Lock ECStore compatibility passthrough allowlists.
|
|
- Current branch: `overtrue/arch-compat-passthrough-guards`.
|
|
- Current slice: add a migration rule that snapshots every
|
|
`rustfs_ecstore` module/function passthrough exposed from local
|
|
`storage_compat.rs` boundaries across RustFS, scanner, heal, Swift,
|
|
S3 Select, IAM, notify, observability, e2e, and fuzz harnesses.
|
|
- Acceptance: compatibility boundaries cannot silently add or remove ECStore
|
|
passthrough items; future cleanup PRs must update the explicit allowlist
|
|
when they intentionally shrink or reshape a boundary.
|
|
- Must preserve: all existing local compatibility paths, ECStore concrete
|
|
type ownership, storage behavior, startup behavior, scanner/heal behavior,
|
|
Swift/S3 Select/IAM/notify behavior, observability reads, and test/fuzz
|
|
harness behavior.
|
|
- Risk defense: this is a loss-prevention guard only; it does not change
|
|
runtime code, storage APIs, object metadata shape, reader behavior, or
|
|
worker lifecycle.
|
|
- Verification: migration guard, formatting check, diff hygiene, risk scan,
|
|
focused script check, and full pre-commit required before push.
|
|
|
|
- [x] `API-042` Split notify event object contract from ECStore ObjectInfo.
|
|
- Current branch: `overtrue/arch-compat-passthrough-contracts`.
|
|
- Current slice: give `rustfs-notify` its own lightweight
|
|
`NotifyObjectInfo` event DTO, keep ECStore-to-notify conversion private to
|
|
the notify compatibility boundary, and update RustFS event handoff sites to
|
|
use the conversion explicitly.
|
|
- Acceptance: notify no longer publicly re-exports ECStore `ObjectInfo` as
|
|
its event object type; existing RustFS event generation, restore-completed
|
|
event data, version IDs, object metadata filtering, and ECStore bridge
|
|
behavior are preserved.
|
|
- Must preserve: S3 event JSON shape, remove-event metadata suppression,
|
|
restore-completed glacier data formatting, object key URL encoding,
|
|
request/response headers, replication request filtering, and existing
|
|
EventArgsBuilder call sites.
|
|
- Risk defense: this is a consumer contract split only; ECStore remains the
|
|
producer of storage metadata, while notify owns the event-facing DTO.
|
|
- Verification: focused notify/RustFS compile, migration and layer guards,
|
|
formatting check, diff hygiene, risk scan, full pre-commit, and required
|
|
three-expert review passed.
|
|
|
|
- [x] `API-043` Remove notify ECStore config passthroughs.
|
|
- Current branch: `overtrue/arch-compat-passthrough-contracts`.
|
|
- Current slice: replace notify's public compatibility passthroughs for
|
|
ECStore config/global modules with a crate-local config update boundary,
|
|
then shrink the passthrough guard snapshot.
|
|
- Acceptance: notify config mutation code no longer reaches through
|
|
ECStore config/global modules directly; the storage compatibility boundary
|
|
owns ECStore handle resolution, read, save, and error classification.
|
|
- Must preserve: target config read-modify-save behavior, unchanged-config
|
|
no-op handling, storage-not-initialized error wording, read/save error
|
|
mapping, target reload ordering, and runtime lifecycle logging.
|
|
- Risk defense: this keeps persistence semantics unchanged while reducing
|
|
the compatibility surface visible to notify business logic.
|
|
- Verification: focused notify/RustFS compile, migration and layer guards,
|
|
formatting check, diff hygiene, risk scan, full pre-commit, and required
|
|
three-expert review required before push.
|
|
|
|
- [x] `API-044` Remove S3 Select ECStore module passthroughs.
|
|
- Current branch: `overtrue/arch-compat-passthrough-contracts`.
|
|
- Current slice: replace S3 Select's public compatibility passthroughs for
|
|
ECStore error, store, set-disk, and resolver modules with crate-local
|
|
aliases/functions, then shrink the passthrough guard snapshot.
|
|
- Acceptance: S3 Select object-store code no longer reaches through ECStore
|
|
modules directly; storage errors, store handle resolution, ECStore store
|
|
type ownership, and default read-buffer sizing remain behind the local
|
|
storage compatibility boundary.
|
|
- Must preserve: S3 Select object-store initialization, not-found error
|
|
mapping, scan-range defaults, stream buffer sizing, JSON document handling,
|
|
CSV conversion streams, and ECStore object reader/info calls.
|
|
- Risk defense: this changes import ownership only; S3 Select still uses the
|
|
same ECStore runtime APIs through narrower local compatibility names.
|
|
- Verification: focused S3 Select/notify/RustFS compile, migration and layer
|
|
guards, formatting check, diff hygiene, risk scan, full pre-commit, and
|
|
required three-expert review required before push.
|
|
|
|
- [x] `API-045` Remove observability ECStore module passthroughs.
|
|
- Current branch: `overtrue/arch-compat-passthrough-contracts`.
|
|
- Current slice: replace OBS metrics passthroughs for ECStore bucket,
|
|
data-usage, global, pools, and object-store resolver modules with
|
|
crate-local storage compatibility functions and snapshots, then shrink the
|
|
passthrough guard snapshot.
|
|
- Acceptance: OBS metrics collection no longer reaches through ECStore
|
|
modules directly; object-store resolution, data-usage loading, capacity
|
|
calculation, quota reads, replication state, bucket bandwidth monitor
|
|
access, and ILM runtime counters remain behind the OBS compatibility
|
|
boundary.
|
|
- Must preserve: cluster/health metrics, bucket usage metrics, replication
|
|
and bandwidth metrics, scheduler tombstone behavior, disk/drive metrics,
|
|
erasure-set metrics, ILM metrics, existing warning paths, and no-data
|
|
fallback behavior.
|
|
- Risk defense: this changes compatibility ownership only; OBS still reads
|
|
the same ECStore runtime state through narrower local compatibility names.
|
|
- Verification: focused OBS/notify/S3 Select/RustFS compile, migration and
|
|
layer guards, formatting check, diff hygiene, risk scan, full pre-commit,
|
|
and required three-expert review required before push.
|
|
|
|
- [x] `API-046` Remove IAM and Swift ECStore module passthroughs.
|
|
- Current branch: `overtrue/arch-compat-iam-swift-boundaries`.
|
|
- Current slice: replace IAM's ECStore config/error/global/notification/store
|
|
module passthroughs and Swift's ECStore bucket/error/store resolver
|
|
passthroughs with local compatibility aliases and wrapper functions, then
|
|
shrink the passthrough guard snapshot.
|
|
- Acceptance: IAM store, IAM notification fanout, IAM error conversion, IAM
|
|
first-node checks, and Swift bucket metadata/object-store access no longer
|
|
reach through ECStore modules directly from consumer code.
|
|
- Must preserve: IAM config prefix layout, IAM config read/write/delete
|
|
semantics, lazy rewrite precondition behavior, config-not-found mapping,
|
|
peer notification fanout error logging, first-node initial load behavior,
|
|
Swift object-store resolution, and Swift bucket metadata get/set behavior.
|
|
- Risk defense: this is an import ownership and compatibility-boundary
|
|
cleanup only; ECStore remains the owner of concrete storage/runtime state
|
|
while IAM and Swift expose narrower local names to their consumers.
|
|
- Verification: focused IAM/Swift compile, IAM unit tests, migration and
|
|
layer guards, formatting check, diff hygiene, risk scan, full pre-commit,
|
|
and required three-expert review required before push.
|
|
|
|
- [x] `API-047` Remove heal and scanner production ECStore module passthroughs.
|
|
- Current branch: `overtrue/arch-heal-scanner-compat-boundaries`.
|
|
- Current slice: replace heal and scanner production compatibility
|
|
passthrough modules with explicit local aliases and wrapper functions,
|
|
while leaving test-only ECStore compatibility harnesses for later cleanup.
|
|
- Acceptance: heal and scanner production code no longer exposes broad
|
|
ECStore module passthroughs for bucket/config/data-usage/disk/error/global,
|
|
pools, set-disk, store, or store-utils through `storage_compat.rs`.
|
|
- Must preserve: heal disk/resume/task behavior, scanner config persistence,
|
|
scanner lifecycle/replication actions, bucket cache scanning, object-store
|
|
resolution, erasure-mode checks, storage-class accounting, and data-usage
|
|
memory updates.
|
|
- Risk defense: this narrows import ownership only; ECStore remains the owner
|
|
of concrete storage/runtime state and scanner/heal keep the same local
|
|
compatibility names for existing call sites.
|
|
- Verification: focused heal/scanner compile, migration and layer guards,
|
|
formatting check, diff hygiene, risk scan, full pre-commit, and required
|
|
three-expert review required before push.
|
|
|
|
- [x] `API-048` Remove RustFS runtime ECStore module passthroughs.
|
|
- Current branch: `overtrue/arch-rustfs-runtime-compat-boundaries`.
|
|
- Current slice: replace the RustFS app, admin, storage, and root runtime
|
|
compatibility passthrough modules with explicit local aliases and nested
|
|
compatibility exports, while preserving existing consumer paths.
|
|
- Acceptance: RustFS runtime compatibility files no longer expose broad
|
|
ECStore top-level module passthroughs for app/admin/storage/root runtime
|
|
consumers, and the passthrough guard snapshot keeps only test/fuzz
|
|
harness allowances.
|
|
- Must preserve: startup config/bootstrap behavior, server readiness checks,
|
|
admin replication/rebalance/tier/config handlers, app object/bucket/
|
|
multipart usecases, storage RPC/SSE/access paths, table catalog storage
|
|
access, and existing test-only harness imports.
|
|
- Risk defense: this is an import ownership and compatibility-boundary
|
|
cleanup only; ECStore remains the owner of concrete storage/runtime state
|
|
while RustFS runtime modules retain stable local compatibility paths.
|
|
- Verification: focused RustFS test compile, migration and layer guards,
|
|
formatting check, diff hygiene, risk scan, full pre-commit, and required
|
|
three-expert review passed before push.
|
|
|
|
- [x] `API-049` Remove test and fuzz ECStore module passthroughs.
|
|
- Current branch: `overtrue/arch-test-fuzz-compat-boundaries`.
|
|
- Current slice: replace the remaining e2e, heal-test, scanner-test, and
|
|
fuzz-target ECStore module passthroughs with explicit local compatibility
|
|
aliases, split fuzz storage compatibility by target, and empty the
|
|
passthrough guard snapshot.
|
|
- Acceptance: no `storage_compat.rs` file may expose broad
|
|
`rustfs_ecstore` module passthroughs; the migration guard now rejects any
|
|
new passthrough unless a later slice deliberately adds a reviewed
|
|
allowlist entry.
|
|
- Must preserve: e2e bucket target and RPC helper imports, heal test disk and
|
|
store setup imports, scanner test lifecycle/tier/disk/storage imports,
|
|
fuzz bucket validation behavior, and fuzz path containment behavior.
|
|
- Risk defense: this is test-harness and fuzz-harness import ownership
|
|
cleanup only; ECStore remains the owner of the same concrete APIs and no
|
|
production runtime path is changed.
|
|
- Verification: focused test/fuzz compiles, migration and layer guards,
|
|
formatting check, diff hygiene, risk scan, full pre-commit, and required
|
|
three-expert review passed before push.
|
|
|
|
- [x] `API-050` Move lifecycle helper DTO contracts.
|
|
- Current branch: `overtrue/arch-storage-api-lifecycle-contracts`.
|
|
- Current slice: move `ExpirationOptions` and `TransitionedObject` into
|
|
rustfs-storage-api, update ECStore internal consumers plus notify test
|
|
coverage to import them directly, and keep ECStore old-path re-exports for
|
|
downstream compatibility callers.
|
|
- Acceptance: rustfs-storage-api exports both lifecycle helper DTOs, ECStore
|
|
no longer owns their concrete struct definitions, ECStore internal
|
|
consumers and notify coverage use the storage-api contracts directly, old
|
|
ECStore lifecycle paths remain available as re-exports, and migration rules
|
|
reject restoring the ECStore definitions or old internal imports.
|
|
- Must preserve: lifecycle expiration flags, transitioned object journal
|
|
metadata, object info construction, notify event conversion, and all old
|
|
ECStore import paths used by existing callers.
|
|
- Risk defense: this is a pure DTO move; no lifecycle scheduling, object I/O,
|
|
transition journal, replication, or reader behavior is changed.
|
|
- Verification: storage-api lifecycle helper unit test, ECStore transitioned
|
|
lifecycle tests, notify event conversion test, focused compile checks,
|
|
migration and layer guards, formatting check, diff hygiene, risk scan, full
|
|
pre-commit, and required three-expert review passed before push.
|
|
|
|
- [x] `API-051` Flatten test harness storage compatibility aliases.
|
|
- Current branch: `overtrue/arch-test-harness-compat-aliases`.
|
|
- Current slice: flatten e2e, heal, scanner, and fuzz storage compatibility
|
|
harnesses from nested `storage_compat::ecstore` modules into direct
|
|
crate-local aliases, constants, and function imports.
|
|
- Acceptance: no e2e, heal-test, scanner-test, or fuzz-target harness file
|
|
may expose or consume nested `storage_compat::ecstore` paths, and migration
|
|
rules reject reintroducing nested test/fuzz ECStore compatibility modules.
|
|
- Must preserve: e2e bucket target/RPC/disk helper imports, heal ECStore disk
|
|
and endpoint setup, scanner lifecycle/tier/disk/storage setup, fuzz bucket
|
|
validation behavior, and fuzz path-containment validation behavior.
|
|
- Risk defense: this is test-harness and fuzz-harness import cleanup only; no
|
|
production runtime behavior, ECStore ownership, storage metadata format, or
|
|
scanner/heal lifecycle logic is changed.
|
|
- Verification: focused e2e/heal/scanner test compile, harness tests,
|
|
migration and layer guards, formatting check, diff hygiene, risk scan, full
|
|
pre-commit, and required three-expert review passed before push.
|
|
|
|
- [x] `API-052` Flatten RustFS runtime storage compatibility aliases.
|
|
- Current branch: `overtrue/arch-rustfs-storage-compat-aliases`.
|
|
- Current slice: flatten RustFS root, app, admin, and storage runtime
|
|
compatibility facades from nested `storage_compat::ecstore` modules into
|
|
direct crate-local aliases, constants, and function imports.
|
|
- Acceptance: no RustFS runtime source file may expose or consume nested
|
|
`storage_compat::ecstore` paths, and migration rules reject reintroducing
|
|
nested RustFS runtime ECStore compatibility modules.
|
|
- Must preserve: startup/config/bootstrap behavior, server readiness checks,
|
|
admin replication/rebalance/tier/config handlers, app object/bucket/
|
|
multipart usecases, storage RPC/SSE/access paths, table catalog storage
|
|
access, and existing local compatibility ownership.
|
|
- Risk defense: this is RustFS runtime import cleanup only; no production
|
|
runtime behavior, ECStore ownership, storage metadata format, object I/O,
|
|
admin authorization, or readiness semantics are changed.
|
|
- Verification: focused RustFS compile, migration and layer guards,
|
|
formatting check, diff hygiene, risk scan, full pre-commit, and required
|
|
three-expert review passed before push.
|
|
|
|
- [x] `API-053` Flatten RustFS runtime scalar storage compatibility aliases.
|
|
- Current branch: `overtrue/arch-runtime-compat-surface-prune`.
|
|
- Current slice: flatten RustFS root, app, admin, and storage runtime scalar
|
|
compatibility facades such as store, error, global, endpoints, RPC,
|
|
metrics, notification, set-disk, and data-usage paths into direct
|
|
crate-local aliases and functions.
|
|
- Acceptance: RustFS runtime source no longer consumes those scalar
|
|
compatibility surfaces through secondary modules, while higher-coupling
|
|
bucket/config/rio compatibility modules remain unchanged; migration rules
|
|
reject restoring the flattened scalar paths.
|
|
- Must preserve: startup config/bootstrap behavior, server readiness checks,
|
|
admin replication/rebalance/tier/config handlers, app object/bucket/
|
|
multipart usecases, storage RPC/SSE/access paths, table catalog storage
|
|
access, and existing ECStore concrete type ownership.
|
|
- Risk defense: this is import ownership and facade-shape cleanup only; no
|
|
production runtime behavior, ECStore ownership, storage metadata format,
|
|
object I/O, admin authorization, or readiness semantics are changed.
|
|
- Verification: focused RustFS compile, migration and layer guards,
|
|
formatting check, diff hygiene, risk scan, full pre-commit, and required
|
|
three-expert review passed before push.
|
|
|
|
- [x] `API-054` Flatten RustFS runtime secondary storage compatibility aliases.
|
|
- Current branch: `overtrue/arch-runtime-secondary-compat-flatten`.
|
|
- Current slice: flatten RustFS root, app, admin, and storage runtime
|
|
secondary compatibility modules such as bucket, config, rio, client, tier,
|
|
compress, disk, and rebalance into direct crate-local aliases, modules, and
|
|
functions.
|
|
- Acceptance: RustFS runtime source no longer consumes those compatibility
|
|
surfaces through broad secondary modules, the runtime compatibility files no
|
|
longer define those wrapper modules, and migration rules reject restoring
|
|
the flattened secondary paths.
|
|
- Must preserve: startup config/bootstrap behavior, server module-switch
|
|
config reads, embedded startup storage initialization, admin bucket/meta/
|
|
tier/rebalance/config handlers, app object/bucket/multipart usecases,
|
|
storage RPC/SSE/access paths, table catalog storage access, and ECStore
|
|
concrete type ownership.
|
|
- Risk defense: this is import ownership and facade-shape cleanup only; no
|
|
production runtime behavior, ECStore ownership, storage metadata format,
|
|
object I/O, admin authorization, tier behavior, or readiness semantics are
|
|
changed.
|
|
- Verification: focused RustFS compile, migration and layer guards,
|
|
formatting check, diff hygiene, risk scan, and required three-expert review
|
|
passed before push.
|
|
|
|
## Phase 8 Background Controller Tasks
|
|
|
|
- [x] `BGC-001` Inventory background services.
|
|
- Acceptance:
|
|
[`background-services-inventory.md`](background-services-inventory.md)
|
|
records scanner, heal, lifecycle, replication, config reload, metrics,
|
|
shutdown, cancellation, and side-effect surfaces before controller work.
|
|
- Must preserve: no code behavior change and no new controller contract in
|
|
this PR.
|
|
- Verification: docs-only architecture checks and diff hygiene.
|
|
- [x] `BGC-002` Define minimal controller contract.
|
|
- Acceptance:
|
|
[`background-controller-contract.md`](background-controller-contract.md)
|
|
defines desired/current/status/reconcile vocabulary, status state
|
|
semantics, service boundaries, and side-effect rules without starting
|
|
workers or changing scheduling.
|
|
- Must preserve: no Rust trait, scheduler, service registry, worker
|
|
start/stop path, storage write, readiness change, peer signal, or runtime
|
|
behavior change.
|
|
- Verification: docs-only architecture checks and diff hygiene.
|
|
- [x] `BGC-003` Add read-only status snapshot.
|
|
- Acceptance: memory observability exposes a typed status snapshot that reports
|
|
service state, metrics enablement, configured interval, cancellation source,
|
|
and shutdown handle shape.
|
|
- Must preserve: no controller framework, admin route, worker lifecycle
|
|
change, storage write, readiness change, peer signal, or metrics emission
|
|
behavior change.
|
|
- Verification: focused memory observability tests, compile checks, migration
|
|
guards, formatting, and pre-commit quality gate.
|
|
- [x] `BGC-004` Pilot one controller.
|
|
- Acceptance: memory observability exposes a typed controller snapshot and
|
|
reconcile plan that compare desired state with current status.
|
|
- Must preserve: no admin route, scheduler, service registry, worker
|
|
lifecycle mutation, storage write, readiness signal, peer signal, or metrics
|
|
emission behavior change.
|
|
- Verification: focused controller tests prove repeated reconcile is
|
|
idempotent, cancellation state is preserved, and worker mutation remains
|
|
none.
|
|
- [x] `TEST-BGC-001` Add controller harness coverage.
|
|
- Acceptance: controller tests cover cancellation state, repeated reconcile,
|
|
paused-time stability, and no worker mutation for the low-risk controller
|
|
surfaces.
|
|
- Must preserve: no worker spawn, start, stop, resize, wakeup, storage write,
|
|
readiness signal, peer signal, or metrics emission behavior change.
|
|
- Verification: focused memory observability and allocator reclaim controller
|
|
tests.
|
|
- [x] `BGC-005` Add allocator reclaim controller/status surface.
|
|
- Acceptance: allocator reclaim exposes typed desired/status/controller
|
|
snapshots and a typed reconcile plan that reports backend, effective force,
|
|
idle interval, runtime cancellation, shutdown handle shape, and no-op worker
|
|
mutation.
|
|
- Must preserve: existing allocator reclaim enablement, backend-specific force
|
|
handling, idle-streak logic, metrics emission, runtime-token cancellation,
|
|
and startup call shape.
|
|
- Verification: focused allocator reclaim tests, compile checks, formatting,
|
|
migration guards, Rust risk scan, and pre-commit quality gate.
|
|
- [x] `BGC-006` Add metrics runtime controller/status surface.
|
|
- Acceptance: metrics runtime exposes typed desired/status/controller
|
|
snapshots and a typed reconcile plan that reports observability enablement,
|
|
collector task count, configured intervals, runtime cancellation, shutdown
|
|
handle shape, and no-op worker mutation.
|
|
- Must preserve: existing metrics collector grouping, interval parsing,
|
|
replication bandwidth tombstone cycles, metrics emission, runtime-token
|
|
cancellation, and startup call shape.
|
|
- Verification: focused metrics runtime tests, compile checks, formatting,
|
|
migration guards, Rust risk scan, and pre-commit quality gate.
|
|
- [x] `TEST-BGC-002` Preserve config reload and shutdown assumptions.
|
|
- Acceptance: dynamic server-config reload reports no worker mutation for
|
|
scanner/heal runtime config, bucket lifecycle/replication config files are
|
|
not dynamic server-config reload targets, and background shutdown keeps
|
|
scanner before AHM while preserving the scanner-implies-AHM dependency.
|
|
- Must preserve: no scanner, heal, lifecycle, replication, audit, storage
|
|
class, peer-signal, readiness, or worker lifecycle behavior change.
|
|
- Verification: focused config reload and shutdown tests, compile checks,
|
|
formatting, diff hygiene, and Rust risk scan.
|
|
|
|
## Phase 9 Startup Bootstrap Tasks
|
|
|
|
- [x] `R-009` Centralize startup IAM readiness publication bootstrap.
|
|
- Do: move the ReadyInline/Deferred readiness publication decision behind
|
|
`startup_iam::publish_ready_for_iam_bootstrap` and use it from binary and
|
|
embedded startup.
|
|
- Acceptance: inline IAM bootstrap still waits for runtime readiness and
|
|
updates service state, deferred IAM bootstrap does not publish readiness
|
|
from main or embedded startup, and embedded runtime readiness failures still
|
|
trigger embedded shutdown error mapping.
|
|
- Must preserve: startup ordering, IAM degraded recovery ownership,
|
|
`IamReady`/`FullReady` publication semantics, and embedded shutdown
|
|
behavior.
|
|
- Verification: focused startup IAM tests, binary/lib compile checks,
|
|
formatting, migration guards, Rust risk scan, and pre-commit quality gate.
|
|
|
|
- [x] `R-010` Centralize startup optional service bootstrap.
|
|
- Do: move event notifier, audit startup, and notification system startup
|
|
behind `startup_services` helpers with caller-owned logging/error policy.
|
|
- Acceptance: binary still initializes the event notifier before audit, logs
|
|
audit start/failure through the same startup target, and treats notification
|
|
init failure as fatal; embedded still treats audit and notification failures
|
|
as non-fatal warnings.
|
|
- Must preserve: startup order, audit non-fatal behavior, notification fatal
|
|
boundary in binary, embedded warn-and-continue behavior, and event notifier
|
|
initialization.
|
|
- Verification: focused startup service tests, binary/lib compile checks,
|
|
formatting, migration guards, Rust risk scan, and pre-commit quality gate.
|
|
|
|
- [x] `R-011` Centralize startup protocol sidecar bootstrap.
|
|
- Do: move FTP, FTPS, WebDAV, and SFTP startup orchestration behind
|
|
`startup_protocols::init_protocol_shutdown_senders`.
|
|
- Acceptance: feature-gated protocols still return `None` when not compiled
|
|
or enabled, started/disabled/failure logging preserves protocol and state
|
|
fields, and startup failures still abort binary startup with the same
|
|
`Error::other` mapping.
|
|
- Must preserve: protocol feature gates, env-driven enable/disable behavior,
|
|
startup log event/state/protocol values, shutdown handle ownership, and
|
|
existing shutdown ordering.
|
|
- Verification: focused startup protocol tests, binary/lib compile checks,
|
|
formatting, migration guards, Rust risk scan, and pre-commit quality gate.
|
|
|
|
- [x] `R-012` Centralize startup runtime foundation bootstrap.
|
|
- Do: move dial9 runtime status logging, runtime license status logging,
|
|
startup logo logging, profiling setup, trusted-proxy setup, rustls provider
|
|
setup, and outbound TLS material publication behind
|
|
`startup_runtime::init_startup_runtime_foundation`.
|
|
- Acceptance: BOOT-006 order is unchanged, configured TLS material load
|
|
remains fatal with the same `Error::other(err.to_string())` mapping, TLS
|
|
generation remains saturating, TLS metrics still initialize only when
|
|
metrics are enabled and TLS is configured, and profiling/proxy/provider
|
|
setup remains non-fatal.
|
|
- Must preserve: dial9/license log event names and fields, startup logo
|
|
logging, profiling init timing, trusted-proxy init timing, crypto provider
|
|
already-installed handling, outbound TLS publication, generation metric
|
|
consumer, TLS metric init condition, and fatal boundaries.
|
|
- Verification: focused startup runtime tests, binary/lib compile checks,
|
|
formatting, migration guards, Rust risk scan, branch freshness check, and
|
|
pre-commit quality gate.
|
|
|
|
- [x] `R-013` Centralize startup server preflight bootstrap.
|
|
- Do: move external-prefix compatibility reporting, config snapshot
|
|
initialization, runtime license initialization, observability guard
|
|
initialization/storage, and startup runtime foundation bootstrap behind
|
|
`startup_preflight::init_startup_server_preflight`.
|
|
- Acceptance: env compatibility is applied before command parsing and reported
|
|
after observability starts, config snapshot and license init happen before
|
|
runtime foundation, observability init failure still emits the dedicated
|
|
fatal stderr and sentinel, guard storage failure still returns the original
|
|
error, and runtime foundation ordering/fatal boundaries stay unchanged.
|
|
- Must preserve: env compat conflict/applied events, observability guard
|
|
set/failure events, startup order, fatal stderr suppression sentinel, and
|
|
existing command/subcommand behavior.
|
|
- Verification: focused startup preflight tests, binary/lib compile checks,
|
|
formatting, migration guards, Rust risk scan, branch freshness check, and
|
|
pre-commit quality gate.
|
|
|
|
- [x] `R-014` Centralize startup listen and HTTP server bootstrap.
|
|
- Do: move server config logging, readiness creation, region/address setup,
|
|
default credential warning, global action credentials, global port/address
|
|
publication, capacity management, service state manager setup, and
|
|
S3/console HTTP server startup behind `startup_server` helpers.
|
|
- Acceptance: endpoint/storage initialization still happens after listen
|
|
context setup and before HTTP server startup; S3 still disables console
|
|
mode; console server still starts only when enabled with a non-empty console
|
|
address; global action credential and address error mappings remain
|
|
unchanged.
|
|
- Must preserve: sanitized config/start/default credential/action credential
|
|
log events, region validation, server address/port derivation, global
|
|
port/address publication, capacity init timing, service `Starting` update,
|
|
S3/console server config shape, and shutdown handle ownership.
|
|
- Verification: focused startup server tests, binary/lib compile checks,
|
|
formatting, migration guards, Rust risk scan, branch freshness check, and
|
|
pre-commit quality gate.
|
|
|
|
- [x] `R-015` Centralize startup storage foundation bootstrap.
|
|
- Do: move endpoint parsing, unsupported filesystem policy enforcement, global
|
|
endpoint publication, erasure type update, local disk initialization, local
|
|
disk ID map prewarm, lock client initialization, and storage pool logging
|
|
behind a `startup_storage` helper.
|
|
- Acceptance: storage foundation still runs after listen context setup and
|
|
before HTTP server startup; endpoint parse errors and local disk init errors
|
|
keep the same logging and `Error::other` mappings; global endpoints and
|
|
erasure type are published before local disk and lock client setup.
|
|
- Must preserve: endpoint parse start/failure events, unsupported filesystem
|
|
policy enforcement, global endpoint clone shape, erasure type update timing,
|
|
local disk init/prewarm order, lock client setup, storage pool
|
|
formatting/host-risk/debug logs, and endpoint pool ownership for later
|
|
ECStore startup.
|
|
- Verification: focused startup storage tests, binary/lib compile checks,
|
|
formatting, migration guards, Rust risk scan, branch freshness check, and
|
|
pre-commit quality gate.
|
|
|
|
- [x] `R-016` Centralize startup storage runtime bootstrap.
|
|
- Do: move runtime cancellation token creation, ECStore initialization,
|
|
ECStore config initialization, server-config migration attempt, global
|
|
config retry loop, `StorageReady` stage publication, and background
|
|
replication startup behind the `startup_storage` boundary.
|
|
- Acceptance: storage runtime still starts after HTTP server startup and
|
|
before KMS startup; ECStore init failure keeps the same structured error log
|
|
and propagated error; global config init still logs every failed attempt,
|
|
sleeps between attempts, and becomes fatal after the 16th failed attempt;
|
|
`StorageReady` is still marked after global config init succeeds and before
|
|
background replication startup.
|
|
- Must preserve: cancellation token ownership for later shutdown, endpoint
|
|
pool clone ownership for ECStore startup, ECStore config init/migration
|
|
order, retry count/log fields, fatal error string, readiness stage timing,
|
|
and non-fatal background replication startup behavior.
|
|
- Verification: focused startup storage tests, binary/lib compile checks,
|
|
formatting, migration guards, Rust risk scan, branch freshness check, and
|
|
pre-commit quality gate.
|
|
|
|
- [x] `R-017` Centralize startup runtime service bootstrap.
|
|
- Do: move KMS startup, optional protocol shutdown collection, buffer
|
|
profiling, event notifier/audit startup, deadlock detector startup, bucket
|
|
metadata migration, replication resync, IAM bootstrap, Keystone/OIDC auth
|
|
integration startup, notification runtime setup, AHM/heal setup, server info,
|
|
update check, allocator reclaim, metrics runtime, memory observability, and
|
|
auto-tuner startup behind the `startup_services` boundary.
|
|
- Acceptance: startup service initialization still runs after storage runtime
|
|
initialization and before the server-ready log; `main.rs` keeps ownership of
|
|
shutdown handling, server-ready publication, global init time, and scanner
|
|
start; `startup_services` returns protocol shutdown handles, IAM bootstrap
|
|
disposition, and scanner enablement.
|
|
- Must preserve: KMS fatal behavior, protocol fatal/disabled behavior, audit
|
|
non-fatal behavior, deadlock detector logging, bucket list and replication
|
|
resync fatal behavior, bucket/IAM metadata migration non-fatal behavior, IAM
|
|
deferred recovery semantics, Keystone parse fatal and runtime non-fatal
|
|
behavior, OIDC non-fatal behavior, notification init fatal behavior,
|
|
scanner-implies-heal behavior, metric-enabled guard, and shutdown token
|
|
ownership.
|
|
- Verification: focused startup services tests, binary/lib compile checks,
|
|
formatting, migration guards, Rust risk scan, branch freshness check, and
|
|
pre-commit quality gate.
|
|
|
|
- [x] `R-018` Centralize startup ready, scanner, and shutdown lifecycle.
|
|
- Do: move server-ready logging, IAM readiness publication, global init time,
|
|
scanner start, shutdown signal wait, background shutdown ordering, protocol
|
|
shutdown, notifier/audit/profiling shutdown, HTTP shutdown, and final stopped
|
|
state logging behind the `startup_services` boundary.
|
|
- Acceptance: `main.rs` still initializes listen/storage/runtime services in
|
|
the same order, then delegates lifecycle completion; `startup_services`
|
|
owns the shutdown handles, runtime token, readiness handle, store, and
|
|
service runtime needed for ready/scanner/shutdown orchestration.
|
|
- Must preserve: server-ready log fields, inline/deferred IAM readiness
|
|
behavior, global init time timing, scanner start timing, shutdown signal log,
|
|
runtime token cancellation before service-specific shutdown, scanner before
|
|
AHM shutdown order, protocol shutdown order, notifier/audit/profiling
|
|
shutdown order, HTTP shutdown order, stopped service state, and final stopped
|
|
logs.
|
|
- Verification: focused startup services tests, binary/lib compile checks,
|
|
formatting, migration guards, Rust risk scan, branch freshness check, and
|
|
pre-commit quality gate.
|
|
|
|
- [x] `R-019` Centralize startup command and bootstrap entrypoint.
|
|
- Do: move Tokio runtime result handling, command parsing/dispatch, server
|
|
preflight error mapping, startup run orchestration, and pre-observability
|
|
fatal stderr formatting behind `startup_entrypoint::run_process`.
|
|
- Acceptance: `main.rs` only owns the global allocator declarations and calls
|
|
the startup entrypoint; `startup_entrypoint` preserves the existing
|
|
command, preflight, listen, storage, runtime-service, ready, and shutdown
|
|
order.
|
|
- Must preserve: Tokio runtime build fatal `expect`, command parse fatal
|
|
stderr context and exit code, info/TLS subcommand behavior, observability
|
|
fatal sentinel suppression, server runtime failure log fields, startup stage
|
|
ordering, readiness publication, and shutdown ownership.
|
|
- Verification: focused startup entrypoint and observability guardrail tests,
|
|
binary/lib compile checks, formatting, migration guards, Rust risk scan,
|
|
branch freshness check, and pre-commit quality gate.
|
|
|
|
- [x] `R-020` Isolate profiling lifecycle hooks.
|
|
- Do: route BOOT-006 profiling initialization and STOP-004 profiling shutdown
|
|
through `startup_profiling` hook functions while keeping `profiling.rs` as
|
|
the CPU/memory profiling implementation and admin dump API owner.
|
|
- Acceptance: startup still initializes profiling before trusted proxies and
|
|
outbound TLS material; shutdown still stops profiling after notifier/audit
|
|
shutdown and before HTTP shutdown; unsupported targets and disabled
|
|
profiling keep their existing no-op behavior.
|
|
- Must preserve: profiling env flags, CPU/memory mode handling, target gates,
|
|
cancellation-token ownership, admin pprof routes, non-fatal startup
|
|
behavior, and shutdown ordering.
|
|
- Verification: focused startup profiling hook tests, binary/lib compile
|
|
checks, formatting, migration guards, Rust risk scan, branch freshness
|
|
check, and pre-commit quality gate.
|
|
|
|
- [x] `X-012` Define ops profiler extension schema contract.
|
|
- Do: add `ops.profiler.v1` capability DTOs for profiler backend status,
|
|
capability-description mode, profile export redaction requirements, and
|
|
provenance in the extension schema contract crate.
|
|
- Acceptance: disabled, unsupported, enabled, and unknown backend states are
|
|
representable; execution requests are rejected; profile export declarations
|
|
require local path redaction; provenance records source, collection
|
|
boundary, and trust level without credentials.
|
|
- Must preserve: no plugin execution, no sidecar startup, no profile route or
|
|
admin API behavior changes, no exporter/storage/object-path/telemetry
|
|
behavior changes, and no dependency edge from `extension-schema` to
|
|
implementation crates.
|
|
- Verification: extension schema check/tests, formatting, migration/layer
|
|
guards, diff hygiene, Rust risk scan, branch freshness check, and
|
|
pre-commit quality gate.
|
|
|
|
- [x] `X-013` Add ops profiler capability snapshot contract.
|
|
- Do: add `OpsProfilerCapabilitySnapshot` and `OpsProfilerRuntimeSnapshot`
|
|
DTOs plus validation for the `ops.profiler.v1` capability, disabled
|
|
external runtimes, and non-fatal profiler startup behavior.
|
|
- Acceptance: disabled, unsupported, and enabled profiler backend states
|
|
round-trip through the snapshot contract; sidecar/Wasm profiler runtimes
|
|
remain disabled by default; profiler snapshots cannot declare a startup
|
|
fatal boundary.
|
|
- Must preserve: no plugin execution, no sidecar startup, no profile route,
|
|
no admin API behavior changes, no runtime startup/shutdown behavior
|
|
changes, and no dependency edge from `extension-schema` to runtime or
|
|
storage implementation crates.
|
|
- Verification: extension schema check/tests, formatting, migration/layer
|
|
guards, diff hygiene, Rust risk scan, branch freshness check, and
|
|
pre-commit quality gate.
|
|
|
|
- [x] `R-021` Extract optional runtime shutdown boundary.
|
|
- Do: add `startup_optional_runtimes` and move optional protocol shutdown
|
|
ownership/logging out of `startup_services`.
|
|
- Acceptance: optional protocol shutdown plan order stays FTP, FTPS, WebDAV,
|
|
SFTP; stopping logs remain before event notifier/audit/profiling shutdown;
|
|
signal/wait remains after S3/console HTTP shutdown; later optional
|
|
sidecars have an explicit owner without startup behavior changes.
|
|
- Must preserve: protocol initialization, protocol shutdown signaling and
|
|
waiting, shutdown order, profiling/audit/event notifier shutdown, HTTP
|
|
shutdown, readiness state, and fatal boundaries.
|
|
- Verification: focused startup optional runtime/service tests, RustFS lib
|
|
check, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-022` Extract optional runtime startup boundary.
|
|
- Do: add `init_optional_runtime_services` so optional protocol startup is
|
|
owned by `startup_optional_runtimes`, while `startup_protocols` remains the
|
|
protocol implementation adapter.
|
|
- Acceptance: optional protocol startup order stays FTP, FTPS, WebDAV, SFTP;
|
|
KMS initialization still happens before optional protocol startup; buffer
|
|
profiling, audit, deadlock detection, metadata, IAM, notification, scanner,
|
|
heal, and observability startup remain after optional protocol startup.
|
|
- Must preserve: protocol feature gates, disabled protocol behavior,
|
|
protocol startup error mapping, fatal boundary on protocol startup errors,
|
|
startup order, shutdown order, readiness state, and runtime behavior.
|
|
- Verification: focused optional runtime/protocol/startup service tests,
|
|
RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust
|
|
risk scan, branch freshness check, pre-commit quality gate, and
|
|
three-expert review.
|
|
|
|
- [x] `R-023` Extract startup shutdown lifecycle boundary.
|
|
- Do: add `startup_shutdown` and move runtime token cancellation, service
|
|
state transitions, background shutdown, notifier/audit/profiling shutdown,
|
|
HTTP shutdown, and optional runtime wait sequencing out of
|
|
`startup_services`.
|
|
- Acceptance: shutdown order stays runtime token cancellation, `Stopping`
|
|
state, scanner/AHM shutdown, optional runtime shutdown planning,
|
|
notifier/audit/profiling shutdown, S3 and console HTTP shutdown, optional
|
|
runtime waits, then `Stopped` state.
|
|
- Must preserve: service state transitions, readiness state behavior,
|
|
scanner/heal enable flag handling, notifier/audit/profiling shutdown logs,
|
|
HTTP shutdown ordering, optional protocol shutdown ordering, and fatal
|
|
boundaries.
|
|
- Verification: focused shutdown/service/optional runtime tests, RustFS lib
|
|
check, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-024` Extract startup ready lifecycle boundary.
|
|
- Do: add `startup_lifecycle` and move ready publication, global init time,
|
|
scanner startup, shutdown-signal wait, shutdown delegation, and final
|
|
stopped-state logging out of `startup_services`.
|
|
- Acceptance: lifecycle order stays server-ready log, IAM readiness
|
|
publication, global init time, optional scanner startup, shutdown wait,
|
|
shutdown sequence delegation, and final stopped log.
|
|
- Must preserve: inline/deferred IAM readiness behavior, scanner start timing,
|
|
global init-time timing, shutdown signal wait semantics, shutdown ordering,
|
|
service state reporting, and fatal boundary on readiness publication.
|
|
- Verification: focused lifecycle/service/shutdown tests, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-025` Extract startup service component boundary.
|
|
- Do: add `startup_service_components` and move audit/deadlock, bucket
|
|
metadata, IAM bootstrap, auth integration, notification, background service,
|
|
and observability component helpers out of `startup_services`.
|
|
- Acceptance: `startup_services` keeps the same runtime service orchestration
|
|
order while component helpers own the individual service startup side
|
|
effects.
|
|
- Must preserve: KMS before optional runtime startup, buffer profiling before
|
|
audit, event notifier before audit, bucket metadata before IAM, IAM before
|
|
auth and notification, notification before background services, and
|
|
observability startup after background service setup.
|
|
- Verification: focused startup service component/service/lifecycle tests,
|
|
RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust
|
|
risk scan, branch freshness check, pre-commit quality gate, and
|
|
three-expert review.
|
|
|
|
- [x] `R-026` Extract optional runtime sidecar boundary.
|
|
- Do: add `startup_optional_runtime_sidecars` and move optional runtime
|
|
sidecar ownership, shutdown planning, shutdown execution, and protocol
|
|
shutdown order tests out of `startup_optional_runtimes`.
|
|
- Acceptance: optional protocol startup still happens after KMS and before
|
|
buffer profiling, while shutdown planning still records FTP, FTPS, WebDAV,
|
|
then SFTP handles before later shutdown signaling.
|
|
- Must preserve: feature-gated protocol startup behavior, disabled-protocol
|
|
handling, protocol shutdown ordering, HTTP shutdown before optional protocol
|
|
shutdown signaling, and the compatibility `startup_optional_runtimes` API.
|
|
- Verification: focused optional runtime sidecar/runtime/shutdown tests,
|
|
RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust
|
|
risk scan, branch freshness check, pre-commit quality gate, and
|
|
three-expert review.
|
|
|
|
- [x] `R-027` Extract startup runtime hook boundary.
|
|
- Do: add `startup_runtime_hooks` and move startup runtime diagnostics,
|
|
profiling hook dispatch, shutdown profiling dispatch, and default crypto
|
|
provider installation out of `startup_runtime` and `startup_profiling`.
|
|
- Acceptance: BOOT-006 keeps diagnostics, profiling init, trusted proxy init,
|
|
provider install, and outbound TLS material load in the same order, while
|
|
STOP-004 still stops profiling through the existing compatibility path.
|
|
- Must preserve: startup logo and telemetry/license log behavior, profiling
|
|
hook dispatch behavior, rustls provider install behavior, trusted proxy init
|
|
order, outbound TLS fatal boundary, and profiling shutdown call path.
|
|
- Verification: focused runtime hook/profiling/runtime/shutdown tests, RustFS
|
|
lib check, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-028` Extract startup TLS material boundary.
|
|
- Do: add `startup_tls_material` and move outbound TLS material loading,
|
|
global TLS publication, generation recording, TLS metrics initialization,
|
|
and existing TLS path/generation tests out of `startup_runtime`.
|
|
- Acceptance: BOOT-006 keeps diagnostics, profiling init, trusted proxy init,
|
|
provider install, and outbound TLS material load in the same order.
|
|
- Must preserve: configured TLS material fatal behavior, TLS path trimming,
|
|
saturating TLS generation behavior, outbound TLS global state publication,
|
|
generation metric recording, and metrics initialization when observability
|
|
metrics are enabled.
|
|
- Verification: focused TLS material/runtime tests, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-029` Reuse startup phase boundaries in embedded mode.
|
|
- Do: move embedded listen setup, endpoint/local disk setup, ECStore/global
|
|
config setup, storage readiness publication, and replication startup behind
|
|
startup server/storage helpers.
|
|
- Acceptance: embedded startup keeps its stable-port requirement, global
|
|
startup guard placement, S3-only HTTP startup, readiness publication, and
|
|
storage initialization order while sharing the same startup phase owners.
|
|
- Must preserve: embedded port 0 rejection, credential/region publication,
|
|
endpoint and unsupported filesystem validation, local disk and lock client
|
|
initialization, ECStore fatal shutdown behavior, global config retry limit,
|
|
and embedded-specific non-fatal KMS/audit/notification behavior.
|
|
- Verification: focused embedded/startup storage checks, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-030` Reuse runtime service boundaries in embedded mode.
|
|
- Do: move embedded KMS/buffer/audit setup, bucket metadata migration, IAM
|
|
bootstrap, notification setup, and event/audit shutdown cleanup behind
|
|
startup service/shutdown helpers.
|
|
- Acceptance: embedded startup keeps KMS/audit/notification failures
|
|
non-fatal, preserves bucket metadata and IAM initialization order, and
|
|
keeps shutdown cleanup behavior unchanged.
|
|
- Must preserve: KMS warning-only behavior, buffer profile initialization,
|
|
audit warning-only behavior, bucket listing failure shutdown, bucket
|
|
metadata migration before IAM migration, IAM bootstrap fatal behavior,
|
|
notification warning-only behavior, readiness publication, event notifier
|
|
shutdown, audit stop warning behavior, and temp directory cleanup.
|
|
- Verification: focused embedded/service/shutdown checks, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-031` Reuse lifecycle publication boundaries in embedded mode.
|
|
- Do: move embedded IAM readiness publication, global init-time publication,
|
|
and ready-state logging behind startup lifecycle helpers.
|
|
- Acceptance: embedded startup still publishes readiness after runtime
|
|
service setup, preserves the `runtime readiness` error prefix on failure,
|
|
records global init time after successful readiness publication, and logs
|
|
the same ready endpoint message after the server handle is built.
|
|
- Must preserve: deferred IAM bootstrap readiness behavior, ready-inline
|
|
runtime readiness publication, startup failure shutdown signaling, global
|
|
init-time publication ordering, and endpoint-address normalization used by
|
|
the ready log.
|
|
- Verification: focused embedded/lifecycle checks, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-032` Publish ops profiler runtime contract boundaries.
|
|
- Do: add the builtin ops profiler extension schema/contract to the targets
|
|
catalog, expose it through the admin extension catalog, and add a read-only
|
|
registry for profiler backend capability descriptions.
|
|
- Acceptance: the catalog advertises `builtin:ops-profiler` with
|
|
`ops.profiler.v1`, backend capability descriptions validate through the
|
|
extension-schema contract, and registry access is admin/capability limited
|
|
without executing profiler collection.
|
|
- Must preserve: existing `/debug/pprof/*` admin behavior, profiling startup
|
|
and shutdown hooks, disabled external profiler runtime defaults, local path
|
|
redaction requirements, and no plugin execution or sidecar startup.
|
|
- Verification: focused targets/admin extension checks, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-033` Expose extension runtime capability snapshots.
|
|
- Do: add read-only diagnostics/profiler runtime capability snapshots to the
|
|
admin extension catalog response using existing schema and contract DTOs.
|
|
- Acceptance: `/v4/extensions/catalog` reports builtin diagnostics and
|
|
profiler capability contracts with their runtime boundaries, disabled
|
|
defaults, and non-fatal startup flags while preserving schema validation.
|
|
- Must preserve: existing extension catalog route/auth, plugin instance
|
|
listing, profiler/diagnostics execution paths, and external plugin flow
|
|
status semantics.
|
|
- Verification: focused admin catalog and targets runtime checks, RustFS lib
|
|
check, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-034` Extract embedded runtime hook boundary.
|
|
- Do: move embedded observability guard setup, default crypto provider
|
|
installation, and trusted proxy initialization behind startup runtime hooks.
|
|
- Acceptance: embedded startup keeps observability initialization before the
|
|
global startup guard/listen/storage phases while sharing the runtime hook
|
|
owner used by normal startup.
|
|
- Must preserve: `init_obs` and `set_global_guard` error prefixes, embedded
|
|
crypto provider already-installed debug fields, trusted proxy init timing,
|
|
and no added embedded server runtime behavior.
|
|
- Verification: focused embedded/runtime hook checks, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-035` Extract embedded shutdown glue boundary.
|
|
- Do: move embedded async shutdown logging, cancellation, event/audit cleanup,
|
|
HTTP shutdown, and temporary directory cleanup behind startup shutdown
|
|
helpers.
|
|
- Acceptance: embedded server shutdown preserves the same stopping/stopped
|
|
logs, cancellation timing, best-effort audit cleanup, HTTP shutdown, and
|
|
temp-dir cleanup behavior while leaving `Drop` as a synchronous best-effort
|
|
fallback.
|
|
- Must preserve: event notifier shutdown before audit stop, audit stop
|
|
warning-only behavior, HTTP shutdown after background cancellation, temp
|
|
directory cleanup warning fields, and final stopped log.
|
|
- Verification: focused embedded/shutdown checks, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-036` Extract embedded startup config preparation boundary.
|
|
- Do: move embedded temporary volume allocation, custom volume directory
|
|
creation, and embedded `Config` construction behind startup server helpers.
|
|
- Acceptance: embedded builder still creates a temporary volume when none is
|
|
provided, creates missing custom volume directories, disables console for
|
|
embedded S3 startup, and keeps the temp-dir guard alive until success.
|
|
- Must preserve: temp-dir cleanup-on-failure behavior, configured address,
|
|
access key, secret key, region, volume ordering, directory creation error
|
|
text, and no new normal startup behavior.
|
|
- Verification: focused startup server and embedded checks, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-037` Extract embedded S3-only HTTP startup boundary.
|
|
- Do: move embedded S3-only HTTP server startup behind a startup server
|
|
helper that returns the bound address and shutdown handle.
|
|
- Acceptance: embedded startup keeps console disabled for the HTTP server,
|
|
keeps using the same readiness object, and preserves the shutdown handle
|
|
and bound address used by `RustFSServer`.
|
|
- Must preserve: S3-only embedded HTTP config, readiness sharing, startup
|
|
error propagation, shutdown signaling, bound endpoint reporting, and no
|
|
public embedded API behavior changes.
|
|
- Verification: focused startup server and embedded checks, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-038` Extract embedded process-global startup guard boundary.
|
|
- Do: move the embedded process-global once guard behind a startup lifecycle
|
|
helper.
|
|
- Acceptance: embedded startup still allows retry before irreversible global
|
|
initialization, treats repeated marks inside the same startup as idempotent,
|
|
and rejects a second process-local embedded server after the first
|
|
irreversible mark.
|
|
- Must preserve: startup guard timing after runtime hooks and listen context,
|
|
`AlreadyStarted` error mapping, no reset-after-stop behavior, and no normal
|
|
startup behavior changes.
|
|
- Verification: focused startup lifecycle and embedded checks, RustFS lib
|
|
check, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-039` Extract embedded startup failure shutdown signal boundary.
|
|
- Do: move the post-HTTP embedded startup failure shutdown signal behind a
|
|
startup shutdown helper.
|
|
- Acceptance: embedded startup still signals the HTTP shutdown handle and
|
|
cancels the background token before returning initialization errors from
|
|
storage runtime, service runtime, or readiness publication failures.
|
|
- Must preserve: no shutdown signal before HTTP startup exists, signal-then-
|
|
cancel ordering, `Init` error mapping, and no public embedded API behavior
|
|
changes.
|
|
- Verification: focused startup shutdown and embedded checks, RustFS lib
|
|
check, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-040` Extract embedded build orchestration owner.
|
|
- Do: move the embedded build sequence behind a crate-only startup embedded
|
|
helper.
|
|
- Acceptance: embedded startup still runs config preparation, runtime hooks,
|
|
listen context, process-global guard, storage foundation, HTTP startup,
|
|
storage runtime, runtime services, and readiness publication in the same
|
|
order.
|
|
- Must preserve: retry-before-global-init behavior, temp-dir guard lifetime,
|
|
post-HTTP startup failure shutdown signaling, readiness publication error
|
|
text, and no public embedded API behavior changes.
|
|
- Verification: focused embedded checks, RustFS lib check, migration/layer
|
|
guards, formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-041` Keep embedded public API as handle assembly.
|
|
- Do: keep `embedded.rs` focused on public builder inputs, `RustFSServer`
|
|
handle construction, endpoint reporting, shutdown, and drop cleanup.
|
|
- Acceptance: builder defaults and fluent setters still feed the same startup
|
|
fields, server accessors still return the configured credentials and
|
|
region, endpoint normalization stays in the public handle, and shutdown/drop
|
|
cleanup remains unchanged.
|
|
- Must preserve: `ServerError` variants and messages, `Io` versus `Init`
|
|
error mapping, endpoint URL shape, shutdown handle ownership, cancellation
|
|
token ownership, and temp-dir cleanup path.
|
|
- Verification: focused embedded checks, RustFS lib check, migration/layer
|
|
guards, formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-042` Extract embedded endpoint normalization.
|
|
- Do: move unspecified-address endpoint normalization into a crate-only
|
|
startup lifecycle helper.
|
|
- Acceptance: embedded endpoint reporting still rewrites unspecified IPv4 and
|
|
IPv6 bind addresses to localhost while preserving concrete bound hosts.
|
|
- Must preserve: public endpoint URL shape, `address()` returning the bound
|
|
socket address, ready-log endpoint text, and no public embedded API
|
|
signature changes.
|
|
- Verification: focused startup lifecycle and embedded checks, RustFS lib
|
|
check, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-043` Extract embedded drop cleanup boundary.
|
|
- Do: move synchronous embedded server drop cleanup into a crate-only startup
|
|
shutdown helper.
|
|
- Acceptance: dropping a server still cancels the token, signals the shutdown
|
|
handle, and best-effort removes the temporary directory.
|
|
- Must preserve: explicit async shutdown behavior, shutdown handle ownership,
|
|
temp-dir cleanup behavior, ignored drop cleanup errors, and no public
|
|
embedded API signature changes.
|
|
- Verification: focused startup shutdown and embedded checks, RustFS lib
|
|
check, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-044` Keep embedded builder state in startup args.
|
|
- Do: replace duplicated public builder private fields with crate-only
|
|
embedded startup arguments while preserving the fluent builder API.
|
|
- Acceptance: builder defaults, fluent setters, server credential accessors,
|
|
region accessors, and startup arguments remain behaviorally unchanged.
|
|
- Must preserve: public builder signatures, default address and credentials,
|
|
volume replacement semantics, region publication, and error mapping.
|
|
- Verification: focused embedded/startup-embedded checks, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-045` Move embedded port probing behind startup server.
|
|
- Do: delegate public embedded available-port probing to a crate-only startup
|
|
server helper.
|
|
- Acceptance: `find_available_port` still returns a bindable localhost TCP
|
|
port and preserves the same public result type.
|
|
- Must preserve: public helper signature, localhost bind target, ephemeral
|
|
port behavior, and no embedded startup side effects.
|
|
- Verification: focused startup-server and embedded checks, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-046` Encapsulate embedded startup argument mutation.
|
|
- Do: hide embedded startup argument fields behind crate-only setter methods
|
|
used by the public builder.
|
|
- Acceptance: public builder fluent methods still apply the same address,
|
|
credential, region, and volume values in the same order.
|
|
- Must preserve: builder method signatures, default values, `volume` append
|
|
semantics, `volumes` replacement semantics, and startup input ownership.
|
|
- Verification: focused startup-embedded and embedded checks, RustFS lib
|
|
check, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-047` Return embedded server identity from startup result.
|
|
- Do: let the crate-only startup result carry the access key, secret key, and
|
|
region used by the public server handle.
|
|
- Acceptance: public server accessors still expose the configured values
|
|
without the public builder duplicating identity assembly.
|
|
- Must preserve: startup error mapping, readiness logging order, endpoint
|
|
address handling, shutdown handle ownership, and no public API signature
|
|
changes.
|
|
- Verification: focused startup-embedded and embedded checks, RustFS lib
|
|
check, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-048` Consume embedded builder startup arguments directly.
|
|
- Do: make public embedded build consume the builder state and pass startup
|
|
arguments directly into the crate-only startup owner.
|
|
- Acceptance: fluent builder behavior, defaults, configured credentials,
|
|
region, volume ordering, and public build signature remain unchanged.
|
|
- Must preserve: startup argument ownership, public builder method chaining,
|
|
startup error mapping, and no public API signature changes.
|
|
- Verification: focused startup-embedded and embedded checks, RustFS lib
|
|
check, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-049` Keep embedded ready logging with startup completion.
|
|
- Do: move embedded ready logging to the startup owner once readiness has
|
|
been published and before the startup result is returned.
|
|
- Acceptance: ready log endpoint text and endpoint normalization remain the
|
|
same while the public builder only converts the startup result to a handle.
|
|
- Must preserve: readiness publication order, endpoint address normalization,
|
|
shutdown handle ownership, and no public API signature changes.
|
|
- Verification: focused startup-embedded and embedded checks, RustFS lib
|
|
check, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-050` Keep embedded identity with prepared startup config.
|
|
- Do: return the embedded access key, secret key, and region alongside the
|
|
prepared startup config so startup result assembly uses one prepared owner.
|
|
- Acceptance: public server identity accessors still return configured
|
|
credentials and region for default, explicit, and generated-volume builds.
|
|
- Must preserve: credential initialization inputs, region initialization,
|
|
startup config ownership, startup error mapping, and no public API
|
|
signature changes.
|
|
- Verification: focused startup-server/startup-embedded/embedded checks,
|
|
RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust
|
|
risk scan, branch freshness check, pre-commit quality gate, and
|
|
three-expert review.
|
|
|
|
- [x] `R-051` Remove residual embedded startup argument clone contract.
|
|
- Do: drop the `Clone` derivation from embedded startup arguments now that
|
|
the public builder consumes startup state directly.
|
|
- Acceptance: builder chaining, configured volumes, retry-before-global-init
|
|
behavior, and startup ownership remain unchanged.
|
|
- Must preserve: public builder method chaining, prepared config contents,
|
|
temporary directory cleanup ownership, and no public API signature changes.
|
|
- Verification: focused startup-server/startup-embedded/embedded checks,
|
|
RustFS lib check, migration/layer guards, formatting, diff hygiene, Rust
|
|
risk scan, branch freshness check, pre-commit quality gate, and
|
|
three-expert review.
|
|
|
|
- [x] `R-052` Make IAM AppContext bootstrap outcome explicit.
|
|
- Do: replace boolean-or-global probing in IAM startup with a crate-private
|
|
AppContext bootstrap disposition that reports already-available versus
|
|
initialized context.
|
|
- Acceptance: successful inline IAM bootstrap still initializes or reuses
|
|
AppContext before publishing IAM readiness, while failure still returns an
|
|
I/O error.
|
|
- Must preserve: IAM initialization order, global AppContext singleton
|
|
behavior, KMS/IAM handle construction, degraded-mode fallback, and
|
|
readiness stage updates.
|
|
- Verification: focused startup IAM checks, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-053` Reuse explicit AppContext bootstrap in IAM recovery.
|
|
- Do: route degraded IAM recovery finalization through the same AppContext
|
|
bootstrap result helper as inline startup.
|
|
- Acceptance: recovered IAM still marks `IamReady` and publishes runtime
|
|
readiness only after AppContext is available.
|
|
- Must preserve: recovery retry/backoff behavior, shutdown-token handling,
|
|
readiness publication retry behavior, and log semantics.
|
|
- Verification: focused startup IAM checks, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-054` Move startup AppContext bootstrap owner into app context.
|
|
- Do: move the post-IAM AppContext bootstrap helper out of IAM startup and
|
|
into the app context owner while keeping IAM startup on the existing
|
|
context boundary.
|
|
- Acceptance: inline startup and deferred IAM recovery still initialize or
|
|
reuse the global AppContext through one owner.
|
|
- Must preserve: global AppContext singleton behavior, IAM handle lookup,
|
|
KMS handle wiring, startup error mapping, and readiness ordering.
|
|
- Verification: focused startup checks, RustFS lib check, migration/layer
|
|
guards, formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-055` Retire stale startup IAM layer baseline entries.
|
|
- Do: remove the old direct `get_global_app_context` and
|
|
`init_global_app_context` startup IAM baseline entries after the app
|
|
context owner absorbs those calls.
|
|
- Acceptance: layer dependency guard reports no new reverse dependencies and
|
|
no stale baseline entries.
|
|
- Must preserve: the existing accepted startup-to-AppContext boundary,
|
|
AppContext initialization semantics, and no new layer cycles.
|
|
- Verification: focused startup checks, RustFS lib check, migration/layer
|
|
guards, formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-056` Move startup KMS runtime handle owner into app context.
|
|
- Do: route startup IAM KMS handle resolution through the app context startup
|
|
boundary while keeping startup service orchestration on the startup IAM
|
|
API.
|
|
- Acceptance: inline and deferred IAM bootstrap use the same KMS manager
|
|
reuse-or-init path without adding new startup service to app reverse
|
|
dependencies.
|
|
- Must preserve: KMS global singleton behavior, IAM bootstrap call order,
|
|
degraded recovery KMS handle reuse, readiness publication, and layer guard
|
|
boundaries.
|
|
- Verification: focused startup KMS checks, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-057` Move startup IAM runtime facade into startup IAM.
|
|
- Do: move the main and embedded IAM runtime facade helpers out of startup
|
|
service components and into the startup IAM module.
|
|
- Acceptance: startup services still call one IAM-facing API for embedded and
|
|
main startup, while service components no longer own IAM facade wiring.
|
|
- Must preserve: embedded versus main state-manager wiring, shutdown token
|
|
propagation, IAM bootstrap disposition handling, KMS startup handle
|
|
resolution, and degraded recovery behavior.
|
|
- Verification: focused startup IAM/KMS checks, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-058` Move startup bucket metadata runtime owner.
|
|
- Do: move embedded and main bucket metadata runtime helpers out of startup
|
|
service components and into a bucket metadata startup module.
|
|
- Acceptance: startup services still receive the same bucket list and bucket
|
|
metadata, replication resync, bucket metadata system, and IAM config
|
|
migration order stay unchanged.
|
|
- Must preserve: embedded list-bucket error text, main list-bucket error
|
|
mapping, replication resync placement, metadata migration order, and bucket
|
|
list cloning semantics.
|
|
- Verification: focused startup service checks, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-059` Move startup notification runtime owner.
|
|
- Do: move embedded and main notification runtime helpers out of startup
|
|
service components and into a notification startup module.
|
|
- Acceptance: startup services still configure bucket notification state
|
|
before notification system initialization and keep embedded notification
|
|
failures non-fatal while main startup failures remain fatal.
|
|
- Must preserve: notification config ordering, embedded skipped-service log
|
|
fields, main failure log fields, error mapping, and notification init source
|
|
error behavior.
|
|
- Verification: focused startup notification/service checks, RustFS lib
|
|
check, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-060` Move startup auth integration owner.
|
|
- Do: move Keystone and OIDC startup integration wiring out of startup service
|
|
components and into an auth startup module.
|
|
- Acceptance: startup services still initialize auth integrations after IAM
|
|
bootstrap and before notification setup, with Keystone failures remaining
|
|
non-fatal and OIDC failures still logged as warnings.
|
|
- Must preserve: Keystone env parsing error mapping, Keystone success/failure
|
|
log fields, OIDC warning fields, and startup ordering.
|
|
- Verification: focused startup checks, RustFS lib check, migration/layer
|
|
guards, formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-061` Move startup background service owner.
|
|
- Do: move scanner/heal background runtime setup out of startup service
|
|
components and into a background startup module.
|
|
- Acceptance: startup services still receive the same scanner-enabled flag,
|
|
while AHM cancellation-token creation, scanner/heal env parsing, heal
|
|
manager initialization, and disabled-state logging stay unchanged.
|
|
- Must preserve: env alias behavior, heal/scanner default enablement, disabled
|
|
debug log fields, and heal storage ownership.
|
|
- Verification: focused startup checks, RustFS lib check, migration/layer
|
|
guards, formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-062` Move startup observability runtime owner.
|
|
- Do: move server-info, update-check, allocator reclaim, metrics, memory
|
|
observability, and auto-tuner startup wiring out of startup service
|
|
components and into an observability startup module.
|
|
- Acceptance: observability side effects still run after background services,
|
|
metrics-gated components keep the same guard, and cancellation-token clone
|
|
behavior stays unchanged.
|
|
- Must preserve: server-info/update-check ordering, allocator reclaim
|
|
initialization, metrics enablement, memory observability setup, and
|
|
auto-tuner startup.
|
|
- Verification: focused startup checks, RustFS lib check, migration/layer
|
|
guards, formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-063` Move startup audit runtime owner.
|
|
- Do: move audit/event-notifier startup wiring and its ordering tests out of
|
|
startup service components and into an audit startup module.
|
|
- Acceptance: startup services still start audit after buffer profiling, and
|
|
embedded optional startup still shares the same event-notifier-before-audit
|
|
helper.
|
|
- Must preserve: audit started/failed log fields, event notifier ordering,
|
|
audit source error propagation, and embedded audit skipped-service behavior.
|
|
- Verification: focused startup audit checks, RustFS lib check,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-064` Move startup deadlock detector owner.
|
|
- Do: move deadlock detector startup wiring out of startup service components
|
|
and into a deadlock startup module.
|
|
- Acceptance: startup services still initialize the detector after audit and
|
|
before bucket metadata setup, with enabled/disabled states unchanged.
|
|
- Must preserve: detector singleton lookup, enabled start behavior, disabled
|
|
no-op behavior, and log fields.
|
|
- Verification: focused startup checks, RustFS lib check, migration/layer
|
|
guards, formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-065` Retire startup service components aggregate.
|
|
- Do: move embedded optional service startup wiring into an embedded optional
|
|
startup module and remove the now-empty startup service components module.
|
|
- Acceptance: startup services import focused owners directly and embedded
|
|
optional startup keeps KMS, buffer profile, and audit skipped-service
|
|
handling unchanged.
|
|
- Must preserve: embedded KMS skipped-service log fields, buffer profile
|
|
placement, audit skipped-service log fields, and no public runtime API
|
|
changes.
|
|
- Verification: focused startup checks, RustFS lib check, migration/layer
|
|
guards, formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-066` Narrow internal startup owner module visibility.
|
|
- Do: make focused startup owner modules crate-private after their public
|
|
aggregate was retired.
|
|
- Acceptance: the binary entrypoint and embedded public API still compile
|
|
through the intended startup entrypoints, while audit/auth/background/bucket
|
|
metadata/deadlock/embedded optional/notification/observability owner
|
|
modules are no longer part of the public library surface.
|
|
- Must preserve: all startup call order, log fields, readiness behavior,
|
|
embedded startup behavior, optional runtime behavior, and public embedded
|
|
builder API.
|
|
- Verification: RustFS lib and bin check, focused startup checks,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-067` Narrow startup orchestration module visibility.
|
|
- Do: make internal startup orchestration modules crate-private while keeping
|
|
the binary entrypoint and existing compatibility/test-facing startup paths
|
|
public.
|
|
- Acceptance: `startup_entrypoint`, `startup_iam`, `startup_profiling`, and
|
|
`startup_optional_runtimes` keep their public paths, while fs-guard,
|
|
lifecycle, optional-runtime sidecars, preflight, protocols, runtime,
|
|
runtime hooks, server, services, shutdown, storage, and TLS material modules
|
|
are no longer public library modules.
|
|
- Must preserve: binary startup entrypoint access, embedded public API,
|
|
startup ordering, readiness behavior, optional runtime compatibility,
|
|
profiling compatibility, IAM test/debug hooks, and all log fields.
|
|
- Verification: RustFS lib and bin check, focused startup checks,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-068` Narrow remaining startup compatibility shim visibility.
|
|
- Do: make the IAM bootstrap startup shim crate-private, remove the unused
|
|
optional-runtime and profiling forwarding shims, and keep the binary
|
|
entrypoint public.
|
|
- Acceptance: `startup_entrypoint` remains public for `rustfs/src/main.rs`,
|
|
while `startup_iam`, `startup_optional_runtimes`, and `startup_profiling`
|
|
no longer appear as public library modules; migration rules reject
|
|
restoring those public shim paths.
|
|
- Must preserve: binary startup entrypoint access, IAM readiness bootstrap
|
|
flow, embedded readiness publication, optional runtime shutdown wiring,
|
|
profiling shutdown behavior, and test-only IAM retry hook behavior.
|
|
- Verification: RustFS lib and bin check, focused startup checks,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `R-069` Narrow startup owner item visibility.
|
|
- Do: make internal items in crate-private startup modules use crate
|
|
visibility, and extend the migration guard so only `startup_entrypoint`
|
|
can remain a public startup module.
|
|
- Acceptance: startup owner modules expose no bare public items outside the
|
|
public binary entrypoint module, and migration rules reject restoring public
|
|
startup modules or public items inside crate-private startup files.
|
|
- Must preserve: binary startup entrypoint access, embedded public API,
|
|
startup ordering, IAM readiness bootstrap, optional runtime shutdown,
|
|
profiling hooks, TLS material initialization, and all log fields.
|
|
- Verification: RustFS lib and bin check, focused startup tests,
|
|
migration/layer/unsafe guards, formatting, diff hygiene, Rust risk scan,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `E-001/E-SET-001` Add ECStore layout skeleton and set-layout boundary.
|
|
- Do: create the ECStore internal layout ownership buckets and pin static set
|
|
layout versus runtime `Sets`/`SetDisks` orchestration boundaries before any
|
|
file moves.
|
|
- Acceptance: the skeleton documents future ownership buckets, static format
|
|
set distribution is preserved, and runtime flat disk plus per-set lock-host
|
|
mapping is described by focused tests.
|
|
- Must preserve: format distribution, object-to-set hashing owner, local disk
|
|
replacement, lock client mapping, existing public module paths, and runtime
|
|
`Sets`/`SetDisks` behavior.
|
|
- Verification: focused ECStore set layout tests, ECStore/RustFS compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `E-002/E-LAYOUT-001` Move ECStore format and disk-layout owners.
|
|
- Do: pure-move persisted format ownership and disk-layout expansion into
|
|
the ECStore layout bucket while keeping compatibility stubs at the old
|
|
public paths.
|
|
- Acceptance: `crate::disk::format::*` and `crate::disks_layout::*` remain
|
|
usable, `layout::format` owns `FormatV3`, and `layout::disks_layout` owns
|
|
CLI volume expansion.
|
|
- Must preserve: format JSON wire shape, disk UUID lookup, distribution
|
|
algorithm, `RUSTFS_ERASURE_SET_DRIVE_COUNT` handling, endpoint expansion,
|
|
and old public module paths.
|
|
- Verification: focused ECStore format and disks-layout tests,
|
|
ECStore/RustFS/Heal compile checks, migration/layer guards, formatting,
|
|
diff hygiene, Rust risk scan, branch freshness check, pre-commit quality
|
|
gate, and three-expert review.
|
|
|
|
- [x] `E-003/E-LAYOUT-002` Move ECStore endpoint layout owners.
|
|
- Do: pure-move endpoint parsing and endpoint grouping into the ECStore
|
|
layout bucket while keeping compatibility stubs at the old public paths.
|
|
- Acceptance: `crate::disk::endpoint::*` and `crate::endpoints::*` remain
|
|
usable, `layout::endpoint` owns `Endpoint`, and `layout::endpoints` owns
|
|
`EndpointServerPools` and endpoint grouping.
|
|
- Must preserve: endpoint string parsing, URL/path validation, local-host
|
|
detection, pool/set/disk indexes, endpoint grouping, disk independence
|
|
checks, setup type classification, and old public module paths.
|
|
- Verification: focused ECStore endpoint tests, ECStore/RustFS/Heal compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `E-004/E-LAYOUT-003` Move ECStore set-format heal helpers.
|
|
- Do: move runtime-neutral set-format heal helper logic into the ECStore
|
|
layout bucket while keeping disk initialization and `Sets` orchestration in
|
|
`sets.rs`.
|
|
- Acceptance: `layout::set_heal` owns drive-info mapping and unformatted
|
|
format regeneration helpers, `Sets` keeps the same heal orchestration, and
|
|
focused tests cover the extracted helper behavior.
|
|
- Must preserve: disk format heal state mapping, unformatted disk format
|
|
regeneration, current disk-info preservation, dry-run behavior, save-format
|
|
behavior, and all `Sets` runtime control flow.
|
|
- Verification: focused ECStore set-heal tests, ECStore/RustFS/Heal compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `E-005/E-LAYOUT-004` Move ECStore pool-space selection helpers.
|
|
- Do: move runtime-neutral pool-space selection helper structs into the
|
|
ECStore layout bucket while keeping the old `store` export path available.
|
|
- Acceptance: `layout::pool_space` owns `PoolAvailableSpace` and
|
|
`ServerPoolsAvailableSpace`, rebalance pool selection keeps the same tuple
|
|
storage access inside the crate, and external `store` imports remain
|
|
source-compatible through re-export.
|
|
- Must preserve: pool index ordering, available-space summation,
|
|
max-used-percent filtering semantics, excluded-pool zeroing, object
|
|
placement pool selection, and rebalance pool-space behavior.
|
|
- Verification: focused ECStore pool-space tests, ECStore/RustFS/Heal
|
|
compile checks, migration/layer guards, formatting, diff hygiene, Rust risk
|
|
scan, branch freshness check, pre-commit quality gate, and three-expert
|
|
review.
|
|
|
|
- [x] `E-006/E-REBALANCE-001` Move ECStore rebalance support helpers.
|
|
- Do: move rebalance-only helper DTOs, pool lookup error classification, and
|
|
delete/latest-object result reducers into `store::rebalance::support`
|
|
while keeping async store orchestration in the existing modules.
|
|
- Acceptance: rebalance callers keep the same `PoolObjInfo`/`PoolErr`
|
|
access inside `store`, delete aggregation and latest-object selection keep
|
|
the same behavior, and the moved helpers remain private to the rebalance
|
|
boundary.
|
|
- Must preserve: latest-object tie-breaks, delete result aggregation, pool
|
|
lookup not-found/version-not-found classification, rebalance disk-set lookup
|
|
error context, object delete flows, and existing rebalance control flow.
|
|
- Verification: focused ECStore rebalance tests, ECStore/RustFS/Heal compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `E-007/E-LAYOUT-005` Move ECStore pool-space builder helpers.
|
|
- Do: move `has_space_for` and server-pool available-space construction into
|
|
the ECStore layout pool-space owner while keeping `store::has_space_for`
|
|
source-compatible through re-export.
|
|
- Acceptance: `layout::pool_space` owns capacity checks, pool availability
|
|
construction, filter helpers, and focused tests; rebalance only gathers
|
|
runtime disk snapshots and calls the layout owner.
|
|
- Must preserve: unknown-size handling, erasure fill-fraction math,
|
|
inode/free-space guard behavior, meta-bucket capacity bypass, pool index
|
|
ordering, available-space summation, and rebalance pool selection.
|
|
- Verification: focused ECStore pool-space and rebalance tests,
|
|
ECStore/RustFS/Heal compile checks, migration/layer guards, formatting,
|
|
diff hygiene, Rust risk scan, branch freshness check, pre-commit quality
|
|
gate, and three-expert review.
|
|
|
|
- [x] `E-008/E-REBALANCE-002` Move ECStore rebalance metadata helpers.
|
|
- Do: move rebalance metadata status, bucket queue, terminal event,
|
|
participant, cleanup-warning, metadata merge, and stop-state helpers into
|
|
`rebalance::meta` while keeping wire structs and ECStore orchestration in
|
|
`rebalance.rs`.
|
|
- Acceptance: `rebalance::meta` owns the helper functions, `rebalance.rs`
|
|
keeps save/load and object-flow orchestration, and focused rebalance tests
|
|
keep covering the moved behavior.
|
|
- Must preserve: metadata wire shape, stopped/completed/failed precedence,
|
|
bucket queue ordering, cleanup-warning merge semantics, participant
|
|
resolution, data-usage cache filtering, start/stop validation, and
|
|
percent-free goal math.
|
|
- Verification: focused ECStore rebalance tests, ECStore/RustFS/Heal compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `E-009/E-REBALANCE-003` Move ECStore rebalance worker helpers.
|
|
- Do: move rebalance worker task/result handling, transient retry
|
|
classification, retry timing, bucket config loading, source cleanup
|
|
decisions, and listing retry wrappers into `rebalance::worker` while keeping
|
|
high-level rebalance orchestration in `rebalance.rs`.
|
|
- Acceptance: `rebalance::worker` owns worker helper functions,
|
|
`rebalance.rs` keeps orchestration and wire structs, and focused rebalance
|
|
tests keep covering the moved behavior.
|
|
- Must preserve: worker join error context, transient/terminal error
|
|
classification, retry backoff, missing bucket config handling, delete-marker
|
|
skip and cleanup decisions, listing retry cancellation behavior, and
|
|
migration result accounting.
|
|
- Verification: focused ECStore rebalance tests, ECStore/RustFS/Heal compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `E-010/E-REBALANCE-004` Move ECStore rebalance migration helpers.
|
|
- Do: move migration backend abstraction, migration version result,
|
|
delete-marker/remote-tier option builders, and version migration retry flow
|
|
into `rebalance::migration` while keeping high-level rebalance orchestration
|
|
in `rebalance.rs`.
|
|
- Acceptance: `rebalance::migration` owns migration helper functions and
|
|
result types, `rebalance.rs` keeps orchestration and wire structs, and
|
|
focused rebalance tests keep covering moved behavior.
|
|
- Must preserve: remote-tier object movement, delete-marker replication
|
|
state, data-usage cache skip behavior, source read/write retry semantics,
|
|
transient/non-transient classification, retry backoff, not-found handling,
|
|
migration stage labels, and cleanup accounting.
|
|
- Verification: focused ECStore rebalance tests, ECStore/RustFS/Heal compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `E-011/E-REBALANCE-005` Move ECStore rebalance state impls.
|
|
- Do: move `RebalanceStats` update helpers, `RebalStatus` conversions, and
|
|
`RebalanceMeta` load/save impls into `rebalance::meta` while leaving public
|
|
wire structs in `rebalance.rs`.
|
|
- Acceptance: `rebalance::meta` owns metadata/state behavior, `rebalance.rs`
|
|
keeps data contracts and ECStore orchestration, and focused rebalance tests
|
|
keep covering moved behavior.
|
|
- Must preserve: serialized rebalance metadata header format/version,
|
|
empty/short/unknown metadata handling, last refresh timestamps, save-skip
|
|
behavior for empty pool stats, object/version/byte accounting, batch update
|
|
behavior, status display labels, and legacy status byte mapping.
|
|
- Verification: focused ECStore rebalance tests, ECStore/RustFS/Heal compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `E-012/E-REBALANCE-006` Move ECStore rebalance control impls.
|
|
- Do: move ECStore rebalance metadata save/load/update/init/status/stop
|
|
control methods into `rebalance::control` while leaving the worker loop and
|
|
entry migration orchestration in `rebalance.rs`.
|
|
- Acceptance: `rebalance::control` owns metadata/control methods,
|
|
`rebalance.rs` keeps public data contracts and worker orchestration, and
|
|
focused rebalance tests keep covering moved behavior.
|
|
- Must preserve: metadata merge locking, load/save error wrapping, pool stats
|
|
refresh and extension, init free-space goal, pool stat update behavior,
|
|
bucket queue done/defer behavior, cleanup warning recording, start/stop
|
|
status checks, decommission conflict checks, and stop snapshot persistence.
|
|
- Verification: focused ECStore rebalance tests, ECStore/RustFS/Heal compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `E-013/E-REBALANCE-007` Move ECStore rebalance runtime loop.
|
|
- Do: move `start_rebalance`, the pool rebalance worker loop, completion
|
|
check, and periodic stats save loop into `rebalance::runtime` while leaving
|
|
entry/object/bucket migration orchestration in `rebalance.rs`.
|
|
- Acceptance: `rebalance::runtime` owns start and pool runtime orchestration,
|
|
`rebalance.rs` keeps public data contracts and entry/object/bucket
|
|
migration flow, and focused rebalance tests keep covering moved behavior.
|
|
- Must preserve: decommission/start validation, duplicate-start skipping,
|
|
pool-at-goal and empty-queue completion persistence, participant/local
|
|
endpoint filtering, cancellation handling, deferred-bucket repeated failure
|
|
guard, bucket done/defer behavior, terminal event application, save-task
|
|
error precedence, goal completion math, and save option persistence.
|
|
- Verification: focused ECStore rebalance tests, ECStore/RustFS/Heal compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `E-014/E-REBALANCE-008` Move ECStore rebalance entry flow.
|
|
- Do: move the remaining entry, object-transfer, deferred-error, and bucket
|
|
entry-scan migration flow into `rebalance::entry` while leaving public data
|
|
contracts in `rebalance.rs`.
|
|
- Acceptance: `rebalance::entry` owns bucket/entry migration flow,
|
|
`rebalance::runtime` keeps pool-level orchestration, and focused rebalance
|
|
tests keep covering moved behavior.
|
|
- Must preserve: directory and completed-pool skips, lifecycle-expired
|
|
filtering, delete-marker skip semantics, data-movement retry flow, deferred
|
|
transient failure recording, batch stats updates, source cleanup warning
|
|
recording, entry worker semaphore limits, cancellation handling, listing
|
|
retry flow, and bucket outcome precedence.
|
|
- Verification: focused ECStore rebalance tests, ECStore/RustFS/Heal compile
|
|
checks, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `E-015/E-REBALANCE-009` Split ECStore rebalance unit tests.
|
|
- Do: move the large inline `rebalance_unit_tests` module out of
|
|
`rebalance.rs` into `rebalance/rebalance_unit_tests.rs` while preserving
|
|
the module name and test filter path.
|
|
- Acceptance: `rebalance.rs` is reduced to public rebalance data contracts
|
|
plus submodule wiring, rebalance unit tests remain under
|
|
`rebalance::rebalance_unit_tests`, and focused rebalance tests keep covering
|
|
moved behavior.
|
|
- Must preserve: test coverage, helper visibility, legacy metadata
|
|
serialization coverage, migration backend spies, panic-context tests, and
|
|
every existing rebalance unit-test filter path.
|
|
- Verification: focused ECStore rebalance tests, migration/layer guards,
|
|
formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `E-016/E-REBALANCE-010` Move ECStore rebalance type contracts.
|
|
- Do: move rebalance stats, status, info, metadata DTOs, and internal
|
|
bucket/entry outcomes into `rebalance::types` while preserving root
|
|
re-exports.
|
|
- Acceptance: public `crate::rebalance::*` paths remain stable, internal
|
|
submodules keep `super::...` access, and `rebalance.rs` only wires shared
|
|
constants, modules, and re-exports.
|
|
- Must preserve: serde field names/defaults, rebalance metadata wire shape,
|
|
status/save-option defaults, cancellation/refresh metadata fields, and
|
|
internal bucket/entry outcome semantics.
|
|
- Verification: focused ECStore rebalance tests, migration/layer guards,
|
|
formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `API-129` Route RustFS internal ECStore consumers through owner boundary.
|
|
- Do: expose crate-local ECStore facade module aliases from
|
|
`rustfs/src/storage/mod.rs` and migrate RustFS startup, server, capacity,
|
|
config, table-catalog, workload admission, and S3 API helper consumers to
|
|
import those aliases from `crate::storage`.
|
|
- Acceptance: non-owner RustFS files no longer import `rustfs_ecstore::api`
|
|
directly, while `app`, `admin`, and `storage` owner modules remain the only
|
|
RustFS crate direct ECStore facade import points.
|
|
- Must preserve: startup sequencing, global endpoint/config side effects,
|
|
readiness checks, RPC signature verification, notification event dispatch,
|
|
capacity refresh behavior, table-catalog constants, workload admission
|
|
snapshots, and S3 ETag conversion behavior.
|
|
- Verification: focused RustFS compile, direct import residual scan,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `API-130` Centralize external ECStore facade alias imports.
|
|
- Do: replace grouped and raw-subpath `rustfs_ecstore::api` imports in IAM,
|
|
notify, observability, Swift, S3 Select, e2e helpers, heal/scanner tests,
|
|
and fuzz targets with per-module `ecstore_*` aliases plus local type
|
|
aliases or module-qualified calls.
|
|
- Acceptance: non-ECStore source no longer uses grouped
|
|
`rustfs_ecstore::api::{...}` imports or raw
|
|
`rustfs_ecstore::api::<module>::...` subpaths, while owner alias imports
|
|
remain explicit.
|
|
- Must preserve: IAM config IO, notify config persistence, observability
|
|
metrics collection, Swift metadata access, S3 Select object-store access,
|
|
e2e RPC helpers, heal/scanner ECStore test setup, and fuzz validation
|
|
semantics.
|
|
- Verification: focused external crate compile, grouped/raw facade residual
|
|
scans, migration/layer guards, formatting, diff hygiene, Rust risk scan,
|
|
branch freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `API-131` Route nested external production ECStore imports through owner roots.
|
|
- Do: expose notify, observability metrics, and S3 Select ECStore facade
|
|
aliases from their crate or module owner roots, and migrate nested
|
|
production files to import those local aliases instead of importing
|
|
`rustfs_ecstore::api` directly.
|
|
- Acceptance: nested production files under notify, observability, and S3
|
|
Select no longer import ECStore facade modules directly, while IAM,
|
|
scanner, heal, Swift, and owner root files remain the only approved
|
|
external production direct facade import points.
|
|
- Must preserve: notify config persistence, observability metrics collection
|
|
and scheduler bucket-monitor checks, S3 Select object-store error and
|
|
storage access behavior, and all public crate APIs.
|
|
- Verification: focused notify/obs/S3 Select compile, nested direct-import
|
|
residual scan, migration/layer guards, formatting, diff hygiene, Rust risk
|
|
scan, branch freshness check, pre-commit quality gate, and three-expert
|
|
review.
|
|
|
|
- [x] `API-132` Replace completed external owner module aliases with symbols.
|
|
- Do: replace notify, Swift, and S3 Select owner-root `ecstore_*` module
|
|
aliases with explicit local ECStore symbols, type aliases, constants, and
|
|
wrapper functions.
|
|
- Acceptance: completed external owner roots no longer expose broad
|
|
`ecstore_*` module aliases, while nested modules keep using owner-local
|
|
symbols and the remaining larger observability, IAM, scanner, and heal
|
|
owner roots stay unchanged for later slices.
|
|
- Must preserve: notify config persistence, Swift bucket metadata access, S3
|
|
Select object-store error mapping, object reads, scan buffering, and all
|
|
public crate APIs.
|
|
- Verification: focused notify/Swift/S3 Select compile, completed-owner
|
|
alias residual scan, migration/layer guards, formatting, diff hygiene, Rust
|
|
risk scan, branch freshness check, pre-commit quality gate, and
|
|
three-expert review.
|
|
|
|
- [x] `API-133` Replace scanner owner module aliases with symbols.
|
|
- Do: replace scanner owner-root `ecstore_*` module aliases with explicit
|
|
local ECStore symbols, type aliases, constants, and wrapper functions.
|
|
- Acceptance: scanner no longer exposes broad `ecstore_*` module aliases,
|
|
nested scanner modules continue to consume scanner-local symbols, and the
|
|
migration guard prevents reintroducing scanner owner-root module aliases.
|
|
- Must preserve: scanner lifecycle config reads, versioning/replication
|
|
helper traits, disk metadata access, tier listing, erasure checks,
|
|
replication-heal queueing, config persistence, raw list traversal, and
|
|
bucket usage replacement behavior.
|
|
- Verification: focused scanner compile, completed-owner alias residual scan,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `API-134` Replace remaining external owner module aliases with symbols.
|
|
- Do: replace heal, IAM, and observability owner-root `ecstore_*` module
|
|
aliases with explicit local ECStore symbols, type aliases, constants, and
|
|
wrapper functions.
|
|
- Acceptance: heal, IAM, and observability no longer expose broad `ecstore_*`
|
|
module aliases, nested modules continue to consume owner-local symbols, and
|
|
the migration guard prevents reintroducing these owner-root module aliases.
|
|
- Must preserve: heal disk metadata and local disk lookup, IAM config
|
|
persistence and notification fanout, observability storage/data-usage,
|
|
quota, lifecycle, replication, capacity, and bucket monitor collection.
|
|
- Verification: focused heal/IAM/observability compile, completed-owner alias
|
|
residual scan, migration/layer guards, formatting, diff hygiene, Rust risk
|
|
scan, branch freshness check, pre-commit quality gate, and three-expert
|
|
review.
|
|
|
|
- [x] `API-135` Replace test and fuzz owner module aliases with symbols.
|
|
- Do: replace e2e, heal/scanner integration-test, and fuzz-target
|
|
`ecstore_*` module aliases with explicit ECStore symbols.
|
|
- Acceptance: the completed test/fuzz files no longer import broad
|
|
`ecstore_*` owner modules, direct symbols preserve the same ECStore facade
|
|
contracts, and the migration guard prevents reintroducing module aliases in
|
|
these files.
|
|
- Must preserve: e2e RPC client construction, replication target tests, heal
|
|
ECStore setup, scanner lifecycle/tier/transition behavior, and bucket/path
|
|
fuzz validation semantics.
|
|
- Verification: focused e2e/heal/scanner compile, fuzz manifest compile,
|
|
completed test/fuzz alias residual scan, migration/layer guards, formatting,
|
|
diff hygiene, Rust risk scan, branch freshness check, pre-commit quality
|
|
gate, and three-expert review.
|
|
|
|
- [x] `API-136` Replace RustFS runtime owner module aliases with symbols.
|
|
- Do: replace RustFS app/admin/storage owner-root `ecstore_*` facade aliases
|
|
with owner-local curated symbol modules that expose only the ECStore
|
|
submodules, functions, types, and constants consumed by those runtime
|
|
boundaries.
|
|
- Acceptance: `rustfs/src/app/mod.rs`, `rustfs/src/admin/mod.rs`, and
|
|
`rustfs/src/storage/mod.rs` no longer import broad ECStore facade modules
|
|
as `ecstore_*`; migration guards reject reintroducing those broad aliases.
|
|
- Must preserve: app object/lifecycle/replication helpers, admin config,
|
|
metrics, tiering, rebalance helpers, storage S3/RPC metadata helpers, and
|
|
startup/server consumers of the storage owner boundary.
|
|
- Verification: focused RustFS compile, runtime owner alias residual scan,
|
|
migration/layer guards, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit quality gate, and three-expert review.
|
|
|
|
- [x] `API-137` Guard completed owner facade import shapes.
|
|
- Do: extend migration rules so completed owner and test/fuzz boundaries
|
|
cannot reintroduce bare `rustfs_ecstore::api::<module>` imports or glob
|
|
facade imports.
|
|
- Acceptance: completed owner roots and completed test/fuzz boundaries keep
|
|
explicit symbol imports, type aliases, constants, or wrappers; migration
|
|
guards reject bare module and glob facade imports.
|
|
- Must preserve: all API-136 RustFS owner symbol boundaries, API-135 test/fuzz
|
|
direct symbol imports, and external owner root symbol imports.
|
|
- Verification: architecture migration guard, shell syntax check, formatting,
|
|
diff hygiene, branch freshness check, and three-expert review.
|
|
|
|
- [x] `API-138` Centralize completed owner raw facade subpaths.
|
|
- Do: move completed notify and S3 Select owner wrapper raw ECStore facade
|
|
calls into explicit import declarations, then guard completed owner and
|
|
test/fuzz boundaries against raw facade subpaths outside import
|
|
declarations.
|
|
- Acceptance: completed owner and test/fuzz files keep raw ECStore facade
|
|
subpaths centralized at import declarations; wrapper bodies use local
|
|
aliases, constants, or functions.
|
|
- Must preserve: notify config read/save wrappers, S3 Select object-store
|
|
handle/error helpers, default read-buffer constant, and all existing public
|
|
crate APIs.
|
|
- Verification: focused notify/S3 Select compile, architecture migration
|
|
guard, shell syntax check, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, and three-expert review.
|
|
|
|
- [x] `API-139` Route startup runtime consumers through storage owner symbols.
|
|
- Do: expose storage-owner aliases and wrappers for startup layout, global
|
|
endpoint/region state, local disk initialization, config initialization,
|
|
background replication, and notification setup, then migrate startup
|
|
runtime files away from `ecstore_*` owner-module consumers.
|
|
- Acceptance: `startup_notification`, `startup_fs_guard`, `startup_services`,
|
|
`startup_server`, and `startup_storage` use storage-owner symbols and
|
|
wrappers instead of `crate::storage::ecstore_*` modules; migration guards
|
|
reject restoring those module consumers.
|
|
- Must preserve: endpoint parsing, unsupported-filesystem policy checks,
|
|
global endpoint/erasure state setup, local disk and lock-client
|
|
initialization, config migration/retry behavior, readiness marking,
|
|
background replication start, region/port registration, and notification
|
|
initialization.
|
|
- Verification: focused RustFS test-target compile, migration guard, shell
|
|
syntax check, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, and three-expert review.
|
|
|
|
- [x] `API-140` Route server/capacity/workload consumers through storage owner symbols.
|
|
- Do: expose storage-owner symbols for local disk enumeration, disk endpoint
|
|
labels, RPC signature prefix/verification, bucket metadata runtime state,
|
|
replication pool access, and replication queue counts, then migrate
|
|
server, capacity, and workload-admission consumers away from `ecstore_*`
|
|
owner modules.
|
|
- Acceptance: `server/http.rs`, `capacity/service.rs`, and
|
|
`workload_admission.rs` use storage-owner symbols and wrappers instead of
|
|
`crate::storage::ecstore_*` modules; migration guards reject restoring
|
|
those module consumers.
|
|
- Must preserve: internode RPC signature verification, active HTTP request
|
|
metrics, capacity manager disk discovery/labels, metadata workload state,
|
|
replication active/queue counts, and all storage-owner backend calls.
|
|
- Verification: focused RustFS test-target compile, migration guard, shell
|
|
syntax check, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, and three-expert review.
|
|
|
|
- [x] `API-141` Route root/server runtime consumers through storage owner symbols.
|
|
- Do: expose storage-owner aliases and wrappers for notification config,
|
|
topology capability mapping, readiness globals, event dispatch hook
|
|
installation, module-switch config persistence, endpoint test builders,
|
|
and quota/error types, then migrate remaining root/server runtime
|
|
consumers away from `ecstore_*` owner modules.
|
|
- Acceptance: `init.rs`, `runtime_capabilities.rs`, `server/readiness.rs`,
|
|
`server/event.rs`, `server/module_switch.rs`, and `error.rs` use
|
|
storage-owner symbols and wrappers instead of
|
|
`crate::storage::ecstore_*` modules; migration guards reject restoring
|
|
those module consumers.
|
|
- Must preserve: bucket notification preload behavior, topology capability
|
|
labels, runtime readiness lock-quorum checks, live event dispatch,
|
|
module-switch persistence semantics, S3 error conversion, and test
|
|
endpoint construction.
|
|
- Verification: focused RustFS test-target compile, migration guard, shell
|
|
syntax check, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, and three-expert review.
|
|
|
|
- [x] `API-142` Route table/S3/startup consumers through storage owner symbols.
|
|
- Do: expose storage-owner constants, aliases, and wrappers for table catalog
|
|
metadata roots, catalog path hashing, metadata lookup, lock timeout,
|
|
shutdown, bucket metadata migration/init, S3 etag conversion, and config
|
|
test disk layout parsing, then migrate the remaining table/S3/startup
|
|
consumers away from `ecstore_*` owner modules.
|
|
- Acceptance: `startup_bucket_metadata.rs`, `startup_shutdown.rs`,
|
|
`table_catalog.rs`, `storage/s3_api/bucket.rs`,
|
|
`storage/s3_api/multipart.rs`, and `config/config_test.rs` use
|
|
storage-owner symbols and wrappers instead of
|
|
`crate::storage::ecstore_*` modules; migration guards reject restoring
|
|
those module consumers.
|
|
- Must preserve: startup bucket metadata and IAM migration order,
|
|
replication resync initialization, background-service shutdown, S3 ETag
|
|
rendering, table catalog reserved paths and metadata hash layout,
|
|
table-bucket mutation guard behavior, catalog lock acquisition timeout,
|
|
and config test disk-layout parsing.
|
|
- Verification: focused RustFS test-target compile, migration guard, shell
|
|
syntax check, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, and three-expert review.
|
|
|
|
- [x] `API-143` Route app shared runtime facade through storage owner symbols.
|
|
- Do: expose storage-owner aliases and wrappers for app-shared ECStore,
|
|
endpoint layout, rio readers, notification access, global object-store
|
|
resolver, shared error helpers, storage-class validation, and test local
|
|
disk initialization, then migrate the duplicate app facade entries to
|
|
delegate to storage-owner symbols.
|
|
- Acceptance: `rustfs/src/app/mod.rs` delegates shared IO/error/global/
|
|
notification/storage wrappers to `crate::storage` owner symbols instead
|
|
of duplicate `ecstore_*` calls; migration guards reject restoring those
|
|
duplicate calls.
|
|
- Must preserve: app context resolution, object-store resolver fallback,
|
|
notification system access, rio reader boxing/wrapping, lock timeout,
|
|
storage-class validation, S3 ETag rendering, and app test disk setup.
|
|
- Verification: focused RustFS test-target compile, migration guard, shell
|
|
syntax check, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, and three-expert review.
|
|
|
|
- [x] `API-144` Route app bucket facade source imports through storage owner re-exports.
|
|
- Do: expose bucket target/lifecycle/target, client transition API, and
|
|
storageclass through storage owner re-exports, then source the app bucket,
|
|
client, and config facade entries through `crate::storage`.
|
|
- Acceptance: `rustfs/src/app/mod.rs` no longer imports direct
|
|
`rustfs_ecstore::api::{bucket,client,config}::` source paths; migration
|
|
guards reject restoring those direct source paths.
|
|
- Must preserve: bucket target, lifecycle, metadata, object lock,
|
|
policy/quota/replication/tagging/target/versioning, transition reader, and
|
|
storageclass compatibility paths.
|
|
- Verification: focused RustFS test-target compile, migration guard, shell
|
|
syntax check, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, pre-commit, and three-expert review.
|
|
|
|
- [x] `API-145` Route remaining app facade ECStore source imports through storage owner re-exports.
|
|
- Do: expose app-needed admin, capacity, compression, data-usage, global, and
|
|
tier modules through storage owner re-exports, then source the remaining
|
|
app facade entries through `crate::storage`.
|
|
- Acceptance: `rustfs/src/app/mod.rs` contains no direct
|
|
`rustfs_ecstore::api::` source imports; migration guards reject restoring
|
|
any direct ECStore API source path in the app facade.
|
|
- Must preserve: server info, pool capacity summaries, compression checks,
|
|
bucket usage memory accounting, global tier manager access, and tier
|
|
config/warm backend compatibility paths.
|
|
- Verification: focused RustFS test-target compile, migration guard, shell
|
|
syntax check, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, pre-commit, and three-expert review.
|
|
|
|
- [x] `API-146` Route admin facade ECStore source imports through storage owner re-exports.
|
|
- Do: expose admin-needed bucket, capacity, client, config, data-usage, disk,
|
|
error, global, layout, metrics, notification, rebalance, RPC, storage, and
|
|
tier symbols through storage owner re-exports, then source the admin facade
|
|
through `crate::storage`.
|
|
- Acceptance: `rustfs/src/admin/mod.rs` contains no direct
|
|
`rustfs_ecstore::api::` source imports; migration guards reject restoring
|
|
any direct ECStore API source path in the admin facade.
|
|
- Must preserve: admin handler utilities, bucket controls, storage class
|
|
updates, data usage reads, cluster/global metadata, metrics/notification
|
|
views, rebalance status, peer RPC, ECStore handle, and tier admin paths.
|
|
- Verification: focused RustFS test-target compile, migration guard, shell
|
|
syntax check, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, pre-commit, and three-expert review.
|
|
|
|
- [x] `API-147` Route external runtime crate ECStore source imports through local compatibility boundaries.
|
|
- Do: move direct ECStore facade source imports in notify, observability
|
|
metrics, S3 Select, Swift, IAM, heal, and scanner runtime entry modules
|
|
into crate-local `ecstore_compat` modules while preserving existing
|
|
wrappers and aliases at each crate boundary.
|
|
- Acceptance: target runtime crate source directories contain no direct
|
|
`rustfs_ecstore::api::` source paths outside `ecstore_compat.rs`; migration
|
|
guards reject restoring those bypasses.
|
|
- Must preserve: notify config persistence and object-store resolution,
|
|
observability storage/ILM/replication metrics, S3 Select storage error
|
|
mapping and object reads, Swift metadata/object-store access, IAM config
|
|
and notification behavior, heal disk wrappers, and scanner lifecycle/disk
|
|
runtime wrappers.
|
|
- Verification: focused external crate compile, migration guard, shell syntax
|
|
check, formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit, and three-expert review.
|
|
|
|
- [x] `API-148` Route external test ECStore source imports through local compatibility boundaries.
|
|
- Do: move direct ECStore facade source imports in heal integration tests,
|
|
scanner lifecycle tests, and e2e reliant/replication helpers into local
|
|
`ecstore_test_compat` modules while preserving existing test aliases and
|
|
helper call paths.
|
|
- Acceptance: target external test/e2e paths contain no direct
|
|
`rustfs_ecstore::api::` source paths outside `ecstore_test_compat.rs`;
|
|
migration guards reject restoring those bypasses.
|
|
- Must preserve: heal endpoint setup and resume disk types, scanner
|
|
lifecycle transition setup, e2e node RPC client helpers, and replication
|
|
bucket target cleanup behavior.
|
|
- Verification: focused test-target compile, migration guard, shell syntax
|
|
check, formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit, and three-expert review.
|
|
|
|
- [x] `API-149` Route fuzz ECStore source imports through a local compatibility boundary.
|
|
- Do: move direct ECStore facade source imports in bucket validation and path
|
|
containment fuzz targets into `ecstore_fuzz_compat` wrapper functions.
|
|
- Acceptance: fuzz targets contain no direct `rustfs_ecstore::api::` source
|
|
paths outside `ecstore_fuzz_compat.rs`; migration guards reject restoring
|
|
those bypasses.
|
|
- Must preserve: bucket/object validation fuzz semantics, meta bucket
|
|
compatibility checks, object prefix/path component validation, and root
|
|
containment assertions.
|
|
- Verification: focused fuzz compile, migration guard, shell syntax check,
|
|
formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit, and three-expert review.
|
|
|
|
- [x] `API-150` Move storage owner ECStore source imports into a compatibility module.
|
|
- Do: move the storage owner `ecstore_*` facade source modules out of
|
|
`rustfs/src/storage/mod.rs` and into `rustfs/src/storage/ecstore_compat.rs`.
|
|
- Acceptance: `rustfs/src/storage/mod.rs` contains no direct
|
|
`rustfs_ecstore::api::` source paths, while existing `crate::storage::*`
|
|
aliases and helper functions keep their public shape.
|
|
- Must preserve: storage owner type aliases, constants, wrapper functions,
|
|
disk RPC extension traits, bucket metadata helpers, runtime globals, and
|
|
startup storage wiring.
|
|
- Verification: RustFS compile coverage, migration guard, shell syntax check,
|
|
formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit, and three-expert review.
|
|
|
|
- [x] `API-151` Collapse thin runtime crate ECStore compatibility bridges.
|
|
- Do: remove the thin `ecstore_compat.rs` files from notify, obs metrics,
|
|
Swift, and S3 Select, moving their aliases and wrappers to the owner root
|
|
modules.
|
|
- Acceptance: those crates no longer declare local `ecstore_compat` modules,
|
|
while their public/internal owner-root aliases and wrapper functions keep
|
|
the same call paths for downstream modules.
|
|
- Must preserve: notify server-config IO, metrics data/quota/replication
|
|
reads, S3 Select object-reader/error mapping, and Swift bucket metadata and
|
|
object reader aliases.
|
|
- Verification: focused runtime crate compile coverage, migration guard,
|
|
shell syntax check, formatting, diff hygiene, Rust risk scan, branch
|
|
freshness check, pre-commit, and three-expert review.
|
|
|
|
- [x] `API-152` Collapse thin test and fuzz ECStore compatibility bridges.
|
|
- Do: remove the thin e2e, heal, scanner, and fuzz ECStore compatibility
|
|
bridge modules, moving their aliases and wrappers into the owner test/fuzz
|
|
files that consume them.
|
|
- Acceptance: those tests and fuzz targets no longer declare local
|
|
`ecstore_test_compat` or `ecstore_fuzz_compat` modules, while the same
|
|
ECStore API symbols remain available to the existing test and fuzz logic.
|
|
- Must preserve: e2e replication and reliant gRPC clients, heal endpoint and
|
|
integration fixtures, scanner lifecycle fixtures, bucket validation fuzzing,
|
|
and path containment fuzzing.
|
|
- Verification: focused test/fuzz compile coverage, migration guard, shell
|
|
syntax check, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, pre-commit, and three-expert review.
|
|
|
|
- [x] `API-153` Collapse thin owner ECStore compatibility bridges.
|
|
- Do: remove the thin IAM, heal, and scanner `ecstore_compat.rs` modules,
|
|
moving their aliases and wrappers into the owner root modules.
|
|
- Acceptance: those owner crates no longer declare local `ecstore_compat`
|
|
modules, while their owner-root aliases and wrapper functions keep the same
|
|
call paths for downstream modules.
|
|
- Must preserve: IAM config/notification helpers, heal disk/local-map
|
|
contracts, scanner lifecycle/replication/data-usage helpers, and owner-root
|
|
storage aliases.
|
|
- Verification: focused owner crate compile coverage, migration guard, shell
|
|
syntax check, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, pre-commit, and three-expert review.
|
|
|
|
- [x] `API-154` Collapse storage owner ECStore compatibility bridge.
|
|
- Do: remove `rustfs/src/storage/ecstore_compat.rs`, moving its `ecstore_*`
|
|
source modules into `rustfs/src/storage/mod.rs`.
|
|
- Acceptance: no storage owner `ecstore_compat` bridge file remains, while
|
|
existing downstream `crate::storage::ecstore_*` paths keep the same shape.
|
|
- Must preserve: storage owner type aliases, constants, wrapper functions,
|
|
disk RPC extension traits, bucket metadata helpers, runtime globals, and
|
|
startup storage wiring.
|
|
- Verification: RustFS compile coverage, migration guard, shell syntax check,
|
|
formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit, and three-expert review.
|
|
|
|
- [x] `API-155` Collapse app context and notify thin compatibility modules.
|
|
- Do: remove `rustfs/src/app/context/compat.rs` by moving resolver helpers
|
|
into `rustfs/src/app/context.rs`, and remove the notify event-bridge
|
|
re-export module by exporting pipeline symbols directly from the notify
|
|
owner root.
|
|
- Acceptance: no app context `compat` module or notify `event_bridge` module
|
|
remains, while existing `crate::app::context::*` and `rustfs_notify::*`
|
|
public symbols keep the same paths.
|
|
- Must preserve: AppContext-first resolver precedence, legacy global
|
|
fallback behavior, bucket metadata/endpoints/tier/server config handles,
|
|
notify live event history, and notify event bridge type aliases.
|
|
- Verification: RustFS and notify compile coverage, migration guard, shell
|
|
syntax check, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, pre-commit, and three-expert review.
|
|
|
|
- [x] `API-156` Route app runtime consumers through AppContext resolvers.
|
|
- Do: add notify and buffer profile resolver helpers, route bucket/object
|
|
notification users through the notify resolver, route ECFS buffer sizing
|
|
through the buffer resolver, and route public health KMS readiness through
|
|
the KMS runtime resolver.
|
|
- Acceptance: selected app/server/storage consumers no longer open-code
|
|
direct global notifier, buffer config, or KMS service manager fallback when
|
|
an AppContext resolver already owns the migration boundary.
|
|
- Must preserve: context-first behavior when an AppContext exists, legacy
|
|
global fallback when it does not, notification delivery semantics, buffer
|
|
opt-in behavior, and public health readiness behavior.
|
|
- Verification: RustFS compile coverage, migration guard, shell syntax check,
|
|
formatting, diff hygiene, Rust risk scan, branch freshness check,
|
|
pre-commit, and three-expert review.
|
|
|
|
- [x] `API-157` Route server readiness through AppContext resolvers.
|
|
- Do: add an IAM readiness resolver, use it for cached and uncached server
|
|
dependency readiness, and use the endpoints resolver for lock quorum
|
|
endpoint discovery.
|
|
- Acceptance: readiness no longer directly reads global IAM or endpoint state
|
|
when an AppContext resolver already owns that boundary.
|
|
- Must preserve: IAM-ready semantics, distributed lock quorum behavior, storage
|
|
readiness behavior, and legacy global fallback when AppContext is absent.
|
|
- Verification: RustFS compile coverage, targeted readiness/context tests,
|
|
migration guard, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, pre-commit, and three-expert review.
|
|
|
|
- [x] `API-158` Route RPC node IAM operations through AppContext resolver.
|
|
- Do: add an IAM handle resolver and use it for RPC node IAM policy, user,
|
|
group, and service-account reload/delete operations.
|
|
- Acceptance: RPC node IAM operations no longer directly read the global IAM
|
|
singleton when an AppContext resolver owns that boundary.
|
|
- Must preserve: request validation messages, `errServerNotInitialized`
|
|
fallback, IAM operation arguments, and legacy global fallback when
|
|
AppContext is absent.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, pre-commit, and three-expert review.
|
|
|
|
- [x] `API-159` Route RPC node lock and identity reads through AppContext.
|
|
- Do: add lock-client and local-node-name AppContext interfaces, default
|
|
legacy adapters, resolver helpers, and use them in RPC node lock and health
|
|
handlers.
|
|
- Acceptance: RPC node lock operations and health metric node identity no
|
|
longer read legacy global state directly when AppContext owns the boundary.
|
|
- Must preserve: lock-client initialization error text, health metric node
|
|
labels, async local-node-name behavior, and legacy global fallback when
|
|
AppContext is absent.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, pre-commit, and three-expert review.
|
|
|
|
- [x] `API-160` Route admin runtime reads through AppContext resolvers.
|
|
- Do: add action-credential and region AppContext interfaces, resolver
|
|
helpers, default legacy adapters, and use them with the existing server
|
|
config resolver across admin/server read paths.
|
|
- Acceptance: admin handlers and router code no longer directly read action
|
|
credentials, region, or server config globals when an AppContext resolver
|
|
owns that boundary.
|
|
- Must preserve: admin auth decisions, object-ZIP token signing, object lambda
|
|
signing region fallback, OIDC restart detection, site replication metadata,
|
|
and legacy global fallback when AppContext is absent.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, pre-commit, and three-expert review.
|
|
|
|
- [x] `API-161` Route admin topology reads through AppContext resolvers.
|
|
- Do: add deployment-id and runtime-port AppContext interfaces, reuse the
|
|
endpoints resolver, default legacy adapters, and route admin topology
|
|
consumers through resolvers.
|
|
- Acceptance: admin site replication, replication handlers, and router code
|
|
no longer directly read endpoints, deployment id, or runtime port globals
|
|
outside AppContext default adapters.
|
|
- Must preserve: site replication endpoint inference, console-port fallback,
|
|
replication same-target validation, stale same-deployment target detection,
|
|
and legacy global fallback when AppContext is absent.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, formatting, diff hygiene, Rust risk scan, branch freshness
|
|
check, pre-commit, and three-expert review.
|
|
|
|
- [x] `API-162` Route admin peer-system reads through AppContext resolvers.
|
|
- Do: add notification-system, bucket-monitor, and replication-pool
|
|
AppContext interfaces, default legacy adapters, and route admin and app
|
|
peer-system consumers through resolvers.
|
|
- Acceptance: admin tier/rebalance/config/router/site-replication and app
|
|
bucket metadata reload paths no longer directly read notification system,
|
|
bucket monitor, or replication pool globals outside AppContext default
|
|
adapters.
|
|
- Must preserve: tier config propagation, dynamic config reload propagation,
|
|
config snapshot refresh, live event peer listing, replication bandwidth
|
|
metric collection, replication resync start/status/cancel behavior,
|
|
rebalance stop fallback, and legacy global fallback when AppContext is
|
|
absent.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, formatting, diff hygiene, residual global-read scan, Rust
|
|
risk scan, branch freshness check, and three-expert review.
|
|
|
|
- [x] `API-163` Route admin site-replication IAM reads through AppContext.
|
|
- Do: replace admin site-replication direct IAM global reads with the
|
|
AppContext IAM handle resolver.
|
|
- Acceptance: site-replication service-account, IAM export, IAM item import,
|
|
and peer-join service-account paths no longer directly call the IAM global
|
|
accessor.
|
|
- Must preserve: site-replicator service-account lookup/update/create,
|
|
exported IAM policy/user/group/policy-mapping payloads, imported IAM item
|
|
reconciliation, peer join service-account upsert, and legacy fallback when
|
|
AppContext is absent.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, formatting, diff hygiene, residual IAM global-read scan,
|
|
Rust risk scan, branch freshness check, and three-expert review.
|
|
|
|
- [x] `API-164` Route admin site-replication outbound TLS reads through AppContext.
|
|
- Do: add an outbound TLS runtime AppContext interface and route
|
|
site-replication peer-client TLS generation/state reads through resolvers.
|
|
- Acceptance: site-replication peer-client cache lookup and client rebuild
|
|
paths no longer directly call outbound TLS global loaders.
|
|
- Must preserve: peer-client cache invalidation by TLS generation, root CA
|
|
parsing, mTLS identity propagation via the published TLS state, and legacy
|
|
global fallback when AppContext is absent.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, layer guard, formatting, diff hygiene, residual outbound
|
|
TLS global-read scan, Rust risk scan, branch freshness check, and
|
|
three-expert review.
|
|
|
|
- [x] `API-165` Route admin TLS debug outbound TLS reads through AppContext.
|
|
- Do: route admin TLS debug status outbound TLS generation/state reads
|
|
through the AppContext outbound TLS runtime resolver.
|
|
- Acceptance: TLS debug status no longer directly calls outbound TLS global
|
|
summary helpers while preserving the same JSON status fields and consumer
|
|
generation flags.
|
|
- Must preserve: profile authorization, TLS source path reporting, reload
|
|
enable reporting, consumer labels, root CA status, mTLS identity status, and
|
|
legacy global fallback when AppContext is absent.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, layer guard, formatting, diff hygiene, residual outbound
|
|
TLS global-read scan, Rust risk scan, branch freshness check, and
|
|
three-expert review.
|
|
|
|
- [x] `API-166` Route admin replication stats reads through AppContext.
|
|
- Do: add a replication stats AppContext interface and storage-owner wrapper,
|
|
then route admin replication metrics, extended replication metrics, and
|
|
site-replication metrics summary reads through the resolver.
|
|
- Acceptance: admin production handlers no longer directly read
|
|
`GLOBAL_REPLICATION_STATS`, while AppContext default adapters keep the
|
|
existing global fallback.
|
|
- Must preserve: replication metrics defaults when stats are absent, bucket
|
|
latest-stat lookup, site-replication node metric mapping, bandwidth report
|
|
enrichment, runtime-field enrichment, and existing storage owner global
|
|
initialization.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, layer guard, formatting, diff hygiene, residual replication
|
|
stats global-read scan, Rust risk scan, branch freshness check, and
|
|
three-expert review.
|
|
|
|
- [x] `API-167` Route admin status and metrics reads through AppContext.
|
|
- Do: add AppContext interfaces for boot time, daily tier transition stats,
|
|
and scanner metrics report reads, then route admin replication uptime, tier
|
|
stats, and scanner status through those resolvers.
|
|
- Acceptance: admin production handlers no longer directly read
|
|
`GLOBAL_BOOT_TIME`, `GLOBAL_TransitionState`, or scanner `global_metrics`,
|
|
while AppContext default adapters keep the existing global fallback.
|
|
- Must preserve: replication metrics uptime defaults, tier stats filtering,
|
|
scanner status payload shape, scanner runtime-config reporting, and existing
|
|
storage owner global initialization.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, layer guard, formatting, diff hygiene, residual admin
|
|
status global-read scan, Rust risk scan, branch freshness check, and
|
|
three-expert review.
|
|
|
|
- [x] `API-168` Route admin KMS manager initialization through AppContext.
|
|
- Do: add an AppContext-first KMS runtime resolver that initializes the
|
|
legacy global manager only after context/default lookup misses, then route
|
|
admin KMS key, management, and dynamic handlers through it.
|
|
- Acceptance: admin production handlers no longer directly initialize the
|
|
global KMS service manager, while the AppContext default path preserves
|
|
legacy global initialization fallback.
|
|
- Must preserve: KMS key encryption-service lookup, KMS status/config/cache
|
|
handlers, dynamic KMS configure/start/stop/reconfigure behavior, and
|
|
existing fallback warning logs.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, layer guard, formatting, diff hygiene, residual admin KMS
|
|
init scan, Rust risk scan, branch freshness check, and three-expert review.
|
|
|
|
- [x] `API-169` Route admin config publication through AppContext.
|
|
- Do: add AppContext-first publish helpers for server config and storage
|
|
class config, then route admin config write/reload publication through
|
|
those helpers.
|
|
- Acceptance: admin production handlers and services no longer directly call
|
|
`set_global_server_config` or the admin storage-class global setter, while
|
|
AppContext default adapters preserve the legacy global-setter fallback.
|
|
- Must preserve: config validation, config history persistence, runtime
|
|
snapshot reload semantics, dynamic subsystem application, storage-class
|
|
parsing, and store persistence behavior.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, layer guard, formatting, diff hygiene, residual admin
|
|
config publication scan, Rust risk scan, branch freshness check, and
|
|
three-expert review.
|
|
|
|
- [x] `API-170` Route action credential reads through AppContext.
|
|
- Do: route auth validation, protocol storage-client owner checks, and
|
|
storage audit helper access-key enrichment through the AppContext
|
|
action-credential resolver.
|
|
- Acceptance: production auth/protocol/storage helper paths no longer read
|
|
action credentials directly from the credentials singleton, while the
|
|
AppContext default adapter preserves the legacy global fallback.
|
|
- Must preserve: owner detection, session-token claim validation, policy
|
|
principal type derivation, protocol request metadata, and audit access-key
|
|
enrichment.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, layer guard, formatting, diff hygiene, residual action
|
|
credential scan, Rust risk scan, branch freshness check, and three-expert
|
|
review.
|
|
|
|
- [x] `API-171` Route runtime replication pool reads through AppContext.
|
|
- Do: route bucket metadata startup resync and workload admission
|
|
replication pool reads through the AppContext replication-pool resolver.
|
|
- Acceptance: production startup/workload admission consumers no longer read
|
|
the replication pool directly from the storage global facade, while the
|
|
AppContext default adapter preserves the legacy global fallback.
|
|
- Must preserve: bucket metadata resync initialization, replication admission
|
|
active worker counts, queued replication counts, and unknown-runtime
|
|
reporting.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, layer guard, formatting, diff hygiene, residual
|
|
replication-pool scan, Rust risk scan, branch freshness check, and
|
|
three-expert review.
|
|
|
|
- [x] `API-172` Route outbound TLS generation reads through AppContext.
|
|
- Do: route startup TLS material initialization and TLS reload loop
|
|
generation reads through the AppContext outbound TLS generation resolver.
|
|
- Acceptance: production startup/reload paths no longer read outbound TLS
|
|
generation directly from `rustfs_common`, while the AppContext default
|
|
adapter preserves the legacy global fallback.
|
|
- Must preserve: generation increment semantics, outbound TLS state publish,
|
|
TLS generation metrics, reload-loop enrichment, and TLS acceptor rebuilds.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, layer guard, formatting, diff hygiene, residual outbound
|
|
TLS generation scan, Rust risk scan, branch freshness check, and
|
|
three-expert review.
|
|
|
|
- [x] `API-173` Route runtime region reads through AppContext.
|
|
- Do: route bucket notification setup and S3 request context region reads
|
|
through the AppContext region resolver.
|
|
- Acceptance: production init/storage request paths no longer read region
|
|
directly from the storage global facade, while the AppContext default
|
|
adapter preserves the legacy global fallback.
|
|
- Must preserve: notification ARN target mapping fallback region behavior,
|
|
request context region propagation, auth/policy request construction, and
|
|
existing startup region setters.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, layer guard, formatting, diff hygiene, residual region
|
|
scan, Rust risk scan, branch freshness check, and three-expert review.
|
|
|
|
- [x] `API-174` Route KMS encryption service reads through AppContext.
|
|
- Do: route app bucket encryption defaults and storage SSE managed
|
|
encryption/decryption provider reads through an AppContext-first KMS
|
|
encryption service resolver.
|
|
- Acceptance: production app/storage paths no longer read the KMS encryption
|
|
service directly from the global service manager, while the resolver
|
|
preserves the legacy global fallback.
|
|
- Must preserve: default SSE-KMS key population, managed SSE encryption and
|
|
decryption metadata handling, DEK provider selection, and KMS service
|
|
initialization fallback semantics.
|
|
- Verification: RustFS compile coverage, targeted SSE/KMS tests, migration
|
|
guard, layer guard, formatting, diff hygiene, residual encryption-service
|
|
scan, Rust risk scan, branch freshness check, and three-expert review.
|
|
|
|
- [x] `API-175` Route runtime support reads through AppContext.
|
|
- Do: route runtime readiness lock-client collections, storage concurrency
|
|
performance metrics, and config-info buffer profile reads through
|
|
AppContext-first resolvers.
|
|
- Acceptance: production readiness, storage concurrency, and config-info paths
|
|
no longer read those runtime globals directly, while default adapters
|
|
preserve the legacy global fallbacks.
|
|
- Must preserve: distributed readiness lock quorum aggregation, performance
|
|
metric singleton sharing, workload profile display output, and existing
|
|
buffer-profile enablement behavior.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, layer guard, formatting, diff hygiene, residual global-read
|
|
scans, Rust risk scan, branch freshness check, and three-expert review.
|
|
|
|
- [x] `API-176` Route S3 Select DB factory reads through AppContext.
|
|
- Do: route S3 Select object execution database creation through an
|
|
AppContext-first S3 Select DB resolver.
|
|
- Acceptance: production S3 Select object execution no longer reads the
|
|
S3 Select DB factory directly, while the default adapter preserves the
|
|
cached global component behavior.
|
|
- Must preserve: request validation, preflight object metadata checks,
|
|
DataFusion execution flow, output event streaming, and cached S3 Select
|
|
component reuse.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, layer guard, formatting, diff hygiene, residual S3 Select
|
|
DB scan, Rust risk scan, branch freshness check, and three-expert review.
|
|
|
|
- [x] `API-177` Route internode RPC metrics through AppContext.
|
|
- Do: route HTTP and gRPC internode RPC metric recording through an
|
|
AppContext-first internode metrics resolver.
|
|
- Acceptance: production internode HTTP and disk RPC paths no longer read
|
|
the internode metrics singleton directly, while the default adapter
|
|
preserves the shared global metrics instance.
|
|
- Must preserve: HTTP read/write/walk counters, gRPC read/write counters,
|
|
byte accounting, classified transport backend labels, and error recording.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, layer guard, formatting, diff hygiene, residual internode
|
|
metrics scan, Rust risk scan, branch freshness check, and three-expert
|
|
review.
|
|
|
|
- [x] `API-178` Route IAM runtime reads through AppContext.
|
|
- Do: route auth, storage authorization, admin auth, admin IAM handlers, STS,
|
|
and table-catalog credential issuance through an AppContext-first ready IAM
|
|
resolver.
|
|
- Acceptance: production auth/admin/storage request paths no longer call the
|
|
IAM global getter directly, while the resolver preserves the legacy ready
|
|
check and global fallback.
|
|
- Must preserve: signature secret lookup, access-key validation, S3 policy
|
|
authorization, table data-plane authorization, admin IAM CRUD, STS temp-user
|
|
creation, service-account flows, and table credential issuance.
|
|
- Verification: RustFS compile coverage, targeted context resolver tests,
|
|
migration guard, layer guard, formatting, diff hygiene, residual IAM getter
|
|
scan, Rust risk scan, branch freshness check, and three-expert review.
|
|
|
|
## Next PRs
|
|
|
|
1. `consumer-migration`: continue reducing direct global reads behind AppContext resolver boundaries.
|
|
|
|
## Pre-Push Review Log
|
|
|
|
| Expert | Status | Notes |
|
|
|---|---|---|
|
|
| Quality/architecture | pass | API-152 removes thin test/fuzz ECStore bridge files and keeps direct imports in owner test/fuzz files. |
|
|
| Migration preservation | pass | E2E, heal, scanner, and fuzz consumers keep the same ECStore API symbols and call paths. |
|
|
| Testing/verification | pass | Focused test/fuzz compile, formatting, migration guard, shell syntax, diff hygiene, Rust risk scan, and pre-commit passed for API-152. |
|
|
| Quality/architecture | pass | API-153 removes thin owner ECStore bridge files and keeps direct imports at owner roots. |
|
|
| Migration preservation | pass | IAM, heal, and scanner owner-root aliases and wrapper functions keep the same call paths. |
|
|
| Testing/verification | pass | Focused owner crate compile, formatting, migration guard, shell syntax, diff hygiene, Rust risk scan, and pre-commit passed for API-153. |
|
|
| Quality/architecture | pass | API-154 removes the final storage owner ECStore bridge file and keeps direct imports at the storage owner root. |
|
|
| Migration preservation | pass | Existing `crate::storage::ecstore_*` modules, constants, wrappers, and downstream call paths keep the same shape. |
|
|
| Testing/verification | pass | RustFS focused compile, formatting, migration guard, shell syntax, diff hygiene, bridge scan, Rust risk scan, and pre-commit passed for API-154. |
|
|
| Quality/architecture | pass | API-155 removes app context and notify thin compatibility modules while keeping owner-root exports. |
|
|
| Migration preservation | pass | AppContext resolver precedence and notify pipeline public aliases keep the same public call paths. |
|
|
| Testing/verification | pass | RustFS/notify focused compile, targeted tests, formatting, migration guard, shell syntax, diff hygiene, bridge scan, Rust risk scan, and pre-commit passed for API-155. |
|
|
| Quality/architecture | pass | API-156 centralizes selected app/server/storage runtime fallbacks behind AppContext resolver helpers without adding new abstractions. |
|
|
| Migration preservation | pass | KMS readiness, notification dispatch, and ECFS buffer sizing keep existing global fallback semantics when no AppContext is available. |
|
|
| Testing/verification | pass | RustFS focused compile, formatting, migration guard, shell syntax, diff hygiene, Rust risk scan, and pre-commit passed for API-156. |
|
|
| Quality/architecture | pass | API-157 keeps readiness dependency checks behind AppContext-owned IAM and endpoints resolver boundaries. |
|
|
| Migration preservation | pass | IAM readiness and lock quorum endpoint discovery keep legacy global fallback semantics when no AppContext is available. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted readiness/context tests, formatting, migration guard, diff hygiene, Rust risk scan, and pre-commit passed for API-157. |
|
|
| Quality/architecture | pass | API-158 keeps RPC node IAM operations behind the AppContext-owned IAM handle resolver boundary. |
|
|
| Migration preservation | pass | RPC IAM policy, user, group, and service-account operations keep validation, arguments, and legacy fallback behavior. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration guard, diff hygiene, Rust risk scan, and pre-commit passed for API-158. |
|
|
| Quality/architecture | pass | API-159 keeps RPC node lock client and node identity reads behind AppContext resolver boundaries. |
|
|
| Migration preservation | pass | RPC lock initialization errors and health metric node-name inputs keep legacy fallback behavior. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration guard, diff hygiene, Rust risk scan, and pre-commit passed for API-159. |
|
|
| Quality/architecture | pass | API-160 keeps admin runtime action credentials, region, and server config reads behind AppContext resolver boundaries. |
|
|
| Migration preservation | pass | Admin authorization, object-ZIP token encryption, object-lambda signing, OIDC restart detection, and site replication metadata keep legacy fallback behavior. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration guard, diff hygiene, Rust risk scan, and pre-commit passed for API-160. |
|
|
| Quality/architecture | pass | API-161 keeps admin topology endpoint, deployment id, and runtime port reads behind AppContext resolver boundaries. |
|
|
| Migration preservation | pass | Site replication endpoint inference, same-target checks, same-deployment stale target detection, and runtime-port fallback keep legacy behavior. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration guard, diff hygiene, Rust risk scan, and pre-commit passed for API-161. |
|
|
| Testing/verification | pass | CI follow-up: layer dependency baseline accepts the reviewed AppContext resolver reverse dependencies, and the layer guard passes. |
|
|
| Quality/architecture | pass | API-162 keeps admin peer-system notification, bucket-monitor, and replication-pool reads behind AppContext resolver boundaries. |
|
|
| Migration preservation | pass | Tier/rebalance/config propagation, live event peers, replication metrics, and resync operations keep legacy fallback behavior. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration guard, diff hygiene, residual scan, Rust risk scan, and pre-commit passed for API-162. |
|
|
| Quality/architecture | pass | API-163 keeps admin site-replication IAM reads behind the AppContext IAM resolver boundary. |
|
|
| Migration preservation | pass | Site-replicator service-account, IAM export/import, and peer-join service-account paths keep legacy fallback behavior. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration guard, diff hygiene, residual IAM scan, and Rust risk scan passed for API-163. |
|
|
| Quality/architecture | pass | API-164 keeps admin site-replication outbound TLS generation/state reads behind AppContext resolver boundaries. |
|
|
| Migration preservation | pass | Peer-client cache invalidation, root CA parsing, and published TLS-state fallback behavior are preserved. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration/layer guards, diff hygiene, residual TLS scan, and Rust risk scan passed for API-164. |
|
|
| Quality/architecture | pass | API-165 keeps admin TLS debug outbound TLS status reads behind the AppContext resolver boundary. |
|
|
| Migration preservation | pass | TLS debug status JSON fields, consumer labels, reload/env reporting, and legacy fallback behavior are preserved. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration/layer guards, diff hygiene, residual TLS scan, and Rust risk scan passed for API-165. |
|
|
| Quality/architecture | pass | API-166 keeps admin replication stats reads behind AppContext resolver boundaries with a storage-owner fallback wrapper. |
|
|
| Migration preservation | pass | Admin replication metrics, site-replication summaries, bandwidth enrichment, and missing-stats defaults are preserved. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration/layer guards, diff hygiene, residual stats scan, and Rust risk scan passed for API-166. |
|
|
| Quality/architecture | pass | API-167 keeps admin boot-time, tier-transition, and scanner metrics reads behind AppContext resolver boundaries. |
|
|
| Migration preservation | pass | Replication uptime enrichment, tier stats filtering, scanner metrics JSON, and scanner runtime-config reporting are preserved. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration/layer guards, diff hygiene, residual admin status scan, and Rust risk scan passed for API-167. |
|
|
| Quality/architecture | pass | API-168 keeps admin KMS service-manager initialization behind the AppContext resolver boundary. |
|
|
| Migration preservation | pass | KMS key, management, and dynamic handlers preserve legacy initialization fallback and existing fallback logs. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration/layer guards, diff hygiene, residual KMS init scan, and Rust risk scan passed for API-168. |
|
|
| Quality/architecture | pass | API-169 keeps admin config runtime publication behind AppContext publish helpers with default global-setter adapters. |
|
|
| Migration preservation | pass | Config writes, runtime reload, dynamic subsystem application, and storage-class parsing preserve existing persistence and runtime side effects. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration/layer guards, diff hygiene, residual config publication scan, and Rust risk scan passed for API-169. |
|
|
| Quality/architecture | pass | API-170 keeps action-credential reads behind the AppContext action-credential resolver across auth, protocols, and storage helper paths. |
|
|
| Migration preservation | pass | Owner checks, claim validation, policy principal classification, protocol metadata, and audit access-key enrichment preserve existing fallback behavior. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context tests, formatting, migration/layer guards, diff hygiene, residual action credential scan, and Rust risk scan passed for API-170. |
|
|
| Quality/architecture | pass | API-171 keeps replication pool reads behind the AppContext replication-pool resolver in startup and workload admission paths. |
|
|
| Migration preservation | pass | Bucket metadata resync, replication worker counts, queue counts, and unknown-runtime reporting preserve existing fallback behavior. |
|
|
| Testing/verification | pass | RustFS focused compile, workload admission tests, targeted context tests, formatting, migration/layer guards, diff hygiene, residual replication-pool scan, and Rust risk scan passed for API-171. |
|
|
| Quality/architecture | pass | API-172 keeps outbound TLS generation reads behind the AppContext outbound TLS generation resolver in startup and reload paths. |
|
|
| Migration preservation | pass | Generation increments, outbound TLS publication, generation metrics, reload enrichment, and acceptor rebuild behavior preserve existing semantics. |
|
|
| Testing/verification | pass | RustFS focused compile, TLS generation test, targeted context test, formatting, migration/layer guards, diff hygiene, residual outbound TLS generation scan, and Rust risk scan passed for API-172. |
|
|
| Quality/architecture | pass | API-173 keeps region reads behind the AppContext region resolver in notification setup and storage request context paths. |
|
|
| Migration preservation | pass | Notification fallback region, request context propagation, auth/policy request construction, and startup setters preserve existing behavior. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context test, formatting, migration/layer guards, diff hygiene, residual region scan, and Rust risk scan passed for API-173. |
|
|
| Quality/architecture | pass | API-174 keeps app/storage KMS encryption service reads behind an AppContext-first resolver using the existing KMS runtime manager boundary. |
|
|
| Migration preservation | pass | Default SSE-KMS key population, managed SSE metadata handling, DEK provider selection, and legacy global fallback behavior are preserved. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted SSE/KMS and bucket encryption tests, formatting, migration/layer guards, diff hygiene, residual encryption-service scan, and Rust risk scan passed for API-174. |
|
|
| Quality/architecture | pass | API-175 keeps readiness lock clients, storage performance metrics, and config-info buffer profile reads behind AppContext-first resolvers. |
|
|
| Migration preservation | pass | Lock quorum aggregation, performance metrics sharing, workload profile display, and legacy global fallback behavior are preserved. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context resolver test, formatting, migration/layer guards, diff hygiene, residual global-read scans, and Rust risk scan passed for API-175. |
|
|
| Quality/architecture | pass | API-176 keeps S3 Select DB factory access behind an AppContext-first resolver in object select execution. |
|
|
| Migration preservation | pass | Request validation, object preflight, query execution, event streaming, and cached component fallback behavior are preserved. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context resolver test, formatting, migration/layer guards, diff hygiene, residual S3 Select DB scan, and Rust risk scan passed for API-176. |
|
|
| Quality/architecture | pass | API-177 keeps internode RPC metrics behind an AppContext-first resolver across HTTP and gRPC RPC paths. |
|
|
| Migration preservation | pass | Request counters, byte accounting, transport backend labels, and error metrics preserve existing global fallback behavior. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context resolver test, formatting, migration/layer guards, diff hygiene, residual internode metrics scan, and Rust risk scan passed for API-177. |
|
|
| Quality/architecture | pass | API-178 keeps ready IAM access behind an AppContext-first resolver without widening handler semantics. |
|
|
| Migration preservation | pass | Auth, storage authorization, admin IAM handlers, STS, and table credential flows keep existing error mapping and ready-check fallback. |
|
|
| Testing/verification | pass | RustFS focused compile, targeted context resolver test, formatting, migration/layer guards, diff hygiene, residual IAM getter scan, Rust risk scan, and pre-commit passed for API-178. |
|
|
|
|
## Verification Notes
|
|
|
|
Passed before push:
|
|
|
|
- Issue #660 API-178 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- IAM getter scan: passed; production auth/admin/storage IAM reads now go
|
|
through the AppContext ready IAM resolver.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-176 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- S3 Select DB scan: passed; direct production `get_global_db` reads are
|
|
removed from S3 Select object execution.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
|
|
- Issue #660 API-177 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Internode metrics scan: passed; direct production
|
|
`global_internode_metrics` reads are removed from RustFS HTTP and disk RPC
|
|
paths.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
|
|
- Issue #660 API-175 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Runtime support scan: passed; direct production lock-client collection,
|
|
performance metrics, and config-info buffer profile reads now go through
|
|
AppContext resolvers.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
|
|
- Issue #660 API-174 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs test_kms_sse_dek_provider_uses_latest_reconfigured_service --lib`:
|
|
passed.
|
|
- `cargo test -p rustfs test_sse_encryption_fails_closed_without_local_sse_master_key --lib`:
|
|
passed.
|
|
- `cargo test -p rustfs execute_put_bucket_encryption_returns_internal_error_when_store_uninitialized --lib`:
|
|
passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- AppContext KMS encryption service scan: passed; direct production
|
|
`get_global_encryption_service` reads are removed from app bucket
|
|
encryption and storage SSE paths.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
|
|
- Issue #660 API-173 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- AppContext region scan: passed; direct production `get_global_region`
|
|
reads are removed from notification setup and storage request context
|
|
paths.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
|
|
- Issue #660 API-172 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs next_tls_generation --lib`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- AppContext outbound TLS generation scan: passed; direct production
|
|
`get_global_outbound_tls_generation` reads are removed from startup TLS
|
|
material and TLS reload paths.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
|
|
- Issue #660 API-171 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs workload_admission --lib`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- AppContext replication pool scan: passed; direct production
|
|
`get_global_replication_pool` reads are removed from bucket metadata
|
|
startup and workload admission paths.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
|
|
- Issue #660 API-170 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- AppContext action credential scan: passed; direct production
|
|
`get_global_action_cred` and `get_global_access_key_opt` reads are removed
|
|
from auth, protocol client, and storage helper paths.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
|
|
- Issue #660 API-169 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- AppContext admin config publication scan: passed; direct admin production
|
|
`set_global_server_config` and storage-class global setter calls are
|
|
removed.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
|
|
- Issue #660 API-164 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- AppContext site-replication outbound TLS resolver scan: passed; direct admin
|
|
site-replication TLS global reads are isolated to tests.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
|
|
- Issue #660 API-165 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- AppContext outbound TLS resolver scan: passed; direct admin outbound TLS
|
|
global reads are removed from production handlers.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
|
|
- Issue #660 API-166 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- AppContext replication stats resolver scan: passed; direct admin production
|
|
`GLOBAL_REPLICATION_STATS` reads are removed.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
|
|
- Issue #660 API-167 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- AppContext admin status resolver scan: passed; direct admin production
|
|
`GLOBAL_BOOT_TIME`, `GLOBAL_TransitionState`, and scanner `global_metrics`
|
|
reads are removed.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
|
|
- Issue #660 API-168 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- AppContext admin KMS init resolver scan: passed; direct admin production
|
|
`init_global_kms_service_manager` calls are removed.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
|
|
- Issue #660 API-163 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- AppContext site-replication IAM resolver scan: passed; direct admin
|
|
site-replication IAM global reads are isolated to AppContext fallback
|
|
plumbing.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
|
|
- Issue #660 API-162 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- AppContext peer-system resolver scan: passed; direct admin and app
|
|
notification-system, bucket-monitor, and replication-pool global reads are
|
|
isolated to AppContext default adapters.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or cast
|
|
risks added.
|
|
|
|
- Issue #660 API-161 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed after CI baseline
|
|
follow-up.
|
|
- `make pre-commit`: passed.
|
|
- AppContext admin topology resolver scan: passed; direct admin deployment
|
|
id, endpoint, and runtime port global reads are isolated to AppContext
|
|
default adapters.
|
|
- Rust risk scan: no new production panic/todo/unsafe/cast risks added; new
|
|
unwrap/expect hits are resolver fallback plumbing or test assertions.
|
|
|
|
- Issue #660 API-160 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- AppContext admin runtime resolver scan: passed; direct admin action
|
|
credential, server config, and region global reads are isolated to
|
|
AppContext default adapters or tests.
|
|
- Rust risk scan: no new production panic/todo/unsafe/cast risks added; new
|
|
unwrap/expect hits are resolver fallback plumbing or test assertions.
|
|
|
|
- Issue #660 API-159 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- AppContext RPC node resolver scan: passed; direct RPC node lock-client and
|
|
local-node-name global reads are isolated to AppContext default adapters.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or
|
|
cast risks added.
|
|
|
|
- Issue #660 API-158 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- AppContext IAM resolver scan: passed; RPC node IAM operations use the IAM
|
|
handle resolver, with lock clients kept on the legacy global boundary.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or
|
|
cast risks added.
|
|
|
|
- Issue #660 API-157 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo test -p rustfs readiness --lib`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- AppContext readiness resolver scan: passed; server readiness uses IAM and
|
|
endpoints resolver helpers, with lock clients kept on the legacy global
|
|
boundary.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or
|
|
cast risks added.
|
|
|
|
- Issue #660 API-156 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- AppContext runtime resolver scan: passed; selected bucket/object notify,
|
|
ECFS buffer sizing, and public health KMS readiness consumers use resolver
|
|
helpers.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or
|
|
cast risks added.
|
|
|
|
- Issue #660 API-155 current slice:
|
|
- `cargo check --tests -p rustfs -p rustfs-notify`: passed.
|
|
- `cargo test -p rustfs resolver_helpers_are_context_first_and_fallback_when_context_is_absent --lib`:
|
|
passed.
|
|
- `cargo test -p rustfs-notify --lib`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- App context and notify thin bridge scan: passed; no
|
|
`rustfs/src/app/context/compat.rs` or `crates/notify/src/event_bridge.rs`
|
|
remains.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or
|
|
cast risks added; changed unwrap/expect matches are moved test setup only.
|
|
|
|
- Issue #660 API-154 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Storage ECStore thin bridge scan: passed; no `ecstore_compat.rs` files
|
|
remain outside `crates/ecstore`.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or
|
|
cast risks added; changes only move storage owner import boundaries.
|
|
|
|
- Issue #660 API-153 current slice:
|
|
- `cargo check --tests -p rustfs-heal -p rustfs-scanner -p rustfs-iam`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Owner ECStore thin bridge scan: passed; IAM, heal, and scanner no longer
|
|
declare local `ecstore_compat` modules.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or
|
|
cast risks added; changes only move owner-root import boundaries.
|
|
|
|
- Issue #660 API-152 current slice:
|
|
- `cargo check --tests -p rustfs-heal -p rustfs-scanner -p e2e_test`:
|
|
passed.
|
|
- `cargo check --manifest-path fuzz/Cargo.toml --bins`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --manifest-path fuzz/Cargo.toml`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `cargo fmt --all --check --manifest-path fuzz/Cargo.toml`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Test/fuzz thin bridge scan: passed; e2e, heal, scanner, and fuzz targets no
|
|
longer declare local `ecstore_test_compat` or `ecstore_fuzz_compat`
|
|
modules.
|
|
- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
|
|
or error-type risks added; changes only move test/fuzz import boundaries.
|
|
|
|
- Issue #660 API-140 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
|
|
or error-type risks added; existing capacity metrics casts, HTTP atomic
|
|
relaxed counters, and HTTP test unwrap/expect calls remain unchanged.
|
|
|
|
- Issue #660 API-141 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
|
|
or error-type risks added; only import aliases were reported by the textual
|
|
`as` scan.
|
|
|
|
- Issue #660 API-142 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
|
|
or error-type risks added; only type/import aliases were reported by the
|
|
textual `as` scan.
|
|
|
|
- Issue #660 API-143 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
|
|
or error-type risks added; only existing `DiskResult<Vec<String>>`
|
|
textual matches were reported by the broad error-type scan.
|
|
|
|
- Issue #660 API-144 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
|
|
or error-type risks added; only existing `DiskResult<Vec<String>>`
|
|
textual matches were reported by the broad error-type scan.
|
|
|
|
- Issue #660 API-145 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
|
|
or error-type risks added; only existing `DiskResult<Vec<String>>`
|
|
textual matches were reported by the broad error-type scan.
|
|
|
|
- Issue #660 API-146 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
|
|
or error-type risks added; only existing `DiskResult<Vec<String>>`
|
|
textual matches were reported by the broad error-type scan.
|
|
|
|
- Issue #660 API-147 current slice:
|
|
- `cargo check -p rustfs-notify -p rustfs-obs -p rustfs-s3select-api -p rustfs-protocols -p rustfs-iam -p rustfs-heal -p rustfs-scanner`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Runtime crate ECStore source bypass scan: passed; target runtime crate
|
|
source paths now reference `rustfs_ecstore::api::` only inside
|
|
`ecstore_compat.rs`.
|
|
- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
|
|
or error-type risks added; changes only move import/source boundaries.
|
|
|
|
- Issue #660 API-148 current slice:
|
|
- `cargo check --tests -p rustfs-heal -p rustfs-scanner -p e2e_test`:
|
|
passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- External test ECStore source bypass scan: passed; target test/e2e paths now
|
|
reference `rustfs_ecstore::api::` only inside `ecstore_test_compat.rs`.
|
|
- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
|
|
or error-type risks added; changes only move import/source boundaries.
|
|
|
|
- Issue #660 API-149 current slice:
|
|
- `cargo check --manifest-path fuzz/Cargo.toml --bins`: passed; Cargo
|
|
refreshed the stale fuzz lockfile during verification and the generated
|
|
lockfile change was not retained.
|
|
- `cargo fmt --all --manifest-path fuzz/Cargo.toml`: passed.
|
|
- `cargo fmt --all --check --manifest-path fuzz/Cargo.toml`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Fuzz ECStore source bypass scan: passed; fuzz targets now reference
|
|
`rustfs_ecstore::api::` only inside `ecstore_fuzz_compat.rs`.
|
|
- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
|
|
or error-type risks added; changes only move fuzz import/source boundaries.
|
|
|
|
- Issue #660 API-150 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Storage owner direct ECStore source scan: passed; `rustfs/src/storage/mod.rs`
|
|
contains no direct `rustfs_ecstore::api::` source path.
|
|
- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
|
|
or error-type risks added; changes only move storage owner import/source
|
|
boundaries.
|
|
|
|
- Issue #660 API-139 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
|
|
or error-type risks added; existing startup-server test `expect` calls
|
|
remain test-only and unchanged.
|
|
|
|
- Issue #660 API-138 current slice:
|
|
- `cargo check -p rustfs-notify -p rustfs-s3select-api`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Rust risk scan: no new production unwrap/expect, casts, panic/todo/unsafe,
|
|
or error-type risks added; existing S3 Select unwrap and Notify
|
|
`Result<String>` wrapper signatures remain unchanged.
|
|
|
|
- Issue #660 API-137 current slice:
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Stacked-base freshness check against
|
|
`origin/overtrue/arch-test-fuzz-owner-symbols`: passed.
|
|
|
|
- Issue #660 API-136 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Completed runtime-owner module-alias residual scan: passed.
|
|
- Rust risk scan: no new production unwrap/expect, panic/todo/unsafe, or
|
|
risky behavior added; existing `Result<Vec<String>>` storage trait
|
|
signatures remain unchanged compatibility surfaces.
|
|
|
|
- Issue #660 API-135 current slice:
|
|
- `cargo check --tests -p e2e_test -p rustfs-heal -p rustfs-scanner`: passed.
|
|
- `cargo check --manifest-path fuzz/Cargo.toml --bins`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Completed test/fuzz module-alias residual scan: passed.
|
|
- Rust risk scan: diff-only scan found import and call-target rewrites only;
|
|
no new production unwrap/expect, panic/todo/unsafe, or risky behavior added.
|
|
|
|
- Issue #660 API-134 current slice:
|
|
- `cargo check --tests -p rustfs-heal -p rustfs-iam -p rustfs-obs`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Heal/IAM/observability completed-owner module-alias residual scan: passed.
|
|
- Rust risk scan: diff-only scan found explicit symbol imports and wrapper
|
|
calls only; no new unwrap/expect, panic/todo/unsafe, or risky behavior
|
|
added.
|
|
|
|
- Issue #660 API-133 current slice:
|
|
- `cargo check --tests -p rustfs-scanner`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Scanner completed-owner module-alias residual scan: passed.
|
|
- Rust risk scan: diff-only scan found explicit symbol imports and wrapper
|
|
calls only; no new unwrap/expect, panic/todo/unsafe, or risky behavior
|
|
added.
|
|
|
|
- Issue #660 API-132 current slice:
|
|
- `cargo check --tests -p rustfs-notify -p rustfs-s3select-api -p rustfs-protocols --features rustfs-protocols/swift`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `make pre-commit`: passed, including clippy, script tests, nextest
|
|
`6518 passed, 111 skipped`, and doc-tests.
|
|
- Completed external owner module-alias residual scan: passed.
|
|
- Rust risk scan: diff-only scan found explicit `as` symbol imports only; no
|
|
new unwrap/expect, panic/todo/unsafe, or risky behavior added.
|
|
|
|
- Issue #660 API-131 current slice:
|
|
- `cargo check --tests -p rustfs-notify -p rustfs-obs -p rustfs-s3select-api`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `make pre-commit`: passed, including clippy, script tests, nextest
|
|
`6518 passed, 111 skipped`, and doc-tests.
|
|
- Nested external production ECStore facade residual scan: passed.
|
|
- Rust risk scan: diff-only scan found new `as ecstore_*` import aliases
|
|
only; no new risky behavior added.
|
|
|
|
- Issue #660 API-130 current slice:
|
|
- `cargo check --tests -p rustfs-notify -p rustfs-obs -p rustfs-protocols -p rustfs-s3select-api -p e2e_test -p rustfs-heal -p rustfs-scanner -p rustfs-iam`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `make pre-commit`: passed, including clippy, script tests, nextest
|
|
`6518 passed, 111 skipped`, and doc-tests.
|
|
- Grouped/raw ECStore facade residual scan outside ECStore: passed.
|
|
- Rust risk scan: diff-only scan found path-rewritten existing test
|
|
unwraps/expects only; no new risky behavior added.
|
|
|
|
- Issue #660 API-129 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `make pre-commit`: passed, including clippy, script tests, nextest
|
|
`6509 passed, 111 skipped`, and doc-tests.
|
|
- RustFS direct ECStore facade residual scan outside owner modules: passed.
|
|
- Rust risk scan: diff-only scan found no new unwrap/expect, panic/todo,
|
|
debug prints, relaxed ordering, or integer casts.
|
|
|
|
- Issue #660 API-128 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- RustFS owner compatibility bridge residual scan: passed.
|
|
- Rust risk scan: diff-only scan found path-rewritten existing test unwraps,
|
|
test expects, and part-number casts only; no new risky behavior added.
|
|
- `make pre-commit`: passed, including 6509 nextest tests passed and 111
|
|
skipped.
|
|
|
|
- Issue #660 API-127 current slice:
|
|
- `cargo check --tests -p rustfs-iam -p rustfs-heal -p rustfs-scanner`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- External owner compatibility bridge residual scan: passed.
|
|
- Rust risk scan: diff-only scan found no new unwrap/expect, numeric casts,
|
|
string-error public APIs, boxed public errors, println/eprintln, or relaxed
|
|
ordering.
|
|
|
|
- Issue #660 API-126 current slice:
|
|
- `cargo check --tests -p e2e_test -p rustfs-iam -p rustfs-notify -p rustfs-obs -p rustfs-protocols -p rustfs-s3select-api`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Remaining standalone compatibility bridge residual scan: passed.
|
|
- Rust risk scan: diff-only scan found no new unwrap/expect, numeric casts,
|
|
string-error public APIs, boxed public errors, println/eprintln, or relaxed
|
|
ordering.
|
|
|
|
- Issue #660 API-125 current slice:
|
|
- `cargo check --tests -p e2e_test -p rustfs-iam -p rustfs-notify`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Standalone thin compatibility bridge residual scan: passed.
|
|
- Rust risk scan: diff-only scan found no new unwrap/expect, numeric casts,
|
|
string-error public APIs, boxed public errors, println/eprintln, or relaxed
|
|
ordering.
|
|
|
|
- Issue #660 API-124 current slice:
|
|
- `cargo check --tests -p rustfs-heal -p rustfs-scanner`: passed.
|
|
- `cargo check --manifest-path fuzz/Cargo.toml --bins`: passed; transient `fuzz/Cargo.lock` refresh was restored to avoid dependency churn.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Test/fuzz compatibility bridge residual scan: passed.
|
|
- Rust risk scan: reviewed pre-existing test-only unwrap/expect/panic/unsafe usage; no new production risk.
|
|
|
|
- Issue #660 API-123 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Startup compatibility bridge residual scan: passed.
|
|
- Rust risk scan: passed.
|
|
|
|
- Issue #660 API-122 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Root one-off compatibility bridge residual scan: passed.
|
|
- Rust risk scan: passed.
|
|
|
|
- Issue #660 API-121 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Runtime local compatibility bridge residual scan: passed.
|
|
- Rust risk review on path-only replacements and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-120 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Admin handlers secondary compatibility bridge residual scan: passed.
|
|
- Rust risk review on path-only replacements and guard script: passed.
|
|
|
|
- Issue #660 API-119 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Nested secondary compatibility bridge residual scan: passed.
|
|
- Rust risk review on path-only replacements and guard script: passed.
|
|
|
|
- Issue #660 API-118 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Storage secondary compatibility bridge residual scan: passed.
|
|
- Rust risk review on path-only replacements and guard script: passed.
|
|
|
|
- Issue #660 API-117 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- App/admin secondary compatibility bridge residual scan: passed.
|
|
- Rust risk review on path-only replacements and guard script: passed.
|
|
|
|
- Issue #660 API-116 current slice:
|
|
- `cargo check --manifest-path fuzz/Cargo.toml --bins`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Fuzz-target local compatibility consumer residual scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
|
|
- Issue #660 API-115 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo check -p rustfs-scanner --tests`: passed.
|
|
- `cargo check -p rustfs-iam --tests`: passed.
|
|
- `cargo check -p rustfs-obs --tests`: passed.
|
|
- `cargo check -p rustfs-s3select-api --tests`: passed.
|
|
- `cargo check -p e2e_test --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Standalone crate local compatibility consumer residual scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-111 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Storage RPC/S3 API local compatibility consumer residual scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-110 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- RustFS local compatibility consumer residual scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-109 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Root compatibility consumer residual scan: passed.
|
|
- Storage owner compatibility consumer residual scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-108 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Full RustFS local bridge owner self-path residual scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-107 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Full storage compatibility self-reference residual scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-106 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Full storage compatibility grouped-import residual scan: passed.
|
|
- Full storage compatibility raw-facade residual scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-105 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Full storage compatibility raw-facade residual scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-104 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Narrowed local compatibility glob-export scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-103 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Narrowed local compatibility glob-export scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-102 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Storage compatibility consumer residual scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-101 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Owner compatibility consumer residual scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-098 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Direct root capacity/server compatibility consumer residual scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-099 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Startup/init root compatibility consumer residual scan: passed.
|
|
- Root startup consumer wrapper residual scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-100 current slice:
|
|
- `cargo check -p rustfs --tests`: passed.
|
|
- `cargo fmt --all`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Direct root compatibility consumer residual scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-097 current slice:
|
|
- `cargo check -p rustfs -p rustfs-scanner -p rustfs-heal -p e2e_test --tests`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Direct non-compat disk/RPC/warm-backend trait import residual scan: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-096 current slice:
|
|
- `cargo check -p rustfs -p rustfs-scanner -p rustfs-heal`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Direct non-compat bucket trait import residual scan: passed.
|
|
- Added-line Rust risk scan: passed.
|
|
- `make pre-commit`: passed; nextest run
|
|
`a18de942-8181-48fa-adf0-e01c2a5d37c3`, 6354 passed, 111 skipped;
|
|
doctests passed.
|
|
|
|
- Issue #660 API-095 current slice:
|
|
- `cargo check -p rustfs`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- RustFS root/e2e raw facade path residual scan: passed.
|
|
- Rust risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed; nextest run
|
|
`a1771057-5015-4861-9a38-b856c8abb6f6`, 6354 passed, 111 skipped; doctests
|
|
passed.
|
|
|
|
- Issue #660 API-094 current slice:
|
|
- `cargo check -p rustfs`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Consumer raw facade path residual scan: passed.
|
|
- Rust risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-093 current slice:
|
|
- `cargo check -p rustfs`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- RustFS app/admin raw facade path residual scan: passed.
|
|
- Rust risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-092 current slice:
|
|
- `cargo check -p rustfs`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- RustFS storage-owner raw facade path residual scan: passed.
|
|
- Rust added-line risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-091 current slice:
|
|
- `cargo check -p rustfs`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Outer app/admin/storage raw signature facade path residual scan: passed.
|
|
- Rust added-line risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-090 current slice:
|
|
- `cargo check -p rustfs`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Outer app/admin/storage object/error facade alias residual scan: passed.
|
|
- Rust added-line risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-089 current slice:
|
|
- `cargo check -p rustfs -p rustfs-scanner -p rustfs-heal -p e2e_test`:
|
|
passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- ECStore API re-export residual scan for compatibility boundaries: passed.
|
|
- Rust added-line risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-087 current slice:
|
|
- `cargo check -p rustfs`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Storage-owner ECStore API re-export residual scan: passed.
|
|
- Rust added-line risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-086 current slice:
|
|
- `cargo check -p rustfs`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Root runtime ECStore API re-export residual scan: passed.
|
|
- Rust added-line risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-085 current slice:
|
|
- `cargo check --tests -p rustfs-heal -p rustfs-scanner`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Test/fuzz grouped compatibility passthrough residual scans: passed.
|
|
- Rust added-line risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-084 current slice:
|
|
- `cargo check --tests -p rustfs-scanner -p rustfs-notify -p rustfs-obs -p e2e_test`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Scanner/notify/obs/e2e broad compatibility residual scans: passed.
|
|
- Rust added-line risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-083 current slice:
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Admin/app broad compatibility export scans: passed.
|
|
- Rust added-line risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-082 current slice:
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Storage compatibility residual scan excluding `storage_compat.rs`: passed.
|
|
- Broad storage compatibility export scan: passed.
|
|
- Rust added-line risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-081 current slice:
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Admin compatibility residual scan for broad `com`, bare `init`, and old
|
|
config IO call paths: passed.
|
|
- Rust added-line risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-080 current slice:
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Rust added-line risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 C-013 current slice:
|
|
- `cargo test -p rustfs-concurrency workload::tests:: -- --nocapture`:
|
|
passed.
|
|
- `cargo test -p rustfs --lib workload_admission::tests:: -- --nocapture`:
|
|
passed.
|
|
- `cargo check -p rustfs-concurrency`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Rust added-line risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-079 current slice:
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Rust added-line risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 C-012 current slice:
|
|
- `cargo test -p rustfs --lib storage::backpressure::tests:: -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib storage::deadlock_detector::tests:: -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Rust added-line risk scan on changed storage Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 C-011 current slice:
|
|
- `cargo test -p rustfs --lib storage::deadlock_detector::tests::test_request_hang_policy_projects_to_concurrency_and_core_config -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib storage::backpressure::tests::test_backpressure_policy_projects_to_concurrency_and_core_config -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Rust added-line risk scan on changed storage Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 C-004/C-005/C-006 current slice:
|
|
- `cargo test -p rustfs-ecstore cluster -- --nocapture`: passed, 7 tests.
|
|
- `cargo check -p rustfs-ecstore --all-targets`: passed.
|
|
- `cargo check -p rustfs --lib --bins`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Rust added-line risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 C-001/C-002/C-003 current slice:
|
|
- `cargo check -p rustfs-ecstore --all-targets`: passed.
|
|
- `cargo check -p rustfs --lib --bins`: passed.
|
|
- `cargo test -p rustfs-ecstore cluster -- --nocapture`: passed; 4 tests.
|
|
- `cargo test -p rustfs --lib runtime_capabilities -- --nocapture`: passed; 3 tests.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Rust added-line risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-078 current slice:
|
|
- `cargo check -p rustfs-ecstore --all-targets`: passed.
|
|
- `cargo check -p rustfs --lib --bins`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Rust added-line risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 R-069 current slice:
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo check -p rustfs --bins`: passed.
|
|
- `cargo test -p rustfs --lib startup_ -- --nocapture`: passed; 53 tests.
|
|
- `cargo fmt --all`: applied formatting.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `./scripts/check_unsafe_code_allowances.sh`: passed.
|
|
- Startup public owner scan: passed; only `startup_entrypoint::run_process`
|
|
remains public.
|
|
- Rust added-line risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 API-077 current slice:
|
|
- `cargo check -p rustfs-ecstore --all-targets`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Rust added-line risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed; nextest ran 6340 tests with 6340 passed, 111 skipped, and doctests passed.
|
|
|
|
- Issue #660 API-076 current slice:
|
|
- `cargo check --tests -p rustfs-ecstore -p rustfs -p rustfs-scanner -p rustfs-heal -p rustfs-iam -p rustfs-notify -p rustfs-obs -p rustfs-protocols -p rustfs-s3select-api -p e2e_test`: passed.
|
|
- `cargo check --benches -p rustfs-ecstore`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `./scripts/check_unsafe_code_allowances.sh`: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed; nextest ran 6341 tests with 6341 passed, 111 skipped, and doctests passed.
|
|
|
|
- Issue #660 API-075 current slice:
|
|
- `cargo check --tests -p rustfs-ecstore -p rustfs -p rustfs-scanner -p rustfs-heal -p rustfs-iam -p rustfs-notify -p rustfs-obs -p rustfs-protocols -p rustfs-s3select-api -p e2e_test`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed; nextest ran 6341 tests with 6341 passed, 111 skipped, and doctests passed.
|
|
|
|
- Issue #660 API-074 current slice:
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- Direct old ECStore path scan in non-ECStore `storage_compat.rs` boundaries: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `make pre-commit`: passed; nextest ran 6341 tests with 6341 passed, 111 skipped, and doctests passed.
|
|
|
|
- Issue #660 API-073 current slice:
|
|
- `cargo check --tests -p rustfs-ecstore -p rustfs -p rustfs-scanner -p rustfs-heal -p rustfs-iam -p rustfs-notify -p rustfs-obs -p rustfs-protocols -p rustfs-s3select-api -p e2e_test`: passed.
|
|
- `cargo check --manifest-path fuzz/Cargo.toml --all-targets`: passed; Cargo refreshed the fuzz lockfile during verification and the generated lockfile change was not retained.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Direct old ECStore facade path scan in outer storage compatibility boundaries: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `./scripts/check_unsafe_code_allowances.sh`: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed; nextest ran 6341 tests with 6341 passed, 111 skipped, and doctests passed.
|
|
|
|
- Issue #660 R-068 current slice:
|
|
- `cargo check -p rustfs --lib --bins`: passed.
|
|
- `cargo test -p rustfs --lib startup_ -- --nocapture`: passed; 53 tests.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `./scripts/check_unsafe_code_allowances.sh`: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed; only existing test-only `expect` calls were present.
|
|
- `make pre-commit`: passed; nextest ran 6341 tests with 6341 passed, 111 skipped, and doctests passed.
|
|
|
|
- Issue #660 API-072 current slice:
|
|
- `cargo check --tests -p rustfs-ecstore`: passed.
|
|
- `cargo check --tests -p rustfs -p rustfs-scanner -p rustfs-obs -p rustfs-iam -p rustfs-heal -p rustfs-protocols -p rustfs-s3select-api`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `./scripts/check_unsafe_code_allowances.sh`: passed.
|
|
- Rust risk scan on changed Rust files and guard script: passed.
|
|
- `make pre-commit`: passed; nextest ran 6341 tests with 6341 passed,
|
|
111 skipped, and doctests passed.
|
|
|
|
- Issue #660 R-056/R-067 current slice:
|
|
- `cargo test -p rustfs --lib startup_kms -- --nocapture`: passed; 2
|
|
tests.
|
|
- `cargo test -p rustfs --lib startup_iam -- --nocapture`: passed; 8
|
|
tests.
|
|
- `cargo test -p rustfs --lib startup_ -- --nocapture`: passed; 53
|
|
tests.
|
|
- `cargo test -p rustfs --lib startup_audit -- --nocapture`:
|
|
passed; 2 tests.
|
|
- `cargo test -p rustfs --lib startup_notification -- --nocapture`:
|
|
passed; 1 test.
|
|
- `cargo check -p rustfs --lib --bins`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `./scripts/check_unsafe_code_allowances.sh`: passed.
|
|
- Rust risk scan on changed Rust files: passed; only test-only `expect`
|
|
calls were present.
|
|
- `make pre-commit`: passed; nextest ran 6341 tests with 6341 passed, 111
|
|
skipped, and doctests passed.
|
|
|
|
- Issue #660 R-054/R-055 current slice:
|
|
- `cargo test -p rustfs --lib startup_ -- --nocapture`: passed; 51 tests.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `./scripts/check_unsafe_code_allowances.sh`: passed.
|
|
- Rust risk scan on changed Rust files: passed; only a test-only `expect`
|
|
call was present.
|
|
- `make pre-commit`: passed; nextest ran 6339 tests with 6339 passed, 111
|
|
skipped, and doctests passed.
|
|
|
|
- Issue #660 R-052/R-053 current slice:
|
|
- `cargo test -p rustfs --lib startup_iam -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `./scripts/check_unsafe_code_allowances.sh`: passed.
|
|
- Rust risk scan on changed Rust files: passed; only a test-only `expect`
|
|
call was present.
|
|
- `make pre-commit`: passed; nextest ran 6336 tests with 6336 passed and
|
|
111 skipped, and doctests passed.
|
|
|
|
- Issue #660 R-050/R-051 current slice:
|
|
- `cargo test -p rustfs --lib startup_server -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib startup_embedded -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib embedded -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `./scripts/check_unsafe_code_allowances.sh`: passed.
|
|
- Rust risk scan on changed Rust files: passed; only test-only `expect`
|
|
calls were present.
|
|
- `make pre-commit`: passed; nextest ran 6329 tests with 6329 passed and
|
|
111 skipped, and doctests passed.
|
|
|
|
- Issue #660 R-048/R-049 current slice:
|
|
- `cargo test -p rustfs --lib startup_embedded -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib embedded -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `./scripts/check_unsafe_code_allowances.sh`: passed.
|
|
- Rust risk scan on changed Rust files: passed; no risky-token matches were
|
|
present in changed Rust files.
|
|
- `make pre-commit`: passed; nextest ran 6329 tests with 6329 passed and
|
|
111 skipped, and doctests passed.
|
|
|
|
- Issue #660 R-046/R-047 current slice:
|
|
- `cargo test -p rustfs --lib startup_embedded -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib embedded -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `./scripts/check_unsafe_code_allowances.sh`: passed.
|
|
- Rust risk scan on changed Rust files: passed; matches were limited to
|
|
existing embedded doc examples.
|
|
- `make pre-commit`: passed; nextest ran 6324 tests with 6324 passed and
|
|
111 skipped, and doctests passed.
|
|
|
|
- Issue #660 R-044/R-045 current slice:
|
|
- `cargo test -p rustfs --lib embedded -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib startup_embedded -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib startup_server -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Rust risk scan on changed Rust files: passed; matches were limited to
|
|
existing doc examples and test-only `expect` calls.
|
|
- `./scripts/check_unsafe_code_allowances.sh`: passed after avoiding a local
|
|
`pipefail` false positive when `rg -q` finds nearby `SAFETY:` comments.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 R-042/R-043 current slice:
|
|
- `cargo test -p rustfs --lib startup_lifecycle -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib startup_shutdown -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib embedded -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; the only production risky
|
|
token was the intended move of embedded drop `remove_dir_all` cleanup from
|
|
the public embedded handle into `startup_shutdown`.
|
|
- `./scripts/check_unsafe_code_allowances.sh`: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 R-040/R-041 current slice:
|
|
- `cargo test -p rustfs --lib embedded -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; newly added risky-token
|
|
matches were empty, and the changed-file scan only matched the existing
|
|
embedded `Drop` cleanup path.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 R-038/R-039 current slice:
|
|
- `cargo test -p rustfs --lib startup_lifecycle -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib startup_shutdown -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib embedded -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: reviewed; newly added risky-token
|
|
matches were limited to test-only `expect` calls, and broader changed-file
|
|
matches were pre-existing lifecycle/doc examples plus cleanup paths.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 R-036/R-037 current slice:
|
|
- `cargo test -p rustfs --lib startup_server -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib embedded -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; only test-only
|
|
`expect` calls and the existing embedded temp-dir cleanup path were
|
|
present.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 R-034/R-035 current slice:
|
|
- `cargo test -p rustfs --lib startup_runtime_hooks -- --nocapture`:
|
|
passed.
|
|
- `cargo test -p rustfs --lib embedded -- --nocapture`: passed; no
|
|
matching unit tests currently exist.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; only existing default
|
|
credential fields and moved temp-dir cleanup paths were present.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 R-031 current slice:
|
|
- `cargo test -p rustfs --lib startup_lifecycle -- --nocapture`: passed;
|
|
no matching unit tests currently exist.
|
|
- `cargo test -p rustfs --lib embedded -- --nocapture`: passed; no
|
|
matching unit tests currently exist.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; only existing embedded doc
|
|
examples use `Box<dyn Error>` / `println!`.
|
|
- `make pre-commit`: passed.
|
|
|
|
- Issue #660 R-032 current slice:
|
|
- `cargo test -p rustfs-targets ops_profiler -- --nocapture`: passed.
|
|
- `cargo test -p rustfs-targets builtin_ops_profiler -- --nocapture`:
|
|
passed.
|
|
- `cargo test -p rustfs --lib extension_catalog -- --nocapture`: passed.
|
|
- `cargo check -p rustfs-targets`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; only test-only
|
|
expectations/assertion paths were present.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 R-033 current slice:
|
|
- `cargo test -p rustfs --lib extension_catalog -- --nocapture`: passed.
|
|
- `cargo test -p rustfs-targets ops_diagnostics -- --nocapture`: passed.
|
|
- `cargo test -p rustfs-targets ops_profiler -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; only test-only
|
|
expectations/assertion paths were present.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 E-001/E-SET-001 current slice:
|
|
- `cargo test -p rustfs-ecstore test_eset -- --nocapture`: passed.
|
|
- `cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; only test-only
|
|
expectation paths were present.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 E-002/E-LAYOUT-001 current slice:
|
|
- `cargo test -p rustfs-ecstore format::test -- --nocapture`: passed.
|
|
- `cargo test -p rustfs-ecstore disks_layout -- --nocapture`: passed.
|
|
- `cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; only existing test-only
|
|
unwrap/println/panic/expect paths were present.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 E-003/E-LAYOUT-002 current slice:
|
|
- `cargo test -p rustfs-ecstore layout::endpoint -- --nocapture`: passed.
|
|
- `cargo test -p rustfs-ecstore layout::endpoints -- --nocapture`: passed.
|
|
- `cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; only existing endpoint
|
|
production/test unwrap and expectation paths were moved.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 E-004/E-LAYOUT-003 current slice:
|
|
- `cargo test -p rustfs-ecstore layout::set_heal -- --nocapture`: passed.
|
|
- `cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; only test-only unwrap
|
|
expectations were added around deterministic helper construction.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 E-005/E-LAYOUT-004 current slice:
|
|
- `cargo test -p rustfs-ecstore layout::pool_space -- --nocapture`: passed.
|
|
- `cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; only existing `store.rs`
|
|
test-only `expect` calls and an existing `Result<String>` method signature
|
|
were present outside the moved helper body.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 E-006/E-REBALANCE-001 current slice:
|
|
- `cargo test -p rustfs-ecstore store::rebalance -- --nocapture`: passed.
|
|
- `cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; no risky added lines were
|
|
introduced.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 E-007/E-LAYOUT-005 current slice:
|
|
- `cargo test -p rustfs-ecstore layout::pool_space -- --nocapture`: passed.
|
|
- `cargo test -p rustfs-ecstore store::rebalance -- --nocapture`: passed.
|
|
- `cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; added cast lines are moved
|
|
capacity math from the existing implementation.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 E-008/E-REBALANCE-002 current slice:
|
|
- `cargo test -p rustfs-ecstore rebalance::rebalance_unit_tests -- --nocapture`: passed.
|
|
- `cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 E-009/E-REBALANCE-003 current slice:
|
|
- `cargo test -p rustfs-ecstore rebalance::rebalance_unit_tests -- --nocapture`: passed.
|
|
- `cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 E-012/E-REBALANCE-006 current slice:
|
|
- `cargo test -p rustfs-ecstore rebalance::rebalance_unit_tests -- --nocapture`: passed.
|
|
- `cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; added casts are moved
|
|
pool-index accounting from the existing implementation and remain guarded.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 E-013/E-REBALANCE-007 current slice:
|
|
- `cargo test -p rustfs-ecstore rebalance::rebalance_unit_tests -- --nocapture`: passed.
|
|
- `cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; moved casts are existing
|
|
pool completion math and remain guarded.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 E-014/E-REBALANCE-008 current slice:
|
|
- `cargo test -p rustfs-ecstore rebalance::rebalance_unit_tests -- --nocapture`: passed.
|
|
- `cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; moved casts and unwraps are
|
|
existing test or migration-flow code and remain guarded.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 E-015/E-REBALANCE-009 current slice:
|
|
- `cargo test -p rustfs-ecstore rebalance::rebalance_unit_tests -- --nocapture`: passed.
|
|
- `./scripts/check_unsafe_code_allowances.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; the runtime diff is a test
|
|
module move plus a SAFETY-comment proximity fix required by the guard.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 E-016/E-REBALANCE-010 current slice:
|
|
- `cargo test -p rustfs-ecstore rebalance::rebalance_unit_tests -- --nocapture`: passed.
|
|
- `cargo check -p rustfs-ecstore -p rustfs -p rustfs-heal`: passed.
|
|
- `./scripts/check_unsafe_code_allowances.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed; production changes are a
|
|
type-contract move and existing Windows FFI casts remain unchanged.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 X-012 current slice:
|
|
- `cargo test -p rustfs-extension-schema`: passed.
|
|
- `cargo check -p rustfs-extension-schema`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 X-013 current slice:
|
|
- `cargo test -p rustfs-extension-schema`: passed.
|
|
- `cargo check -p rustfs-extension-schema`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 R-021 current slice:
|
|
- `cargo test -p rustfs --lib startup_optional_runtimes -- --nocapture`:
|
|
passed.
|
|
- `cargo test -p rustfs --lib startup_services -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 R-022 current slice:
|
|
- `cargo test -p rustfs --lib startup_optional_runtimes -- --nocapture`:
|
|
passed.
|
|
- `cargo test -p rustfs --lib startup_protocols -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib startup_services -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 R-023 current slice:
|
|
- `cargo test -p rustfs --lib startup_shutdown -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib startup_services -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib startup_optional_runtimes -- --nocapture`:
|
|
passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 R-024 current slice:
|
|
- `cargo test -p rustfs --lib startup_lifecycle -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib startup_services -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib startup_shutdown -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 R-025 current slice:
|
|
- `cargo test -p rustfs --lib startup_service_components -- --nocapture`:
|
|
passed.
|
|
- `cargo test -p rustfs --lib startup_services -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib startup_lifecycle -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 R-026 current slice:
|
|
- `cargo test -p rustfs --lib startup_optional_runtime_sidecars -- --nocapture`:
|
|
passed.
|
|
- `cargo test -p rustfs --lib startup_optional_runtimes -- --nocapture`:
|
|
passed.
|
|
- `cargo test -p rustfs --lib startup_shutdown -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 R-027 current slice:
|
|
- `cargo test -p rustfs --lib startup_runtime_hooks -- --nocapture`:
|
|
passed.
|
|
- `cargo test -p rustfs --lib startup_profiling -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib startup_runtime -- --nocapture`: passed.
|
|
- `cargo test -p rustfs --lib startup_shutdown -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 R-020 current slice:
|
|
- `cargo test -p rustfs --lib startup_profiling -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan on changed Rust files: passed.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 API-056/R-016 current slice:
|
|
- `cargo test -p rustfs --lib runtime_capabilities -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 API-055/SCH-001 current slice:
|
|
- `cargo test -p rustfs --lib storage::concurrency::manager::integration_tests -- --nocapture`: passed.
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 PR-05/PR-07 current slice:
|
|
- `cargo test -p rustfs-concurrency --no-fail-fast`: passed.
|
|
- `cargo check -p rustfs-concurrency`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- Issue #660 PR-08/PR-09 current slice:
|
|
- `cargo test -p rustfs-storage-api`: passed.
|
|
- `cargo check -p rustfs-storage-api`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `make pre-commit`: passed.
|
|
- Three-expert review: passed.
|
|
|
|
- G-011/G-012/G-013 current slice:
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `git diff --check`: passed.
|
|
- Three-expert review: passed.
|
|
- Full `make pre-commit`: not run because this slice is documentation-only.
|
|
|
|
- API-054 current slice:
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; only existing import and path rewrites were
|
|
reviewed, with no new unwrap/expect, panic/todo/unsafe, risky casts,
|
|
ad-hoc error construction, or sensitive-token handling semantics.
|
|
|
|
- API-053 current slice:
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; only existing import and path rewrites were
|
|
reviewed, with no new unwrap/expect, panic/todo/unsafe, risky casts,
|
|
ad-hoc error construction, or sensitive-token handling semantics.
|
|
- `make pre-commit`: passed.
|
|
|
|
- API-052 current slice:
|
|
- `cargo check -p rustfs --lib`: passed.
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; only existing-semantic path replacement hits were
|
|
reviewed, with no new unwrap/expect, panic/todo/unsafe, risky casts,
|
|
ad-hoc error construction, or sensitive-token handling semantics.
|
|
- `make pre-commit`: passed, including 6250 nextest tests and doctests.
|
|
|
|
- API-050 current slice:
|
|
- `cargo test -p rustfs-storage-api lifecycle_helper_defaults_preserve_existing_contracts --no-fail-fast`:
|
|
passed.
|
|
- `cargo check --tests -p rustfs-storage-api -p rustfs-ecstore -p rustfs-notify`:
|
|
passed.
|
|
- `cargo test -p rustfs-ecstore transitioned --no-fail-fast`: passed.
|
|
- `cargo test -p rustfs-notify ecstore_object_info_conversion_preserves_notify_event_fields --no-fail-fast`:
|
|
passed.
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; no new unwrap/expect, panic/todo/unsafe, risky
|
|
casts, ad-hoc error construction, or sensitive-token handling in added
|
|
lines.
|
|
- `make pre-commit`: passed.
|
|
|
|
- API-051 current slice:
|
|
- `cargo check --tests -p e2e_test -p rustfs-heal -p rustfs-scanner`:
|
|
passed.
|
|
- `cargo check --manifest-path fuzz/Cargo.toml --all-targets`: passed.
|
|
- `cargo test -p rustfs-heal --test endpoint_index_test test_endpoint_index_settings --no-fail-fast`:
|
|
passed.
|
|
- `cargo test -p rustfs-scanner --test lifecycle_integration_test --no-run`:
|
|
passed.
|
|
- `cargo test -p e2e_test --no-run`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; only existing test `unwrap` calls were touched by
|
|
import path rewrites, with no new unwrap/expect, panic/todo/unsafe, risky
|
|
casts, ad-hoc error construction, or sensitive-token handling semantics.
|
|
- `make pre-commit`: passed.
|
|
|
|
- S-015 current slice:
|
|
- `cargo test -p rustfs-policy test_legacy_kms_admin_actions_are_rejected --no-fail-fast`:
|
|
passed.
|
|
- `cargo test -p rustfs kms_key_auth_actions_use_dedicated_kms_actions --no-fail-fast`:
|
|
passed.
|
|
- `cargo test -p rustfs route_policy_records_dedicated_kms_actions --no-fail-fast`:
|
|
passed.
|
|
- `cargo test -p rustfs route_policy_rejects_server_info_for_sensitive_kms_actions --no-fail-fast`:
|
|
passed.
|
|
- `cargo check --tests -p rustfs-policy -p rustfs`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- S-014 previous slice:
|
|
- `cargo test -p rustfs kms_key_auth_actions_use_dedicated_kms_actions --no-fail-fast`:
|
|
passed.
|
|
- `cargo test -p rustfs route_policy_records_dedicated_kms_actions --no-fail-fast`:
|
|
passed.
|
|
- `cargo test -p rustfs route_policy_rejects_server_info_for_sensitive_kms_actions --no-fail-fast`:
|
|
passed.
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Source marker scan: passed; no non-doc `RUSTFS_COMPAT_TODO` markers remain.
|
|
- Rust risk scan: passed; no new unwrap/expect, panic/todo/unsafe, risky
|
|
casts, ad-hoc error construction, or sensitive-token handling in added
|
|
lines.
|
|
- `make pre-commit`: passed.
|
|
|
|
- API-049 current slice:
|
|
- `cargo check --tests -p rustfs-heal -p rustfs-scanner -p e2e_test`:
|
|
passed.
|
|
- `cargo check --manifest-path fuzz/Cargo.toml --all-targets`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; no new unwrap/expect, panic/todo/unsafe, risky
|
|
casts, ad-hoc error construction, or sensitive-token handling in added
|
|
lines.
|
|
- `make pre-commit`: passed.
|
|
|
|
- API-048 current slice:
|
|
- `cargo check --tests -p rustfs`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- Rust risk scan: passed; no new unwrap/expect, panic/todo/unsafe, risky
|
|
casts, ad-hoc error construction, or sensitive-token handling in added
|
|
lines.
|
|
- `make pre-commit`: passed.
|
|
|
|
- API-047 current slice:
|
|
- `cargo check --tests -p rustfs-heal -p rustfs-scanner`: passed.
|
|
- `cargo test -p rustfs-heal -p rustfs-scanner`: passed, 290 tests passed
|
|
and 14 ignored.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; the only match was a test-only scanner config init
|
|
re-export.
|
|
|
|
- API-046 current slice:
|
|
- `cargo check --tests -p rustfs-iam -p rustfs-protos`: passed.
|
|
- `cargo test -p rustfs-iam`: passed, 150 tests.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: reviewed added lines; only existing error-mapping behavior
|
|
was renamed to IAM-local compatibility aliases.
|
|
- `make pre-commit`: passed.
|
|
|
|
- API-042 current slice:
|
|
- `cargo check --tests -p rustfs-notify -p rustfs`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error
|
|
public APIs, boxed public errors, production println/eprintln, or relaxed
|
|
ordering introduced in changed Rust files.
|
|
- `make pre-commit`: passed.
|
|
|
|
- API-043 current slice:
|
|
- `cargo test -p rustfs-notify
|
|
storage_compat::tests::ecstore_object_info_conversion_preserves_notify_event_fields`:
|
|
passed.
|
|
- `cargo check --tests -p rustfs-notify -p rustfs`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error
|
|
public APIs, boxed public errors, production println/eprintln, or relaxed
|
|
ordering introduced in changed Rust files.
|
|
- `make pre-commit`: passed, including 6245 nextest tests passed and 111
|
|
skipped.
|
|
|
|
- API-044 current slice:
|
|
- `cargo check --tests -p rustfs-s3select-api -p rustfs-notify -p
|
|
rustfs`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error
|
|
public APIs, boxed public errors, production println/eprintln, or relaxed
|
|
ordering introduced in changed Rust files.
|
|
- `make pre-commit`: passed, including 6245 nextest tests passed and 111
|
|
skipped.
|
|
|
|
- API-045 current slice:
|
|
- `cargo check --tests -p rustfs-obs -p rustfs-s3select-api -p
|
|
rustfs-notify -p rustfs`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error
|
|
public APIs, boxed public errors, production println/eprintln, or relaxed
|
|
ordering introduced in changed Rust files.
|
|
- `make pre-commit`: passed, including 6245 nextest tests passed and 111
|
|
skipped.
|
|
|
|
- API-041 current slice:
|
|
- `bash -n scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; no Rust code changed.
|
|
- `make pre-commit`: passed.
|
|
|
|
- API-040 current slice:
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error
|
|
public APIs, boxed public errors, production println/eprintln, or relaxed
|
|
ordering introduced in changed Rust files.
|
|
- `make pre-commit`: passed.
|
|
|
|
- API-039 current slice:
|
|
- `cargo check --tests -p rustfs -p rustfs-scanner -p rustfs-heal -p rustfs-protocols -p rustfs-s3select-api -p rustfs-iam -p rustfs-notify`:
|
|
passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error
|
|
public APIs, boxed public errors, production println/eprintln, or relaxed
|
|
ordering introduced in changed Rust files.
|
|
- `make pre-commit`: passed.
|
|
|
|
- API-038 current slice:
|
|
- `cargo check --tests -p rustfs -p rustfs-scanner -p rustfs-heal -p rustfs-protocols -p rustfs-s3select-api -p rustfs-iam -p rustfs-notify`:
|
|
passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error
|
|
public APIs, boxed public errors, production println/eprintln, or relaxed
|
|
ordering introduced in changed Rust files.
|
|
- `make pre-commit`: passed.
|
|
|
|
- API-037 current slice:
|
|
- `cargo check --tests -p rustfs-ecstore -p rustfs -p rustfs-scanner`:
|
|
passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error
|
|
public APIs, boxed public errors, production println/eprintln, or relaxed
|
|
ordering introduced in changed Rust files.
|
|
- `make pre-commit`: passed.
|
|
|
|
- API-036 current slice:
|
|
- `cargo test -p rustfs-storage-api`: passed.
|
|
- `cargo check --tests -p rustfs-storage-api -p rustfs-ecstore -p rustfs-scanner -p rustfs`:
|
|
passed.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error
|
|
public APIs, boxed public errors, production println/eprintln, or relaxed
|
|
ordering introduced in changed Rust files.
|
|
- `make pre-commit`: passed.
|
|
|
|
API-035 prior slice:
|
|
|
|
- `cargo check --tests -p rustfs-scanner -p rustfs-heal -p rustfs-iam`:
|
|
passed.
|
|
- `cargo check --tests -p rustfs-protocols --features swift`: passed.
|
|
- `cargo check --tests -p rustfs -p rustfs-scanner -p rustfs-heal -p rustfs-iam -p rustfs-notify -p rustfs-obs -p rustfs-s3select-api -p e2e_test`:
|
|
passed.
|
|
- `cargo check --manifest-path fuzz/Cargo.toml --bins`: passed.
|
|
- `rg -n 'rustfs_ecstore' crates/scanner/src crates/heal/src crates/protocols/src/swift crates/iam/src/store --glob '*.rs'`:
|
|
remaining matches are deliberate compatibility boundary definitions.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: passed; no new unwrap/expect, numeric casts, string error
|
|
public APIs, boxed public errors, production println/eprintln, or relaxed
|
|
ordering introduced in changed Rust files.
|
|
- `make pre-commit`: passed.
|
|
|
|
Earlier API-033 verification retained in prior branch/PR:
|
|
|
|
- `cargo check --tests -p rustfs -p rustfs-obs -p rustfs-notify -p rustfs-s3select-api -p rustfs-iam`:
|
|
passed.
|
|
- `cargo check --manifest-path fuzz/Cargo.toml --bins`: passed.
|
|
- `rg -n 'rustfs_ecstore' rustfs/src crates/obs/src crates/notify/src crates/s3select-api/src crates/iam/src --glob '*.rs'`:
|
|
remaining matches are deliberate compatibility boundary definitions.
|
|
- Direct import scan for target scanner/heal/e2e/fuzz paths: passed; remaining
|
|
matches are deliberate compatibility boundary definitions.
|
|
- `./scripts/check_architecture_migration_rules.sh`: passed.
|
|
- `./scripts/check_layer_dependencies.sh`: passed.
|
|
- `cargo fmt --all --check`: passed.
|
|
- `git diff --check`: passed.
|
|
- Rust risk scan: reviewed added `.unwrap()` matches as preserved test setup
|
|
unwraps caused by path rewrite formatting; no new risky behavior added.
|
|
- `make pre-commit`: passed.
|
|
|
|
Notes:
|
|
|
|
- This larger slice is based on `origin/main` after `rustfs/rustfs#3572`
|
|
merged.
|
|
- Direct ECStore imports in the target runtime/obs/notify/S3 Select/IAM and
|
|
scanner/heal/e2e/fuzz areas now remain only in local compatibility boundary
|
|
modules.
|
|
- The slice does not alter startup behavior, readiness behavior, table catalog
|
|
object I/O, notification persistence, S3 Select reads, IAM error mapping,
|
|
observability metrics, test/fuzz semantics, or ECStore definitions.
|
|
|
|
## Handoff Notes
|
|
|
|
- Continue with larger consumer-migration batches outside the cleaned
|
|
app/storage/admin/scanner/heal/Swift/runtime/obs/notify/S3 Select/IAM/test
|
|
and fuzz boundaries; keep ECStore-owned behavior in ECStore until concrete
|
|
behavior is isolated enough for a pure-move slice.
|