Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Lifecycle

A normal lifecycle: at startup, runtime.load(oxbin, policy) returns a Module (Layer 1 tier check synchronously, Layer 2 per-section invariants in the prefix); per request, open_store then query / mutate; at shutdown, Stores drop, then the Module, then the Engine.

A second load returns a new Module. The runtime MAY share the first Module’s Engine if the base schemas are byte-identical (Arc identity), otherwise the new Module gets a fresh Engine. Hot replacement of a live Module is not required by the in-process trait; the serving helper (Serving surface) implements a guarded form that loads the next Module, checks compatibility against live ABox state, and swaps atomically only if compatible. The Engine/Module split is what makes this possible without redesigning Store semantics.