The OxbinRuntime trait surface

A backend implements:

pub trait OxbinRuntime: Send + Sync {
    type Module: 'static + Send + Sync;
    type Store: 'static + Send + Sync;
    type Error: std::error::Error + Send + Sync;

    /// Load an .oxbin into a Module. Layer 1 validation runs synchronously
    /// here (RP-004 hooks); Layer 2 runs in the prefix before this returns Ok.
    fn load(
        &self,
        oxbin: &Oxbin,
        validation: ValidationPolicy,
    ) -> Result<Self::Module, Self::Error>;

    /// Open a Store for one (tenant, fork). May create the fork if it
    /// doesn't exist (subject to capability checks per the backend's IAM).
    fn open_store(
        &self,
        module: &Self::Module,
        tenant_id: TenantId,
        fork_id: ForkId,
    ) -> Result<Self::Store, Self::Error>;

    /// Run a query at a bitemporal point (default `AsOf::Now`). Standpoint
    /// scope is part of the query, not this argument.
    fn query(
        &self,
        module: &Self::Module,
        store: &Self::Store,
        query: &CoreIRQuery,
        as_of: AsOf,
    ) -> Result<Answer, Self::Error>;

    /// Apply a mutation; returns the TT at which it became effective.
    /// Mutations are transactional; partial mutations are not observable.
    fn mutate(
        &self,
        module: &Self::Module,
        store: &mut Self::Store,
        mutation: &CoreIRMutation,
    ) -> Result<TxTime, Self::Error>;

    /// Fork an existing (tenant, fork) at a given TT. The new fork inherits
    /// parent state up to fork_point_tt; later mutations diverge (CoW, `AsOf` semantics — bitemporal point).
    fn fork(
        &self,
        module: &Self::Module,
        parent: &Self::Store,
        new_fork_name: &str,
        fork_point_tt: TxTime,
    ) -> Result<Self::Store, Self::Error>;

    /// Capability-gated physical erasure (Capability surface). Requires both
    /// `#[allow_forget]` on the target concept and the runtime principal
    /// to hold the `forget` capability.
    fn forget(
        &self,
        module: &Self::Module,
        store: &mut Self::Store,
        targets: &[AxiomId],
        actor: PrincipalId,
        reason: &str,
    ) -> Result<ForgetReceipt, Self::Error>;
}

The trait is Send + Sync; a backend’s concurrency discipline is its own concern. The ValidationPolicy argument to load distinguishes sandboxed Strict (any Layer-2 failure refuses the load) from trusted Lenient (Layer-2 failures emit warnings; non-load-bearing issues are tolerated).

AsOf, Capability, and ValidationPolicy are @[language_interface] types mirrored by oxc-protocol::runtime; CI fails on drift.
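The two-part gate that the `forget` doc comment describes, sketched as an added example (not code from the project). `DemoStore`, `ForgetDenied`, the integer id types, and the check-everything-before-erasing behaviour are assumptions made for illustration; the page does not define them.

```rust
use std::collections::{HashMap, HashSet};

// Stand-ins (assumptions): the page names these types but does not define them.
type AxiomId = u64;
type PrincipalId = u32;

#[derive(Debug, PartialEq)]
enum ForgetDenied {
    MissingCapability(PrincipalId),
    ConceptNotForgettable(AxiomId),
    UnknownTarget(AxiomId),
}

/// Hypothetical in-memory store used only for this illustration.
struct DemoStore {
    axioms: HashMap<AxiomId, bool>, // id -> concept declared with #[allow_forget]
    forget_holders: HashSet<PrincipalId>, // principals holding `forget`
}

impl DemoStore {
    /// Returns the number of axioms erased. Every target is checked before
    /// any erasure, so a denied call leaves the store unchanged (assumption).
    fn forget(&mut self, targets: &[AxiomId], actor: PrincipalId) -> Result<usize, ForgetDenied> {
        // Gate 1: the runtime principal must hold the capability.
        if !self.forget_holders.contains(&actor) {
            return Err(ForgetDenied::MissingCapability(actor));
        }
        // Gate 2: every target's concept must opt in; unknown ids fail closed.
        for id in targets {
            match self.axioms.get(id) {
                Some(true) => {}
                Some(false) => return Err(ForgetDenied::ConceptNotForgettable(*id)),
                None => return Err(ForgetDenied::UnknownTarget(*id)),
            }
        }
        // Duplicate ids in `targets` are erased (and counted) once.
        Ok(targets.iter().filter(|id| self.axioms.remove(*id).is_some()).count())
    }
}

/// Constructed sample: axiom 1 opts in, axiom 2 does not; principal 7 holds `forget`.
fn demo_store() -> DemoStore {
    DemoStore { axioms: HashMap::from([(1, true), (2, false)]), forget_holders: HashSet::from([7]) }
}

fn main() {
    let mut s = demo_store();
    println!("{:?}", s.forget(&[1], 99)); // capability missing
    println!("{:?}", s.forget(&[1, 2], 7)); // axiom 2 not opted in
    println!("{:?}", s.forget(&[1], 7)); // both gates pass
}
```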