7.0 KiB
Connector Source Lifecycle
GovOPlaN modules should treat external systems as sources with explicit lifecycle state. A connector profile can consume records from a source, publish records into a source, or do both. The lifecycle below keeps connectors predictable and avoids hidden module imports.
Source Directions
consume: GovOPlaN reads external records, normalizes them, and exposes them to modules as external references, events, or staged imports.publish: GovOPlaN creates or updates external records and stores the external identifiers as immutable references.bidirectional: GovOPlaN supports both directions with conflict detection and reconciliation rules.
Source Data Lifecycle
Connector profiles have operational states, while individual external records or source datasets move through a data lifecycle:
discoveredA source, record, file, feed item, webhook event, or remote object is known but not yet trusted for domain use.connectedGovOPlaN can authenticate and fetch or publish against the source profile.importedMinimal source data has been staged with external id, version/ETag, source timestamp, and provenance.validatedShape, permissions, freshness, and required fields passed connector and domain validation.transformedA dataflow, workflow, or domain module normalized the staged payload into a domain-specific form.publishedGovOPlaN exposed or wrote an output through API, RSS, report, export, or a downstream connector.archivedThe source/output is no longer active but remains available under retention, audit, and external-reference rules.deprecatedThe source/output remains readable for history but must not be used for new workflows.
Every transition must preserve provenance, permissions context, freshness, and audit trace. Domain modules may add stricter states, but they should map back to this lifecycle when a connector publishes status.
Lifecycle States
draftProfile exists but is not used by runtime jobs.configuredRequired endpoint and credential references are present.testedA health/test run succeeded and recorded non-secret diagnostics.activeRuntime jobs may consume or publish data.degradedThe connector is active but health checks or recent jobs show failures.pausedOperators intentionally stop scheduled connector activity.retiringThe connector is being removed from active workflows while references remain readable.retiredNo new runtime activity is allowed. Historical references remain available.
State Transition Gates
| Transition | Required Evidence | Blockers |
|---|---|---|
draft -> configured |
endpoint fields are valid, credential references exist, owner/tenant scope is set | plaintext secret in profile payload, unsupported connector type |
configured -> tested |
latest profile test succeeded and diagnostics were redacted | failed auth, unreachable endpoint, TLS/policy error |
tested -> active |
operator enabled runtime use, required modules/capabilities are present, schedule/webhook is valid | missing module, missing permission, no idempotency strategy for publish jobs |
active -> degraded |
health check or job telemetry reports failures | none; this is automatic diagnostic state |
degraded -> active |
health/test succeeds or failed jobs are reconciled | unresolved conflict or repeated failure threshold |
any running state -> paused |
operator pause request or maintenance preflight | active critical transaction that cannot be interrupted |
paused -> active |
successful re-test when credentials/endpoints changed | failed profile test |
any state -> retiring |
uninstall/disable plan accepted, schedulers/workers stopped | active domain references that require operator decision |
retiring -> retired |
non-destructive retirement complete, references remain readable | destructive retirement requested without provider and backup |
Consume Flow
- Discover changes through polling, webhook, batch upload, or manual operator action.
- Fetch only the minimal remote data required for the declared use case.
- Normalize into a connector-owned staging payload.
- Validate shape, required fields, and source trust level.
- Emit a core-mediated event such as
connector.record_discovered. - Let domain modules claim or transform staged data through capabilities, not imports.
- Store external references with source system, object type, object id, version or ETag, and last-seen timestamp.
Publish Flow
- Domain module requests publish through a core-mediated connector capability.
- Connector validates profile state, permission, idempotency key, and payload shape.
- Connector sends the remote request.
- Connector stores the remote id, version/ETag, and response diagnostics.
- Connector emits
connector.record_publishedorconnector.publish_failed. - Domain module stores only the external-reference DTO and any domain result.
Reconciliation
Every connector that writes to an external system needs a reconciliation story:
- idempotency key for create/update jobs
- remote object version, ETag, or last-modified value where available
- conflict state when local and remote records diverge
- retry policy for temporary failures
- explicit operator action for destructive overwrite or deletion
- audit trace from GovOPlaN record to external request and response summary
Capability Boundary
Domain modules must not import connector implementation packages directly. They should ask core for capabilities such as:
connectors.catalogconnectors.profileTesterconnectors.healthconnectors.externalReferencesconnectors.sourceConsumerconnectors.sourcePublisher
Connector payloads should be DTOs or protocol objects from kernel/core contracts. Protocol-specific clients stay inside the connector module that owns them.
Safety Rules
- Secret values never leave the secret contract and are never stored in test result payloads.
- Runtime jobs must include profile id, connector type, direction, idempotency key, and triggering principal/system actor.
- Profile tests must redact tokens, passwords, cookies, authorization headers, and remote personal data not needed for diagnostics.
- Deactivation must stop schedulers/workers before profile removal.
- Uninstall defaults to non-destructive retirement; domain data and external references remain readable.
- Destructive retirement requires a module-owned retirement provider and an explicit operator choice.
Release Checklist
Before shipping an executable connector type:
- Add catalogue metadata and capability names.
- Add profile schema validation that rejects plaintext secrets.
- Add redaction tests for success and failure diagnostics.
- Add unavailable-optional-module tests for every consuming domain module.
- Add profile test and health status fixtures.
- Add external-reference DTO tests.
- Add lifecycle transition tests for pause, retry, retirement, and uninstall guard behavior.