Sync Repo-docs-MODULE-ARCHITECTURE from project files
@@ -1,4 +1,4 @@
|
|||||||
<!-- codex-wiki-sync:b5012b7cacc0ba3fc59eae7f -->
|
<!-- codex-wiki-sync:1e5412d3886cc08717c3e330 -->
|
||||||
|
|
||||||
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/MODULE_ARCHITECTURE.md`.
|
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/MODULE_ARCHITECTURE.md`.
|
||||||
> Origin: `repository`.
|
> Origin: `repository`.
|
||||||
@@ -380,15 +380,14 @@ Hot enable/disable is a core design principle for every module:
|
|||||||
- Modules can provide `on_activate` and `on_deactivate` hooks for worker,
|
- Modules can provide `on_activate` and `on_deactivate` hooks for worker,
|
||||||
scheduler, cache, or external subscription lifecycle. These hooks must be
|
scheduler, cache, or external subscription lifecycle. These hooks must be
|
||||||
idempotent and must not mutate another module directly.
|
idempotent and must not mutate another module directly.
|
||||||
- Package install/uninstall remains a deployment/operator action unless the
|
- Package install/uninstall is performed by the trusted operator installer, not
|
||||||
runtime provides a trusted package installer and rollback path. The admin UI
|
directly inside FastAPI request handlers. The admin UI can save install plans,
|
||||||
can activate/deactivate installed packages; it must not remove package files
|
show preflight blockers, and activate/deactivate installed packages.
|
||||||
or attempt dependency-manager operations in-process.
|
|
||||||
|
|
||||||
The package install-plan API records operator intent only:
|
The package install-plan API records operator intent only:
|
||||||
|
|
||||||
- `GET /api/v1/admin/system/modules/install-plan` reads the saved plan and
|
- `GET /api/v1/admin/system/modules/install-plan` reads the saved plan,
|
||||||
renders shell commands for the operator.
|
renders shell commands, and returns installer preflight status.
|
||||||
- `PUT /api/v1/admin/system/modules/install-plan` saves planned install or
|
- `PUT /api/v1/admin/system/modules/install-plan` saves planned install or
|
||||||
uninstall rows. Install rows must use tagged package or git references, not
|
uninstall rows. Install rows must use tagged package or git references, not
|
||||||
local `file:`/workspace paths.
|
local `file:`/workspace paths.
|
||||||
@@ -396,12 +395,37 @@ The package install-plan API records operator intent only:
|
|||||||
- `govoplan-module-install-plan --format shell` or
|
- `govoplan-module-install-plan --format shell` or
|
||||||
`python -m govoplan_core.commands.module_install_plan --format shell` renders
|
`python -m govoplan_core.commands.module_install_plan --format shell` renders
|
||||||
the same commands from a server shell.
|
the same commands from a server shell.
|
||||||
|
- `govoplan-module-installer --format shell` runs the same preflight checks from
|
||||||
|
the server shell.
|
||||||
|
- `govoplan-module-installer --apply --build-webui` executes the saved plan
|
||||||
|
after preflight passes, snapshots `pip freeze` and WebUI package files, writes
|
||||||
|
a run record under the runtime installer directory, and marks planned rows as
|
||||||
|
applied after success.
|
||||||
|
- `govoplan-module-installer --rollback <run-id>` restores the saved package
|
||||||
|
snapshots and reruns package installation from the previous freeze file.
|
||||||
|
|
||||||
The running server intentionally reports `install_uninstall_supported=false`
|
The installer preflight is intentionally conservative:
|
||||||
and `package_mutation_supported=false`. This is by design: mutating the
|
|
||||||
interpreter environment, npm dependency graph, frontend bundle, migrations, and
|
- maintenance mode must be active;
|
||||||
worker process set from inside the same running app is not safe without a
|
- uninstalling `tenancy`, `access`, or `admin` is blocked;
|
||||||
separate trusted installer, rollback model, and bundle loader.
|
- uninstalling an active module is blocked;
|
||||||
|
- uninstalling a module still present in desired startup state is blocked;
|
||||||
|
- uninstalling a module with active/desired dependents is blocked;
|
||||||
|
- install refs must be exact versions or tagged git refs;
|
||||||
|
- WebUI package changes require a WebUI root and trigger rebuild/reload status.
|
||||||
|
|
||||||
|
The running FastAPI server still reports `package_mutation_supported=false`
|
||||||
|
because dependency-manager operations are not executed inside request handlers.
|
||||||
|
The trusted mutation boundary is the operator CLI. This keeps the interpreter,
|
||||||
|
npm dependency graph, frontend bundle, migrations, and worker process set under
|
||||||
|
process-supervisor control.
|
||||||
|
|
||||||
|
Frontend module loading currently uses the build-time package graph generated by
|
||||||
|
the core WebUI host. Therefore installing or uninstalling a WebUI package
|
||||||
|
requires `npm install` plus a WebUI rebuild/reload. True remote runtime bundle
|
||||||
|
loading would need signed asset manifests, version compatibility checks, CSP
|
||||||
|
rules, cache invalidation, and rollback at the asset-loader layer; it is a
|
||||||
|
future deployment hardening track, not the default module installer path.
|
||||||
|
|
||||||
## Maintenance Mode
|
## Maintenance Mode
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user