Sync wiki from project files
@@ -1,4 +1,4 @@
|
|||||||
<!-- codex-wiki-sync:d433db8d4ef5105a2d129c83 -->
|
<!-- codex-wiki-sync:81accd6a05d4974fab453c83 -->
|
||||||
|
|
||||||
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/MODULE_ARCHITECTURE.md`.
|
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/MODULE_ARCHITECTURE.md`.
|
||||||
> Origin: `repository`.
|
> Origin: `repository`.
|
||||||
@@ -398,9 +398,14 @@ The package install-plan API records operator intent only:
|
|||||||
|
|
||||||
- `GET /api/v1/admin/system/modules/install-plan` reads the saved plan,
|
- `GET /api/v1/admin/system/modules/install-plan` reads the saved plan,
|
||||||
renders shell commands, and returns installer preflight status.
|
renders shell commands, and returns installer preflight status.
|
||||||
|
- `GET /api/v1/admin/system/modules/install-runs` returns recent installer run
|
||||||
|
summaries and the current installer lock status.
|
||||||
|
- `GET /api/v1/admin/system/modules/install-runs/{run_id}` returns the raw run
|
||||||
|
record for diagnosis.
|
||||||
- `PUT /api/v1/admin/system/modules/install-plan` saves planned install or
|
- `PUT /api/v1/admin/system/modules/install-plan` saves planned install or
|
||||||
uninstall rows. Install rows must use tagged package or git references, not
|
uninstall rows. Install rows must use tagged package or git references, not
|
||||||
local `file:`/workspace paths.
|
local `file:`/workspace paths. Python install rows must also include the
|
||||||
|
distribution package name so rollback can uninstall newly added packages.
|
||||||
- `DELETE /api/v1/admin/system/modules/install-plan` clears the plan.
|
- `DELETE /api/v1/admin/system/modules/install-plan` clears the plan.
|
||||||
- `govoplan-module-install-plan --format shell` or
|
- `govoplan-module-install-plan --format shell` or
|
||||||
`python -m govoplan_core.commands.module_install_plan --format shell` renders
|
`python -m govoplan_core.commands.module_install_plan --format shell` renders
|
||||||
@@ -413,11 +418,13 @@ The package install-plan API records operator intent only:
|
|||||||
applied after success.
|
applied after success.
|
||||||
- `govoplan-module-installer --supervise --migrate --health-url http://127.0.0.1:8000/health --restart-command '<restart govoplan server>'`
|
- `govoplan-module-installer --supervise --migrate --health-url http://127.0.0.1:8000/health --restart-command '<restart govoplan server>'`
|
||||||
is the preferred disruptive-change path. It applies the plan, optionally runs
|
is the preferred disruptive-change path. It applies the plan, optionally runs
|
||||||
migrations in a fresh Python process, runs the restart command if provided,
|
migrations in a fresh Python process after a fresh-process manifest
|
||||||
polls health, and automatically rolls packages back from the run snapshot if
|
verification, runs the restart command if provided, polls health, and
|
||||||
commands, migrations, restart, or health recovery fail.
|
automatically rolls packages back from the run snapshot if commands,
|
||||||
|
migrations, restart, or health recovery fail.
|
||||||
- `govoplan-module-installer --rollback <run-id>` restores the saved package
|
- `govoplan-module-installer --rollback <run-id>` restores the saved package
|
||||||
snapshots and reruns package installation from the previous freeze file.
|
snapshots, restores the captured SQLite database snapshot when present, and
|
||||||
|
reruns package installation from the previous freeze file.
|
||||||
|
|
||||||
The installer preflight is intentionally conservative:
|
The installer preflight is intentionally conservative:
|
||||||
|
|
||||||
@@ -428,9 +435,12 @@ The installer preflight is intentionally conservative:
|
|||||||
- uninstalling an active module is blocked;
|
- uninstalling an active module is blocked;
|
||||||
- uninstalling a module still present in desired startup state is blocked;
|
- uninstalling a module still present in desired startup state is blocked;
|
||||||
- uninstalling a module with active/desired dependents is blocked;
|
- uninstalling a module with active/desired dependents is blocked;
|
||||||
|
- uninstalling a module that owns migrations is blocked until that module
|
||||||
|
explicitly supports migration retirement;
|
||||||
- module-owned uninstall guard providers can veto data/migration/worker unsafe
|
- module-owned uninstall guard providers can veto data/migration/worker unsafe
|
||||||
removals;
|
removals;
|
||||||
- install refs must be exact versions or tagged git refs;
|
- install refs must be exact versions or tagged git refs;
|
||||||
|
- Python install rows must include the package distribution name for rollback;
|
||||||
- WebUI package changes require a WebUI root and trigger rebuild/reload status.
|
- WebUI package changes require a WebUI root and trigger rebuild/reload status.
|
||||||
|
|
||||||
The installer supervisor must run outside the FastAPI server process. A server
|
The installer supervisor must run outside the FastAPI server process. A server
|
||||||
@@ -438,10 +448,12 @@ request handler cannot reliably restart or roll back the process that is
|
|||||||
currently executing the request. The admin UI therefore remains an operator
|
currently executing the request. The admin UI therefore remains an operator
|
||||||
planning surface; the trusted daemon/CLI is the executor.
|
planning surface; the trusted daemon/CLI is the executor.
|
||||||
|
|
||||||
Automatic rollback covers Python and WebUI package state. It does not roll back
|
Automatic rollback covers Python and WebUI package state. For `sqlite:///`
|
||||||
database migrations; production installs must take a database backup before
|
database URLs, `--migrate` also captures a SQLite backup and rollback restores
|
||||||
running `--migrate`, and module uninstall remains blocked until data and
|
it before the supervisor restarts the server. Non-SQLite deployments still need
|
||||||
migration-state retirement rules are satisfied.
|
an external managed backup/restore path before running migrations, and module
|
||||||
|
uninstall remains blocked until data and migration-state retirement rules are
|
||||||
|
satisfied.
|
||||||
|
|
||||||
The running FastAPI server still reports `package_mutation_supported=false`
|
The running FastAPI server still reports `package_mutation_supported=false`
|
||||||
because dependency-manager operations are not executed inside request handlers.
|
because dependency-manager operations are not executed inside request handlers.
|
||||||
@@ -449,12 +461,26 @@ The trusted mutation boundary is the operator CLI. This keeps the interpreter,
|
|||||||
npm dependency graph, frontend bundle, migrations, and worker process set under
|
npm dependency graph, frontend bundle, migrations, and worker process set under
|
||||||
process-supervisor control.
|
process-supervisor control.
|
||||||
|
|
||||||
Frontend module loading currently uses the build-time package graph generated by
|
Frontend module loading primarily uses the build-time package graph generated by
|
||||||
the core WebUI host. Therefore installing or uninstalling a WebUI package
|
the core WebUI host. Installing or uninstalling a WebUI package therefore still
|
||||||
requires `npm install` plus a WebUI rebuild/reload. True remote runtime bundle
|
uses `npm install` plus a WebUI rebuild/reload by default. Core also exposes an
|
||||||
loading would need signed asset manifests, version compatibility checks, CSP
|
experimental hot remote-bundle path for modules that are enabled by the backend
|
||||||
rules, cache invalidation, and rollback at the asset-loader layer; it is a
|
but absent from the local WebUI package graph:
|
||||||
future deployment hardening track, not the default module installer path.
|
|
||||||
|
- `FrontendModule.asset_manifest` points at a JSON remote asset manifest.
|
||||||
|
- `asset_manifest_integrity` is an SRI-style hash for that manifest.
|
||||||
|
- `asset_manifest_signature` and `asset_manifest_public_key_id` allow the shell
|
||||||
|
to verify the manifest when a trusted browser key is registered on
|
||||||
|
`window.__GOVOPLAN_REMOTE_MODULE_KEYS__`.
|
||||||
|
- The remote asset manifest contract version is `1` and contains `moduleId`,
|
||||||
|
`entry`, `entryIntegrity`, and optional `moduleExport`.
|
||||||
|
- The browser fetches and verifies the manifest, fetches and verifies the entry
|
||||||
|
bundle, imports it dynamically, and then applies backend metadata before
|
||||||
|
adding the module's routes/nav/capabilities.
|
||||||
|
|
||||||
|
Unsigned/unhashed remote bundles are skipped. This keeps remote loading a
|
||||||
|
controlled deployment option rather than a replacement for release package
|
||||||
|
builds.
|
||||||
|
|
||||||
## Maintenance Mode
|
## Maintenance Mode
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user