Expand description
CrateStack server facade — Postgres (sqlx) + Axum.
This crate is the server-side slice of the framework. It re-exports the shared schema / parser / policy / SQL surface plus the sqlx (Postgres) runtime, Axum HTTP bindings, and the generated Rust client runtime.
It deliberately does not depend on cratestack-rusqlite. That keeps
libsqlite3-sys out of the dep graph, so consumers can use the official
sqlx umbrella crate (which optionally declares sqlx-sqlite and trips
Cargo’s links = "sqlite3" collision rule) without needing a local
sqlx-shim workaround.
For embedded / mobile / wasm targets, depend on cratestack-sqlite
instead. The two crates are strictly disjoint by design.
Schema macros emit ::cratestack::* paths, so consumers rename this
crate via Cargo’s package = field:
[dependencies]
cratestack = { package = "cratestack-pg", version = "0.4" }Re-exports§
pub use chrono;pub use cratestack_client_rust as client_rust;pub use regex;pub use serde;pub use serde_json;pub use tracing;pub use uuid;pub use cratestack_axum::axum;
Modules§
- audit
- Audit log primitives.
- axum
- axum is an HTTP routing and request-handling library that focuses on ergonomics and modularity.
- batch
- Batch envelope.
- context
- Request-scoped context: authenticated identity, structured
principal, transport extensions, plus the
AuthProvidertrait that auth middlewares implement. - envelope
- Signed envelope (HMAC-SHA-256).
- error
CoolError— the framework’s error type, its 4xx/5xx HTTP mapping, and the public response envelope clients see on failure.- events
- Model-event bus: typed
created/updated/deletedenvelopes that procedure handlers can subscribe to. - headers
- Header helpers used by axum-bound handlers: optimistic-locking ETag
parsing/emission, W3C
traceparentextraction, RFC 7239Forwardedclient-IP extraction, and context enrichment that bundles those. - idempotency
- Idempotency-key middleware.
- json
- Schema-declared
Jsoncolumns need a model-struct field type that’s the same on every backend so the same struct compiles on server and on embedded (includingwasm32-unknown-unknown, which can’t depend on sqlx). - page
- Generic paginated-page envelope used by every
listroute. The shape mirrors what generated clients consume. - projection
- query
- Query-string parsing for axum-bound handlers: percent-decoded pair
extraction and the structured filter expression grammar
(
?where=...) used by macro-generatedlistendpoints. - ratelimit
- Per-principal rate limiting.
- rpc
- Runtime primitives for the
transport rpcgeneration style. - schema
- Schema IR — the parsed shape of a
.cstackfile. Every IR node carries source-span back-pointers so consumers can map errors to positions in the original text. - sqlx
- Compatibility shim that exposes a
sqlx-shaped API by re-exporting fromsqlx-core+sqlx-postgresdirectly. - validators
- Field-level validators.
- value
- Backend-agnostic JSON-shaped value used throughout the framework (auth claims, audit payloads, RPC error details, schema config).
Macros§
- include_
client_ schema - HTTP client schema: model/input/procedure stubs for talking to a server
over the wire. No DB, no router, no FromRow impls. Renamed from
include_client_macro!in 0.3.0. - include_
embedded_ schema - Embedded ORM schema: rusqlite backend only. Compiles to native and to
wasm32-unknown-unknown(viasqlite-wasm-rs). No sqlx, no axum, no procedures. Local apps that don’t need an RPC surface use this. - include_
server_ schema - Full server schema: sqlx Postgres backend,
Cratestackruntime, axum router, procedures, events. Passdb = Postgres(only value currently supported; MySQL / SQLite-via-sqlx will land in a future release).
Structs§
- Aggregate
- Aggregate
Column - Aggregate
Count - Attribute
- Audit
Actor - Audit
Event - Auth
Block - Batch
Item Error - Public, safe-to-expose shape of a per-item failure. Mirrors
crate::CoolErrorResponsewithout the optionaldetailsfield — batch callers asking for per-item detail can repeat the operation singly against the failed item to get the full error envelope. - Batch
Item Result - Per-item result inside a
BatchResponse. Theindexis the item’s position in the original request, so clients can pair results with inputs even after server-side reordering (e.g. parallelbatch_getfetches in the future). - Batch
Request - Wire envelope for
POST /<model>/batch-*request bodies. Holds the items in a single field so the envelope can grow (e.g. a futureclient_request_id) without breaking deserialization. - Batch
Response - Wire envelope returned by every batch route. Always
200 OKat the HTTP layer; inspectsummary.err(or scanresults) to surface per-item failures to the user. - Batch
Summary - Summary counts attached to every
BatchResponseso callers can branch on aggregate status without scanning the result list. - Coalesce
Expr - Left-hand operand of a coalesce-based filter — chain a comparator
method to turn it into a
FilterExpr. - Coalesce
Filter COALESCE(col_a, col_b, ...) <op> <value>— left-hand expression is the first non-null among the listed columns; right-hand side is a bound value via the usualFilterValueenvelope. Lets schemas express the “ranked-fallback compare” pattern that shows up in outbox / scheduler tables, where a single row carries several time columns and the dispatcher wants the earliest non-null one.- Codec
Set - Config
Block - Config
Entry - Cool
Auth Identity - Cool
Context - Cool
Error Response - Cool
Event Bus - Cool
Event Envelope - Create
Default - Create
Record - Datasource
- DbError
Info - Structured information extracted from a driver-level database error.
- Delete
Many - Delete
Record - Enum
Decl - Enum
Variant - Field
- Field
Ref - Filter
- Find
Many - Find
Many With - Find
Unique - Hmac
Envelope - HMAC-SHA-256 backed envelope. Sealed messages are self-describing
CBOR maps: signature recipients can decode the envelope, fetch the
key by
kid, and verify without out-of-band coordination. - InMemory
Nonce Store - In-memory nonce store. One mutex; the working set is bounded by the clock-skew window — a 5-minute skew at 10k req/s caps at ~3M entries, which is fine. Production multi-replica deployments swap in Redis.
- Json
- Json for json and jsonb fields
- Json
Text Path - Left-hand operand of a
json_get_textfilter — chain a comparison method (.eq,.lt,.is_null, …) to produce aFilterExpr. - Migration
- A single migration step. The runner applies any rows not yet
present in
cratestack_migrations.downis recorded but never called — irreversible-by-default is the safe banking posture. - Migration
State - Mixin
Decl - Model
- Model
Column - Model
Delegate - Model
Descriptor - Model
Event - Multicast
Audit Sink - Fan an audit event out to multiple sinks. Errors from any
individual sink are aggregated into
CoolError::Internalso a single failing downstream does not silently swallow problems with the others. - NoEnvelope
- Pass-through envelope used when transport-layer signing is not required.
- Noop
Audit Sink - Default sink that does nothing. The in-database audit table is treated as authoritative; downstream consumers are added by wrapping a different sink (or composing several).
- OpDescriptor
- Wire-shape of a single op in a
transport rpcschema. Seedocs/design/rpc-transport.mdfor the full design — in short, an op is the dispatch unit shared by every RPC binding (HTTP unary, HTTP batch, HTTP stream, WebSocket). The macro emits oneOpDescriptorper CRUD verb and per procedure whenSchema.transport == TransportStyle::Rpc. - Order
Clause - Owned
Schema Summary - Page
- Page
Info - Principal
Context - Principal
Facet - Procedure
- Procedure
Arg - Procedure
Policy - Projected
Find Many - Projected
Find Unique - Projection
- Result of a
.select(...)-projected read. Holds the model with only the selected columns populated — non-selected fields carry their type’sDefault::default()value (""forString,0for integers,NoneforOption<T>, etc.). - Read
Policy - Relation
Filter - Relation
Include - Typed handle for an
.include(...)call on a query builder. Carries everything the runtime needs to issue the side-load query for a to-one relation: a function pointer that extracts the FK value from a parent row, and a static descriptor of the related model. - Request
Context - Route
Transport Capabilities - Wire-level capabilities for one route under a REST binding.
- Route
Transport Descriptor - Schema
- Schema
Error - Schema
Summary - Scoped
Aggregate - Scoped
Aggregate Column - Scoped
Aggregate Count - Scoped
Create Record - Scoped
Delete Many - Scoped
Delete Record - Scoped
Find Many - Scoped
Find Many With - Scoped
Find Unique - Scoped
Model Delegate - Scoped
Projected Find Many - Scoped
Projected Find Unique - Scoped
Update Many - Scoped
Update Many Set - Scoped
Update Record - Scoped
Update Record Set - Sealed
Envelope - Selection
Query - Source
Span - Spatial
Point - Builder returned by
crate::pointfor assembling a spatial filter. Holds nothing but the lat/lng pair until a comparator is chained. - SqlColumn
Value - Sqlx
Idempotency Store - Static
KeyProvider - In-memory
KeyProviderfor tests and single-tenant deployments. Banks running real workloads bring a backed implementation (KMS, Vault, HSM). - Type
Decl - TypeRef
- Update
Many - Update
Many Set - Update
Record - Update
Record Set - View
- View
Delegate - View delegate for views that declared an
@idfield. Exposesfind_many+find_unique(andrefresh()on materialized views). Views declared@@no_uniquegetViewDelegateNoUniqueinstead, which omitsfind_uniqueat the type level so a call likeruntime.views().<v>().find_unique(())is a compile error rather than a runtime “WHERE = $1” footgun. - View
Delegate NoUnique - View delegate for views declared
@@no_unique. Exposes onlyfind_many—find_uniqueandrefresh()are absent at the type level because: - View
Descriptor - View
Source
Enums§
- Audit
Operation - Batch
Item Status - Either a successful per-item outcome (
Ok) or a per-item failure (Error). Serializes as a tagged enum with the discriminant instatus: - Conflict
Target - Conflict target for an upsert. Defaults to the model’s primary key
(matching the previous PK-only behavior).
Columnslets callers upsert on an arbitrary unique tuple — most commonly a natural key that’s distinct from the PK (e.g.(owner_id, provider)on a per-owner-and-provider settings row, or(pairing_id, slot)on a per-slot envelope). - Cool
Error - Create
Default Type - Filter
Expr - Filter
Op - Json
Filter - JSON / JSONB filter predicates. Two flavors:
- Migration
Status - Model
Event Kind - Null
Order - Where NULLs sort relative to non-NULL values. PostgreSQL’s default is
NULLS LASTforASCandNULLS FIRSTforDESC; SQLite’s default isNULLS FIRSTfor both. CrateStack pins the framework default toNULLS LASTso listings stay deterministic across backends and so soft-deleted rows (typedOption<DateTime>that surface asNonefor visible rows) don’t muscle their way to the top of every listing. Override per-clause viaOrderClause::nulls_firstwhen scheduler / outbox queries want fresh-as-null tasks at the head of the queue. - OpKind
- Policy
Expr - Policy
Literal - Procedure
Kind - Procedure
Policy Expr - Procedure
Policy Literal - Procedure
Predicate - Query
Expr - Read
Predicate - Relation
Quantifier - Sort
Direction - Spatial
Filter - PostGIS spatial filter primitives. v1 ships two ops that cover the “is point inside this zone” / “is this point within radius of that zone” cases — the rest of the ST_* surface can land on demand.
- SqlValue
- Transaction
Isolation - Transaction isolation level requested by a procedure via
@isolation(...). Mirrors the PostgreSQL spec: lower variants tolerate more anomalies, higher ones cost more under contention. Banks running multi-row updates (transfers, postings) typically pickSerializableand pair it with retry-on-serialization-failure. - Transport
Style - Wire-shape the schema generates for. Picked once per schema (via
the top-level
transport rest|rpcdirective) so generated servers and clients only carry one binding’s worth of surface. - Type
Arity - Value
Constants§
- AUDIT_
TABLE_ DDL - DDL for the audit log table. Banks typically run migrations
through their own tooling — this DDL is exposed so the
crate::SqlxRuntimecan idempotently ensure the table exists during bootstrap. - BATCH_
MAX_ ITEMS - Default upper bound on items in a single batch request. Server
backends enforce this before any SQL runs and surface
CoolError::Validationon the outerResultwhen exceeded. The cap is identical for all five batch operations; deviating per-op would invite footguns wherebatch_getaccepts a list thatbatch_createof the same length rejects. - CBOR_
SEQUENCE_ CONTENT_ TYPE - MIGRATIONS_
TABLE_ DDL
Traits§
- Audit
Sink - Pluggable audit sink. Implementations fan audit events out to
downstream systems (Kafka topics, Redis pubsub, HTTP webhooks, S3
buckets) for long-term retention or SIEM ingestion. The in-database
audit table written by
cratestack_sqlxremains the canonical record; sinks are best-effort projections. - Auth
Provider - Cool
Codec - Cool
Envelope - Create
Model Input - From
Partial PgRow - Companion to
sqlx::FromRowthat decodes a row projected by.select(...)— i.e. a row where only the named columns are present in the SQLSELECTlist. Non-selected fields populate to their type’sDefault::default()value. - Http
Transport - Into
Column Name - Anything that can name a single SQL column. Lets
coalesceaccept both bare&'static strcolumn names and typedFieldRefhandles, so callers don’t have to choose between schema-rooted typing and ad-hoc strings at the call site. - Into
SqlValue - KeyProvider
- Resolves signing keys by kid (key id). Banks running multi-tenant or rotating keysets implement this so the envelope code never has to know the storage mechanism. Implementations must be constant- time for not-found vs wrong-tenant errors — never use the error message to leak whether a key id exists.
- Model
Primary Key - Accessor for a model’s primary key. Implemented by the macro on every
generated model struct so the batch operations can pair returned rows
back to the position of their input PK in the request, producing a
BatchItemResultwith the rightindexand aNotFoundentry for any requested PK that didn’t come back. - Nonce
Store - Tracks the nonces of sealed envelopes that have already been verified inside the clock-skew window, so a captured-and-replayed request gets rejected the second time. Banks running multi-replica deployments back this with Redis so the rejection holds cluster-wide.
- Procedure
Args - Projection
Decoder - Read
Source - Anything a read-path query builder needs to plan and emit SQL.
- Update
Model Input - Upsert
Model Input - Input shape for the upsert primitive —
INSERT … ON CONFLICT (<pk>) DO UPDATE ….sql_values()must include the primary-key column (so the backend can target the conflict), andprimary_key_value()exposes the PK separately so the runtime can issue aSELECT … FOR UPDATEbefore the upsert to driveCreatedvs.Updatedevent / audit semantics. - Write
Source - Anything a write-path query builder needs on top of
ReadSource— create defaults, update / delete policy slots, audit + retention + versioning state, upsert column list, emitted event topics.
Functions§
- apply_
pending - Apply every pending migration in the input slice in order. Each runs in its own transaction; checksum drift aborts the whole apply (banks treat drift as a release-process failure for humans, not a silent overwrite).
- authorize_
procedure - canonical_
request_ string - Canonical string assembled by the envelope signing path:
METHOD\nPATH\nQUERY\nCONTENT-TYPE\nbody-hex. Both seal and verify reconstruct the same string from the same inputs. - coalesce
- Build a
COALESCE(...)left-hand operand. The returnedCoalesceExprcarries the column list; chain a comparator method (.lte,.eq,.is_null, …) to produce aFilterExprthe query builders can consume. - cool_
error_ from_ sqlx - Convert a
sqlx::ErrortoCoolError, preserving structured database error information when available. - create_
record_ with_ executor - decode_
codec_ request - decode_
transport_ request_ for - encode_
codec_ response - encode_
codec_ result - encode_
codec_ result_ with_ status - encode_
transport_ result - encode_
transport_ result_ with_ status - encode_
transport_ result_ with_ status_ for - encode_
transport_ sequence_ result - encode_
transport_ sequence_ result_ with_ status - encode_
transport_ sequence_ result_ with_ status_ for - enrich_
context_ from_ headers - Enrich a
CoolContextwith the request id (fromtraceparent) and the client IP (fromForwarded/X-Forwarded-For). Malformedtraceparentheaders are silently ignored here — the auth/header-validation layer is the right place to reject them, not the enrichment seam. - ensure_
migrations_ table - event_
topic - find_
duplicate_ position - Detect duplicate keys in a batch input, loud-failing the whole request when found. Returns the first duplicate (by position) so the surfaced error can name a specific offending index. Linear- time, allocation-only in proportion to the input length.
- install_
fips_ crypto_ provider - Crypto provider selection — banks running on FIPS-validated hardware
enable the
crypto-aws-lc-rsfeature. The function below surfaces an error early when the feature is missing so the wrong build can’t slip into a regulated production cluster. - parse_
client_ ip - Extract the most-specific client IP available from the request headers,
falling back to none. Prefers
Forwarded(RFC 7239) over the legacyX-Forwarded-For. Banks running behind a single trusted L7 take the leftmost entry; deeper proxy chains must verify and rewrite at the edge. - parse_
cuid - parse_
emit_ attribute - parse_
filter_ expression - parse_
if_ match_ version - Parse an
If-Matchheader carrying a strong ETag of the form"<int>". ReturnsNoneif the header is absent. Returns an error if the header is present but malformed (weak validators, non-integer payloads, etc.). - parse_
query_ pairs - parse_
schema - parse_
schema_ file - parse_
schema_ named - parse_
traceparent - Extract a W3C
traceparentheader, returning the trace-id portion when the header is present and well-formed. ReturnsOk(None)when absent — callers should mint their own request id in that case so every audit row carries something. The trace-id is the second hyphen-delimited segment per W3C Trace Context; this implementation does not validate the flags/version segments since banks usually rebuild traceparent at the edge anyway. - point
- Geographic point (WGS-84 lng/lat). The naming follows the PostGIS
ST_MakePoint(x, y)convention —lngis the X axis (longitude),latis the Y axis (latitude). Don’t accidentally swap them; the engine has no way to detect it and your filter will silently match points across the world. - run_
in_ isolated_ tx - Begin a transaction at the requested isolation level, run
bodyagainst the live transaction, and commit. On40001(serialization_failure) or40P01(deadlock_detected) the transaction is rolled back and the body runs again, up toMAX_RETRIES_DEFAULTtimes. Other errors propagate immediately. - run_
in_ isolated_ tx_ with_ retries - Same as
run_in_isolated_txbut with a caller-chosen retry budget. Banks running long-tail contended writes sometimes want a higher cap (5–10); single-row CAS workflows can drop to 1 to fail fast. - set_
version_ etag - Insert an
ETagheader onto a response, formatted as a strong validator over the integer optimistic-locking version. - status
- Inspect each migration in
migrationsagainstcratestack_migrationsand report which are pending / applied / drifted. Use beforeapplyto surface drift to the operator without changing state. - update_
record_ with_ executor - validate_
codec_ request_ headers - validate_
codec_ response_ headers - validate_
email - Pragmatic email check: requires exactly one
@, non-empty local and domain parts, at least one.in the domain, and no whitespace. Not a full RFC 5322 grammar — that grammar admits forms (quoted local parts, IP literals) banks rarely accept anyway. Reject early; let real KYC flows do deeper validation. - validate_
iso4217 - ISO 4217 currency codes are 3 ASCII uppercase letters. We do not enforce the registered set here — that table churns and is downstream policy. Banks typically pin allowed currencies via a separate allow-list anyway.
- validate_
length - validate_
range_ decimal - Decimal-typed
@rangeenforcement. The parser accepts integer bounds (@range(min: 0, max: 100)) on both Int and Decimal fields; the i64 bounds are promoted to Decimal here so monetary fields can declare the same shape as integer counters. Banks routinely write things likeamount Decimal @range(min: 0)to forbid negative amounts at the framework layer — without this, the validator silently no-ops and out-of-range values reach the database. - validate_
range_ i64 - validate_
transport_ request_ headers - validate_
transport_ request_ headers_ for - validate_
transport_ response_ headers - validate_
transport_ response_ headers_ for - validate_
uri
Type Aliases§
- Cool
Body - Body bytes carried through the transport layer.
- Cool
Event Future - Decimal