control namespace
Shared control service contracts injected into generic command handlers.
Borrowed management request model produced by control request decoder.
Transport-neutral control exchange orchestration and shared request/response types.
Namespaces
Classes
- struct CommandDescriptor
- One static command table entry consumed by CommandRegistry/Dispatcher.
- class CommandRegistry
- Immutable-like view over currently registered command descriptors.
- struct ControlServices
- Narrow dependency bundle passed into command handlers.
- class Dispatcher
- Stateless command dispatcher over registry + shared services.
- struct ExchangeBuffers
- Caller-owned buffers used by exchange for decode/sign/encode work.
- class ExchangeGuard
- RAII guard representing ownership of the single in-flight exchange lock.
- struct ExchangeRequest
- One inbound transport-neutral management request.
- struct ExchangeResponse
- One outbound transport-neutral management response.
- class ExchangeService
- Transport-agnostic control exchange orchestrator.
- class IClock
- Abstract clock source used by shared control commands.
- class IDeviceIdentity
- Abstract device identity provider used by diagnostics endpoints.
- class IManagementNonceSource
- Rotating nonce source used for signed-write freshness.
- class InterfaceListCommands
- Control adapter that exposes the currently registered interface names.
- class ISystemRebootController
- Abstract reboot controller used by
/system/reboot. - class ISystemStatusSource
- Abstract source for
/system/*payload fields. - struct NonceSnapshot
- Snapshot of current management nonce state.
- struct Request
- Borrowed decoded management request passed to command handlers.
- struct RequestArgView
- One decoded request argument (
key=value). - struct RequestValueView
- Borrowed view of one decoded scalar request value.
- class ResponseWriter
- Streaming CBOR map writer for control responses.
Enums
- enum class AuthPolicy: uint8_t { PublicRead = 0, Signed = 1, AdminOnly = 2 }
- Authorization policy attached to one control command descriptor.
- enum class ErrorCode: uint64_t { InvalidRequest = 1001u, Unauthorized = 1002u, BootstrapRequired = 1101u, InvalidBootstrapCode = 1102u, BootstrapAlreadyCompleted = 1103u, BootstrapKeyFlagsInvalid = 1104u, InvalidBootstrapRequest = 1105u, NonceRequired = 1201u, NonceInvalid = 1202u, NonceStale = 1203u, NotFound = 1404u, Busy = 1429u, ServiceUnavailable = 1503u }
- Logical control-layer error codes encoded into management responses.
- enum class MatchMode: uint8_t { Exact = 0, Prefix = 1 }
- Path matching mode used by dispatcher lookup.
- enum class RequestValueType: uint8_t { Bool = 0, Int64 = 1, UInt64 = 2, Double = 3, String = 4, Bytes = 5 }
- Scalar types accepted by control request argument parser.
- enum class ResponseSigningPolicy: uint8_t { Never = 0, WhenPossible = 1, Required = 2 }
- Policy controlling whether successful responses should be COSE-signed.
- enum class SystemView: uint8_t { Status, Tasks, Memory }
- Named system telemetry views exposed through
/system/*.
Typedefs
-
using HandlerFn = void(*)(const Request&request, ResponseWriter*out_
response, const ControlServices&services, void*user_ctx) - Signature of one control command handler callback.
Functions
-
template<typename Section>auto apply_section_update_wire(const Request& request, const std::string_view path, ResponseWriter*const out_response, Section& section) -> bool
- Applies request update and returns wire
kind=data+30=valuesenvelope. -
auto cbor_to_config_value(const prf::
cbor:: Value& in, const prf:: config:: SectionKeySpec*const key_spec, prf:: config:: ConfigValue*const out) -> bool - Converts a decoded CBOR scalar into the matching config storage value.
-
auto cbor_to_config_value(const prf::
cbor:: Value& in, prf:: config:: ConfigValue*const out) -> bool -
auto config_to_cbor_value(const prf::
config:: ConfigValue& in, const prf:: config:: SectionKeySpec*const key_spec, prf:: cbor:: Value*const out) -> bool - Converts a stored config value into a CBOR value for control replies.
-
auto config_to_cbor_value(const prf::
config:: ConfigValue& in, prf:: cbor:: Value*const out) -> bool -
template<typename Section>auto encode_section(const Section& section, prf::
cbor:: StringKeyValueMap*const out) -> bool - Encodes the current committed view of a config section into a flat CBOR map.
-
template<typename Section>auto encode_section_wire_values(const Section& section, ResponseWriter*const out) -> bool
- Encodes section values into currently-open wire map (
key -> scalar). - auto find_arg(const Request& request, const std::string_view key) -> const RequestValueView*
- Returns a pointer to a decoded request argument by name.
- auto format_indexed_key(std::span<char> buffer, std::string_view prefix, size_t index, std::string_view suffix, std::string_view* out_key) -> bool
- Formats
prefix + index + suffixinto caller scratch buffer. - auto make_default_commands() -> std::array<CommandDescriptor, kDefaultCommandCount>
- Returns the built-in transport-agnostic control commands.
- auto read_bool_optional(const Request& request, const std::string_view key, bool*const out_value, bool*const out_present) -> bool
- Reads an optional boolean argument.
-
template<size_t N>auto read_fixed_bytes_arg(const Request& request, const std::string_view key, std::array<uint8_t, N>*const out) -> bool
- Reads a required byte-string argument into a fixed-size output buffer.
-
auto request_to_config_value(const prf::
control:: RequestValueView& in, const prf:: config:: SectionKeySpec*const key_spec, prf:: config:: ConfigValue*const out) -> bool - Converts a borrowed request scalar into the matching config storage value.
-
auto request_to_config_value(const prf::
control:: RequestValueView& in, prf:: config:: ConfigValue*const out) -> bool - auto to_string(const ErrorCode code) -> const char*
- Converts ErrorCode to stable wire-visible string token.
- auto try_acquire_exchange_guard() -> ExchangeGuard
- Attempts to acquire process-global single-flight exchange lock.
Variables
- size_t kControlMaxCollectionCount constexpr
- Hard safety cap for array-like response collections (schema/list payloads).
- size_t kControlMaxKeyBytes constexpr
- Maximum UTF-8 bytes in one argument key.
- size_t kControlMaxListItemCount constexpr
- Maximum list item count in one list response.
- size_t kControlMaxPathBytes constexpr
- Maximum UTF-8 bytes in
pathfield. - size_t kControlMaxRequestFields constexpr
- Maximum number of decoded request arguments accepted by parser.
- size_t kControlMaxSchemaDescriptorCount constexpr
- Maximum schema descriptor count in one schema catalog response.
- size_t kControlMaxSchemaFieldCount constexpr
- Maximum schema field count in one schema target response.
- size_t kControlMaxTextScratchBytes constexpr
- Generic scratch budget for short formatted keys/text in handlers.
- size_t kControlMaxWireBytes constexpr
- Maximum number of bytes for one inner control payload.
- size_t kDefaultCommandCount constexpr
Enum documentation
enum class prf::
Authorization policy attached to one control command descriptor.
| Enumerators | |
|---|---|
| PublicRead |
Command can be executed without signature. |
| Signed |
Request must be signed by any trusted key. |
| AdminOnly |
Request must be signed by a trusted key with admin role. |
enum class prf::
Logical control-layer error codes encoded into management responses.
| Enumerators | |
|---|---|
| InvalidRequest |
Request cannot be decoded or violates command argument contract. |
| Unauthorized |
Request is authenticated but does not satisfy command authorization policy. |
| BootstrapRequired |
Device is in bootstrap mode and normal owned-runtime command is unavailable. |
| InvalidBootstrapCode |
Bootstrap code did not match current device bootstrap code. |
| BootstrapAlreadyCompleted |
Bootstrap install is no longer allowed because device is already owned. |
| BootstrapKeyFlagsInvalid |
Bootstrap request requested invalid key flags. |
| InvalidBootstrapRequest |
Bootstrap request metadata or signature contract is invalid. |
| NonceRequired |
Signed write request is missing required nonce metadata. |
| NonceInvalid |
Signed request carried malformed nonce metadata. |
| NonceStale |
Signed write request used a stale device nonce. |
| NotFound |
Requested command path does not exist in current registry. |
| Busy |
Another request is currently in-flight and exchange guard rejected this one. |
| ServiceUnavailable |
Dependency/service is unavailable or reply budget was exceeded. |
enum class prf::
Path matching mode used by dispatcher lookup.
| Enumerators | |
|---|---|
| Exact |
Handler is selected only when request path exactly equals descriptor path. |
| Prefix |
Handler is selected when request path starts with descriptor path. |
enum class prf::
Scalar types accepted by control request argument parser.
enum class prf::
Policy controlling whether successful responses should be COSE-signed.
| Enumerators | |
|---|---|
| Never |
Never sign response payloads. |
| WhenPossible |
Sign when input/request context allows signing without overflow. |
| Required |
Require signature, otherwise fail with control error. |
enum class prf::
Named system telemetry views exposed through /system/*.
Typedef documentation
using prf::
Signature of one control command handler callback.
out_response is caller-owned and must be filled only through ResponseWriter.
Function documentation
#include <control/config_helpers.hpp>
template<typename Section>
bool prf::
Applies request update and returns wire kind=data + 30=values envelope.
bool prf::
Converts a decoded CBOR scalar into the matching config storage value.
bool prf::
bool prf::
Converts a stored config value into a CBOR value for control replies.
bool prf::
#include <control/config_helpers.hpp>
template<typename Section>
bool prf::
Encodes the current committed view of a config section into a flat CBOR map.
#include <control/config_helpers.hpp>
template<typename Section>
bool prf::
Encodes section values into currently-open wire map (key -> scalar).
const RequestValueView* prf::
Returns a pointer to a decoded request argument by name.
bool prf::
Formats prefix + index + suffix into caller scratch buffer.
Returns false when output does not fit.
std::array<CommandDescriptor, kDefaultCommandCount> prf::
Returns the built-in transport-agnostic control commands.
These commands expose shared process-level functionality such as schema, healthcheck and reboot, while module-owned command families are registered separately by the scenario.
bool prf::
Reads an optional boolean argument.
Missing arguments are reported via out_present=false and are not treated as an error. Type mismatch returns false.
#include <control/request_args.hpp>
template<size_t N>
bool prf::
Reads a required byte-string argument into a fixed-size output buffer.
Returns false when argument is missing, type does not match, or byte length differs from N.
bool prf::
Converts a borrowed request scalar into the matching config storage value.
Note: string/bytes variants intentionally materialize owning storage. Config layer owns these values by contract, so this boundary keeps control exchange borrowed while allowing config persistence semantics.
bool prf::
const char* prf::
Converts ErrorCode to stable wire-visible string token.
ExchangeGuard prf::
Attempts to acquire process-global single-flight exchange lock.
Returns an empty guard when lock is already held by another request.
Variable documentation
size_t prf::
Hard safety cap for array-like response collections (schema/list payloads).
size_t prf::
Maximum UTF-8 bytes in one argument key.
size_t prf::
Maximum list item count in one list response.
size_t prf::
Maximum UTF-8 bytes in path field.
size_t prf::
Maximum number of decoded request arguments accepted by parser.
size_t prf::
Maximum schema descriptor count in one schema catalog response.
size_t prf::
Maximum schema field count in one schema target response.
size_t prf::
Generic scratch budget for short formatted keys/text in handlers.
size_t prf::
Maximum number of bytes for one inner control payload.
size_t prf::