docs/architecture/crate-boundaries.md
These rules apply to architecture-migration PRs linked to
rustfs/backlog#660.
Every PR must declare exactly one type:
docs-onlytest-onlycontractapi-extractionpure-moveconsumer-migrationdependency-migrationsecurity-changebehavior-changeci-gateDo not mix directory movement, security tightening, and behavior changes in one PR.
Contract crates must stay below implementation crates. Initial forbidden edges:
storage-api -> ecstoresecurity-governance -> rustfsextension-schema -> rustfsextension-schema -> ecstoreExisting migration checks live in:
scripts/check_layer_dependencies.shscripts/check_architecture_migration_rules.shExtend these guardrails instead of adding a parallel system.
Before pushing any PR branch, record three expert reviews in the task notes:
| Expert | Required focus |
|---|---|
| Quality/architecture | Structure, naming, dependency direction, PR type, scope, and over-abstraction risk |
| Migration preservation | Startup order, readiness, quorum, reader semantics, AppContext/global fallback, notify/audit lifecycle, IAM/KMS boundaries, and compatibility |
| Testing/verification | Focused tests, regression tests, commands run, missing coverage, and whether tests are forcing business-logic drift |
Push is allowed only when all three experts return pass or
pass-with-nonblocking-follow-up. Any blocker prevents push until the issue is
fixed and the relevant review is repeated.
Temporary compatibility code that must be removed later must include a searchable source comment and a cleanup-register entry.
Use this source-comment format:
// RUSTFS_COMPAT_TODO(API-005): keep old ecstore::store_api path during storage-api migration. Remove after all consumers use rustfs-storage-api.
Rules:
ecstore::config::{Config, KV, KVS} should move before extension config adapters
or config-schema work. First inventory consumers, then decide whether existing
crates/config is enough or whether a smaller model crate is required.