Enum DatabaseOp 

pub enum DatabaseOp {
    BeginTransaction {
        stores: Vec<String>,
        scope: ReadScope,
    },
    SubmitSignedEntry {
        entry: Box<Entry>,
    },
    GetVerifiedTips,
    GetStoreState {
        store: String,
    },
    GetStoreEntries {
        store: String,
        tips: Vec<ID>,
        scope: ReadScope,
    },
    GetStoreTipsUpToEntries {
        store: String,
        up_to: Vec<ID>,
    },
    ComputeMergeState {
        store: String,
        entry_ids: Vec<ID>,
    },
    GetEntry {
        id: ID,
    },
    GetCachedCrdtState {
        store: String,
        key: ID,
    },
    CacheCrdtState {
        store: String,
        key: ID,
        blob: Vec<u8>,
    },
    SetInstanceMetadata {
        metadata: Box<InstanceMetadata>,
    },
}

Database-level operations the server runs on its local Database.

The target database (root_id) and identity claim travel in AuthenticatedDbRequest; the per-tree gate runs against root_id (Read for begin/get*, Write for submit, Admin-on-_databases for set-metadata) before dispatch.

Variants

BeginTransaction

Acquire everything needed to build+sign a transaction locally for the given stores, with parents drawn from scope’s projection. Gate Read.

Fields

stores: Vec<String>

scope: ReadScope

SubmitSignedEntry

Submit a finished, client-signed entry. The server stores it Unverified and runs its own verification pass — it never trusts a submitted entry’s claimed validity. Submit is verification-gated, not session-gated: it requires only an authenticated connection, and the per-tree permission gate is not applied (the server’s verification pass against the tree’s pinned auth is the boundary). The required_permission() value below is advisory only for this variant.

Fields

entry: Box<Entry>

GetVerifiedTips

The database’s Verified-frontier tips (server runs Database::snapshot on its local instance). Gate Read.

GetStoreState

Server-materialized merged state of an unencrypted store, against the server’s own Verified frontier. Gate Read.

Fields

store: String

GetStoreEntries

Ordered (by subtree height), verified, opaque store entries reachable from tips in scope — the universal primitive, incl. encrypted stores (client decrypts+merges locally). Gate Read.

Fields

store: String

tips: Vec<ID>

scope: ReadScope

GetStoreTipsUpToEntries

Subtree tips reachable from given main-tree entry IDs. Used by Transaction internals to discover store entries.

Fields

store: String

up_to: Vec<ID>

ComputeMergeState

Lowest common ancestor + path to tip entries in a store DAG. Fused to one RPC: the only caller always calls find_merge_base then get_path_from_to in sequence.

Fields

store: String

entry_ids: Vec<ID>

GetEntry

Fetch a single entry by id (gated post-fetch by its owning tree). Gate Read.

Fields

id: ID

GetCachedCrdtState

Look up a cached materialized CRDT state. Server returns the previously CacheCrdtState-submitted blob for (session user, root_id, key, store), or None on miss. Gate Read.

Used by RemoteBackend::get_cached_crdt_state as the second tier of a two-level cache: the client first checks its own per-connection LRU, then falls back to this RPC. The daemon’s cache is the cross-session source of truth.

Fields

store: String

key: ID

CacheCrdtState

Stash a client-computed materialized CRDT state for (session user, root_id, key, store). Gate Read.

Per-user trust model: the daemon stores whatever bytes the authenticated user sends, scoped to their user_uuid. The blob is opaque to the daemon — ciphertext for encrypted stores, plaintext for plain ones — and the daemon performs no verification of the merge result. The trust boundary is the same one the client would have with a local-only cache: only the submitting user can poison their future reads on this slot.

Tip-based natural expiry: keys are derived from tip sets (see create_merge_cache_id), so an entry whose tip set has advanced is simply unreachable — future reads miss against a fresh key. Stale entries fall out of the LRU under memory pressure rather than via explicit invalidation.

Fields

store: String

key: ID

blob: Vec<u8>

SetInstanceMetadata

Rewrite the daemon’s instance metadata (system-DB pointers). Gated by Admin on _databases (a daemon-global system tree, resolved server-side — not the request’s root_id), so the per-tree gate is special-cased for this variant in the dispatcher. Boxed to keep the enum’s stack footprint small — InstanceMetadata dominates its size.

Fields

metadata: Box<InstanceMetadata>

Implementations

impl DatabaseOp

pub fn required_permission(&self) -> Permission

Minimum permission the caller needs against the target database.

Only SubmitSignedEntry mutates; everything else is a read. Every read variant is tree-scoped via the request’s root_id, so the per-tree gate always runs for reads — there is no tree-less fall-through. SubmitSignedEntry is the exception: the server skips the per-tree gate for submit and relies on its own verification pass, so the Write(0) returned here is advisory only for that variant (kept for completeness / non-submit callers that inspect it).

Trait Implementations

impl Clone for DatabaseOp

fn clone(&self) -> DatabaseOp

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for DatabaseOp

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for DatabaseOp

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Serialize for DatabaseOp

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.