Experimental, WIP toolkit for on-chain operations built around an event-sourced state machine runtime.
WARNING: Not production-ready. Do not use on mainnet.
flowchart TD
B["bin/cli<br/>bin/rest-api<br/>(transport only)"] --> A["crates/app<br/>(typed assembly)"]
A --> O["crates/ops/*-op<br/>(typed program planning)"]
O --> SH["crates/states/*<br/>(typed executable states)"]
A --> R["crates/kernel/runtime<br/>(typed scheduler)"]
R --> K["crates/kernel/*<br/>(ids, values, spec, events, store, replay)"]
R --> ST["crates/storages/*<br/>(mfm-store implementations)"]
R --> TP["crates/transports/*<br/>(typed capability backends)"]
C["crates/core<br/>(primitives + keystore/crypto)"] --> SH
classDef transport fill:#e8f0ff,stroke:#2f5aa8,color:#0f2d63,stroke-width:1px;
classDef orchestration fill:#eefbe7,stroke:#3a7a2a,color:#1d4d12,stroke-width:1px;
classDef statecore fill:#ffe8cf,stroke:#a84b00,color:#5a2b00,stroke-width:3px;
classDef engine fill:#fff3df,stroke:#a66a00,color:#5a3a00,stroke-width:1px;
classDef storage fill:#f3ebff,stroke:#6d3da8,color:#39136b,stroke-width:1px;
classDef adapter fill:#e9f8f7,stroke:#0d7a77,color:#084645,stroke-width:1px;
class B transport;
class A,O orchestration;
class SH statecore;
class R,K,C engine;
class ST storage;
class TP adapter;
Typed state programs are the semantic executable surface. Ops plan typed programs, the certified typed execution spec is the runtime contract, states execute through typed effect runners and capability backends, and binaries stay transport-only.
- Event-sourced certified typed runs with append-only execution history.
- Crash-resume and replay-aware typed execution semantics.
- Content-addressed manifests, snapshots, facts, and outputs.
- Deterministic typed-state orchestration for ops/pipelines.
- Thin CLI and REST transport layers for stable automation surfaces.
- Security-hardened Ethereum keystore (tamper checks + signing utilities).
- Typed storage backends for run events and artifacts.
Start here:
- Design contract (source of truth):
docs/design.md - One-page overview + invariants:
docs/architecture.md - Current ops/states inventory:
docs/ops-and-states.md - Contribution rules / CI parity:
AGENTS.md - Code quality policy:
docs/code-quality.md
User-facing docs:
- CLI docs + output contract:
bin/cli/README.md - REST API docs:
bin/rest-api/README.md
Crate docs:
- Core primitives (keystore + config models):
crates/core/README.md - Typed runtime:
crates/kernel/runtime/README.md - Typed store contract:
crates/kernel/store/README.md - Typed replay:
crates/kernel/replay/README.md - Ops (proof op):
crates/ops/proof-op/README.md - Storage (typed run events, Postgres):
crates/storages/stream-store-postgres/README.md - Storage (typed artifacts, fs):
crates/storages/artifact-store-fs/README.md
Design notes / planning:
- Nixfied vendoring boundaries:
nixfied/VENDORED.txt - Framework upgrade notes:
docs/UPGRADE.md
Canonical entrypoints:
nix run .#help
nix run .#dev
nix run .#check
nix run .#test
nix run .#ci -- --mode basic --summary
nix run .#ci -- --mode audit --summary
nix run .#ci -- --mode parity --summary
nix run .#ci -- --mode full --summary
nix run .#ci -- --mode <mode> --summary--mode <value>is the canonical interface for workflow mode selection.- Shorthand
--<mode>is only accepted for simple mode names matching[a-z0-9-]+. - Dotted/complex modes must use
--mode(for example--mode parallel.smoke). - Unknown mode errors now print expected modes derived from the compiled model.
- Framework service hooks and model-level service tasks share the same launcher/runtime policy path, but this repo does not currently expose public
service::*::startapps. - Local supervisor wrappers in
nixfied/local/default.nix(up,down,svc-*) are intentional prod-only overrides. mfm::portfolio::snapshotis a strict json app that owns process/bootstrap orchestration, stdout envelope validation, and readiness mediation viaSVC_*hooks while forwarding validatedmfm_clipayloads unchanged.nix run .#helplists exposed core apps; invokemfm::portfolio::snapshotdirectly by name.- CI help/docs metadata comes from task/app metadata in
nixfied/project/module.nix, and is mirrored intoapps.<system>.ci.meta.nixfied.api. - Project scripts should prefer framework policy helpers and
task.ops.ready/task.ops.healthsurfaces over duplicating service policy or readiness logic. nix run .#devintentionally usesstart_service ... --cleanupfor deterministic teardown.
- Explicit shell app classes are now enforced:
typedfor strict text commands (check,test,build,mfm_rest_api,svc-*)jsonfor machine-output workflows (mfm::portfolio::snapshot, and other machine-output apps)batch-runnerforci
- Unknown args are rejected at the shell-contract boundary for typed/json commands before domain execution.
mfm::portfolio::snapshotpreservesmfm_clias the output-contract authority and returns the validatedmfm_clipayload unchanged.- CI now validates command class policies and runtime behavior (including unknown-arg probes and JSON-shape checks) in
shell-app-contracts.
- Runtime visibility:
nix run .#process::statusnix run .#process::status -- --allnix run .#process::runs -- --allnix run .#process::inspect -- <id>nix run .#process::stop -- --run-id <id>nix run .#process::stop -- --run-id <id> --scope slot-envnix run .#process::stop -- --run-id <id> --dry-run
- Service model surfaces:
nix run .#servicesnix run .#ready -- --service postgres --source localnix run .#ready -- --service reth --source localnix run .#health -- --service all
- Policy controls (optional overrides):
SERVICE_OWNER_SCOPE=ephemeral|persistentSERVICE_DISCOVERY_SCOPE=local|global
- Migration note:
SERVICE_REUSE_POLICYandMFM_KEEP_SERVICESare rejected bymfm::portfolio::snapshot.
- Preserve or tear down snapshot-managed services via
SERVICE_*policy envs onmfm::portfolio::snapshot; the direct-task launch and lifecycle handling remain internal.
nix build .#mfm-cli
./result/bin/mfm_cli --help
nix run .#mfm_rest_api
nix run .#mfm::portfolio::snapshot -- <ADDRESS>MIT (see LICENSE).