CommandBroker is the priority queue for tick-deferred commands. It is not the policy enforcement point and it is not the durable audit log.
External callers reach the broker only through iCommandService.submit(...), submit_batch(...), or submit_spawn(...). The gate checks authorization before commands are enqueued.
External caller
|
iCommandService.submit(ctx, world_id, cmd)
| guardrail_allow(cmd, ctx)
| audit accepted/queued state as required
v
iCommandBroker.enqueue(world_id, cmd)
|
SimulationService.step()
|
iCommandService.drain_and_apply(world_id, tick)
|
MutationService / WorldService
For RBAC, roles, and audit emission, see Command Gate and Audit Log.
Priority Queue¶
The broker maintains one priority queue per world, keyed by str(world_id).
Commands are ordered by (tick, priority, seq):
tick: future commands remain queued untildequeue_due(world_id, tick).priority: lower values execute first.seq: creation-order tie breaker.
The Command.__lt__ method defines this ordering.
Queue Methods¶
| Method | Behavior |
|---|---|
enqueue(world_id, cmd) |
Store one command |
enqueue_bulk(world_id, cmds) |
Store multiple commands atomically |
dequeue_due(world_id, tick) |
Pop commands where cmd.tick <= tick |
dequeue(world_id) |
Pop pending commands regardless of tick |
peek(world_id) |
Return pending commands without removing them |
ack(cmd_ids) |
Mark applied commands complete |
remove(world_id, cmd_id) |
Remove a pending command; preserve history/introspection |
get_pending_count(world_id=None) |
Queue depth |
get_history(world_id, limit=100) |
Queue history, not audit history |
clear(world_id=None) |
Clear pending queue state |
get_history is useful for queue diagnostics. User-facing history uses iAuditLog through iCommandService.get_audit_history(...).
Concurrency¶
Broker implementations must be safe for concurrent enqueue/dequeue from multiple coroutines. Bulk enqueue is all-or-nothing at the queue layer; the gate has already authorized the commands before enqueue.
Processor Access¶
Processors are trusted internal code once registered. If a processor needs delayed command scheduling, it may enqueue through a broker resource or another sanctioned internal path. Those internally scheduled commands are not a substitute for external gate enforcement.
When user-facing accountability matters, route the operation through iCommandService so it receives authorization and audit semantics.
Command Model¶
Command is a frozen Pydantic model with fields used by queuing and dispatch:
| Field | Purpose |
|---|---|
id |
command identity |
tick |
target tick |
actor_id |
actor identity for audit/accountability |
type |
command type used by gate permissions and dispatch |
payload |
command-specific data |
priority |
ordering within a tick |
seq |
FIFO tie breaker |
See Service Protocols for the broker protocol.