eclipse-score · PandaeDo · Jun 16, 2026 · Jun 11, 2026 · Jun 15, 2026 · Jun 16, 2026
@@ -31,6 +31,7 @@ Communication (v0.5 beta)
    :titlesonly:
    :hidden:
 
+   dds_gateway/index.rst
    docs/**/index
    ipc/index
    some_ip_gateway/index

@@ -0,0 +1,21 @@
+@startuml
+
+interface IKvs {
+    open
+    flush_on_exit
+    reset
+    get_all_keys
+    key_exists
+    get_value
+    get_default_value
+    has_default_value
+    set_default_value
+    set_value
+    remove_key
+    flush
+    snapshot_count
+    snapshot_max_count
+    snapshot_restore
+}
+
+@enduml
@@ -0,0 +1,47 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+.. _feature_architecture_persistency:
+
+Architecture
+============
+
+.. document:: Persistency KVS Feature Architecture
+   :id: doc__persistency_architecture
+   :status: valid
+   :safety: ASIL_B
+   :security: NO
+   :realizes: wp__feature_arch
+   :tags: persistency
+
+
+.. feat:: Persistency
+   :id: feat__persistency
+   :security: YES
+   :safety: ASIL_B
+   :status: valid
+   :provides: logic_arc_int__persistency__interface
+
+
+Logical Interfaces
+------------------
+
+.. logic_arc_int:: Ikvs
+   :id: logic_arc_int__persistency__interface
+   :security: YES
+   :safety: ASIL_B
+   :fulfils: feat_req__persistency__async_api
+   :status: valid
+
+   .. uml:: _assets/kvs_interface.puml
@@ -12,8 +12,136 @@
    # SPDX-License-Identifier: Apache-2.0
    # *******************************************************************************
 
-Persistency
-===========
+.. _features_persistency:
 
-Complete module documentation can be found in `Persistency <https://github.com/eclipse-score/persistency>`__.
+Persistency (v0.5 beta)
+########################
 
+.. document:: Persistency
+   :id: doc__persistency
+   :status: valid
+   :safety: ASIL_B
+   :security: NO
+   :realizes: wp__feat_request
+   :tags: feature_request, persistency
+
+.. toctree::
+   architecture/index.rst
+   requirements/index.rst
+   requirements/chklst_req_inspection.rst
+
+
+Feature flag
+============
+
+To activate this feature, use the following feature flag:
+
+``persistency``
+
+
+Abstract
+========
+
+Persistency is a critical feature that ensures the long-term storage and
+retrieval of data within S-CORE. It provides a reliable mechanism for
+preserving information, allowing the application to maintain its state and data
+integrity over time. This feature is essential for enabling the system to
+resume operations seamlessly, even in the event of unexpected shutdowns or
+system failures. By implementing robust persistence mechanisms, the application
+can guarantee the persistence of user-generated content, configuration
+settings, and other vital data, ensuring a consistent and reliable user
+experience.
+
+This feature request describes the key-value storage (KVS) that is needed by
+applications to store either temporary or permanent data in an easy way that
+conforms to most programming languages that provide a hash, hashmap, dictionary,
+or similar data structure. Access to the KVS is possible from any supported
+language through language-specific interfaces.
+
+In the scope of S-CORE, an application can range from a system service to an
+end-user visible UI. The application uses the KVS as an external memory store
+to read and persist data as needed. For example, an application that controls
+the air conditioning system in a car could use the KVS to store the current
+temperature setting. When the car is started again, the application can
+retrieve the temperature setting from the persistent KVS storage, providing a
+seamless user experience by restoring the previous state.
+
+
+Motivation
+==========
+
+The current solutions available mostly don't meet the specific needs of the
+S-CORE project like storing specific datatypes without a BASE64 conversion or
+having no rollback/replay feature. Also the integration into analysis tools is
+simpler when the solution grows with the needs instead having to adapt existing
+data structures through wrappers. Especially in the focus of security it will
+be possible to build a system that integrates the layers from scratch and
+provide them as API to any language whilst still using Rust as the backend.
+
+A main USP of the solution will be the integration of a tracing framework that
+allows to understand how events also in the context of other events interact.
+
+A key-value storage is used within many applications to store e.g.
+configuration data and is therefore seen crucial for the Eclipse S-CORE
+platform.
+
+
+Rationale
+=========
+
+1. | Requirement 1: Multiple key-value storages per application
+   | Solution: Allow each application to have multiple key-value storages (KVS) to enable data separation and different levels of security.
+2. | Requirement 2: Update mechanism for KVS versions
+   | Solution: Implement an update mechanism to ensure compatibility through updates and rollbacks of different KVS versions.
+3. | Requirement 3: Language-agnostic KVS interface
+   | Solution: Design a flexible interface that allows the KVS to be read and written from multiple programming languages, including C++, Rust, and others.
+4. | Requirement 4: Default values for KVS
+   | Solution: Configure the KVS to store default values for all keys, returning either the default value or an error if the key needs to be written first.
+5. | Requirement 5: Simple data representation for KVS
+   | Solution: Utilize a simple data representation, such as JSON or Cap'n Proto, that supports versioned up- and downgrading and is easily debuggable by developers.
+6. | Requirement 6: KVS integrity checking
+   | Solution: Ensure the KVS maintains a consistent state, providing either the currently stored data or the previous snapshot if data retrieval is not possible.
+
+
+Backwards Compatibility
+=======================
+
+The API for the specific language tries to represent the language specific
+implementation like hashmaps or dictionaries to be mostly backwards compatible
+to already existing key-value-storage usage cases. Access without a safe error
+handling path, like the array-operator in Rust which can panic, must be
+avoided.
+
+
+Security Impact
+===============
+
+Access to the key-value-storage would allow a malicious user to control the
+behavior of the device, so it must be secured to prevent unauthorized access.
+To achieve this, debug access should only be provided when a debug firmware
+image is installed.
+
+
+Safety Impact
+=============
+
+The expected ASIL level is ASIL-B. To reach this goal we will apply the S-CORE
+development process. Key elements of it are listed in the process descriptions
+of safety management and safety analysis. In the safety analysis we will
+analyze the impact of the feature.
+
+.. :need:`doc__persistency_fmea`
+
+We use an iterative development process and apply results from the next steps
+back to the feature request.
+
+To ensure the freedom of interference the feature key-value storage should not
+be used within different processes.
+
+
+License Impact
+==============
+
+.. note::
+   The key-value storage itself uses the Apache-2.0 license. Licenses of
+   used libraries are need to be checked.
@@ -0,0 +1,153 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+Persistency Requirements Inspection Checklist
+#############################################
+
+.. document:: Persistency Requirements Inspection Checklist
+  :id: doc__feature_persistency_requirements_chklst
+  :status: valid
+  :safety: ASIL_B
+  :security: NO
+  :tags: persistency
+  :realizes: wp__requirements_inspect
+
+**Purpose**
+
+The purpose of this requirement inspection checklist is to collect the topics to be checked during requirements inspection.
+
+**Checklist**
+
+.. list-table:: Persistency Requirements Inspection Checklist
+  :header-rows: 1
+  :widths: 10,30,50,6,6,8
+
+  * - Review ID
+    - Acceptance Criteria
+    - Guidance
+    - Passed
+    - Remarks
+    - Issue link
+  * - REQ_01_01
+    - Is the requirement sentence template used?
+    - see :need:`gd_temp__req_formulation`, this includes the use of "shall".
+    - Yes
+    - No remarks
+    - https://github.com/eclipse-score/score/issues/960
+  * - REQ_02_01
+    - Is the requirement description *comprehensible* ?
+    - If you think the requirement is hard to understand, comment here.
+    - Yes
+    - No remarks
+    - https://github.com/eclipse-score/score/issues/960
+  * - REQ_02_02
+    - Is the requirement description *unambiguous* ?
+    - Especially search for "weak words" like "about", "etc.", "relevant" and others (see the internet documentation on this). This check shall be supported by tooling.
+    - Yes
+    - No remarks
+    - https://github.com/eclipse-score/score/issues/960
+  * - REQ_02_03
+    - Is the requirement description *atomic* ?
+    - A good way to think about this is to consider if the requirement may be tested by one (positive) test case or needs more of these. The sentence template should also avoid being non-atomic already. Note that there are cases where also non-atomic requirements are the better ones, for example if those are better understandable.
+    - Yes
+    - No remarks
+    - https://github.com/eclipse-score/score/issues/960
+  * - REQ_02_04
+    - Is the requirement description *feasible* ?
+    - Expectation is that at the time of the inspection the requirement has already some implementation. This can be checked via traces, but also :need:`gd_req__req_attr_impl` shows this. In case the requirement is not mature enough at the time of inspection (i.e. not implemented at least as "proof-of-concept"), a development expert should be invited to the Pull-Request review to explicitly check this item.
+    - Yes
+    - No remarks
+    - https://github.com/eclipse-score/score/issues/960
+  * - REQ_02_05
+    - Is the requirement description *independent from implementation* ?
+    - This checkpoint should improve requirements definition in the sense that the "what" is described and not the "how" - the latter should be described in architecture/design derived from the requirement. But there can also be a good reason for this, for example we would require using a file format like JSON and even specify the formatting standard already on stakeholder requirement level because we want to be compatible. A finding in this checkpoint does not mean there is a safety problem in the requirement.
+    - Yes
+    - No remarks
+    - https://github.com/eclipse-score/score/issues/960
+  * - REQ_03_01
+    - For stakeholder requirements: Is the *rationale* correct?
+    - Rationales explain why the top level requirements were invented. Do those cover the requirement?
+    - N/A
+    - No stakeholder requirements for Persistency KVS needed.
+    - https://github.com/eclipse-score/score/issues/960
+  * - REQ_03_02
+    - For other requirements: Is the *linkage to the parent requirement* correct?
+    - Linkage to correct levels and ASIL attributes is checked automatically, but it needs checking if the child requirement implements (at least) a part of the parent requirement.
+    - Yes
+    - No remarks
+    - https://github.com/eclipse-score/score/issues/960
+  * - REQ_04_01
+    - Is the requirement *internally and externally consistent*?
+    - Does the requirement contradict other requirements within the same or higher levels? One may restrict the search to the feature for component requirements, for features to other features using same components.
+    - Yes
+    - No remarks
+    - https://github.com/eclipse-score/score/issues/960
+  * - REQ_05_01
+    - Do the software requirements consider *timing constraints of the parent requirement*?
+    - This bullet point encourages to think about timing constraints even if those are not explicitly mentioned in the parent requirement. If the reviewer of a requirement already knows or suspects that the implementation will be time consuming, one should think of the expectation of a "user".
+    - Yes
+    - No remarks
+    - https://github.com/eclipse-score/score/issues/960
+  * - REQ_06_01
+    - Does the Requirement consider *external interfaces*?
+    - The SW platform's external interfaces (to the user) are defined in the Feature Architecture, so the Feature and Component Requirements should determine the data consumed and set on these interfaces. Are output values completely defined?
+    - Yes
+    - No remarks
+    - https://github.com/eclipse-score/score/issues/960
+  * - REQ_07_01
+    - Is the *ASIL Attribute* set correctly?
+    - Derived requirements are checked automatically, see :need:`gd_req__req_linkage_safety`. But for the top level requirements this needs to be checked for correctness. Also AoU from external components need check for correct ASIL as those are the "origin" of safety requirements towards the SW platform.
+    - Yes
+    - No remarks
+    - https://github.com/eclipse-score/score/issues/960
+  * - REQ_07_02
+    - Is the attribute *security* set correctly?
+    - Stakeholder requirements security attribute should be set based on Threat Analysis and Risk Assessment (TARA) (process is TBD). Checklist item is supported by automated check: "Every requirement which satisfies a requirement with security attribute set to YES inherits this". Expectation is that the feature/component requirements/architecture may also be subject to a Software Security Criticality Analysis (process is TBD).
+    - Yes
+    - No remarks
+    - https://github.com/eclipse-score/score/issues/960
+  * - REQ_08_01
+    - Is the requirement *verifiable*?
+    - Expectation is that at the time of the inspection already tests are created for the requirement. This can be checked via traces, but also :need:`gd_req__req_attr_test_covered` shows this. In case the requirement is not mature enough at the time of inspection (i.e. missing test cases), a test expert should be invited to the Pull-Request review to explicitly check this item.
+    - Yes
+    - No remarks
+    - https://github.com/eclipse-score/score/issues/960
+  * - REQ_09_01
+    - Do the feature requirements defining a safety mechanism contain the error reaction leading to a safe state?
+    - Alternatively to the safe state there could also be "repair" mechanisms. Also do not forget to consider REQ_05_01 for these.
+    -
+    -
+    -
+
+The following requirements in "valid" state and with "inspected" tag set are in the scope of this inspection:
+
+.. needtable::
+   :filter: "feature_name" in docname and "requirements" in docname and docname is not None and status == "valid"
+   :style: table
+   :types: feat_req
+   :tags: persistency
+   :columns: id;status;tags
+   :colwidths: 25,25,25
+   :sort: title
+
+And also the following AoUs in "valid" state and with "inspected" tag set (for these please answer the questions above as if the AoUs are requirements, except questions REQ_03_01 and REQ_03_02):
+
+.. needtable::
+   :filter: "feature_name" in docname and "requirements" in docname and docname is not None and status == "valid"
+   :style: table
+   :types: aou_req
+   :tags: persistency
+   :columns: id;status;tags
+   :colwidths: 25,25,25
+   :sort: title