Providers

A provider owns one or more resource kinds and implements the Provider trait: create, update, delete, read, and an optional configure for the corresponding provider "<name>" { ... } block.

stratum routes a resource to a provider by splitting the kind on the first _ and looking up the prefix:

kind	provider
`system_package`	`system`
`system_service`	`system`
`system_file`	`system`
`system_secret_file`	`system`
`system_ufw_rule`	`system`
`system_dir`	`system`
`ssh_exec`	`ssh`
`ssh_file`	`ssh`
`docker_network`	`docker`
`docker_container`	`docker`
`docker_image`	`docker`
`git_repo`	`git`

Providers are registered at CLI startup in crates/cli/src/main.rs. Adding one means adding a new crate under crates/providers/, wiring it into the registry, and documenting it here.

Configuration block

A provider "<name>" { ... } block is optional. When present, its body is passed to the provider's configure method during apply. No shipped provider reads its block today — the grammar exists but is currently dormant.

Execution

Side effects run when you pass -y to stratum apply. Without -y, apply prints the plan and exits without touching providers. There is no dry-run mode for providers: once -y is set, every create / update / delete call hits the remote host.

For drift detection, every provider also implements read (a non-destructive query). Coverage today:

kind	`read` returns
`system_package`	`Present { state: present\|absent }`
`system_service`	`Present { enabled, state }`
`system_file`	`Present { mode, owner, group, sha256 }` or `Absent`
`system_secret_file`	`Present { mode, owner, group, sha256 }` or `Absent` (content never observed)
`system_ufw_rule`	`Unknown` (parsing punted)
`system_dir`	`Present { file_count, manifest_sha256, manifest }` or `Absent` (or `Unknown` if state's `file_count` > 200)
`ssh_exec`	`Unknown` (no readable identity)
`ssh_file`	`Present { mode, sha256 }` or `Absent`
`docker_network`	`Present { name, driver }` or `Absent`
`docker_container`	`Present { name, image, restart, labels, networks, container_id }` or `Absent`
`docker_image`	`Present { tag, image_id, id }` (echoes prior `build_args` / `context` / `dockerfile` / `target` / `pull_base`) or `Absent`
`git_repo`	`Present { path, url, ref, commit_sha }` or `Absent`

The Unknown cases show up in unreadable counts when you run stratum plan --refresh or after every stratum apply -y. That's intentional for v1.

See each provider's page for the exact attribute schema.