pub enum RevokeState {
    Active,
    RevokeWarning,
    GraceRunning,
    CheckpointReported,
    ForcedTeardown,
    Torndown,
    Expired,
    Fenced,
    FailedClosed,
}
Phase 218.3 — Typed revoke lifecycle states.
A workload that holds a lease can observe the revoke transitions
described in docs/design/218-tenant-policy-and-lifecycle.md
§ “Revoke State Machine”. The 9 states form a deterministic
state machine: a lease enters via Active, optionally transits
through warning → grace → either cooperative checkpoint or
forced teardown, and lands in one of three terminal states
(Torndown, Fenced, FailedClosed) plus the TTL-driven
Expired (which itself is non-terminal — the spec routes
expired -> failed-closed).
A typed primitive in policy_vocab (not split across leasekit /
runtime / scheduler) so SIEM rules, audit emit, dashboard
renderers, and the operator-facing revoke runbook all use the
same vocabulary. Same discipline as Phase 218.2 Priority /
219.2 RejectionReason / 219 AuditEventKind.
as_str() is the wire-format-grade snake_case label (SIEM rules,
dashboard panel JSONPath selectors, audit-chain markers all alert
off this exact string). human_summary() is the operator-readable
rendering string used by CLI status pages and dashboard tooltips.
They are NOT interchangeable surfaces.
legal_transition_to(next) pins the spec-allowed transition set.
Slice 86 does NOT wire this primitive into the existing revoke
pathway — that integration spans grafos-leasekit,
grafos-runtime, grafos-scheduler-service, and fabricbiosd
and is captured as TODO carry-overs. Slice 86 lands the typed
primitive + discipline methods + legal-transition pin only,
matching the slice-62 / slice-73 / slice-85 “land primitive,
defer integration” pattern.
Variants
Active
Pre-revoke normal state. Lease is active, no revoke pending.
RevokeWarning
Revoke initiated. Workload has been notified; grace timer started.
GraceRunning
Grace period running. Workload has time to checkpoint cooperatively before forced teardown.
CheckpointReported
Workload reported checkpoint complete during grace. Cooperative teardown can proceed.
ForcedTeardown
Forced teardown initiated. Reachable directly from Active for
hard revokes (no grace) per the spec’s
active -> forced-teardown -> torn-down arrow.
Torndown
Teardown completed successfully (cooperative or forced path). Terminal.
Expired
Lease TTL aged out without operator/tenant-initiated revoke.
Distinct from RevokeWarning. Per the spec’s
active -> expired -> failed-closed arrow this is a
transitional state, not a terminal one.
Fenced
Teardown failed; resource is fenced. No further leases until operator forensic clearing. Terminal.
FailedClosed
Explicit fail-closed terminal. Reachable from Expired per
the spec, and from any non-terminal state when the state
machine encounters an invariant violation (a transition the
legal set rejects). Terminal.
Implementations
impl RevokeState
pub fn as_str(self) -> &'static str
Stable wire / log identifier (snake_case). Wire-format-grade — SIEM rules, dashboard panel selectors, and audit-chain markers all alert off this exact string.
pub fn human_summary(self) -> &'static str
Operator-readable one-line summary. Distinct surface from
as_str(): this is what a CLI status page or dashboard
tooltip renders so an operator can read the lifecycle
position without consulting documentation. Not localized,
not terminated with punctuation, intentionally short so a
renderer can compose it inline.
pub fn is_terminal(self) -> bool
Returns true for the four terminal states. Torndown,
Fenced, and FailedClosed are explicit terminals. Expired
is included here because once a lease has aged out it cannot
re-enter Active — the spec routes it through
failed-closed, but observers treating Expired as a
terminal-for-display purpose stay correct. The typed legal
transition set still allows Expired -> FailedClosed.
pub fn legal_transition_to(self, next: RevokeState) -> bool
Returns true if a direct transition from self to next
is allowed by the spec. The legal set is derived from
docs/design/218-tenant-policy-and-lifecycle.md § “Revoke
State Machine”:
active -> revoke-warning -> grace-running
                            -> checkpoint-reported -> torn-down
                            -> forced-teardown -> torn-down
active -> forced-teardown -> torn-down
active -> expired -> failed-closed
active -> fenced
In addition to the spec arrows, this implementation allows:
- CheckpointReported -> Fenced and ForcedTeardown -> Fenced: a teardown attempt that fails fences the resource, matching the existing LeaseFenced audit-event kind (“Lease teardown failed; the resource is fenced”).
- _ -> FailedClosed from any non-terminal state: the spec’s expired -> failed-closed arrow is one path; the FailedClosed sink is also the explicit landing for any invariant violation, so that an unexpected transition request can be rejected fail-closed without inventing a string default.
Any transition not in this set is either an invariant
violation (use FailedClosed as the landing state) or a
multi-step path (model intermediate transitions explicitly).
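The legal-transition set and the fail-closed landing described above, as an added stand-alone illustration that is not the policy_vocab crate's own code: the enum and the is_terminal / legal_transition_to method names mirror the page, while Step, apply_transition and run_revoke_sequence are hypothetical helpers introduced here to show how an invariant violation from a non-terminal state sinks to FailedClosed instead of being ignored. as_str() and human_summary() are left out because the page does not list their label strings.

```rust
// Added illustration, not the policy_vocab crate's own code: a stand-alone
// re-statement of the documented revoke state machine plus a fail-closed
// driver. `Step`, `apply_transition` and `run_revoke_sequence` are
// hypothetical helpers introduced here; as_str()/human_summary() are omitted
// because the page does not list their label strings.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum RevokeState {
    Active,
    RevokeWarning,
    GraceRunning,
    CheckpointReported,
    ForcedTeardown,
    Torndown,
    Expired,
    Fenced,
    FailedClosed,
}

impl RevokeState {
    /// The four terminal-for-display states; Expired counts as terminal even
    /// though its one remaining edge (Expired -> FailedClosed) stays legal.
    pub fn is_terminal(self) -> bool {
        use RevokeState::*;
        matches!(self, Torndown | Fenced | FailedClosed | Expired)
    }

    /// Direct transitions allowed by the spec arrows plus the two documented
    /// implementation extensions: a failed teardown fences the resource, and
    /// FailedClosed is reachable from any non-terminal state.
    pub fn legal_transition_to(self, next: RevokeState) -> bool {
        use RevokeState::*;
        if next == FailedClosed && !self.is_terminal() {
            return true;
        }
        matches!(
            (self, next),
            (Active, RevokeWarning)
                | (RevokeWarning, GraceRunning)
                | (GraceRunning, CheckpointReported)
                | (GraceRunning, ForcedTeardown)
                | (CheckpointReported, Torndown)
                | (CheckpointReported, Fenced)
                | (ForcedTeardown, Torndown)
                | (ForcedTeardown, Fenced)
                | (Active, ForcedTeardown)
                | (Active, Expired)
                | (Active, Fenced)
                | (Expired, FailedClosed)
        )
    }
}

/// Outcome of one requested transition under fail-closed discipline.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Step {
    /// The request was legal; the machine is now in the carried state.
    Moved(RevokeState),
    /// The request was an invariant violation; the machine sank to FailedClosed.
    FailedClosed { from: RevokeState, rejected: RevokeState },
    /// The machine was already terminal with no legal edge; it stays put.
    AlreadyTerminal(RevokeState),
}

/// Apply one requested transition. An illegal request from a non-terminal
/// state lands in FailedClosed rather than being ignored or defaulted.
pub fn apply_transition(current: RevokeState, requested: RevokeState) -> Step {
    if current.legal_transition_to(requested) {
        Step::Moved(requested)
    } else if current.is_terminal() {
        Step::AlreadyTerminal(current)
    } else {
        Step::FailedClosed { from: current, rejected: requested }
    }
}

/// Drive a sequence of requests starting from Active. Ok carries the final
/// state when every request was legal; Err carries the index and outcome of
/// the first rejected request (the machine is in FailedClosed for a
/// `Step::FailedClosed` outcome and unchanged for `AlreadyTerminal`).
pub fn run_revoke_sequence(requests: &[RevokeState]) -> Result<RevokeState, (usize, Step)> {
    let mut state = RevokeState::Active;
    for (i, &req) in requests.iter().enumerate() {
        match apply_transition(state, req) {
            Step::Moved(next) => state = next,
            other => return Err((i, other)),
        }
    }
    Ok(state)
}

fn main() {
    use RevokeState::*;
    // Constructed request sequences: cooperative path, hard revoke, and a
    // request that skips revoke-warning (an invariant violation).
    println!("cooperative: {:?}", run_revoke_sequence(&[RevokeWarning, GraceRunning, CheckpointReported, Torndown]));
    println!("hard revoke: {:?}", run_revoke_sequence(&[ForcedTeardown, Torndown]));
    println!("skipped warning: {:?}", run_revoke_sequence(&[GraceRunning]));
}
```

The driver deliberately distinguishes a rejected request from a non-terminal state (which sinks to FailedClosed and is worth an audit event) from a request made against a terminal state (which cannot move at all), so a caller never has to fall back to a default string or a silent no-op when the legal set says no.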
Trait Implementations
impl Clone for RevokeState
fn clone(&self) -> RevokeState
fn clone_from(&mut self, source: &Self)
Performs copy-assignment from source.