Enum RevokeState 

pub enum RevokeState {
    Active,
    RevokeWarning,
    GraceRunning,
    CheckpointReported,
    ForcedTeardown,
    Torndown,
    Expired,
    Fenced,
    FailedClosed,
}

Phase 218.3 — Typed revoke lifecycle states.

A workload that holds a lease can observe the revoke transitions described in docs/design/218-tenant-policy-and-lifecycle.md § “Revoke State Machine”. The 9 states form a deterministic state machine: a lease enters via Active, optionally transits through warning → grace → either cooperative checkpoint or forced teardown, and lands in one of three terminal states (Torndown, Fenced, FailedClosed) plus the TTL-driven Expired (which itself is non-terminal — the spec routes expired -> failed-closed).

RevokeState is a typed primitive in policy_vocab (not split across leasekit / runtime / scheduler) so that SIEM rules, audit emit, dashboard renderers, and the operator-facing revoke runbook all use the same vocabulary. This is the same discipline as Phase 218.2 Priority / 219.2 RejectionReason / 219 AuditEventKind.

as_str() is the wire-format-grade snake_case label (SIEM rules, dashboard panel JSONPath selectors, audit-chain markers all alert off this exact string). human_summary() is the operator-readable rendering string used by CLI status pages and dashboard tooltips. They are NOT interchangeable surfaces.

legal_transition_to(next) pins the spec-allowed transition set. Slice 86 does NOT wire this primitive into the existing revoke pathway — that integration spans grafos-leasekit, grafos-runtime, grafos-scheduler-service, and fabricbiosd and is captured as TODO carry-overs. Slice 86 lands the typed primitive + discipline methods + legal-transition pin only, matching the slice-62 / slice-73 / slice-85 “land primitive, defer integration” pattern.

Variants

Active

Pre-revoke normal state. Lease is active, no revoke pending.

RevokeWarning

Revoke initiated. Workload has been notified; grace timer started.

GraceRunning

Grace period running. Workload has time to checkpoint cooperatively before forced teardown.

CheckpointReported

Workload reported checkpoint complete during grace. Cooperative teardown can proceed.

ForcedTeardown

Forced teardown initiated. Reachable directly from Active for hard revokes (no grace) per the spec’s active -> forced-teardown -> torn-down arrow.

Torndown

Teardown completed successfully (cooperative or forced path). Terminal.

Expired

Lease TTL aged out without operator/tenant-initiated revoke. Distinct from RevokeWarning. Per the spec’s active -> expired -> failed-closed arrow this is a transitional state, not a terminal one.

Fenced

Teardown failed; resource is fenced. No further leases until operator forensic clearing. Terminal.

FailedClosed

Explicit fail-closed terminal. Reachable from Expired per the spec, and from any non-terminal state when the state machine encounters an invariant violation (a transition the legal set rejects). Terminal.

Implementations

impl RevokeState

pub fn as_str(self) -> &'static str

Stable wire / log identifier (snake_case). Wire-format-grade — SIEM rules, dashboard panel selectors, and audit-chain markers all alert off this exact string.

pub fn human_summary(self) -> &'static str

Operator-readable one-line summary. Distinct surface from as_str(): this is what a CLI status page or dashboard tooltip renders so an operator can read the lifecycle position without consulting documentation. Not localized, not terminated with punctuation, intentionally short so a renderer can compose it inline.

pub fn is_terminal(self) -> bool

Returns true for the four terminal states. Torndown, Fenced, and FailedClosed are explicit terminals. Expired is included here because once a lease has aged out it cannot re-enter Active: the spec routes it through failed-closed, but observers that treat Expired as terminal for display purposes stay correct. The typed legal transition set still allows Expired -> FailedClosed.

pub fn legal_transition_to(self, next: RevokeState) -> bool

Returns true if a direct transition from self to next is allowed by the spec. The legal set is derived from docs/design/218-tenant-policy-and-lifecycle.md § “Revoke State Machine”:

active -> revoke-warning -> grace-running
  -> checkpoint-reported -> torn-down
  -> forced-teardown -> torn-down
active -> forced-teardown -> torn-down
active -> expired -> failed-closed
active -> fenced

In addition to the spec arrows, this implementation allows:

  • CheckpointReported -> Fenced and ForcedTeardown -> Fenced: a teardown attempt that fails fences the resource, matching the existing LeaseFenced audit-event kind (“Lease teardown failed; the resource is fenced”).
  • _ -> FailedClosed from any non-terminal state: the spec’s expired -> failed-closed arrow is one path; the FailedClosed sink is also the explicit landing for any invariant violation, so that an unexpected transition request can be rejected fail-closed without inventing a string default.

Any transition not in this set is either an invariant violation (use FailedClosed as the landing state) or a multi-step path (model intermediate transitions explicitly).
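
The transition set above, modelled as a stand-alone added example (not the policy_vocab source). It assumes the two indented arrows both branch from grace-running and that the three explicit terminals have no outgoing transitions; first_illegal_hop is a hypothetical helper for replaying an observed state sequence.

```rust
// Added illustration: a stand-alone model of the transition set described above.
// Not the policy_vocab source; `first_illegal_hop` is a hypothetical helper.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum RevokeState {
    Active, RevokeWarning, GraceRunning, CheckpointReported, ForcedTeardown,
    Torndown, Expired, Fenced, FailedClosed,
}
use RevokeState::*;

impl RevokeState {
    /// Direct transitions: the spec arrows plus the two documented additions.
    pub fn legal_transition_to(self, next: RevokeState) -> bool {
        match (self, next) {
            // Assumption: explicit terminals are sinks, nothing leaves them.
            (Torndown | Fenced | FailedClosed, _) => false,
            // Fail-closed sink, reachable from every remaining state (Expired included).
            (_, FailedClosed) => true,
            (Active, RevokeWarning | ForcedTeardown | Expired | Fenced) => true,
            (RevokeWarning, GraceRunning) => true,
            // Assumption: the indented arrows both branch from grace-running.
            (GraceRunning, CheckpointReported | ForcedTeardown) => true,
            // Teardown either completes or fails and fences the resource.
            (CheckpointReported | ForcedTeardown, Torndown | Fenced) => true,
            _ => false,
        }
    }
}

/// Index of the first hop in an observed state sequence that the legal set
/// rejects, or None when every hop is legal.
pub fn first_illegal_hop(path: &[RevokeState]) -> Option<usize> {
    path.windows(2).position(|w| !w[0].legal_transition_to(w[1]))
}

fn main() {
    // Constructed sample sequences, as an audit consumer might replay them.
    let cooperative = [Active, RevokeWarning, GraceRunning, CheckpointReported, Torndown];
    let skipped_grace = [Active, RevokeWarning, Torndown];
    let reopened = [Active, ForcedTeardown, Fenced, Active];
    println!("cooperative:   {:?}", first_illegal_hop(&cooperative));
    println!("skipped grace: {:?}", first_illegal_hop(&skipped_grace));
    println!("reopened:      {:?}", first_illegal_hop(&reopened));
}
```

A multi-step path such as revoke-warning straight to torn-down is reported at the hop where it skips an intermediate state, which is where a caller would land the lease in FailedClosed.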

Trait Implementations

impl Clone for RevokeState

fn clone(&self) -> RevokeState

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for RevokeState

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for RevokeState

fn deserialize<__D>(__deserializer: __D) -> Result<RevokeState, <__D as Deserializer<'de>>::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Display for RevokeState

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.

impl Hash for RevokeState

fn hash<__H>(&self, state: &mut __H)
where __H: Hasher,

Feeds this value into the given Hasher.

fn hash_slice<H>(data: &[Self], state: &mut H)
where H: Hasher, Self: Sized,

Feeds a slice of this type into the given Hasher.

impl PartialEq for RevokeState

fn eq(&self, other: &RevokeState) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for RevokeState

fn serialize<__S>(&self, __serializer: __S) -> Result<<__S as Serializer>::Ok, <__S as Serializer>::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer.

impl Copy for RevokeState

impl Eq for RevokeState

impl StructuralPartialEq for RevokeState
