Module planner_gates

Expand description

Planner gates over &FleetState (the v0.2 shape, replacing the v0.1 &Observed-based gates per RFC-0006 §12).

Two design properties the new shape enforces that the old didn’t:

No fail-open defaults. The old gates carried unwrap_or(true) for missing probe state (see Observed::host_probes_passing docstring). The new gates consult the reducer state — HostRolloutState::probe_observed_first_at etc. — where absence has explicit meaning (probe hasn’t run yet = soak gate fails closed). RFC-0005 §6.
Verified manifests only. Every gate takes &SignedManifestSet. Phase 2’s Verified<T> newtype graduates from “type exists” to “type is required on the dispatch path”.

First-block-wins order matches the old evaluate_for_host: quarantine → channel_edges → wave_promotion → host_edges → disruption_budget → compliance_wave. Quarantine is FIRST: a hash that just rolled back must stop instantly even if other gates would otherwise hold the host — otherwise the agent re-fetches and re- activates the bad closure on every cycle.

Modules§

channel_edges: Channel-edges gate (new-shape).
compliance_wave: Compliance-wave gate. Earlier-wave hosts with outstanding evidence failures hold later-wave dispatch.
disruption_budget: Disruption-budget gate (new-shape). max_in_flight enforced at dispatch time, summed across all active rollouts whose budgets share a selector (matches the old gate’s “max one workstation in flight, ever” cross-rollout semantics).
host_edges: Host-edges gate. Per-host DAG within a single rollout: Edge { gated: A, gates: B } holds A’s dispatch until B is ordering-eligible — Converged (canonical “health-verified at target”) OR Deferred (activation staged, live-switch pending operator reboot per RFC-0005 §3 terminal-for-ordering).
quarantine: Anti-thrash quarantine gate (new-shape). Same predicate as gates::quarantine, just parameterized directly on (channel, target_closure, quarantines) instead of digging through Observed. Phase 6g deletes the old version.
wave_promotion: Wave-promotion gate (new-shape). Host’s wave index must not exceed the rollout’s current_wave. Wave index comes from the verified FleetResolved.waves[channel] (positional). current_wave lives on RolloutSummary and is maintained by the applier.

Enums§

GateBlock: Reason a host can’t be dispatched right now. Variants carry enough detail to render the log line + observability event without re- querying state. The legacy &Observed-shaped gate variants from v0.1 are not represented.

Functions§

evaluate_for_dispatch: First block wins. Cheapest-first; quarantine is FIRST for the anti-thrash property (see module docstring).