nixfleet-state-machine
Role. Pure per-host rollout state-machine reducer (RFC-0005 §3 + RFC-0006 §3). A single step(state, event, now, policy) -> Result<(state, Vec<Effect>), TransitionError> function. No I/O, no clock reads, deterministic. The same crate runs in the agent (drives the host’s local state from worker output) and the CP (mirrors that state from inbound events) — both sides share the reducer by construction.
Key types. HostRolloutState (the 6-state machine: Pending, Activating, Soaking, Soaked / Failed / Reverted / Deferred / Converged variants per RFC-0005 §3), Event (the input vocabulary — Local* variants emitted by the agent, Remote* mirrors synthesized CP-side from wire AgentEvents), Effect (side-effect descriptors the runtime applies — LocalEmitEvent, RemoteAppendEventLog, RunActivation, RunRollback, …), ProbeSubResult (per-control accounting carried on evidence-probe results — RFC-0007 §3.4), RolloutId newtype (canonical {channel}@{channel_ref} per RFC-0008 §6.3).
Surface. Library only. Public entry points: step (the canonical reducer), wire_conversions (bidirectional AgentEvent ↔ Event / OutboundAgentEvent ↔ AgentEvent maps that keep nixfleet-proto free of state-machine awareness per the d013 lift, RFC-0004 §2). Cargo.toml’s dependency list is part of the safety contract — tokio / reqwest / rusqlite are forbidden; CI verifies via cargo tree.
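As an added illustration of the reducer contract described above (not the crate's own code: the state, event and effect names below are a hypothetical subset, and the Policy and TransitionError shapes are assumptions), here is a pure step function of the same shape plus a replay helper, showing that the same event log yields the same state and effects whichever side runs it and that out-of-order events are rejected rather than applied:

```rust
/// Illustrative subset of the per-host rollout states (sketch only; not the crate's types).
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum State { Pending, Activating, Soaking { started_at: u64 }, Soaked, Failed }

#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Event { ActivationStarted, ActivationSucceeded, ActivationFailed, Tick }

/// Side-effect descriptors: the reducer never performs them, the runtime does.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Effect { RunActivation, RunRollback, EmitEvent(&'static str) }

pub struct Policy { pub soak_secs: u64 }

#[derive(Debug, PartialEq, Eq)]
pub struct TransitionError { pub state: State, pub event: Event }

/// Pure reducer: `now` (seconds) is a parameter, never a clock read, so the agent and
/// the control plane replay the same event log to the same state and effects.
pub fn step(state: State, event: Event, now: u64, policy: &Policy)
    -> Result<(State, Vec<Effect>), TransitionError> {
    use self::{Effect::*, Event::*, State::*};
    match (state, event) {
        (Pending, ActivationStarted) => Ok((Activating, vec![RunActivation])),
        (Activating, ActivationSucceeded) => Ok((Soaking { started_at: now }, vec![EmitEvent("soaking")])),
        (Activating, ActivationFailed) => Ok((Failed, vec![RunRollback])),
        // Soak completes only once the policy's window has elapsed relative to `now`.
        (Soaking { started_at }, Tick) if now.saturating_sub(started_at) >= policy.soak_secs => {
            Ok((Soaked, vec![EmitEvent("soaked")]))
        }
        (Soaking { started_at }, Tick) => Ok((Soaking { started_at }, vec![])),
        // Anything else (out-of-order, duplicated or unexpected events) is an error,
        // so neither side can be pushed into an inconsistent state silently.
        (state, event) => Err(TransitionError { state, event }),
    }
}

/// Replay an event log of (event, observed time) pairs from `Pending`.
pub fn replay(log: &[(Event, u64)], policy: &Policy) -> Result<State, TransitionError> {
    let mut state = State::Pending;
    for (event, now) in log {
        state = step(state, event.clone(), *now, policy)?.0;
    }
    Ok(state)
}
```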
Links.
- Generated rustdoc: api/nixfleet_state_machine/
- Relevant RFCs: RFC-0005, RFC-0006, RFC-0007, RFC-0004, RFC-0008
- Architecture component: §1.4 Control plane, §1.5 Agent