loong-kernel 0.1.2-alpha.1

Internal support crate for Loong: kernel primitives and governance core
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132

use crate::{
    contracts::{CapabilityToken, TaskIntent},
    kernel::{KernelDispatch, LoongKernel},
    policy::PolicyEngine,
};
use loong_contracts::{Fault, TaskState};

/// Opt-in wrapper around `execute_task` that enforces FSM transitions.
pub struct TaskSupervisor {
    state: TaskState,
}

impl TaskSupervisor {
    pub fn new(intent: TaskIntent) -> Self {
        Self {
            state: TaskState::Runnable(intent),
        }
    }

    pub fn state(&self) -> &TaskState {
        &self.state
    }

    pub fn is_runnable(&self) -> bool {
        matches!(self.state, TaskState::Runnable(_))
    }

    /// Clone the current state before attempting a guarded transition so
    /// rejected transitions leave the supervisor unchanged.
    fn take_state(&self) -> TaskState {
        self.state.clone()
    }

    /// Execute the task through the kernel, tracking state transitions.
    pub async fn execute<P: PolicyEngine>(
        &mut self,
        kernel: &LoongKernel<P>,
        pack_id: &str,
        token: &CapabilityToken,
    ) -> Result<KernelDispatch, Fault> {
        // Clone the intent before transitioning, since we need it for the
        // kernel call and transition_to_in_send consumes it.
        let intent = match &self.state {
            TaskState::Runnable(intent) => intent.clone(),
            TaskState::InSend { .. }
            | TaskState::InReply { .. }
            | TaskState::Completed(_)
            | TaskState::Faulted(_) => {
                return Err(Fault::ProtocolViolation {
                    detail: "task is not in Runnable state".to_owned(),
                });
            }
        };

        // Runnable -> InSend (guarded transition)
        let taken = self.take_state();
        self.state = taken
            .transition_to_in_send()
            .map_err(|detail| Fault::ProtocolViolation { detail })?;

        // InSend -> InReply (guarded transition)
        let taken = self.take_state();
        self.state = taken
            .transition_to_in_reply()
            .map_err(|detail| Fault::ProtocolViolation { detail })?;

        // Execute through kernel
        match kernel.execute_task(pack_id, token, intent).await {
            Ok(dispatch) => {
                // InReply -> Completed (guarded transition)
                let taken = self.take_state();
                self.state = taken
                    .transition_to_completed(dispatch.outcome.clone())
                    .map_err(|detail| Fault::ProtocolViolation { detail })?;
                Ok(dispatch)
            }
            Err(kernel_err) => {
                let fault = Fault::from_kernel_error(kernel_err);
                // Any non-terminal -> Faulted
                let taken = self.take_state();
                self.state = taken.transition_to_faulted(fault.clone());
                Err(fault)
            }
        }
    }

    /// Force state -- for testing only.
    #[cfg(test)]
    pub fn force_state(&mut self, state: TaskState) {
        self.state = state;
    }
}

#[cfg(test)]
mod tests {
    use std::collections::BTreeSet;

    use serde_json::json;

    use super::TaskSupervisor;
    use crate::contracts::{Capability, TaskIntent};
    use loong_contracts::{Fault, TaskState};

    fn sample_intent() -> TaskIntent {
        TaskIntent {
            task_id: "supervised-guard".to_owned(),
            objective: "exercise guarded transition".to_owned(),
            required_capabilities: BTreeSet::from([Capability::InvokeTool]),
            payload: json!({}),
        }
    }

    #[test]
    fn take_state_does_not_poison_supervisor_when_transition_is_rejected() {
        let supervisor = TaskSupervisor::new(sample_intent());

        let error = supervisor
            .take_state()
            .transition_to_in_reply()
            .expect_err("Runnable cannot transition directly to InReply");

        assert!(error.contains("cannot move to InReply"));
        assert!(matches!(
            supervisor.state(),
            TaskState::Runnable(intent) if intent.task_id == "supervised-guard"
        ));
        assert!(!matches!(
            supervisor.state(),
            TaskState::Faulted(Fault::ProtocolViolation { .. })
        ));
    }
}