Module controller 

RuntimeApiController — channel to VMM + lock-free read mirror + timeout taxonomy.

Per 20-firecracker-api.md § 5:

• ArcSwap<ControllerSnapshot> lock-free read mirror; written by the VMM event loop on every state transition, read by every GET handler.
• tokio::sync::mpsc::Sender<(ApiAction, oneshot::Sender<ApiResponse>)> single-writer channel into the VMM event loop. Bounded (capacity 1024 per CLAUDE.md § Async).
• Per-action-class tokio::time::timeout (D26); on timeout we surface 504 and log the still-pending action at error.

Pre-boot vs post-boot admissibility is checked synchronously against the LifecyclePhase carried in ControllerSnapshot — no VMM round-trip needed for rejection.

Structs

ControllerSnapshot

Lock-free read mirror surfaced via every GET handler.

LimitsSnapshot

Read-only view of LimitsState for callers that want a momentary snapshot.

LimitsState

Cross-field limits that the controller enforces synchronously, before an action is forwarded to the VMM event loop. These are the upper bounds that the per-field Raw* → Validated TryFrom conversions cannot enforce because they need the running machine state (host RAM cap, configured mem_size_mib, running counts).

RuntimeApiController

Controller surfaced to handlers. Written by the VMM event loop, read by every handler.

TimeoutTable

Per-class tokio::time::timeout budget per 70-security.md § 6.

Type Aliases

ActionReceiver

Channel receiver type owned by the VMM event loop.

ActionSender

Channel sender type used by mutating handlers.