pub struct RotationStateMachine<S: PlatformSigner> { /* private fields */ }
Drives the rotation procedure end-to-end.
One state machine corresponds to one platform deployment. Hold this
behind an Arc<Mutex<_>> if multiple operators can drive it
concurrently — the type itself is !Sync so the compiler enforces
serialized access through the mutex.
Implementations

impl<S: PlatformSigner> RotationStateMachine<S>
pub fn new(current: S) -> Self
Build a fresh state machine seeded with the active key. Phase is
RotationPhase::Active.
pub async fn phase(&self) -> RotationPhase
Current phase.
pub async fn last_event(&self) -> Option<RotationEvent>
Most recent rotation event published, if any.
pub async fn begin_handover<N: PlatformSigner>(
    &self,
    next: &N,
    transition_window: Duration,
) -> Result<RotationEvent, RotationError>
Step 1 of the runbook (after the operator has generated the new KMS key out-of-band). Fetches both public keys, asks the current signer to sign the handover, returns the wire event.
Transitions the state machine from RotationPhase::Active to
RotationPhase::Transitioning. Refuses to re-fire if a
rotation is already in progress — emergency revocation is a
distinct call path (see Self::emergency_revoke_current).
transition_window: how long both keys remain trusted. Default
per RFC is 30 days (see DEFAULT_TRANSITION_DAYS).
pub async fn retire_old(&self) -> Result<(), RotationError>
Step 2 of the runbook — operator calls this after the transition
window has elapsed and the runbook’s manual aws kms disable-key
step is complete. Brings the state machine back to
RotationPhase::Active.
Note: the state machine does not switch its current signer
(this type is generic and immutable). The expectation is that
the registry process restarts with the new MOCKFORGE_PLATFORM_SIGNING_KMS_KEY_ID
pointing at the new ARN. This method exists for in-memory state
hygiene + audit completeness, and is the call site where the
PlatformSigningKeyRetired audit event fires.
pub async fn emergency_revoke_current(&self) -> Result<(), RotationError>
Emergency: revoke the current key without a successor. Used when the active key is believed compromised and no new key has been provisioned yet. After this returns, the registry refuses to publish anything signed by the old key.
This does NOT publish a rotation event — there’s no new key to
hand over to. The runbook’s “Emergency revocation” section
covers the operator-facing process (notify all hosted-mock
owners, then run Self::begin_handover with a fresh key once
it’s available).
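The phase rules described across begin_handover, retire_old and emergency_revoke_current, as an added synchronous model that is not the crate's own code. It assumes a Revoked phase after emergency revocation (the page names no phase for that state), string key ids in place of real PlatformSigners, and a Vec<String> audit log in place of the audit event sink.

```rust
// Added example, not the crate's code: a synchronous model of the phase transitions this
// page documents. Assumed: a `Revoked` phase after emergency revocation, string key ids in
// place of real `PlatformSigner`s, and a Vec<String> audit log in place of the audit sink.
use std::time::Duration;
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Phase { Active, Transitioning, Revoked }
#[derive(Debug, PartialEq)]
pub enum RotationError { AlreadyRotating, NotTransitioning }
#[derive(Clone, Debug, PartialEq)]
pub struct RotationEvent { pub old_key: String, pub new_key: String, pub window: Duration }
pub struct Machine {
    phase: Phase, current: String, current_revoked: bool,
    next: Option<String>, last_event: Option<RotationEvent>, pub audit: Vec<String>,
}
impl Machine {
    pub fn new(current: &str) -> Self {
        Machine { phase: Phase::Active, current: current.into(), current_revoked: false,
                  next: None, last_event: None, audit: Vec::new() }
    }
    pub fn phase(&self) -> Phase { self.phase }
    pub fn last_event(&self) -> Option<&RotationEvent> { self.last_event.as_ref() }
    /// Keys a verifier should accept now: both during the window, never a revoked one.
    pub fn trusted_keys(&self) -> Vec<String> {
        let mut keys = Vec::new();
        if !self.current_revoked { keys.push(self.current.clone()); }
        if self.phase == Phase::Transitioning { keys.extend(self.next.clone()); }
        keys
    }
    /// Step 1: Active (or Revoked) -> Transitioning. Refuses to re-fire mid-rotation.
    pub fn begin_handover(&mut self, next: &str, window: Duration) -> Result<RotationEvent, RotationError> {
        if self.phase == Phase::Transitioning { return Err(RotationError::AlreadyRotating); }
        let ev = RotationEvent { old_key: self.current.clone(), new_key: next.into(), window };
        self.next = Some(next.into());
        self.last_event = Some(ev.clone());
        self.phase = Phase::Transitioning;
        Ok(ev)
    }
    /// Step 2: Transitioning -> Active after the window and the manual `kms disable-key`.
    /// The current signer is not swapped; the registry process restarts with the new key id.
    pub fn retire_old(&mut self) -> Result<(), RotationError> {
        if self.phase != Phase::Transitioning { return Err(RotationError::NotTransitioning); }
        self.audit.push(format!("PlatformSigningKeyRetired key={}", self.current));
        self.phase = Phase::Active;
        Ok(())
    }
    /// Emergency: no successor, no rotation event; the current key stops being trusted.
    pub fn emergency_revoke_current(&mut self) {
        self.current_revoked = true; self.next = None; self.phase = Phase::Revoked;
    }
}
```

Wrapping Machine in Arc<Mutex<_>> gives the same serialized-access property the real type gets from being !Sync.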