pub enum FrictionDecision {
    Proceed,
    Pause {
        pause: Duration,
        level: FrictionLevel,
    },
    TypedConfirm {
        pause: Duration,
        level: FrictionLevel,
    },
    WaitAndReread {
        pause: Duration,
        level: FrictionLevel,
        phrase: String,
    },
    HardStop {
        level: FrictionLevel,
        reason: String,
    },
}
How the caller must honor friction for a single risk-increasing command.
Variants
Proceed
No friction — run the command immediately.
Pause
The operator must observe a visible countdown, then the
command runs. pause is the required duration (3s at L1).
The caller owns the timer and is expected to render the countdown so the operator sees the pause happening — it is not a hidden delay.
TypedConfirm
The operator must type TYPED_CONFIRM_WORD verbatim and
the pause must elapse before the command runs. This is
the TILT friction — ten-second pause + typed-word (§6.2).
The confirm word itself is not serialised — it is fully
determined by the level and always reads as
TYPED_CONFIRM_WORD. Callers read it via
FrictionDecision::confirm_word.
WaitAndReread
M2 §3: L3 friction. The operator must wait out a longer
pause (30 s by default — see
FrictionLevel::pause) and type back the
proximity-disclosure phrase verbatim before the command
re-dispatches.
Unlike Self::TypedConfirm, the phrase here is dynamic
— it embeds the current drawdown / alert numbers so the
operator reads what is happening right now rather than
rote-typing execute. Serialised as-is so JSON consumers
can log the exact phrase shown to the operator.
HardStop
M2 §3: L4 friction — refusal. The command is dropped and no amount of waiting or typing can run it: the engine is halted and the dead-man switch is load-bearing.
Only Reduces commands continue to flow (they take the
un-gated path entirely — see decide_with_risk). The
reason carries the halt-flag label the engine reported
so the TUI can surface “engine halted: global_halt” rather
than a bare refusal.
Implementations
impl FrictionDecision
pub const fn level(&self) -> FrictionLevel
The friction level this decision corresponds to. Proceed
maps to L0 — it is a useful value to surface on logs and
JSON so tooling can filter.
pub const fn pause(&self) -> Duration
The required pause. Proceed and HardStop are zero —
HardStop because no pause redeems a refusal.
pub const fn requires_typed_confirm(&self) -> bool
Whether this decision requires a typed confirmation.
True for L2 (TypedConfirm) and L3 (WaitAndReread); false
for L4 (HardStop — refusal cannot be typed past).
pub fn confirm_word(&self) -> Option<Cow<'_, str>>
The string the operator must type verbatim to clear this
decision’s friction. None when no typing is required
(Proceed, Pause, HardStop).
Returns a Cow because L2’s word is a static
(TYPED_CONFIRM_WORD) while L3’s phrase is owned by the
decision itself and varies with engine state.
pub const fn is_refusal(&self) -> bool
True for L4 refusals only. The dispatcher consults this to
decide whether a command is allowed to be carried as a
pending_command (it is not — L4 drops the command
entirely, leaving only Reduces commands to flow).
pub fn refusal_reason(&self) -> Option<&str>
The halt reason the engine reported, for HardStop only.
Lets callers render “engine halted: global_halt” rather
than a bare refusal.
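An example of how a caller might honor these decisions, added here and not taken from the crate: the enum is a simplified stand-in without the level fields, the value given to TYPED_CONFIRM_WORD is assumed, and clear_friction is a hypothetical helper. It fails closed: a HardStop is refused before anything else is checked, and the typed text is compared verbatim.

```rust
use std::borrow::Cow;
use std::time::Duration;

// Assumed value: the page names TYPED_CONFIRM_WORD but does not show its contents.
const TYPED_CONFIRM_WORD: &str = "execute";

// Simplified stand-in for the documented enum; the `level` fields are omitted.
pub enum FrictionDecision {
    Proceed,
    Pause { pause: Duration },
    TypedConfirm { pause: Duration },
    WaitAndReread { pause: Duration, phrase: String },
    HardStop { reason: String },
}

impl FrictionDecision {
    pub fn pause(&self) -> Duration {
        match self {
            Self::Pause { pause } | Self::TypedConfirm { pause } => *pause,
            Self::WaitAndReread { pause, .. } => *pause,
            Self::Proceed | Self::HardStop { .. } => Duration::ZERO,
        }
    }
    pub fn confirm_word(&self) -> Option<Cow<'_, str>> {
        match self {
            Self::TypedConfirm { .. } => Some(Cow::Borrowed(TYPED_CONFIRM_WORD)),
            Self::WaitAndReread { phrase, .. } => Some(Cow::Borrowed(phrase.as_str())),
            _ => None,
        }
    }
}

/// Hypothetical caller-side gate: Ok(()) only when every obligation is met.
pub fn clear_friction(d: &FrictionDecision, waited: Duration, typed: Option<&str>) -> Result<(), String> {
    if let FrictionDecision::HardStop { reason } = d {
        return Err(format!("engine halted: {}", reason)); // refusal: nothing clears it
    }
    if waited < d.pause() {
        return Err(format!("pause not elapsed: {:?} of {:?}", waited, d.pause()));
    }
    match (d.confirm_word(), typed) {
        (None, _) => Ok(()),
        // Verbatim comparison: no trimming, no case folding.
        (Some(w), Some(t)) if &*w == t => Ok(()),
        (Some(_), _) => Err("confirmation text does not match".to_string()),
    }
}

fn main() { println!("{:?}", clear_friction(&FrictionDecision::Proceed, Duration::ZERO, None)); }
```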
Trait Implementations
impl Clone for FrictionDecision
fn clone(&self) -> FrictionDecision
fn clone_from(&mut self, source: &Self)
Performs copy-assignment from source.