Module friction

Friction decisions — the runtime half of the risk-asymmetry invariant (ADR-013 / ADR-014, Addendum A §3 and §6.3).

The compile-time half lives in risk.rs: a FrictionGate can only ever be parameterised over Increases. A risk-reducing or neutral command is structurally unable to be friction-wrapped. That’s the guarantee.

This module adds the runtime half: given the operator’s current behavioural label and a command’s RiskDirection, produce a FrictionDecision — Proceed, Pause, or TypedConfirm — that a caller (the TUI, the non-interactive entrypoint, a headless scheduler) can honor.

The decision is purposely stateless. The caller is responsible for the timer (Pause) and the input check (TypedConfirm); we only tell it what the friction shape is.

Invariants

  • RiskDirection::Reduces always resolves to FrictionDecision::Proceed. This is tested. A regression here is the “operator can’t /kill at 2 AM” failure mode the architecture exists to prevent.
  • RiskDirection::Neutral always resolves to Proceed. Reads, mode switches, log clears never pause.
  • RiskDirection::Increases picks Pause or TypedConfirm according to FrictionLevel::from_label (Phase 1: L0/L1/L2 only; L3/L4 are Phase 2).
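A sketch of the three invariants above and of the caller-side checks, added here as an illustration; it is not the crate's own code. The type names follow this page, but the signatures, enum payloads, pause duration, confirm-word value, the L0-proceeds mapping and the may_execute helper are all assumptions.

```rust
use std::time::Duration;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum RiskDirection { Reduces, Neutral, Increases }

// Phase 1 levels only; how a behavioural label maps to a level is not shown here.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum FrictionLevel { L0, L1, L2 }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum FrictionDecision {
    Proceed,
    Pause(Duration),            // payload shape is an assumption
    TypedConfirm(&'static str), // payload shape is an assumption
}

pub const TYPED_CONFIRM_WORD: &str = "CONFIRM";     // constructed placeholder value
pub const PAUSE: Duration = Duration::from_secs(5); // assumed duration

/// Stateless: same inputs, same answer; no clock, no I/O.
pub fn decide(level: FrictionLevel, dir: RiskDirection) -> FrictionDecision {
    // Match on direction first, so no level can ever add friction to a
    // risk-reducing or neutral command.
    match dir {
        RiskDirection::Reduces | RiskDirection::Neutral => FrictionDecision::Proceed,
        RiskDirection::Increases => match level {
            FrictionLevel::L0 => FrictionDecision::Proceed, // assumed: no friction at L0
            FrictionLevel::L1 => FrictionDecision::Pause(PAUSE),
            FrictionLevel::L2 => FrictionDecision::TypedConfirm(TYPED_CONFIRM_WORD),
        },
    }
}

/// Caller side (hypothetical helper): the caller owns the timer and the input check.
pub fn may_execute(d: FrictionDecision, waited: Duration, typed: &str) -> bool {
    match d {
        FrictionDecision::Proceed => true,
        FrictionDecision::Pause(min) => waited >= min,
        // Verbatim comparison: no trimming, no case folding.
        FrictionDecision::TypedConfirm(word) => typed == word,
    }
}

fn main() {
    let d = decide(FrictionLevel::L2, RiskDirection::Increases);
    println!("{:?}: lowercase accepted = {}", d, may_execute(d, Duration::ZERO, "confirm"));
    println!("{:?}", decide(FrictionLevel::L2, RiskDirection::Reduces));
}
```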

Enums

FrictionDecision
How the caller must honor friction for a single risk-increasing command.

Constants

FALLBACK_REREAD_PHRASE
The typed re-read phrase the operator must enter verbatim at L3 (TILT + guardrail proximity) when no engine-reported drawdown number is available to tailor a richer sentence.
TYPED_CONFIRM_WORD
The confirmation word the operator must type at TILT (L2) to execute a risk-increasing command. Constant so tests, TUI, and automation key on the same value.

Functions

decide
Compute the friction decision for a command’s risk direction given the operator’s current behavioural label.
decide_with_risk
Compute the friction decision including the M2 §3 L3/L4 escalations, given engine risk context.