stop-machine is a deterministic three-state stop controller (GREEN -> AMBER -> RED).
RED is terminal. No network I/O, no external dependencies in core primitives.
This repo also contains the envelope-gate conformance primitive
(primitives/envelope-gate/), which evaluates structured envelopes against
frozen protocol rules. It is equally deterministic and side-effect-free.
This project is a governance primitive, not a networked service. The primary risks are:
| Risk | Category |
|---|---|
| Misconfiguration of EXIT_ENUM or gate mappings | Governance |
| Drift between docs, EXIT_ENUM, and VALID_EXIT_VALUES | Integrity |
| Unauthorised mutation of terminal state (RED) | Safety |
| Truncated or malformed test files passing CI | Build |
This repo does not handle authentication, transport security, rate limiting, or logging. Integrators must add those layers.
- EXIT_ENUM frozen set:
{ALLOW, HOLD, DENY, SILENCE}(per EXIT_ENUM_ERRATA v0.1) - VALID_EXIT_VALUES must be identical to the set of
Exitenum values _classify_exitmust never emit a value outside that frozen set- RED is terminal:
advance(),transition_to(), andreset()all raiseTerminalStateErrorwhen the machine is in RED - 18 conformance rules in
ALL_RULESare ordered: R0 structural first, then enum validation, then policy
Per CANONICAL.md:
stop_machine@3780882authority_gate@70ed2c9
Any commit that changes runtime semantics must update the canonical pin.
- Non-sensitive bugs: Open a GitHub Issue
- Security-sensitive issues: Use the GitHub Security tab (Security > Advisories > New draft advisory) or email the maintainer directly
Please include:
- Description of the issue
- Steps to reproduce
- Expected vs actual behaviour
- Which invariant (if any) is violated
| Version | Supported |
|---|---|
| main (HEAD) | Yes |
| Tagged releases | Yes |
| Forks | No |
- No guarantees for external services, LLM integrations, or downstream repos
- No promise of uptime or availability (this is a library, not a service)
- No security review of third-party code that imports this primitive