Description
src/incident/containment.rs line ~42 has a TODO: "Implement actual containment effects (Phase 7 T076-T080)". The containment primitives (FreezeHost, QuarantineWorkloadClass, BlockSubmitter, RevokeArtifact, DrainHostPool) create audit records but do not execute real enforcement.
Requirements
- FreezeHost: Send SIGSTOP to all sandbox processes on target host, block new lease assignments
- QuarantineWorkloadClass: Update policy engine to reject jobs of the quarantined class
- BlockSubmitter: Add submitter to ban list, reject new submissions, cancel in-flight jobs
- RevokeArtifact: Remove artifact from approved registry, halt jobs using it
- DrainHostPool: Gracefully migrate all workloads off a set of hosts, block new assignments
- All actions must complete within 60 seconds (per spec)
- All actions produce immutable audit records with actor identity, justification, reversibility
Success Criteria
- cargo test passes
Testing (Principle V)
- Start real sandbox, trigger FreezeHost, verify processes stopped
- Submit job of quarantined class → rejected
- Block submitter, verify in-flight job cancelled
- Revoke artifact, verify running job using it is halted
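The BlockSubmitter requirement from this issue, as an added example that is not the project's code: ban the submitter first, cancel in-flight jobs within the time budget, and always write the audit record. `Scheduler`, `AuditRecord`, `JobState`, the `completed` field and the choice of `reversible: true` are assumptions, since the issue does not show the real types in src/incident/containment.rs.

```rust
use std::collections::{HashMap, HashSet};
use std::time::{Duration, Instant};

/// Audit fields required by the issue: actor identity, justification, reversibility.
#[derive(Debug, Clone, PartialEq)]
pub struct AuditRecord {
    pub action: &'static str,
    pub target: String,
    pub actor: String,
    pub justification: String,
    pub reversible: bool, // assumption: a ban can be lifted later
    pub completed: bool,  // false if the time budget ran out
}

#[derive(Debug, PartialEq)]
pub enum JobState { Running, Cancelled }
/// Hypothetical in-memory state; the project's real types are not shown in the issue.
#[derive(Default)]
pub struct Scheduler {
    banned: HashSet<String>,
    jobs: HashMap<u64, (String, JobState)>, // job id -> (submitter, state)
    audit: Vec<AuditRecord>, // private and append-only: nothing edits or removes entries
}

impl Scheduler {
    pub fn submit(&mut self, submitter: &str) -> Result<u64, &'static str> {
        if self.banned.contains(submitter) { return Err("submitter blocked"); }
        let id = self.jobs.len() as u64 + 1; // jobs are never removed, so ids stay unique
        self.jobs.insert(id, (submitter.to_string(), JobState::Running));
        Ok(id)
    }
    /// BlockSubmitter: ban first so no new job races in, cancel in-flight jobs, always audit.
    pub fn block_submitter(&mut self, submitter: &str, actor: &str, why: &str, budget: Duration) -> Result<usize, &'static str> {
        let deadline = Instant::now() + budget; // the issue's limit is 60 seconds
        self.banned.insert(submitter.to_string());
        let (mut cancelled, mut completed) = (0, true);
        for (owner, state) in self.jobs.values_mut() {
            if Instant::now() > deadline { completed = false; break; }
            if owner.as_str() == submitter && *state == JobState::Running {
                *state = JobState::Cancelled;
                cancelled += 1;
            }
        }
        self.audit.push(AuditRecord { action: "BlockSubmitter", target: submitter.into(),
            actor: actor.into(), justification: why.into(), reversible: true, completed });
        if completed { Ok(cancelled) } else { Err("containment deadline exceeded") }
    }
    pub fn job_state(&self, id: u64) -> Option<&JobState> { self.jobs.get(&id).map(|(_, s)| s) }
    pub fn audit_log(&self) -> &[AuditRecord] { &self.audit }
}
```

Inserting into the ban list before the cancellation loop is what closes the window in which a blocked submitter could enqueue a new job while old ones are still being cancelled.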