access-controller: clear backoff_until on grant-after-sync

jveski · jveski · commit 65fd81015bb5 · 2026-05-19T15:16:00.000Z
Defensively reset `backoff_until` alongside `failed_attempts` in the
SyncComplete-allowed branch of AccessCore so the two counters stay in
lockstep on a successful grant-after-sync.

The state machine as written cannot currently reach SyncComplete-grant
with a future `backoff_until` (a sync-denial clears pending_recheck
via .take(), and re-arming pending_recheck requires a card outside the
backoff window), so this is not a fix for an observable bug — it's
hygiene against future refactors weakening that invariant.

Strengthens grant_after_sync_resets_failed_attempts to also assert
backoff_until == 0 after the sync-grant.
diff --git a/access-controller/src/core.rs b/access-controller/src/core.rs
@@ -152,12 +152,16 @@ impl AccessCore {
                     let allowed =
                         fobs.iter().any(|&f| f == fob) || fobs.iter().any(|&f| f == nfc);
                     if allowed {
-                        // Mirror main.rs:336-340 — failed_attempts is reset
-                        // to 0 here, but `backoff_until` is intentionally
-                        // *not* cleared. A grant after sync therefore still
-                        // honors any outstanding backoff window for future
-                        // card reads. Tests pin this behavior.
+                        // Defensively clear both failed_attempts and
+                        // backoff_until on a grant-after-sync. The state
+                        // machine currently can't reach SyncComplete-grant
+                        // with a future backoff_until (a sync-denial clears
+                        // pending_recheck, and a card outside backoff is
+                        // required to re-arm it), but keeping the two
+                        // counters in lockstep avoids surprises if that
+                        // invariant ever weakens.
                         self.failed_attempts = 0;
+                        self.backoff_until = 0;
                         let _ = out.push(Effect::Feedback(Outcome::Granted));
                         let _ = out.push(Effect::OpenDoor);
                     } else {
diff --git a/access-controller/tests/access_core.rs b/access-controller/tests/access_core.rs
@@ -268,6 +268,8 @@ fn grant_after_sync_resets_failed_attempts() {
     let eff = s.sync();
     assert!(contains_open_door(&eff));
     assert_eq!(s.core.failed_attempts(), 0);
+    assert_eq!(s.core.backoff_until(), 0,
+        "grant-after-sync must clear backoff_until alongside failed_attempts");
 }
 
 // ---------------------------------------------------------------------------

Original file line number	Diff line number	Diff line change
`@@ -268,6 +268,8 @@ fn grant_after_sync_resets_failed_attempts() {`
`268`	`268`	`let eff = s.sync();`
`269`	`269`	`assert!(contains_open_door(&eff));`
`270`	`270`	`assert_eq!(s.core.failed_attempts(), 0);`
	`271`	`+ assert_eq!(s.core.backoff_until(), 0,`
	`272`	`+ "grant-after-sync must clear backoff_until alongside failed_attempts");`
`271`	`273`	`}`
`272`	`274`
`273`	`275`	`// ---------------------------------------------------------------------------`