Bus health, error frames, and reconnect

The CAN-specific health surface. This cluster :satisfies: CAN (SocketCAN) reference c... (FEAT_0046).

Feature: Bus health, error frames, and reconnect FEAT_0049
status: open
satisfies: FEAT_0046
is satisfied by: REQ_0630, REQ_0631, REQ_0632, REQ_0633, REQ_0634, REQ_0635, REQ_0636, REQ_0643, REQ_0644

The CAN-specific health surface: per-interface state aggregated into the connector’s single externally-visible ConnectorHealth, error-frame consumption driving transitions internally, and ReconnectPolicy-driven socket reopen on bus-off. Health-event semantics inherit from Connection lifecycle (FEAT_0034).
Requirement: ConnectorHealth aggregates per-iface state via worst-of REQ_0630
status: approved
satisfies: FEAT_0049
is refined by: IMPL_0080, ARCH_0062
is implemented by: BB_0072
is verified by: TEST_0507

The single externally-visible ConnectorHealth reported by CanConnector shall be the worst (least-healthy) of the per-interface sub-states held by the gateway: any interface Down shall surface as Degraded while at least one other interface remains Up, and shall surface as Down only when every owned interface is Down. Per-interface reasons shall be carried in the HealthEvent payload (e.g. DegradedReason::IfaceDown { iface: "can1" }).
Requirement: Error frames consumed internally REQ_0631
status: approved
satisfies: FEAT_0049
is refined by: IMPL_0080
is implemented by: BB_0072
is verified by: TEST_0513

The gateway shall enable the CAN_ERR_FLAG error-frame reporting mode on each owned interface via setsockopt(SOL_CAN_RAW, CAN_RAW_ERR_FILTER, CAN_ERR_MASK), consume error frames inside its RX loop, and use them only to drive ConnectorHealth transitions. Error frames shall not reach any plugin-visible channel (re-affirmed by NO plugin-visible error-fra... (REQ_0643)).
Requirement: error-passive transitions to Degraded REQ_0632
status: approved
satisfies: FEAT_0049
is refined by: IMPL_0080, ARCH_0062
is verified by: TEST_0507

When an interface reports an error-passive or error-warning condition via an error frame, the gateway shall transition that interface’s sub-state to Degraded with a reason identifying the interface and the kernel error class (DegradedReason::ErrorPassive { iface }).
Requirement: bus-off transitions to Down and triggers reconnect REQ_0633
status: approved
satisfies: FEAT_0049
is refined by: IMPL_0080, ARCH_0062
is verified by: TEST_0506

When an interface reports a bus-off condition via an error frame, the gateway shall transition that interface’s sub-state to Down, close the underlying socket, and schedule a reopen attempt governed by the connector’s ReconnectPolicy. Once the socket is reopened, the gateway shall re-apply the per-interface filter (Per-interface filter is the... (REQ_0622)) before transitioning back through Connecting.
Requirement: ReconnectPolicy reused; ExponentialBackoff default REQ_0634
status: approved
satisfies: FEAT_0049
is refined by: IMPL_0080, ARCH_0062
is verified by: TEST_0506

The CAN connector shall use the framework-level ReconnectPolicy trait (ReconnectPolicy trait (REQ_0232)) with ExponentialBackoff (ExponentialBackoff default ... (REQ_0233)) as the default implementation, configurable via CanConnectorOptions::reconnect_policy. This is the EtherCAT posture (contrast NO ReconnectPolicy on Zenoh... (REQ_0441) for Zenoh’s stack-internal posture) — SocketCAN exposes raw bus-off events and the gateway owns the reopen.
Requirement: HealthEvent emitted on every transition REQ_0635
status: approved
satisfies: FEAT_0049
is refined by: IMPL_0080, ARCH_0062
is verified by: TEST_0507

Every transition between ConnectorHealth variants — including per-interface sub-state transitions that change the aggregated state per ConnectorHealth aggregates ... (REQ_0630) — shall emit one HealthEvent on the connector’s health channel (re-affirms HealthEvent emitted on ever... (REQ_0234)).
Requirement: Error frames not exposed to plugin REQ_0636
status: approved
satisfies: FEAT_0049
is refined by: IMPL_0080
is verified by: TEST_0513

No ChannelReader<T> shall ever observe a CAN error frame as a Received<T> value. Error-frame visibility is confined to the gateway and surfaced exclusively through ConnectorHealth and HealthEvent. This is the project posture chosen during brainstorming over a plugin-visible error channel; reconsider only if a downstream consumer demonstrates a concrete need.