feat(rust): add execution rings and lifecycle management to Rust SDK

Add two new modules to the agentmesh Rust crate:

- rings.rs: Four-level execution privilege ring model (Admin/Standard/
  Restricted/Sandboxed) with per-agent assignment and per-ring action
  permissions, ported from the Python hypervisor enforcer.

- lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through
  Decommissioned) with validated state transitions and event history,
  matching the lifecycle model used across other SDK languages.

Both modules include comprehensive unit tests and are re-exported from
the crate root. README updated with API tables and usage examples.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: imran-siddique

packages/agent-mesh/sdks/rust/agentmesh/README.md

@@ -195,6 +195,70 @@ policies:
     window: "60s"
 ```
 
+### Execution Rings (`rings.rs`)
+
+Four-level privilege model inspired by hardware protection rings.
+
+| Function / Method | Description |
+|---|---|
+| `RingEnforcer::new()` | Create a new enforcer with no assignments |
+| `enforcer.assign(agent_id, ring)` | Assign an agent to a ring |
+| `enforcer.get_ring(agent_id)` | Get assigned ring (if any) |
+| `enforcer.check_access(agent_id, action)` | Check if action is permitted |
+| `enforcer.set_ring_permissions(ring, actions)` | Configure allowed actions for a ring |
+
+Ring levels:
+
+| Ring | Level | Access |
+|------|-------|--------|
+| `Admin` | 0 | All actions allowed |
+| `Standard` | 1 | Configurable actions |
+| `Restricted` | 2 | Configurable actions |
+| `Sandboxed` | 3 | All actions denied |
+
+```rust
+use agentmesh::{RingEnforcer, Ring};
+
+let mut enforcer = RingEnforcer::new();
+enforcer.set_ring_permissions(Ring::Standard, vec!["data.read".into(), "data.write".into()]);
+enforcer.assign("my-agent", Ring::Standard);
+
+assert!(enforcer.check_access("my-agent", "data.read"));
+assert!(!enforcer.check_access("my-agent", "shell:rm"));
+```
+
+### Agent Lifecycle (`lifecycle.rs`)
+
+Eight-state lifecycle model tracking an agent from provisioning through decommissioning.
+
+| Function / Method | Description |
+|---|---|
+| `LifecycleManager::new(agent_id)` | Create a new manager (starts in `Provisioning`) |
+| `manager.state()` | Get current lifecycle state |
+| `manager.events()` | Get recorded transition events |
+| `manager.transition(to, reason, initiated_by)` | Transition to a new state |
+| `manager.can_transition(to)` | Check if a transition is valid |
+| `manager.activate(reason)` | Convenience: transition to `Active` |
+| `manager.suspend(reason)` | Convenience: transition to `Suspended` |
+| `manager.quarantine(reason)` | Convenience: transition to `Quarantined` |
+| `manager.decommission(reason)` | Convenience: transition to `Decommissioning` |
+
+Lifecycle states: `Provisioning` -> `Active` <-> `Suspended` / `Rotating` / `Degraded` -> `Quarantined` -> `Decommissioning` -> `Decommissioned`
+
+```rust
+use agentmesh::{LifecycleManager, LifecycleState};
+
+let mut mgr = LifecycleManager::new("my-agent");
+mgr.activate("initial boot").unwrap();
+assert_eq!(mgr.state(), LifecycleState::Active);
+
+mgr.suspend("maintenance window").unwrap();
+assert_eq!(mgr.state(), LifecycleState::Suspended);
+
+mgr.activate("maintenance complete").unwrap();
+assert_eq!(mgr.events().len(), 3);
+```
+
 ## License
 
 See repository root [LICENSE](../../../../LICENSE).

packages/agent-mesh/sdks/rust/agentmesh/src/lib.rs

@@ -20,15 +20,19 @@
 
 pub mod audit;
 pub mod identity;
+pub mod lifecycle;
 pub mod mcp;
 pub mod policy;
+pub mod rings;
 pub mod trust;
 pub mod types;
 
 pub use audit::AuditLogger;
 pub use identity::{AgentIdentity, PublicIdentity};
+pub use lifecycle::{LifecycleEvent, LifecycleManager, LifecycleState};
 pub use mcp::*;
 pub use policy::{PolicyEngine, PolicyError};
+pub use rings::{Ring, RingEnforcer};
 pub use trust::{TrustConfig, TrustManager};
 pub use types::{
     AuditEntry, AuditFilter, CandidateDecision, ConflictResolutionStrategy, GovernanceResult,