decision_agent 0.1.4 → 0.1.6

data/lib/decision_agent/testing/test_scenario.rb

@@ -0,0 +1,42 @@
+module DecisionAgent
+  module Testing
+    # Represents a single test scenario with context and expected results
+    class TestScenario
+      attr_reader :id, :context, :expected_decision, :expected_confidence, :metadata
+
+      def initialize(id:, context:, expected_decision: nil, expected_confidence: nil, metadata: {})
+        @id = id.to_s.freeze
+        @context = context.is_a?(Hash) ? context.freeze : context
+        @expected_decision = expected_decision&.to_s&.freeze
+        @expected_confidence = expected_confidence&.to_f if expected_confidence
+        @metadata = metadata.is_a?(Hash) ? metadata.freeze : metadata
+
+        freeze
+      end
+
+      def to_h
+        {
+          id: @id,
+          context: @context,
+          expected_decision: @expected_decision,
+          expected_confidence: @expected_confidence,
+          metadata: @metadata
+        }
+      end
+
+      def expected_result?
+        !@expected_decision.nil?
+      end
+
+      def ==(other)
+        other.is_a?(TestScenario) &&
+          @id == other.id &&
+          @context == other.context &&
+          @expected_decision == other.expected_decision &&
+          (@expected_confidence.nil? || other.expected_confidence.nil? ||
+           (@expected_confidence - other.expected_confidence).abs < 0.0001) &&
+          @metadata == other.metadata
+      end
+    end
+  end
+end

data/lib/decision_agent/version.rb

@@ -1,3 +1,12 @@
 module DecisionAgent
-  VERSION = "0.1.4".freeze
+  # Semantic version: MAJOR.MINOR.PATCH
+  # MAJOR: Incremented for incompatible API changes
+  # MINOR: Incremented for backward-compatible functionality additions
+  # PATCH: Incremented for backward-compatible bug fixes
+  VERSION = "0.1.6".freeze
+
+  # Validate version format (semantic versioning)
+  unless VERSION.match?(/\A\d+\.\d+\.\d+(-[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*)?(\+[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*)?\z/)
+    raise ArgumentError, "Invalid version format: #{VERSION}. Must follow semantic versioning (MAJOR.MINOR.PATCH)"
+  end
 end

data/lib/decision_agent/versioning/activerecord_adapter.rb

@@ -91,7 +91,7 @@ module DecisionAgent
           rule_version_class.where(rule_id: version.rule_id, status: "active")
                             .where.not(id: version_id)
                             .find_each do |v|
-            v.update!(status: "archived")
+                              v.update!(status: "archived")
           end
 
           # Activate this version

data/lib/decision_agent/versioning/file_storage_adapter.rb

@@ -88,14 +88,24 @@ module DecisionAgent
 
       def get_version(version_id:)
         # Use index to find rule_id quickly - O(1) instead of O(n)
-        rule_id = get_rule_id_from_index(version_id)
+        begin
+          rule_id = get_rule_id_from_index(version_id)
+        rescue StandardError
+          # If index lookup fails, version doesn't exist
+          return nil
+        end
         return nil unless rule_id
 
         # Now lock on the specific rule
-        with_rule_lock(rule_id) do
-          # Read only this rule's versions
-          versions = list_versions_unsafe(rule_id: rule_id)
-          versions.find { |v| v[:id] == version_id }
+        begin
+          with_rule_lock(rule_id) do
+            # Read only this rule's versions
+            versions = list_versions_unsafe(rule_id: rule_id)
+            versions.find { |v| v[:id] == version_id }
+          end
+        rescue StandardError
+          # If any error occurs during lookup, treat as version not found
+          nil
         end
       end
 
@@ -140,34 +150,85 @@ module DecisionAgent
 
       def delete_version(version_id:)
         # Use index to find rule_id quickly - O(1) instead of O(n)
-        rule_id = get_rule_id_from_index(version_id)
-        raise DecisionAgent::NotFoundError, "Version not found: #{version_id}" unless rule_id
+        begin
+          rule_id = get_rule_id_from_index(version_id)
+        rescue StandardError
+          # If index lookup fails, version doesn't exist
+          raise DecisionAgent::NotFoundError, "Version not found: #{version_id}"
+        end
 
-        # Now lock on the specific rule
-        with_rule_lock(rule_id) do
-          # Read only this rule's versions
-          versions = list_versions_unsafe(rule_id: rule_id)
-          version = versions.find { |v| v[:id] == version_id }
-          raise DecisionAgent::NotFoundError, "Version not found: #{version_id}" unless version
+        # Validate rule_id - must be present and non-empty
+        raise DecisionAgent::NotFoundError, "Version not found: #{version_id}" unless rule_id && !rule_id.to_s.strip.empty?
 
-          # Prevent deletion of active versions
-          if version[:status] == "active"
-            raise DecisionAgent::ValidationError, "Cannot delete active version. Please activate another version first."
+        # Now lock on the specific rule
+        begin
+          with_rule_lock(rule_id) do
+            # Read only this rule's versions
+            versions = list_versions_unsafe(rule_id: rule_id)
+            version = versions.find { |v| v[:id] == version_id || v[:id].to_s == version_id.to_s }
+
+            # If version not in list, check if file exists - might have been manually deleted
+            unless version
+              rule_dir = File.join(@storage_path, sanitize_filename(rule_id))
+              # Try to find the file by checking all version files
+              file_found = false
+              begin
+                Dir.glob(File.join(rule_dir, "*.json")).each do |filepath|
+                  file_data = JSON.parse(File.read(filepath))
+                  if file_data["id"] == version_id || file_data[:id] == version_id ||
+                     file_data["id"].to_s == version_id.to_s || file_data[:id].to_s == version_id.to_s
+                    # File exists but not in versions list - remove from index and return false
+                    file_found = true
+                    remove_from_index(version_id)
+                    return false
+                  end
+                rescue Errno::ENOENT, JSON::ParserError
+                  # File was deleted or corrupted, continue searching
+                  next
+                end
+              rescue Errno::ENOENT
+                # Directory doesn't exist, version not found
+              end
+              # Version not found in list and file doesn't exist - clean up index and return false
+              remove_from_index(version_id)
+              return false
+            end
+
+            # Prevent deletion of active versions
+            if version[:status] == "active"
+              raise DecisionAgent::ValidationError, "Cannot delete active version. Please activate another version first."
+            end
+
+            # Delete the file
+            rule_dir = File.join(@storage_path, sanitize_filename(rule_id))
+            filename = "#{version[:version_number]}.json"
+            filepath = File.join(rule_dir, filename)
+
+            if File.exist?(filepath)
+              File.delete(filepath)
+              # Remove from index
+              remove_from_index(version_id)
+              true
+            else
+              # File already deleted - clean up index and return false
+              remove_from_index(version_id)
+              false
+            end
           end
-
-          # Delete the file
-          rule_dir = File.join(@storage_path, sanitize_filename(rule_id))
-          filename = "#{version[:version_number]}.json"
-          filepath = File.join(rule_dir, filename)
-
-          if File.exist?(filepath)
-            File.delete(filepath)
-            # Remove from index
+        rescue DecisionAgent::ValidationError, DecisionAgent::NotFoundError
+          # Re-raise expected errors
+          raise
+        rescue StandardError
+          # If any unexpected error occurs during the lock operation, treat as version not found
+          # This prevents 500 errors from propagating when version doesn't exist or is in an invalid state
+          # This handles ThreadError (deadlocks, recursive locks), SystemCallError (file system issues), etc.
+          # This is safe because if the version existed and was valid, we would have found it above
+          begin
             remove_from_index(version_id)
-            true
-          else
-            false
+          rescue StandardError
+            nil
           end
+          raise DecisionAgent::NotFoundError, "Version not found: #{version_id}"
         end
       end
 
@@ -181,6 +242,9 @@ module DecisionAgent
 
         Dir.glob(File.join(rule_dir, "*.json")).each do |file|
           versions << JSON.parse(File.read(file), symbolize_names: true)
+        rescue JSON::ParserError, Errno::ENOENT
+          # Skip corrupted or deleted files
+          next
         end
 
         versions.sort_by! { |v| -v[:version_number] }
@@ -249,6 +313,10 @@ module DecisionAgent
       def with_rule_lock(rule_id, &block)
         mutex = @rule_mutexes_lock.synchronize { @rule_mutexes[rule_id] }
         mutex.synchronize(&block)
+      rescue ThreadError => e
+        # Handle potential deadlock or recursive locking issues in Ruby 3.3+
+        # Re-raise as StandardError so it can be caught by callers
+        raise StandardError, "Lock error: #{e.message}"
       end
 
       # Index management methods for O(1) version_id -> rule_id lookups

data/lib/decision_agent/web/middleware/auth_middleware.rb

@@ -0,0 +1,45 @@
+require "rack"
+
+module DecisionAgent
+  module Web
+    module Middleware
+      class AuthMiddleware
+        def initialize(app, authenticator:, access_audit_logger: nil)
+          @app = app
+          @authenticator = authenticator
+          @access_audit_logger = access_audit_logger
+        end
+
+        def call(env)
+          request = Rack::Request.new(env)
+          token = extract_token(request)
+
+          if token
+            auth_result = @authenticator.authenticate(token)
+            if auth_result
+              env["decision_agent.user"] = auth_result[:user]
+              env["decision_agent.session"] = auth_result[:session]
+            end
+          end
+
+          @app.call(env)
+        end
+
+        private
+
+        def extract_token(request)
+          # Check Authorization header: Bearer <token>
+          auth_header = request.get_header("HTTP_AUTHORIZATION")
+          return auth_header[7..] if auth_header&.start_with?("Bearer ")
+
+          # Check session cookie
+          cookie_token = request.cookies["decision_agent_session"]
+          return cookie_token if cookie_token
+
+          # Check query parameter (less secure, but useful for some cases)
+          request.params["token"]
+        end
+      end
+    end
+  end
+end

data/lib/decision_agent/web/middleware/permission_middleware.rb

@@ -0,0 +1,94 @@
+require "rack"
+require "json"
+
+module DecisionAgent
+  module Web
+    module Middleware
+      class PermissionMiddleware
+        def initialize(app, permission_checker:, required_permission: nil, access_audit_logger: nil)
+          @app = app
+          @permission_checker = permission_checker
+          @required_permission = required_permission
+          @access_audit_logger = access_audit_logger
+        end
+
+        def call(env)
+          user = env["decision_agent.user"]
+
+          return unauthorized_response("Authentication required") unless user
+
+          # Check if user is active using the adapter
+          return forbidden_response("User account is not active") unless @permission_checker.active?(user)
+
+          if @required_permission
+            resource_type = extract_resource_type(env)
+            resource_id = extract_resource_id(env)
+
+            granted = @permission_checker.can?(user, @required_permission, nil)
+
+            if @access_audit_logger
+              user_id = @permission_checker.user_id(user)
+              @access_audit_logger.log_permission_check(
+                user_id: user_id,
+                permission: @required_permission,
+                resource_type: resource_type,
+                resource_id: resource_id,
+                granted: granted
+              )
+            end
+
+            return forbidden_response("Permission denied: #{@required_permission}") unless granted
+          end
+
+          @app.call(env)
+        end
+
+        private
+
+        def extract_resource_type(env)
+          request = Rack::Request.new(env)
+          # Try to extract from path, e.g., /api/rules/:id -> "rule"
+          path = request.path
+          if (match = path.match(%r{/api/(\w+)}))
+            # Simple singularize: remove trailing 's'
+            word = match[1]
+            word&.end_with?("s") ? word[0..-2] : word
+          end
+        end
+
+        def extract_resource_id(env)
+          request = Rack::Request.new(env)
+          # Try params first (for query parameters and Sinatra path params)
+          resource_id = request.params["id"] || request.params["rule_id"] || request.params["version_id"]
+
+          # If not in params, try to extract from path (e.g., /api/rules/123 -> 123)
+          unless resource_id
+            path = request.path
+            # Match patterns like /api/rules/123 or /api/versions/v1
+            if (match = path.match(%r{/api/(?:rules|versions)/([^/]+)}))
+              resource_id = match[1]
+            end
+          end
+
+          resource_id
+        end
+
+        def unauthorized_response(message)
+          [
+            401,
+            { "Content-Type" => "application/json" },
+            [{ error: message }.to_json]
+          ]
+        end
+
+        def forbidden_response(message)
+          [
+            403,
+            { "Content-Type" => "application/json" },
+            [{ error: message }.to_json]
+          ]
+        end
+      end
+    end
+  end
+end