grpc 1.81.1-x86_64-linux-gnu → 1.82.0.pre1-x86_64-linux-gnu

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3f1229bc1cb7ad91cd9d265e095b21bb1780f867849d1ebfdadf3ec9d6c697ce
-  data.tar.gz: 8a27c576c0a97ae7c8f417e0fa130c3417a5f25a01b600486ad069c540f0ee24
+  metadata.gz: 5881bb63318f3857ae2ce5e34641762b423bb32d9b56bdae2199712a7ec3f134
+  data.tar.gz: 04b0842077a131d977ae3582be631dd6ca0f193519c8ed0ef0e0bab90261feb5
 SHA512:
-  metadata.gz: abfa910f43f34404d25366a5f6c1f5c7fb23fe7d79b4b1ab7b260e1dd105496e83b138ac20ed8e577aede4878c556e9ef20cdb451934ceffc4eb561f3f30a9be
-  data.tar.gz: 660fde59cedd087856d57378354349a27233e80b62890686fa08d66e67f1556bb92905ec6f06a7f27a60788c5956bef6311585ee1607c01609035c3bd509abcb
+  metadata.gz: a8d113a85c9b333084878e443ca590a614d0880369ee26ea494d1682925542fffccadb72057f93ec1b2e7f02e8aec84749acd3fd32f4f4a6e987c8008194119c
+  data.tar.gz: 4ecb955656af24bf55fdc4b859cbc634094245a747c7f08adc0553174825c4f95d74d3c27c2d23d3b3145ce80f5761f9ece4b5b000d7f457edfaf1953b6063a2

data/src/ruby/ext/grpc/rb_byte_buffer.c

@@ -23,6 +23,7 @@
 #include <grpc/byte_buffer_reader.h>
 #include <grpc/grpc.h>
 #include <grpc/slice.h>
+#include <stdbool.h>
 
 #include "rb_grpc.h"
 #include "rb_grpc_imports.generated.h"

data/src/ruby/ext/grpc/rb_call.c

@@ -23,8 +23,11 @@
 #include <grpc/grpc.h>
 #include <grpc/impl/codegen/compression_types.h>
 #include <grpc/support/alloc.h>
+#include <stdbool.h>
 
 #include "rb_byte_buffer.h"
+/* TODO(nnepal): Include grpc/grpc_security.h for pure ruby call
+ * credentials after rb_call_credentials gets removed */
 #include "rb_call_credentials.h"
 #include "rb_completion_queue.h"
 #include "rb_grpc.h"

data/src/ruby/ext/grpc/rb_call_credentials.c

@@ -26,6 +26,7 @@
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
 #include <ruby/thread.h>
+#include <stdbool.h>
 
 #include "rb_call.h"
 #include "rb_event_thread.h"

data/src/ruby/ext/grpc/rb_channel.c

@@ -27,6 +27,7 @@
 #include <grpc/support/log.h>
 #include <grpc/support/time.h>
 #include <ruby/thread.h>
+#include <stdbool.h>
 
 #include "rb_byte_buffer.h"
 #include "rb_call.h"

data/src/ruby/ext/grpc/rb_channel_args.c

@@ -23,6 +23,7 @@
 #include <grpc/grpc.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/string_util.h>
+#include <stdbool.h>
 
 #include "rb_grpc.h"
 #include "rb_grpc_imports.generated.h"

data/src/ruby/ext/grpc/rb_channel_credentials.c

@@ -24,6 +24,7 @@
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
 #include <grpc/support/alloc.h>
+#include <stdbool.h>
 #include <string.h>
 
 #include "rb_call_credentials.h"

data/src/ruby/ext/grpc/rb_completion_queue.c

@@ -24,6 +24,7 @@
 #include <grpc/support/log.h>
 #include <grpc/support/time.h>
 #include <ruby/thread.h>
+#include <stdbool.h>
 
 #include "rb_grpc.h"
 #include "rb_grpc_imports.generated.h"

data/src/ruby/ext/grpc/rb_compression_options.c

@@ -26,6 +26,7 @@
 #include <grpc/impl/grpc_types.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/string_util.h>
+#include <stdbool.h>
 #include <string.h>
 
 #include "rb_byte_buffer.h"

data/src/ruby/ext/grpc/rb_grpc_imports.generated.c

@@ -159,9 +159,9 @@ grpc_server_register_method_type grpc_server_register_method_import;
 grpc_server_request_registered_call_type grpc_server_request_registered_call_import;
 grpc_server_create_type grpc_server_create_import;
 grpc_server_register_completion_queue_type grpc_server_register_completion_queue_import;
+grpc_server_config_fetcher_arg_vtable_type grpc_server_config_fetcher_arg_vtable_import;
 grpc_server_config_fetcher_xds_create_type grpc_server_config_fetcher_xds_create_import;
-grpc_server_config_fetcher_destroy_type grpc_server_config_fetcher_destroy_import;
-grpc_server_set_config_fetcher_type grpc_server_set_config_fetcher_import;
+grpc_server_config_fetcher_unref_type grpc_server_config_fetcher_unref_import;
 grpc_server_add_http2_port_type grpc_server_add_http2_port_import;
 grpc_server_start_type grpc_server_start_import;
 grpc_server_shutdown_and_notify_type grpc_server_shutdown_and_notify_import;
@@ -448,9 +448,9 @@ void grpc_rb_load_imports(HMODULE library) {
   grpc_server_request_registered_call_import = (grpc_server_request_registered_call_type) GetProcAddress(library, "grpc_server_request_registered_call");
   grpc_server_create_import = (grpc_server_create_type) GetProcAddress(library, "grpc_server_create");
   grpc_server_register_completion_queue_import = (grpc_server_register_completion_queue_type) GetProcAddress(library, "grpc_server_register_completion_queue");
+  grpc_server_config_fetcher_arg_vtable_import = (grpc_server_config_fetcher_arg_vtable_type) GetProcAddress(library, "grpc_server_config_fetcher_arg_vtable");
   grpc_server_config_fetcher_xds_create_import = (grpc_server_config_fetcher_xds_create_type) GetProcAddress(library, "grpc_server_config_fetcher_xds_create");
-  grpc_server_config_fetcher_destroy_import = (grpc_server_config_fetcher_destroy_type) GetProcAddress(library, "grpc_server_config_fetcher_destroy");
-  grpc_server_set_config_fetcher_import = (grpc_server_set_config_fetcher_type) GetProcAddress(library, "grpc_server_set_config_fetcher");
+  grpc_server_config_fetcher_unref_import = (grpc_server_config_fetcher_unref_type) GetProcAddress(library, "grpc_server_config_fetcher_unref");
   grpc_server_add_http2_port_import = (grpc_server_add_http2_port_type) GetProcAddress(library, "grpc_server_add_http2_port");
   grpc_server_start_import = (grpc_server_start_type) GetProcAddress(library, "grpc_server_start");
   grpc_server_shutdown_and_notify_import = (grpc_server_shutdown_and_notify_type) GetProcAddress(library, "grpc_server_shutdown_and_notify");

data/src/ruby/ext/grpc/rb_grpc_imports.generated.h

@@ -453,15 +453,15 @@ extern grpc_server_create_type grpc_server_create_import;
 typedef void(*grpc_server_register_completion_queue_type)(grpc_server* server, grpc_completion_queue* cq, void* reserved);
 extern grpc_server_register_completion_queue_type grpc_server_register_completion_queue_import;
 #define grpc_server_register_completion_queue grpc_server_register_completion_queue_import
+typedef const grpc_arg_pointer_vtable*(*grpc_server_config_fetcher_arg_vtable_type)(void);
+extern grpc_server_config_fetcher_arg_vtable_type grpc_server_config_fetcher_arg_vtable_import;
+#define grpc_server_config_fetcher_arg_vtable grpc_server_config_fetcher_arg_vtable_import
 typedef grpc_server_config_fetcher*(*grpc_server_config_fetcher_xds_create_type)(grpc_server_xds_status_notifier notifier, const grpc_channel_args* args);
 extern grpc_server_config_fetcher_xds_create_type grpc_server_config_fetcher_xds_create_import;
 #define grpc_server_config_fetcher_xds_create grpc_server_config_fetcher_xds_create_import
-typedef void(*grpc_server_config_fetcher_destroy_type)(grpc_server_config_fetcher* config_fetcher);
-extern grpc_server_config_fetcher_destroy_type grpc_server_config_fetcher_destroy_import;
-#define grpc_server_config_fetcher_destroy grpc_server_config_fetcher_destroy_import
-typedef void(*grpc_server_set_config_fetcher_type)(grpc_server* server, grpc_server_config_fetcher* config_fetcher);
-extern grpc_server_set_config_fetcher_type grpc_server_set_config_fetcher_import;
-#define grpc_server_set_config_fetcher grpc_server_set_config_fetcher_import
+typedef void(*grpc_server_config_fetcher_unref_type)(grpc_server_config_fetcher* config_fetcher);
+extern grpc_server_config_fetcher_unref_type grpc_server_config_fetcher_unref_import;
+#define grpc_server_config_fetcher_unref grpc_server_config_fetcher_unref_import
 typedef int(*grpc_server_add_http2_port_type)(grpc_server* server, const char* addr, grpc_server_credentials* creds);
 extern grpc_server_add_http2_port_type grpc_server_add_http2_port_import;
 #define grpc_server_add_http2_port grpc_server_add_http2_port_import

data/src/ruby/ext/grpc/rb_server.c

@@ -25,6 +25,7 @@
 #include <grpc/grpc_security.h>
 #include <grpc/support/atm.h>
 #include <grpc/support/log.h>
+#include <stdbool.h>
 
 #include "rb_byte_buffer.h"
 #include "rb_call.h"

data/src/ruby/ext/grpc/rb_server_credentials.c

@@ -23,6 +23,7 @@
 #include <grpc/credentials.h>
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
+#include <stdbool.h>
 
 #include "rb_grpc.h"
 #include "rb_grpc_imports.generated.h"

data/src/ruby/ext/grpc/rb_xds_channel_credentials.c

@@ -24,6 +24,7 @@
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
 #include <grpc/support/alloc.h>
+#include <stdbool.h>
 #include <string.h>
 
 #include "rb_call_credentials.h"

data/src/ruby/ext/grpc/rb_xds_server_credentials.c

@@ -23,6 +23,7 @@
 #include <grpc/credentials.h>
 #include <grpc/grpc.h>
 #include <grpc/grpc_security.h>
+#include <stdbool.h>
 
 #include "rb_grpc.h"
 #include "rb_grpc_imports.generated.h"

data/src/ruby/lib/grpc/core/call_credentials.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+# Copyright 2026 gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module GRPC
+  module Core
+    # CallCredentials represents per-call credentials.
+    class CallCredentials
+      attr_reader :auth_proc
+
+      def initialize(auth_proc = nil, &block)
+        @auth_proc = auth_proc || block
+        fail TypeError, 'Argument to CallCredentials#new must be a proc' unless @auth_proc.is_a?(Proc)
+      end
+
+      def get_metadata(context)
+        @auth_proc.call(context)
+      end
+
+      def composite?
+        false
+      end
+
+      def compose(*others)
+        return self if others.empty?
+        valid_others = validate_credentials_list!(others)
+        CompositeCallCredentials.new([self] + valid_others)
+      end
+
+      private
+
+      def validate_credentials_list!(list)
+        list.flatten.each do |o|
+          fail TypeError, "Argument to compose must be a CallCredentials, got #{o.class}" \
+            unless o.is_a?(CallCredentials)
+        end
+      end
+    end
+
+    class CompositeCallCredentials < CallCredentials
+      def initialize(*creds)
+        flat_creds = creds.flatten.flat_map do |c|
+          c.composite? ? c.creds : c
+        end
+        @creds = flat_creds.uniq
+        super(proc { |context| get_metadata(context) })
+      end
+
+      def composite?
+        true
+      end
+
+      def get_metadata(context)
+        @creds.each_with_object({}) do |c, metadata|
+          creds_metadata = c.get_metadata(context)
+          next unless creds_metadata
+          metadata.merge!(
+            creds_metadata.is_a?(Hash) ? creds_metadata : fail(TypeError, "Call credentials must return Hash or nil, got #{creds_metadata.class}")
+          )
+        end
+      end
+
+      def compose(*others)
+        return self if others.empty?
+        valid_others = validate_credentials_list!(others)
+        CompositeCallCredentials.new(@creds + valid_others)
+      end
+
+      protected
+
+      attr_reader :creds
+    end
+  end
+end

data/src/ruby/lib/grpc/core/channel_credentials.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+# Copyright 2026 gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module GRPC
+  module Core
+    # Provides shared #compose logic for channel credential classes.
+    # @api private
+    module ChannelCredentialsComposable
+      def compose(*others)
+        return self if others.empty?
+        flat_others = others.flatten
+
+        flat_others.each do |o|
+          fail TypeError, "Argument to compose must be a CallCredentials, got #{o.class}" \
+            unless o.is_a?(CallCredentials)
+        end
+
+        call_creds = flat_others.size == 1 ? flat_others.first : CompositeCallCredentials.new(flat_others)
+        CompositeChannelCredentials.new(self, call_creds)
+      end
+    end
+
+    class ChannelCredentials
+      prepend ChannelCredentialsComposable
+    end
+
+    class XdsChannelCredentials
+      prepend ChannelCredentialsComposable
+    end
+
+    class CompositeChannelCredentials
+      attr_reader :channel_credentials, :call_credentials
+
+      def initialize(channel_creds, call_creds)
+        @channel_credentials = channel_creds
+        @call_credentials = call_creds
+      end
+
+      def compose(*others)
+        return self if others.empty?
+        flat_others = others.flatten
+
+        flat_others.each do |o|
+          fail TypeError, "Argument to compose must be a CallCredentials, got #{o.class}" \
+            unless o.is_a?(CallCredentials)
+        end
+
+        if @call_credentials
+          CompositeChannelCredentials.new(@channel_credentials, @call_credentials.compose(*flat_others))
+        else
+          CompositeChannelCredentials.new(@channel_credentials, CompositeCallCredentials.new(flat_others))
+        end
+      end
+    end
+  end
+end

data/src/ruby/lib/grpc/core/credentials_helper.rb

@@ -0,0 +1,126 @@
+# Copyright 2026 gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module GRPC
+  module Core
+    # Utility methods for resolving and applying call credentials to metadata.
+    # @api private
+    module CallCredentialsHelper
+      VALID_HEADER_KEY_PATTERN = /\A[a-z0-9\-_.]+\z/
+
+      # Composes channel and per-call credentials when both present, otherwise
+      # returns whichever is available.
+      def self.resolve(channel_call_creds, call_credentials)
+        return channel_call_creds.compose(call_credentials) if channel_call_creds && call_credentials
+        channel_call_creds || call_credentials
+      end
+
+      # Returns true if +key+ is a valid gRPC metadata header key.
+      def self.valid_header_key?(key)
+        !key.nil? && !key.empty? && VALID_HEADER_KEY_PATTERN.match?(key)
+      end
+
+      # Parses an RPC method path into [service_url, method_name].
+      # e.g. '/echo.EchoServer/Echo' on 'foo.test.google.fr' gives
+      # ['https://foo.test.google.fr/echo.EchoServer', 'Echo'].
+      def self.parse_method_info(ssl_target, method)
+        return ["https://#{ssl_target}", nil] if method.nil? || method.empty?
+        last_slash = method.rindex('/')
+        service_path = last_slash&.positive? ? method[0, last_slash] : ''
+        [
+          "https://#{ssl_target}#{service_path}",
+          last_slash ? method[(last_slash + 1)..] : nil
+        ]
+      end
+
+      # Merges +creds_metadata+ into +metadata+, validating all keys.
+      # Raises GRPC::Unavailable on invalid type or illegal header keys.
+      def self.merge_creds_metadata!(creds_metadata, metadata)
+        return if creds_metadata.nil?
+        unless creds_metadata.is_a?(Hash)
+          fail GRPC::Unavailable, "Call credentials must return Hash or nil, got #{creds_metadata.class}"
+        end
+        creds_metadata.each do |key, value|
+          key_str = key.to_s
+          unless valid_header_key?(key_str)
+            fail GRPC::Unavailable, "Illegal metadata: '#{key_str}' is an invalid header key"
+          end
+          metadata[key_str] = value.is_a?(Array) ? value.map(&:to_s) : value.to_s
+        end
+      end
+
+      # Calls +credentials.get_metadata+ and merges the result into +metadata+.
+      # No-op when +credentials+ is nil or the channel is insecure.
+      # Raises GRPC::Unavailable on failure.
+      def self.apply(credentials, metadata, ssl_target, channel_creds, method = nil)
+        return unless credentials
+        return if channel_creds == :this_channel_is_insecure
+        service_url, method_name = parse_method_info(ssl_target, method)
+        context = { service_url: service_url, jwt_aud_uri: service_url, method_name: method_name }
+        begin
+          merge_creds_metadata!(credentials.get_metadata(context), metadata)
+        rescue GRPC::BadStatus
+          raise
+        rescue StandardError => e
+          fail GRPC::Unavailable, "Call credentials failed: #{e.message}"
+        end
+      end
+    end
+
+    # Prepended into ClientStub when the pure Ruby credentials path is active.
+    # Handles CompositeChannelCredentials splitting and applies credentials via
+    # metadata injection instead of the C extension set_credentials! path.
+    # @api private
+    module CompositeCredentialsHandler
+      def initialize(host, creds,
+                     channel_override: nil,
+                     timeout: nil,
+                     propagate_mask: nil,
+                     channel_args: {},
+                     interceptors: [])
+        if creds.is_a?(Core::CompositeChannelCredentials)
+          pure_call_creds = creds.call_credentials
+          creds = creds.channel_credentials
+          super(host, creds,
+                channel_override: channel_override,
+                timeout: timeout,
+                propagate_mask: propagate_mask,
+                channel_args: channel_args,
+                interceptors: interceptors)
+          @call_creds = pure_call_creds
+        else
+          super
+        end
+      end
+
+      # credentials is intentionally overridden to nil in super to skip set_credentials!
+      def new_active_call(method, marshal, unmarshal,
+                          deadline: nil,
+                          parent: nil,
+                          credentials: nil) # rubocop:disable Lint/UnusedMethodArgument
+        super(method, marshal, unmarshal,
+              deadline: deadline,
+              parent: parent,
+              credentials: nil)
+      end
+
+      private
+
+      def resolve_call_metadata(metadata, credentials, method)
+        resolved = CallCredentialsHelper.resolve(@call_creds, credentials)
+        metadata.dup.tap { |m| CallCredentialsHelper.apply(resolved, m, @host, @channel_creds, method) }
+      end
+    end
+  end
+end

data/src/ruby/lib/grpc/generic/client_stub.rb

@@ -79,10 +79,9 @@ module GRPC
     # when present, this is the default timeout used for calls
     #
     # @param host [String] the host the stub connects to
-    # @param creds [Core::ChannelCredentials|Symbol] the channel credentials, or
-    #     :this_channel_is_insecure, which explicitly indicates that the client
-    #     should be created with an insecure connection. Note: this argument is
-    #     ignored if the channel_override argument is provided.
+    # @param creds [Core::ChannelCredentials|Core::CallCredentials|Symbol]
+    #     ChannelCredentials, CallCredentials (creates default SSL channel), or
+    #     :this_channel_is_insecure. Ignored if channel_override is provided.
     # @param channel_override [Core::Channel] a pre-created channel
     # @param timeout [Number] the default timeout to use in requests
     # @param propagate_mask [Number] A bitwise combination of flags in
@@ -101,7 +100,18 @@ module GRPC
                    propagate_mask: nil,
                    channel_args: {},
                    interceptors: [])
-      @ch = ClientStub.setup_channel(channel_override, host, creds,
+      # Split credentials: CallCredentials alone create a default secure channel.
+      # CompositeChannelCredentials splitting is handled by Core::CompositeCredentialsHandler
+      # module when the pure Ruby toggle is enabled.
+      if creds.is_a?(Core::CallCredentials)
+        @call_creds    = creds
+        @channel_creds = Core::ChannelCredentials.new
+      else
+        @call_creds    = nil
+        @channel_creds = creds
+      end
+
+      @ch = ClientStub.setup_channel(channel_override, host, @channel_creds,
                                      channel_args.dup)
       alt_host = channel_args[Core::Channel::SSL_TARGET]
       @host = alt_host.nil? ? host : alt_host
@@ -154,30 +164,19 @@ module GRPC
                          credentials: nil,
                          metadata: {})
       c = new_active_call(method, marshal, unmarshal,
-                          deadline: deadline,
-                          parent: parent,
+                          deadline: deadline, parent: parent,
                           credentials: credentials)
-      interception_context = @interceptors.build_context
+
       intercept_args = {
         method: method,
         request: req,
         call: c.interceptable,
         metadata: metadata
       }
-      if return_op
-        # return the operation view of the active_call; define #execute as a
-        # new method for this instance that invokes #request_response.
-        c.merge_metadata_to_send(metadata)
-        op = c.operation
-        op.define_singleton_method(:execute) do
-          interception_context.intercept!(:request_response, intercept_args) do
-            c.request_response(req, metadata: metadata)
-          end
-        end
-        op
-      else
-        interception_context.intercept!(:request_response, intercept_args) do
-          c.request_response(req, metadata: metadata)
+
+      handle_return_op(c, return_op, metadata, credentials, method) do
+        execute_with_interceptors(:request_response, intercept_args, credentials, method, c) do |resolved_md|
+          c.request_response(req, metadata: resolved_md)
         end
       end
     end
@@ -231,30 +230,19 @@ module GRPC
                         credentials: nil,
                         metadata: {})
       c = new_active_call(method, marshal, unmarshal,
-                          deadline: deadline,
-                          parent: parent,
+                          deadline: deadline, parent: parent,
                           credentials: credentials)
-      interception_context = @interceptors.build_context
+
       intercept_args = {
         method: method,
         requests: requests,
         call: c.interceptable,
         metadata: metadata
       }
-      if return_op
-        # return the operation view of the active_call; define #execute as a
-        # new method for this instance that invokes #client_streamer.
-        c.merge_metadata_to_send(metadata)
-        op = c.operation
-        op.define_singleton_method(:execute) do
-          interception_context.intercept!(:client_streamer, intercept_args) do
-            c.client_streamer(requests)
-          end
-        end
-        op
-      else
-        interception_context.intercept!(:client_streamer, intercept_args) do
-          c.client_streamer(requests, metadata: metadata)
+
+      handle_return_op(c, return_op, metadata, credentials, method) do
+        execute_with_interceptors(:client_streamer, intercept_args, credentials, method, c) do |resolved_md|
+          c.client_streamer(requests, metadata: resolved_md)
         end
       end
     end
@@ -323,30 +311,19 @@ module GRPC
                         metadata: {},
                         &blk)
       c = new_active_call(method, marshal, unmarshal,
-                          deadline: deadline,
-                          parent: parent,
+                          deadline: deadline, parent: parent,
                           credentials: credentials)
-      interception_context = @interceptors.build_context
+
       intercept_args = {
         method: method,
         request: req,
         call: c.interceptable,
         metadata: metadata
       }
-      if return_op
-        # return the operation view of the active_call; define #execute
-        # as a new method for this instance that invokes #server_streamer
-        c.merge_metadata_to_send(metadata)
-        op = c.operation
-        op.define_singleton_method(:execute) do
-          interception_context.intercept!(:server_streamer, intercept_args) do
-            c.server_streamer(req, &blk)
-          end
-        end
-        op
-      else
-        interception_context.intercept!(:server_streamer, intercept_args) do
-          c.server_streamer(req, metadata: metadata, &blk)
+
+      handle_return_op(c, return_op, metadata, credentials, method) do
+        execute_with_interceptors(:server_streamer, intercept_args, credentials, method, c) do |resolved_md|
+          c.server_streamer(req, metadata: resolved_md, &blk)
         end
       end
     end
@@ -445,30 +422,19 @@ module GRPC
                       metadata: {},
                       &blk)
       c = new_active_call(method, marshal, unmarshal,
-                          deadline: deadline,
-                          parent: parent,
+                          deadline: deadline, parent: parent,
                           credentials: credentials)
-      interception_context = @interceptors.build_context
+
       intercept_args = {
         method: method,
         requests: requests,
         call: c.interceptable,
         metadata: metadata
       }
-      if return_op
-        # return the operation view of the active_call; define #execute
-        # as a new method for this instance that invokes #bidi_streamer
-        c.merge_metadata_to_send(metadata)
-        op = c.operation
-        op.define_singleton_method(:execute) do
-          interception_context.intercept!(:bidi_streamer, intercept_args) do
-            c.bidi_streamer(requests, &blk)
-          end
-        end
-        op
-      else
-        interception_context.intercept!(:bidi_streamer, intercept_args) do
-          c.bidi_streamer(requests, metadata: metadata, &blk)
+
+      handle_return_op(c, return_op, metadata, credentials, method) do
+        execute_with_interceptors(:bidi_streamer, intercept_args, credentials, method, c) do |resolved_md|
+          c.bidi_streamer(requests, metadata: resolved_md, &blk)
         end
       end
     end
@@ -480,6 +446,7 @@ module GRPC
     # @param method [string] the method being called.
     # @param marshal [Function] f(obj)->string that marshals requests
     # @param unmarshal [Function] f(string)->obj that unmarshals responses
+    # @param deadline [Time] (optional) the time the request should complete
     # @param parent [Grpc::Call] a parent call, available when calls are
     #   made from server
     # @param credentials [Core::CallCredentials] credentials to use when making
@@ -499,5 +466,51 @@ module GRPC
       ActiveCall.new(call, marshal, unmarshal, deadline,
                      started: false)
     end
+
+    # Runs the interceptor chain and resolves metadata/credentials exactly once
+    # at the end of the chain.
+    def execute_with_interceptors(rpc_type, intercept_args, credentials, method, call)
+      interception_context = @interceptors.build_context
+      call_started = false
+      already_finished = !call.status.nil?
+      begin
+        interception_context.intercept!(rpc_type, intercept_args) do
+          resolved_md = resolve_call_metadata(intercept_args[:metadata], credentials, method)
+          call_started = true
+          yield(resolved_md)
+        end
+      rescue StandardError => e
+        call.op_is_done unless call_started || already_finished
+        raise e
+      end
+    end
+
+    # Handles return_op lifecycle branching
+    def handle_return_op(call, return_op, metadata, credentials, method, &block)
+      if return_op
+        stub = self
+        op = call.operation
+        op.define_singleton_method(:execute) do
+          block.call
+        end
+        op.define_singleton_method(:start_call) do |op_metadata = {}|
+          resolved_md = stub.send(:resolve_call_metadata, metadata, credentials, method)
+          call.merge_metadata_to_send(resolved_md.merge(op_metadata))
+          call.send_initial_metadata
+        rescue StandardError => e
+          call.op_is_done unless call.metadata_sent
+          raise e
+        end
+        op
+      else
+        yield
+      end
+    end
+
+    def resolve_call_metadata(metadata, _credentials, _method)
+      metadata
+    end
+
+    private :resolve_call_metadata, :execute_with_interceptors, :handle_return_op
   end
 end

data/src/ruby/lib/grpc/generic/interceptors.rb

@@ -169,7 +169,7 @@ module GRPC
     def intercept!(type, args = {})
       return yield if @interceptors.none?
 
-      i = @interceptors.pop
+      i = @interceptors.shift
       return yield unless i
 
       i.send(type, **args) do

data/src/ruby/lib/grpc/version.rb

@@ -14,5 +14,5 @@
 
 # GRPC contains the General RPC module.
 module GRPC
-  VERSION = '1.81.1'
+  VERSION = '1.82.0.pre1'
 end

data/src/ruby/lib/grpc.rb

@@ -22,6 +22,25 @@ require_relative 'grpc/notifier'
 require_relative 'grpc/version'
 require_relative 'grpc/core/status_codes'
 require_relative 'grpc/core/time_consts'
+
+# Feature toggle: set GRPC_EXPERIMENTS=pure_ruby_call_credentials to enable.
+# Default (false): uses C extension path for backward compatibility.
+# NOTE: must be set before `require 'grpc'` — evaluated once at load time.
+module GRPC
+  PURE_RUBY_CALL_CREDENTIALS_ENABLED =
+    ENV.fetch('GRPC_EXPERIMENTS', '')
+       .split(',')
+       .map(&:strip)
+       .include?('pure_ruby_call_credentials')
+       .freeze
+end
+
+if GRPC::PURE_RUBY_CALL_CREDENTIALS_ENABLED
+  require_relative 'grpc/core/call_credentials'
+  require_relative 'grpc/core/channel_credentials'
+  require_relative 'grpc/core/credentials_helper'
+end
+
 require_relative 'grpc/generic/active_call'
 require_relative 'grpc/generic/client_stub'
 require_relative 'grpc/generic/service'
@@ -35,3 +54,9 @@ begin
 ensure
   file.close
 end
+
+# Prepend CompositeCredentialsHandler if pure Ruby credentials are enabled.
+# This must happen after all credential classes are loaded.
+if GRPC::PURE_RUBY_CALL_CREDENTIALS_ENABLED
+  GRPC::ClientStub.class_eval { prepend GRPC::Core::CompositeCredentialsHandler }
+end

data/src/ruby/spec/call_credentials_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Copyright 2015 gRPC authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,20 +18,35 @@ require 'spec_helper'
 
 describe GRPC::Core::CallCredentials do
   CallCredentials = GRPC::Core::CallCredentials
-
   let(:auth_proc) { proc { { 'plugin_key' => 'plugin_value' } } }
+  let(:auth_proc2) { proc { { 'plugin_key2' => 'plugin_value2' } } }
 
   describe '#new' do
     it 'can successfully create a CallCredentials from a proc' do
       expect { CallCredentials.new(auth_proc) }.not_to raise_error
     end
+
+    context 'pure Ruby path only' do
+      before do
+        skip 'pure Ruby path only: set GRPC_EXPERIMENTS=pure_ruby_call_credentials' \
+          unless GRPC::PURE_RUBY_CALL_CREDENTIALS_ENABLED
+      end
+
+      it 'can successfully create a CallCredentials from a block' do
+        expect { CallCredentials.new { { 'foo' => 'bar' } } }.not_to raise_error
+      end
+    end
+
+    it 'fails if initialized without a proc or block' do
+      expect { CallCredentials.new('not a proc') }.to raise_error(TypeError)
+    end
   end
 
   describe '#compose' do
     it 'can compose with another CallCredentials' do
       creds1 = CallCredentials.new(auth_proc)
       creds2 = CallCredentials.new(auth_proc)
-      expect { creds1.compose creds2 }.not_to raise_error
+      expect { creds1.compose(creds2) }.not_to raise_error
     end
 
     it 'can compose with multiple CallCredentials' do
@@ -38,5 +55,38 @@ describe GRPC::Core::CallCredentials do
       creds3 = CallCredentials.new(auth_proc)
       expect { creds1.compose(creds2, creds3) }.not_to raise_error
     end
+
+    context 'pure Ruby path only' do
+      before do
+        skip 'pure Ruby path only: set GRPC_EXPERIMENTS=pure_ruby_call_credentials' \
+          unless GRPC::PURE_RUBY_CALL_CREDENTIALS_ENABLED
+      end
+
+      it 'returns a CompositeCallCredentials with merged metadata' do
+        creds1 = CallCredentials.new(auth_proc)
+        creds2 = CallCredentials.new(auth_proc2)
+        composite = creds1.compose(creds2)
+        expect(composite).to be_a(GRPC::Core::CompositeCallCredentials)
+        expect(composite.get_metadata(nil))
+          .to eq({ 'plugin_key' => 'plugin_value', 'plugin_key2' => 'plugin_value2' })
+      end
+
+      it 'returns a CompositeCallCredentials when composing multiple' do
+        creds1 = CallCredentials.new(auth_proc)
+        creds2 = CallCredentials.new(auth_proc2)
+        creds3 = CallCredentials.new(proc { { 'plugin_key3' => 'plugin_value3' } })
+        composite = creds1.compose(creds2, creds3)
+        expect(composite).to be_a(GRPC::Core::CompositeCallCredentials)
+        expect(composite.get_metadata(nil))
+          .to eq({ 'plugin_key' => 'plugin_value',
+                   'plugin_key2' => 'plugin_value2',
+                   'plugin_key3' => 'plugin_value3' })
+      end
+
+      it 'fails if composed with non-CallCredentials' do
+        creds1 = CallCredentials.new(auth_proc)
+        expect { creds1.compose('not a cred') }.to raise_error(TypeError)
+      end
+    end
   end
 end

data/src/ruby/spec/credentials_helper_spec.rb

@@ -0,0 +1,80 @@
+# Copyright 2015 gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'spec_helper'
+require 'grpc/core/credentials_helper'
+
+describe GRPC::Core::CallCredentialsHelper do
+  before(:each) do
+    skip 'pure Ruby path only: set GRPC_EXPERIMENTS=pure_ruby_call_credentials' \
+      unless GRPC::PURE_RUBY_CALL_CREDENTIALS_ENABLED
+  end
+
+  describe '.resolve' do
+    it 'returns nil if both are nil' do
+      expect(GRPC::Core::CallCredentialsHelper.resolve(nil, nil)).to eq(nil)
+    end
+
+    it 'returns channel creds if call creds are nil' do
+      creds = double('creds')
+      expect(GRPC::Core::CallCredentialsHelper.resolve(creds, nil)).to eq(creds)
+    end
+
+    it 'returns call creds if channel creds are nil' do
+      creds = double('creds')
+      expect(GRPC::Core::CallCredentialsHelper.resolve(nil, creds)).to eq(creds)
+    end
+
+    it 'composes if both are present' do
+      creds1 = double('creds1')
+      creds2 = double('creds2')
+      expect(creds1).to receive(:compose).with(creds2).and_return('composite')
+      expect(GRPC::Core::CallCredentialsHelper.resolve(creds1, creds2)).to eq('composite')
+    end
+  end
+
+  describe '.apply' do
+    let(:metadata) { {} }
+    let(:creds) { double('creds') }
+
+    it 'does nothing if creds are nil' do
+      GRPC::Core::CallCredentialsHelper.apply(nil, metadata, 'host', 'channel_creds')
+      expect(metadata).to eq({})
+    end
+
+    it 'does nothing if channel is insecure' do
+      GRPC::Core::CallCredentialsHelper.apply(creds, metadata, 'host', :this_channel_is_insecure)
+      expect(metadata).to eq({})
+    end
+
+    it 'applies metadata if valid' do
+      expect(creds).to receive(:get_metadata).and_return({ 'foo' => 'bar' })
+      GRPC::Core::CallCredentialsHelper.apply(creds, metadata, 'host', 'secure_channel_creds')
+      expect(metadata).to eq({ 'foo' => 'bar' })
+    end
+
+    it 'handles exceptions' do
+      expect(creds).to receive(:get_metadata).and_raise('error')
+      expect do
+        GRPC::Core::CallCredentialsHelper.apply(creds, metadata, 'host', 'secure_channel_creds')
+      end.to raise_error(GRPC::BadStatus)
+    end
+
+    it 'converts keys and values to strings' do
+      expect(creds).to receive(:get_metadata).and_return({ foo: :bar })
+      GRPC::Core::CallCredentialsHelper.apply(creds, metadata, 'host', 'secure_channel_creds')
+      expect(metadata).to eq({ 'foo' => 'bar' })
+    end
+  end
+end

data/src/ruby/spec/generic/client_stub_spec.rb

@@ -157,6 +157,29 @@ describe 'ClientStub' do  # rubocop:disable Metrics/BlockLength
       end
       expect(&blk).to_not raise_error
     end
+
+    it 'creates secure channel when only CallCredentials provided' do
+      call_creds = GRPC::Core::CallCredentials.new(proc { {} })
+      stub = GRPC::ClientStub.new(fake_host, call_creds)
+      # Verify the internal channel credentials are SSL (not insecure)
+      expect(stub.instance_variable_get(:@channel_creds)).to be_a(GRPC::Core::ChannelCredentials)
+      expect(stub.instance_variable_get(:@call_creds)).to eq(call_creds)
+    end
+
+    context 'with CompositeChannelCredentials (pure Ruby path)' do
+      it 'splits CompositeChannelCredentials into channel + call creds' do
+        skip 'CompositeChannelCredentials requires pure Ruby toggle ON' \
+          unless GRPC::PURE_RUBY_CALL_CREDENTIALS_ENABLED
+        require 'grpc/core/call_credentials'
+        require 'grpc/core/channel_credentials'
+        chan_creds = GRPC::Core::ChannelCredentials.new
+        call_creds = GRPC::Core::CallCredentials.new(proc { {} })
+        composite = chan_creds.compose(call_creds)
+        stub = GRPC::ClientStub.new(fake_host, composite)
+        expect(stub.instance_variable_get(:@channel_creds)).to eq(chan_creds)
+        expect(stub.instance_variable_get(:@call_creds)).to eq(call_creds)
+      end
+    end
   end
 
   describe '#request_response', request_response: true do
@@ -301,7 +324,7 @@ describe 'ClientStub' do  # rubocop:disable Metrics/BlockLength
     describe 'via a call operation' do
       after(:each) do
         # make sure op.wait doesn't freeze, even if there's a bad status
-        @op.wait
+        @op&.wait
       end
       def get_response(stub, run_start_call_first: false, credentials: nil)
         @op = stub.request_response(@method, @sent_msg, noop, noop,
@@ -403,7 +426,7 @@ describe 'ClientStub' do  # rubocop:disable Metrics/BlockLength
     describe 'via a call operation' do
       after(:each) do
         # make sure op.wait doesn't freeze, even if there's a bad status
-        @op.wait
+        @op&.wait
       end
       def get_response(stub, run_start_call_first: false)
         @op = stub.client_streamer(@method, @sent_msgs, noop, noop,
@@ -522,7 +545,7 @@ describe 'ClientStub' do  # rubocop:disable Metrics/BlockLength
 
     describe 'via a call operation' do
       after(:each) do
-        @op.wait # make sure wait doesn't freeze
+        @op&.wait
       end
       def get_responses(stub, run_start_call_first: false, unmarshal: noop)
         @op = stub.server_streamer(@method, @sent_msg, noop, unmarshal,
@@ -841,7 +864,7 @@ describe 'ClientStub' do  # rubocop:disable Metrics/BlockLength
 
     describe 'via a call operation' do
       after(:each) do
-        @op.wait # make sure wait doesn't freeze
+        @op&.wait
       end
       def get_responses(stub, run_start_call_first: false, deadline: nil,
                         marshal_proc: noop)

data/src/ruby/spec/generic/server_interceptors_spec.rb

@@ -84,7 +84,7 @@ describe 'Server Interceptors' do
         run_services_on_server(@server, services: [service]) do
           stub = build_insecure_stub(EchoStub)
           expect_any_instance_of(GRPC::ActiveCall).to(
-            receive(:client_streamer).with(requests)
+            receive(:client_streamer).with(requests, metadata: client_metadata)
               .once.and_call_original
           )
           op = stub.a_client_streaming_rpc(requests, client_call_opts)
@@ -122,7 +122,7 @@ describe 'Server Interceptors' do
         run_services_on_server(@server, services: [service]) do
           stub = build_insecure_stub(EchoStub)
           expect_any_instance_of(GRPC::ActiveCall).to(
-            receive(:server_streamer).with(request)
+            receive(:server_streamer).with(request, metadata: client_metadata)
               .once.and_call_original
           )
           op = stub.a_server_streaming_rpc(request, client_call_opts)
@@ -162,7 +162,7 @@ describe 'Server Interceptors' do
         run_services_on_server(@server, services: [service]) do
           stub = build_insecure_stub(EchoStub)
           expect_any_instance_of(GRPC::ActiveCall).to(
-            receive(:bidi_streamer).with(requests)
+            receive(:bidi_streamer).with(requests, metadata: client_metadata)
               .once.and_call_original
           )
           op = stub.a_bidi_rpc(requests, client_call_opts)
@@ -203,6 +203,20 @@ describe 'Server Interceptors' do
         expect(stub.an_rpc(request)).to be_a(EchoMsg)
       end
     end
+
+    it 'should be invoked in FIFO order', server: true do
+      expect(interceptor).to receive(:request_response).ordered
+        .once.and_call_original
+      expect(interceptor2).to receive(:request_response).ordered
+        .once.and_call_original
+      expect(interceptor3).to receive(:request_response).ordered
+        .once.and_call_original
+
+      run_services_on_server(@server, services: [service]) do
+        stub = build_insecure_stub(EchoStub)
+        expect(stub.an_rpc(request)).to be_a(EchoMsg)
+      end
+    end
   end
 
   context 'when an interceptor is not added' do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: grpc
 version: !ruby/object:Gem::Version
-  version: 1.81.1
+  version: 1.82.0.pre1
 platform: x86_64-linux-gnu
 authors:
 - gRPC Authors
@@ -271,6 +271,9 @@ files:
 - src/ruby/lib/grpc/3.3/grpc_c.so
 - src/ruby/lib/grpc/3.4/grpc_c.so
 - src/ruby/lib/grpc/4.0/grpc_c.so
+- src/ruby/lib/grpc/core/call_credentials.rb
+- src/ruby/lib/grpc/core/channel_credentials.rb
+- src/ruby/lib/grpc/core/credentials_helper.rb
 - src/ruby/lib/grpc/core/status_codes.rb
 - src/ruby/lib/grpc/core/time_consts.rb
 - src/ruby/lib/grpc/errors.rb
@@ -312,6 +315,7 @@ files:
 - src/ruby/spec/client_server_spec.rb
 - src/ruby/spec/compression_options_spec.rb
 - src/ruby/spec/core_spec.rb
+- src/ruby/spec/credentials_helper_spec.rb
 - src/ruby/spec/debug_message_spec.rb
 - src/ruby/spec/error_sanity_spec.rb
 - src/ruby/spec/errors_spec.rb
@@ -371,7 +375,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.3.22
 requirements: []
-rubygems_version: 4.0.13
+rubygems_version: 4.0.14
 specification_version: 4
 summary: GRPC system in Ruby
 test_files:
@@ -387,6 +391,7 @@ test_files:
 - src/ruby/spec/client_server_spec.rb
 - src/ruby/spec/compression_options_spec.rb
 - src/ruby/spec/core_spec.rb
+- src/ruby/spec/credentials_helper_spec.rb
 - src/ruby/spec/debug_message_spec.rb
 - src/ruby/spec/error_sanity_spec.rb
 - src/ruby/spec/errors_spec.rb