igniter_lang 0.1.0.alpha.1

data/lib/igniter_lang/compiler_orchestrator.rb

@@ -0,0 +1,362 @@
+# frozen_string_literal: true
+
+require "fileutils"
+require "json"
+require "pathname"
+
+require_relative "assembler"
+require_relative "classifier"
+require_relative "compilation_report"
+require_relative "compiler_profile_contract_validator"
+require_relative "compiler_result"
+require_relative "parser"
+require_relative "semanticir_emitter"
+require_relative "typechecker"
+
+module IgniterLang
+  class CompilerOrchestrator
+    FORMAT_VERSION = SemanticIREmitter::FORMAT_VERSION
+    STRICT_REQUIREMENT_KIND = "compiler_profile_contract_strict_requirement"
+    STRICT_REQUIREMENT_MODE = "strict_contract_digest"
+    CONTRACT_DIGEST_MISMATCH_CODE =
+      "compiler_profile_contract.contract_digest_mismatch"
+    CONTRACT_DIGEST_REFUSAL_CODE =
+      "compiler_profile_contract_refusal.contract_digest_mismatch"
+    STRICT_REQUIREMENT_MALFORMED_CODE =
+      "compiler_profile_contract_refusal.strict_requirement_malformed"
+    STRICT_REQUIREMENT_SOURCES = ["proof_local_gate", "internal_test_seam"].freeze
+
+    def initialize(
+      classifier: Classifier.new,
+      typechecker: TypeChecker.new,
+      emitter: SemanticIREmitter.new,
+      assembler: Assembler.new,
+      compiler_profile_contract_provider: nil,
+      compiler_profile_contract_strict_requirement: nil
+    )
+      @classifier = classifier
+      @typechecker = typechecker
+      @emitter = emitter
+      @assembler = assembler
+      @compiler_profile_contract_provider = compiler_profile_contract_provider
+      @compiler_profile_contract_strict_requirement = compiler_profile_contract_strict_requirement
+    end
+
+    def compile(
+      source_path:,
+      out_path:,
+      sample_input: nil,
+      sample_input_resolver: nil,
+      runtime_smoke: nil,
+      compiler_profile_source: nil
+    )
+      source_path = Pathname.new(source_path)
+      out_path = Pathname.new(out_path)
+      parsed = ParsedProgram.parse(File.read(source_path), source_path: source_path.to_s).to_h
+      return parse_failure(parsed, source_path, out_path) unless parsed.fetch("parse_errors").empty?
+
+      resolved_sample_input = sample_input || resolve_sample_input(parsed, sample_input_resolver)
+      classified = @classifier.classify(parsed, sample_input: resolved_sample_input)
+      typed = @typechecker.typecheck(classified)
+      compilation = @emitter.emit_typed(typed)
+      report = CompilationReport.enrich(
+        report: compilation.fetch("compilation_report"),
+        parsed: parsed
+      )
+      semantic_ir = compilation.fetch("semantic_ir")
+      report_for_assembly = report
+
+      if report.fetch("pass_result") == "ok"
+        validation = compiler_profile_contract_validation(
+          source_path: source_path,
+          out_path: out_path,
+          parsed_program: parsed,
+          compiler_profile_source: compiler_profile_source
+        )
+        report = CompilationReport.with_compiler_profile_contract_validation(
+          report: report,
+          validation: validation
+        )
+      end
+
+      return refusal(report, source_path, out_path) unless report.fetch("pass_result") == "ok"
+
+      strict_terminal = compiler_profile_contract_strict_terminal(
+        report: report,
+        source_path: source_path
+      )
+      return strict_terminal if strict_terminal
+
+      # PROP-036: compiler_profile_source is passed unchanged to the assembler.
+      # The orchestrator is a transport boundary only — it does not derive, load,
+      # discover, default, finalize, or validate profiles. Assembler validation
+      # remains authoritative. Nil preserves legacy_optional behavior.
+      assembled = @assembler.assemble_artifacts(
+        case_name: case_name_for(source_path, parsed),
+        report: report_for_assembly,
+        semantic_ir: semantic_ir,
+        target_dir: out_path,
+        compiler_profile_source: compiler_profile_source
+      )
+      smoke = runtime_smoke&.call(out_path: out_path, sample_input: resolved_sample_input)
+
+      if smoke && !smoke.fetch("trusted")
+        smoke_report = CompilationReport.runtime_smoke_failure(
+          report: report,
+          smoke: smoke,
+          source_path: source_path
+        )
+        return refusal(smoke_report, source_path, out_path, status: "runtime_smoke_failed")
+      end
+
+      {
+        "status" => "ok",
+        "result" => CompilerResult.ok(
+          format_version: FORMAT_VERSION,
+          semantic_ir: semantic_ir,
+          source_path: source_path,
+          report: report,
+          igapp_path: out_path,
+          contracts: assembled.fetch("contracts"),
+          runtime_smoke: smoke
+        ),
+        "parsed_program" => parsed,
+        "classified_program" => classified,
+        "typed_program" => typed,
+        "semantic_ir" => semantic_ir,
+        "compilation_report" => report,
+        "assembled" => assembled,
+        "sample_input" => resolved_sample_input
+      }
+    rescue AssemblyRefused => e
+      report = CompilationReport.internal_error(
+        format_version: FORMAT_VERSION,
+        source_path: source_path,
+        rule: "assembler_refused",
+        error: e
+      )
+      refusal(report, source_path, out_path, status: "assembler_refused")
+    rescue => e
+      report = CompilationReport.internal_error(
+        format_version: FORMAT_VERSION,
+        source_path: source_path,
+        rule: "compiler_error",
+        error: e
+      )
+      refusal(report, source_path, out_path, status: "error")
+    end
+
+    private
+
+    def parse_failure(parsed, source_path, out_path)
+      report = CompilationReport.parse_failure(
+        format_version: FORMAT_VERSION,
+        parsed: parsed,
+        source_path: source_path
+      )
+      refusal(report, source_path, out_path, status: "error")
+    end
+
+    def refusal(report, source_path, out_path, status: "oof")
+      report_path = report_path_for(out_path)
+      write_json(report_path, report)
+      {
+        "status" => status,
+        "result" => CompilerResult.refusal(
+          format_version: FORMAT_VERSION,
+          status: status,
+          report: report,
+          source_path: source_path,
+          report_path: report_path
+        ),
+        "compilation_report" => report,
+        "report_path" => report_path.to_s
+      }
+    end
+
+    def report_path_for(out_path)
+      raw = out_path.to_s
+      if raw.end_with?(".igapp")
+        Pathname.new(raw.delete_suffix(".igapp") + ".compilation_report.json")
+      else
+        Pathname.new("#{raw}.compilation_report.json")
+      end
+    end
+
+    def write_json(path, value)
+      FileUtils.mkdir_p(Pathname.new(path).dirname)
+      File.write(path, "#{JSON.pretty_generate(value)}\n")
+    end
+
+    def compiler_profile_contract_validation(source_path:, out_path:, parsed_program:, compiler_profile_source:)
+      return nil unless @compiler_profile_contract_provider.respond_to?(:call)
+
+      contract = @compiler_profile_contract_provider.call(
+        source_path: source_path,
+        out_path: out_path,
+        parsed_program: parsed_program,
+        compiler_profile_source: compiler_profile_source
+      )
+      return nil unless contract.is_a?(Hash)
+
+      CompilerProfileContractValidator.validate(contract)
+    rescue
+      nil
+    end
+
+    def compiler_profile_contract_strict_terminal(report:, source_path:)
+      return nil if @compiler_profile_contract_strict_requirement.nil?
+
+      requirement = validate_compiler_profile_contract_strict_requirement(
+        @compiler_profile_contract_strict_requirement
+      )
+      unless requirement.fetch("valid")
+        diagnostic = strict_requirement_malformed_diagnostic(
+          requirement.fetch("reason")
+        )
+        return strict_configuration_error(
+          report: report,
+          source_path: source_path,
+          diagnostic: diagnostic
+        )
+      end
+
+      validation = report.fetch("compiler_profile_contract_validation", nil)
+      return nil unless validation.is_a?(Hash)
+
+      diagnostic_codes = Array(validation["diagnostic_codes"])
+      return nil unless diagnostic_codes.include?(CONTRACT_DIGEST_MISMATCH_CODE)
+
+      strict_refusal(
+        report: report,
+        source_path: source_path,
+        diagnostic: contract_digest_mismatch_refusal_diagnostic
+      )
+    end
+
+    def validate_compiler_profile_contract_strict_requirement(requirement)
+      unless requirement.is_a?(Hash)
+        return invalid_strict_requirement(
+          "expected compiler_profile_contract_strict_requirement hash"
+        )
+      end
+
+      unless requirement["kind"] == STRICT_REQUIREMENT_KIND
+        return invalid_strict_requirement(
+          "expected compiler_profile_contract_strict_requirement kind"
+        )
+      end
+      unless requirement["mode"] == STRICT_REQUIREMENT_MODE
+        return invalid_strict_requirement("unsupported strict requirement mode")
+      end
+
+      source = requirement["source"]
+      unless STRICT_REQUIREMENT_SOURCES.include?(source)
+        return invalid_strict_requirement("unsupported strict validation source")
+      end
+
+      candidates = Array(requirement["refusal_candidates"])
+      unless candidates.include?(CONTRACT_DIGEST_MISMATCH_CODE)
+        return invalid_strict_requirement("missing contract_digest_mismatch refusal candidate")
+      end
+
+      unless requirement["recompute_unavailable_policy"] == "fail_open_report_only"
+        return invalid_strict_requirement("unsupported recompute_unavailable_policy")
+      end
+
+      unless requirement["compile_refusal_authorized"] == false
+        return invalid_strict_requirement("compile_refusal_authorized marker must remain false")
+      end
+
+      { "valid" => true }
+    end
+
+    def invalid_strict_requirement(reason)
+      { "valid" => false, "reason" => reason }
+    end
+
+    def strict_refusal(report:, source_path:, diagnostic:)
+      {
+        "status" => "refused",
+        "result" => CompilerResult.strict_terminal(
+          format_version: FORMAT_VERSION,
+          status: "refused",
+          report: report,
+          source_path: source_path,
+          diagnostics: [diagnostic]
+        ),
+        "compilation_report" => report
+      }
+    end
+
+    def strict_configuration_error(report:, source_path:, diagnostic:)
+      {
+        "status" => "configuration_error",
+        "result" => CompilerResult.strict_terminal(
+          format_version: FORMAT_VERSION,
+          status: "configuration_error",
+          report: report,
+          source_path: source_path,
+          diagnostics: [diagnostic]
+        ),
+        "compilation_report" => report
+      }
+    end
+
+    def contract_digest_mismatch_refusal_diagnostic
+      {
+        "code" => CONTRACT_DIGEST_REFUSAL_CODE,
+        "message" => "Strict compiler profile contract validation refused compilation " \
+                     "because contract_digest does not match canonical contract material.",
+        "path" => "compiler_profile_contract_validation.contract_digest",
+        "evidence_code" => CONTRACT_DIGEST_MISMATCH_CODE
+      }
+    end
+
+    def strict_requirement_malformed_diagnostic(_reason)
+      {
+        "code" => STRICT_REQUIREMENT_MALFORMED_CODE,
+        "message" => "Malformed strict compiler profile contract requirement produced " \
+                     "configuration_error before assembly.",
+        "path" => "compiler_profile_contract_strict_requirement",
+        "evidence_code" => nil
+      }
+    end
+
+    def resolve_sample_input(parsed, sample_input_resolver)
+      return sample_input_resolver.call(parsed) if sample_input_resolver
+
+      default_sample_input(parsed.fetch("contracts").fetch(0, {}))
+    end
+
+    def default_sample_input(contract)
+      contract.fetch("body", []).each_with_object({}) do |node, inputs|
+        next unless node.fetch("kind") == "input"
+
+        inputs[node.fetch("name")] = sample_value_for(node.fetch("type_annotation"))
+      end
+    end
+
+    def sample_value_for(type_annotation)
+      type_name = if type_annotation.is_a?(Hash)
+                    type_annotation.fetch("name", "Unknown")
+                  else
+                    type_annotation.to_s
+                  end
+      case type_name
+      when "Integer" then 1
+      when "Float" then 1.0
+      when "Bool" then true
+      when "String" then "synthetic"
+      else {}
+      end
+    end
+
+    def case_name_for(source_path, parsed)
+      basename = File.basename(source_path.to_s, ".ig")
+      return basename unless basename.empty?
+
+      parsed.fetch("contracts").fetch(0).fetch("name").downcase
+    end
+  end
+end

data/lib/igniter_lang/compiler_profile_contract_validator.rb

@@ -0,0 +1,286 @@
+# frozen_string_literal: true
+
+require "digest"
+require "json"
+require "set"
+
+module IgniterLang
+  module CompilerProfileContractValidator
+    RESULT_KIND = "compiler_profile_contract_validation_result"
+    FORMAT_VERSION = "0.1.0"
+    DEFAULT_DIGEST_REFERENCE_POLICY = :prop038_24_plus
+
+    REQUIRED_SLOTS = %w[core oof_registry fragment_registry escape_boundary].freeze
+    OPTIONAL_SLOTS = %w[
+      contract_modifiers temporal stream olap invariant assumptions evidence_observation pipeline
+    ].freeze
+    ALL_SLOTS = (REQUIRED_SLOTS + OPTIONAL_SLOTS).freeze
+
+    DESCRIPTOR_DIGEST_PATTERN = /\Acompiler_profile_descriptor\/sha256:[0-9a-f]{24,}\z/
+    FINALIZATION_PAYLOAD_DIGEST_PATTERN = /\Asha256:[0-9a-f]{64}\z/
+    CONTRACT_DIGEST_PREFIX = "compiler_profile_contract/sha256:"
+    CONTRACT_DIGEST_PATTERN = /\Acompiler_profile_contract\/sha256:[0-9a-f]{24,}\z/
+    SUPPORTED_DIGEST_REFERENCE_POLICIES = %w[prop038_24_plus].freeze
+    CANONICAL_CONTRACT_FIELDS = %w[
+      kind
+      format_version
+      profile_namespace
+      profile_kind
+      compiler_profile_id
+      descriptor_digest
+      finalization_payload_digest
+      required_slot_schema
+      slot_order
+      slot_assignments
+      strict_registries
+      ordered_rule_graph
+      non_authority
+    ].freeze
+
+    def self.validate(contract, digest_reference_policy: DEFAULT_DIGEST_REFERENCE_POLICY)
+      policy = digest_reference_policy.to_s
+      diagnostics = []
+
+      unless contract.is_a?(Hash)
+        diagnostics << diagnostic("wrong_kind", "expected compiler_profile_contract", "kind")
+        return result(diagnostics, policy)
+      end
+
+      diagnostics << diagnostic("wrong_kind", "expected compiler_profile_contract", "kind") unless contract["kind"] == "compiler_profile_contract"
+      diagnostics << diagnostic("unsupported_format_version", "expected format_version 0.1.0", "format_version") unless contract["format_version"] == FORMAT_VERSION
+      diagnostics << diagnostic("descriptor_digest_invalid", "descriptor_digest must be compiler_profile_descriptor/sha256:<hex>", "descriptor_digest") unless contract["descriptor_digest"].to_s.match?(DESCRIPTOR_DIGEST_PATTERN)
+      diagnostics << diagnostic("finalization_payload_digest_invalid", "finalization_payload_digest must be sha256:<64 hex>", "finalization_payload_digest") unless contract["finalization_payload_digest"].to_s.match?(FINALIZATION_PAYLOAD_DIGEST_PATTERN)
+
+      contract_digest_recomputable = validate_contract_digest_shape(diagnostics, contract, policy)
+
+      slot_order = Array(contract["slot_order"])
+      slot_assignments = contract["slot_assignments"] || {}
+      Array(contract.dig("required_slot_schema", "required_slots")).each do |slot|
+        unless slot_order.include?(slot) && slot_assignments.key?(slot)
+          diagnostics << diagnostic("missing_required_slot", "required slot #{slot.inspect} is missing from slot_order or slot_assignments", "slot_assignments.#{slot}")
+        end
+      end
+
+      strict_registries = contract["strict_registries"] || {}
+      strict_registries.each do |registry_name, entries|
+        seen = {}
+        Array(entries).each do |entry|
+          key = entry["key"]
+          if seen.key?(key)
+            diagnostics << diagnostic("duplicate_strict_key", "strict registry #{registry_name} has duplicate key #{key.inspect}", "strict_registries.#{registry_name}.#{key}")
+          end
+          seen[key] = true
+        end
+      end
+
+      rules = Array(contract.dig("ordered_rule_graph", "rules"))
+      rule_ids = rules.map { |rule| rule["rule_id"] }
+      rules.each do |rule|
+        (Array(rule["before"]) + Array(rule["after"])).each do |ref|
+          unless rule_ids.include?(ref)
+            diagnostics << diagnostic("missing_rule_reference", "ordered rule #{rule["rule_id"]} references missing rule #{ref.inspect}", "ordered_rule_graph.rules.#{rule["rule_id"]}")
+          end
+        end
+      end
+
+      cycle = find_rule_cycle(rules)
+      diagnostics << diagnostic("rule_cycle", "ordered rule graph contains cycle: #{cycle.join(" -> ")}", "ordered_rule_graph.rules") if cycle
+
+      non_authority = contract["non_authority"] || {}
+      diagnostics << diagnostic("runtime_authority_forbidden", "compiler profile contract cannot grant runtime authority", "non_authority.runtime_authority_granted") if non_authority["runtime_authority_granted"]
+      diagnostics << diagnostic("dispatch_migration_forbidden", "compiler profile contract cannot authorize dispatch migration", "non_authority.dispatch_migration_authorized") if non_authority["dispatch_migration_authorized"]
+
+      validate_contract_digest_match(diagnostics, contract) if contract_digest_recomputable
+
+      result(diagnostics, policy)
+    end
+
+    class << self
+      private
+
+      def validate_contract_digest_shape(diagnostics, contract, policy)
+        unless SUPPORTED_DIGEST_REFERENCE_POLICIES.include?(policy)
+          diagnostics << diagnostic(
+            "contract_digest_policy_unsupported",
+            "unsupported contract_digest policy #{policy.inspect}",
+            "digest_reference_policy"
+          )
+          return false
+        end
+
+        unless contract["contract_digest"].to_s.match?(CONTRACT_DIGEST_PATTERN)
+          diagnostics << diagnostic(
+            "contract_digest_invalid",
+            "contract_digest must be compiler_profile_contract/sha256:<24+ lowercase hex>",
+            "contract_digest"
+          )
+          return false
+        end
+
+        true
+      end
+
+      def validate_contract_digest_match(diagnostics, contract)
+        declared_hex = contract["contract_digest"].to_s.delete_prefix(CONTRACT_DIGEST_PREFIX)
+        computed_hex = recomputed_contract_digest_hex(contract)
+        return if computed_hex.start_with?(declared_hex)
+
+        diagnostics << diagnostic(
+          "contract_digest_mismatch",
+          "declared contract_digest does not match recomputed canonical contract digest",
+          "contract_digest"
+        )
+      rescue
+        diagnostics << diagnostic(
+          "contract_digest_recompute_unavailable",
+          "contract digest recompute requested but canonicalization is unavailable",
+          "contract_digest"
+        )
+      end
+
+      def diagnostic(code, message, path = nil)
+        {
+          "code" => "compiler_profile_contract.#{code}",
+          "message" => message,
+          "path" => path
+        }
+      end
+
+      def result(diagnostics, policy)
+        {
+          "kind" => RESULT_KIND,
+          "format_version" => FORMAT_VERSION,
+          "valid" => diagnostics.empty?,
+          "diagnostics" => diagnostics,
+          "diagnostic_codes" => diagnostics.map { |diagnostic| diagnostic.fetch("code") },
+          "digest_reference_policy" => policy,
+          "compiler_integrated" => false,
+          "compile_refusal_authorized" => false
+        }
+      end
+
+      def recomputed_contract_digest_hex(contract)
+        Digest::SHA256.hexdigest(canonical_contract_json(contract))
+      end
+
+      def canonical_contract_json(contract)
+        JSON.generate(canonical_contract_material(contract))
+      end
+
+      def canonical_contract_material(contract)
+        material = CANONICAL_CONTRACT_FIELDS.to_h do |field|
+          [field, canonicalize_for_digest(contract[field])]
+        end
+        material["strict_registries"] = canonical_strict_registries(contract["strict_registries"] || {})
+        material["ordered_rule_graph"] = canonical_ordered_rule_graph(contract["ordered_rule_graph"] || {})
+        canonicalize_for_digest(material)
+      end
+
+      def canonical_strict_registries(registries)
+        unless registries.is_a?(Hash)
+          raise TypeError, "strict_registries must be a Hash for canonicalization"
+        end
+
+        registries.keys.sort_by(&:to_s).to_h do |key|
+          registry_name = key.to_s
+          entries = Array(registries[key]).map { |entry| canonicalize_for_digest(entry) }
+          [
+            registry_name,
+            entries.sort_by do |entry|
+              [
+                entry.fetch("key", "").to_s,
+                entry.fetch("owner_slot", "").to_s,
+                entry.fetch("rule_ref", "").to_s
+              ]
+            end
+          ]
+        end
+      end
+
+      def canonical_ordered_rule_graph(graph)
+        unless graph.is_a?(Hash)
+          raise TypeError, "ordered_rule_graph must be a Hash for canonicalization"
+        end
+
+        rules = Array(graph["rules"]).map do |rule|
+          canonical_rule(rule)
+        end
+        { "rules" => rules.sort_by { |rule| rule.fetch("rule_id", "").to_s } }
+      end
+
+      def canonical_rule(rule)
+        unless rule.is_a?(Hash)
+          raise TypeError, "ordered rule must be a Hash for canonicalization"
+        end
+
+        normalized = rule.keys.sort_by(&:to_s).to_h do |key|
+          key_name = key.to_s
+          value = if key_name == "before" || key_name == "after"
+                    Array(rule[key]).map(&:to_s).uniq.sort
+                  else
+                    canonicalize_for_digest(rule[key])
+                  end
+          [key_name, value]
+        end
+        normalized["before"] = [] unless normalized.key?("before")
+        normalized["after"] = [] unless normalized.key?("after")
+        normalized
+      end
+
+      def canonicalize_for_digest(value)
+        case value
+        when Hash
+          value.keys.sort_by(&:to_s).to_h do |key|
+            [key.to_s, canonicalize_for_digest(value[key])]
+          end
+        when Array
+          value.map { |entry| canonicalize_for_digest(entry) }
+        when String, Integer, Float, TrueClass, FalseClass, NilClass
+          value
+        else
+          raise TypeError, "unsupported canonical contract value #{value.class}"
+        end
+      end
+
+      def find_rule_cycle(rules)
+        ids = rules.map { |rule| rule.fetch("rule_id") }
+        edges = Hash.new { |hash, key| hash[key] = [] }
+        rules.each do |rule|
+          rule.fetch("before", []).each { |target| edges[rule.fetch("rule_id")] << target }
+          rule.fetch("after", []).each { |source| edges[source] << rule.fetch("rule_id") }
+        end
+
+        visiting = Set.new
+        visited = Set.new
+        stack = []
+
+        visit = lambda do |id|
+          return nil if visited.include?(id)
+          if visiting.include?(id)
+            cycle_start = stack.index(id) || 0
+            return stack[cycle_start..] + [id]
+          end
+
+          visiting << id
+          stack << id
+          edges[id].each do |target|
+            next unless ids.include?(target)
+
+            cycle = visit.call(target)
+            return cycle if cycle
+          end
+          stack.pop
+          visiting.delete(id)
+          visited << id
+          nil
+        end
+
+        ids.each do |id|
+          cycle = visit.call(id)
+          return cycle if cycle
+        end
+        nil
+      end
+    end
+  end
+end