textus 0.18.0 → 0.20.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3d7915be053bc7e858c821e0e8d8e8cebd3de6acde21dcd8f687ff3fa12db3d1
-  data.tar.gz: 792cd40df3e8046c954be84dc32d4e53a2b47cdfd9a21029c74953d39e182a87
+  metadata.gz: 613e04300389a5f5bf058f4e75c15b5ff19f813fb7ef6102ba38ce53ecd43043
+  data.tar.gz: 97d121b40ac753af1e04893429db1abfe4044f791fff5ea02de33910a4cfa00c
 SHA512:
-  metadata.gz: 457d079d8ebf25922f9389086ec2de99b96808f23fba7f600655fb2ef055a5a987dd1ea63924aaf9904c7f4e600b4aee33a8c2082028bbb9025068aa00de3b0e
-  data.tar.gz: a1192a6027b80582723b0cb4679b870ed78101864e22700ba7630308912f46000e774dbd69c589418516047dff2f8cdbf7a26e69e47d3a7ffcef89f917397a23
+  metadata.gz: 13d11e92b35b952fc9974293544ab49d50dc6055f7ee80771b33a82f511ba534f6cf3fa8c26a84e886778f6b5ee662a3a540d36c7072c23f2b366540a365e066
+  data.tar.gz: 7cbf43d42e37271b73122d5db10a463a1936c39696cc6a5e7eee56646ccdb1c503a645e63b3b40e09bfc911ae531e2258b02d4e715458bcd54a193d9e7ca5b0d

data/ARCHITECTURE.md

@@ -5,90 +5,85 @@
 │  CLI verbs:  ops = Operations.for(store, role:)            │
 │              ops.<name>(...)   # flat methods, one per use │
 │                                # case (put/get/refresh/…)  │
+│                                                            │
+│  Or, for embedders bringing their own ports:               │
+│              Operations.new(ctx:, manifest:, file_store:,  │
+│                             schemas:, audit_log:, bus:,    │
+│                             registry:, root:, store:)      │
 └──────────────────────┬─────────────────────────────────────┘
                        │
 ┌─ Application ────────▼─────────────────────────────────────┐
-│  Context          (per-request: store, role, correlation,  │
-│                    clock, dry_run; can_read?/can_write?;   │
-│                    authorize_read!/authorize_write!; bus;  │
-│                    Context.system(store) for infra path)   │
-│  Operations       (flat facade — memoized use cases)       │
+│  Context          (slim Data: role, correlation_id, now,   │
+│                    dry_run — request state only)           │
+│  Operations       (flat facade; inline use-case factories) │
 │                                                            │
 │  reads/{get,list,where,uid,schema_envelope,deps,rdeps,     │
 │         published,stale,validate_all,freshness,audit,      │
-│         blame,policy_explain}.rb                           │
-│  writes/{put,delete,mv,accept,reject,build,publish}.rb     │
+│         blame,policy_explain,get_or_refresh}.rb            │
+│  writes/{put,delete,mv,accept,reject,build,publish,        │
+│          envelope_io}.rb                                   │
 │  refresh/{worker,orchestrator,all}.rb                      │
+│  policy/{promotion,predicates/{schema_valid,human_accept}} │
 └──────────┬───────────────────────────────┬─────────────────┘
            │ uses domain                   │ uses ports
 ┌─ Domain ─▼─────────────────────────────────────────────────┐
+│  Authorizer         (manifest + role → allow / deny)       │
 │  Permission         (write/read predicate per zone)        │
 │  Freshness::{Policy,Verdict,Evaluator}                     │
 │  Action  Outcome                                           │
-│  Policy::Promotion (proposal accept gates)                 │
+│  Policy::{Promote,Refresh,Matcher,HandlerAllowlist}        │
 └──────────────────────────────────────────┬─────────────────┘
                                            │ implements
 ┌─ Infrastructure ─────────────────────────▼─────────────────┐
-│  Store              (pure adapter — filesystem + hooks)    │
-│    Reader#{get,list,where,uid,deps,rdeps,published,        │
-│            stale,validate_all,read_raw_envelope,           │
-│            schema_envelope}                                │
-│    Writer#{write_envelope_to_disk,delete_envelope_from_    │
-│            disk,existing_uid_for,ensure_uid,               │
-│            enforce_name_match!,serialize_for_put}          │
-│    AuditLog, Staleness, Validator, Sentinel                │
+│  Store              (composition root — wires ports)       │
+│  Storage::FileStore (bytes-only port: read/write/delete/   │
+│                      exists?/etag)                         │
 │  Manifest           (Entry, Rules, Schema, permission_for) │
-│  Hooks::{Registry,Dispatcher,Loader,Dsl,Builtin}           │
+│  Schemas            (eager-load cache)                     │
+│  AuditLog                                                  │
+│  Hooks::{Registry,Dispatcher,Loader,FireReport}            │
 │  Infra::{Publisher,EventBus,Clock,Refresh::Lock,           │
-│          Refresh::Detached}                                │
+│          Refresh::Detached,BuildLock,AuditSubscriber}      │
 │  Entry::{Markdown,Json,Yaml,Text}  (format strategies)     │
 └────────────────────────────────────────────────────────────┘
 
    Dependency rule: arrows point DOWN. Domain has zero outbound
    imports. Application imports Domain + Infra (via ports).
+   Use cases declare their real ports in their constructor.
 ```
 
 ## Read path (`ops.get(key)`)
 
 1. CLI verb (or any external caller) builds `ops = Textus::Operations.for(store, role:)` then `ops.get(key)`.
-2. `Operations#get` delegates to a memoized `Application::Reads::Get.new(ctx:, orchestrator:)` instance bound to the request context.
-3. `Reads::Get#call(key)` reads the bare envelope from disk via `@ctx.store.reader.read_raw_envelope(key)`.
-4. Resolves the manifest rules for the key via `@ctx.store.manifest.rules_for(key)` and extracts the `refresh` policy.
-5. `Domain::Freshness::Evaluator.call(policy, envelope, now:)` returns a `Verdict`.
-6. If fresh → annotate envelope (`stale: false`, `refreshing: false`) and return.
-7. Otherwise `policy.decide(verdict) → Action` (data, not behavior).
-8. `Refresh::Orchestrator#execute(action, key:)` interprets the `Action`:
-   - `Action::Return` → `Outcome::Skipped`
-   - `Action::RefreshSync` → run `Refresh::Worker` inline → `Refreshed | Failed`
-   - `Action::RefreshTimed(budget_ms:)` → race Worker thread vs budget; on timeout, kill thread, fire `:refresh_backgrounded`, fork+detach child, return `Outcome::Detached`
-9. Map outcome → envelope annotations (`stale`, `refreshing`, `refresh_error`) and return.
+2. `Operations#get` constructs `Application::Reads::Get.new(ctx:, manifest:, file_store:)` and calls it.
+3. `Reads::Get#call(key)` resolves the path through `@manifest`, reads bytes via `@file_store`, parses the envelope.
+4. Looks up the refresh policy via `@manifest.rules_for(key)`. If absent, returns the envelope annotated fresh.
+5. Otherwise `Domain::Freshness::Evaluator.call(policy, envelope, now:)` returns a `Verdict`; the envelope is annotated with `stale`, `reason`, `refreshing: false`.
+
+`ops.get_or_refresh(key)` composes `Reads::Get` with `Refresh::Orchestrator` to optionally refresh on stale — same as 0.18.x.
 
 ## Write path (`ops.put(key, ...)`)
 
-1. CLI verb calls `ops = Operations.for(store, role:)` then `ops.put(key, meta:, body:, content:, if_etag:, suppress_events:)`.
-2. `Writes::Put#call` validates the key, resolves the manifest entry, and calls `@ctx.authorize_write!(mentry)` — raises `WriteForbidden` (carrying the zone's writers list) if denied.
-3. Delegates raw I/O to `Store::Writer#write_envelope_to_disk(key, mentry:, payload:, ctx:, if_etag:)`, which:
-   - Resolves the path via `Manifest#resolve`
-   - Serializes via `Entry.for_format(...).serialize(...)`
-   - Validates against schema if declared
-   - Etag-checks if `if_etag:` provided (raises `EtagMismatch` on conflict)
-   - Writes to disk via `File.binwrite`
-   - Appends the audit row
-4. On success, publishes `:entry_put` via `@ctx.bus`, with `store: @ctx.with_role(@ctx.role)`, `key:`, `envelope:`, `correlation_id:`.
+1. CLI verb calls `ops = Operations.for(store, role:)` then `ops.put(key, meta:, body:, content:, if_etag:)`.
+2. `Writes::Put#call` validates the key, resolves the manifest entry, and calls `@authorizer.authorize_write!(mentry, role: @ctx.role)` — raises `WriteForbidden` if denied.
+3. Delegates persistence to `EnvelopeIO#write`, which serializes, schema-validates, etag-checks (raises `EtagMismatch` on conflict), writes via the `FileStore` port, and appends the audit row.
+4. Publishes `:entry_put` via `@bus` with `store: @store`, `key:`, `envelope:`, `role: @ctx.role`, `correlation_id: @ctx.correlation_id`.
+
+`Writes::{Delete,Mv,Accept,Reject,Build,Publish}` follow the same shape: explicit ports, `Authorizer` for authz, `EnvelopeIO` for persistence (where applicable), event published with `store: real Store + role:` in payload.
 
-The same pattern applies to `Writes::{Delete,Mv,Accept,Reject,Build,Publish}`: each takes a `Context`, calls `ctx.authorize_write!` (Mv authorizes both source and destination zones), delegates raw I/O to `Store::Writer` or `Infra::Publisher`, and fires the matching event through `ctx.bus`.
+`Writes::Mv` delegates the file-move + audit to `EnvelopeIO#move`, then publishes `:entry_renamed` itself. UID injection (when the source lacks one) goes through `EnvelopeIO#write` directly — no `Put` bypass.
 
 ## Refresh path (`ops.refresh(key)`)
 
 1. CLI `Verb::Refresh` builds `ops = Operations.for(store, role: "runner")` then calls `ops.refresh(key)`.
 2. `Refresh::Worker#run(key)`:
-   - Resolves the manifest entry, looks up the intake handler via `store.registry.rpc_callable(:resolve_intake, mentry.intake_handler)`.
-   - Publishes `:refresh_started` via the bus.
-   - Invokes the handler under a 30s `Timeout.timeout` budget.
-   - On any error: publishes `:refresh_failed`, then re-raises (or wraps in `UsageError`).
-   - On success: normalizes the return shape, persists via `Application::Writes::Put` with `suppress_events: true`, publishes `:entry_refreshed` (unless the etag is unchanged).
-3. The batch entry point is `Application::Refresh::All.call(ctx, prefix:, zone:)` which lists stale entries via `Application::Reads::Stale`, then runs `Worker#run` per entry, returning a summary envelope `{ refreshed: [...], failed: [...], skipped: [...] }`.
+   - Resolves the manifest entry, looks up the intake handler via `@registry.rpc_callable(:resolve_intake, mentry.intake_handler)`.
+   - Publishes `:refresh_started` with `role:` in the payload.
+   - Invokes the handler under a 30s thread-join deadline.
+   - On any error: publishes `:refresh_failed`, then re-raises.
+   - On success: applies `@authorizer.authorize_write!` and persists via `EnvelopeIO#write` directly (no `Put` round-trip); publishes `:entry_refreshed` unless etag is unchanged.
+3. `ops.refresh_all(prefix:, zone:)` lists stale entries via `Reads::Stale` and runs `Worker#run` per entry; returns `{ refreshed:, failed:, skipped: }`.
 
-## Infrastructure-side hook dispatch
+## Hook payload contract
 
-The hook bus needs an `Application::Context` even when fired from inside `Store#initialize` or other infrastructure-side code paths. `Application::Context.system(store)` returns a Context with `role: "human"` and a fresh correlation_id, designed for exactly this case — see `lib/textus/store.rb` (the `:store_loaded` publish), `lib/textus/doctor.rb` (the doctor-check view), and `lib/textus/projection.rb` (the transform_rows view).
+Hooks/intakes/transforms receive the actual `Textus::Store` (the composition root) as `store:`. Every write/refresh event payload carries `role:` directly so hook authors observe the actor without reaching through `store:`.

data/CHANGELOG.md

@@ -9,6 +9,179 @@ The **gem version** (`0.x.y`) is distinct from the **protocol version**
 bump is a breaking change that requires a store migration; the gem version
 tracks both additive improvements and breaking protocol bumps independently.
 
+## 0.20.0 — architecture redesign (2026-05-27)
+
+**BREAKING (pre-1.0):** Public top-level utility modules removed,
+`Manifest` routing methods extracted into a dedicated resolver,
+`Hooks::Dispatcher`/`Hooks::Registry` collapsed into a single bus, and
+pubsub hook payloads now ship `ctx:` (a `Textus::Hooks::Context`)
+instead of the raw store. External hook files written against the 0.19
+`register(event, name, ...)` API continue to work unchanged; pubsub
+hook bodies must update signatures from `|store:, ...|` to `|ctx:, ...|`
+and use `ctx.put`/`ctx.get`/`ctx.audit`/`ctx.publish_followup` in place
+of direct `store.*` access. RPC events (`transform_rows`, `resolve_intake`,
+`validate`) keep `store:`.
+
+### Added
+- `Textus::Hooks::Context` — narrow handle for user pubsub hooks. Exposes
+  `role`, `correlation_id`, `get`, `list`, `deps`, `freshness`, `put`,
+  `delete`, `audit`, and `publish_followup`. All writes route back through
+  `Operations` so authorization, audit, and validation cannot be bypassed.
+
+### Removed
+- `Textus::Dependencies` — use `Operations#deps`, `#rdeps`, `#published`.
+- `Textus::Refresh` — use `Operations#refresh`. The `normalize_action_result`
+  helper is now a private class method on `Application::Refresh::Worker`.
+- `Textus::Hooks::Dispatcher` and `Textus::Hooks::Registry` classes.
+
+### Changed
+- `Textus::Projection` moved to `Textus::Application::Projection`.
+- `Textus::MigrateKeys` moved to `Textus::Application::Tools::MigrateKeys`.
+- `Manifest#resolve`, `#enumerate`, and `#suggestions_for` removed from
+  the public `Manifest` API. Use `manifest.resolver.resolve(key)` etc.
+  via the new `Manifest::Resolver`. `Manifest` retains the data accessors
+  (`entries`, `zones`, `rules`, `permissions`, `validate_key!`).
+- `Store` constructs one `Hooks::Bus`; `Store#registry` removed (use
+  `Store#bus`). `Hooks::Builtin.register_all(bus)` and
+  `Hooks::Loader.new(bus:)` now take a Bus instead of a Registry.
+  `Operations.for` no longer accepts `registry:`. Use cases
+  (`Refresh::Worker`, `Refresh::All`) take `bus:`.
+- All pubsub events declare `ctx:` instead of `store:` in their kwargs
+  schema. Every `bus.publish` call site passes `ctx: hook_context`.
+  `Operations#hook_context` builds the per-`Operations` `Hooks::Context`.
+- Manifest entries gain a required `kind:` field
+  (`leaf | nested | derived | intake`). Run
+  `textus key normalize --upgrade-manifest` to add it to existing
+  manifests — the inference is deterministic and lossless.
+- Internal: `Manifest::Entry` is now an abstract namespace; concrete
+  classes are `Entry::Leaf`, `Entry::Nested`, `Entry::Derived`,
+  `Entry::Intake`. The fields `projection`, `generator`, `compute`,
+  `intake_handler`, `intake_config` are removed from the entry
+  interface; `Entry::Derived` carries a typed `source`
+  (`Projection` or `External`) and `Entry::Intake` carries `handler`
+  / `config`. Use-case code dispatches on entry type rather than
+  probing optional fields.
+- `Application::Writes::Build` removed. `Application::Writes::Publish` now
+  materializes derived entries (template + projection + external runner)
+  AND copies leaf/nested entries to their publish targets in a single pass.
+  `Operations#build` is gone; use `Operations#publish` — the `textus build`
+  CLI verb is unchanged and produces the same
+  `{protocol, built, published_leaves}` JSON shape.
+
+## 0.19.1 — drop textus/2 migration hint (2026-05-27)
+
+**BREAKING (pre-1.0):** Users on gem ≤0.10 (manifest protocol `textus/2`)
+no longer receive a stepping-stone hint pointing at 0.11.x. The manifest
+parser and `textus doctor` now emit the generic "unsupported version"
+error. Users on ≤0.10 should install 0.11.x first (still on RubyGems)
+to run the migrator, then upgrade to 0.19.1+.
+
+### Changed
+- `Textus::Manifest` no longer special-cases `textus/2`; `TEXTUS_2_HINT`
+  and `version_hint_for` removed.
+- `Doctor::Check::ProtocolVersion` hint/fix text simplified; no longer
+  links to the 0.11.x CHANGELOG anchor.
+
+### Removed
+- Two redundant manifest specs (the `Manifest.load` duplicate and the
+  `textus/2`-specific hint assertion) collapsed into one generic case.
+
+## 0.19.0 — 2026-05-27
+
+### Breaking
+
+- `Application::Context` is now a slim value object (`role`,
+  `correlation_id`, `now`, `dry_run`). Migration table:
+
+  | Was | Now |
+  |-----|-----|
+  | `Application::Context.new(store:, role:)` | `Operations.for(store, role:)` (common case) or `Application::Context.build(role:)` (pure call state) |
+  | `Application::Context.system(store)` | Pass `store` directly to hooks |
+  | `ctx.store` / `ctx.manifest` / `ctx.file_store` etc. | Construct use cases with the explicit port kwargs |
+  | `ctx.authorize_write!(mentry)` | `Domain::Authorizer.new(manifest:).authorize_write!(mentry, role:)` |
+  | `Put.new(ctx:).call(..., suppress_events: true)` | Use `EnvelopeIO#write` directly |
+  | `store.role` inside a hook | Read `role:` from the event payload |
+
+- `Operations.new(ctx:, manifest:, file_store:, schemas:, audit_log:, bus:, registry:, root:, store:)`
+  is the primary constructor. `Operations.for(store, role:)` remains
+  a convenience.
+
+- `Application::Writes::Put#call` no longer accepts `suppress_events:`.
+
+- `Domain::Policy::Predicates::*` moved to `Application::Policy::Predicates::*`.
+  `Domain::Policy::Promotion` moved to `Application::Policy::Promotion`.
+  `Promotion#evaluate` now takes `entry:, schemas:, manifest:, role:`
+  instead of `store:`.
+
+- Hooks/intakes/transforms receive the actual `Store` as `store:`
+  (previously a Context impersonating one). Event payloads
+  (`:entry_put`, `:entry_deleted`, `:entry_renamed`, `:proposal_accepted`,
+  `:proposal_rejected`, `:entry_refreshed`, `:refresh_started`,
+  `:refresh_failed`, `:refresh_backgrounded`, `:file_published`,
+  `:build_completed`) now carry `role:` directly so hooks can observe
+  the actor without reaching through the `store:` handle.
+
+- `Application::Refresh::All` is a class, not a module function. Callers
+  go through `Operations#refresh_all`.
+
+### Added
+
+- `Domain::Authorizer` — single source of truth for permission checks.
+- `Application::Policy::Promotion` and `Application::Policy::Predicates::*` —
+  the policy evaluator and predicates now live with the Application code
+  that loads envelope bytes off disk to evaluate them.
+- `Application::Writes::EnvelopeIO#move` — full move pipeline (replaces
+  the in-`Mv` file move + audit).
+- `Application::Writes::EnvelopeIO#read_envelope(key)` — internal
+  convenience for callers that need to inspect a pre-move envelope.
+
+### Internal
+
+- `Builder::Pipeline` no longer re-enters `Operations.for(store)`; it
+  takes reader/lister callables from the caller.
+- CLI verbs construct `Operations`, never `Context` directly.
+- `Operations` no longer memoizes per-use-case factories; only
+  `envelope_io`, `refresh_worker`, and `orchestrator` are shared.
+- Wire format `textus/3` unchanged. Audit-log NDJSON unchanged.
+
+### Known follow-ups
+
+- CLI verbs `hook run`, `put --fetch`, `hooks list`, and `rule list`
+  still reach into `store.manifest` / `store.registry` directly. A
+  future release adds `Operations` projections (e.g. `manifest_view`,
+  `hooks_view`, `run_intake`) so these verbs route through the
+  Operations boundary.
+- `Application::Writes::Delete#call` retains a `suppress_events:` kwarg
+  (used internally by `Reject`). A future release either lifts the
+  suppression into `EnvelopeIO`-direct usage (matching the `Mv` path)
+  or formalizes per-event suppression as part of the public hook API.
+
+## 0.18.1 — 2026-05-27
+
+### Fixed
+
+- `Hooks::Dispatcher` no longer uses `Timeout.timeout`, which can interrupt a
+  hook mid-syscall or mid-`ensure` and leave Ruby state corrupted. Each
+  subscriber now runs in a worker thread joined with a deadline; on overrun
+  the thread is killed and the hook is recorded as `timed_out` (distinct
+  from `errored`).
+
+### Added
+
+- `Hooks::FireReport` — value object returned from `bus.publish`. Lists
+  `fired`, `errored`, and `timed_out` subscriber names; exposes `#ok?` and
+  `#failures`. Backwards-compatible: callers that ignore the return value
+  (the entire current codebase) keep working.
+- `Hooks::Dispatcher#publish` accepts `strict: true`, which re-raises the
+  first failure after every subscriber has been attempted. Intended for
+  test setups that want loud hooks; default remains `false`.
+
+### Internal
+
+- No public API surface changes. CLI behavior, `Operations` methods, wire
+  format `textus/3`, and the audit-log NDJSON shape are unchanged. Stores
+  written by 0.18.0 round-trip through 0.18.1 byte-for-byte.
+
 ## 0.18.0 — 2026-05-27
 
 Port extraction finishes the hexagonal trajectory. `Store::Reader` and

data/lib/textus/application/context.rb

@@ -2,69 +2,31 @@ require "securerandom"
 
 module Textus
   module Application
-    class Context
-      attr_reader :store, :role, :correlation_id
-
-      def self.system(store)
-        new(store: store, role: "human")
-      end
-
-      def initialize(store:, role:, correlation_id: nil, clock: Time, dry_run: false)
-        @store             = store
-        @role              = role.to_s
-        @correlation_id    = correlation_id || SecureRandom.uuid
-        @clock             = clock
-        @dry_run           = dry_run
-        @now               = nil
-      end
-
-      def now
-        @now ||= @clock.now
-      end
-
-      def dry_run?
-        @dry_run
-      end
-
-      def can_write?(zone)
-        store.manifest.permission_for(zone.to_s).allows_write?(role)
-      end
-
-      def can_read?(zone)
-        store.manifest.permission_for(zone.to_s).allows_read?(role)
-      end
-
-      def bus
-        @store.bus
-      end
-
-      def manifest   = @store.manifest
-      def schemas    = @store.schemas
-      def file_store = @store.file_store
-      def audit_log  = @store.audit_log
-
-      def authorize_write!(mentry)
-        return if can_write?(mentry.zone)
-
-        writers = @store.manifest.zone_writers(mentry.zone)
-        raise WriteForbidden.new(mentry.key, mentry.zone, writers: writers)
+    # A Context describes the call: who is acting (role), what request this
+    # is part of (correlation_id), what time it is (now), and whether
+    # writes should be suppressed (dry_run).
+    #
+    # Collaborators (manifest, file_store, bus, audit log, authorizer) are
+    # never read from Context — use cases declare them as explicit
+    # constructor ports, and Operations wires them in from the Store.
+    Context = Data.define(:role, :correlation_id, :now, :dry_run) do
+      def self.build(role:, correlation_id: nil, now: nil, dry_run: false)
+        new(
+          role: role.to_s,
+          correlation_id: correlation_id || SecureRandom.uuid,
+          now: now || Time.now,
+          dry_run: dry_run,
+        )
       end
 
-      def authorize_read!(mentry)
-        return if can_read?(mentry.zone)
-
-        readers = @store.manifest.zone_readers[mentry.zone]
-        readers = nil if readers == :all
-        raise ReadForbidden.new(mentry.key, mentry.zone, readers: readers)
-      end
+      def dry_run? = dry_run
 
       def with_role(new_role)
         self.class.new(
-          store: @store,
-          role: new_role,
-          correlation_id: @correlation_id,
-          clock: @clock,
-          dry_run: @dry_run,
+          role: new_role.to_s,
+          correlation_id: correlation_id,
+          now: now,
+          dry_run: dry_run,
         )
       end
     end

data/lib/textus/application/policy/predicates/human_accept.rb

@@ -0,0 +1,30 @@
+module Textus
+  module Application
+    module Policy
+      module Predicates
+        class HumanAccept
+          attr_reader :reason
+
+          def name
+            "human_accept"
+          end
+
+          # The role is passed explicitly. In practice, Accept already enforces
+          # role == "human" before reaching the promotion gate, so this predicate
+          # trivially passes. It documents intent and future-proofs multi-actor
+          # accept flows.
+          def call(role:, entry: nil) # rubocop:disable Lint/UnusedMethodArgument
+            role_str = role&.to_s
+            # If we cannot determine the role, trust that Accept has already
+            # checked — allow through.
+            return true if role_str.nil? || role_str.empty?
+
+            ok = (role_str == "human")
+            @reason = "current role is '#{role_str}', expected 'human'" unless ok
+            ok
+          end
+        end
+      end
+    end
+  end
+end

data/lib/textus/{domain → application}/policy/predicates/schema_valid.rb

@@ -1,5 +1,5 @@
 module Textus
-  module Domain
+  module Application
     module Policy
       module Predicates
         class SchemaValid
@@ -9,17 +9,17 @@ module Textus
             "schema_valid"
           end
 
-          def call(entry:, store:) # rubocop:disable Metrics/PerceivedComplexity
-            return true if entry.nil? || store.nil?
+          def call(entry:, schemas:, manifest:) # rubocop:disable Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity
+            return true if entry.nil? || manifest.nil? || schemas.nil?
 
             target_key = entry.meta&.dig("proposal", "target_key")
             return true unless target_key
 
-            mentry = store.manifest.resolve(target_key).entry
+            mentry = manifest.resolver.resolve(target_key).entry
             schema_ref = mentry&.schema
             return true unless schema_ref
 
-            schema = store.schemas.fetch_or_nil(schema_ref)
+            schema = schemas.fetch_or_nil(schema_ref)
             return true unless schema
 
             frontmatter = entry.meta&.dig("frontmatter") || {}

data/lib/textus/{domain → application}/policy/promotion.rb

@@ -1,8 +1,13 @@
 module Textus
-  module Domain
+  module Application
     module Policy
       # Promotion evaluates a list of named predicates against a pending-proposal
       # entry and returns a Result indicating whether all requirements are met.
+      #
+      # Lives in Application because the predicates it wires up read live state
+      # from explicit ports (schemas, manifest, role). The Domain-side rule
+      # statement ("this policy requires predicates X and Y") is captured by
+      # Textus::Domain::Policy::Promote.
       class Promotion
         Result = Struct.new(:ok?, :reasons, keyword_init: true)
 
@@ -31,14 +36,26 @@ module Textus
           @predicates.map(&:name)
         end
 
-        def evaluate(entry:, store:)
+        def evaluate(entry:, schemas:, manifest:, role:)
           reasons = []
           @predicates.each do |pred|
-            ok = pred.call(entry: entry, store: store)
+            ok = invoke(pred, entry: entry, schemas: schemas, manifest: manifest, role: role)
             reasons << "#{pred.name}: #{pred.reason || "predicate failed"}" unless ok
           end
           Result.new(ok?: reasons.empty?, reasons: reasons)
         end
+
+        private
+
+        def invoke(pred, entry:, schemas:, manifest:, role:)
+          case pred.name
+          when "human_accept"
+            pred.call(role: role, entry: entry)
+          else
+            # Default shape: schema-style predicates that need entry + schemas + manifest.
+            pred.call(entry: entry, schemas: schemas, manifest: manifest)
+          end
+        end
       end
     end
   end

data/lib/textus/application/projection.rb

@@ -0,0 +1,91 @@
+require "time"
+require "timeout"
+
+module Textus
+  module Application
+    class Projection
+      MAX_LIMIT = 1000
+      REDUCER_TIMEOUT_SECONDS = 2
+
+      # `reader` — a callable `->(key) { envelope_or_nil }`. Caller picks
+      #   semantics: pure read (`ops.get`) for materialization paths;
+      #   `ops.get_or_refresh` if you want refresh-on-stale.
+      # `lister` — a callable `->(prefix:) { [ { "key" => ... }, ... ] }`.
+      # `transform_resolver` — a callable `->(name) { callable_or_raise }`.
+      # `transform_context` — `Application::Context` handed to the transform reducer.
+      def initialize(reader:, spec:, lister:, transform_resolver:, transform_context:)
+        @reader             = reader
+        @spec               = spec || {}
+        @lister             = lister
+        @transform_resolver = transform_resolver
+        @transform_context  = transform_context
+        @limit = (@spec["limit"] || MAX_LIMIT).to_i
+        raise InvalidProjection.new("limit #{@limit} exceeds max #{MAX_LIMIT}") if @limit > MAX_LIMIT
+      end
+
+      def run
+        keys = collect_keys
+        explicit_pluck = !@spec["pluck"].nil? && @spec["pluck"] != "*"
+        rows = keys.map do |key|
+          env = @reader.call(key)
+          row = pluck(env.meta, env.body)
+          explicit_pluck ? row : row.merge("_key" => key)
+        end
+        reduced = apply_reducer(rows)
+        # Reducers may return either an Array of rows (legacy / templated builds)
+        # or a Hash that becomes the structured-format payload base. In the Hash
+        # case, downstream sort/limit/position markers don't apply, and the
+        # builder owns `_meta.generated_at` so we don't stamp it here.
+        return reduced if reduced.is_a?(Hash)
+
+        rows = reduced
+        rows = sort(rows)
+        rows = rows.first(@limit)
+        mark_positions(rows)
+        { "entries" => rows, "count" => rows.length, "generated_at" => Time.now.utc.iso8601 }
+      end
+
+      private
+
+      def apply_reducer(rows)
+        name = @spec["transform"] or return rows
+        callable = @transform_resolver.call(name)
+        Timeout.timeout(REDUCER_TIMEOUT_SECONDS) do
+          callable.call(store: @transform_context, rows: rows, config: @spec["transform_config"] || {})
+        end
+      rescue Timeout::Error
+        raise UsageError.new("transform_rows '#{name}' exceeded #{REDUCER_TIMEOUT_SECONDS}s timeout")
+      end
+
+      def collect_keys
+        prefixes = Array(@spec["select"])
+        prefixes.flat_map { |p| @lister.call(prefix: p).map { |row| row["key"] } }.uniq
+      end
+
+      def pluck(frontmatter, _body)
+        fields = @spec["pluck"]
+        if fields.nil? || fields == "*"
+          frontmatter
+        else
+          Array(fields).each_with_object({}) { |f, h| h[f] = frontmatter[f] if frontmatter.key?(f) }
+        end
+      end
+
+      # Adds `_first`, `_last`, and `_index` markers so templates can emit
+      # delimiters (e.g. JSON commas) via {{^_last}},{{/_last}}.
+      def mark_positions(rows)
+        last_idx = rows.length - 1
+        rows.each_with_index do |row, i|
+          row["_index"] = i
+          row["_first"] = i.zero?
+          row["_last"]  = (i == last_idx)
+        end
+      end
+
+      def sort(rows)
+        sb = @spec["sort_by"] or return rows
+        rows.sort_by { |r| r[sb].to_s }
+      end
+    end
+  end
+end

data/lib/textus/application/reads/audit.rb

@@ -8,9 +8,9 @@ module Textus
       # correlation_id, limit. Reads the log file as JSON-Lines (legacy TSV
       # rows produce nil and are skipped).
       class Audit
-        def initialize(ctx:)
-          @ctx = ctx
-          @log_path = File.join(@ctx.store.root, "audit.log")
+        def initialize(manifest:, root:)
+          @manifest = manifest
+          @log_path = File.join(root, "audit.log")
         end
 
         # rubocop:disable Metrics/ParameterLists, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
@@ -58,7 +58,7 @@ module Textus
         end
 
         def key_in_zone?(key, zone)
-          mentry = @ctx.store.manifest.resolve(key).entry
+          mentry = @manifest.resolver.resolve(key).entry
           mentry && mentry.zone == zone
         rescue Textus::Error
           false