RubyGems - textus - Versions diffs - 0.52.0 → 0.53.0 - Mend

textus 0.52.0 → 0.53.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (254) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +25 -0
data/README.md +62 -54
data/SPEC.md +62 -187
data/docs/architecture/README.md +88 -77
data/exe/textus +1 -1
data/lib/textus/action/accept.rb +53 -0
data/lib/textus/action/audit.rb +133 -0
data/lib/textus/action/base.rb +42 -0
data/lib/textus/{read → action}/blame.rb +30 -22
data/lib/textus/action/boot.rb +26 -0
data/lib/textus/action/data_mv.rb +71 -0
data/lib/textus/action/deps.rb +48 -0
data/lib/textus/action/doctor.rb +26 -0
data/lib/textus/action/drain.rb +41 -0
data/lib/textus/action/enqueue.rb +55 -0
data/lib/textus/action/get.rb +80 -0
data/lib/textus/action/jobs.rb +38 -0
data/lib/textus/action/key_delete.rb +46 -0
data/lib/textus/action/key_delete_prefix.rb +46 -0
data/lib/textus/action/key_mv.rb +143 -0
data/lib/textus/action/key_mv_prefix.rb +59 -0
data/lib/textus/action/list.rb +44 -0
data/lib/textus/action/propose.rb +54 -0
data/lib/textus/action/published.rb +26 -0
data/lib/textus/action/pulse/scanner.rb +118 -0
data/lib/textus/action/pulse.rb +87 -0
data/lib/textus/action/put.rb +63 -0
data/lib/textus/action/rdeps.rb +49 -0
data/lib/textus/action/reject.rb +49 -0
data/lib/textus/action/rule_explain.rb +95 -0
data/lib/textus/action/rule_lint.rb +70 -0
data/lib/textus/action/rule_list.rb +46 -0
data/lib/textus/action/schema_envelope.rb +31 -0
data/lib/textus/action/uid.rb +35 -0
data/lib/textus/action/where.rb +38 -0
data/lib/textus/action/write_verb.rb +58 -0
data/lib/textus/background/job/base.rb +27 -0
data/lib/textus/background/job/materialize.rb +31 -0
data/lib/textus/background/job/refresh.rb +22 -0
data/lib/textus/background/job/sweep.rb +31 -0
data/lib/textus/background/job.rb +19 -0
data/lib/textus/background/plan.rb +9 -0
data/lib/textus/background/planner/plan.rb +113 -0
data/lib/textus/{maintenance → background}/retention/apply.rb +7 -9
data/lib/textus/background/worker.rb +67 -0
data/lib/textus/boot.rb +53 -45
data/lib/textus/command.rb +36 -0
data/lib/textus/container.rb +1 -1
data/lib/textus/{domain → core}/duration.rb +1 -1
data/lib/textus/{domain → core}/freshness/evaluator.rb +11 -11
data/lib/textus/{domain → core}/freshness/verdict.rb +2 -2
data/lib/textus/{domain → core}/freshness.rb +2 -2
data/lib/textus/{domain → core}/retention/sweep.rb +7 -7
data/lib/textus/{domain → core}/retention.rb +2 -2
data/lib/textus/{domain → core}/sentinel.rb +1 -1
data/lib/textus/doctor/check/generator_drift.rb +1 -1
data/lib/textus/doctor/check/handler_permit.rb +34 -0
data/lib/textus/doctor/check/hooks.rb +11 -18
data/lib/textus/doctor/check/illegal_keys.rb +1 -1
data/lib/textus/doctor/check/intake_registration.rb +5 -5
data/lib/textus/doctor/check/proposal_targets.rb +3 -3
data/lib/textus/doctor/check/rule_ambiguity.rb +2 -2
data/lib/textus/doctor/check/schema_violations.rb +8 -2
data/lib/textus/doctor/check.rb +12 -9
data/lib/textus/{read → doctor}/validator.rb +22 -13
data/lib/textus/doctor.rb +6 -6
data/lib/textus/envelope/io/writer.rb +65 -36
data/lib/textus/envelope.rb +5 -3
data/lib/textus/errors.rb +17 -9
data/lib/textus/events.rb +21 -0
data/lib/textus/gate/auth.rb +181 -0
data/lib/textus/gate.rb +114 -0
data/lib/textus/init/templates/machine_intake.rb +39 -35
data/lib/textus/init/templates/orientation_reducer.rb +15 -11
data/lib/textus/init.rb +90 -73
data/lib/textus/key/path.rb +9 -2
data/lib/textus/layout.rb +13 -0
data/lib/textus/manifest/data.rb +14 -14
data/lib/textus/manifest/entry/base.rb +15 -11
data/lib/textus/manifest/entry/parser.rb +6 -6
data/lib/textus/manifest/entry/produced.rb +3 -2
data/lib/textus/manifest/entry/publish/mode.rb +1 -1
data/lib/textus/manifest/entry/publish/to_paths.rb +2 -1
data/lib/textus/manifest/entry/validators/events.rb +1 -1
data/lib/textus/{domain/policy/handler_allowlist.rb → manifest/policy/handler_permit.rb} +4 -4
data/lib/textus/{domain → manifest}/policy/matcher.rb +2 -2
data/lib/textus/{domain → manifest}/policy/publish_target.rb +2 -2
data/lib/textus/manifest/policy/react.rb +30 -0
data/lib/textus/{domain → manifest}/policy/retention.rb +3 -3
data/lib/textus/{domain → manifest}/policy/source.rb +24 -19
data/lib/textus/manifest/policy.rb +36 -48
data/lib/textus/manifest/resolver.rb +3 -2
data/lib/textus/manifest/rules.rb +4 -4
data/lib/textus/manifest/schema/keys.rb +17 -11
data/lib/textus/manifest/schema/validator.rb +24 -22
data/lib/textus/manifest/schema/vocabulary.rb +1 -1
data/lib/textus/manifest/schema.rb +2 -2
data/lib/textus/manifest.rb +2 -2
data/lib/textus/{produce → pipeline}/acquire/handler.rb +2 -2
data/lib/textus/{produce → pipeline}/acquire/intake.rb +22 -20
data/lib/textus/{produce → pipeline}/acquire/projection.rb +13 -11
data/lib/textus/{produce → pipeline}/acquire/serializer/json.rb +2 -2
data/lib/textus/{produce → pipeline}/acquire/serializer/text.rb +1 -1
data/lib/textus/{produce → pipeline}/acquire/serializer/yaml.rb +2 -2
data/lib/textus/{produce → pipeline}/acquire/serializer.rb +1 -1
data/lib/textus/{produce → pipeline}/engine.rb +7 -5
data/lib/textus/{produce → pipeline}/render.rb +3 -1
data/lib/textus/ports/audit_log.rb +31 -5
data/lib/textus/ports/audit_subscriber.rb +4 -4
data/lib/textus/{domain/jobs → ports/queue}/job.rb +19 -12
data/lib/textus/ports/queue.rb +1 -1
data/lib/textus/ports/sentinel_store.rb +2 -2
data/lib/textus/ports/watcher_lock.rb +48 -0
data/lib/textus/projection.rb +8 -8
data/lib/textus/schema/tools.rb +4 -3
data/lib/textus/session.rb +6 -3
data/lib/textus/step/base.rb +35 -0
data/lib/textus/step/builtin/csv_fetch.rb +19 -0
data/lib/textus/step/builtin/ical_events_fetch.rb +30 -0
data/lib/textus/step/builtin/json_fetch.rb +18 -0
data/lib/textus/step/builtin/markdown_links_fetch.rb +20 -0
data/lib/textus/step/builtin/rss_fetch.rb +26 -0
data/lib/textus/step/builtin.rb +22 -0
data/lib/textus/{hooks → step}/catalog.rb +3 -3
data/lib/textus/{hooks → step}/context.rb +15 -13
data/lib/textus/step/discovery.rb +24 -0
data/lib/textus/{hooks → step}/error_log.rb +1 -1
data/lib/textus/{hooks → step}/event_bus.rb +15 -16
data/lib/textus/step/fetch.rb +13 -0
data/lib/textus/{hooks → step}/fire_report.rb +1 -1
data/lib/textus/step/loader.rb +108 -0
data/lib/textus/step/observe.rb +31 -0
data/lib/textus/step/registry_store.rb +66 -0
data/lib/textus/{hooks → step}/signature.rb +1 -1
data/lib/textus/step/transform.rb +12 -0
data/lib/textus/step/validate.rb +11 -0
data/lib/textus/step.rb +10 -0
data/lib/textus/store.rb +17 -15
data/lib/textus/surfaces/cli/group/data.rb +11 -0
data/lib/textus/surfaces/cli/group/key.rb +11 -0
data/lib/textus/surfaces/cli/group/mcp.rb +11 -0
data/lib/textus/surfaces/cli/group/rule.rb +11 -0
data/lib/textus/surfaces/cli/group/schema.rb +11 -0
data/lib/textus/surfaces/cli/group.rb +50 -0
data/lib/textus/surfaces/cli/runner.rb +236 -0
data/lib/textus/surfaces/cli/verb/doctor.rb +21 -0
data/lib/textus/surfaces/cli/verb/get.rb +21 -0
data/lib/textus/surfaces/cli/verb/init.rb +20 -0
data/lib/textus/surfaces/cli/verb/mcp_serve.rb +24 -0
data/lib/textus/surfaces/cli/verb/put.rb +30 -0
data/lib/textus/surfaces/cli/verb/schema_diff.rb +17 -0
data/lib/textus/surfaces/cli/verb/schema_init.rb +21 -0
data/lib/textus/surfaces/cli/verb/schema_migrate.rb +21 -0
data/lib/textus/surfaces/cli/verb/watch.rb +19 -0
data/lib/textus/surfaces/cli/verb.rb +111 -0
data/lib/textus/surfaces/cli.rb +148 -0
data/lib/textus/surfaces/mcp/catalog.rb +99 -0
data/lib/textus/surfaces/mcp/errors.rb +34 -0
data/lib/textus/surfaces/mcp/server.rb +145 -0
data/lib/textus/surfaces/mcp/session.rb +9 -0
data/lib/textus/surfaces/mcp/tool_schemas.rb +17 -0
data/lib/textus/surfaces/mcp.rb +8 -0
data/lib/textus/surfaces/role_scope.rb +38 -0
data/lib/textus/surfaces/watcher.rb +38 -0
data/lib/textus/version.rb +1 -1
data/lib/textus.rb +64 -22
metadata +132 -118
data/lib/textus/cli/group/hook.rb +0 -9
data/lib/textus/cli/group/key.rb +0 -9
data/lib/textus/cli/group/mcp.rb +0 -9
data/lib/textus/cli/group/rule.rb +0 -9
data/lib/textus/cli/group/schema.rb +0 -9
data/lib/textus/cli/group/zone.rb +0 -9
data/lib/textus/cli/group.rb +0 -48
data/lib/textus/cli/runner.rb +0 -193
data/lib/textus/cli/verb/doctor.rb +0 -17
data/lib/textus/cli/verb/get.rb +0 -18
data/lib/textus/cli/verb/hook_run.rb +0 -48
data/lib/textus/cli/verb/hooks.rb +0 -50
data/lib/textus/cli/verb/init.rb +0 -18
data/lib/textus/cli/verb/mcp_serve.rb +0 -22
data/lib/textus/cli/verb/put.rb +0 -30
data/lib/textus/cli/verb/schema_diff.rb +0 -15
data/lib/textus/cli/verb/schema_init.rb +0 -19
data/lib/textus/cli/verb/schema_migrate.rb +0 -19
data/lib/textus/cli/verb/serve.rb +0 -19
data/lib/textus/cli/verb.rb +0 -116
data/lib/textus/cli.rb +0 -138
data/lib/textus/dispatcher.rb +0 -54
data/lib/textus/doctor/check/handler_allowlist.rb +0 -34
data/lib/textus/domain/action.rb +0 -9
data/lib/textus/domain/jobs/registry.rb +0 -37
data/lib/textus/domain/permission.rb +0 -7
data/lib/textus/domain/policy/base_guards.rb +0 -25
data/lib/textus/domain/policy/evaluation.rb +0 -15
data/lib/textus/domain/policy/guard.rb +0 -35
data/lib/textus/domain/policy/guard_factory.rb +0 -40
data/lib/textus/domain/policy/predicates/author_held.rb +0 -33
data/lib/textus/domain/policy/predicates/etag_match.rb +0 -32
data/lib/textus/domain/policy/predicates/fresh_within.rb +0 -59
data/lib/textus/domain/policy/predicates/registry.rb +0 -39
data/lib/textus/domain/policy/predicates/schema_valid.rb +0 -61
data/lib/textus/domain/policy/predicates/target_is_canon.rb +0 -33
data/lib/textus/domain/policy/predicates/zone_writable_by.rb +0 -39
data/lib/textus/hooks/builtin.rb +0 -70
data/lib/textus/hooks/loader.rb +0 -54
data/lib/textus/hooks/rpc_registry.rb +0 -43
data/lib/textus/jobs/handlers.rb +0 -62
data/lib/textus/jobs/scheduler.rb +0 -36
data/lib/textus/jobs/seeder.rb +0 -57
data/lib/textus/maintenance/drain.rb +0 -42
data/lib/textus/maintenance/key_delete_prefix.rb +0 -48
data/lib/textus/maintenance/key_mv_prefix.rb +0 -68
data/lib/textus/maintenance/rule_lint.rb +0 -66
data/lib/textus/maintenance/serve.rb +0 -30
data/lib/textus/maintenance/worker.rb +0 -74
data/lib/textus/maintenance/zone_mv.rb +0 -64
data/lib/textus/maintenance.rb +0 -15
data/lib/textus/mcp/catalog.rb +0 -70
data/lib/textus/mcp/errors.rb +0 -32
data/lib/textus/mcp/server.rb +0 -138
data/lib/textus/mcp/session.rb +0 -7
data/lib/textus/mcp/tool_schemas.rb +0 -15
data/lib/textus/mcp.rb +0 -6
data/lib/textus/mustache.rb +0 -117
data/lib/textus/ports/produce_on_write_subscriber.rb +0 -73
data/lib/textus/produce/events.rb +0 -36
data/lib/textus/read/audit.rb +0 -130
data/lib/textus/read/boot.rb +0 -26
data/lib/textus/read/capabilities.rb +0 -70
data/lib/textus/read/deps.rb +0 -38
data/lib/textus/read/doctor.rb +0 -27
data/lib/textus/read/freshness.rb +0 -152
data/lib/textus/read/get.rb +0 -73
data/lib/textus/read/jobs.rb +0 -31
data/lib/textus/read/list.rb +0 -24
data/lib/textus/read/published.rb +0 -22
data/lib/textus/read/pulse.rb +0 -98
data/lib/textus/read/rdeps.rb +0 -39
data/lib/textus/read/rule_explain.rb +0 -96
data/lib/textus/read/rule_list.rb +0 -54
data/lib/textus/read/schema_envelope.rb +0 -25
data/lib/textus/read/uid.rb +0 -29
data/lib/textus/read/validate_all.rb +0 -36
data/lib/textus/read/where.rb +0 -24
data/lib/textus/role_scope.rb +0 -78
data/lib/textus/write/accept.rb +0 -58
data/lib/textus/write/enqueue.rb +0 -50
data/lib/textus/write/key_delete.rb +0 -65
data/lib/textus/write/key_mv.rb +0 -141
data/lib/textus/write/propose.rb +0 -54
data/lib/textus/write/put.rb +0 -74
data/lib/textus/write/reject.rb +0 -68

data/lib/textus/doctor/check.rb CHANGED Viewed

@@ -14,8 +14,9 @@ module Textus
                           .downcase
       end
-      def initialize(container)
+      def initialize(container, role: Textus::Role::DEFAULT)
         @container = container
+        @role      = role
       end
       def call
@@ -26,16 +27,18 @@ module Textus
       def root     = @container.root
       def manifest = @container.manifest
-      def rpc      = @container.rpc
+      def steps    = @container.steps
-      # Dispatch a verb through the single use-case invocation seam (ADR 0026).
+      # Dispatch a verb through Gate.
       def dispatch(verb, *args, **kwargs)
-        Textus::Dispatcher.invoke(
-          verb,
-          container: @container,
-          call: Textus::Call.build(role: Textus::Role::DEFAULT),
-          args: args, kwargs: kwargs
-        )
+        klass = Textus::Action::VERBS[verb]
+        spec = klass.contract if klass.respond_to?(:contract?) && klass.contract?
+        inputs = spec ? Textus::Contract::Binder.inputs_from_ordered(spec, args, kwargs) : kwargs
+        cmd_class = Textus::Gate::VERB_COMMAND.fetch(verb)
+        merged = inputs.merge(role: @role)
+        filled = cmd_class.members.to_h { |m| [m, merged.key?(m) ? merged[m] : nil] }
+        cmd = cmd_class.new(**filled)
+        @container.gate.dispatch(cmd)
       end
     end
   end

data/lib/textus/{read → doctor}/validator.rb RENAMED Viewed

@@ -1,27 +1,31 @@
+# frozen_string_literal: true
 module Textus
-  module Read
+  module Doctor
     class Validator
       def initialize(reader:, manifest:, audit_log:, schema_for:)
-        @reader = reader
-        @manifest = manifest
+        @reader    = reader
+        @manifest  = manifest
         @audit_log = audit_log
         @schema_for = schema_for
       end
-      def call
+      def call(container:, call:)
+        @container = container
+        @call      = call
         violations = []
         check_content_violations(violations)
         check_role_authority_violations(violations)
-        { "protocol" => PROTOCOL, "ok" => violations.empty?, "violations" => violations }
+        { "protocol" => Textus::PROTOCOL, "ok" => violations.empty?, "violations" => violations }
       end
       private
       def check_content_violations(violations)
         @manifest.resolver.enumerate.each do |row|
-          key = row[:key]
+          key    = row[:key]
           mentry = row[:manifest_entry]
-          env = fetch_envelope(key, violations) or next
+          env    = fetch_envelope(key, violations) or next
           schema = mentry.schema && @schema_for.call(mentry.schema)
           next unless schema
@@ -42,7 +46,7 @@ module Textus
           next unless schema
           env = begin
-            @reader.get(row[:key])
+            @reader.call(row[:key], @container, @call)
           rescue StandardError
             next
           end
@@ -54,19 +58,24 @@ module Textus
         last_writer = @audit_log.last_writer_for(key)
         return if last_writer.nil?
-        last_writer_is_authority = @manifest.policy.roles_with_capability("author").include?(last_writer)
+        last_writer_is_authority =
+          @manifest.policy.roles_with_capability("author").include?(last_writer)
         env.meta.each_key do |field|
           owner = schema.maintained_by(field)
           next if owner.nil? || last_writer == owner || last_writer_is_authority
-          violations << { "key" => key, "code" => "role_authority",
-                          "field" => field, "expected" => owner, "last_writer" => last_writer }
+          violations << {
+            "key" => key,
+            "code" => "role_authority",
+            "field" => field,
+            "expected" => owner,
+            "last_writer" => last_writer,
+          }
         end
       end
       def fetch_envelope(key, violations)
-        @reader.get(key)
+        @reader.call(key, @container, @call)
       rescue Textus::Error => e
         violations << { "key" => key, "code" => e.code, "message" => e.message }
         nil

data/lib/textus/doctor.rb CHANGED Viewed

@@ -22,7 +22,7 @@ module Textus
       Check::UnownedSchemaFields,
       Check::SchemaViolations,
       Check::RuleAmbiguity,
-      Check::HandlerAllowlist,
+      Check::HandlerPermit,
       Check::OrphanedPublishTargets,
       Check::PublishTreeIndexOverlap,
       Check::ProposalTargets,
@@ -33,7 +33,7 @@ module Textus
     module_function
-    def build(container:, checks: nil)
+    def build(container:, checks: nil, role: Textus::Role::DEFAULT)
       selected_keys = checks ? Array(checks).map(&:to_s) : ALL_CHECKS
       unknown = selected_keys - ALL_CHECKS
       unless unknown.empty?
@@ -43,7 +43,7 @@ module Textus
       end
       selected = CHECKS.select { |c| selected_keys.include?(c.name_key) }
-      issues = selected.flat_map { |c| c.new(container).call }
+      issues = selected.flat_map { |c| c.new(container, role:).call }
       issues.concat(run_registered_checks(container))
       summary = LEVELS.to_h { |l| [l, issues.count { |i| i["level"] == l }] }
@@ -56,12 +56,12 @@ module Textus
     end
     def run_registered_checks(container)
-      container.rpc.names(:validate).flat_map { |name| invoke_registered_check(container, name) }
+      container.steps.names(:validate).flat_map { |name| invoke_registered_check(container, name) }
     end
     def invoke_registered_check(container, name)
       result = Timeout.timeout(DOCTOR_CHECK_TIMEOUT_SECONDS) do
-        container.rpc.invoke(:validate, name, caps: container)
+        container.steps.invoke(:validate, name, caps: container)
       end
       return result.map { |h| h.transform_keys(&:to_s) } if result.is_a?(Array)
@@ -75,7 +75,7 @@ module Textus
     rescue StandardError => e
       [fail_issue(name, code: "doctor_check.failed",
                         message: "#{e.class}: #{e.message}",
-                        fix: "fix the :validate hook in .textus/hooks/")]
+                        fix: "fix the :validate step in .textus/steps/validate/")]
     end
     def fail_issue(name, code:, message:, fix:)

data/lib/textus/envelope/io/writer.rb CHANGED Viewed

@@ -32,42 +32,15 @@ module Textus
         end
         def put(key, mentry:, payload:, if_etag: nil)
-          path = @manifest.resolver.resolve(key).path
-          meta = payload.meta || {}
-          existing_uid = @reader.existing_uid(key)
-          meta, content = ensure_uid(mentry.format, meta, payload.content, existing_uid)
-          bytes, eff_meta, eff_body, eff_content = serialize_for_put(
-            mentry: mentry, path: path,
-            meta: meta, body: payload.body, content: content
-          )
+          path = resolve_path(key)
+          meta, content = prepare_uid(mentry, payload, key)
+          bytes, eff_meta, eff_body, eff_content = serialize_entry(mentry, path, meta, payload, content)
           enforce_name_match!(path, eff_meta, mentry.format)
-          schema = @schemas.fetch_or_nil(mentry.schema)
-          if schema
-            Entry.for_format(mentry.format).validate_against(
-              schema,
-              { "_meta" => eff_meta, "content" => eff_content },
-            )
-          end
-          etag_before = @file_store.exists?(path) ? @file_store.etag(path) : nil
-          raise EtagMismatch.new(key, if_etag, etag_before) if if_etag && (etag_before != if_etag)
-          @file_store.write(path, bytes)
-          etag_after = Etag.for_bytes(bytes)
-          envelope = Textus::Envelope.build(
-            key: key, mentry: mentry, path: path,
-            meta: eff_meta, body: eff_body, etag: etag_after, content: eff_content
-          )
-          @audit_log.append(
-            role: @call.role, verb: "put", key: key,
-            etag_before: etag_before, etag_after: etag_after,
-            extras: @call.correlation_id ? { "correlation_id" => @call.correlation_id } : nil
-          )
+          validate_schema(mentry, eff_meta, eff_content)
+          etag_before = check_etag!(path, key, if_etag)
+          write_bytes(path, bytes)
+          envelope = build_envelope(key, mentry, path, eff_meta, eff_body, eff_content)
+          audit_put(key, etag_before, envelope.etag)
           envelope
         end
@@ -155,7 +128,7 @@ module Textus
         # The zone directory under which `path` lives (`<root>/zones/<zone>`),
         # or nil if `path` is not under the store's zones tree.
         def zone_floor(path)
-          zones_root = File.join(@manifest.data.root, "zones")
+          zones_root = File.join(@manifest.data.root, "data")
           prefix = "#{zones_root}/"
           return nil unless path.start_with?(prefix)
@@ -176,6 +149,62 @@ module Textus
             meta: meta, body: body, content: content, path: path,
           )
         end
+        def resolve_path(key)
+          @manifest.resolver.resolve(key).path
+        end
+        def prepare_uid(mentry, payload, key)
+          meta = payload.meta || {}
+          existing_uid = @reader.existing_uid(key)
+          ensure_uid(mentry.format, meta, payload.content, existing_uid)
+        end
+        def serialize_entry(mentry, path, meta, payload, content)
+          serialize_for_put(
+            mentry: mentry, path: path,
+            meta: meta, body: payload.body, content: content
+          )
+        end
+        def validate_schema(mentry, eff_meta, eff_content)
+          schema = @schemas.fetch_or_nil(mentry.schema)
+          return unless schema
+          Entry.for_format(mentry.format).validate_against(
+            schema,
+            { "_meta" => eff_meta, "content" => eff_content },
+          )
+        end
+        def check_etag!(path, key, if_etag)
+          etag_before = @file_store.exists?(path) ? @file_store.etag(path) : nil
+          raise EtagMismatch.new(key, if_etag, etag_before) if if_etag && (etag_before != if_etag)
+          etag_before
+        end
+        def write_bytes(path, bytes)
+          @file_store.write(path, bytes)
+        end
+        def build_envelope(key, mentry, path, eff_meta, eff_body, eff_content)
+          Textus::Envelope.build(
+            key: key, mentry: mentry, path: path,
+            meta: eff_meta, body: eff_body,
+            etag: Etag.for_bytes(@file_store.read(path)),
+            content: eff_content
+          )
+        end
+        def audit_put(key, etag_before, etag_after)
+          extras = @call.correlation_id ? { "correlation_id" => @call.correlation_id } : nil
+          @audit_log.append(
+            role: @call.role, verb: "put", key: key,
+            etag_before: etag_before, etag_after: etag_after,
+            extras: extras
+          )
+        end
       end
     end
   end

data/lib/textus/envelope.rb CHANGED Viewed

@@ -2,7 +2,7 @@
 module Textus
   Envelope = Data.define(
-    :protocol, :key, :zone, :owner, :path, :format,
+    :protocol, :key, :lane, :owner, :path, :format,
     :uid, :etag, :schema_ref, :meta, :body, :content, :freshness
   ) do
     # rubocop:disable Metrics/ParameterLists
@@ -11,7 +11,7 @@ module Textus
       new(
         protocol: Textus::PROTOCOL,
         key: key,
-        zone: mentry.zone,
+        lane: mentry.lane,
         owner: mentry.owner,
         path: path,
         format: mentry.format,
@@ -34,7 +34,7 @@ module Textus
       h = {
         "protocol" => protocol,
         "key" => key,
-        "zone" => zone,
+        "lane" => lane,
         "owner" => owner,
         "path" => path,
         "format" => format,
@@ -49,6 +49,8 @@ module Textus
       h
     end
+    alias_method :zone, :lane
     def stale?
       return false if freshness.nil?

data/lib/textus/errors.rb CHANGED Viewed

@@ -1,24 +1,32 @@
 module Textus
+  ErrorInfo = Data.define(:details, :exit_code, :hint) do
+    def self.for(details: {}, exit_code: 1, hint: nil)
+      new(details: details, exit_code: exit_code, hint: hint)
+    end
+  end
   class Error < StandardError
-    attr_reader :code, :details, :exit_code, :hint
+    attr_reader :code
-    def initialize(code, message, details: {}, exit_code: 1, hint: nil)
+    def initialize(code, message, info: nil, details: {}, exit_code: 1, hint: nil)
       super(message)
       @code = code
-      @details = details
-      @exit_code = exit_code
-      @hint = hint
+      @info = info || ErrorInfo.for(details:, exit_code:, hint:)
     end
+    def details = @info.details
+    def exit_code = @info.exit_code
+    def hint = @info.hint
     def to_envelope
       env = {
         "protocol" => Textus::PROTOCOL,
         "ok" => false,
         "code" => @code,
         "message" => message,
-        "details" => @details,
+        "details" => details,
       }
-      env["hint"] = @hint if @hint
+      env["hint"] = hint if hint
       env
     end
   end
@@ -97,7 +105,7 @@ module Textus
         else
           "no declared role"
         end
-      details = { "key" => k, "zone" => z }
+      details = { "key" => k, "lane" => z }
       details["verb"] = verb if verb
       details["holders"] = holders if holders
       super(
@@ -177,7 +185,7 @@ module Textus
   class PublishError < Error
     def initialize(m, target: nil)
       hint =
-        ("file at #{target} wasn't published by textus; back it up and delete it, or move it under .textus/zones/" if target)
+        ("file at #{target} wasn't published by textus; back it up and delete it, or move it under .textus/data/" if target)
       super("publish_error", m, details: target ? { "target" => target } : {}, hint: hint)
     end
   end

data/lib/textus/events.rb ADDED Viewed

@@ -0,0 +1,21 @@
+module Textus
+  module Events
+    ENTRY_WRITTEN   = "entry.written"
+    ENTRY_DELETED   = "entry.deleted"
+    ENTRY_RENAMED   = "entry.renamed"
+    ENTRY_FETCHED   = "entry.fetched"
+    ENTRY_DERIVED   = "entry.derived"
+    ENTRY_VALIDATED = "entry.validated"
+    ENTRY_PUBLISHED = "entry.published"
+    PIPELINE_FAILED = "pipeline.failed"
+    STEP_FETCH_COMPLETE     = "step.fetch.complete"
+    STEP_TRANSFORM_COMPLETE = "step.transform.complete"
+    STEP_VALIDATE_PASSED    = "step.validate.passed"
+    STEP_VALIDATE_FAILED    = "step.validate.failed"
+    STORE_LOADED   = "store.loaded"
+    SESSION_OPENED = "session.opened"
+    SESSION_CLOSED = "session.closed"
+  end
+end

data/lib/textus/gate/auth.rb ADDED Viewed

@@ -0,0 +1,181 @@
+# frozen_string_literal: true
+module Textus
+  class Gate
+    class Auth
+      FLOOR = {
+        put: %w[lane_writable_by],
+        key_delete: %w[lane_writable_by],
+        key_mv: %w[lane_writable_by],
+        accept: %w[author_held],
+        reject: %w[author_held],
+        propose: %w[lane_writable_by],
+        key_mv_prefix: %w[lane_writable_by],
+        key_delete_prefix: %w[lane_writable_by],
+      }.freeze
+      AuthContext = Struct.new(
+        :actor, :actor_caps, :lane_verb,
+        :action, :target, :envelope,
+        :mentry, :manifest,
+        keyword_init: true
+      )
+      def initialize(container)
+        @manifest = container.manifest
+        @schemas = container.schemas
+      end
+      # Command-based check (new Gate path).
+      def check!(cmd)
+        key = extract_key(cmd)
+        return unless key
+        evaluate_predicates(
+          action: command_to_action(cmd),
+          actor: cmd.role.to_s,
+          key: key,
+          envelope: nil,
+          extra: {},
+        )
+      end
+      # Backward-compatible check for inline action auth (accept, put, etc.).
+      def check_action!(action:, actor:, key:, envelope: nil, extra: {})
+        evaluate_predicates(
+          action: action.to_sym,
+          actor: actor,
+          key: key,
+          envelope: envelope,
+          extra: extra,
+        )
+      end
+      def self.command_to_verb
+        @command_to_verb ||= Textus::Gate::VERB_COMMAND.invert.freeze
+      end
+      private
+      def command_to_action(cmd)
+        self.class.command_to_verb.fetch(cmd.class) do
+          raise Textus::UsageError.new("unmapped command: #{cmd.class}")
+        end
+      end
+      def evaluate_predicates(action:, actor:, key:, envelope:, extra:)
+        mentry = @manifest.resolver.resolve(key).entry
+        lane_verb = @manifest.policy.verb_for_lane(mentry.lane.to_s)
+        actor_caps = Set.new(@manifest.data.role_caps.fetch(actor, []))
+        ctx = AuthContext.new(
+          actor:, actor_caps:, lane_verb:,
+          action:, target: key, envelope:,
+          mentry:, manifest: @manifest
+        )
+        failures = []
+        floor_preds = FLOOR.fetch(action, [])
+        rule_preds = rule_declared_predicates(action, key)
+        (floor_preds + rule_preds).uniq.each do |pred|
+          result = evaluate(pred, ctx, extra)
+          next if result[:pass]
+          raise result[:error] if result[:error]
+          failures << [pred, result[:reason]]
+        end
+        raise Textus::GuardFailed.new(failures) unless failures.empty?
+      end
+      def extract_key(cmd)
+        if cmd.respond_to?(:pending_key)
+          cmd.pending_key
+        elsif cmd.respond_to?(:key)
+          cmd.key
+        end
+      end
+      def rule_declared_predicates(action, key)
+        guard_map = @manifest.rules.for(key).guard
+        return [] if guard_map.nil?
+        Array(guard_map[action.to_s])
+      end
+      def evaluate(pred_name, ctx, extra)
+        case pred_name
+        when "lane_writable_by"  then evaluate_lane_writable_by(ctx)
+        when "author_held"       then evaluate_author_held(ctx)
+        when "target_is_canon"   then evaluate_target_is_canon(ctx)
+        when "etag_match"        then evaluate_etag_match(ctx, extra)
+        when "schema_valid"      then evaluate_schema_valid(ctx)
+        when "fresh_within"      then { pass: true }
+        else raise Textus::UsageError.new("unknown predicate '#{pred_name}'")
+        end
+      end
+      def evaluate_lane_writable_by(ctx)
+        pass = ctx.actor_caps.include?(ctx.lane_verb.to_s)
+        return { pass: true } if pass
+        holders = @manifest.policy.roles_with_capability(ctx.lane_verb.to_s)
+        { pass: false, error: Textus::WriteForbidden.new(ctx.mentry.key, ctx.mentry.lane, verb: ctx.lane_verb, holders:) }
+      end
+      def evaluate_author_held(ctx)
+        holders = @manifest.policy.roles_with_capability("author")
+        pass = holders.include?(ctx.actor.to_s)
+        reason = if pass
+                   nil
+                 elsif holders.empty?
+                   "no role holds the 'author' capability; #{ctx.action} is disabled"
+                 else
+                   "role '#{ctx.actor}' lacks the 'author' capability (held by: #{holders.join(", ")})"
+                 end
+        { pass:, reason: }
+      end
+      def evaluate_target_is_canon(ctx)
+        kind = @manifest.policy.declared_kind(ctx.mentry.lane.to_s)
+        pass = kind == :canon
+        { pass:, reason: pass ? nil : "target lane '#{ctx.mentry.lane}' is not canon (kind: #{kind})" }
+      end
+      def evaluate_etag_match(ctx, extra)
+        if_etag = extra[:if_etag]
+        return { pass: true } if if_etag.nil?
+        current = ctx.envelope&.etag
+        pass = current.nil? || current == if_etag
+        { pass:, error: pass ? nil : Textus::EtagMismatch.new(ctx.target, if_etag, current) }
+      end
+      def evaluate_schema_valid(ctx)
+        return { pass: true } unless ctx.envelope
+        schema_ref = ctx.mentry.schema
+        return { pass: true } unless schema_ref
+        schema = @schemas.fetch_or_nil(schema_ref)
+        return { pass: true } unless schema
+        frontmatter = ctx.envelope.meta&.dig("_meta") || ctx.envelope.meta || {}
+        begin
+          schema.validate!(frontmatter)
+          { pass: true }
+        rescue Textus::SchemaViolation => e
+          { pass: false, reason: schema_reason(e) }
+        end
+      end
+      def schema_reason(err)
+        d = err.details
+        return err.message.dup unless d.is_a?(Hash)
+        return "missing required fields: #{Array(d["missing"]).join(", ")}" if d["missing"]
+        return "field '#{d["field"]}': #{d["reason"]}" if d["field"]
+        err.message.dup
+      end
+    end
+  end
+end