domainforge 0.13.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.cargo/config.toml +6 -0
- package/.claude/settings.local.json +18 -0
- package/.coderabbit.yml +43 -0
- package/.codex/skills/release-management/SKILL.md +151 -0
- package/.codex/skills/release-management/agents/openai.yaml +4 -0
- package/.github/actions/decrypt-secrets/action.yml +121 -0
- package/.github/agents/Coder.agent.md +97 -0
- package/.github/agents/DeepResearch.agent.md +61 -0
- package/.github/chatmodes/tdd.vibepro.chatmode.md +1183 -0
- package/.github/copilot-instructions.md +13 -0
- package/.github/dependabot.yml +68 -0
- package/.github/workflows/README.md +165 -0
- package/.github/workflows/ci.yml +335 -0
- package/.github/workflows/dependabot-automerge.yml +114 -0
- package/.github/workflows/dependency-review.yml +27 -0
- package/.github/workflows/deploy.yml +87 -0
- package/.github/workflows/prepare-release.yml +168 -0
- package/.github/workflows/release-crates.yml +42 -0
- package/.github/workflows/release-npm.yml +137 -0
- package/.github/workflows/release-please.yml +29 -0
- package/.github/workflows/release-pypi.yml +96 -0
- package/.gitkeep +1 -0
- package/.release-please-manifest.json +5 -0
- package/.sea-registry.toml +10 -0
- package/.serena/project.yml +133 -0
- package/.sops.yaml +10 -0
- package/AGENTS.md +216 -0
- package/CHANGELOG.md +400 -0
- package/CLAUDE.md +62 -0
- package/CONTRIBUTING.md +323 -0
- package/Cargo.lock +3612 -0
- package/Cargo.toml +12 -0
- package/LICENSE +201 -0
- package/README.md +660 -0
- package/README_PYTHON.md +256 -0
- package/README_TYPESCRIPT.md +305 -0
- package/README_WASM.md +329 -0
- package/RELEASE_NOTES.md +41 -0
- package/bun.lock +378 -0
- package/bunfig.toml +11 -0
- package/check_output.txt +83 -0
- package/clippy_output.txt +80 -0
- package/commitlint.config.cjs +8 -0
- package/deny.toml +42 -0
- package/devbox.json +14 -0
- package/devbox.lock +76 -0
- package/docs/RELEASE_PROCESS.md +360 -0
- package/docs/diagnostics.md +161 -0
- package/docs/doc_guidelines.md +53 -0
- package/docs/explanations/README.md +21 -0
- package/docs/explanations/architecture-overview.md +109 -0
- package/docs/explanations/cross-language-binding-strategy.md +68 -0
- package/docs/explanations/graph-store-design.md +47 -0
- package/docs/explanations/performance-benchmarks.md +63 -0
- package/docs/explanations/policy-evaluation-logic.md +106 -0
- package/docs/explanations/semantic-modeling-concepts.md +109 -0
- package/docs/explanations/three-valued-logic.md +66 -0
- package/docs/explanations/versioning-strategy.md +45 -0
- package/docs/governance.md +168 -0
- package/docs/how-tos/README.md +46 -0
- package/docs/how-tos/ci-cd-validation.md +93 -0
- package/docs/how-tos/create-custom-units.md +125 -0
- package/docs/how-tos/define-policies.md +119 -0
- package/docs/how-tos/export-to-calm.md +110 -0
- package/docs/how-tos/export-to-protobuf.md +312 -0
- package/docs/how-tos/extend-grammar.md +133 -0
- package/docs/how-tos/generate-rdf-turtle.md +106 -0
- package/docs/how-tos/import-from-calm.md +114 -0
- package/docs/how-tos/import-from-sbvr.md +249 -0
- package/docs/how-tos/install-cli.md +126 -0
- package/docs/how-tos/parse-sea-files.md +132 -0
- package/docs/how-tos/policy-evaluation-modes.md +30 -0
- package/docs/how-tos/run-cross-language-tests.md +115 -0
- package/docs/how-tos/troubleshoot-napi-builds.md +55 -0
- package/docs/how-tos/use-modules-imports.md +285 -0
- package/docs/index.md +13 -0
- package/docs/plans/canonical-normalizer.md +121 -0
- package/docs/plans/cd_improvement.md +112 -0
- package/docs/plans/cli-ast.md +29 -0
- package/docs/plans/expression-bindings-and-normalizer-integration.md +174 -0
- package/docs/plans/protobuf_advanced_features_plan.md +597 -0
- package/docs/plans/protobuf_plan.yml +525 -0
- package/docs/plans/refactor_dsl_architecture.md +131 -0
- package/docs/plans/release-plan.md +163 -0
- package/docs/plans/sea_fmt_implementation_plan.md +516 -0
- package/docs/playbooks/README.md +18 -0
- package/docs/playbooks/adding-new-primitive.md +68 -0
- package/docs/playbooks/debugging-parser-failures.md +42 -0
- package/docs/playbooks/local-release-preparation.md +139 -0
- package/docs/playbooks/migrating-schema-versions.md +43 -0
- package/docs/playbooks/onboarding-contributors.md +64 -0
- package/docs/playbooks/releasing-beta.md +86 -0
- package/docs/playbooks/secret-management.md +64 -0
- package/docs/reference/README.md +199 -0
- package/docs/reference/ast-json-api.md +427 -0
- package/docs/reference/calm-mapping.md +519 -0
- package/docs/reference/cli-commands.md +588 -0
- package/docs/reference/configuration.md +202 -0
- package/docs/reference/error-codes.md +664 -0
- package/docs/reference/generated-artifacts-policy.md +53 -0
- package/docs/reference/grammar-spec.md +255 -0
- package/docs/reference/primitives-api.md +317 -0
- package/docs/reference/protobuf-api.md +426 -0
- package/docs/reference/python-api.md +485 -0
- package/docs/reference/registry.md +50 -0
- package/docs/reference/sea-dsl-ai-cheatsheet.yaml +913 -0
- package/docs/reference/security-model.md +74 -0
- package/docs/reference/typescript-api.md +508 -0
- package/docs/reference/wasm-api.md +420 -0
- package/docs/semantic-pack-review.md +144 -0
- package/docs/semantic-pack-signing.md +234 -0
- package/docs/semantic-packs.md +284 -0
- package/docs/specs/ADR-001-sea-dsl-semantic-source-of-truth.md +33 -0
- package/docs/specs/ADR-002-projection-first-class-construct.md +50 -0
- package/docs/specs/ADR-003-protobuf-projection-target.md +51 -0
- package/docs/specs/ADR-004-projection-compatibility-semantics.md +57 -0
- package/docs/specs/ADR-005-multi-language-support-strategy.md +112 -0
- package/docs/specs/ADR-006-error-handling-strategy.md +115 -0
- package/docs/specs/ADR-007-policy-evaluation-engine.md +95 -0
- package/docs/specs/ADR-008-knowledge-graph-integration.md +90 -0
- package/docs/specs/ADR-009-module-resolution-strategy.md +115 -0
- package/docs/specs/ADR-010-unit-system.md +106 -0
- package/docs/specs/PRD-001-sea-projection-framework.md +155 -0
- package/docs/specs/PRD-002-sea-cli-tooling.md +169 -0
- package/docs/specs/PRD-003-dsl-core-capabilities.md +275 -0
- package/docs/specs/README.md +62 -0
- package/docs/specs/SDS-001-protobuf-projection-engine.md +451 -0
- package/docs/specs/SDS-002-sea-core-architecture.md +268 -0
- package/docs/specs/SDS-003-parser-semantic-graph.md +377 -0
- package/docs/specs/SDS-004-policy-engine-design.md +362 -0
- package/docs/specs/SDS-005-knowledge-graph-module.md +364 -0
- package/docs/specs/SDS-006-calm-integration.md +367 -0
- package/docs/specs/SDS-007-sbvr-import.md +347 -0
- package/docs/templates/template_explanation.md +14 -0
- package/docs/templates/template_howto.md +21 -0
- package/docs/templates/template_playbook.md +21 -0
- package/docs/templates/template_reference.md +17 -0
- package/docs/templates/template_tutorial.md +24 -0
- package/docs/tutorials/README.md +12 -0
- package/docs/tutorials/first-sea-model.md +85 -0
- package/docs/tutorials/getting-started.md +98 -0
- package/docs/tutorials/python-binding-quickstart.md +107 -0
- package/docs/tutorials/typescript-binding-quickstart.md +91 -0
- package/docs/tutorials/wasm-in-browser.md +75 -0
- package/domainforge-core/CHANGELOG.md +138 -0
- package/domainforge-core/Cargo.toml +101 -0
- package/domainforge-core/MIGRATING.md +32 -0
- package/domainforge-core/README.md +197 -0
- package/domainforge-core/benchmark_results.txt +51 -0
- package/domainforge-core/build.rs +6 -0
- package/domainforge-core/deny.toml +31 -0
- package/domainforge-core/docs/specs/projections/sbvr_kg_mapping.md +43 -0
- package/domainforge-core/examples/basic.sea +7 -0
- package/domainforge-core/examples/cli/import_export_workflow.sh +38 -0
- package/domainforge-core/examples/cli/validate_example.sh +30 -0
- package/domainforge-core/examples/evolution_semantics.sea +31 -0
- package/domainforge-core/examples/parser_demo.rs +203 -0
- package/domainforge-core/grammar/sea.pest +408 -0
- package/domainforge-core/schemas/calm-v1.schema.json +170 -0
- package/domainforge-core/schemas/shacl/sea_shapes.ttl +19 -0
- package/domainforge-core/src/authority/compiler.rs +309 -0
- package/domainforge-core/src/authority/environment.rs +203 -0
- package/domainforge-core/src/authority/error.rs +164 -0
- package/domainforge-core/src/authority/fact_resolver.rs +224 -0
- package/domainforge-core/src/authority/mod.rs +25 -0
- package/domainforge-core/src/authority/pack.rs +133 -0
- package/domainforge-core/src/authority/policy.rs +224 -0
- package/domainforge-core/src/authority/resolver.rs +446 -0
- package/domainforge-core/src/authority/trace.rs +217 -0
- package/domainforge-core/src/authority/transform.rs +168 -0
- package/domainforge-core/src/authority/types.rs +617 -0
- package/domainforge-core/src/bin/domainforge.rs +25 -0
- package/domainforge-core/src/calm/export.rs +538 -0
- package/domainforge-core/src/calm/import.rs +1220 -0
- package/domainforge-core/src/calm/mod.rs +9 -0
- package/domainforge-core/src/calm/models.rs +108 -0
- package/domainforge-core/src/calm/sbvr_import.rs +9 -0
- package/domainforge-core/src/cli/authority.rs +149 -0
- package/domainforge-core/src/cli/format.rs +85 -0
- package/domainforge-core/src/cli/import.rs +133 -0
- package/domainforge-core/src/cli/mod.rs +64 -0
- package/domainforge-core/src/cli/normalize.rs +180 -0
- package/domainforge-core/src/cli/pack.rs +904 -0
- package/domainforge-core/src/cli/parse.rs +112 -0
- package/domainforge-core/src/cli/project.rs +294 -0
- package/domainforge-core/src/cli/registry.rs +41 -0
- package/domainforge-core/src/cli/test.rs +12 -0
- package/domainforge-core/src/cli/validate.rs +195 -0
- package/domainforge-core/src/cli/validate_kg.rs +80 -0
- package/domainforge-core/src/concept_id.rs +89 -0
- package/domainforge-core/src/error/diagnostics.rs +426 -0
- package/domainforge-core/src/error/fuzzy.rs +253 -0
- package/domainforge-core/src/error/mod.rs +13 -0
- package/domainforge-core/src/formatter/comments.rs +223 -0
- package/domainforge-core/src/formatter/config.rs +114 -0
- package/domainforge-core/src/formatter/mod.rs +22 -0
- package/domainforge-core/src/formatter/printer.rs +906 -0
- package/domainforge-core/src/graph/mod.rs +858 -0
- package/domainforge-core/src/graph/to_ast.rs +66 -0
- package/domainforge-core/src/kg.rs +1476 -0
- package/domainforge-core/src/kg_import.rs +251 -0
- package/domainforge-core/src/lib.rs +203 -0
- package/domainforge-core/src/module/mod.rs +1 -0
- package/domainforge-core/src/module/resolver.rs +260 -0
- package/domainforge-core/src/parser/ast.rs +2919 -0
- package/domainforge-core/src/parser/ast_convert.rs +494 -0
- package/domainforge-core/src/parser/ast_schema.rs +491 -0
- package/domainforge-core/src/parser/error.rs +291 -0
- package/domainforge-core/src/parser/lint.rs +39 -0
- package/domainforge-core/src/parser/mod.rs +193 -0
- package/domainforge-core/src/parser/printer.rs +702 -0
- package/domainforge-core/src/parser/profiles.rs +71 -0
- package/domainforge-core/src/parser/string_utils.rs +138 -0
- package/domainforge-core/src/patterns.rs +68 -0
- package/domainforge-core/src/policy/core.rs +1148 -0
- package/domainforge-core/src/policy/expression.rs +399 -0
- package/domainforge-core/src/policy/mod.rs +18 -0
- package/domainforge-core/src/policy/normalize.rs +1028 -0
- package/domainforge-core/src/policy/quantifier.rs +940 -0
- package/domainforge-core/src/policy/three_valued.rs +140 -0
- package/domainforge-core/src/policy/three_valued_microbench.rs +104 -0
- package/domainforge-core/src/policy/type_inference.rs +67 -0
- package/domainforge-core/src/policy/violation.rs +36 -0
- package/domainforge-core/src/primitives/concept_change.rs +61 -0
- package/domainforge-core/src/primitives/entity.rs +224 -0
- package/domainforge-core/src/primitives/flow.rs +111 -0
- package/domainforge-core/src/primitives/instance.rs +93 -0
- package/domainforge-core/src/primitives/mapping_contract.rs +50 -0
- package/domainforge-core/src/primitives/metric.rs +79 -0
- package/domainforge-core/src/primitives/mod.rs +25 -0
- package/domainforge-core/src/primitives/projection_contract.rs +50 -0
- package/domainforge-core/src/primitives/quantity.rs +56 -0
- package/domainforge-core/src/primitives/relation.rs +68 -0
- package/domainforge-core/src/primitives/resource.rs +237 -0
- package/domainforge-core/src/primitives/resource_instance.rs +88 -0
- package/domainforge-core/src/primitives/role.rs +49 -0
- package/domainforge-core/src/projection/buf.rs +404 -0
- package/domainforge-core/src/projection/contracts.rs +22 -0
- package/domainforge-core/src/projection/engine.rs +19 -0
- package/domainforge-core/src/projection/mod.rs +16 -0
- package/domainforge-core/src/projection/protobuf.rs +3331 -0
- package/domainforge-core/src/projection/registry.rs +43 -0
- package/domainforge-core/src/python/authority.rs +253 -0
- package/domainforge-core/src/python/error.rs +227 -0
- package/domainforge-core/src/python/formatter.rs +86 -0
- package/domainforge-core/src/python/graph.rs +366 -0
- package/domainforge-core/src/python/mod.rs +9 -0
- package/domainforge-core/src/python/policy.rs +651 -0
- package/domainforge-core/src/python/primitives.rs +796 -0
- package/domainforge-core/src/python/registry.rs +98 -0
- package/domainforge-core/src/python/semantic_pack.rs +619 -0
- package/domainforge-core/src/python/units.rs +96 -0
- package/domainforge-core/src/registry/mod.rs +432 -0
- package/domainforge-core/src/registry/tests.rs +210 -0
- package/domainforge-core/src/sbvr.rs +744 -0
- package/domainforge-core/src/semantic_pack/builder.rs +470 -0
- package/domainforge-core/src/semantic_pack/canonical_json.rs +184 -0
- package/domainforge-core/src/semantic_pack/diagnostics.rs +214 -0
- package/domainforge-core/src/semantic_pack/diff.rs +216 -0
- package/domainforge-core/src/semantic_pack/mod.rs +31 -0
- package/domainforge-core/src/semantic_pack/pack_set.rs +240 -0
- package/domainforge-core/src/semantic_pack/resolver.rs +437 -0
- package/domainforge-core/src/semantic_pack/review.rs +125 -0
- package/domainforge-core/src/semantic_pack/schema.rs +342 -0
- package/domainforge-core/src/semantic_pack/signing.rs +105 -0
- package/domainforge-core/src/semantic_pack/validator.rs +368 -0
- package/domainforge-core/src/semantic_version.rs +140 -0
- package/domainforge-core/src/test_utils.rs +12 -0
- package/domainforge-core/src/typescript/authority.rs +184 -0
- package/domainforge-core/src/typescript/error.rs +146 -0
- package/domainforge-core/src/typescript/formatter.rs +76 -0
- package/domainforge-core/src/typescript/graph.rs +391 -0
- package/domainforge-core/src/typescript/mod.rs +9 -0
- package/domainforge-core/src/typescript/policy.rs +564 -0
- package/domainforge-core/src/typescript/primitives.rs +784 -0
- package/domainforge-core/src/typescript/registry.rs +88 -0
- package/domainforge-core/src/typescript/semantic_pack.rs +470 -0
- package/domainforge-core/src/typescript/units.rs +76 -0
- package/domainforge-core/src/units/mod.rs +462 -0
- package/domainforge-core/src/uuid_module.rs +42 -0
- package/domainforge-core/src/validation_error.rs +818 -0
- package/domainforge-core/src/validation_result.rs +30 -0
- package/domainforge-core/src/wasm/authority.rs +192 -0
- package/domainforge-core/src/wasm/error.rs +145 -0
- package/domainforge-core/src/wasm/formatter.rs +69 -0
- package/domainforge-core/src/wasm/graph.rs +471 -0
- package/domainforge-core/src/wasm/mod.rs +16 -0
- package/domainforge-core/src/wasm/policy.rs +607 -0
- package/domainforge-core/src/wasm/primitives.rs +295 -0
- package/domainforge-core/src/wasm/semantic_pack.rs +471 -0
- package/domainforge-core/src/wasm/units.rs +62 -0
- package/domainforge-core/std/aws.sea +6 -0
- package/domainforge-core/std/core.sea +6 -0
- package/domainforge-core/std/http.sea +27 -0
- package/domainforge-core/tests/aggregation_enhanced_tests.rs +162 -0
- package/domainforge-core/tests/aggregation_eval_tests.rs +248 -0
- package/domainforge-core/tests/aggregation_integration_tests.rs +379 -0
- package/domainforge-core/tests/aggregation_parser_tests.rs +92 -0
- package/domainforge-core/tests/aggregation_tests.rs +102 -0
- package/domainforge-core/tests/authority_conformance_tests.rs +1173 -0
- package/domainforge-core/tests/calm_round_trip_tests.rs +283 -0
- package/domainforge-core/tests/calm_schema_validation_tests.rs +137 -0
- package/domainforge-core/tests/cast_operator_tests.rs +85 -0
- package/domainforge-core/tests/cli_binary_check.rs +37 -0
- package/domainforge-core/tests/cli_import_tests.rs +291 -0
- package/domainforge-core/tests/cli_path_traversal_tests.rs +124 -0
- package/domainforge-core/tests/cli_tests.rs +63 -0
- package/domainforge-core/tests/diagnostics_tests.rs +203 -0
- package/domainforge-core/tests/dimension_unit_tests.rs +80 -0
- package/domainforge-core/tests/entity_tests.rs +69 -0
- package/domainforge-core/tests/evolution_semantics_tests.rs +157 -0
- package/domainforge-core/tests/flow_tests.rs +78 -0
- package/domainforge-core/tests/flow_unit_validation_tests.rs +31 -0
- package/domainforge-core/tests/graph_integration_tests.rs +218 -0
- package/domainforge-core/tests/graph_tests.rs +626 -0
- package/domainforge-core/tests/import_parsing_tests.rs +23 -0
- package/domainforge-core/tests/instance_integration_tests.rs +98 -0
- package/domainforge-core/tests/instance_parsing_tests.rs +58 -0
- package/domainforge-core/tests/instance_tests.rs +61 -0
- package/domainforge-core/tests/kg_uri_encoding_tests.rs +53 -0
- package/domainforge-core/tests/lint_tests.rs +19 -0
- package/domainforge-core/tests/metric_tests.rs +143 -0
- package/domainforge-core/tests/module_resolution_tests.rs +100 -0
- package/domainforge-core/tests/namespace_registry_tests.rs +247 -0
- package/domainforge-core/tests/null_handling_tests.rs +26 -0
- package/domainforge-core/tests/parser_ast_v3.rs +53 -0
- package/domainforge-core/tests/parser_dimension_registry_tests.rs +20 -0
- package/domainforge-core/tests/parser_integration_tests.rs +294 -0
- package/domainforge-core/tests/parser_metadata_tests.rs +97 -0
- package/domainforge-core/tests/parser_resource_domain_only_graph_test.rs +21 -0
- package/domainforge-core/tests/parser_resource_limits_tests.rs +122 -0
- package/domainforge-core/tests/parser_tests.rs +512 -0
- package/domainforge-core/tests/pattern_semantics_tests.rs +87 -0
- package/domainforge-core/tests/phase_14_determinism_tests.rs +166 -0
- package/domainforge-core/tests/phase_15_validation_error_tests.rs +136 -0
- package/domainforge-core/tests/phase_16_unicode_tests.rs +248 -0
- package/domainforge-core/tests/phase_17_export_tests.rs +285 -0
- package/domainforge-core/tests/phase_17_round_trip_tests.rs +264 -0
- package/domainforge-core/tests/policy_tests.rs +635 -0
- package/domainforge-core/tests/primitives_integration_tests.rs +151 -0
- package/domainforge-core/tests/print_rdf_xml.rs +14 -0
- package/domainforge-core/tests/printer_tests.rs +204 -0
- package/domainforge-core/tests/profile_tests.rs +35 -0
- package/domainforge-core/tests/projection_contracts_tests.rs +154 -0
- package/domainforge-core/tests/protobuf_projection_tests.rs +199 -0
- package/domainforge-core/tests/quantity_tests.rs +41 -0
- package/domainforge-core/tests/rdf_xml_typed_literal_tests.rs +105 -0
- package/domainforge-core/tests/registry_schema_tests.rs +33 -0
- package/domainforge-core/tests/resource_tests.rs +50 -0
- package/domainforge-core/tests/resource_unit_tests.rs +24 -0
- package/domainforge-core/tests/roles_relations_tests.rs +61 -0
- package/domainforge-core/tests/round_trip_tests.rs +34 -0
- package/domainforge-core/tests/runtime_toggle_tests.rs +70 -0
- package/domainforge-core/tests/sbvr_fact_schema_tests.rs +60 -0
- package/domainforge-core/tests/sbvr_flow_facts_tests.rs +55 -0
- package/domainforge-core/tests/sbvr_parsing_tests.rs +53 -0
- package/domainforge-core/tests/semantic_pack_alias_resolution.rs +197 -0
- package/domainforge-core/tests/semantic_pack_build.rs +302 -0
- package/domainforge-core/tests/semantic_pack_consumer_smoke.rs +150 -0
- package/domainforge-core/tests/semantic_pack_pack_set.rs +160 -0
- package/domainforge-core/tests/semantic_pack_signing.rs +157 -0
- package/domainforge-core/tests/semantic_pack_three_valued.rs +250 -0
- package/domainforge-core/tests/semantic_pack_validate.rs +196 -0
- package/domainforge-core/tests/std_lib_tests.rs +37 -0
- package/domainforge-core/tests/temporal_evaluation_tests.rs +159 -0
- package/domainforge-core/tests/temporal_semantics_tests.rs +214 -0
- package/domainforge-core/tests/three_valued_quantifiers_tests.rs +164 -0
- package/domainforge-core/tests/turtle_entity_export_tests.rs +38 -0
- package/domainforge-core/tests/turtle_escaping_tests.rs +53 -0
- package/domainforge-core/tests/turtle_resource_export_tests.rs +34 -0
- package/domainforge-core/tests/type_inference_tests.rs +40 -0
- package/domainforge-core/tests/unicode_validation_tests.rs +169 -0
- package/domainforge-core/tests/unit_tests.rs +81 -0
- package/domainforge-core/tests/validate_tests.rs +38 -0
- package/domainforge-core/tests/validation_unit_mismatch_tests.rs +83 -0
- package/domainforge-core/tests/wasm_tests.rs +229 -0
- package/domainforge-python/CHANGELOG-python.md +12 -0
- package/domainforge-python/MIGRATING.md +24 -0
- package/domainforge-python/README.md +256 -0
- package/domainforge-python/domainforge/__init__.py +95 -0
- package/domainforge-python/domainforge/domainforge.pyi +519 -0
- package/domainforge-python/pyproject.toml +36 -0
- package/domainforge-typescript/CHANGELOG-typescript.md +12 -0
- package/domainforge-typescript/LICENSE +201 -0
- package/domainforge-typescript/MIGRATING.md +24 -0
- package/domainforge-typescript/README.md +305 -0
- package/domainforge-typescript/index.d.ts +452 -0
- package/domainforge-typescript/index.js +361 -0
- package/domainforge-typescript/package.json +60 -0
- package/example.js +61 -0
- package/examples/browser.html +366 -0
- package/examples/namespaces/finance/cashflow.sea +5 -0
- package/examples/namespaces/logistics/core.sea +7 -0
- package/examples/observability_metrics.sea +38 -0
- package/fixtures/semantic_packs/acme_procurement/domain/entities.sea +39 -0
- package/fixtures/semantic_packs/acme_procurement/domain/metrics.sea +11 -0
- package/fixtures/semantic_packs/acme_procurement/domain/relations.sea +7 -0
- package/fixtures/semantic_packs/acme_procurement/domain/resources.sea +9 -0
- package/fixtures/semantic_packs/acme_procurement/review/acme.procurement.semantic-review.jsonl +7 -0
- package/fixtures/semantic_packs/acme_procurement/tests/ambiguous_vendor_alias.sea +8 -0
- package/fixtures/semantic_packs/acme_procurement/tests/deprecated_vendor_alias.sea +8 -0
- package/fixtures/semantic_packs/acme_procurement/tests/invalid_relation.sea +3 -0
- package/fixtures/semantic_packs/acme_procurement/tests/proposed_concept.sea +8 -0
- package/fixtures/semantic_packs/acme_procurement/tests/rejected_concept.sea +8 -0
- package/fixtures/semantic_packs/acme_procurement/tests/unit_mismatch.sea +7 -0
- package/fixtures/semantic_packs/acme_procurement/tests/unknown_vendor_policy.sea +8 -0
- package/fixtures/semantic_packs/acme_procurement/tests/valid_purchase_policy.sea +8 -0
- package/index.d.ts +2 -0
- package/index.js +8 -0
- package/justfile +200 -0
- package/lefthook.yml +13 -0
- package/lib/validate_native_exports.d.ts +4 -0
- package/lib/validate_native_exports.js +12 -0
- package/package.json +22 -0
- package/pytest.ini +5 -0
- package/python/tests/test_registry.py +75 -0
- package/python/tests/test_units.py +18 -0
- package/release-please-config.json +49 -0
- package/requirements-dev.txt +3 -0
- package/requirements.txt +3 -0
- package/rust-toolchain.toml +3 -0
- package/schemas/ast-v1.schema.json +72 -0
- package/schemas/ast-v2.schema.json +1200 -0
- package/schemas/ast-v3.schema.json +1200 -0
- package/schemas/sea-registry.schema.json +45 -0
- package/scripts/build-python.sh +37 -0
- package/scripts/build-release.sh +279 -0
- package/scripts/build-typescript.sh +13 -0
- package/scripts/build-wasm.sh +113 -0
- package/scripts/bump-version.sh +245 -0
- package/scripts/check_unused_test_imports.py +85 -0
- package/scripts/ci_tasks.py +379 -0
- package/scripts/clear_debug_test.sh +10 -0
- package/scripts/create-github-release.sh +262 -0
- package/scripts/create-tag.sh +203 -0
- package/scripts/find_and_link_test_binary.sh +70 -0
- package/scripts/generate-changelog.sh +271 -0
- package/scripts/generate-release-notes.sh +205 -0
- package/scripts/lint_release_security.py +96 -0
- package/scripts/lint_release_workflows.py +82 -0
- package/scripts/lint_workflow_gates.py +113 -0
- package/scripts/optimized-wasm-build.sh +61 -0
- package/scripts/patch_napi_types.py +62 -0
- package/scripts/pre-release-check.sh +289 -0
- package/scripts/prepare_rust_debug.sh +52 -0
- package/scripts/release.sh +373 -0
- package/scripts/resolve_rust_binary.py +230 -0
- package/scripts/run_commitlint.sh +29 -0
- package/scripts/test-all.sh +77 -0
- package/scripts/update_launch_program.py +93 -0
- package/secrets/README.md +27 -0
- package/secrets/secrets.yaml +21 -0
- package/test_integration.py +67 -0
- package/tests/test_authority.py +328 -0
- package/tests/test_ci_tasks.py +143 -0
- package/tests/test_expression.py +256 -0
- package/tests/test_golden_payment_flow.py +42 -0
- package/tests/test_graph.py +127 -0
- package/tests/test_instance.py +136 -0
- package/tests/test_parser.py +82 -0
- package/tests/test_primitives.py +68 -0
- package/tests/test_role_relation_parity.py +56 -0
- package/tests/test_runtime_toggle.py +156 -0
- package/tests/test_semantic_pack.py +639 -0
- package/tests/test_three_valued_eval.py +159 -0
- package/tsconfig.json +30 -0
- package/typescript-tests/advanced.test.ts +165 -0
- package/typescript-tests/authority.test.ts +216 -0
- package/typescript-tests/expression.test.ts +228 -0
- package/typescript-tests/golden-payment-flow.test.ts +51 -0
- package/typescript-tests/graph.test.ts +142 -0
- package/typescript-tests/native-binding.test.ts +20 -0
- package/typescript-tests/primitives.test.ts +88 -0
- package/typescript-tests/registry.test.ts +122 -0
- package/typescript-tests/role_relation.test.ts +63 -0
- package/typescript-tests/runtime_toggle.test.ts +141 -0
- package/typescript-tests/semantic-pack.test.ts +556 -0
- package/typescript-tests/three_valued_eval.test.ts +135 -0
- package/typescript-tests/units.test.ts +36 -0
- package/vitest.config.ts +13 -0
- package/wasm_demo.html +225 -0
|
@@ -0,0 +1,309 @@
|
|
|
1
|
+
use serde::{Deserialize, Serialize};
|
|
2
|
+
use std::collections::HashMap;
|
|
3
|
+
|
|
4
|
+
use super::error::AuthorityError;
|
|
5
|
+
use super::policy::*;
|
|
6
|
+
use super::types::*;
|
|
7
|
+
|
|
8
|
+
#[derive(Debug, Clone, Serialize, Deserialize)]
|
|
9
|
+
pub struct CompatibilityExpression {
|
|
10
|
+
pub expression: String,
|
|
11
|
+
pub location: Option<String>,
|
|
12
|
+
}
|
|
13
|
+
|
|
14
|
+
pub struct PolicyCompiler {
|
|
15
|
+
semantics_version: String,
|
|
16
|
+
compatibility_version: String,
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
impl PolicyCompiler {
|
|
20
|
+
pub fn new(semantics_version: String, compatibility_version: String) -> Self {
|
|
21
|
+
Self {
|
|
22
|
+
semantics_version,
|
|
23
|
+
compatibility_version,
|
|
24
|
+
}
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
pub fn compile(
|
|
28
|
+
&self,
|
|
29
|
+
raw_policies: Vec<RawPolicy>,
|
|
30
|
+
) -> Result<Vec<AuthorityPolicy>, AuthorityError> {
|
|
31
|
+
let mut compiled = Vec::new();
|
|
32
|
+
for raw in raw_policies {
|
|
33
|
+
let policy = self.compile_one(raw)?;
|
|
34
|
+
compiled.push(policy);
|
|
35
|
+
}
|
|
36
|
+
Ok(compiled)
|
|
37
|
+
}
|
|
38
|
+
|
|
39
|
+
pub fn semantics_version(&self) -> &str {
|
|
40
|
+
&self.semantics_version
|
|
41
|
+
}
|
|
42
|
+
|
|
43
|
+
pub fn compatibility_version(&self) -> &str {
|
|
44
|
+
&self.compatibility_version
|
|
45
|
+
}
|
|
46
|
+
|
|
47
|
+
fn compile_one(&self, raw: RawPolicy) -> Result<AuthorityPolicy, AuthorityError> {
|
|
48
|
+
let applies_to = self.parse_structural_predicates(&raw.applies_to)?;
|
|
49
|
+
let when = if raw.when.is_empty() {
|
|
50
|
+
None
|
|
51
|
+
} else {
|
|
52
|
+
Some(self.parse_condition_predicates(&raw.when)?)
|
|
53
|
+
};
|
|
54
|
+
let requires_fact = self.parse_fact_requirements(&raw.requires_fact)?;
|
|
55
|
+
|
|
56
|
+
Ok(AuthorityPolicy {
|
|
57
|
+
policy_id: raw.policy_id,
|
|
58
|
+
modality: raw.modality,
|
|
59
|
+
priority: raw.priority,
|
|
60
|
+
applies_to,
|
|
61
|
+
when,
|
|
62
|
+
requires_fact,
|
|
63
|
+
semantics_version: self.semantics_version.clone(),
|
|
64
|
+
override_spec: raw.override_spec,
|
|
65
|
+
obligation_spec: raw.obligation_spec,
|
|
66
|
+
description: raw.description,
|
|
67
|
+
evidence_ref: raw.evidence_ref,
|
|
68
|
+
})
|
|
69
|
+
}
|
|
70
|
+
|
|
71
|
+
fn parse_structural_predicates(
|
|
72
|
+
&self,
|
|
73
|
+
raw: &HashMap<String, serde_json::Value>,
|
|
74
|
+
) -> Result<StructuralPredicates, AuthorityError> {
|
|
75
|
+
for key in raw.keys() {
|
|
76
|
+
validate_fact_path(key)?;
|
|
77
|
+
}
|
|
78
|
+
Ok(StructuralPredicates {
|
|
79
|
+
predicates: raw.clone(),
|
|
80
|
+
})
|
|
81
|
+
}
|
|
82
|
+
|
|
83
|
+
fn parse_condition_predicates(
|
|
84
|
+
&self,
|
|
85
|
+
raw: &HashMap<String, serde_json::Value>,
|
|
86
|
+
) -> Result<ConditionPredicates, AuthorityError> {
|
|
87
|
+
for key in raw.keys() {
|
|
88
|
+
validate_fact_path(key)?;
|
|
89
|
+
}
|
|
90
|
+
Ok(ConditionPredicates {
|
|
91
|
+
conditions: raw.clone(),
|
|
92
|
+
})
|
|
93
|
+
}
|
|
94
|
+
|
|
95
|
+
fn parse_fact_requirements(
|
|
96
|
+
&self,
|
|
97
|
+
raw: &[RawFactRequirement],
|
|
98
|
+
) -> Result<Vec<FactRequirement>, AuthorityError> {
|
|
99
|
+
let mut requirements = Vec::new();
|
|
100
|
+
for req in raw {
|
|
101
|
+
validate_fact_path(&req.fact_path)?;
|
|
102
|
+
requirements.push(FactRequirement {
|
|
103
|
+
fact_path: req.fact_path.clone(),
|
|
104
|
+
allowed_source_classes: req.allowed_source_classes.clone(),
|
|
105
|
+
allowed_source_ids: req.allowed_source_ids.clone().unwrap_or_default(),
|
|
106
|
+
max_age: req
|
|
107
|
+
.max_age
|
|
108
|
+
.as_ref()
|
|
109
|
+
.map(|s| parse_duration(s))
|
|
110
|
+
.transpose()?,
|
|
111
|
+
evidence_ref_required: req.evidence_ref_required.unwrap_or(false),
|
|
112
|
+
signature_required: req.signature_required.unwrap_or(false),
|
|
113
|
+
minimum_confidence: req.minimum_confidence,
|
|
114
|
+
required_transform: req.required_transform.clone(),
|
|
115
|
+
derived_from_source: req.derived_from_source.clone(),
|
|
116
|
+
});
|
|
117
|
+
}
|
|
118
|
+
Ok(requirements)
|
|
119
|
+
}
|
|
120
|
+
}
|
|
121
|
+
|
|
122
|
+
fn parse_duration(s: &str) -> Result<chrono::Duration, AuthorityError> {
|
|
123
|
+
let s = s.trim();
|
|
124
|
+
let seconds = if s.ends_with('s') {
|
|
125
|
+
s.trim_end_matches('s').parse::<i64>().ok()
|
|
126
|
+
} else if s.ends_with('m') {
|
|
127
|
+
s.trim_end_matches('m').parse::<i64>().ok().map(|v| v * 60)
|
|
128
|
+
} else if s.ends_with('h') {
|
|
129
|
+
s.trim_end_matches('h')
|
|
130
|
+
.parse::<i64>()
|
|
131
|
+
.ok()
|
|
132
|
+
.map(|v| v * 3600)
|
|
133
|
+
} else if s.ends_with('d') {
|
|
134
|
+
s.trim_end_matches('d')
|
|
135
|
+
.parse::<i64>()
|
|
136
|
+
.ok()
|
|
137
|
+
.map(|v| v * 86400)
|
|
138
|
+
} else {
|
|
139
|
+
s.parse::<i64>().ok().map(|v| v * 3600) // default hours
|
|
140
|
+
};
|
|
141
|
+
seconds
|
|
142
|
+
.map(chrono::Duration::seconds)
|
|
143
|
+
.ok_or_else(|| AuthorityError::invalid_environment(format!("Invalid duration: '{}'", s)))
|
|
144
|
+
}
|
|
145
|
+
|
|
146
|
+
pub struct CompatibilityLoweringAuditor {
|
|
147
|
+
version: String,
|
|
148
|
+
}
|
|
149
|
+
|
|
150
|
+
impl CompatibilityLoweringAuditor {
|
|
151
|
+
pub fn new(version: String) -> Result<Self, AuthorityError> {
|
|
152
|
+
if version.trim().is_empty() {
|
|
153
|
+
return Err(AuthorityError::invalid_environment(
|
|
154
|
+
"Compatibility lowering version is required",
|
|
155
|
+
));
|
|
156
|
+
}
|
|
157
|
+
|
|
158
|
+
Ok(Self { version })
|
|
159
|
+
}
|
|
160
|
+
|
|
161
|
+
pub fn version(&self) -> &str {
|
|
162
|
+
&self.version
|
|
163
|
+
}
|
|
164
|
+
|
|
165
|
+
pub fn audit_expression(&self, expr: &str) -> Result<Option<LoweredPolicy>, AuthorityError> {
|
|
166
|
+
let expr_lc = expr.to_lowercase();
|
|
167
|
+
|
|
168
|
+
// Reject all structural OR as ambiguous (spec §14.1.7, §17.7)
|
|
169
|
+
if expr_lc.contains(" or ") {
|
|
170
|
+
return Err(AuthorityError::ambiguous_lowering(expr));
|
|
171
|
+
}
|
|
172
|
+
|
|
173
|
+
// Handle negated conditions: `not X = "Y"` lowers to when condition
|
|
174
|
+
// Reject negative structural predicates (spec §14.1.7)
|
|
175
|
+
if let Some(inner) = expr_lc.strip_prefix("not ") {
|
|
176
|
+
let inner_trimmed = inner.trim();
|
|
177
|
+
// Reject if the negated expression targets structural keys
|
|
178
|
+
if inner_trimmed.starts_with("resource.")
|
|
179
|
+
|| inner_trimmed.starts_with("actor.")
|
|
180
|
+
|| inner_trimmed.starts_with("action")
|
|
181
|
+
{
|
|
182
|
+
return Err(AuthorityError::ambiguous_lowering(expr));
|
|
183
|
+
}
|
|
184
|
+
// Lower `not fact.path = "value"` to when condition with negated comparison
|
|
185
|
+
if let Some(eq_pos) = inner_trimmed.find(" = ") {
|
|
186
|
+
let key = expr[4..][..eq_pos].trim().to_string();
|
|
187
|
+
let val = expr[4..][eq_pos + 3..].trim().trim_matches('"').to_string();
|
|
188
|
+
return Ok(Some(LoweredPolicy {
|
|
189
|
+
original: expr.to_string(),
|
|
190
|
+
lowered_applies_to: HashMap::new(),
|
|
191
|
+
lowered_when: {
|
|
192
|
+
let mut m = HashMap::new();
|
|
193
|
+
m.insert(key, serde_json::json!({"__neq": val}));
|
|
194
|
+
m
|
|
195
|
+
},
|
|
196
|
+
}));
|
|
197
|
+
}
|
|
198
|
+
return Err(AuthorityError::ambiguous_lowering(expr));
|
|
199
|
+
}
|
|
200
|
+
|
|
201
|
+
if expr_lc.contains(" and ") {
|
|
202
|
+
// Split on case-insensitive " and " boundaries
|
|
203
|
+
let mut parts: Vec<&str> = Vec::new();
|
|
204
|
+
let mut last = 0;
|
|
205
|
+
let lc_bytes = expr_lc.as_bytes();
|
|
206
|
+
let pattern = b" and ";
|
|
207
|
+
let plen = pattern.len();
|
|
208
|
+
for i in 0..=lc_bytes.len().saturating_sub(plen) {
|
|
209
|
+
if &lc_bytes[i..i + plen] == pattern {
|
|
210
|
+
parts.push(&expr[last..i]);
|
|
211
|
+
last = i + plen;
|
|
212
|
+
}
|
|
213
|
+
}
|
|
214
|
+
parts.push(&expr[last..]);
|
|
215
|
+
let mut applies_to = HashMap::new();
|
|
216
|
+
let mut when = HashMap::new();
|
|
217
|
+
for part in parts {
|
|
218
|
+
let trimmed = part.trim();
|
|
219
|
+
let trimmed_lc = trimmed.to_lowercase();
|
|
220
|
+
if trimmed_lc.starts_with("resource.")
|
|
221
|
+
|| trimmed_lc.starts_with("actor.")
|
|
222
|
+
|| trimmed_lc.starts_with("action")
|
|
223
|
+
{
|
|
224
|
+
if let Some((k, v)) = parse_equality(trimmed) {
|
|
225
|
+
applies_to.insert(k, v);
|
|
226
|
+
}
|
|
227
|
+
} else if let Some((k, v)) = parse_equality(trimmed) {
|
|
228
|
+
when.insert(k, v);
|
|
229
|
+
}
|
|
230
|
+
}
|
|
231
|
+
return Ok(Some(LoweredPolicy {
|
|
232
|
+
original: expr.to_string(),
|
|
233
|
+
lowered_applies_to: applies_to,
|
|
234
|
+
lowered_when: when,
|
|
235
|
+
}));
|
|
236
|
+
}
|
|
237
|
+
|
|
238
|
+
if let Some((k, v)) = parse_equality(expr) {
|
|
239
|
+
let mut applies_to = HashMap::new();
|
|
240
|
+
applies_to.insert(k, v);
|
|
241
|
+
return Ok(Some(LoweredPolicy {
|
|
242
|
+
original: expr.to_string(),
|
|
243
|
+
lowered_applies_to: applies_to,
|
|
244
|
+
lowered_when: HashMap::new(),
|
|
245
|
+
}));
|
|
246
|
+
}
|
|
247
|
+
|
|
248
|
+
Ok(None)
|
|
249
|
+
}
|
|
250
|
+
}
|
|
251
|
+
|
|
252
|
+
fn parse_equality(s: &str) -> Option<(String, serde_json::Value)> {
|
|
253
|
+
let s = s.trim();
|
|
254
|
+
if let Some(eq_pos) = s.find(" = ") {
|
|
255
|
+
let key = s[..eq_pos].trim().to_string();
|
|
256
|
+
let val = s[eq_pos + 3..].trim().trim_matches('"').to_string();
|
|
257
|
+
Some((key, serde_json::Value::String(val)))
|
|
258
|
+
} else {
|
|
259
|
+
None
|
|
260
|
+
}
|
|
261
|
+
}
|
|
262
|
+
|
|
263
|
+
#[derive(Debug, Clone)]
|
|
264
|
+
pub struct LoweredPolicy {
|
|
265
|
+
pub original: String,
|
|
266
|
+
pub lowered_applies_to: HashMap<String, serde_json::Value>,
|
|
267
|
+
pub lowered_when: HashMap<String, serde_json::Value>,
|
|
268
|
+
}
|
|
269
|
+
|
|
270
|
+
#[derive(Debug, Clone, Serialize, Deserialize)]
|
|
271
|
+
pub struct RawPolicy {
|
|
272
|
+
pub policy_id: String,
|
|
273
|
+
pub modality: PolicyModality,
|
|
274
|
+
pub priority: i32,
|
|
275
|
+
#[serde(default)]
|
|
276
|
+
pub applies_to: HashMap<String, serde_json::Value>,
|
|
277
|
+
#[serde(default)]
|
|
278
|
+
pub when: HashMap<String, serde_json::Value>,
|
|
279
|
+
#[serde(default)]
|
|
280
|
+
pub requires_fact: Vec<RawFactRequirement>,
|
|
281
|
+
#[serde(skip_serializing_if = "Option::is_none")]
|
|
282
|
+
pub override_spec: Option<OverrideSpec>,
|
|
283
|
+
#[serde(skip_serializing_if = "Option::is_none")]
|
|
284
|
+
pub obligation_spec: Option<ObligationSpec>,
|
|
285
|
+
#[serde(skip_serializing_if = "Option::is_none")]
|
|
286
|
+
pub description: Option<String>,
|
|
287
|
+
#[serde(skip_serializing_if = "Option::is_none")]
|
|
288
|
+
pub evidence_ref: Option<String>,
|
|
289
|
+
}
|
|
290
|
+
|
|
291
|
+
#[derive(Debug, Clone, Serialize, Deserialize)]
|
|
292
|
+
pub struct RawFactRequirement {
|
|
293
|
+
pub fact_path: String,
|
|
294
|
+
pub allowed_source_classes: Vec<SourceClass>,
|
|
295
|
+
#[serde(skip_serializing_if = "Option::is_none")]
|
|
296
|
+
pub allowed_source_ids: Option<Vec<String>>,
|
|
297
|
+
#[serde(skip_serializing_if = "Option::is_none")]
|
|
298
|
+
pub max_age: Option<String>,
|
|
299
|
+
#[serde(skip_serializing_if = "Option::is_none")]
|
|
300
|
+
pub evidence_ref_required: Option<bool>,
|
|
301
|
+
#[serde(skip_serializing_if = "Option::is_none")]
|
|
302
|
+
pub signature_required: Option<bool>,
|
|
303
|
+
#[serde(skip_serializing_if = "Option::is_none")]
|
|
304
|
+
pub minimum_confidence: Option<f64>,
|
|
305
|
+
#[serde(skip_serializing_if = "Option::is_none")]
|
|
306
|
+
pub required_transform: Option<String>,
|
|
307
|
+
#[serde(skip_serializing_if = "Option::is_none")]
|
|
308
|
+
pub derived_from_source: Option<Vec<SourceClass>>,
|
|
309
|
+
}
|
|
@@ -0,0 +1,203 @@
|
|
|
1
|
+
use serde::{Deserialize, Serialize};
|
|
2
|
+
|
|
3
|
+
use super::compiler::{CompatibilityLoweringAuditor, PolicyCompiler};
|
|
4
|
+
use super::error::{AuthorityError, AuthorityErrorCode};
|
|
5
|
+
use super::fact_resolver::{FactResolver, FactSourceRegistry};
|
|
6
|
+
use super::pack::AuthorityPack;
|
|
7
|
+
use super::resolver::AuthorityResolver;
|
|
8
|
+
use super::trace::{AuthorityTrace, AuthorityTraceEmitter, EvidenceSink};
|
|
9
|
+
use super::transform::{DerivedFactEngine, FactTransformRegistry};
|
|
10
|
+
use super::types::*;
|
|
11
|
+
|
|
12
|
+
#[derive(Debug, Clone, Serialize, Deserialize)]
|
|
13
|
+
pub struct AuthorityEnvironmentConfig {
|
|
14
|
+
pub resolver_semantics_version: String,
|
|
15
|
+
pub specificity_profile: SpecificityProfile,
|
|
16
|
+
pub unknown_handling: UnknownHandlingConfig,
|
|
17
|
+
pub fact_sources: Vec<FactSource>,
|
|
18
|
+
pub fact_transforms: Vec<FactTransform>,
|
|
19
|
+
pub authority_packs: Vec<serde_json::Value>,
|
|
20
|
+
pub strict_mode: bool,
|
|
21
|
+
pub compatibility_lowering_version: String,
|
|
22
|
+
pub resolver_version: String,
|
|
23
|
+
}
|
|
24
|
+
|
|
25
|
+
pub struct AuthorityEnvironment {
|
|
26
|
+
config: AuthorityEnvironmentConfig,
|
|
27
|
+
source_registry: FactSourceRegistry,
|
|
28
|
+
transform_registry: FactTransformRegistry,
|
|
29
|
+
loaded_packs: Vec<AuthorityPack>,
|
|
30
|
+
compiler: PolicyCompiler,
|
|
31
|
+
compatibility_auditor: CompatibilityLoweringAuditor,
|
|
32
|
+
resolver: AuthorityResolver,
|
|
33
|
+
trace_emitter: AuthorityTraceEmitter,
|
|
34
|
+
validated: bool,
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
impl AuthorityEnvironment {
|
|
38
|
+
pub fn new(config: AuthorityEnvironmentConfig) -> Result<Self, AuthorityError> {
|
|
39
|
+
let mut source_registry = FactSourceRegistry::new();
|
|
40
|
+
for source in &config.fact_sources {
|
|
41
|
+
source_registry.register(source.clone())?;
|
|
42
|
+
}
|
|
43
|
+
|
|
44
|
+
let mut transform_registry = FactTransformRegistry::new();
|
|
45
|
+
for transform in &config.fact_transforms {
|
|
46
|
+
transform_registry.register(transform.clone())?;
|
|
47
|
+
}
|
|
48
|
+
|
|
49
|
+
let mut loaded_packs = Vec::new();
|
|
50
|
+
for pack_value in &config.authority_packs {
|
|
51
|
+
let pack: AuthorityPack = serde_json::from_value(pack_value.clone()).map_err(|e| {
|
|
52
|
+
AuthorityError::new(
|
|
53
|
+
AuthorityErrorCode::InvalidPolicyPack,
|
|
54
|
+
format!("Failed to parse pack: {}", e),
|
|
55
|
+
)
|
|
56
|
+
})?;
|
|
57
|
+
pack.validate()?;
|
|
58
|
+
pack.validate_semantics_version(&config.resolver_semantics_version)?;
|
|
59
|
+
loaded_packs.push(pack);
|
|
60
|
+
}
|
|
61
|
+
|
|
62
|
+
let compiler = PolicyCompiler::new(
|
|
63
|
+
config.resolver_semantics_version.clone(),
|
|
64
|
+
config.compatibility_lowering_version.clone(),
|
|
65
|
+
);
|
|
66
|
+
let compatibility_auditor =
|
|
67
|
+
CompatibilityLoweringAuditor::new(config.compatibility_lowering_version.clone())?;
|
|
68
|
+
let resolver = AuthorityResolver::new(
|
|
69
|
+
config.unknown_handling.clone(),
|
|
70
|
+
config.specificity_profile.clone(),
|
|
71
|
+
config.strict_mode,
|
|
72
|
+
config.resolver_semantics_version.clone(),
|
|
73
|
+
config.compatibility_lowering_version.clone(),
|
|
74
|
+
);
|
|
75
|
+
let trace_emitter = AuthorityTraceEmitter::new(
|
|
76
|
+
config.resolver_version.clone(),
|
|
77
|
+
config.resolver_semantics_version.clone(),
|
|
78
|
+
config.compatibility_lowering_version.clone(),
|
|
79
|
+
EvidenceSink::Memory,
|
|
80
|
+
);
|
|
81
|
+
|
|
82
|
+
Ok(Self {
|
|
83
|
+
config,
|
|
84
|
+
source_registry,
|
|
85
|
+
transform_registry,
|
|
86
|
+
loaded_packs,
|
|
87
|
+
compiler,
|
|
88
|
+
compatibility_auditor,
|
|
89
|
+
resolver,
|
|
90
|
+
trace_emitter,
|
|
91
|
+
validated: false,
|
|
92
|
+
})
|
|
93
|
+
}
|
|
94
|
+
|
|
95
|
+
pub fn validate(&mut self) -> Result<(), AuthorityError> {
|
|
96
|
+
self.source_registry.validate()?;
|
|
97
|
+
self.transform_registry.validate()?;
|
|
98
|
+
|
|
99
|
+
if self.compiler.semantics_version() != self.config.resolver_semantics_version {
|
|
100
|
+
return Err(AuthorityError::invalid_environment(format!(
|
|
101
|
+
"Compiler semantics version '{}' does not match resolver semantics version '{}'",
|
|
102
|
+
self.compiler.semantics_version(),
|
|
103
|
+
self.config.resolver_semantics_version
|
|
104
|
+
)));
|
|
105
|
+
}
|
|
106
|
+
if self.compiler.compatibility_version() != self.config.compatibility_lowering_version {
|
|
107
|
+
return Err(AuthorityError::invalid_environment(format!(
|
|
108
|
+
"Compiler compatibility version '{}' does not match configured compatibility lowering version '{}'",
|
|
109
|
+
self.compiler.compatibility_version(),
|
|
110
|
+
self.config.compatibility_lowering_version
|
|
111
|
+
)));
|
|
112
|
+
}
|
|
113
|
+
if self.compatibility_auditor.version() != self.config.compatibility_lowering_version {
|
|
114
|
+
return Err(AuthorityError::invalid_environment(format!(
|
|
115
|
+
"Compatibility auditor version '{}' does not match configured compatibility lowering version '{}'",
|
|
116
|
+
self.compatibility_auditor.version(),
|
|
117
|
+
self.config.compatibility_lowering_version
|
|
118
|
+
)));
|
|
119
|
+
}
|
|
120
|
+
self.resolver.validate_versions(
|
|
121
|
+
&self.config.resolver_semantics_version,
|
|
122
|
+
&self.config.compatibility_lowering_version,
|
|
123
|
+
)?;
|
|
124
|
+
|
|
125
|
+
for pack in &self.loaded_packs {
|
|
126
|
+
if pack.required_specificity_profile != self.config.specificity_profile.id
|
|
127
|
+
&& self.config.strict_mode
|
|
128
|
+
{
|
|
129
|
+
return Err(AuthorityError::conflicting_specificity_profile(
|
|
130
|
+
&pack.id,
|
|
131
|
+
&self.config.specificity_profile.id,
|
|
132
|
+
));
|
|
133
|
+
}
|
|
134
|
+
}
|
|
135
|
+
|
|
136
|
+
self.config.unknown_handling.validate()?;
|
|
137
|
+
self.validated = true;
|
|
138
|
+
Ok(())
|
|
139
|
+
}
|
|
140
|
+
|
|
141
|
+
pub fn evaluate(
|
|
142
|
+
&self,
|
|
143
|
+
request: &AuthorityRequest,
|
|
144
|
+
provided_facts: &[FactEnvelope],
|
|
145
|
+
) -> Result<(AuthorityTrace, AuthorityDecision), AuthorityError> {
|
|
146
|
+
if !self.validated {
|
|
147
|
+
return Err(AuthorityError::invalid_environment(
|
|
148
|
+
"Environment not validated. Call validate() first.",
|
|
149
|
+
));
|
|
150
|
+
}
|
|
151
|
+
|
|
152
|
+
request.validate()?;
|
|
153
|
+
|
|
154
|
+
let fact_resolver = FactResolver::new(self.source_registry.clone());
|
|
155
|
+
let now = chrono::Utc::now();
|
|
156
|
+
let raw_facts = fact_resolver.wrap_context_as_caller_supplied(&request.context, now);
|
|
157
|
+
let (all_facts, trust_decisions) =
|
|
158
|
+
fact_resolver.resolve_trusted_facts(&raw_facts, provided_facts, now);
|
|
159
|
+
|
|
160
|
+
let transform_keys: Vec<String> = self
|
|
161
|
+
.config
|
|
162
|
+
.fact_transforms
|
|
163
|
+
.iter()
|
|
164
|
+
.map(|t| format!("{}@{}", t.id, t.version))
|
|
165
|
+
.collect();
|
|
166
|
+
let derived_engine = DerivedFactEngine::new(self.transform_registry.clone());
|
|
167
|
+
let (derived_facts, derived_lineages) =
|
|
168
|
+
derived_engine.compute_derived_facts(&all_facts, &transform_keys)?;
|
|
169
|
+
|
|
170
|
+
let mut all_resolved_facts = all_facts;
|
|
171
|
+
all_resolved_facts.extend(derived_facts);
|
|
172
|
+
|
|
173
|
+
let resolver_output = self.resolver.resolve(
|
|
174
|
+
request,
|
|
175
|
+
&self.loaded_packs,
|
|
176
|
+
&all_resolved_facts,
|
|
177
|
+
&trust_decisions,
|
|
178
|
+
&derived_lineages,
|
|
179
|
+
)?;
|
|
180
|
+
|
|
181
|
+
let compat_decisions = vec![];
|
|
182
|
+
|
|
183
|
+
self.trace_emitter.emit(
|
|
184
|
+
request,
|
|
185
|
+
&self.loaded_packs,
|
|
186
|
+
&all_resolved_facts,
|
|
187
|
+
&trust_decisions,
|
|
188
|
+
&derived_lineages,
|
|
189
|
+
&resolver_output,
|
|
190
|
+
&self.config.specificity_profile,
|
|
191
|
+
&self.config.unknown_handling,
|
|
192
|
+
&compat_decisions,
|
|
193
|
+
)
|
|
194
|
+
}
|
|
195
|
+
|
|
196
|
+
pub fn packs(&self) -> &[AuthorityPack] {
|
|
197
|
+
&self.loaded_packs
|
|
198
|
+
}
|
|
199
|
+
|
|
200
|
+
pub fn config(&self) -> &AuthorityEnvironmentConfig {
|
|
201
|
+
&self.config
|
|
202
|
+
}
|
|
203
|
+
}
|
|
@@ -0,0 +1,164 @@
|
|
|
1
|
+
use serde::{Deserialize, Serialize};
|
|
2
|
+
use std::fmt;
|
|
3
|
+
|
|
4
|
+
#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
|
|
5
|
+
pub enum AuthorityErrorCode {
|
|
6
|
+
InvalidAuthorityEnvironment,
|
|
7
|
+
InvalidPolicyPack,
|
|
8
|
+
FactTrustViolation,
|
|
9
|
+
SourceUnavailable,
|
|
10
|
+
InvalidTransform,
|
|
11
|
+
SpecificityConflict,
|
|
12
|
+
AmbiguousCompatibilityLowering,
|
|
13
|
+
TracePersistenceFailure,
|
|
14
|
+
MissingConfigError,
|
|
15
|
+
ParseError,
|
|
16
|
+
SchemaError,
|
|
17
|
+
UnsupportedKindError,
|
|
18
|
+
MissingCredentialError,
|
|
19
|
+
PolicyParseError,
|
|
20
|
+
PolicyEvaluationError,
|
|
21
|
+
InvalidReloadError,
|
|
22
|
+
ConflictingSpecificityProfileError,
|
|
23
|
+
InvalidFactSourceError,
|
|
24
|
+
InvalidTransformError,
|
|
25
|
+
ResolverSemanticsHashMismatch,
|
|
26
|
+
PackHashMismatch,
|
|
27
|
+
InvalidRequest,
|
|
28
|
+
ConflictResolutionError,
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
#[derive(Debug, Clone, Serialize, Deserialize)]
|
|
32
|
+
pub struct AuthorityError {
|
|
33
|
+
pub code: AuthorityErrorCode,
|
|
34
|
+
pub message: String,
|
|
35
|
+
pub recoverable: bool,
|
|
36
|
+
pub recoverability_hint: Option<String>,
|
|
37
|
+
pub context: serde_json::Value,
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
impl AuthorityError {
|
|
41
|
+
pub fn new(code: AuthorityErrorCode, message: impl Into<String>) -> Self {
|
|
42
|
+
Self {
|
|
43
|
+
code,
|
|
44
|
+
message: message.into(),
|
|
45
|
+
recoverable: false,
|
|
46
|
+
recoverability_hint: None,
|
|
47
|
+
context: serde_json::json!({}),
|
|
48
|
+
}
|
|
49
|
+
}
|
|
50
|
+
|
|
51
|
+
pub fn recoverable(mut self) -> Self {
|
|
52
|
+
self.recoverable = true;
|
|
53
|
+
self
|
|
54
|
+
}
|
|
55
|
+
|
|
56
|
+
pub fn with_hint(mut self, hint: impl Into<String>) -> Self {
|
|
57
|
+
self.recoverability_hint = Some(hint.into());
|
|
58
|
+
self
|
|
59
|
+
}
|
|
60
|
+
|
|
61
|
+
pub fn with_context(mut self, ctx: serde_json::Value) -> Self {
|
|
62
|
+
self.context = ctx;
|
|
63
|
+
self
|
|
64
|
+
}
|
|
65
|
+
|
|
66
|
+
pub fn missing_config(field: &str) -> Self {
|
|
67
|
+
Self::new(
|
|
68
|
+
AuthorityErrorCode::MissingConfigError,
|
|
69
|
+
format!("Missing required config: {}", field),
|
|
70
|
+
)
|
|
71
|
+
}
|
|
72
|
+
|
|
73
|
+
pub fn invalid_environment(msg: impl Into<String>) -> Self {
|
|
74
|
+
Self::new(AuthorityErrorCode::InvalidAuthorityEnvironment, msg)
|
|
75
|
+
}
|
|
76
|
+
|
|
77
|
+
pub fn fact_trust_violation(fact_path: &str, reason: &str) -> Self {
|
|
78
|
+
Self::new(
|
|
79
|
+
AuthorityErrorCode::FactTrustViolation,
|
|
80
|
+
format!("Fact trust violation for '{}': {}", fact_path, reason),
|
|
81
|
+
)
|
|
82
|
+
}
|
|
83
|
+
|
|
84
|
+
pub fn source_unavailable(source_id: &str, reason: &str) -> Self {
|
|
85
|
+
Self::new(
|
|
86
|
+
AuthorityErrorCode::SourceUnavailable,
|
|
87
|
+
format!("Fact source '{}' unavailable: {}", source_id, reason),
|
|
88
|
+
)
|
|
89
|
+
.recoverable()
|
|
90
|
+
.with_hint(format!("Check upstream {} availability", source_id))
|
|
91
|
+
}
|
|
92
|
+
|
|
93
|
+
pub fn invalid_transform(id: &str, reason: &str) -> Self {
|
|
94
|
+
Self::new(
|
|
95
|
+
AuthorityErrorCode::InvalidTransform,
|
|
96
|
+
format!("Transform '{}' invalid: {}", id, reason),
|
|
97
|
+
)
|
|
98
|
+
}
|
|
99
|
+
|
|
100
|
+
pub fn specificity_conflict(policy_a: &str, policy_b: &str) -> Self {
|
|
101
|
+
Self::new(
|
|
102
|
+
AuthorityErrorCode::SpecificityConflict,
|
|
103
|
+
format!(
|
|
104
|
+
"Incomparable specificity between '{}' and '{}'",
|
|
105
|
+
policy_a, policy_b
|
|
106
|
+
),
|
|
107
|
+
)
|
|
108
|
+
}
|
|
109
|
+
|
|
110
|
+
pub fn ambiguous_lowering(expr: &str) -> Self {
|
|
111
|
+
Self::new(
|
|
112
|
+
AuthorityErrorCode::AmbiguousCompatibilityLowering,
|
|
113
|
+
format!(
|
|
114
|
+
"Ambiguous compatibility expression cannot be safely lowered: {}",
|
|
115
|
+
expr
|
|
116
|
+
),
|
|
117
|
+
)
|
|
118
|
+
}
|
|
119
|
+
|
|
120
|
+
pub fn trace_persistence_failure(reason: &str) -> Self {
|
|
121
|
+
Self::new(
|
|
122
|
+
AuthorityErrorCode::TracePersistenceFailure,
|
|
123
|
+
format!("Trace persistence failed: {}", reason),
|
|
124
|
+
)
|
|
125
|
+
.recoverable()
|
|
126
|
+
.with_hint("Check evidence sink availability and retry")
|
|
127
|
+
}
|
|
128
|
+
|
|
129
|
+
pub fn conflicting_specificity_profile(pack_a: &str, pack_b: &str) -> Self {
|
|
130
|
+
Self::new(
|
|
131
|
+
AuthorityErrorCode::ConflictingSpecificityProfileError,
|
|
132
|
+
format!(
|
|
133
|
+
"Packs '{}' and '{}' require incompatible specificity profiles",
|
|
134
|
+
pack_a, pack_b
|
|
135
|
+
),
|
|
136
|
+
)
|
|
137
|
+
}
|
|
138
|
+
|
|
139
|
+
pub fn pack_hash_mismatch(pack_id: &str) -> Self {
|
|
140
|
+
Self::new(
|
|
141
|
+
AuthorityErrorCode::PackHashMismatch,
|
|
142
|
+
format!("Pack '{}' hash mismatch", pack_id),
|
|
143
|
+
)
|
|
144
|
+
}
|
|
145
|
+
|
|
146
|
+
pub fn semantics_hash_mismatch() -> Self {
|
|
147
|
+
Self::new(
|
|
148
|
+
AuthorityErrorCode::ResolverSemanticsHashMismatch,
|
|
149
|
+
"Resolver semantics hash mismatch",
|
|
150
|
+
)
|
|
151
|
+
}
|
|
152
|
+
|
|
153
|
+
pub fn invalid_request(msg: impl Into<String>) -> Self {
|
|
154
|
+
Self::new(AuthorityErrorCode::InvalidRequest, msg)
|
|
155
|
+
}
|
|
156
|
+
}
|
|
157
|
+
|
|
158
|
+
impl fmt::Display for AuthorityError {
|
|
159
|
+
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
|
160
|
+
write!(f, "[{:?}] {}", self.code, self.message)
|
|
161
|
+
}
|
|
162
|
+
}
|
|
163
|
+
|
|
164
|
+
impl std::error::Error for AuthorityError {}
|