Skip to main content

bynk_syntax/
ast.rs

1//! Abstract syntax tree types for Bynk v0 (spec §9.2).
2
3use crate::span::Span;
4
5/// An identifier with its source span.
6#[derive(Debug, Clone)]
7pub struct Ident {
8    pub name: String,
9    pub span: Span,
10}
11
12/// Comment trivia attached to a declaration or statement (v1.1 LSP spec
13/// §3.5). The parser collects line comments from the token stream and
14/// attaches them to nearby AST nodes so the formatter can re-emit them.
15///
16/// - `leading` holds comments that appear immediately above the node,
17///   ordered top-to-bottom. Each entry is the body of one `--` line
18///   (the text after the marker, with its original inline whitespace
19///   preserved).
20/// - `trailing` holds a single comment that appears on the same source
21///   line as the node's final token (e.g. `expr  -- note`).
22#[derive(Debug, Clone, Default)]
23pub struct Trivia {
24    pub leading: Vec<String>,
25    pub trailing: Option<String>,
26}
27
28impl Trivia {
29    pub fn is_empty(&self) -> bool {
30        self.leading.is_empty() && self.trailing.is_none()
31    }
32}
33
34/// A whole parsed commons source file.
35///
36/// In v0.3 a commons may be split across multiple files in a directory; the
37/// resolver merges them into one logical commons. Each parsed AST instance
38/// represents the contribution from a single source file.
39#[derive(Debug, Clone)]
40pub struct Commons {
41    pub name: QualifiedName,
42    pub items: Vec<CommonsItem>,
43    /// `uses` clauses declared in this file.
44    pub uses: Vec<UsesDecl>,
45    /// Optional documentation block attached to the commons declaration.
46    pub documentation: Option<String>,
47    /// Surface form of the file: brace-delimited body or headerless fragment.
48    pub form: CommonsForm,
49    pub span: Span,
50    /// Trivia attached to the commons declaration itself — leading comments
51    /// before the `commons` keyword and a trailing comment after the header
52    /// or closing brace.
53    pub trivia: Trivia,
54    /// Comments appearing after the last item but before the file ends
55    /// (or the closing brace, for brace form). One entry per `--` line.
56    pub trailing_comments: Vec<String>,
57}
58
59/// The two surface forms in which a commons body may be parsed (v0.3 §3.1).
60#[derive(Debug, Clone, Copy, PartialEq, Eq)]
61pub enum CommonsForm {
62    /// `commons name { ... }`
63    Brace,
64    /// `commons name` followed by top-level declarations to EOF.
65    Fragment,
66}
67
68/// A `uses other.commons` declaration (v0.3 §3.3).
69#[derive(Debug, Clone)]
70pub struct UsesDecl {
71    pub target: QualifiedName,
72    pub span: Span,
73    pub trivia: Trivia,
74}
75
76/// A whole parsed context source file (v0.4 §3.1).
77///
78/// Contexts are the architectural-layer declaration kind. Like commons, a
79/// context may be split across multiple files in a directory.
80#[derive(Debug, Clone)]
81pub struct Context {
82    pub name: QualifiedName,
83    pub items: Vec<CommonsItem>,
84    /// `uses` clauses declared in this file.
85    pub uses: Vec<UsesDecl>,
86    /// `consumes` clauses declared in this file.
87    pub consumes: Vec<ConsumesDecl>,
88    /// `exports` clauses declared in this file.
89    pub exports: Vec<ExportsDecl>,
90    /// Optional documentation block attached to the context declaration.
91    pub documentation: Option<String>,
92    /// Surface form of the file: brace-delimited body or headerless fragment.
93    pub form: CommonsForm,
94    pub span: Span,
95    /// Trivia attached to the context declaration itself — leading comments
96    /// before the `context` keyword.
97    pub trivia: Trivia,
98    /// Comments appearing after the last item but before the file ends
99    /// (or the closing brace, for brace form). One entry per `--` line.
100    pub trailing_comments: Vec<String>,
101}
102
103/// A `consumes other.context` declaration (v0.4 §3.2). May optionally carry
104/// an alias introduced by `consumes other.context as Alias` (v0.6 §3.1).
105#[derive(Debug, Clone)]
106pub struct ConsumesDecl {
107    pub target: QualifiedName,
108    pub alias: Option<Ident>,
109    /// v0.17: `consumes U { Cap, … }` — selected capabilities flattened into
110    /// the consumer's local capability namespace under their bare names (§3.3).
111    /// `None` for the whole-unit forms; `Some` (possibly empty) for the braced
112    /// form. Mutually exclusive with `alias`.
113    pub selected: Option<Vec<Ident>>,
114    pub span: Span,
115    pub trivia: Trivia,
116}
117
118/// An `exports visibility { names }` clause (v0.4 §3.3) or, v0.15, an
119/// `exports capability { names }` clause.
120#[derive(Debug, Clone)]
121pub struct ExportsDecl {
122    pub kind: ExportKind,
123    pub names: Vec<Ident>,
124    pub span: Span,
125    pub trivia: Trivia,
126}
127
128/// What an `exports` clause exposes: types (with a visibility) or, v0.15,
129/// capabilities offered for cross-context consumption.
130#[derive(Debug, Clone, Copy, PartialEq, Eq)]
131pub enum ExportKind {
132    /// `exports opaque { ... }` / `exports transparent { ... }` — type exports.
133    Type(Visibility),
134    /// `exports capability { ... }` — capabilities offered to consumers (v0.15).
135    Capability,
136}
137
138/// Visibility level for an exports clause (v0.4 §3.3).
139#[derive(Debug, Clone, Copy, PartialEq, Eq)]
140pub enum Visibility {
141    /// Token-only outside the context: hold, pass, compare; no inspect, no construct.
142    Opaque,
143    /// Readable shape outside the context: inspect fields, match variants; no construct.
144    Transparent,
145}
146
147/// An `adapter qualified.name { … }` declaration (v0.17 §3.1). An adapter
148/// co-locates a capability contract with a non-Bynk binding: it may declare
149/// capabilities, the boundary types they reference, inline pure helper
150/// `type`/`fn` (and `uses`), external (bodiless) providers, `exports
151/// capability`, and exactly one `binding` clause. It may *not* declare
152/// services, agents, or bodied providers. Like commons/contexts it may be
153/// split across files in a directory.
154#[derive(Debug, Clone)]
155pub struct AdapterDecl {
156    pub name: QualifiedName,
157    pub items: Vec<CommonsItem>,
158    /// `uses` clauses declared in this file (pure-vocabulary mixin; allowed
159    /// because helpers cannot pierce containment — spec [DECISION B]).
160    pub uses: Vec<UsesDecl>,
161    /// `exports capability { … }` clauses (adapters export capabilities and
162    /// boundary types, never services).
163    pub exports: Vec<ExportsDecl>,
164    /// v0.18: `consumes U { Cap, … }` clauses — adapter-to-adapter capability
165    /// dependencies (spec §4.5, \[N\]). Braced form only; adapter targets only
166    /// (both enforced semantically, not in the parser).
167    pub consumes: Vec<ConsumesDecl>,
168    /// The `binding "<module>" requires { … }` clause, if present. Required
169    /// when the adapter declares any external provider (`bynk.adapter.no_binding`).
170    pub binding: Option<BindingDecl>,
171    pub documentation: Option<String>,
172    pub form: CommonsForm,
173    pub span: Span,
174    pub trivia: Trivia,
175    pub trailing_comments: Vec<String>,
176}
177
178/// A `binding "<module>" requires { "pkg": "range", … }` clause inside an
179/// adapter (v0.17 §3.5). `module` is the TypeScript module supplying the
180/// adapter's external provider symbols, resolved relative to the adapter's
181/// source file. `requires` declares npm dependencies folded into the
182/// generated `package.json`.
183#[derive(Debug, Clone)]
184pub struct BindingDecl {
185    /// The module path as written (the string-literal contents, no quotes).
186    pub module: String,
187    pub module_span: Span,
188    pub requires: Vec<RequiresDep>,
189    pub span: Span,
190    pub trivia: Trivia,
191}
192
193/// One `"pkg": "range"` entry in a binding's `requires { … }` map.
194#[derive(Debug, Clone)]
195pub struct RequiresDep {
196    pub package: String,
197    pub range: String,
198    pub span: Span,
199}
200
201/// Either a commons or a context — the two declaration kinds at the file
202/// level (v0.4 §3.1). v0.7 adds the test declaration kind; v0.17 the adapter.
203#[derive(Debug, Clone)]
204pub enum SourceUnit {
205    Commons(Commons),
206    Context(Context),
207    Suite(SuiteDecl),
208    /// v0.17: an `adapter` unit — the host boundary (capability contract +
209    /// external binding).
210    Adapter(AdapterDecl),
211}
212
213impl SourceUnit {
214    pub fn name(&self) -> &QualifiedName {
215        match self {
216            SourceUnit::Commons(c) => &c.name,
217            SourceUnit::Context(c) => &c.name,
218            SourceUnit::Suite(t) => &t.target,
219            SourceUnit::Adapter(a) => &a.name,
220        }
221    }
222
223    pub fn span(&self) -> Span {
224        match self {
225            SourceUnit::Commons(c) => c.span,
226            SourceUnit::Context(c) => c.span,
227            SourceUnit::Suite(t) => t.span,
228            SourceUnit::Adapter(a) => a.span,
229        }
230    }
231
232    pub fn kind_name(&self) -> &'static str {
233        match self {
234            SourceUnit::Commons(_) => "commons",
235            SourceUnit::Context(_) => "context",
236            SourceUnit::Suite(_) => "suite",
237            SourceUnit::Adapter(_) => "adapter",
238        }
239    }
240}
241
242/// A `test <qualified-name> { ... }` declaration (v0.7 §3.1).
243///
244/// A test targets a commons or context by qualified name and bundles a set of
245/// test cases plus optional mock declarations. As with commons and contexts, a
246/// test may be split across multiple files (fragment form).
247#[derive(Debug, Clone)]
248pub struct SuiteDecl {
249    /// The targeted commons or context.
250    pub target: QualifiedName,
251    /// `uses` clauses brought in by this test fragment.
252    pub uses: Vec<UsesDecl>,
253    /// v0.118: suite-scoped `provides` clauses — per-seam provider overrides
254    /// applied to every case (a case-scoped `provides` takes precedence).
255    pub provides: Vec<ProvidesClause>,
256    /// The individual test cases.
257    pub cases: Vec<Case>,
258    /// v0.114: generative `property` blocks (testing track slice 2).
259    pub properties: Vec<PropertyDecl>,
260    /// v0.118: the suite-level tier default (`suite … as integration`). `None`
261    /// means the `unit` default; a `case`'s own tier overrides it. A `property`
262    /// ignores a suite tier (tiers are a `case`-only affordance).
263    pub tier: Option<TestTier>,
264    /// Surface form: brace-delimited body or headerless fragment.
265    pub form: CommonsForm,
266    /// Optional documentation block attached to the test declaration.
267    pub documentation: Option<String>,
268    pub span: Span,
269    pub trivia: Trivia,
270    pub trailing_comments: Vec<String>,
271}
272
273/// v0.118: the tier a `case` runs at (testing track slice 6, ADR 0153). One
274/// body promoted across the testing pyramid; `unit` is the default and elided.
275#[derive(Debug, Clone, Copy, PartialEq, Eq)]
276pub enum TestTier {
277    /// Collaborators stubbed (the default).
278    Unit,
279    /// Real collaborators within one context, no serialisation wire.
280    Integration,
281    /// Contexts wired across the real serialise → JSON → deserialise boundary.
282    System,
283}
284
285impl TestTier {
286    pub fn as_str(self) -> &'static str {
287        match self {
288            TestTier::Unit => "unit",
289            TestTier::Integration => "integration",
290            TestTier::System => "system",
291        }
292    }
293}
294
295/// v0.118: a per-seam provider override `provides Cap.method(<args>) returns <v>
296/// | fails` (testing track slice 6, ADR 0154). Substitutes one capability
297/// method's provision under test; the right-hand side is a value or a fault,
298/// never a computed body.
299#[derive(Debug, Clone)]
300pub struct ProvidesClause {
301    /// The capability being overridden (a consumed seam of the unit).
302    pub capability: Ident,
303    /// The overridden method.
304    pub method: Ident,
305    /// One argument pattern per parameter (`_` or a value the arg must equal).
306    pub args: Vec<ArgPattern>,
307    /// The provision: a value, a fault, or a per-call sequence.
308    pub rhs: ProvidesRhs,
309    pub documentation: Option<String>,
310    pub span: Span,
311    pub trivia: Trivia,
312}
313
314/// v0.118: one argument pattern in a `provides` call pattern. Patterns for the
315/// same method are tried top-to-bottom, first match wins.
316#[derive(Debug, Clone)]
317pub enum ArgPattern {
318    /// `_` — matches any argument.
319    Any(Span),
320    /// A value the recorded argument must equal (a literal or pure value expr).
321    Value(Expr),
322}
323
324/// v0.118: the right-hand side of a `provides` clause.
325#[derive(Debug, Clone)]
326pub enum ProvidesRhs {
327    /// `returns <value>` — a single success value, repeated for every call.
328    Returns(Expr),
329    /// `fails` — inject a capability fault (Principle 3).
330    Fails(Span),
331    /// `returns each [<outcome>, …]` — one outcome per call, in order; the last
332    /// outcome repeats once the sequence is exhausted (DECISION V).
333    ReturnsEach(Vec<SeqOutcome>, Span),
334}
335
336impl ProvidesRhs {
337    pub fn span(&self) -> Span {
338        match self {
339            ProvidesRhs::Returns(e) => e.span,
340            ProvidesRhs::Fails(s) => *s,
341            ProvidesRhs::ReturnsEach(_, s) => *s,
342        }
343    }
344}
345
346/// v0.118: one outcome in a sequenced (`returns each`) `provides`.
347#[derive(Debug, Clone)]
348pub enum SeqOutcome {
349    /// A success value.
350    Value(Expr),
351    /// A fault.
352    Fails(Span),
353}
354
355/// A `case "name" [as <tier>] { [provides …] body }` block inside a suite
356/// (v0.7 §3.3; v0.118 adds the tier clause and case-scoped `provides`).
357#[derive(Debug, Clone)]
358pub struct Case {
359    /// The test name, taken from the string literal.
360    pub name: String,
361    /// The span of the string literal — used for diagnostics and runtime
362    /// failure reports.
363    pub name_span: Span,
364    /// v0.118: the case's own tier, if written (`as integration` / `as system`).
365    /// `None` means inherit the suite default (itself `unit` when unset).
366    pub tier: Option<TestTier>,
367    /// v0.118: case-scoped `provides` clauses (override the suite's, and the
368    /// tier default).
369    pub provides: Vec<ProvidesClause>,
370    pub body: Block,
371    pub documentation: Option<String>,
372    pub span: Span,
373    pub trivia: Trivia,
374}
375
376/// A `property "name" { for all <bindings> [where <pred>] { body } }` block
377/// inside a suite (v0.114, testing track slice 2, ADR 0149). The generative
378/// sibling of [`Case`]: the runner draws inhabitants of each binding's type from
379/// its refinement domain and evaluates the body's `expect`s over them.
380#[derive(Debug, Clone)]
381pub struct PropertyDecl {
382    /// The property name, taken from the string literal.
383    pub name: String,
384    /// The span of the string literal — used for diagnostics and reports.
385    pub name_span: Span,
386    /// The `for all` binder: the generated bindings, an optional `where` filter,
387    /// and the predicate body.
388    pub forall: ForAll,
389    pub documentation: Option<String>,
390    pub span: Span,
391    pub trivia: Trivia,
392}
393
394/// The `for all x: T, … [where <pred>] { … }` binder inside a [`PropertyDecl`].
395#[derive(Debug, Clone)]
396pub struct ForAll {
397    /// The generated bindings, `x: T` (one or more).
398    pub bindings: Vec<ForAllBinding>,
399    /// An optional `where <pred>` filter (a pure `Bool`) applied to generated
400    /// tuples before the body runs.
401    pub where_pred: Option<Expr>,
402    /// The body — one or more statements, typically `expect`s.
403    pub body: Block,
404    pub span: Span,
405}
406
407/// One `for all` binding: `name: T`, where the runner generates inhabitants of
408/// `T` from its refinements.
409#[derive(Debug, Clone)]
410pub struct ForAllBinding {
411    pub name: Ident,
412    pub type_ref: TypeRef,
413}
414
415/// A capability reference in a `given` clause (v0.15 §3.2). A bare name is a
416/// local capability (`given Cap`); a dotted name refers to a capability a
417/// consumed context provides (`given B.Cap` / `given Alias.Cap`).
418#[derive(Debug, Clone)]
419pub struct CapRef {
420    /// `None` for a local capability; `Some(prefix)` for a cross-context
421    /// reference where `prefix` is a consumed-context qualified name or alias.
422    pub context: Option<QualifiedName>,
423    /// The capability's simple name (also the local deps key).
424    pub name: Ident,
425    pub span: Span,
426}
427
428impl CapRef {
429    /// The local deps key / capability simple name (e.g. `Clock`).
430    pub fn key(&self) -> &str {
431        &self.name.name
432    }
433
434    /// True when this references a capability provided by a consumed context.
435    pub fn is_cross_context(&self) -> bool {
436        self.context.is_some()
437    }
438
439    /// The cross-context prefix (consumed-context qualified name or alias) as
440    /// a dotted string, if any.
441    pub fn prefix(&self) -> Option<String> {
442        self.context.as_ref().map(|q| q.joined())
443    }
444}
445
446/// A dotted name like `fitness.units`.
447#[derive(Debug, Clone)]
448pub struct QualifiedName {
449    pub parts: Vec<Ident>,
450    pub span: Span,
451}
452
453impl QualifiedName {
454    pub fn joined(&self) -> String {
455        self.parts
456            .iter()
457            .map(|p| p.name.as_str())
458            .collect::<Vec<_>>()
459            .join(".")
460    }
461}
462
463#[derive(Debug, Clone)]
464pub enum CommonsItem {
465    Type(TypeDecl),
466    Fn(FnDecl),
467    /// `capability Name { fn op(...) -> T ... }` (v0.5; contexts only).
468    Capability(CapabilityDecl),
469    /// `provides Cap = ProviderName { fn op(...) -> T { ... } ... }` (v0.5).
470    Provider(ProviderDecl),
471    /// `service Name { on call(...) -> T { ... } ... }` (v0.5).
472    Service(ServiceDecl),
473    /// `agent Name { key id: T; state { ... }; on call ... }` (v0.5).
474    Agent(AgentDecl),
475    /// `actor Name { auth = Scheme, identity = T }` (v0.45). A nominal boundary
476    /// contract consumed by a handler's `by` clause; not a runnable entity.
477    Actor(ActorDecl),
478}
479
480impl CommonsItem {
481    pub fn name(&self) -> &Ident {
482        match self {
483            CommonsItem::Type(t) => &t.name,
484            CommonsItem::Fn(f) => f.name.ident(),
485            CommonsItem::Capability(c) => &c.name,
486            CommonsItem::Provider(p) => &p.provider_name,
487            CommonsItem::Service(s) => &s.name,
488            CommonsItem::Agent(a) => &a.name,
489            CommonsItem::Actor(a) => &a.name,
490        }
491    }
492}
493
494/// A capability declaration (v0.5 §3.3). Capabilities are interface-like
495/// contracts for external dependencies, used inside contexts. They may only
496/// appear inside a `context` declaration.
497#[derive(Debug, Clone)]
498pub struct CapabilityDecl {
499    pub name: Ident,
500    pub ops: Vec<CapabilityOp>,
501    pub documentation: Option<String>,
502    pub span: Span,
503    pub trivia: Trivia,
504}
505
506/// One operation in a capability (signature only; no body).
507#[derive(Debug, Clone)]
508pub struct CapabilityOp {
509    pub name: Ident,
510    pub params: Vec<Param>,
511    pub return_type: TypeRef,
512    pub documentation: Option<String>,
513    pub span: Span,
514    pub trivia: Trivia,
515}
516
517/// A provider declaration (v0.5 §3.4). Supplies an implementation for a
518/// capability.
519#[derive(Debug, Clone)]
520pub struct ProviderDecl {
521    /// The capability being implemented.
522    pub capability: Ident,
523    /// The provider's identifier (used in tests/config to select impls).
524    pub provider_name: Ident,
525    /// v0.12: capabilities this provider depends on (`provides X = Impl given
526    /// Y, Z { … }`). The provider's operation bodies may use these. v0.15:
527    /// a dependency may be a cross-context capability (`given B.Cap`).
528    pub given: Vec<CapRef>,
529    pub ops: Vec<ProviderOp>,
530    /// v0.17: an *external* provider — `provides Cap = Name` with **no** brace
531    /// block — inside an adapter, supplied by the adapter's binding rather than
532    /// a Bynk body. When `true`, `ops` is empty and the emitter produces no
533    /// class. The absence of the brace block (not an empty one) is the signal.
534    pub external: bool,
535    pub documentation: Option<String>,
536    pub span: Span,
537    pub trivia: Trivia,
538}
539
540/// One operation in a provider (signature plus body).
541#[derive(Debug, Clone)]
542pub struct ProviderOp {
543    pub name: Ident,
544    pub params: Vec<Param>,
545    pub return_type: TypeRef,
546    pub body: Block,
547    pub span: Span,
548    pub trivia: Trivia,
549}
550
551/// A service declaration (v0.5 §3.5). Services are the boundary interface
552/// of a context.
553#[derive(Debug, Clone)]
554pub struct ServiceDecl {
555    pub name: Ident,
556    /// The protocol the service conforms to, from the `from <protocol>` header
557    /// clause (v0.44). `Call` when there is no clause.
558    pub protocol: ServiceProtocol,
559    /// The optional cross-origin (CORS) policy (v0.131, ADR 0159) — a `cors { }`
560    /// section in the service body, only meaningful on a `from http` service.
561    /// `None` when absent (same-origin default, byte-for-byte unchanged output).
562    pub cors: Option<CorsPolicy>,
563    /// The optional security-headers policy (v0.141, ADR 0164) — a `security { }`
564    /// section in the service body, only meaningful on a `from http` service.
565    /// `None` when absent, but unlike `cors` the *absence* still stamps the safe
566    /// defaults (`nosniff` on) — the emitter synthesises a default policy for every
567    /// `from http` service, so `None` here means "defaults", not "no headers".
568    pub security: Option<SecurityPolicy>,
569    /// The optional request-body-size policy (v0.142, ADR 0165) — a `limits { }`
570    /// section in the service body, only meaningful on a `from http` service. It
571    /// declares a per-service `maxBody` ceiling (in bytes) for the service's
572    /// body-taking routes; a route may override it with `@limit(maxBody: …)`.
573    /// `None` when absent (no cap — byte-for-byte unchanged output, the opt-in
574    /// CORS posture, not the `security` default-on posture).
575    pub limits: Option<LimitsPolicy>,
576    pub handlers: Vec<Handler>,
577    pub documentation: Option<String>,
578    pub span: Span,
579    pub trivia: Trivia,
580}
581
582/// A cross-origin resource-sharing policy on a `from http` service (v0.131,
583/// ADR 0159): the `cors { }` section in the service body. Parsed leniently as a
584/// list of `name: value` fields (the grammar accepts any field name — an unknown
585/// one is a checker diagnostic, per the `@`-annotation precedent, ADR 0111), and
586/// interpreted through the typed accessors below.
587///
588/// `Access-Control-Allow-Methods` is deliberately **not** a field — it is derived
589/// from the service's routes at emit time (the routes already enumerate the
590/// methods; a restated list would drift). Likewise `Allow-Headers` defaults to
591/// `content-type` (+ `Authorization` when a Bearer route exists) and is only
592/// stored here when the author overrides it.
593#[derive(Debug, Clone)]
594pub struct CorsPolicy {
595    /// The `cors { }` fields as written, in source order. Field names are
596    /// validated against the closed set (`origins`/`headers`/`credentials`/
597    /// `maxAge`) by the checker, not the parser.
598    pub fields: Vec<CorsField>,
599    pub span: Span,
600    pub trivia: Trivia,
601}
602
603/// One `name: value` field inside a `cors { }` policy (v0.131).
604#[derive(Debug, Clone)]
605pub struct CorsField {
606    pub name: Ident,
607    pub value: Expr,
608    pub span: Span,
609}
610
611impl CorsPolicy {
612    /// The raw value expression for a field, by name (the last one wins if a
613    /// field is repeated — the checker flags the duplicate separately).
614    pub fn field(&self, name: &str) -> Option<&Expr> {
615        self.fields
616            .iter()
617            .rev()
618            .find(|f| f.name.name == name)
619            .map(|f| &f.value)
620    }
621
622    /// The allowed origins — the string literals of the `origins:` list. An
623    /// absent or malformed field yields an empty list (the checker has already
624    /// reported the shape error; the emitter fails closed on an empty list).
625    pub fn origins(&self) -> Vec<String> {
626        Self::str_list(self.field("origins")).unwrap_or_default()
627    }
628
629    /// `true` iff `origins` is exactly the wildcard `["*"]`.
630    pub fn is_wildcard(&self) -> bool {
631        let os = self.origins();
632        os.len() == 1 && os[0] == "*"
633    }
634
635    /// Whether credentialed requests are allowed (`credentials: true`); defaults
636    /// to `false` when the field is absent.
637    pub fn credentials(&self) -> bool {
638        matches!(
639            self.field("credentials").map(|e| &e.kind),
640            Some(ExprKind::BoolLit(true))
641        )
642    }
643
644    /// The explicit `Access-Control-Allow-Headers` override, if the author gave
645    /// a `headers:` list; `None` leaves the emitter to apply its smart default.
646    pub fn allow_headers(&self) -> Option<Vec<String>> {
647        self.field("headers").and_then(Self::str_list_of)
648    }
649
650    /// The `Access-Control-Max-Age` in whole seconds, if a `maxAge:` duration was
651    /// given; `None` leaves the header off (the browser default).
652    pub fn max_age_secs(&self) -> Option<i64> {
653        match self.field("maxAge").map(|e| &e.kind) {
654            Some(ExprKind::DurationLit { millis, .. }) => Some(millis / 1_000),
655            _ => None,
656        }
657    }
658
659    /// Interpret an expression as a list of string literals, if it is one.
660    fn str_list(expr: Option<&Expr>) -> Option<Vec<String>> {
661        expr.and_then(Self::str_list_of)
662    }
663
664    fn str_list_of(expr: &Expr) -> Option<Vec<String>> {
665        match &expr.kind {
666            ExprKind::ListLit(items) => items
667                .iter()
668                .map(|e| match &e.kind {
669                    ExprKind::StrLit(s) => Some(s.clone()),
670                    _ => None,
671                })
672                .collect(),
673            _ => None,
674        }
675    }
676}
677
678/// A security-headers policy on a `from http` service (v0.141, ADR 0164): the
679/// `security { }` section in the service body. Parsed leniently as a list of
680/// `name: value` fields (an unknown one is a checker diagnostic, per the CORS /
681/// `@`-annotation precedent) and interpreted through the typed accessors below.
682///
683/// The closed set is `nosniff` (a `Bool`, default `true` — stamps
684/// `X-Content-Type-Options: nosniff`) and `hsts` (a positive `Duration`, opt-in —
685/// stamps `Strict-Transport-Security: max-age=…`). Unlike `cors`, the *safe*
686/// header is on by default: a `from http` service with no `security { }` still
687/// stamps `nosniff`, because a security header you have to remember to switch on
688/// is the one you forget (ADR 0164 DECISION A).
689#[derive(Debug, Clone)]
690pub struct SecurityPolicy {
691    /// The `security { }` fields as written, in source order. Field names are
692    /// validated against the closed set (`hsts`/`nosniff`) by the checker, not
693    /// the parser.
694    pub fields: Vec<SecurityField>,
695    pub span: Span,
696    pub trivia: Trivia,
697}
698
699/// One `name: value` field inside a `security { }` policy (v0.141).
700#[derive(Debug, Clone)]
701pub struct SecurityField {
702    pub name: Ident,
703    pub value: Expr,
704    pub span: Span,
705}
706
707impl SecurityPolicy {
708    /// The raw value expression for a field, by name (the last one wins if a
709    /// field is repeated — the checker flags the duplicate separately).
710    pub fn field(&self, name: &str) -> Option<&Expr> {
711        self.fields
712            .iter()
713            .rev()
714            .find(|f| f.name.name == name)
715            .map(|f| &f.value)
716    }
717
718    /// Whether `X-Content-Type-Options: nosniff` is stamped. Defaults to `true`
719    /// (the safe default, ADR 0164 DECISION A); only an explicit `nosniff: false`
720    /// opts out. A malformed value has already been reported by the checker; it
721    /// falls back to the safe default here.
722    pub fn nosniff(&self) -> bool {
723        !matches!(
724            self.field("nosniff").map(|e| &e.kind),
725            Some(ExprKind::BoolLit(false))
726        )
727    }
728
729    /// The `Strict-Transport-Security` `max-age` in whole seconds, if the author
730    /// opted in with an `hsts:` duration; `None` leaves HSTS off (the default —
731    /// HSTS pins the browser to HTTPS and is a deliberate opt-in, DECISION A).
732    pub fn hsts_max_age_secs(&self) -> Option<i64> {
733        match self.field("hsts").map(|e| &e.kind) {
734            Some(ExprKind::DurationLit { millis, .. }) => Some(millis / 1_000),
735            _ => None,
736        }
737    }
738}
739
740/// A request-body-size policy on a `from http` service (v0.142, ADR 0165): the
741/// `limits { }` section in the service body. Parsed leniently as a list of
742/// `name: value` fields (an unknown one is a checker diagnostic, per the CORS /
743/// `security` / `@`-annotation precedent) and interpreted through the typed
744/// accessor below.
745///
746/// The closed set is `maxBody` — a positive `Int` byte count (there is no byte
747/// `Size` literal yet; a `1.mb`-style literal is a named follow-on, the
748/// `Duration` playbook). Unlike `security`, this is opt-in: a service with no
749/// `limits { }` (and no route `@limit`) has no cap and emits byte-for-byte
750/// unchanged output (ADR 0165 DECISION E — the CORS posture).
751#[derive(Debug, Clone)]
752pub struct LimitsPolicy {
753    /// The `limits { }` fields as written, in source order. Field names are
754    /// validated against the closed set (`maxBody`) by the checker, not the
755    /// parser.
756    pub fields: Vec<LimitsField>,
757    pub span: Span,
758    pub trivia: Trivia,
759}
760
761/// One `name: value` field inside a `limits { }` policy (v0.142).
762#[derive(Debug, Clone)]
763pub struct LimitsField {
764    pub name: Ident,
765    pub value: Expr,
766    pub span: Span,
767}
768
769impl LimitsPolicy {
770    /// The raw value expression for a field, by name (the last one wins if a
771    /// field is repeated — the checker flags the duplicate separately).
772    pub fn field(&self, name: &str) -> Option<&Expr> {
773        self.fields
774            .iter()
775            .rev()
776            .find(|f| f.name.name == name)
777            .map(|f| &f.value)
778    }
779
780    /// The service-wide maximum request-body size in bytes, if the author gave a
781    /// positive `maxBody:` `Int` literal; `None` leaves the service without a
782    /// default cap. A malformed or non-positive value has already been reported
783    /// by the checker; it falls back to `None` here (no cap).
784    pub fn max_body(&self) -> Option<i64> {
785        match self.field("maxBody").map(|e| &e.kind) {
786            Some(ExprKind::IntLit { value, .. }) if *value > 0 => Some(*value),
787            _ => None,
788        }
789    }
790}
791
792/// The protocol a service conforms to — declared on the header via
793/// `from <protocol>` (v0.44). `Call` is the default (no `from` clause): a
794/// contract-mediated internal-RPC surface, not a wire protocol. Multi-endpoint
795/// protocols (`Http`, `Cron`) carry no binding — the endpoint lives on each
796/// handler; single-binding `Queue` carries its queue name.
797#[derive(Debug, Clone)]
798pub enum ServiceProtocol {
799    /// No `from` clause: the service holds `on call` handlers only.
800    Call,
801    /// `from http` — many routes; each handler is `on <Method>("route")`.
802    Http,
803    /// `from cron` — many schedules; each handler is `on schedule("expr")`.
804    Cron,
805    /// `from queue("name")` — one bound queue; handlers are `on message(...)`.
806    Queue { name: String },
807    /// `from WebSocket(in: ClientFrame, out: ServerFrame)` — a held WebSocket
808    /// connection (v0.103, real-time track slice 3). `in_type` is the inbound
809    /// frame type (client→server, decoded and routed as typed agent messages);
810    /// `out_type` is the server→client frame type the held `Connection[out_type]`
811    /// carries. The service holds exactly one `on open` handler (edge auth via
812    /// `by`, then transfer of the connection to an agent).
813    WebSocket { in_type: TypeRef, out_type: TypeRef },
814}
815
816/// An agent declaration (v0.5 §3.6). Agents are state-bearing entities
817/// with their own handlers.
818#[derive(Debug, Clone)]
819pub struct AgentDecl {
820    pub name: Ident,
821    /// `key id: Type` — the identifier-typed value identifying instances.
822    pub key_name: Ident,
823    pub key_type: TypeRef,
824    /// `store` fields (v0.81, storage track) — each an access-pattern slot of a
825    /// declared storage kind (`Cell`/`Map`/…). The successor to the removed
826    /// `state { }` record (ADR 0108); every agent declares its state this way.
827    pub store_fields: Vec<StoreField>,
828    /// Invariants (v0.80 §14) — universally-quantified predicates over the
829    /// agent's `store` fields. The phase sits between the fields and the
830    /// handlers; each is checked against the state staged by a handler's writes
831    /// before it commits.
832    pub invariants: Vec<Invariant>,
833    /// Step invariants (v0.116 §, testing track slice 4) — named predicates over
834    /// the pre-/post-commit state *pair* (`old`/`new`), checked at the commit
835    /// boundary beside [`invariants`], from the second commit onward. Widen the
836    /// invariant subject from a snapshot to a step (ADR 0144 — one predicate
837    /// surface).
838    ///
839    /// [`invariants`]: AgentDecl::invariants
840    pub transitions: Vec<Transition>,
841    pub handlers: Vec<Handler>,
842    pub documentation: Option<String>,
843    pub span: Span,
844    pub trivia: Trivia,
845}
846
847/// A `store` field (v0.81, storage track). Each is an access-pattern slot of a
848/// declared storage kind: `store <name>: <Kind>[…] [@annotations] [= <init>]`.
849/// The kind and its element type are carried as an ordinary [`TypeRef`]
850/// (`Cell[Int]`, `Map[K, V]`); the checker restricts which heads are storage
851/// kinds. Access-pattern annotations (`@indexed`, …) parse into [`annotations`]
852/// (v0.85, ADR 0111); the checker validates them against the closed registry.
853///
854/// [`annotations`]: StoreField::annotations
855#[derive(Debug, Clone)]
856pub struct StoreField {
857    pub name: Ident,
858    /// The storage kind and its element type(s): `Cell[Int]`, `Map[K, V]`. A
859    /// dedicated [`StoreKind`] rather than a [`TypeRef`] — storage kinds are not
860    /// value types, and the checker dispatches kind-aware operations on the head.
861    pub kind: StoreKind,
862    /// Storage annotations on the field (v0.85, ADR 0111): `@ttl(5.minutes)`,
863    /// `@indexed(by: orderId)`. Parsed in declaration order (after the kind,
864    /// before the initialiser); the checker validates names against the closed
865    /// registry and gates each to the slice that implements it.
866    pub annotations: Vec<Annotation>,
867    /// The fresh-key initial value (`= expr`), if given — same disposition as a
868    /// `state` field's initialiser (ADRs 0003/0004 carry forward).
869    pub init: Option<Expr>,
870    pub documentation: Option<String>,
871    pub span: Span,
872    pub trivia: Trivia,
873}
874
875/// A storage annotation on a `store` field (v0.85, storage track; ADR 0111):
876/// `@<name>(<args>)`. The `name` is matched against the closed registry
877/// (`@indexed`/`@ttl`/`@retain`/`@bounded`) by the checker; the grammar accepts
878/// any identifier so an unknown name is a checker diagnostic, not a parse error.
879/// Arguments are compile-time metadata, restricted to literals (and the `by:`
880/// field-name labels of `@indexed`) by the checker per ADR 0111 D4.
881#[derive(Debug, Clone)]
882pub struct Annotation {
883    pub name: Ident,
884    pub args: Vec<AnnotationArg>,
885    pub span: Span,
886}
887
888/// A single annotation argument (v0.85; ADR 0111): an optional `label:` followed
889/// by a value expression — `by: orderId` (labelled) or `5.minutes` (positional).
890/// The value is parsed as an ordinary [`Expr`] so the duration-literal form
891/// (`5.minutes`, landing with the `Duration` slice) needs no special grammar;
892/// the checker restricts it to a literal where the annotation is functional.
893#[derive(Debug, Clone)]
894pub struct AnnotationArg {
895    pub label: Option<Ident>,
896    pub value: Expr,
897    pub span: Span,
898}
899
900/// A storage kind applied to its element type(s) (v0.81): `Cell[Int]`,
901/// `Map[ReservationId, Reservation]`. The `head` is the kind name (`Cell`,
902/// `Map`, `Set`, `Log`, `Queue`, `Cache`); the checker validates it against the
903/// closed catalogue. Element types are ordinary [`TypeRef`]s. Refined element
904/// types (`Cell[Int where NonNegative]`) ride a later slice (parse_type_ref does
905/// not yet accept an inline refinement in type-argument position).
906#[derive(Debug, Clone)]
907pub struct StoreKind {
908    pub head: Ident,
909    pub args: Vec<TypeRef>,
910    pub span: Span,
911}
912
913/// An agent invariant (v0.80 §14). A named predicate over the agent's state
914/// fields that must hold of every committed state; a commit that would violate
915/// it faults (`InvariantViolation`) before the state is persisted. The
916/// predicate references state fields by bare name, mirroring the design-notes
917/// worked examples (`status == Paid implies paymentRef.isSome()`).
918#[derive(Debug, Clone)]
919pub struct Invariant {
920    pub name: Ident,
921    /// The predicate expression — an ordinary `Bool`-typed expression over the
922    /// state fields, plus `implies` and `is`. The parsed-predicate-on-a-
923    /// declaration shape mirrors [`ActorRefinement::predicate`].
924    pub predicate: Expr,
925    pub documentation: Option<String>,
926    pub span: Span,
927    pub trivia: Trivia,
928}
929
930/// An agent step invariant (v0.116 §, testing track slice 4). A named predicate
931/// over the *pair* of committed states — the pre-commit `old` and the proposed
932/// `new`, each the agent's state record — that must hold of every state move; a
933/// commit that would violate it faults (`InvariantViolation`) before the state is
934/// persisted, exactly as a snapshot [`Invariant`] does. Widens the invariant
935/// subject from a snapshot to a step (ADR 0144 — one predicate surface); the
936/// predicate reuses the invariant surface (`implies`/`is`/pure methods) with
937/// `old`/`new` bound contextually (`old.status is Paid implies new.status is
938/// Paid`).
939#[derive(Debug, Clone)]
940pub struct Transition {
941    pub name: Ident,
942    /// The predicate expression — an ordinary `Bool`-typed expression over the
943    /// `old` and `new` state records, with `implies`/`is` and pure methods,
944    /// mirroring [`Invariant`].
945    pub predicate: Expr,
946    pub documentation: Option<String>,
947    pub span: Span,
948    pub trivia: Trivia,
949}
950
951/// A function contract clause (v0.115 §, testing track slice 3). A named
952/// predicate on a `fn` signature — a `requires` (precondition) or `ensures`
953/// (postcondition). A contract is the invariant predicate attached to a
954/// function (ADR 0144 — one predicate surface): the predicate is a pure `Bool`
955/// expression over the parameters (`requires`) or the parameters plus `result`
956/// (`ensures`), with `implies`/`is` and pure methods, mirroring [`Invariant`].
957/// The name rides the failure report and the redundant-test dedup.
958#[derive(Debug, Clone)]
959pub struct Contract {
960    pub name: Ident,
961    /// The predicate expression — an ordinary `Bool`-typed expression over the
962    /// parameters (and, for an `ensures`, the contextual `result` binding).
963    pub predicate: Expr,
964    pub span: Span,
965}
966
967/// An actor declaration (v0.45 §3.7). An actor is a nominal *contract type*
968/// describing an external party at a boundary — not a runnable entity. A
969/// handler consumes an actor on its `by` clause; the boundary verifies the
970/// declared `auth` scheme and mints a sealed identity (`name.identity`).
971#[derive(Debug, Clone)]
972pub struct ActorDecl {
973    pub name: Ident,
974    /// The authentication scheme from `auth = <Scheme>`, stored as the raw
975    /// identifier. The checker classifies it: `None`/`Internal`/`Bearer` are
976    /// admitted; `Signature` is reserved-and-rejected
977    /// (`bynk.actor.scheme_unsupported`); anything else is
978    /// `bynk.actor.unknown_scheme`. `None` for the refinement form.
979    pub auth: Option<Ident>,
980    /// The scheme's keyed config from `auth = Scheme(key = value, …)` (v0.47
981    /// `Bearer(secret = "…")`; v0.51 generalised for `Signature(secret, header,
982    /// timestamp?, tolerance?)`). Empty for schemes/forms with no config. The
983    /// checker validates which keys each scheme requires/allows.
984    pub auth_config: Vec<SchemeArg>,
985    /// The optional identity type from `, identity = <T>`. Absent ⇒ the
986    /// scheme default (`()` for `None`; a sealed `CallerId` for the `Internal`
987    /// `on call` channel, `()` for other `Internal` channels).
988    pub identity: Option<TypeRef>,
989    /// The reserved-and-rejected refinement form `actor Admin = Base where p`
990    /// (Q3). Parsed so the grammar is fixed now; the checker emits
991    /// `bynk.actor.refinement_unsupported`.
992    pub refinement: Option<ActorRefinement>,
993    pub documentation: Option<String>,
994    pub span: Span,
995    pub trivia: Trivia,
996}
997
998impl ActorDecl {
999    /// The value of a scheme config arg by key, if present (e.g. `secret`,
1000    /// `header`).
1001    pub fn scheme_arg(&self, key: &str) -> Option<&SchemeArg> {
1002        self.auth_config.iter().find(|a| a.key.name == key)
1003    }
1004}
1005
1006/// One `key = value` argument in a scheme config (`Scheme(key = value, …)`).
1007#[derive(Debug, Clone)]
1008pub struct SchemeArg {
1009    pub key: Ident,
1010    pub value: SchemeArgValue,
1011    /// Span of the value, for diagnostics.
1012    pub span: Span,
1013}
1014
1015/// A scheme config arg value — a string literal or an integer.
1016#[derive(Debug, Clone)]
1017pub enum SchemeArgValue {
1018    Str(String),
1019    Int(i64),
1020}
1021
1022impl SchemeArgValue {
1023    pub fn as_str(&self) -> Option<&str> {
1024        match self {
1025            SchemeArgValue::Str(s) => Some(s),
1026            SchemeArgValue::Int(_) => None,
1027        }
1028    }
1029    pub fn as_int(&self) -> Option<i64> {
1030        match self {
1031            SchemeArgValue::Int(n) => Some(*n),
1032            SchemeArgValue::Str(_) => None,
1033        }
1034    }
1035}
1036
1037/// The reserved refinement form `actor Admin = User where <predicate>` (Q3).
1038/// Parsed in Foundations so the grammar is fixed; admission is a later slice.
1039#[derive(Debug, Clone)]
1040pub struct ActorRefinement {
1041    /// The base actor being refined.
1042    pub base: Ident,
1043    /// The `where` predicate. Parsed but not yet checked.
1044    pub predicate: Expr,
1045    pub span: Span,
1046}
1047
1048/// The `by (<binder>:)? <Actor>` clause on a handler (v0.45; binder optional in
1049/// v0.50). Names the actor contract the handler consumes; when a `binder` is
1050/// given, the verified identity binds to it and is read as `binder.identity`.
1051/// Omitting the binder (`by <Actor>`) declares-and-verifies the contract without
1052/// capturing the identity — for anonymous or verify-and-discard handlers. Sits
1053/// after the protocol config and before the parameters.
1054#[derive(Debug, Clone)]
1055pub struct ByClause {
1056    /// The identity binder, if the handler consumes the identity. `None` for the
1057    /// binder-less `by <Actor>` form. Required when `actors` names more than one
1058    /// (a sum is resolved by matching on the bound actor).
1059    pub binder: Option<Ident>,
1060    /// The actor contract(s) referenced — each a local actor decl or a prelude
1061    /// actor. A single name is the ordinary single-actor handler; more than one
1062    /// (`by who: A | B`, v0.52) is an **ordered sum of peer actors** resolved
1063    /// first-wins, the body matching on the resolved actor. Always non-empty.
1064    pub actors: Vec<Ident>,
1065    pub span: Span,
1066}
1067
1068impl ByClause {
1069    /// The first (and, for a single-actor handler, only) actor contract named.
1070    pub fn primary(&self) -> &Ident {
1071        &self.actors[0]
1072    }
1073    /// Whether this `by` clause names an ordered sum of peer actors (`A | B`).
1074    pub fn is_sum(&self) -> bool {
1075        self.actors.len() > 1
1076    }
1077}
1078
1079/// A handler block — `on call(args) -> T given C1, C2 { body }`.
1080/// Used by both services and agents.
1081#[derive(Debug, Clone)]
1082pub struct Handler {
1083    pub kind: HandlerKind,
1084    /// Handler-position annotations (v0.140, ADR 0163): `@cache(maxAge: 5.minutes)`
1085    /// written immediately before `on <METHOD>(…)`. Reuses the [`Annotation`] AST
1086    /// shared with `store` fields (ADR 0111); the grammar accepts any `@name(args)`
1087    /// so an unknown name is a project-validation diagnostic, not a parse error. The
1088    /// first handler-position annotation surface — empty for every handler that
1089    /// carries none.
1090    pub annotations: Vec<Annotation>,
1091    /// For agent handlers, the method-style handler name (e.g.
1092    /// `on call addItem(...)`). For service handlers, this is None (just
1093    /// `on call(...)`).
1094    pub method_name: Option<Ident>,
1095    /// The `by <binder>: <Actor>` clause (v0.45), if present. Service handlers
1096    /// only; an absent clause inherits the protocol's default actor.
1097    pub by_clause: Option<ByClause>,
1098    pub params: Vec<Param>,
1099    pub return_type: TypeRef,
1100    pub given: Vec<CapRef>,
1101    pub body: Block,
1102    pub documentation: Option<String>,
1103    pub span: Span,
1104    pub trivia: Trivia,
1105}
1106
1107#[derive(Debug, Clone, PartialEq, Eq)]
1108pub enum HandlerKind {
1109    /// `on call(...)` — typed RPC (the only kind in v0.5).
1110    Call,
1111    /// `on http METHOD "path"` — external-facing HTTP route (v0.9).
1112    Http { method: HttpMethod, path: String },
1113    /// `on cron "expr"` — scheduled task; `expr` is a 5-field cron
1114    /// expression (v0.10a).
1115    Cron { expr: String },
1116    /// `on message(m: T)` — a message off the service's bound queue. The queue
1117    /// binding lives on the service's `ServiceProtocol::Queue` (v0.44).
1118    Message,
1119    /// `on open ...` — the WebSocket upgrade handler (v0.103, real-time track
1120    /// slice 3). Exactly one per `from WebSocket` service; carries a mandatory
1121    /// `by` clause (edge auth) and receives a fresh owned `Connection[out]`.
1122    Open,
1123    /// `on close ...` — the WebSocket close handler (v0.106, real-time track slice
1124    /// 3b-iii). Optional, ≤1 per `from WebSocket` service; runs when the socket
1125    /// closes. Like `on open`, edge-authenticated (`by`), with the identity/params
1126    /// recovered from the socket attachment (set at `on open`). (A `from WebSocket`
1127    /// `on message` reuses [`HandlerKind::Message`], disambiguated by the protocol.)
1128    Close,
1129}
1130
1131/// HTTP methods supported by `on http` handlers (v0.9).
1132#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
1133pub enum HttpMethod {
1134    Get,
1135    Post,
1136    Put,
1137    Patch,
1138    Delete,
1139}
1140
1141impl HttpMethod {
1142    pub fn as_str(self) -> &'static str {
1143        match self {
1144            HttpMethod::Get => "GET",
1145            HttpMethod::Post => "POST",
1146            HttpMethod::Put => "PUT",
1147            HttpMethod::Patch => "PATCH",
1148            HttpMethod::Delete => "DELETE",
1149        }
1150    }
1151
1152    pub fn from_ident(s: &str) -> Option<HttpMethod> {
1153        match s {
1154            "GET" => Some(HttpMethod::Get),
1155            "POST" => Some(HttpMethod::Post),
1156            "PUT" => Some(HttpMethod::Put),
1157            "PATCH" => Some(HttpMethod::Patch),
1158            "DELETE" => Some(HttpMethod::Delete),
1159            _ => None,
1160        }
1161    }
1162
1163    /// True if this method conventionally has no request body.
1164    pub fn forbids_body(self) -> bool {
1165        matches!(self, HttpMethod::Get | HttpMethod::Delete)
1166    }
1167}
1168
1169/// Payload shape of an `HttpResult[T]` variant (v0.9 §3.3).
1170#[derive(Debug, Clone, Copy, PartialEq, Eq)]
1171pub enum HttpVariantPayload {
1172    /// No payload (e.g. `NoContent`, `Unauthorized`).
1173    None,
1174    /// Carries a value of the `HttpResult` type parameter `T`.
1175    Value,
1176    /// Carries a `String` message (e.g. `BadRequest`, `Conflict`).
1177    Message,
1178    /// Carries a `String` target URL, emitted as a `Location` header — the
1179    /// redirect variants (`Found`, `SeeOther`, `PermanentRedirect`, …).
1180    Location,
1181    /// Carries a `Stream[String]`, emitted as an SSE (`text/event-stream`)
1182    /// streaming body — the `Streaming` (200) variant (v0.101, real-time track
1183    /// slice 1).
1184    Streamed,
1185    /// Carries `(body: Bytes, contentType: String)` — the author-owned raw body
1186    /// written straight into the response with the declared `content-type` and
1187    /// **no codec** (the typed-wire guarantee is deliberately off). The `Raw`
1188    /// (200) variant (v0.111); the first two-argument payload shape.
1189    Raw,
1190}
1191
1192/// One variant of the built-in `HttpResult[T]` sum (v0.9 §3.3).
1193#[derive(Debug, Clone, Copy)]
1194pub struct HttpVariant {
1195    pub name: &'static str,
1196    pub payload: HttpVariantPayload,
1197    pub status: u16,
1198}
1199
1200/// All `HttpResult[T]` variants, in declaration order (ascending status). The
1201/// vocabulary tracks the common, modern HTTP status codes (RFC 9110): success
1202/// and created/accepted (`Value`), redirects carrying a `Location` URL, and
1203/// the client/server failures that handlers routinely return (`Message` when
1204/// an explanation helps the caller, `None` for self-describing statuses).
1205pub const HTTP_VARIANTS: &[HttpVariant] = &[
1206    // ── 2xx success ──────────────────────────────────────────────────────
1207    HttpVariant {
1208        name: "Ok",
1209        payload: HttpVariantPayload::Value,
1210        status: 200,
1211    },
1212    // v0.101 (real-time track slice 1): a 200 whose body is a streamed
1213    // `Stream[String]`, SSE-framed. Status precedes the body, so streaming is
1214    // 200-only — pre-stream failures are ordinary variants returned instead.
1215    HttpVariant {
1216        name: "Streaming",
1217        payload: HttpVariantPayload::Streamed,
1218        status: 200,
1219    },
1220    // v0.111: a 200 whose body is an author-owned `Bytes` written straight into
1221    // the response with the declared `content-type` — no codec runs. 200-only,
1222    // like `Streaming`: it serves service-tier raw bodies (`robots.txt`,
1223    // `sitemap.xml`, feeds, a QR PNG), not custom-status error pages.
1224    HttpVariant {
1225        name: "Raw",
1226        payload: HttpVariantPayload::Raw,
1227        status: 200,
1228    },
1229    HttpVariant {
1230        name: "Created",
1231        payload: HttpVariantPayload::Value,
1232        status: 201,
1233    },
1234    HttpVariant {
1235        name: "Accepted",
1236        payload: HttpVariantPayload::Value,
1237        status: 202,
1238    },
1239    HttpVariant {
1240        name: "NoContent",
1241        payload: HttpVariantPayload::None,
1242        status: 204,
1243    },
1244    // ── 3xx redirection (carry a `Location` URL) ─────────────────────────
1245    HttpVariant {
1246        name: "MovedPermanently",
1247        payload: HttpVariantPayload::Location,
1248        status: 301,
1249    },
1250    HttpVariant {
1251        name: "Found",
1252        payload: HttpVariantPayload::Location,
1253        status: 302,
1254    },
1255    HttpVariant {
1256        name: "SeeOther",
1257        payload: HttpVariantPayload::Location,
1258        status: 303,
1259    },
1260    HttpVariant {
1261        name: "TemporaryRedirect",
1262        payload: HttpVariantPayload::Location,
1263        status: 307,
1264    },
1265    HttpVariant {
1266        name: "PermanentRedirect",
1267        payload: HttpVariantPayload::Location,
1268        status: 308,
1269    },
1270    // ── 4xx client error ─────────────────────────────────────────────────
1271    HttpVariant {
1272        name: "BadRequest",
1273        payload: HttpVariantPayload::Message,
1274        status: 400,
1275    },
1276    HttpVariant {
1277        name: "Unauthorized",
1278        payload: HttpVariantPayload::None,
1279        status: 401,
1280    },
1281    HttpVariant {
1282        name: "Forbidden",
1283        payload: HttpVariantPayload::None,
1284        status: 403,
1285    },
1286    HttpVariant {
1287        name: "NotFound",
1288        payload: HttpVariantPayload::None,
1289        status: 404,
1290    },
1291    HttpVariant {
1292        name: "MethodNotAllowed",
1293        payload: HttpVariantPayload::None,
1294        status: 405,
1295    },
1296    HttpVariant {
1297        name: "NotAcceptable",
1298        payload: HttpVariantPayload::None,
1299        status: 406,
1300    },
1301    HttpVariant {
1302        name: "RequestTimeout",
1303        payload: HttpVariantPayload::None,
1304        status: 408,
1305    },
1306    HttpVariant {
1307        name: "Conflict",
1308        payload: HttpVariantPayload::Message,
1309        status: 409,
1310    },
1311    HttpVariant {
1312        name: "Gone",
1313        payload: HttpVariantPayload::None,
1314        status: 410,
1315    },
1316    HttpVariant {
1317        name: "LengthRequired",
1318        payload: HttpVariantPayload::None,
1319        status: 411,
1320    },
1321    HttpVariant {
1322        name: "PayloadTooLarge",
1323        payload: HttpVariantPayload::Message,
1324        status: 413,
1325    },
1326    HttpVariant {
1327        name: "UnsupportedMediaType",
1328        payload: HttpVariantPayload::Message,
1329        status: 415,
1330    },
1331    HttpVariant {
1332        name: "UnprocessableEntity",
1333        payload: HttpVariantPayload::Message,
1334        status: 422,
1335    },
1336    HttpVariant {
1337        name: "TooManyRequests",
1338        payload: HttpVariantPayload::Message,
1339        status: 429,
1340    },
1341    HttpVariant {
1342        name: "UnavailableForLegalReasons",
1343        payload: HttpVariantPayload::Message,
1344        status: 451,
1345    },
1346    // ── 5xx server error ─────────────────────────────────────────────────
1347    HttpVariant {
1348        name: "ServerError",
1349        payload: HttpVariantPayload::Message,
1350        status: 500,
1351    },
1352    HttpVariant {
1353        name: "NotImplemented",
1354        payload: HttpVariantPayload::Message,
1355        status: 501,
1356    },
1357    HttpVariant {
1358        name: "BadGateway",
1359        payload: HttpVariantPayload::Message,
1360        status: 502,
1361    },
1362    HttpVariant {
1363        name: "ServiceUnavailable",
1364        payload: HttpVariantPayload::Message,
1365        status: 503,
1366    },
1367    HttpVariant {
1368        name: "GatewayTimeout",
1369        payload: HttpVariantPayload::Message,
1370        status: 504,
1371    },
1372];
1373
1374/// Find an `HttpResult[T]` variant by name. Returns the variant info or
1375/// `None` if the name doesn't match.
1376pub fn http_variant(name: &str) -> Option<HttpVariant> {
1377    HTTP_VARIANTS.iter().copied().find(|v| v.name == name)
1378}
1379
1380/// Payload shape of a `QueueResult` variant (v0.44). Non-generic — a verdict
1381/// carries no value; `Retry` carries a `String` reason for the log path.
1382#[derive(Debug, Clone, Copy, PartialEq, Eq)]
1383pub enum QueueVariantPayload {
1384    /// No payload (`Ack`).
1385    None,
1386    /// Carries a `String` reason (`Retry`).
1387    Message,
1388}
1389
1390/// One variant of the built-in `QueueResult` sum (v0.44).
1391#[derive(Debug, Clone, Copy)]
1392pub struct QueueVariant {
1393    pub name: &'static str,
1394    pub payload: QueueVariantPayload,
1395}
1396
1397/// All `QueueResult` variants, in declaration order. `Ack` confirms the
1398/// message; `Retry` redelivers it, carrying a reason for observability.
1399pub const QUEUE_VARIANTS: &[QueueVariant] = &[
1400    QueueVariant {
1401        name: "Ack",
1402        payload: QueueVariantPayload::None,
1403    },
1404    QueueVariant {
1405        name: "Retry",
1406        payload: QueueVariantPayload::Message,
1407    },
1408];
1409
1410/// Find a `QueueResult` variant by name.
1411pub fn queue_variant(name: &str) -> Option<QueueVariant> {
1412    QUEUE_VARIANTS.iter().copied().find(|v| v.name == name)
1413}
1414
1415#[derive(Debug, Clone)]
1416pub struct TypeDecl {
1417    pub name: Ident,
1418    pub body: TypeBody,
1419    /// Documentation block attached to this declaration (v0.3).
1420    pub documentation: Option<String>,
1421    pub span: Span,
1422    pub trivia: Trivia,
1423}
1424
1425/// The right-hand side of a `type` declaration. In v0/v0.1 only the
1426/// `Refined` variant existed; v0.2 adds records and sums; v0.3 adds opaque.
1427#[derive(Debug, Clone)]
1428pub enum TypeBody {
1429    /// Refined base type: `BaseType where refinement`.
1430    Refined {
1431        base: BaseType,
1432        base_span: Span,
1433        refinement: Option<Refinement>,
1434    },
1435    /// Record type: `{ field: T where ..., ... }`.
1436    Record(RecordBody),
1437    /// Sum type: pipe-form variants or `enum { ... }` shorthand.
1438    Sum(SumBody),
1439    /// Opaque base type: `opaque BaseType (where refinement)?` (v0.3 §3.4).
1440    /// Identity is nominal; the base type is hidden outside the defining commons.
1441    Opaque {
1442        base: BaseType,
1443        base_span: Span,
1444        refinement: Option<Refinement>,
1445    },
1446}
1447
1448/// Body of a record-type declaration (v0.2 §3.1).
1449#[derive(Debug, Clone)]
1450pub struct RecordBody {
1451    pub fields: Vec<RecordField>,
1452    pub span: Span,
1453}
1454
1455/// One field of a record type declaration. Each field may carry inline
1456/// refinement, which is enforced at construction time on the field's value.
1457#[derive(Debug, Clone)]
1458pub struct RecordField {
1459    pub name: Ident,
1460    pub type_ref: TypeRef,
1461    pub refinement: Option<Refinement>,
1462    /// v0.11: an optional initial-value expression. Only meaningful on agent
1463    /// `state` fields (the field's fresh-key value); ignored / rejected on
1464    /// record-type fields by the checker.
1465    pub init: Option<Expr>,
1466    pub span: Span,
1467}
1468
1469/// Body of a sum-type declaration (v0.2 §3.2).
1470#[derive(Debug, Clone)]
1471pub struct SumBody {
1472    pub variants: Vec<Variant>,
1473    pub span: Span,
1474}
1475
1476/// One variant of a sum type. Variants may have payload fields; a
1477/// payload-less variant is a simple tag.
1478#[derive(Debug, Clone)]
1479pub struct Variant {
1480    pub name: Ident,
1481    pub payload: Vec<VariantField>,
1482    pub span: Span,
1483}
1484
1485/// One payload field of a sum variant. Variant payload fields use named
1486/// declarations like record fields, but do not carry refinement in v0.2.
1487#[derive(Debug, Clone)]
1488pub struct VariantField {
1489    pub name: Ident,
1490    pub type_ref: TypeRef,
1491    pub span: Span,
1492}
1493
1494#[derive(Debug, Clone, Copy, PartialEq, Eq)]
1495pub enum BaseType {
1496    Int,
1497    String,
1498    Bool,
1499    Float,
1500    /// `Duration` (v0.86, ADR 0112) — a span of time, a distinct base type
1501    /// erased to TS `number` carrying milliseconds (the `Clock` unit). Modelled
1502    /// on `Float`: Bynk-side-only, no implicit `Int` coercion (save the one
1503    /// sanctioned clock-math mix).
1504    Duration,
1505    /// `Instant` (v0.90, ADR 0114) — an absolute point in time, a distinct base
1506    /// type erased to TS `number` carrying Unix epoch milliseconds (the
1507    /// `Clock` unit). No literal (minted by `Clock.now()`); arithmetic composes
1508    /// with `Duration` (`Instant ± Duration -> Instant`, `Instant − Instant ->
1509    /// Duration`). Supersedes ADR 0112 D4's `Int`↔`Duration` clock-math mix.
1510    Instant,
1511    /// `Bytes` (v0.110, ADR 0142) — an immutable finite octet sequence, the
1512    /// seventh base type. Unlike its neighbours it does **not** erase to TS
1513    /// `number`: a `Bytes` lowers to a `Uint8Array`. No source literal
1514    /// (constructed via `Bytes.fromUtf8`/`fromBase64`/`empty`); `==` compares
1515    /// by content (real emitter codegen, not host `===`); wires as a base64
1516    /// JSON string; not `Map`-keyable and not orderable.
1517    Bytes,
1518}
1519
1520impl BaseType {
1521    pub fn name(self) -> &'static str {
1522        match self {
1523            BaseType::Int => "Int",
1524            BaseType::String => "String",
1525            BaseType::Bool => "Bool",
1526            BaseType::Float => "Float",
1527            BaseType::Duration => "Duration",
1528            BaseType::Instant => "Instant",
1529            BaseType::Bytes => "Bytes",
1530        }
1531    }
1532}
1533
1534/// A `Duration` literal unit (v0.86, ADR 0112) — the closed set of suffixes in a
1535/// `<int>.<unit>` literal. Each maps to a fixed millisecond factor (`Duration`
1536/// erases to `Int` milliseconds).
1537#[derive(Debug, Clone, Copy, PartialEq, Eq)]
1538pub enum DurationUnit {
1539    Milliseconds,
1540    Seconds,
1541    Minutes,
1542    Hours,
1543    Days,
1544}
1545
1546impl DurationUnit {
1547    /// Resolve a unit name (`minutes`) to its variant, or `None` if it is not one
1548    /// of the closed set. Used by the parser to recognise an `<int>.<unit>`
1549    /// literal; an unrecognised name leaves the expression a field access.
1550    pub fn from_name(name: &str) -> Option<Self> {
1551        Some(match name {
1552            "milliseconds" => DurationUnit::Milliseconds,
1553            "seconds" => DurationUnit::Seconds,
1554            "minutes" => DurationUnit::Minutes,
1555            "hours" => DurationUnit::Hours,
1556            "days" => DurationUnit::Days,
1557            _ => return None,
1558        })
1559    }
1560
1561    /// The unit name as written.
1562    pub fn name(self) -> &'static str {
1563        match self {
1564            DurationUnit::Milliseconds => "milliseconds",
1565            DurationUnit::Seconds => "seconds",
1566            DurationUnit::Minutes => "minutes",
1567            DurationUnit::Hours => "hours",
1568            DurationUnit::Days => "days",
1569        }
1570    }
1571
1572    /// The unit's value in milliseconds.
1573    pub fn millis(self) -> i64 {
1574        match self {
1575            DurationUnit::Milliseconds => 1,
1576            DurationUnit::Seconds => 1_000,
1577            DurationUnit::Minutes => 60_000,
1578            DurationUnit::Hours => 3_600_000,
1579            DurationUnit::Days => 86_400_000,
1580        }
1581    }
1582}
1583
1584/// An integer refinement bound (v0.40, ADR 0073): the parsed value plus the
1585/// bound's source span (covering a leading `-`). Value-only beyond the span —
1586/// ints have one canonical printed form, so the formatter stays idempotent
1587/// without a stored lexeme. The span backs the `InRange`-swap quick-fix.
1588#[derive(Debug, Clone)]
1589pub struct IntBound {
1590    pub value: i64,
1591    pub span: Span,
1592}
1593
1594/// A float refinement bound (v0.21): the parsed value plus the signed source
1595/// lexeme (for byte-stable emission). v0.40 (ADR 0073): also the source span,
1596/// for the `InRange`-swap quick-fix.
1597#[derive(Debug, Clone)]
1598pub struct FloatBound {
1599    pub value: f64,
1600    pub lexeme: String,
1601    pub span: Span,
1602}
1603
1604#[derive(Debug, Clone)]
1605pub struct Refinement {
1606    pub predicates: Vec<RefinementPred>,
1607    pub span: Span,
1608}
1609
1610#[derive(Debug, Clone)]
1611pub struct RefinementPred {
1612    pub kind: PredKind,
1613    pub span: Span,
1614}
1615
1616#[derive(Debug, Clone)]
1617pub enum PredKind {
1618    Matches(String),
1619    InRange(IntBound, IntBound),
1620    /// `InRange` with float bounds (v0.21) — a separate variant so every
1621    /// `Int` refinement path stays untouched. Bounds keep their source
1622    /// lexemes (including any sign) so emitted runtime checks are
1623    /// byte-stable.
1624    InRangeF(FloatBound, FloatBound),
1625    MinLength(i64),
1626    MaxLength(i64),
1627    Length(i64),
1628    NonNegative,
1629    Positive,
1630    NonEmpty,
1631}
1632
1633impl PredKind {
1634    pub fn name(&self) -> &'static str {
1635        match self {
1636            PredKind::Matches(_) => "Matches",
1637            PredKind::InRange(..) | PredKind::InRangeF(..) => "InRange",
1638            PredKind::MinLength(_) => "MinLength",
1639            PredKind::MaxLength(_) => "MaxLength",
1640            PredKind::Length(_) => "Length",
1641            PredKind::NonNegative => "NonNegative",
1642            PredKind::Positive => "Positive",
1643            PredKind::NonEmpty => "NonEmpty",
1644        }
1645    }
1646}
1647
1648/// A function type parameter (v0.20a, `fn name[A, B](…)`). A struct rather
1649/// than a bare Ident so the ADR-0028 "bound-capable" promise is a later field
1650/// addition, not a representation change.
1651#[derive(Debug, Clone)]
1652pub struct TypeParam {
1653    pub name: Ident,
1654    pub span: Span,
1655}
1656
1657/// A lambda expression (v0.20a): `(params) => expr` or `(params) => { … }`.
1658/// `=>` is the value arrow (shared with `match`); param annotations are
1659/// optional where an expected function type supplies them.
1660#[derive(Debug, Clone)]
1661pub struct LambdaExpr {
1662    pub params: Vec<LambdaParam>,
1663    pub body: Box<Expr>,
1664    pub span: Span,
1665}
1666
1667/// A lambda parameter. A separate type from [`Param`] because its annotation
1668/// is optional — `Param.type_ref` stays mandatory at every signature site.
1669#[derive(Debug, Clone)]
1670pub struct LambdaParam {
1671    pub name: Ident,
1672    pub type_ref: Option<TypeRef>,
1673    pub span: Span,
1674}
1675
1676#[derive(Debug, Clone)]
1677pub struct FnDecl {
1678    /// v0.20a: `[A, B]` type parameters; empty for non-generic functions.
1679    pub type_params: Vec<TypeParam>,
1680    /// Free function or method (`TypeName.methodName`). See [`FnName`].
1681    pub name: FnName,
1682    pub params: Vec<Param>,
1683    pub return_type: TypeRef,
1684    /// v0.115: preconditions (`requires <name>: <pred>`), parsed between the
1685    /// return type and the body. A contract clause is the invariant predicate
1686    /// attached to a function (ADR 0144 — one predicate surface); `requires`
1687    /// scopes over the parameters only.
1688    pub requires: Vec<Contract>,
1689    /// v0.115: postconditions (`ensures <name>: <pred>`). Scopes over the
1690    /// parameters *and* `result`, the contextual binding for the return value.
1691    pub ensures: Vec<Contract>,
1692    pub body: Block,
1693    /// True when the first parameter is the special `self` parameter. Only
1694    /// valid for method declarations.
1695    pub has_self: bool,
1696    /// Documentation block attached to this declaration (v0.3).
1697    pub documentation: Option<String>,
1698    pub span: Span,
1699    pub trivia: Trivia,
1700}
1701
1702/// A function-declaration name: either a free function `f` or a method
1703/// `T.method` (v0.2 §3.6).
1704#[derive(Debug, Clone)]
1705pub enum FnName {
1706    /// `fn name(...)` — a free function.
1707    Free(Ident),
1708    /// `fn TypeName.methodName(...)` — a method attached to a type.
1709    Method {
1710        type_name: Ident,
1711        method_name: Ident,
1712    },
1713}
1714
1715impl FnName {
1716    /// The function's short name for diagnostics. For methods returns the
1717    /// method portion only; the type prefix is recovered via `type_name`.
1718    pub fn ident(&self) -> &Ident {
1719        match self {
1720            FnName::Free(id) => id,
1721            FnName::Method { method_name, .. } => method_name,
1722        }
1723    }
1724
1725    /// For methods, the attached type's identifier; `None` for free fns.
1726    pub fn type_name(&self) -> Option<&Ident> {
1727        match self {
1728            FnName::Free(_) => None,
1729            FnName::Method { type_name, .. } => Some(type_name),
1730        }
1731    }
1732
1733    /// The displayed full name (e.g., `Money.add` or `parseSku`).
1734    pub fn display(&self) -> String {
1735        match self {
1736            FnName::Free(id) => id.name.clone(),
1737            FnName::Method {
1738                type_name,
1739                method_name,
1740            } => format!("{}.{}", type_name.name, method_name.name),
1741        }
1742    }
1743}
1744
1745/// A brace-delimited block of statements ending in a tail expression
1746/// whose value is the block's value (spec v0.1 §3.1).
1747#[derive(Debug, Clone)]
1748pub struct Block {
1749    pub statements: Vec<Statement>,
1750    pub tail: Box<Expr>,
1751    pub span: Span,
1752    /// Line comments that appear between the last statement (or the
1753    /// opening brace) and the tail expression. Preserved here because
1754    /// expressions do not carry trivia in v1.1.
1755    pub tail_leading_comments: Vec<String>,
1756}
1757
1758/// Block-level statement.
1759#[derive(Debug, Clone)]
1760pub enum Statement {
1761    /// `let name (: T)? = expr` — pure binding (v0.1).
1762    Let(LetStmt),
1763    /// `let name (: T)? <- expr` — effectful binding (v0.5).
1764    EffectLet(LetStmt),
1765    /// `expect expr` — verify a Bool predicate at test runtime (v0.7; renamed
1766    /// from `assert` in v0.112). Only valid inside test case bodies.
1767    Expect(ExpectStmt),
1768    /// `~> expr` — an asynchronous fire-and-forget send (v0.79). The caller does
1769    /// not await the reply; legal only when the reply is `Effect[()]`. No binder.
1770    Send(SendStmt),
1771    /// `name := expr` — a `Cell` store write (v0.81, storage track). The
1772    /// unconditional write form; `.update(fn)` (a method call) is the
1773    /// read-modify-write form. ADR 0108.
1774    Assign(AssignStmt),
1775}
1776
1777impl Statement {
1778    pub fn span(&self) -> Span {
1779        match self {
1780            Statement::Let(l) | Statement::EffectLet(l) => l.span,
1781            Statement::Expect(a) => a.span,
1782            Statement::Send(s) => s.span,
1783            Statement::Assign(a) => a.span,
1784        }
1785    }
1786}
1787
1788#[derive(Debug, Clone)]
1789pub struct ExpectStmt {
1790    pub value: Expr,
1791    pub span: Span,
1792    pub trivia: Trivia,
1793}
1794
1795/// `name := expr` — a `Cell` store write (v0.81, storage track). `target` is the
1796/// `Cell` field being written (a bare name for now; the checker resolves it to a
1797/// `store` field). `value` is the new value.
1798#[derive(Debug, Clone)]
1799pub struct AssignStmt {
1800    pub target: Ident,
1801    pub value: Expr,
1802    pub span: Span,
1803    pub trivia: Trivia,
1804}
1805
1806#[derive(Debug, Clone)]
1807pub struct LetStmt {
1808    pub name: Ident,
1809    pub type_annot: Option<TypeRef>,
1810    pub value: Expr,
1811    pub span: Span,
1812    pub trivia: Trivia,
1813}
1814
1815#[derive(Debug, Clone)]
1816pub struct SendStmt {
1817    /// The send target — a recipient call, e.g. `Logger.info(msg)`.
1818    pub value: Expr,
1819    pub span: Span,
1820    pub trivia: Trivia,
1821}
1822
1823#[derive(Debug, Clone)]
1824pub struct Param {
1825    pub name: Ident,
1826    pub type_ref: TypeRef,
1827    pub span: Span,
1828}
1829
1830#[derive(Debug, Clone)]
1831pub enum TypeRef {
1832    Base(BaseType, Span),
1833    Named(Ident),
1834    /// `Result[T, E]` — the built-in generic Result type (v0.1).
1835    Result(Box<TypeRef>, Box<TypeRef>, Span),
1836    /// `Option[T]` — the built-in generic Option type (v0.2).
1837    Option(Box<TypeRef>, Span),
1838    /// `Effect[T]` — the built-in generic Effect type (v0.5).
1839    Effect(Box<TypeRef>, Span),
1840    /// `HttpResult[T]` — the built-in HTTP-result sum (v0.9).
1841    HttpResult(Box<TypeRef>, Span),
1842    /// `QueueResult` — the built-in queue verdict sum (`Ack | Retry`),
1843    /// non-generic; the required return of a queue handler (v0.44).
1844    QueueResult(Span),
1845    /// `List[T]` — the built-in generic immutable list type (v0.20b).
1846    List(Box<TypeRef>, Span),
1847    /// `Map[K, V]` — the built-in generic immutable map type (v0.20b).
1848    /// Keys are confined to value-keyable types
1849    /// (`bynk.types.unkeyable_map_key`).
1850    Map(Box<TypeRef>, Box<TypeRef>, Span),
1851    /// `Query[T]` — the built-in lazy storage-read description (v0.91, ADR 0115).
1852    /// Nameable in a pure helper's return type; non-storable and non-boundary
1853    /// (like `Effect`/`Fn`).
1854    Query(Box<TypeRef>, Span),
1855    /// `Stream[T]` — the value-over-time primitive (v0.100, real-time track
1856    /// slice 0). A lazy, pull-shaped sequence produced over time; non-storable
1857    /// and non-boundary (like `Query`/`Effect`/`Fn`).
1858    Stream(Box<TypeRef>, Span),
1859    /// `Connection[F]` — a held WebSocket connection (v0.102, real-time track
1860    /// slice 2). `F` is the server→client frame type. A `Held` resource:
1861    /// non-serialisable, non-boundary, and governed by the linearity discipline
1862    /// (§2.9); storable only in `Cell[Option[Connection]]` / `Map[K, Connection]`.
1863    Connection(Box<TypeRef>, Span),
1864    /// `History[Agent]` — a generated, driven call-history of an agent (v0.119,
1865    /// testing track slice 7, ADR 0155). A test-only generator, legal only in
1866    /// `for all` binding position inside a `property`; it is not a value type,
1867    /// so it never resolves in a field/param/return position. The bound subject
1868    /// behaves as an ordinary `List[Step]`.
1869    History(Box<TypeRef>, Span),
1870    /// `ValidationError` — the built-in error type used by refined-type
1871    /// constructors (v0.1).
1872    ValidationError(Span),
1873    /// `JsonError` — the built-in JSON-decode error type (v0.22b). A
1874    /// uniform record (`kind`/`path`/`message`, all `String`) the codec
1875    /// maps `BoundaryError` variants and parse failures into.
1876    JsonError(Span),
1877    /// `()` — the unit type (v0.5).
1878    Unit(Span),
1879    /// `A -> B` / `(A, B) -> C` / `() -> B` — a function type (v0.20a).
1880    /// Right-associative; effectful iff the return type is `Effect[_]`
1881    /// (the structural rule). Confined to non-boundary positions
1882    /// (`bynk.types.function_at_boundary`).
1883    Fn(Vec<TypeRef>, Box<TypeRef>, Span),
1884}
1885
1886impl TypeRef {
1887    pub fn span(&self) -> Span {
1888        match self {
1889            TypeRef::Base(_, s) => *s,
1890            TypeRef::Named(id) => id.span,
1891            TypeRef::Result(_, _, s) => *s,
1892            TypeRef::Option(_, s) => *s,
1893            TypeRef::Effect(_, s) => *s,
1894            TypeRef::HttpResult(_, s) => *s,
1895            TypeRef::QueueResult(s) => *s,
1896            TypeRef::List(_, s) => *s,
1897            TypeRef::Map(_, _, s) => *s,
1898            TypeRef::Query(_, s) => *s,
1899            TypeRef::Stream(_, s) => *s,
1900            TypeRef::Connection(_, s) => *s,
1901            TypeRef::History(_, s) => *s,
1902            TypeRef::ValidationError(s) => *s,
1903            TypeRef::JsonError(s) => *s,
1904            TypeRef::Unit(s) => *s,
1905            TypeRef::Fn(_, _, s) => *s,
1906        }
1907    }
1908}
1909
1910#[derive(Debug, Clone)]
1911pub struct Expr {
1912    pub kind: ExprKind,
1913    pub span: Span,
1914}
1915
1916impl ExprKind {
1917    /// Construct an `IntLit` for a *synthesized* integer — one the compiler
1918    /// invents rather than reading from source (a default `1`, a computed bound).
1919    /// The lexeme is the canonical decimal form (no separators). Source-parsed
1920    /// literals keep their as-written lexeme instead (v0.142, ADR 0166).
1921    pub fn int_lit(value: i64) -> ExprKind {
1922        ExprKind::IntLit {
1923            value,
1924            lexeme: value.to_string(),
1925        }
1926    }
1927}
1928
1929#[derive(Debug, Clone)]
1930pub enum ExprKind {
1931    /// An integer literal (typed `Int`). The lexeme is kept alongside the parsed
1932    /// value (v0.142, ADR 0166) so formatting is byte-stable: an author's `_`
1933    /// digit separators (`1_048_576`) survive a round-trip, mirroring the
1934    /// `FloatLit` treatment. The value is separator-free; emission lowers the
1935    /// value, so emitted output is unaffected.
1936    IntLit {
1937        value: i64,
1938        lexeme: String,
1939    },
1940    /// A float literal (v0.21). The lexeme is kept alongside the parsed
1941    /// value so emission and formatting are byte-stable (`1e10` must not
1942    /// normalise to `10000000000`).
1943    FloatLit {
1944        value: f64,
1945        lexeme: String,
1946    },
1947    /// A duration literal `<int>.<unit>` (v0.86, ADR 0112): `5.minutes`,
1948    /// `30.days`. The parser recognises the `IntLit . <unit>` shape and records
1949    /// the magnitude, the unit, and the resolved milliseconds (the value the
1950    /// emitter lowers to). Typed `Duration`.
1951    DurationLit {
1952        /// The integer magnitude as written (`5` in `5.minutes`).
1953        value: i64,
1954        /// The unit name (`minutes`), one of the closed set.
1955        unit: DurationUnit,
1956        /// The value in milliseconds — `value * unit factor`.
1957        millis: i64,
1958    },
1959    StrLit(String),
1960    /// An interpolated string `"… \(expr) …"` (v0.43, ADR 0075). Chunks and
1961    /// holes alternate. A plain `"…"` with no holes stays [`ExprKind::StrLit`],
1962    /// so existing code and the emitter/formatter fast-path are untouched.
1963    InterpStr(Vec<InterpPart>),
1964    BoolLit(bool),
1965    Ident(Ident),
1966    Call {
1967        name: Ident,
1968        /// v0.20a: explicit type arguments (`name[T](…)`); empty when absent.
1969        type_args: Vec<TypeRef>,
1970        args: Vec<Expr>,
1971    },
1972    /// A lambda (v0.20a). See [`LambdaExpr`].
1973    Lambda(LambdaExpr),
1974    BinOp(BinOp, Box<Expr>, Box<Expr>),
1975    UnaryOp(UnaryOp, Box<Expr>),
1976    Paren(Box<Expr>),
1977    /// `{ stmts; expr }` — block expression (v0.1).
1978    Block(Block),
1979    /// `if cond { then } else { else }` (v0.1).
1980    If {
1981        cond: Box<Expr>,
1982        then_block: Box<Block>,
1983        else_block: Box<Block>,
1984    },
1985    /// `Ok(value)` — Result success constructor (v0.1).
1986    Ok(Box<Expr>),
1987    /// `Err(error)` — Result failure constructor (v0.1).
1988    Err(Box<Expr>),
1989    /// `expr?` — propagation operator (v0.1).
1990    Question(Box<Expr>),
1991    /// `TypeName.method(args)` — qualified static call on a type
1992    /// (v0.1: only refined-type `of`; v0.2: any static method or variant
1993    /// constructor for sum types). The resolver decides which.
1994    ConstructorCall {
1995        type_name: Ident,
1996        method: Ident,
1997        args: Vec<Expr>,
1998    },
1999    /// `TypeName { field: value, ... }` — record construction (v0.2).
2000    RecordConstruction {
2001        type_name: Ident,
2002        fields: Vec<FieldInit>,
2003    },
2004    /// `receiver.field` — field access on a record value (v0.2). v0.3 adds
2005    /// `.raw` on opaque types within the defining commons.
2006    FieldAccess {
2007        receiver: Box<Expr>,
2008        field: Ident,
2009    },
2010    /// `receiver.method(args)` — instance method call (v0.2). The
2011    /// resolver determines the receiver's type and looks up the method.
2012    MethodCall {
2013        receiver: Box<Expr>,
2014        method: Ident,
2015        /// v0.22b: explicit type arguments on a qualified static
2016        /// (`Json.decode[T](…)`); empty when absent. The same-line-`[`
2017        /// rule applies as for `Call` type application (0039).
2018        type_args: Vec<TypeRef>,
2019        args: Vec<Expr>,
2020    },
2021    /// `match disc { arm+ }` — pattern matching (v0.2).
2022    Match {
2023        discriminant: Box<Expr>,
2024        arms: Vec<MatchArm>,
2025    },
2026    /// `expr is pattern` — pattern test, returns Bool (v0.2).
2027    Is {
2028        value: Box<Expr>,
2029        pattern: Pattern,
2030    },
2031    /// `Some(value)` — Option Some constructor (v0.2).
2032    Some(Box<Expr>),
2033    /// `None` — Option None constructor (v0.2).
2034    None,
2035    /// `()` — unit literal (v0.5).
2036    UnitLit,
2037    /// `TypeName { ...base, field: value, ... }` or `{ ...base, ... }` —
2038    /// record spread expression (v0.5).
2039    RecordSpread {
2040        /// Optional type prefix (`TypeName { ...base }`). Absent for the
2041        /// bare form used inside `commit`.
2042        type_name: Option<Ident>,
2043        /// The base record being spread.
2044        base: Box<Expr>,
2045        /// Field overrides (always full `name: value` form — never shorthand).
2046        overrides: Vec<FieldInit>,
2047    },
2048    /// `Effect.pure(value)` — wrap a synchronous value into `Effect[T]`
2049    /// (v0.5). Recognised in the parser as a special-form.
2050    EffectPure(Box<Expr>),
2051    /// `expect expr` — expectation as an expression of type `()` (v0.9.1;
2052    /// renamed from `assert` in v0.112). Valid only inside test bodies. Evaluates
2053    /// `expr` (must be Bool); if false, the surrounding test case fails.
2054    Expect(Box<Expr>),
2055    /// `Val[T]`, `Val[T](args)` — test-context value construction (v0.9.4).
2056    /// `args` is empty for the bare form and holds the pin arguments for
2057    /// `Val[T](...)`. The record-override form `Val[T] { ... }` is not yet
2058    /// parsed. Valid only inside test bodies; has type `T`.
2059    Val {
2060        type_ref: TypeRef,
2061        args: Vec<Expr>,
2062    },
2063    /// `[a, b, c]` — list literal (v0.20b). An empty `[]` requires an
2064    /// expected type (`bynk.types.uninferable_element_type`).
2065    ListLit(Vec<Expr>),
2066    /// An observation over a consumed capability's recorded calls (v0.117,
2067    /// testing track slice 5). The direct subject of an `expect` in a `case`
2068    /// body — `expect Cap.op called once with <pred>`, `expect Cap.op never
2069    /// called`, `expect A.op before B.op`. Types as `Bool` (the claim about the
2070    /// recorded trace), lowered to a boolean over the recorded log.
2071    Observation(ObservationExpr),
2072    /// `trace(Cap.op)` — the bound-trace escape hatch (v0.117, testing track
2073    /// slice 5). Yields the recorded calls of `Cap.op` as a `List[<CallRecord>]`
2074    /// (a synthetic record of the operation's parameters), asserted over with the
2075    /// ordinary value surface. Test-body-only, like [`ExprKind::Val`].
2076    Trace {
2077        cap: Ident,
2078        op: Ident,
2079    },
2080}
2081
2082/// An observation of a capability operation's recorded calls (v0.117, testing
2083/// track slice 5). `cap`/`op` name the seam (`Logger.log`); `matcher` is the
2084/// claim about the recorded calls.
2085#[derive(Debug, Clone)]
2086pub struct ObservationExpr {
2087    pub cap: Ident,
2088    pub op: Ident,
2089    pub matcher: ObservationMatcher,
2090}
2091
2092/// The claim an [`ObservationExpr`] makes about a seam's recorded calls (v0.117).
2093#[derive(Debug, Clone)]
2094pub enum ObservationMatcher {
2095    /// `called` [`once` | `<n> times`]? [`with` `<pred>`]?. `count` is `None`
2096    /// for a bare `called` (at least one); `Some(expr)` is the exact-count claim
2097    /// (a literal; `once` desugars to `1`). `with_pred` matches a call whose
2098    /// arguments (in scope by the operation's parameter names) satisfy it.
2099    Called {
2100        count: Option<Box<Expr>>,
2101        with_pred: Option<Box<Expr>>,
2102    },
2103    /// `never called` — zero calls.
2104    NeverCalled,
2105    /// `before Cap.op` — the first call of the subject precedes the first call
2106    /// of the named operation (both must have occurred).
2107    Before { cap: Ident, op: Ident },
2108}
2109
2110/// One part of an interpolated string (v0.43, ADR 0075). An
2111/// [`ExprKind::InterpStr`] holds an alternating run of these.
2112#[derive(Debug, Clone)]
2113pub enum InterpPart {
2114    /// Literal text between holes, with escapes already resolved.
2115    Chunk(String),
2116    /// An interpolated expression `\(expr)`. Type-checked by the hole rule
2117    /// (base scalars only; see the checker) and lowered into a template-
2118    /// literal `${…}` slot.
2119    Hole(Box<Expr>),
2120}
2121
2122/// One field-initialiser inside a record construction expression:
2123/// either `name: expr` or the shorthand `name` (which requires a binding
2124/// of the same name in scope and uses its value).
2125#[derive(Debug, Clone)]
2126pub struct FieldInit {
2127    pub name: Ident,
2128    /// `None` means shorthand — the field's value is the same-named binding.
2129    pub value: Option<Expr>,
2130    pub span: Span,
2131}
2132
2133/// One arm of a `match` expression: `pattern => body`.
2134#[derive(Debug, Clone)]
2135pub struct MatchArm {
2136    pub pattern: Pattern,
2137    pub body: MatchBody,
2138    pub span: Span,
2139}
2140
2141/// The right-hand side of a match arm — either a single expression or
2142/// a block.
2143#[derive(Debug, Clone)]
2144pub enum MatchBody {
2145    Expr(Expr),
2146    Block(Block),
2147}
2148
2149impl MatchBody {
2150    pub fn span(&self) -> Span {
2151        match self {
2152            MatchBody::Expr(e) => e.span,
2153            MatchBody::Block(b) => b.span,
2154        }
2155    }
2156}
2157
2158/// A pattern (v0.2 §3.8). Patterns appear in `match` arms and as the
2159/// right-hand side of the `is` operator.
2160#[derive(Debug, Clone)]
2161pub enum Pattern {
2162    /// `_` — matches any value, no bindings.
2163    Wildcard(Span),
2164    /// A literal pattern — `31`, `"english"`, `true` (v0.130 §2.3.4). Matches a
2165    /// primitive scrutinee (`Int`/`String`/`Bool`) by value equality. The
2166    /// admitted set mirrors ADR 0001's closed literal set (integers — including
2167    /// a leading unary minus — strings, and booleans); `Float`/`()` are not
2168    /// admitted as patterns.
2169    Literal { value: LiteralValue, span: Span },
2170    /// `Variant` or `Variant(bindings)` or `TypeName.Variant(bindings)`.
2171    Variant {
2172        /// Optional qualifier: `TypeName.Variant`.
2173        type_name: Option<Ident>,
2174        /// The variant name.
2175        variant: Ident,
2176        /// Payload bindings (empty for nullary variants).
2177        bindings: Vec<PatternBinding>,
2178        span: Span,
2179    },
2180}
2181
2182/// The value carried by a [`Pattern::Literal`]. A closed set (ADR 0001):
2183/// integer, string, and boolean. Kept distinct from [`ExprKind`] so patterns
2184/// carry only what they can actually match, and so it is `Eq`/`Hash` for the
2185/// duplicate-arm check.
2186#[derive(Debug, Clone, PartialEq, Eq, Hash)]
2187pub enum LiteralValue {
2188    Int(i64),
2189    Str(String),
2190    Bool(bool),
2191}
2192
2193impl LiteralValue {
2194    /// A human-readable rendering for diagnostics (`31`, `"english"`, `true`).
2195    pub fn describe(&self) -> String {
2196        match self {
2197            LiteralValue::Int(n) => n.to_string(),
2198            LiteralValue::Str(s) => format!("{s:?}"),
2199            LiteralValue::Bool(b) => b.to_string(),
2200        }
2201    }
2202}
2203
2204impl Pattern {
2205    pub fn span(&self) -> Span {
2206        match self {
2207            Pattern::Wildcard(s) => *s,
2208            Pattern::Literal { span, .. } => *span,
2209            Pattern::Variant { span, .. } => *span,
2210        }
2211    }
2212}
2213
2214/// A single binding inside a variant pattern. Two surface forms:
2215/// `name` (positional — bind the i-th payload field) and
2216/// `fieldName: bindName` (named — bind the named payload field).
2217/// Both forms also accept `_` as the bind name to discard.
2218#[derive(Debug, Clone)]
2219pub struct PatternBinding {
2220    /// Source form: positional or named.
2221    pub kind: PatternBindingKind,
2222    pub span: Span,
2223}
2224
2225#[derive(Debug, Clone)]
2226pub enum PatternBindingKind {
2227    /// `name` (or `_`): bind the payload field at this position to `name`.
2228    Positional { name: Ident },
2229    /// `field: name` (or `field: _`): bind the named payload field to `name`.
2230    Named { field: Ident, name: Ident },
2231}
2232
2233impl PatternBinding {
2234    /// The local name introduced by this binding (used for scope).
2235    /// `_` is a sentinel for "no binding"; callers should compare against it.
2236    pub fn local_name(&self) -> &Ident {
2237        match &self.kind {
2238            PatternBindingKind::Positional { name } => name,
2239            PatternBindingKind::Named { name, .. } => name,
2240        }
2241    }
2242
2243    pub fn is_wildcard(&self) -> bool {
2244        self.local_name().name == "_"
2245    }
2246}
2247
2248#[derive(Debug, Clone, Copy, PartialEq, Eq)]
2249pub enum BinOp {
2250    /// `P implies Q` — logical implication (v0.80). Desugars to `!P || Q`; sits
2251    /// at the lowest precedence (below `||`). Reads directionally (P → Q).
2252    Implies,
2253    Or,
2254    And,
2255    Eq,
2256    NotEq,
2257    Lt,
2258    LtEq,
2259    Gt,
2260    GtEq,
2261    Add,
2262    Sub,
2263    Mul,
2264    Div,
2265}
2266
2267impl BinOp {
2268    pub fn name(self) -> &'static str {
2269        match self {
2270            BinOp::Implies => "implies",
2271            BinOp::Or => "||",
2272            BinOp::And => "&&",
2273            BinOp::Eq => "==",
2274            BinOp::NotEq => "!=",
2275            BinOp::Lt => "<",
2276            BinOp::LtEq => "<=",
2277            BinOp::Gt => ">",
2278            BinOp::GtEq => ">=",
2279            BinOp::Add => "+",
2280            BinOp::Sub => "-",
2281            BinOp::Mul => "*",
2282            BinOp::Div => "/",
2283        }
2284    }
2285}
2286
2287#[derive(Debug, Clone, Copy, PartialEq, Eq)]
2288pub enum UnaryOp {
2289    Neg,
2290    Not,
2291}
2292
2293impl UnaryOp {
2294    pub fn name(self) -> &'static str {
2295        match self {
2296            UnaryOp::Neg => "-",
2297            UnaryOp::Not => "!",
2298        }
2299    }
2300}