bynk_syntax/ast.rs
1//! Abstract syntax tree types for Bynk v0 (spec §9.2).
2
3use crate::span::Span;
4
5/// An identifier with its source span.
6#[derive(Debug, Clone)]
7pub struct Ident {
8 pub name: String,
9 pub span: Span,
10}
11
12/// Comment trivia attached to a declaration or statement (v1.1 LSP spec
13/// §3.5). The parser collects line comments from the token stream and
14/// attaches them to nearby AST nodes so the formatter can re-emit them.
15///
16/// - `leading` holds comments that appear immediately above the node,
17/// ordered top-to-bottom. Each entry is the body of one `--` line
18/// (the text after the marker, with its original inline whitespace
19/// preserved).
20/// - `trailing` holds a single comment that appears on the same source
21/// line as the node's final token (e.g. `expr -- note`).
22#[derive(Debug, Clone, Default)]
23pub struct Trivia {
24 pub leading: Vec<String>,
25 pub trailing: Option<String>,
26}
27
28impl Trivia {
29 pub fn is_empty(&self) -> bool {
30 self.leading.is_empty() && self.trailing.is_none()
31 }
32}
33
34/// A whole parsed commons source file.
35///
36/// In v0.3 a commons may be split across multiple files in a directory; the
37/// resolver merges them into one logical commons. Each parsed AST instance
38/// represents the contribution from a single source file.
39#[derive(Debug, Clone)]
40pub struct Commons {
41 pub name: QualifiedName,
42 pub items: Vec<CommonsItem>,
43 /// `uses` clauses declared in this file.
44 pub uses: Vec<UsesDecl>,
45 /// Optional documentation block attached to the commons declaration.
46 pub documentation: Option<String>,
47 /// Surface form of the file: brace-delimited body or headerless fragment.
48 pub form: CommonsForm,
49 pub span: Span,
50 /// Trivia attached to the commons declaration itself — leading comments
51 /// before the `commons` keyword and a trailing comment after the header
52 /// or closing brace.
53 pub trivia: Trivia,
54 /// Comments appearing after the last item but before the file ends
55 /// (or the closing brace, for brace form). One entry per `--` line.
56 pub trailing_comments: Vec<String>,
57}
58
59/// The two surface forms in which a commons body may be parsed (v0.3 §3.1).
60#[derive(Debug, Clone, Copy, PartialEq, Eq)]
61pub enum CommonsForm {
62 /// `commons name { ... }`
63 Brace,
64 /// `commons name` followed by top-level declarations to EOF.
65 Fragment,
66}
67
68/// A `uses other.commons` declaration (v0.3 §3.3).
69#[derive(Debug, Clone)]
70pub struct UsesDecl {
71 pub target: QualifiedName,
72 pub span: Span,
73 pub trivia: Trivia,
74}
75
76/// A whole parsed context source file (v0.4 §3.1).
77///
78/// Contexts are the architectural-layer declaration kind. Like commons, a
79/// context may be split across multiple files in a directory.
80#[derive(Debug, Clone)]
81pub struct Context {
82 pub name: QualifiedName,
83 pub items: Vec<CommonsItem>,
84 /// `uses` clauses declared in this file.
85 pub uses: Vec<UsesDecl>,
86 /// `consumes` clauses declared in this file.
87 pub consumes: Vec<ConsumesDecl>,
88 /// `exports` clauses declared in this file.
89 pub exports: Vec<ExportsDecl>,
90 /// Optional documentation block attached to the context declaration.
91 pub documentation: Option<String>,
92 /// Surface form of the file: brace-delimited body or headerless fragment.
93 pub form: CommonsForm,
94 pub span: Span,
95 /// Trivia attached to the context declaration itself — leading comments
96 /// before the `context` keyword.
97 pub trivia: Trivia,
98 /// Comments appearing after the last item but before the file ends
99 /// (or the closing brace, for brace form). One entry per `--` line.
100 pub trailing_comments: Vec<String>,
101}
102
103/// A `consumes other.context` declaration (v0.4 §3.2). May optionally carry
104/// an alias introduced by `consumes other.context as Alias` (v0.6 §3.1).
105#[derive(Debug, Clone)]
106pub struct ConsumesDecl {
107 pub target: QualifiedName,
108 pub alias: Option<Ident>,
109 /// v0.17: `consumes U { Cap, … }` — selected capabilities flattened into
110 /// the consumer's local capability namespace under their bare names (§3.3).
111 /// `None` for the whole-unit forms; `Some` (possibly empty) for the braced
112 /// form. Mutually exclusive with `alias`.
113 pub selected: Option<Vec<Ident>>,
114 pub span: Span,
115 pub trivia: Trivia,
116}
117
118/// An `exports visibility { names }` clause (v0.4 §3.3) or, v0.15, an
119/// `exports capability { names }` clause.
120#[derive(Debug, Clone)]
121pub struct ExportsDecl {
122 pub kind: ExportKind,
123 pub names: Vec<Ident>,
124 pub span: Span,
125 pub trivia: Trivia,
126}
127
128/// What an `exports` clause exposes: types (with a visibility) or, v0.15,
129/// capabilities offered for cross-context consumption.
130#[derive(Debug, Clone, Copy, PartialEq, Eq)]
131pub enum ExportKind {
132 /// `exports opaque { ... }` / `exports transparent { ... }` — type exports.
133 Type(Visibility),
134 /// `exports capability { ... }` — capabilities offered to consumers (v0.15).
135 Capability,
136}
137
138/// Visibility level for an exports clause (v0.4 §3.3).
139#[derive(Debug, Clone, Copy, PartialEq, Eq)]
140pub enum Visibility {
141 /// Token-only outside the context: hold, pass, compare; no inspect, no construct.
142 Opaque,
143 /// Readable shape outside the context: inspect fields, match variants; no construct.
144 Transparent,
145}
146
147/// An `adapter qualified.name { … }` declaration (v0.17 §3.1). An adapter
148/// co-locates a capability contract with a non-Bynk binding: it may declare
149/// capabilities, the boundary types they reference, inline pure helper
150/// `type`/`fn` (and `uses`), external (bodiless) providers, `exports
151/// capability`, and exactly one `binding` clause. It may *not* declare
152/// services, agents, or bodied providers. Like commons/contexts it may be
153/// split across files in a directory.
154#[derive(Debug, Clone)]
155pub struct AdapterDecl {
156 pub name: QualifiedName,
157 pub items: Vec<CommonsItem>,
158 /// `uses` clauses declared in this file (pure-vocabulary mixin; allowed
159 /// because helpers cannot pierce containment — spec [DECISION B]).
160 pub uses: Vec<UsesDecl>,
161 /// `exports capability { … }` clauses (adapters export capabilities and
162 /// boundary types, never services).
163 pub exports: Vec<ExportsDecl>,
164 /// v0.18: `consumes U { Cap, … }` clauses — adapter-to-adapter capability
165 /// dependencies (spec §4.5, \[N\]). Braced form only; adapter targets only
166 /// (both enforced semantically, not in the parser).
167 pub consumes: Vec<ConsumesDecl>,
168 /// The `binding "<module>" requires { … }` clause, if present. Required
169 /// when the adapter declares any external provider (`bynk.adapter.no_binding`).
170 pub binding: Option<BindingDecl>,
171 pub documentation: Option<String>,
172 pub form: CommonsForm,
173 pub span: Span,
174 pub trivia: Trivia,
175 pub trailing_comments: Vec<String>,
176}
177
178/// A `binding "<module>" requires { "pkg": "range", … }` clause inside an
179/// adapter (v0.17 §3.5). `module` is the TypeScript module supplying the
180/// adapter's external provider symbols, resolved relative to the adapter's
181/// source file. `requires` declares npm dependencies folded into the
182/// generated `package.json`.
183#[derive(Debug, Clone)]
184pub struct BindingDecl {
185 /// The module path as written (the string-literal contents, no quotes).
186 pub module: String,
187 pub module_span: Span,
188 pub requires: Vec<RequiresDep>,
189 pub span: Span,
190 pub trivia: Trivia,
191}
192
193/// One `"pkg": "range"` entry in a binding's `requires { … }` map.
194#[derive(Debug, Clone)]
195pub struct RequiresDep {
196 pub package: String,
197 pub range: String,
198 pub span: Span,
199}
200
201/// Either a commons or a context — the two declaration kinds at the file
202/// level (v0.4 §3.1). v0.7 adds the test declaration kind; v0.17 the adapter.
203#[derive(Debug, Clone)]
204pub enum SourceUnit {
205 Commons(Commons),
206 Context(Context),
207 Suite(SuiteDecl),
208 /// v0.17: an `adapter` unit — the host boundary (capability contract +
209 /// external binding).
210 Adapter(AdapterDecl),
211}
212
213impl SourceUnit {
214 pub fn name(&self) -> &QualifiedName {
215 match self {
216 SourceUnit::Commons(c) => &c.name,
217 SourceUnit::Context(c) => &c.name,
218 SourceUnit::Suite(t) => &t.target,
219 SourceUnit::Adapter(a) => &a.name,
220 }
221 }
222
223 pub fn span(&self) -> Span {
224 match self {
225 SourceUnit::Commons(c) => c.span,
226 SourceUnit::Context(c) => c.span,
227 SourceUnit::Suite(t) => t.span,
228 SourceUnit::Adapter(a) => a.span,
229 }
230 }
231
232 pub fn kind_name(&self) -> &'static str {
233 match self {
234 SourceUnit::Commons(_) => "commons",
235 SourceUnit::Context(_) => "context",
236 SourceUnit::Suite(_) => "suite",
237 SourceUnit::Adapter(_) => "adapter",
238 }
239 }
240}
241
242/// A `test <qualified-name> { ... }` declaration (v0.7 §3.1).
243///
244/// A test targets a commons or context by qualified name and bundles a set of
245/// test cases plus optional mock declarations. As with commons and contexts, a
246/// test may be split across multiple files (fragment form).
247#[derive(Debug, Clone)]
248pub struct SuiteDecl {
249 /// The targeted commons or context.
250 pub target: QualifiedName,
251 /// `uses` clauses brought in by this test fragment.
252 pub uses: Vec<UsesDecl>,
253 /// v0.118: suite-scoped `provides` clauses — per-seam provider overrides
254 /// applied to every case (a case-scoped `provides` takes precedence).
255 pub provides: Vec<ProvidesClause>,
256 /// The individual test cases.
257 pub cases: Vec<Case>,
258 /// v0.114: generative `property` blocks (testing track slice 2).
259 pub properties: Vec<PropertyDecl>,
260 /// v0.118: the suite-level tier default (`suite … as integration`). `None`
261 /// means the `unit` default; a `case`'s own tier overrides it. A `property`
262 /// ignores a suite tier (tiers are a `case`-only affordance).
263 pub tier: Option<TestTier>,
264 /// Surface form: brace-delimited body or headerless fragment.
265 pub form: CommonsForm,
266 /// Optional documentation block attached to the test declaration.
267 pub documentation: Option<String>,
268 pub span: Span,
269 pub trivia: Trivia,
270 pub trailing_comments: Vec<String>,
271}
272
273/// v0.118: the tier a `case` runs at (testing track slice 6, ADR 0153). One
274/// body promoted across the testing pyramid; `unit` is the default and elided.
275#[derive(Debug, Clone, Copy, PartialEq, Eq)]
276pub enum TestTier {
277 /// Collaborators stubbed (the default).
278 Unit,
279 /// Real collaborators within one context, no serialisation wire.
280 Integration,
281 /// Contexts wired across the real serialise → JSON → deserialise boundary.
282 System,
283}
284
285impl TestTier {
286 pub fn as_str(self) -> &'static str {
287 match self {
288 TestTier::Unit => "unit",
289 TestTier::Integration => "integration",
290 TestTier::System => "system",
291 }
292 }
293}
294
295/// v0.118: a per-seam provider override `provides Cap.method(<args>) returns <v>
296/// | fails` (testing track slice 6, ADR 0154). Substitutes one capability
297/// method's provision under test; the right-hand side is a value or a fault,
298/// never a computed body.
299#[derive(Debug, Clone)]
300pub struct ProvidesClause {
301 /// The capability being overridden (a consumed seam of the unit).
302 pub capability: Ident,
303 /// The overridden method.
304 pub method: Ident,
305 /// One argument pattern per parameter (`_` or a value the arg must equal).
306 pub args: Vec<ArgPattern>,
307 /// The provision: a value, a fault, or a per-call sequence.
308 pub rhs: ProvidesRhs,
309 pub documentation: Option<String>,
310 pub span: Span,
311 pub trivia: Trivia,
312}
313
314/// v0.118: one argument pattern in a `provides` call pattern. Patterns for the
315/// same method are tried top-to-bottom, first match wins.
316#[derive(Debug, Clone)]
317pub enum ArgPattern {
318 /// `_` — matches any argument.
319 Any(Span),
320 /// A value the recorded argument must equal (a literal or pure value expr).
321 Value(Expr),
322}
323
324/// v0.118: the right-hand side of a `provides` clause.
325#[derive(Debug, Clone)]
326pub enum ProvidesRhs {
327 /// `returns <value>` — a single success value, repeated for every call.
328 Returns(Expr),
329 /// `fails` — inject a capability fault (Principle 3).
330 Fails(Span),
331 /// `returns each [<outcome>, …]` — one outcome per call, in order; the last
332 /// outcome repeats once the sequence is exhausted (DECISION V).
333 ReturnsEach(Vec<SeqOutcome>, Span),
334}
335
336impl ProvidesRhs {
337 pub fn span(&self) -> Span {
338 match self {
339 ProvidesRhs::Returns(e) => e.span,
340 ProvidesRhs::Fails(s) => *s,
341 ProvidesRhs::ReturnsEach(_, s) => *s,
342 }
343 }
344}
345
346/// v0.118: one outcome in a sequenced (`returns each`) `provides`.
347#[derive(Debug, Clone)]
348pub enum SeqOutcome {
349 /// A success value.
350 Value(Expr),
351 /// A fault.
352 Fails(Span),
353}
354
355/// A `case "name" [as <tier>] { [provides …] body }` block inside a suite
356/// (v0.7 §3.3; v0.118 adds the tier clause and case-scoped `provides`).
357#[derive(Debug, Clone)]
358pub struct Case {
359 /// The test name, taken from the string literal.
360 pub name: String,
361 /// The span of the string literal — used for diagnostics and runtime
362 /// failure reports.
363 pub name_span: Span,
364 /// v0.118: the case's own tier, if written (`as integration` / `as system`).
365 /// `None` means inherit the suite default (itself `unit` when unset).
366 pub tier: Option<TestTier>,
367 /// v0.118: case-scoped `provides` clauses (override the suite's, and the
368 /// tier default).
369 pub provides: Vec<ProvidesClause>,
370 pub body: Block,
371 pub documentation: Option<String>,
372 pub span: Span,
373 pub trivia: Trivia,
374}
375
376/// A `property "name" { for all <bindings> [where <pred>] { body } }` block
377/// inside a suite (v0.114, testing track slice 2, ADR 0149). The generative
378/// sibling of [`Case`]: the runner draws inhabitants of each binding's type from
379/// its refinement domain and evaluates the body's `expect`s over them.
380#[derive(Debug, Clone)]
381pub struct PropertyDecl {
382 /// The property name, taken from the string literal.
383 pub name: String,
384 /// The span of the string literal — used for diagnostics and reports.
385 pub name_span: Span,
386 /// The `for all` binder: the generated bindings, an optional `where` filter,
387 /// and the predicate body.
388 pub forall: ForAll,
389 pub documentation: Option<String>,
390 pub span: Span,
391 pub trivia: Trivia,
392}
393
394/// The `for all x: T, … [where <pred>] { … }` binder inside a [`PropertyDecl`].
395#[derive(Debug, Clone)]
396pub struct ForAll {
397 /// The generated bindings, `x: T` (one or more).
398 pub bindings: Vec<ForAllBinding>,
399 /// An optional `where <pred>` filter (a pure `Bool`) applied to generated
400 /// tuples before the body runs.
401 pub where_pred: Option<Expr>,
402 /// The body — one or more statements, typically `expect`s.
403 pub body: Block,
404 pub span: Span,
405}
406
407/// One `for all` binding: `name: T`, where the runner generates inhabitants of
408/// `T` from its refinements.
409#[derive(Debug, Clone)]
410pub struct ForAllBinding {
411 pub name: Ident,
412 pub type_ref: TypeRef,
413}
414
415/// A capability reference in a `given` clause (v0.15 §3.2). A bare name is a
416/// local capability (`given Cap`); a dotted name refers to a capability a
417/// consumed context provides (`given B.Cap` / `given Alias.Cap`).
418#[derive(Debug, Clone)]
419pub struct CapRef {
420 /// `None` for a local capability; `Some(prefix)` for a cross-context
421 /// reference where `prefix` is a consumed-context qualified name or alias.
422 pub context: Option<QualifiedName>,
423 /// The capability's simple name (also the local deps key).
424 pub name: Ident,
425 pub span: Span,
426}
427
428impl CapRef {
429 /// The local deps key / capability simple name (e.g. `Clock`).
430 pub fn key(&self) -> &str {
431 &self.name.name
432 }
433
434 /// True when this references a capability provided by a consumed context.
435 pub fn is_cross_context(&self) -> bool {
436 self.context.is_some()
437 }
438
439 /// The cross-context prefix (consumed-context qualified name or alias) as
440 /// a dotted string, if any.
441 pub fn prefix(&self) -> Option<String> {
442 self.context.as_ref().map(|q| q.joined())
443 }
444}
445
446/// A dotted name like `fitness.units`.
447#[derive(Debug, Clone)]
448pub struct QualifiedName {
449 pub parts: Vec<Ident>,
450 pub span: Span,
451}
452
453impl QualifiedName {
454 pub fn joined(&self) -> String {
455 self.parts
456 .iter()
457 .map(|p| p.name.as_str())
458 .collect::<Vec<_>>()
459 .join(".")
460 }
461}
462
463#[derive(Debug, Clone)]
464pub enum CommonsItem {
465 Type(TypeDecl),
466 Fn(FnDecl),
467 /// `capability Name { fn op(...) -> T ... }` (v0.5; contexts only).
468 Capability(CapabilityDecl),
469 /// `provides Cap = ProviderName { fn op(...) -> T { ... } ... }` (v0.5).
470 Provider(ProviderDecl),
471 /// `service Name { on call(...) -> T { ... } ... }` (v0.5).
472 Service(ServiceDecl),
473 /// `agent Name { key id: T; state { ... }; on call ... }` (v0.5).
474 Agent(AgentDecl),
475 /// `actor Name { auth = Scheme, identity = T }` (v0.45). A nominal boundary
476 /// contract consumed by a handler's `by` clause; not a runnable entity.
477 Actor(ActorDecl),
478}
479
480impl CommonsItem {
481 pub fn name(&self) -> &Ident {
482 match self {
483 CommonsItem::Type(t) => &t.name,
484 CommonsItem::Fn(f) => f.name.ident(),
485 CommonsItem::Capability(c) => &c.name,
486 CommonsItem::Provider(p) => &p.provider_name,
487 CommonsItem::Service(s) => &s.name,
488 CommonsItem::Agent(a) => &a.name,
489 CommonsItem::Actor(a) => &a.name,
490 }
491 }
492}
493
494/// A capability declaration (v0.5 §3.3). Capabilities are interface-like
495/// contracts for external dependencies, used inside contexts. They may only
496/// appear inside a `context` declaration.
497#[derive(Debug, Clone)]
498pub struct CapabilityDecl {
499 pub name: Ident,
500 pub ops: Vec<CapabilityOp>,
501 pub documentation: Option<String>,
502 pub span: Span,
503 pub trivia: Trivia,
504}
505
506/// One operation in a capability (signature only; no body).
507#[derive(Debug, Clone)]
508pub struct CapabilityOp {
509 pub name: Ident,
510 pub params: Vec<Param>,
511 pub return_type: TypeRef,
512 pub documentation: Option<String>,
513 pub span: Span,
514 pub trivia: Trivia,
515}
516
517/// A provider declaration (v0.5 §3.4). Supplies an implementation for a
518/// capability.
519#[derive(Debug, Clone)]
520pub struct ProviderDecl {
521 /// The capability being implemented.
522 pub capability: Ident,
523 /// The provider's identifier (used in tests/config to select impls).
524 pub provider_name: Ident,
525 /// v0.12: capabilities this provider depends on (`provides X = Impl given
526 /// Y, Z { … }`). The provider's operation bodies may use these. v0.15:
527 /// a dependency may be a cross-context capability (`given B.Cap`).
528 pub given: Vec<CapRef>,
529 pub ops: Vec<ProviderOp>,
530 /// v0.17: an *external* provider — `provides Cap = Name` with **no** brace
531 /// block — inside an adapter, supplied by the adapter's binding rather than
532 /// a Bynk body. When `true`, `ops` is empty and the emitter produces no
533 /// class. The absence of the brace block (not an empty one) is the signal.
534 pub external: bool,
535 pub documentation: Option<String>,
536 pub span: Span,
537 pub trivia: Trivia,
538}
539
540/// One operation in a provider (signature plus body).
541#[derive(Debug, Clone)]
542pub struct ProviderOp {
543 pub name: Ident,
544 pub params: Vec<Param>,
545 pub return_type: TypeRef,
546 pub body: Block,
547 pub span: Span,
548 pub trivia: Trivia,
549}
550
551/// A service declaration (v0.5 §3.5). Services are the boundary interface
552/// of a context.
553#[derive(Debug, Clone)]
554pub struct ServiceDecl {
555 pub name: Ident,
556 /// The protocol the service conforms to, from the `from <protocol>` header
557 /// clause (v0.44). `Call` when there is no clause.
558 pub protocol: ServiceProtocol,
559 /// The optional cross-origin (CORS) policy (v0.131, ADR 0159) — a `cors { }`
560 /// section in the service body, only meaningful on a `from http` service.
561 /// `None` when absent (same-origin default, byte-for-byte unchanged output).
562 pub cors: Option<CorsPolicy>,
563 /// The optional security-headers policy (v0.141, ADR 0164) — a `security { }`
564 /// section in the service body, only meaningful on a `from http` service.
565 /// `None` when absent, but unlike `cors` the *absence* still stamps the safe
566 /// defaults (`nosniff` on) — the emitter synthesises a default policy for every
567 /// `from http` service, so `None` here means "defaults", not "no headers".
568 pub security: Option<SecurityPolicy>,
569 /// The optional request-body-size policy (v0.142, ADR 0165) — a `limits { }`
570 /// section in the service body, only meaningful on a `from http` service. It
571 /// declares a per-service `maxBody` ceiling (in bytes) for the service's
572 /// body-taking routes; a route may override it with `@limit(maxBody: …)`.
573 /// `None` when absent (no cap — byte-for-byte unchanged output, the opt-in
574 /// CORS posture, not the `security` default-on posture).
575 pub limits: Option<LimitsPolicy>,
576 pub handlers: Vec<Handler>,
577 pub documentation: Option<String>,
578 pub span: Span,
579 pub trivia: Trivia,
580}
581
582/// A cross-origin resource-sharing policy on a `from http` service (v0.131,
583/// ADR 0159): the `cors { }` section in the service body. Parsed leniently as a
584/// list of `name: value` fields (the grammar accepts any field name — an unknown
585/// one is a checker diagnostic, per the `@`-annotation precedent, ADR 0111), and
586/// interpreted through the typed accessors below.
587///
588/// `Access-Control-Allow-Methods` is deliberately **not** a field — it is derived
589/// from the service's routes at emit time (the routes already enumerate the
590/// methods; a restated list would drift). Likewise `Allow-Headers` defaults to
591/// `content-type` (+ `Authorization` when a Bearer route exists) and is only
592/// stored here when the author overrides it.
593#[derive(Debug, Clone)]
594pub struct CorsPolicy {
595 /// The `cors { }` fields as written, in source order. Field names are
596 /// validated against the closed set (`origins`/`headers`/`credentials`/
597 /// `maxAge`) by the checker, not the parser.
598 pub fields: Vec<CorsField>,
599 pub span: Span,
600 pub trivia: Trivia,
601}
602
603/// One `name: value` field inside a `cors { }` policy (v0.131).
604#[derive(Debug, Clone)]
605pub struct CorsField {
606 pub name: Ident,
607 pub value: Expr,
608 pub span: Span,
609}
610
611impl CorsPolicy {
612 /// The raw value expression for a field, by name (the last one wins if a
613 /// field is repeated — the checker flags the duplicate separately).
614 pub fn field(&self, name: &str) -> Option<&Expr> {
615 self.fields
616 .iter()
617 .rev()
618 .find(|f| f.name.name == name)
619 .map(|f| &f.value)
620 }
621
622 /// The allowed origins — the string literals of the `origins:` list. An
623 /// absent or malformed field yields an empty list (the checker has already
624 /// reported the shape error; the emitter fails closed on an empty list).
625 pub fn origins(&self) -> Vec<String> {
626 Self::str_list(self.field("origins")).unwrap_or_default()
627 }
628
629 /// `true` iff `origins` is exactly the wildcard `["*"]`.
630 pub fn is_wildcard(&self) -> bool {
631 let os = self.origins();
632 os.len() == 1 && os[0] == "*"
633 }
634
635 /// Whether credentialed requests are allowed (`credentials: true`); defaults
636 /// to `false` when the field is absent.
637 pub fn credentials(&self) -> bool {
638 matches!(
639 self.field("credentials").map(|e| &e.kind),
640 Some(ExprKind::BoolLit(true))
641 )
642 }
643
644 /// The explicit `Access-Control-Allow-Headers` override, if the author gave
645 /// a `headers:` list; `None` leaves the emitter to apply its smart default.
646 pub fn allow_headers(&self) -> Option<Vec<String>> {
647 self.field("headers").and_then(Self::str_list_of)
648 }
649
650 /// The `Access-Control-Max-Age` in whole seconds, if a `maxAge:` duration was
651 /// given; `None` leaves the header off (the browser default).
652 pub fn max_age_secs(&self) -> Option<i64> {
653 match self.field("maxAge").map(|e| &e.kind) {
654 Some(ExprKind::DurationLit { millis, .. }) => Some(millis / 1_000),
655 _ => None,
656 }
657 }
658
659 /// Interpret an expression as a list of string literals, if it is one.
660 fn str_list(expr: Option<&Expr>) -> Option<Vec<String>> {
661 expr.and_then(Self::str_list_of)
662 }
663
664 fn str_list_of(expr: &Expr) -> Option<Vec<String>> {
665 match &expr.kind {
666 ExprKind::ListLit(items) => items
667 .iter()
668 .map(|e| match &e.kind {
669 ExprKind::StrLit(s) => Some(s.clone()),
670 _ => None,
671 })
672 .collect(),
673 _ => None,
674 }
675 }
676}
677
678/// A security-headers policy on a `from http` service (v0.141, ADR 0164): the
679/// `security { }` section in the service body. Parsed leniently as a list of
680/// `name: value` fields (an unknown one is a checker diagnostic, per the CORS /
681/// `@`-annotation precedent) and interpreted through the typed accessors below.
682///
683/// The closed set is `nosniff` (a `Bool`, default `true` — stamps
684/// `X-Content-Type-Options: nosniff`) and `hsts` (a positive `Duration`, opt-in —
685/// stamps `Strict-Transport-Security: max-age=…`). Unlike `cors`, the *safe*
686/// header is on by default: a `from http` service with no `security { }` still
687/// stamps `nosniff`, because a security header you have to remember to switch on
688/// is the one you forget (ADR 0164 DECISION A).
689#[derive(Debug, Clone)]
690pub struct SecurityPolicy {
691 /// The `security { }` fields as written, in source order. Field names are
692 /// validated against the closed set (`hsts`/`nosniff`) by the checker, not
693 /// the parser.
694 pub fields: Vec<SecurityField>,
695 pub span: Span,
696 pub trivia: Trivia,
697}
698
699/// One `name: value` field inside a `security { }` policy (v0.141).
700#[derive(Debug, Clone)]
701pub struct SecurityField {
702 pub name: Ident,
703 pub value: Expr,
704 pub span: Span,
705}
706
707impl SecurityPolicy {
708 /// The raw value expression for a field, by name (the last one wins if a
709 /// field is repeated — the checker flags the duplicate separately).
710 pub fn field(&self, name: &str) -> Option<&Expr> {
711 self.fields
712 .iter()
713 .rev()
714 .find(|f| f.name.name == name)
715 .map(|f| &f.value)
716 }
717
718 /// Whether `X-Content-Type-Options: nosniff` is stamped. Defaults to `true`
719 /// (the safe default, ADR 0164 DECISION A); only an explicit `nosniff: false`
720 /// opts out. A malformed value has already been reported by the checker; it
721 /// falls back to the safe default here.
722 pub fn nosniff(&self) -> bool {
723 !matches!(
724 self.field("nosniff").map(|e| &e.kind),
725 Some(ExprKind::BoolLit(false))
726 )
727 }
728
729 /// The `Strict-Transport-Security` `max-age` in whole seconds, if the author
730 /// opted in with an `hsts:` duration; `None` leaves HSTS off (the default —
731 /// HSTS pins the browser to HTTPS and is a deliberate opt-in, DECISION A).
732 pub fn hsts_max_age_secs(&self) -> Option<i64> {
733 match self.field("hsts").map(|e| &e.kind) {
734 Some(ExprKind::DurationLit { millis, .. }) => Some(millis / 1_000),
735 _ => None,
736 }
737 }
738}
739
740/// A request-body-size policy on a `from http` service (v0.142, ADR 0165): the
741/// `limits { }` section in the service body. Parsed leniently as a list of
742/// `name: value` fields (an unknown one is a checker diagnostic, per the CORS /
743/// `security` / `@`-annotation precedent) and interpreted through the typed
744/// accessor below.
745///
746/// The closed set is `maxBody` — a positive `Int` byte count (there is no byte
747/// `Size` literal yet; a `1.mb`-style literal is a named follow-on, the
748/// `Duration` playbook). Unlike `security`, this is opt-in: a service with no
749/// `limits { }` (and no route `@limit`) has no cap and emits byte-for-byte
750/// unchanged output (ADR 0165 DECISION E — the CORS posture).
751#[derive(Debug, Clone)]
752pub struct LimitsPolicy {
753 /// The `limits { }` fields as written, in source order. Field names are
754 /// validated against the closed set (`maxBody`) by the checker, not the
755 /// parser.
756 pub fields: Vec<LimitsField>,
757 pub span: Span,
758 pub trivia: Trivia,
759}
760
761/// One `name: value` field inside a `limits { }` policy (v0.142).
762#[derive(Debug, Clone)]
763pub struct LimitsField {
764 pub name: Ident,
765 pub value: Expr,
766 pub span: Span,
767}
768
769impl LimitsPolicy {
770 /// The raw value expression for a field, by name (the last one wins if a
771 /// field is repeated — the checker flags the duplicate separately).
772 pub fn field(&self, name: &str) -> Option<&Expr> {
773 self.fields
774 .iter()
775 .rev()
776 .find(|f| f.name.name == name)
777 .map(|f| &f.value)
778 }
779
780 /// The service-wide maximum request-body size in bytes, if the author gave a
781 /// positive `maxBody:` `Int` literal; `None` leaves the service without a
782 /// default cap. A malformed or non-positive value has already been reported
783 /// by the checker; it falls back to `None` here (no cap).
784 pub fn max_body(&self) -> Option<i64> {
785 match self.field("maxBody").map(|e| &e.kind) {
786 Some(ExprKind::IntLit { value, .. }) if *value > 0 => Some(*value),
787 _ => None,
788 }
789 }
790}
791
792/// The protocol a service conforms to — declared on the header via
793/// `from <protocol>` (v0.44). `Call` is the default (no `from` clause): a
794/// contract-mediated internal-RPC surface, not a wire protocol. Multi-endpoint
795/// protocols (`Http`, `Cron`) carry no binding — the endpoint lives on each
796/// handler; single-binding `Queue` carries its queue name.
797#[derive(Debug, Clone)]
798pub enum ServiceProtocol {
799 /// No `from` clause: the service holds `on call` handlers only.
800 Call,
801 /// `from http` — many routes; each handler is `on <Method>("route")`.
802 Http,
803 /// `from cron` — many schedules; each handler is `on schedule("expr")`.
804 Cron,
805 /// `from queue("name")` — one bound queue; handlers are `on message(...)`.
806 Queue { name: String },
807 /// `from WebSocket(in: ClientFrame, out: ServerFrame)` — a held WebSocket
808 /// connection (v0.103, real-time track slice 3). `in_type` is the inbound
809 /// frame type (client→server, decoded and routed as typed agent messages);
810 /// `out_type` is the server→client frame type the held `Connection[out_type]`
811 /// carries. The service holds exactly one `on open` handler (edge auth via
812 /// `by`, then transfer of the connection to an agent).
813 WebSocket { in_type: TypeRef, out_type: TypeRef },
814}
815
816/// An agent declaration (v0.5 §3.6). Agents are state-bearing entities
817/// with their own handlers.
818#[derive(Debug, Clone)]
819pub struct AgentDecl {
820 pub name: Ident,
821 /// `key id: Type` — the identifier-typed value identifying instances.
822 pub key_name: Ident,
823 pub key_type: TypeRef,
824 /// `store` fields (v0.81, storage track) — each an access-pattern slot of a
825 /// declared storage kind (`Cell`/`Map`/…). The successor to the removed
826 /// `state { }` record (ADR 0108); every agent declares its state this way.
827 pub store_fields: Vec<StoreField>,
828 /// Invariants (v0.80 §14) — universally-quantified predicates over the
829 /// agent's `store` fields. The phase sits between the fields and the
830 /// handlers; each is checked against the state staged by a handler's writes
831 /// before it commits.
832 pub invariants: Vec<Invariant>,
833 /// Step invariants (v0.116 §, testing track slice 4) — named predicates over
834 /// the pre-/post-commit state *pair* (`old`/`new`), checked at the commit
835 /// boundary beside [`invariants`], from the second commit onward. Widen the
836 /// invariant subject from a snapshot to a step (ADR 0144 — one predicate
837 /// surface).
838 ///
839 /// [`invariants`]: AgentDecl::invariants
840 pub transitions: Vec<Transition>,
841 pub handlers: Vec<Handler>,
842 pub documentation: Option<String>,
843 pub span: Span,
844 pub trivia: Trivia,
845}
846
847/// A `store` field (v0.81, storage track). Each is an access-pattern slot of a
848/// declared storage kind: `store <name>: <Kind>[…] [@annotations] [= <init>]`.
849/// The kind and its element type are carried as an ordinary [`TypeRef`]
850/// (`Cell[Int]`, `Map[K, V]`); the checker restricts which heads are storage
851/// kinds. Access-pattern annotations (`@indexed`, …) parse into [`annotations`]
852/// (v0.85, ADR 0111); the checker validates them against the closed registry.
853///
854/// [`annotations`]: StoreField::annotations
855#[derive(Debug, Clone)]
856pub struct StoreField {
857 pub name: Ident,
858 /// The storage kind and its element type(s): `Cell[Int]`, `Map[K, V]`. A
859 /// dedicated [`StoreKind`] rather than a [`TypeRef`] — storage kinds are not
860 /// value types, and the checker dispatches kind-aware operations on the head.
861 pub kind: StoreKind,
862 /// Storage annotations on the field (v0.85, ADR 0111): `@ttl(5.minutes)`,
863 /// `@indexed(by: orderId)`. Parsed in declaration order (after the kind,
864 /// before the initialiser); the checker validates names against the closed
865 /// registry and gates each to the slice that implements it.
866 pub annotations: Vec<Annotation>,
867 /// The fresh-key initial value (`= expr`), if given — same disposition as a
868 /// `state` field's initialiser (ADRs 0003/0004 carry forward).
869 pub init: Option<Expr>,
870 pub documentation: Option<String>,
871 pub span: Span,
872 pub trivia: Trivia,
873}
874
875/// A storage annotation on a `store` field (v0.85, storage track; ADR 0111):
876/// `@<name>(<args>)`. The `name` is matched against the closed registry
877/// (`@indexed`/`@ttl`/`@retain`/`@bounded`) by the checker; the grammar accepts
878/// any identifier so an unknown name is a checker diagnostic, not a parse error.
879/// Arguments are compile-time metadata, restricted to literals (and the `by:`
880/// field-name labels of `@indexed`) by the checker per ADR 0111 D4.
881#[derive(Debug, Clone)]
882pub struct Annotation {
883 pub name: Ident,
884 pub args: Vec<AnnotationArg>,
885 pub span: Span,
886}
887
888/// A single annotation argument (v0.85; ADR 0111): an optional `label:` followed
889/// by a value expression — `by: orderId` (labelled) or `5.minutes` (positional).
890/// The value is parsed as an ordinary [`Expr`] so the duration-literal form
891/// (`5.minutes`, landing with the `Duration` slice) needs no special grammar;
892/// the checker restricts it to a literal where the annotation is functional.
893#[derive(Debug, Clone)]
894pub struct AnnotationArg {
895 pub label: Option<Ident>,
896 pub value: Expr,
897 pub span: Span,
898}
899
900/// A storage kind applied to its element type(s) (v0.81): `Cell[Int]`,
901/// `Map[ReservationId, Reservation]`. The `head` is the kind name (`Cell`,
902/// `Map`, `Set`, `Log`, `Queue`, `Cache`); the checker validates it against the
903/// closed catalogue. Element types are ordinary [`TypeRef`]s. Refined element
904/// types (`Cell[Int where NonNegative]`) ride a later slice (parse_type_ref does
905/// not yet accept an inline refinement in type-argument position).
906#[derive(Debug, Clone)]
907pub struct StoreKind {
908 pub head: Ident,
909 pub args: Vec<TypeRef>,
910 pub span: Span,
911}
912
913/// An agent invariant (v0.80 §14). A named predicate over the agent's state
914/// fields that must hold of every committed state; a commit that would violate
915/// it faults (`InvariantViolation`) before the state is persisted. The
916/// predicate references state fields by bare name, mirroring the design-notes
917/// worked examples (`status == Paid implies paymentRef.isSome()`).
918#[derive(Debug, Clone)]
919pub struct Invariant {
920 pub name: Ident,
921 /// The predicate expression — an ordinary `Bool`-typed expression over the
922 /// state fields, plus `implies` and `is`. The parsed-predicate-on-a-
923 /// declaration shape mirrors [`ActorRefinement::predicate`].
924 pub predicate: Expr,
925 pub documentation: Option<String>,
926 pub span: Span,
927 pub trivia: Trivia,
928}
929
930/// An agent step invariant (v0.116 §, testing track slice 4). A named predicate
931/// over the *pair* of committed states — the pre-commit `old` and the proposed
932/// `new`, each the agent's state record — that must hold of every state move; a
933/// commit that would violate it faults (`InvariantViolation`) before the state is
934/// persisted, exactly as a snapshot [`Invariant`] does. Widens the invariant
935/// subject from a snapshot to a step (ADR 0144 — one predicate surface); the
936/// predicate reuses the invariant surface (`implies`/`is`/pure methods) with
937/// `old`/`new` bound contextually (`old.status is Paid implies new.status is
938/// Paid`).
939#[derive(Debug, Clone)]
940pub struct Transition {
941 pub name: Ident,
942 /// The predicate expression — an ordinary `Bool`-typed expression over the
943 /// `old` and `new` state records, with `implies`/`is` and pure methods,
944 /// mirroring [`Invariant`].
945 pub predicate: Expr,
946 pub documentation: Option<String>,
947 pub span: Span,
948 pub trivia: Trivia,
949}
950
951/// A function contract clause (v0.115 §, testing track slice 3). A named
952/// predicate on a `fn` signature — a `requires` (precondition) or `ensures`
953/// (postcondition). A contract is the invariant predicate attached to a
954/// function (ADR 0144 — one predicate surface): the predicate is a pure `Bool`
955/// expression over the parameters (`requires`) or the parameters plus `result`
956/// (`ensures`), with `implies`/`is` and pure methods, mirroring [`Invariant`].
957/// The name rides the failure report and the redundant-test dedup.
958#[derive(Debug, Clone)]
959pub struct Contract {
960 pub name: Ident,
961 /// The predicate expression — an ordinary `Bool`-typed expression over the
962 /// parameters (and, for an `ensures`, the contextual `result` binding).
963 pub predicate: Expr,
964 pub span: Span,
965}
966
967/// An actor declaration (v0.45 §3.7). An actor is a nominal *contract type*
968/// describing an external party at a boundary — not a runnable entity. A
969/// handler consumes an actor on its `by` clause; the boundary verifies the
970/// declared `auth` scheme and mints a sealed identity (`name.identity`).
971#[derive(Debug, Clone)]
972pub struct ActorDecl {
973 pub name: Ident,
974 /// The authentication scheme from `auth = <Scheme>`, stored as the raw
975 /// identifier. The checker classifies it: `None`/`Internal`/`Bearer` are
976 /// admitted; `Signature` is reserved-and-rejected
977 /// (`bynk.actor.scheme_unsupported`); anything else is
978 /// `bynk.actor.unknown_scheme`. `None` for the refinement form.
979 pub auth: Option<Ident>,
980 /// The scheme's keyed config from `auth = Scheme(key = value, …)` (v0.47
981 /// `Bearer(secret = "…")`; v0.51 generalised for `Signature(secret, header,
982 /// timestamp?, tolerance?)`). Empty for schemes/forms with no config. The
983 /// checker validates which keys each scheme requires/allows.
984 pub auth_config: Vec<SchemeArg>,
985 /// The optional identity type from `, identity = <T>`. Absent ⇒ the
986 /// scheme default (`()` for `None`; a sealed `CallerId` for the `Internal`
987 /// `on call` channel, `()` for other `Internal` channels).
988 pub identity: Option<TypeRef>,
989 /// The reserved-and-rejected refinement form `actor Admin = Base where p`
990 /// (Q3). Parsed so the grammar is fixed now; the checker emits
991 /// `bynk.actor.refinement_unsupported`.
992 pub refinement: Option<ActorRefinement>,
993 pub documentation: Option<String>,
994 pub span: Span,
995 pub trivia: Trivia,
996}
997
998impl ActorDecl {
999 /// The value of a scheme config arg by key, if present (e.g. `secret`,
1000 /// `header`).
1001 pub fn scheme_arg(&self, key: &str) -> Option<&SchemeArg> {
1002 self.auth_config.iter().find(|a| a.key.name == key)
1003 }
1004}
1005
1006/// One `key = value` argument in a scheme config (`Scheme(key = value, …)`).
1007#[derive(Debug, Clone)]
1008pub struct SchemeArg {
1009 pub key: Ident,
1010 pub value: SchemeArgValue,
1011 /// Span of the value, for diagnostics.
1012 pub span: Span,
1013}
1014
1015/// A scheme config arg value — a string literal or an integer.
1016#[derive(Debug, Clone)]
1017pub enum SchemeArgValue {
1018 Str(String),
1019 Int(i64),
1020}
1021
1022impl SchemeArgValue {
1023 pub fn as_str(&self) -> Option<&str> {
1024 match self {
1025 SchemeArgValue::Str(s) => Some(s),
1026 SchemeArgValue::Int(_) => None,
1027 }
1028 }
1029 pub fn as_int(&self) -> Option<i64> {
1030 match self {
1031 SchemeArgValue::Int(n) => Some(*n),
1032 SchemeArgValue::Str(_) => None,
1033 }
1034 }
1035}
1036
1037/// The reserved refinement form `actor Admin = User where <predicate>` (Q3).
1038/// Parsed in Foundations so the grammar is fixed; admission is a later slice.
1039#[derive(Debug, Clone)]
1040pub struct ActorRefinement {
1041 /// The base actor being refined.
1042 pub base: Ident,
1043 /// The `where` predicate. Parsed but not yet checked.
1044 pub predicate: Expr,
1045 pub span: Span,
1046}
1047
1048/// The `by (<binder>:)? <Actor>` clause on a handler (v0.45; binder optional in
1049/// v0.50). Names the actor contract the handler consumes; when a `binder` is
1050/// given, the verified identity binds to it and is read as `binder.identity`.
1051/// Omitting the binder (`by <Actor>`) declares-and-verifies the contract without
1052/// capturing the identity — for anonymous or verify-and-discard handlers. Sits
1053/// after the protocol config and before the parameters.
1054#[derive(Debug, Clone)]
1055pub struct ByClause {
1056 /// The identity binder, if the handler consumes the identity. `None` for the
1057 /// binder-less `by <Actor>` form. Required when `actors` names more than one
1058 /// (a sum is resolved by matching on the bound actor).
1059 pub binder: Option<Ident>,
1060 /// The actor contract(s) referenced — each a local actor decl or a prelude
1061 /// actor. A single name is the ordinary single-actor handler; more than one
1062 /// (`by who: A | B`, v0.52) is an **ordered sum of peer actors** resolved
1063 /// first-wins, the body matching on the resolved actor. Always non-empty.
1064 pub actors: Vec<Ident>,
1065 pub span: Span,
1066}
1067
1068impl ByClause {
1069 /// The first (and, for a single-actor handler, only) actor contract named.
1070 pub fn primary(&self) -> &Ident {
1071 &self.actors[0]
1072 }
1073 /// Whether this `by` clause names an ordered sum of peer actors (`A | B`).
1074 pub fn is_sum(&self) -> bool {
1075 self.actors.len() > 1
1076 }
1077}
1078
1079/// A handler block — `on call(args) -> T given C1, C2 { body }`.
1080/// Used by both services and agents.
1081#[derive(Debug, Clone)]
1082pub struct Handler {
1083 pub kind: HandlerKind,
1084 /// Handler-position annotations (v0.140, ADR 0163): `@cache(maxAge: 5.minutes)`
1085 /// written immediately before `on <METHOD>(…)`. Reuses the [`Annotation`] AST
1086 /// shared with `store` fields (ADR 0111); the grammar accepts any `@name(args)`
1087 /// so an unknown name is a project-validation diagnostic, not a parse error. The
1088 /// first handler-position annotation surface — empty for every handler that
1089 /// carries none.
1090 pub annotations: Vec<Annotation>,
1091 /// For agent handlers, the method-style handler name (e.g.
1092 /// `on call addItem(...)`). For service handlers, this is None (just
1093 /// `on call(...)`).
1094 pub method_name: Option<Ident>,
1095 /// The `by <binder>: <Actor>` clause (v0.45), if present. Service handlers
1096 /// only; an absent clause inherits the protocol's default actor.
1097 pub by_clause: Option<ByClause>,
1098 pub params: Vec<Param>,
1099 pub return_type: TypeRef,
1100 pub given: Vec<CapRef>,
1101 pub body: Block,
1102 pub documentation: Option<String>,
1103 pub span: Span,
1104 pub trivia: Trivia,
1105}
1106
1107#[derive(Debug, Clone, PartialEq, Eq)]
1108pub enum HandlerKind {
1109 /// `on call(...)` — typed RPC (the only kind in v0.5).
1110 Call,
1111 /// `on http METHOD "path"` — external-facing HTTP route (v0.9).
1112 Http { method: HttpMethod, path: String },
1113 /// `on cron "expr"` — scheduled task; `expr` is a 5-field cron
1114 /// expression (v0.10a).
1115 Cron { expr: String },
1116 /// `on message(m: T)` — a message off the service's bound queue. The queue
1117 /// binding lives on the service's `ServiceProtocol::Queue` (v0.44).
1118 Message,
1119 /// `on open ...` — the WebSocket upgrade handler (v0.103, real-time track
1120 /// slice 3). Exactly one per `from WebSocket` service; carries a mandatory
1121 /// `by` clause (edge auth) and receives a fresh owned `Connection[out]`.
1122 Open,
1123 /// `on close ...` — the WebSocket close handler (v0.106, real-time track slice
1124 /// 3b-iii). Optional, ≤1 per `from WebSocket` service; runs when the socket
1125 /// closes. Like `on open`, edge-authenticated (`by`), with the identity/params
1126 /// recovered from the socket attachment (set at `on open`). (A `from WebSocket`
1127 /// `on message` reuses [`HandlerKind::Message`], disambiguated by the protocol.)
1128 Close,
1129}
1130
1131/// HTTP methods supported by `on http` handlers (v0.9).
1132#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
1133pub enum HttpMethod {
1134 Get,
1135 Post,
1136 Put,
1137 Patch,
1138 Delete,
1139}
1140
1141impl HttpMethod {
1142 pub fn as_str(self) -> &'static str {
1143 match self {
1144 HttpMethod::Get => "GET",
1145 HttpMethod::Post => "POST",
1146 HttpMethod::Put => "PUT",
1147 HttpMethod::Patch => "PATCH",
1148 HttpMethod::Delete => "DELETE",
1149 }
1150 }
1151
1152 pub fn from_ident(s: &str) -> Option<HttpMethod> {
1153 match s {
1154 "GET" => Some(HttpMethod::Get),
1155 "POST" => Some(HttpMethod::Post),
1156 "PUT" => Some(HttpMethod::Put),
1157 "PATCH" => Some(HttpMethod::Patch),
1158 "DELETE" => Some(HttpMethod::Delete),
1159 _ => None,
1160 }
1161 }
1162
1163 /// True if this method conventionally has no request body.
1164 pub fn forbids_body(self) -> bool {
1165 matches!(self, HttpMethod::Get | HttpMethod::Delete)
1166 }
1167}
1168
1169/// Payload shape of an `HttpResult[T]` variant (v0.9 §3.3).
1170#[derive(Debug, Clone, Copy, PartialEq, Eq)]
1171pub enum HttpVariantPayload {
1172 /// No payload (e.g. `NoContent`, `Unauthorized`).
1173 None,
1174 /// Carries a value of the `HttpResult` type parameter `T`.
1175 Value,
1176 /// Carries a `String` message (e.g. `BadRequest`, `Conflict`).
1177 Message,
1178 /// Carries a `String` target URL, emitted as a `Location` header — the
1179 /// redirect variants (`Found`, `SeeOther`, `PermanentRedirect`, …).
1180 Location,
1181 /// Carries a `Stream[String]`, emitted as an SSE (`text/event-stream`)
1182 /// streaming body — the `Streaming` (200) variant (v0.101, real-time track
1183 /// slice 1).
1184 Streamed,
1185 /// Carries `(body: Bytes, contentType: String)` — the author-owned raw body
1186 /// written straight into the response with the declared `content-type` and
1187 /// **no codec** (the typed-wire guarantee is deliberately off). The `Raw`
1188 /// (200) variant (v0.111); the first two-argument payload shape.
1189 Raw,
1190}
1191
1192/// One variant of the built-in `HttpResult[T]` sum (v0.9 §3.3).
1193#[derive(Debug, Clone, Copy)]
1194pub struct HttpVariant {
1195 pub name: &'static str,
1196 pub payload: HttpVariantPayload,
1197 pub status: u16,
1198}
1199
1200/// All `HttpResult[T]` variants, in declaration order (ascending status). The
1201/// vocabulary tracks the common, modern HTTP status codes (RFC 9110): success
1202/// and created/accepted (`Value`), redirects carrying a `Location` URL, and
1203/// the client/server failures that handlers routinely return (`Message` when
1204/// an explanation helps the caller, `None` for self-describing statuses).
1205pub const HTTP_VARIANTS: &[HttpVariant] = &[
1206 // ── 2xx success ──────────────────────────────────────────────────────
1207 HttpVariant {
1208 name: "Ok",
1209 payload: HttpVariantPayload::Value,
1210 status: 200,
1211 },
1212 // v0.101 (real-time track slice 1): a 200 whose body is a streamed
1213 // `Stream[String]`, SSE-framed. Status precedes the body, so streaming is
1214 // 200-only — pre-stream failures are ordinary variants returned instead.
1215 HttpVariant {
1216 name: "Streaming",
1217 payload: HttpVariantPayload::Streamed,
1218 status: 200,
1219 },
1220 // v0.111: a 200 whose body is an author-owned `Bytes` written straight into
1221 // the response with the declared `content-type` — no codec runs. 200-only,
1222 // like `Streaming`: it serves service-tier raw bodies (`robots.txt`,
1223 // `sitemap.xml`, feeds, a QR PNG), not custom-status error pages.
1224 HttpVariant {
1225 name: "Raw",
1226 payload: HttpVariantPayload::Raw,
1227 status: 200,
1228 },
1229 HttpVariant {
1230 name: "Created",
1231 payload: HttpVariantPayload::Value,
1232 status: 201,
1233 },
1234 HttpVariant {
1235 name: "Accepted",
1236 payload: HttpVariantPayload::Value,
1237 status: 202,
1238 },
1239 HttpVariant {
1240 name: "NoContent",
1241 payload: HttpVariantPayload::None,
1242 status: 204,
1243 },
1244 // ── 3xx redirection (carry a `Location` URL) ─────────────────────────
1245 HttpVariant {
1246 name: "MovedPermanently",
1247 payload: HttpVariantPayload::Location,
1248 status: 301,
1249 },
1250 HttpVariant {
1251 name: "Found",
1252 payload: HttpVariantPayload::Location,
1253 status: 302,
1254 },
1255 HttpVariant {
1256 name: "SeeOther",
1257 payload: HttpVariantPayload::Location,
1258 status: 303,
1259 },
1260 HttpVariant {
1261 name: "TemporaryRedirect",
1262 payload: HttpVariantPayload::Location,
1263 status: 307,
1264 },
1265 HttpVariant {
1266 name: "PermanentRedirect",
1267 payload: HttpVariantPayload::Location,
1268 status: 308,
1269 },
1270 // ── 4xx client error ─────────────────────────────────────────────────
1271 HttpVariant {
1272 name: "BadRequest",
1273 payload: HttpVariantPayload::Message,
1274 status: 400,
1275 },
1276 HttpVariant {
1277 name: "Unauthorized",
1278 payload: HttpVariantPayload::None,
1279 status: 401,
1280 },
1281 HttpVariant {
1282 name: "Forbidden",
1283 payload: HttpVariantPayload::None,
1284 status: 403,
1285 },
1286 HttpVariant {
1287 name: "NotFound",
1288 payload: HttpVariantPayload::None,
1289 status: 404,
1290 },
1291 HttpVariant {
1292 name: "MethodNotAllowed",
1293 payload: HttpVariantPayload::None,
1294 status: 405,
1295 },
1296 HttpVariant {
1297 name: "NotAcceptable",
1298 payload: HttpVariantPayload::None,
1299 status: 406,
1300 },
1301 HttpVariant {
1302 name: "RequestTimeout",
1303 payload: HttpVariantPayload::None,
1304 status: 408,
1305 },
1306 HttpVariant {
1307 name: "Conflict",
1308 payload: HttpVariantPayload::Message,
1309 status: 409,
1310 },
1311 HttpVariant {
1312 name: "Gone",
1313 payload: HttpVariantPayload::None,
1314 status: 410,
1315 },
1316 HttpVariant {
1317 name: "LengthRequired",
1318 payload: HttpVariantPayload::None,
1319 status: 411,
1320 },
1321 HttpVariant {
1322 name: "PayloadTooLarge",
1323 payload: HttpVariantPayload::Message,
1324 status: 413,
1325 },
1326 HttpVariant {
1327 name: "UnsupportedMediaType",
1328 payload: HttpVariantPayload::Message,
1329 status: 415,
1330 },
1331 HttpVariant {
1332 name: "UnprocessableEntity",
1333 payload: HttpVariantPayload::Message,
1334 status: 422,
1335 },
1336 HttpVariant {
1337 name: "TooManyRequests",
1338 payload: HttpVariantPayload::Message,
1339 status: 429,
1340 },
1341 HttpVariant {
1342 name: "UnavailableForLegalReasons",
1343 payload: HttpVariantPayload::Message,
1344 status: 451,
1345 },
1346 // ── 5xx server error ─────────────────────────────────────────────────
1347 HttpVariant {
1348 name: "ServerError",
1349 payload: HttpVariantPayload::Message,
1350 status: 500,
1351 },
1352 HttpVariant {
1353 name: "NotImplemented",
1354 payload: HttpVariantPayload::Message,
1355 status: 501,
1356 },
1357 HttpVariant {
1358 name: "BadGateway",
1359 payload: HttpVariantPayload::Message,
1360 status: 502,
1361 },
1362 HttpVariant {
1363 name: "ServiceUnavailable",
1364 payload: HttpVariantPayload::Message,
1365 status: 503,
1366 },
1367 HttpVariant {
1368 name: "GatewayTimeout",
1369 payload: HttpVariantPayload::Message,
1370 status: 504,
1371 },
1372];
1373
1374/// Find an `HttpResult[T]` variant by name. Returns the variant info or
1375/// `None` if the name doesn't match.
1376pub fn http_variant(name: &str) -> Option<HttpVariant> {
1377 HTTP_VARIANTS.iter().copied().find(|v| v.name == name)
1378}
1379
1380/// Payload shape of a `QueueResult` variant (v0.44). Non-generic — a verdict
1381/// carries no value; `Retry` carries a `String` reason for the log path.
1382#[derive(Debug, Clone, Copy, PartialEq, Eq)]
1383pub enum QueueVariantPayload {
1384 /// No payload (`Ack`).
1385 None,
1386 /// Carries a `String` reason (`Retry`).
1387 Message,
1388}
1389
1390/// One variant of the built-in `QueueResult` sum (v0.44).
1391#[derive(Debug, Clone, Copy)]
1392pub struct QueueVariant {
1393 pub name: &'static str,
1394 pub payload: QueueVariantPayload,
1395}
1396
1397/// All `QueueResult` variants, in declaration order. `Ack` confirms the
1398/// message; `Retry` redelivers it, carrying a reason for observability.
1399pub const QUEUE_VARIANTS: &[QueueVariant] = &[
1400 QueueVariant {
1401 name: "Ack",
1402 payload: QueueVariantPayload::None,
1403 },
1404 QueueVariant {
1405 name: "Retry",
1406 payload: QueueVariantPayload::Message,
1407 },
1408];
1409
1410/// Find a `QueueResult` variant by name.
1411pub fn queue_variant(name: &str) -> Option<QueueVariant> {
1412 QUEUE_VARIANTS.iter().copied().find(|v| v.name == name)
1413}
1414
1415#[derive(Debug, Clone)]
1416pub struct TypeDecl {
1417 pub name: Ident,
1418 pub body: TypeBody,
1419 /// Documentation block attached to this declaration (v0.3).
1420 pub documentation: Option<String>,
1421 pub span: Span,
1422 pub trivia: Trivia,
1423}
1424
1425/// The right-hand side of a `type` declaration. In v0/v0.1 only the
1426/// `Refined` variant existed; v0.2 adds records and sums; v0.3 adds opaque.
1427#[derive(Debug, Clone)]
1428pub enum TypeBody {
1429 /// Refined base type: `BaseType where refinement`.
1430 Refined {
1431 base: BaseType,
1432 base_span: Span,
1433 refinement: Option<Refinement>,
1434 },
1435 /// Record type: `{ field: T where ..., ... }`.
1436 Record(RecordBody),
1437 /// Sum type: pipe-form variants or `enum { ... }` shorthand.
1438 Sum(SumBody),
1439 /// Opaque base type: `opaque BaseType (where refinement)?` (v0.3 §3.4).
1440 /// Identity is nominal; the base type is hidden outside the defining commons.
1441 Opaque {
1442 base: BaseType,
1443 base_span: Span,
1444 refinement: Option<Refinement>,
1445 },
1446}
1447
1448/// Body of a record-type declaration (v0.2 §3.1).
1449#[derive(Debug, Clone)]
1450pub struct RecordBody {
1451 pub fields: Vec<RecordField>,
1452 pub span: Span,
1453}
1454
1455/// One field of a record type declaration. Each field may carry inline
1456/// refinement, which is enforced at construction time on the field's value.
1457#[derive(Debug, Clone)]
1458pub struct RecordField {
1459 pub name: Ident,
1460 pub type_ref: TypeRef,
1461 pub refinement: Option<Refinement>,
1462 /// v0.11: an optional initial-value expression. Only meaningful on agent
1463 /// `state` fields (the field's fresh-key value); ignored / rejected on
1464 /// record-type fields by the checker.
1465 pub init: Option<Expr>,
1466 pub span: Span,
1467}
1468
1469/// Body of a sum-type declaration (v0.2 §3.2).
1470#[derive(Debug, Clone)]
1471pub struct SumBody {
1472 pub variants: Vec<Variant>,
1473 pub span: Span,
1474}
1475
1476/// One variant of a sum type. Variants may have payload fields; a
1477/// payload-less variant is a simple tag.
1478#[derive(Debug, Clone)]
1479pub struct Variant {
1480 pub name: Ident,
1481 pub payload: Vec<VariantField>,
1482 pub span: Span,
1483}
1484
1485/// One payload field of a sum variant. Variant payload fields use named
1486/// declarations like record fields, but do not carry refinement in v0.2.
1487#[derive(Debug, Clone)]
1488pub struct VariantField {
1489 pub name: Ident,
1490 pub type_ref: TypeRef,
1491 pub span: Span,
1492}
1493
1494#[derive(Debug, Clone, Copy, PartialEq, Eq)]
1495pub enum BaseType {
1496 Int,
1497 String,
1498 Bool,
1499 Float,
1500 /// `Duration` (v0.86, ADR 0112) — a span of time, a distinct base type
1501 /// erased to TS `number` carrying milliseconds (the `Clock` unit). Modelled
1502 /// on `Float`: Bynk-side-only, no implicit `Int` coercion (save the one
1503 /// sanctioned clock-math mix).
1504 Duration,
1505 /// `Instant` (v0.90, ADR 0114) — an absolute point in time, a distinct base
1506 /// type erased to TS `number` carrying Unix epoch milliseconds (the
1507 /// `Clock` unit). No literal (minted by `Clock.now()`); arithmetic composes
1508 /// with `Duration` (`Instant ± Duration -> Instant`, `Instant − Instant ->
1509 /// Duration`). Supersedes ADR 0112 D4's `Int`↔`Duration` clock-math mix.
1510 Instant,
1511 /// `Bytes` (v0.110, ADR 0142) — an immutable finite octet sequence, the
1512 /// seventh base type. Unlike its neighbours it does **not** erase to TS
1513 /// `number`: a `Bytes` lowers to a `Uint8Array`. No source literal
1514 /// (constructed via `Bytes.fromUtf8`/`fromBase64`/`empty`); `==` compares
1515 /// by content (real emitter codegen, not host `===`); wires as a base64
1516 /// JSON string; not `Map`-keyable and not orderable.
1517 Bytes,
1518}
1519
1520impl BaseType {
1521 pub fn name(self) -> &'static str {
1522 match self {
1523 BaseType::Int => "Int",
1524 BaseType::String => "String",
1525 BaseType::Bool => "Bool",
1526 BaseType::Float => "Float",
1527 BaseType::Duration => "Duration",
1528 BaseType::Instant => "Instant",
1529 BaseType::Bytes => "Bytes",
1530 }
1531 }
1532}
1533
1534/// A `Duration` literal unit (v0.86, ADR 0112) — the closed set of suffixes in a
1535/// `<int>.<unit>` literal. Each maps to a fixed millisecond factor (`Duration`
1536/// erases to `Int` milliseconds).
1537#[derive(Debug, Clone, Copy, PartialEq, Eq)]
1538pub enum DurationUnit {
1539 Milliseconds,
1540 Seconds,
1541 Minutes,
1542 Hours,
1543 Days,
1544}
1545
1546impl DurationUnit {
1547 /// Resolve a unit name (`minutes`) to its variant, or `None` if it is not one
1548 /// of the closed set. Used by the parser to recognise an `<int>.<unit>`
1549 /// literal; an unrecognised name leaves the expression a field access.
1550 pub fn from_name(name: &str) -> Option<Self> {
1551 Some(match name {
1552 "milliseconds" => DurationUnit::Milliseconds,
1553 "seconds" => DurationUnit::Seconds,
1554 "minutes" => DurationUnit::Minutes,
1555 "hours" => DurationUnit::Hours,
1556 "days" => DurationUnit::Days,
1557 _ => return None,
1558 })
1559 }
1560
1561 /// The unit name as written.
1562 pub fn name(self) -> &'static str {
1563 match self {
1564 DurationUnit::Milliseconds => "milliseconds",
1565 DurationUnit::Seconds => "seconds",
1566 DurationUnit::Minutes => "minutes",
1567 DurationUnit::Hours => "hours",
1568 DurationUnit::Days => "days",
1569 }
1570 }
1571
1572 /// The unit's value in milliseconds.
1573 pub fn millis(self) -> i64 {
1574 match self {
1575 DurationUnit::Milliseconds => 1,
1576 DurationUnit::Seconds => 1_000,
1577 DurationUnit::Minutes => 60_000,
1578 DurationUnit::Hours => 3_600_000,
1579 DurationUnit::Days => 86_400_000,
1580 }
1581 }
1582}
1583
1584/// An integer refinement bound (v0.40, ADR 0073): the parsed value plus the
1585/// bound's source span (covering a leading `-`). Value-only beyond the span —
1586/// ints have one canonical printed form, so the formatter stays idempotent
1587/// without a stored lexeme. The span backs the `InRange`-swap quick-fix.
1588#[derive(Debug, Clone)]
1589pub struct IntBound {
1590 pub value: i64,
1591 pub span: Span,
1592}
1593
1594/// A float refinement bound (v0.21): the parsed value plus the signed source
1595/// lexeme (for byte-stable emission). v0.40 (ADR 0073): also the source span,
1596/// for the `InRange`-swap quick-fix.
1597#[derive(Debug, Clone)]
1598pub struct FloatBound {
1599 pub value: f64,
1600 pub lexeme: String,
1601 pub span: Span,
1602}
1603
1604#[derive(Debug, Clone)]
1605pub struct Refinement {
1606 pub predicates: Vec<RefinementPred>,
1607 pub span: Span,
1608}
1609
1610#[derive(Debug, Clone)]
1611pub struct RefinementPred {
1612 pub kind: PredKind,
1613 pub span: Span,
1614}
1615
1616#[derive(Debug, Clone)]
1617pub enum PredKind {
1618 Matches(String),
1619 InRange(IntBound, IntBound),
1620 /// `InRange` with float bounds (v0.21) — a separate variant so every
1621 /// `Int` refinement path stays untouched. Bounds keep their source
1622 /// lexemes (including any sign) so emitted runtime checks are
1623 /// byte-stable.
1624 InRangeF(FloatBound, FloatBound),
1625 MinLength(i64),
1626 MaxLength(i64),
1627 Length(i64),
1628 NonNegative,
1629 Positive,
1630 NonEmpty,
1631}
1632
1633impl PredKind {
1634 pub fn name(&self) -> &'static str {
1635 match self {
1636 PredKind::Matches(_) => "Matches",
1637 PredKind::InRange(..) | PredKind::InRangeF(..) => "InRange",
1638 PredKind::MinLength(_) => "MinLength",
1639 PredKind::MaxLength(_) => "MaxLength",
1640 PredKind::Length(_) => "Length",
1641 PredKind::NonNegative => "NonNegative",
1642 PredKind::Positive => "Positive",
1643 PredKind::NonEmpty => "NonEmpty",
1644 }
1645 }
1646}
1647
1648/// A function type parameter (v0.20a, `fn name[A, B](…)`). A struct rather
1649/// than a bare Ident so the ADR-0028 "bound-capable" promise is a later field
1650/// addition, not a representation change.
1651#[derive(Debug, Clone)]
1652pub struct TypeParam {
1653 pub name: Ident,
1654 pub span: Span,
1655}
1656
1657/// A lambda expression (v0.20a): `(params) => expr` or `(params) => { … }`.
1658/// `=>` is the value arrow (shared with `match`); param annotations are
1659/// optional where an expected function type supplies them.
1660#[derive(Debug, Clone)]
1661pub struct LambdaExpr {
1662 pub params: Vec<LambdaParam>,
1663 pub body: Box<Expr>,
1664 pub span: Span,
1665}
1666
1667/// A lambda parameter. A separate type from [`Param`] because its annotation
1668/// is optional — `Param.type_ref` stays mandatory at every signature site.
1669#[derive(Debug, Clone)]
1670pub struct LambdaParam {
1671 pub name: Ident,
1672 pub type_ref: Option<TypeRef>,
1673 pub span: Span,
1674}
1675
1676#[derive(Debug, Clone)]
1677pub struct FnDecl {
1678 /// v0.20a: `[A, B]` type parameters; empty for non-generic functions.
1679 pub type_params: Vec<TypeParam>,
1680 /// Free function or method (`TypeName.methodName`). See [`FnName`].
1681 pub name: FnName,
1682 pub params: Vec<Param>,
1683 pub return_type: TypeRef,
1684 /// v0.115: preconditions (`requires <name>: <pred>`), parsed between the
1685 /// return type and the body. A contract clause is the invariant predicate
1686 /// attached to a function (ADR 0144 — one predicate surface); `requires`
1687 /// scopes over the parameters only.
1688 pub requires: Vec<Contract>,
1689 /// v0.115: postconditions (`ensures <name>: <pred>`). Scopes over the
1690 /// parameters *and* `result`, the contextual binding for the return value.
1691 pub ensures: Vec<Contract>,
1692 pub body: Block,
1693 /// True when the first parameter is the special `self` parameter. Only
1694 /// valid for method declarations.
1695 pub has_self: bool,
1696 /// Documentation block attached to this declaration (v0.3).
1697 pub documentation: Option<String>,
1698 pub span: Span,
1699 pub trivia: Trivia,
1700}
1701
1702/// A function-declaration name: either a free function `f` or a method
1703/// `T.method` (v0.2 §3.6).
1704#[derive(Debug, Clone)]
1705pub enum FnName {
1706 /// `fn name(...)` — a free function.
1707 Free(Ident),
1708 /// `fn TypeName.methodName(...)` — a method attached to a type.
1709 Method {
1710 type_name: Ident,
1711 method_name: Ident,
1712 },
1713}
1714
1715impl FnName {
1716 /// The function's short name for diagnostics. For methods returns the
1717 /// method portion only; the type prefix is recovered via `type_name`.
1718 pub fn ident(&self) -> &Ident {
1719 match self {
1720 FnName::Free(id) => id,
1721 FnName::Method { method_name, .. } => method_name,
1722 }
1723 }
1724
1725 /// For methods, the attached type's identifier; `None` for free fns.
1726 pub fn type_name(&self) -> Option<&Ident> {
1727 match self {
1728 FnName::Free(_) => None,
1729 FnName::Method { type_name, .. } => Some(type_name),
1730 }
1731 }
1732
1733 /// The displayed full name (e.g., `Money.add` or `parseSku`).
1734 pub fn display(&self) -> String {
1735 match self {
1736 FnName::Free(id) => id.name.clone(),
1737 FnName::Method {
1738 type_name,
1739 method_name,
1740 } => format!("{}.{}", type_name.name, method_name.name),
1741 }
1742 }
1743}
1744
1745/// A brace-delimited block of statements ending in a tail expression
1746/// whose value is the block's value (spec v0.1 §3.1).
1747#[derive(Debug, Clone)]
1748pub struct Block {
1749 pub statements: Vec<Statement>,
1750 pub tail: Box<Expr>,
1751 pub span: Span,
1752 /// Line comments that appear between the last statement (or the
1753 /// opening brace) and the tail expression. Preserved here because
1754 /// expressions do not carry trivia in v1.1.
1755 pub tail_leading_comments: Vec<String>,
1756}
1757
1758/// Block-level statement.
1759#[derive(Debug, Clone)]
1760pub enum Statement {
1761 /// `let name (: T)? = expr` — pure binding (v0.1).
1762 Let(LetStmt),
1763 /// `let name (: T)? <- expr` — effectful binding (v0.5).
1764 EffectLet(LetStmt),
1765 /// `expect expr` — verify a Bool predicate at test runtime (v0.7; renamed
1766 /// from `assert` in v0.112). Only valid inside test case bodies.
1767 Expect(ExpectStmt),
1768 /// `~> expr` — an asynchronous fire-and-forget send (v0.79). The caller does
1769 /// not await the reply; legal only when the reply is `Effect[()]`. No binder.
1770 Send(SendStmt),
1771 /// `name := expr` — a `Cell` store write (v0.81, storage track). The
1772 /// unconditional write form; `.update(fn)` (a method call) is the
1773 /// read-modify-write form. ADR 0108.
1774 Assign(AssignStmt),
1775}
1776
1777impl Statement {
1778 pub fn span(&self) -> Span {
1779 match self {
1780 Statement::Let(l) | Statement::EffectLet(l) => l.span,
1781 Statement::Expect(a) => a.span,
1782 Statement::Send(s) => s.span,
1783 Statement::Assign(a) => a.span,
1784 }
1785 }
1786}
1787
1788#[derive(Debug, Clone)]
1789pub struct ExpectStmt {
1790 pub value: Expr,
1791 pub span: Span,
1792 pub trivia: Trivia,
1793}
1794
1795/// `name := expr` — a `Cell` store write (v0.81, storage track). `target` is the
1796/// `Cell` field being written (a bare name for now; the checker resolves it to a
1797/// `store` field). `value` is the new value.
1798#[derive(Debug, Clone)]
1799pub struct AssignStmt {
1800 pub target: Ident,
1801 pub value: Expr,
1802 pub span: Span,
1803 pub trivia: Trivia,
1804}
1805
1806#[derive(Debug, Clone)]
1807pub struct LetStmt {
1808 pub name: Ident,
1809 pub type_annot: Option<TypeRef>,
1810 pub value: Expr,
1811 pub span: Span,
1812 pub trivia: Trivia,
1813}
1814
1815#[derive(Debug, Clone)]
1816pub struct SendStmt {
1817 /// The send target — a recipient call, e.g. `Logger.info(msg)`.
1818 pub value: Expr,
1819 pub span: Span,
1820 pub trivia: Trivia,
1821}
1822
1823#[derive(Debug, Clone)]
1824pub struct Param {
1825 pub name: Ident,
1826 pub type_ref: TypeRef,
1827 pub span: Span,
1828}
1829
1830#[derive(Debug, Clone)]
1831pub enum TypeRef {
1832 Base(BaseType, Span),
1833 Named(Ident),
1834 /// `Result[T, E]` — the built-in generic Result type (v0.1).
1835 Result(Box<TypeRef>, Box<TypeRef>, Span),
1836 /// `Option[T]` — the built-in generic Option type (v0.2).
1837 Option(Box<TypeRef>, Span),
1838 /// `Effect[T]` — the built-in generic Effect type (v0.5).
1839 Effect(Box<TypeRef>, Span),
1840 /// `HttpResult[T]` — the built-in HTTP-result sum (v0.9).
1841 HttpResult(Box<TypeRef>, Span),
1842 /// `QueueResult` — the built-in queue verdict sum (`Ack | Retry`),
1843 /// non-generic; the required return of a queue handler (v0.44).
1844 QueueResult(Span),
1845 /// `List[T]` — the built-in generic immutable list type (v0.20b).
1846 List(Box<TypeRef>, Span),
1847 /// `Map[K, V]` — the built-in generic immutable map type (v0.20b).
1848 /// Keys are confined to value-keyable types
1849 /// (`bynk.types.unkeyable_map_key`).
1850 Map(Box<TypeRef>, Box<TypeRef>, Span),
1851 /// `Query[T]` — the built-in lazy storage-read description (v0.91, ADR 0115).
1852 /// Nameable in a pure helper's return type; non-storable and non-boundary
1853 /// (like `Effect`/`Fn`).
1854 Query(Box<TypeRef>, Span),
1855 /// `Stream[T]` — the value-over-time primitive (v0.100, real-time track
1856 /// slice 0). A lazy, pull-shaped sequence produced over time; non-storable
1857 /// and non-boundary (like `Query`/`Effect`/`Fn`).
1858 Stream(Box<TypeRef>, Span),
1859 /// `Connection[F]` — a held WebSocket connection (v0.102, real-time track
1860 /// slice 2). `F` is the server→client frame type. A `Held` resource:
1861 /// non-serialisable, non-boundary, and governed by the linearity discipline
1862 /// (§2.9); storable only in `Cell[Option[Connection]]` / `Map[K, Connection]`.
1863 Connection(Box<TypeRef>, Span),
1864 /// `History[Agent]` — a generated, driven call-history of an agent (v0.119,
1865 /// testing track slice 7, ADR 0155). A test-only generator, legal only in
1866 /// `for all` binding position inside a `property`; it is not a value type,
1867 /// so it never resolves in a field/param/return position. The bound subject
1868 /// behaves as an ordinary `List[Step]`.
1869 History(Box<TypeRef>, Span),
1870 /// `ValidationError` — the built-in error type used by refined-type
1871 /// constructors (v0.1).
1872 ValidationError(Span),
1873 /// `JsonError` — the built-in JSON-decode error type (v0.22b). A
1874 /// uniform record (`kind`/`path`/`message`, all `String`) the codec
1875 /// maps `BoundaryError` variants and parse failures into.
1876 JsonError(Span),
1877 /// `()` — the unit type (v0.5).
1878 Unit(Span),
1879 /// `A -> B` / `(A, B) -> C` / `() -> B` — a function type (v0.20a).
1880 /// Right-associative; effectful iff the return type is `Effect[_]`
1881 /// (the structural rule). Confined to non-boundary positions
1882 /// (`bynk.types.function_at_boundary`).
1883 Fn(Vec<TypeRef>, Box<TypeRef>, Span),
1884}
1885
1886impl TypeRef {
1887 pub fn span(&self) -> Span {
1888 match self {
1889 TypeRef::Base(_, s) => *s,
1890 TypeRef::Named(id) => id.span,
1891 TypeRef::Result(_, _, s) => *s,
1892 TypeRef::Option(_, s) => *s,
1893 TypeRef::Effect(_, s) => *s,
1894 TypeRef::HttpResult(_, s) => *s,
1895 TypeRef::QueueResult(s) => *s,
1896 TypeRef::List(_, s) => *s,
1897 TypeRef::Map(_, _, s) => *s,
1898 TypeRef::Query(_, s) => *s,
1899 TypeRef::Stream(_, s) => *s,
1900 TypeRef::Connection(_, s) => *s,
1901 TypeRef::History(_, s) => *s,
1902 TypeRef::ValidationError(s) => *s,
1903 TypeRef::JsonError(s) => *s,
1904 TypeRef::Unit(s) => *s,
1905 TypeRef::Fn(_, _, s) => *s,
1906 }
1907 }
1908}
1909
1910#[derive(Debug, Clone)]
1911pub struct Expr {
1912 pub kind: ExprKind,
1913 pub span: Span,
1914}
1915
1916impl ExprKind {
1917 /// Construct an `IntLit` for a *synthesized* integer — one the compiler
1918 /// invents rather than reading from source (a default `1`, a computed bound).
1919 /// The lexeme is the canonical decimal form (no separators). Source-parsed
1920 /// literals keep their as-written lexeme instead (v0.142, ADR 0166).
1921 pub fn int_lit(value: i64) -> ExprKind {
1922 ExprKind::IntLit {
1923 value,
1924 lexeme: value.to_string(),
1925 }
1926 }
1927}
1928
1929#[derive(Debug, Clone)]
1930pub enum ExprKind {
1931 /// An integer literal (typed `Int`). The lexeme is kept alongside the parsed
1932 /// value (v0.142, ADR 0166) so formatting is byte-stable: an author's `_`
1933 /// digit separators (`1_048_576`) survive a round-trip, mirroring the
1934 /// `FloatLit` treatment. The value is separator-free; emission lowers the
1935 /// value, so emitted output is unaffected.
1936 IntLit {
1937 value: i64,
1938 lexeme: String,
1939 },
1940 /// A float literal (v0.21). The lexeme is kept alongside the parsed
1941 /// value so emission and formatting are byte-stable (`1e10` must not
1942 /// normalise to `10000000000`).
1943 FloatLit {
1944 value: f64,
1945 lexeme: String,
1946 },
1947 /// A duration literal `<int>.<unit>` (v0.86, ADR 0112): `5.minutes`,
1948 /// `30.days`. The parser recognises the `IntLit . <unit>` shape and records
1949 /// the magnitude, the unit, and the resolved milliseconds (the value the
1950 /// emitter lowers to). Typed `Duration`.
1951 DurationLit {
1952 /// The integer magnitude as written (`5` in `5.minutes`).
1953 value: i64,
1954 /// The unit name (`minutes`), one of the closed set.
1955 unit: DurationUnit,
1956 /// The value in milliseconds — `value * unit factor`.
1957 millis: i64,
1958 },
1959 StrLit(String),
1960 /// An interpolated string `"… \(expr) …"` (v0.43, ADR 0075). Chunks and
1961 /// holes alternate. A plain `"…"` with no holes stays [`ExprKind::StrLit`],
1962 /// so existing code and the emitter/formatter fast-path are untouched.
1963 InterpStr(Vec<InterpPart>),
1964 BoolLit(bool),
1965 Ident(Ident),
1966 Call {
1967 name: Ident,
1968 /// v0.20a: explicit type arguments (`name[T](…)`); empty when absent.
1969 type_args: Vec<TypeRef>,
1970 args: Vec<Expr>,
1971 },
1972 /// A lambda (v0.20a). See [`LambdaExpr`].
1973 Lambda(LambdaExpr),
1974 BinOp(BinOp, Box<Expr>, Box<Expr>),
1975 UnaryOp(UnaryOp, Box<Expr>),
1976 Paren(Box<Expr>),
1977 /// `{ stmts; expr }` — block expression (v0.1).
1978 Block(Block),
1979 /// `if cond { then } else { else }` (v0.1).
1980 If {
1981 cond: Box<Expr>,
1982 then_block: Box<Block>,
1983 else_block: Box<Block>,
1984 },
1985 /// `Ok(value)` — Result success constructor (v0.1).
1986 Ok(Box<Expr>),
1987 /// `Err(error)` — Result failure constructor (v0.1).
1988 Err(Box<Expr>),
1989 /// `expr?` — propagation operator (v0.1).
1990 Question(Box<Expr>),
1991 /// `TypeName.method(args)` — qualified static call on a type
1992 /// (v0.1: only refined-type `of`; v0.2: any static method or variant
1993 /// constructor for sum types). The resolver decides which.
1994 ConstructorCall {
1995 type_name: Ident,
1996 method: Ident,
1997 args: Vec<Expr>,
1998 },
1999 /// `TypeName { field: value, ... }` — record construction (v0.2).
2000 RecordConstruction {
2001 type_name: Ident,
2002 fields: Vec<FieldInit>,
2003 },
2004 /// `receiver.field` — field access on a record value (v0.2). v0.3 adds
2005 /// `.raw` on opaque types within the defining commons.
2006 FieldAccess {
2007 receiver: Box<Expr>,
2008 field: Ident,
2009 },
2010 /// `receiver.method(args)` — instance method call (v0.2). The
2011 /// resolver determines the receiver's type and looks up the method.
2012 MethodCall {
2013 receiver: Box<Expr>,
2014 method: Ident,
2015 /// v0.22b: explicit type arguments on a qualified static
2016 /// (`Json.decode[T](…)`); empty when absent. The same-line-`[`
2017 /// rule applies as for `Call` type application (0039).
2018 type_args: Vec<TypeRef>,
2019 args: Vec<Expr>,
2020 },
2021 /// `match disc { arm+ }` — pattern matching (v0.2).
2022 Match {
2023 discriminant: Box<Expr>,
2024 arms: Vec<MatchArm>,
2025 },
2026 /// `expr is pattern` — pattern test, returns Bool (v0.2).
2027 Is {
2028 value: Box<Expr>,
2029 pattern: Pattern,
2030 },
2031 /// `Some(value)` — Option Some constructor (v0.2).
2032 Some(Box<Expr>),
2033 /// `None` — Option None constructor (v0.2).
2034 None,
2035 /// `()` — unit literal (v0.5).
2036 UnitLit,
2037 /// `TypeName { ...base, field: value, ... }` or `{ ...base, ... }` —
2038 /// record spread expression (v0.5).
2039 RecordSpread {
2040 /// Optional type prefix (`TypeName { ...base }`). Absent for the
2041 /// bare form used inside `commit`.
2042 type_name: Option<Ident>,
2043 /// The base record being spread.
2044 base: Box<Expr>,
2045 /// Field overrides (always full `name: value` form — never shorthand).
2046 overrides: Vec<FieldInit>,
2047 },
2048 /// `Effect.pure(value)` — wrap a synchronous value into `Effect[T]`
2049 /// (v0.5). Recognised in the parser as a special-form.
2050 EffectPure(Box<Expr>),
2051 /// `expect expr` — expectation as an expression of type `()` (v0.9.1;
2052 /// renamed from `assert` in v0.112). Valid only inside test bodies. Evaluates
2053 /// `expr` (must be Bool); if false, the surrounding test case fails.
2054 Expect(Box<Expr>),
2055 /// `Val[T]`, `Val[T](args)` — test-context value construction (v0.9.4).
2056 /// `args` is empty for the bare form and holds the pin arguments for
2057 /// `Val[T](...)`. The record-override form `Val[T] { ... }` is not yet
2058 /// parsed. Valid only inside test bodies; has type `T`.
2059 Val {
2060 type_ref: TypeRef,
2061 args: Vec<Expr>,
2062 },
2063 /// `[a, b, c]` — list literal (v0.20b). An empty `[]` requires an
2064 /// expected type (`bynk.types.uninferable_element_type`).
2065 ListLit(Vec<Expr>),
2066 /// An observation over a consumed capability's recorded calls (v0.117,
2067 /// testing track slice 5). The direct subject of an `expect` in a `case`
2068 /// body — `expect Cap.op called once with <pred>`, `expect Cap.op never
2069 /// called`, `expect A.op before B.op`. Types as `Bool` (the claim about the
2070 /// recorded trace), lowered to a boolean over the recorded log.
2071 Observation(ObservationExpr),
2072 /// `trace(Cap.op)` — the bound-trace escape hatch (v0.117, testing track
2073 /// slice 5). Yields the recorded calls of `Cap.op` as a `List[<CallRecord>]`
2074 /// (a synthetic record of the operation's parameters), asserted over with the
2075 /// ordinary value surface. Test-body-only, like [`ExprKind::Val`].
2076 Trace {
2077 cap: Ident,
2078 op: Ident,
2079 },
2080}
2081
2082/// An observation of a capability operation's recorded calls (v0.117, testing
2083/// track slice 5). `cap`/`op` name the seam (`Logger.log`); `matcher` is the
2084/// claim about the recorded calls.
2085#[derive(Debug, Clone)]
2086pub struct ObservationExpr {
2087 pub cap: Ident,
2088 pub op: Ident,
2089 pub matcher: ObservationMatcher,
2090}
2091
2092/// The claim an [`ObservationExpr`] makes about a seam's recorded calls (v0.117).
2093#[derive(Debug, Clone)]
2094pub enum ObservationMatcher {
2095 /// `called` [`once` | `<n> times`]? [`with` `<pred>`]?. `count` is `None`
2096 /// for a bare `called` (at least one); `Some(expr)` is the exact-count claim
2097 /// (a literal; `once` desugars to `1`). `with_pred` matches a call whose
2098 /// arguments (in scope by the operation's parameter names) satisfy it.
2099 Called {
2100 count: Option<Box<Expr>>,
2101 with_pred: Option<Box<Expr>>,
2102 },
2103 /// `never called` — zero calls.
2104 NeverCalled,
2105 /// `before Cap.op` — the first call of the subject precedes the first call
2106 /// of the named operation (both must have occurred).
2107 Before { cap: Ident, op: Ident },
2108}
2109
2110/// One part of an interpolated string (v0.43, ADR 0075). An
2111/// [`ExprKind::InterpStr`] holds an alternating run of these.
2112#[derive(Debug, Clone)]
2113pub enum InterpPart {
2114 /// Literal text between holes, with escapes already resolved.
2115 Chunk(String),
2116 /// An interpolated expression `\(expr)`. Type-checked by the hole rule
2117 /// (base scalars only; see the checker) and lowered into a template-
2118 /// literal `${…}` slot.
2119 Hole(Box<Expr>),
2120}
2121
2122/// One field-initialiser inside a record construction expression:
2123/// either `name: expr` or the shorthand `name` (which requires a binding
2124/// of the same name in scope and uses its value).
2125#[derive(Debug, Clone)]
2126pub struct FieldInit {
2127 pub name: Ident,
2128 /// `None` means shorthand — the field's value is the same-named binding.
2129 pub value: Option<Expr>,
2130 pub span: Span,
2131}
2132
2133/// One arm of a `match` expression: `pattern => body`.
2134#[derive(Debug, Clone)]
2135pub struct MatchArm {
2136 pub pattern: Pattern,
2137 pub body: MatchBody,
2138 pub span: Span,
2139}
2140
2141/// The right-hand side of a match arm — either a single expression or
2142/// a block.
2143#[derive(Debug, Clone)]
2144pub enum MatchBody {
2145 Expr(Expr),
2146 Block(Block),
2147}
2148
2149impl MatchBody {
2150 pub fn span(&self) -> Span {
2151 match self {
2152 MatchBody::Expr(e) => e.span,
2153 MatchBody::Block(b) => b.span,
2154 }
2155 }
2156}
2157
2158/// A pattern (v0.2 §3.8). Patterns appear in `match` arms and as the
2159/// right-hand side of the `is` operator.
2160#[derive(Debug, Clone)]
2161pub enum Pattern {
2162 /// `_` — matches any value, no bindings.
2163 Wildcard(Span),
2164 /// A literal pattern — `31`, `"english"`, `true` (v0.130 §2.3.4). Matches a
2165 /// primitive scrutinee (`Int`/`String`/`Bool`) by value equality. The
2166 /// admitted set mirrors ADR 0001's closed literal set (integers — including
2167 /// a leading unary minus — strings, and booleans); `Float`/`()` are not
2168 /// admitted as patterns.
2169 Literal { value: LiteralValue, span: Span },
2170 /// `Variant` or `Variant(bindings)` or `TypeName.Variant(bindings)`.
2171 Variant {
2172 /// Optional qualifier: `TypeName.Variant`.
2173 type_name: Option<Ident>,
2174 /// The variant name.
2175 variant: Ident,
2176 /// Payload bindings (empty for nullary variants).
2177 bindings: Vec<PatternBinding>,
2178 span: Span,
2179 },
2180}
2181
2182/// The value carried by a [`Pattern::Literal`]. A closed set (ADR 0001):
2183/// integer, string, and boolean. Kept distinct from [`ExprKind`] so patterns
2184/// carry only what they can actually match, and so it is `Eq`/`Hash` for the
2185/// duplicate-arm check.
2186#[derive(Debug, Clone, PartialEq, Eq, Hash)]
2187pub enum LiteralValue {
2188 Int(i64),
2189 Str(String),
2190 Bool(bool),
2191}
2192
2193impl LiteralValue {
2194 /// A human-readable rendering for diagnostics (`31`, `"english"`, `true`).
2195 pub fn describe(&self) -> String {
2196 match self {
2197 LiteralValue::Int(n) => n.to_string(),
2198 LiteralValue::Str(s) => format!("{s:?}"),
2199 LiteralValue::Bool(b) => b.to_string(),
2200 }
2201 }
2202}
2203
2204impl Pattern {
2205 pub fn span(&self) -> Span {
2206 match self {
2207 Pattern::Wildcard(s) => *s,
2208 Pattern::Literal { span, .. } => *span,
2209 Pattern::Variant { span, .. } => *span,
2210 }
2211 }
2212}
2213
2214/// A single binding inside a variant pattern. Two surface forms:
2215/// `name` (positional — bind the i-th payload field) and
2216/// `fieldName: bindName` (named — bind the named payload field).
2217/// Both forms also accept `_` as the bind name to discard.
2218#[derive(Debug, Clone)]
2219pub struct PatternBinding {
2220 /// Source form: positional or named.
2221 pub kind: PatternBindingKind,
2222 pub span: Span,
2223}
2224
2225#[derive(Debug, Clone)]
2226pub enum PatternBindingKind {
2227 /// `name` (or `_`): bind the payload field at this position to `name`.
2228 Positional { name: Ident },
2229 /// `field: name` (or `field: _`): bind the named payload field to `name`.
2230 Named { field: Ident, name: Ident },
2231}
2232
2233impl PatternBinding {
2234 /// The local name introduced by this binding (used for scope).
2235 /// `_` is a sentinel for "no binding"; callers should compare against it.
2236 pub fn local_name(&self) -> &Ident {
2237 match &self.kind {
2238 PatternBindingKind::Positional { name } => name,
2239 PatternBindingKind::Named { name, .. } => name,
2240 }
2241 }
2242
2243 pub fn is_wildcard(&self) -> bool {
2244 self.local_name().name == "_"
2245 }
2246}
2247
2248#[derive(Debug, Clone, Copy, PartialEq, Eq)]
2249pub enum BinOp {
2250 /// `P implies Q` — logical implication (v0.80). Desugars to `!P || Q`; sits
2251 /// at the lowest precedence (below `||`). Reads directionally (P → Q).
2252 Implies,
2253 Or,
2254 And,
2255 Eq,
2256 NotEq,
2257 Lt,
2258 LtEq,
2259 Gt,
2260 GtEq,
2261 Add,
2262 Sub,
2263 Mul,
2264 Div,
2265}
2266
2267impl BinOp {
2268 pub fn name(self) -> &'static str {
2269 match self {
2270 BinOp::Implies => "implies",
2271 BinOp::Or => "||",
2272 BinOp::And => "&&",
2273 BinOp::Eq => "==",
2274 BinOp::NotEq => "!=",
2275 BinOp::Lt => "<",
2276 BinOp::LtEq => "<=",
2277 BinOp::Gt => ">",
2278 BinOp::GtEq => ">=",
2279 BinOp::Add => "+",
2280 BinOp::Sub => "-",
2281 BinOp::Mul => "*",
2282 BinOp::Div => "/",
2283 }
2284 }
2285}
2286
2287#[derive(Debug, Clone, Copy, PartialEq, Eq)]
2288pub enum UnaryOp {
2289 Neg,
2290 Not,
2291}
2292
2293impl UnaryOp {
2294 pub fn name(self) -> &'static str {
2295 match self {
2296 UnaryOp::Neg => "-",
2297 UnaryOp::Not => "!",
2298 }
2299 }
2300}