axon-lang 1.38.5

AXON v1.5.1 — first crates.io publication of the AXON language full-stack runtime. Lexer/parser/type-checker/IR generator (re-exported from axon-frontend) plus the native Rust runtime: typed channels (TypedEventBus with QoS×5, π-calculus mobility, capability extrusion via shield D8 — Fase 13.f.2), Free Monad CPS handlers (Fase 2), lease kernel + reconcile loop (Fase 3+5), Epistemic Security Kernel (ESK Fase 6), Trust Types + ReplayLog (Fase 11.a+11.c), Stateful PEM over WebSocket (Fase 11.d), Ontological Tool Synthesis (Fase 11.e), Mobile Typed Channels (Fase 13). Crate publishes as `axon-lang` to mirror the Python PyPI package; library import remains `use axon::*` so existing call sites keep working unchanged.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250

//! WebSocket binary-frame accumulator.
//!
//! §λ-L-E Fase 11.b. WebSocket spec (RFC 6455) allows a message to
//! be split across multiple frames:
//!
//! - Frame #1: opcode=0x2 (binary), FIN=0
//! - Frame #2..N: opcode=0x0 (continuation), FIN=0
//! - Final frame: opcode=0x0 (continuation), FIN=1
//!
//! The accumulator stitches fragments into a single contiguous
//! [`crate::buffer::ZeroCopyBuffer`] without copying the payload
//! across frames — bytes land directly in a [`BufferMut`] and
//! freeze when FIN arrives.
//!
//! The accumulator is frame-shape-agnostic (it doesn't parse the WS
//! frame header; the transport layer does that). Callers hand us
//! already-unmasked payload bytes plus the `is_final` flag.

use crate::buffer::{BufferKind, BufferMut, ZeroCopyBuffer};

#[derive(Debug)]
pub enum WsBinaryError {
    /// A continuation frame arrived without a preceding non-FIN
    /// binary opener.
    OrphanContinuation,
    /// Accumulated payload exceeded the configured ceiling.
    MessageTooLarge {
        limit: usize,
    },
}

impl std::fmt::Display for WsBinaryError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::OrphanContinuation => {
                write!(f, "continuation frame without opener")
            }
            Self::MessageTooLarge { limit } => {
                write!(f, "binary message exceeded {limit} bytes")
            }
        }
    }
}

impl std::error::Error for WsBinaryError {}

/// Per-accumulator configuration.
#[derive(Debug, Clone)]
pub struct WsBinaryLimits {
    pub max_message_bytes: usize,
}

impl Default for WsBinaryLimits {
    fn default() -> Self {
        // 128 MiB default — large enough for a short video clip,
        // small enough to catch runaway producers. Adopters override
        // for long-lived ingest of multi-GiB streams.
        WsBinaryLimits {
            max_message_bytes: 128 * 1024 * 1024,
        }
    }
}

/// Per-connection accumulator. Consume it across frames of a single
/// connection; reset via [`WsBinaryAccumulator::reset`] if the
/// connection cycles.
pub struct WsBinaryAccumulator {
    buffer: Option<BufferMut>,
    kind: BufferKind,
    limits: WsBinaryLimits,
    tenant_id: Option<String>,
}

impl WsBinaryAccumulator {
    pub fn new(kind: BufferKind, limits: WsBinaryLimits) -> Self {
        WsBinaryAccumulator {
            buffer: None,
            kind,
            limits,
            tenant_id: None,
        }
    }

    pub fn with_tenant(mut self, tenant_id: impl Into<String>) -> Self {
        self.tenant_id = Some(tenant_id.into());
        self
    }

    /// Start (or continue) a message. `opcode` is 0x2 for a fresh
    /// binary message and 0x0 for a continuation. `is_final` is the
    /// FIN flag from the frame header.
    ///
    /// Returns `Some(buffer)` at end-of-message, `None` while
    /// accumulating.
    pub fn feed(
        &mut self,
        opcode: u8,
        is_final: bool,
        payload: &[u8],
    ) -> Result<Option<ZeroCopyBuffer>, WsBinaryError> {
        match opcode {
            0x2 => {
                // Opener. Any previous incomplete buffer is
                // overwritten — the spec forbids interleaved
                // messages but we tolerate it by discarding the
                // partial.
                let mut body = BufferMut::with_capacity(
                    payload.len().max(4 * 1024),
                    self.kind.clone(),
                );
                if let Some(tenant) = &self.tenant_id {
                    body = body.with_tenant(tenant.as_str());
                }
                if payload.len() > self.limits.max_message_bytes {
                    return Err(WsBinaryError::MessageTooLarge {
                        limit: self.limits.max_message_bytes,
                    });
                }
                body.extend_from_slice(payload);
                self.buffer = Some(body);
            }
            0x0 => {
                // Continuation.
                let Some(buf) = self.buffer.as_mut() else {
                    return Err(WsBinaryError::OrphanContinuation);
                };
                if buf.len() + payload.len() > self.limits.max_message_bytes {
                    return Err(WsBinaryError::MessageTooLarge {
                        limit: self.limits.max_message_bytes,
                    });
                }
                buf.extend_from_slice(payload);
            }
            _ => {
                // Any other opcode (text, control) is out of scope
                // for this accumulator — the transport handles it.
                return Ok(None);
            }
        }

        if is_final {
            let body = self.buffer.take().expect("buffer present in final frame");
            Ok(Some(body.freeze()))
        } else {
            Ok(None)
        }
    }

    pub fn reset(&mut self) {
        self.buffer = None;
    }

    /// Observability — bytes accumulated so far (0 when idle).
    pub fn pending_bytes(&self) -> usize {
        self.buffer.as_ref().map(|b| b.len()).unwrap_or(0)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn single_frame_message() {
        let mut acc = WsBinaryAccumulator::new(
            BufferKind::pcm16(),
            WsBinaryLimits::default(),
        );
        let result = acc
            .feed(0x2, true, b"hello")
            .unwrap()
            .expect("buffer");
        assert_eq!(result.as_slice(), b"hello");
        assert_eq!(result.kind().slug(), "pcm16");
    }

    #[test]
    fn fragmented_message_is_stitched() {
        let mut acc = WsBinaryAccumulator::new(
            BufferKind::raw(),
            WsBinaryLimits::default(),
        );
        assert!(acc.feed(0x2, false, b"he").unwrap().is_none());
        assert!(acc.feed(0x0, false, b"ll").unwrap().is_none());
        let end = acc
            .feed(0x0, true, b"o")
            .unwrap()
            .expect("buffer on FIN");
        assert_eq!(end.as_slice(), b"hello");
    }

    #[test]
    fn orphan_continuation_errors() {
        let mut acc = WsBinaryAccumulator::new(
            BufferKind::raw(),
            WsBinaryLimits::default(),
        );
        let err = acc.feed(0x0, true, b"x").unwrap_err();
        matches!(err, WsBinaryError::OrphanContinuation);
    }

    #[test]
    fn message_too_large_errors() {
        let mut acc = WsBinaryAccumulator::new(
            BufferKind::raw(),
            WsBinaryLimits {
                max_message_bytes: 4,
            },
        );
        let err = acc.feed(0x2, true, b"too-big").unwrap_err();
        matches!(err, WsBinaryError::MessageTooLarge { .. });
    }

    #[test]
    fn partial_then_oversize_errors_on_second_frame() {
        let mut acc = WsBinaryAccumulator::new(
            BufferKind::raw(),
            WsBinaryLimits {
                max_message_bytes: 4,
            },
        );
        assert!(acc.feed(0x2, false, b"ok").unwrap().is_none());
        let err = acc.feed(0x0, true, b"xxxx").unwrap_err();
        matches!(err, WsBinaryError::MessageTooLarge { .. });
    }

    #[test]
    fn tenant_tag_propagates_into_buffer() {
        let mut acc = WsBinaryAccumulator::new(
            BufferKind::raw(),
            WsBinaryLimits::default(),
        )
        .with_tenant("alpha");
        let out = acc
            .feed(0x2, true, b"payload")
            .unwrap()
            .expect("buffer");
        assert_eq!(out.tenant_id(), Some("alpha"));
    }

    #[test]
    fn control_opcode_is_ignored() {
        let mut acc = WsBinaryAccumulator::new(
            BufferKind::raw(),
            WsBinaryLimits::default(),
        );
        // 0x9 = ping — not our concern.
        assert!(acc.feed(0x9, true, b"ping").unwrap().is_none());
    }
}