batpak 0.8.0

Event sourcing with causal graphs and caller-defined gates. Sync API, no async runtime.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226

use crate::event::EventKind;
use serde::{Deserialize, Serialize};
use std::fmt;

/// Denial: returned by a Gate when it rejects a proposal.
/// Separate from OutcomeError. Library does NOT auto-store denials.
/// Products decide whether to persist denials as events.

#[derive(Clone, Debug, PartialEq, Serialize)]
// NOTE: Denial does NOT derive Deserialize. The gate field is &'static str which
// cannot be deserialized from owned data (no 'static lifetime at deser time).
// The library never persists Denials — it returns them to callers.
// Products that want to persist denials serialize them into event payloads.
pub struct Denial {
    /// Name of the gate that issued this denial.
    pub gate: &'static str,
    /// Machine-readable error code for this denial.
    pub code: String,
    /// Human-readable description of why the proposal was denied.
    pub message: String,
    /// Key-value pairs providing additional context about the denial.
    pub context: Vec<(String, String)>,
}

impl Denial {
    /// Creates a new `Denial` from the gate name and a human-readable message.
    pub fn new(gate: &'static str, message: impl Into<String>) -> Self {
        Self {
            gate,
            code: String::new(),
            message: message.into(),
            context: vec![],
        }
    }

    /// Attaches a machine-readable error code to this denial.
    pub fn with_code(mut self, code: impl Into<String>) -> Self {
        self.code = code.into();
        self
    }

    /// Appends a key-value pair to the denial's context metadata.
    pub fn with_context(mut self, key: impl Into<String>, value: impl Into<String>) -> Self {
        self.context.push((key.into(), value.into()));
        self
    }
}

impl fmt::Display for Denial {
    /// "\[gate\] message"
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "[{}] {}", self.gate, self.message)
    }
}
impl std::error::Error for Denial {}

/// Persistable gate identifier for denial tracing.
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize)]
pub struct GateId(String);

/// Validation failure for [`GateId`].
#[derive(Clone, Debug, PartialEq, Eq)]
#[non_exhaustive]
pub enum GateIdError {
    /// Gate identifiers must not be empty.
    Empty,
    /// Gate identifiers must be ASCII.
    NonAscii,
}

impl GateId {
    /// Construct a validated gate identifier.
    ///
    /// # Errors
    /// Returns [`GateIdError`] when the identifier is empty or contains
    /// non-ASCII bytes.
    pub fn new(value: impl Into<String>) -> Result<Self, GateIdError> {
        let value = value.into();
        if value.is_empty() {
            return Err(GateIdError::Empty);
        }
        if !value.is_ascii() {
            return Err(GateIdError::NonAscii);
        }
        Ok(Self(value))
    }

    /// Construct a validated gate identifier from a gate `name()`.
    pub(crate) fn from_name(value: &str) -> Self {
        if let Ok(gate_id) = Self::new(value.to_owned()) {
            return gate_id;
        }
        debug_assert!(
            false,
            "gate names used for denial tracing must be non-empty ASCII: {value:?}"
        );
        let mut fallback = String::from("invalid:");
        for byte in value.as_bytes() {
            use std::fmt::Write as _;
            let _ = write!(&mut fallback, "{byte:02x}");
        }
        Self(fallback)
    }

    /// Borrow the gate identifier string.
    #[must_use]
    pub fn as_str(&self) -> &str {
        &self.0
    }
}

/// Persisted verdict for one gate in a denial trace.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum Verdict {
    /// Gate ran and permitted the proposal.
    Permit,
    /// Gate ran and denied the proposal.
    Deny {
        /// Machine-readable denial code.
        code: String,
        /// Human-readable denial message.
        message: String,
        /// Structured context key/value pairs attached to the denial.
        context: Vec<(String, String)>,
    },
    /// Gate was not evaluated because an earlier denial stopped the pipeline.
    Skipped,
}

/// Persisted evaluation result for one gate in a denial trace.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct GateEvaluation {
    gate_id: GateId,
    verdict: Verdict,
    evidence_hash: Option<[u8; 32]>,
}

impl GateEvaluation {
    /// Build a persisted gate evaluation.
    #[must_use]
    pub fn new(gate_id: GateId, verdict: Verdict, evidence_hash: Option<[u8; 32]>) -> Self {
        Self {
            gate_id,
            verdict,
            evidence_hash,
        }
    }

    /// Borrow the gate identifier for this evaluation.
    #[must_use]
    pub fn gate_id(&self) -> &GateId {
        &self.gate_id
    }

    /// Borrow the persisted verdict for this evaluation.
    #[must_use]
    pub fn verdict(&self) -> &Verdict {
        &self.verdict
    }

    /// Return the optional evidence hash attached to this evaluation.
    #[must_use]
    pub fn evidence_hash(&self) -> Option<[u8; 32]> {
        self.evidence_hash
    }
}

/// Persistable denial payload appended as `SYSTEM_DENIAL`.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct DenialPayload {
    evaluations: Vec<GateEvaluation>,
    pipeline_id: Option<String>,
    proposed_kind: EventKind,
    proposed_content_hash: Option<[u8; 32]>,
}

impl DenialPayload {
    pub(crate) fn new(
        evaluations: Vec<GateEvaluation>,
        pipeline_id: Option<String>,
        proposed_kind: EventKind,
        proposed_content_hash: Option<[u8; 32]>,
    ) -> Self {
        Self {
            evaluations,
            pipeline_id,
            proposed_kind,
            proposed_content_hash,
        }
    }

    /// Borrow the ordered gate evaluations captured in this denial trace.
    #[must_use]
    pub fn evaluations(&self) -> &[GateEvaluation] {
        &self.evaluations
    }

    /// Return the optional pipeline identity attached to this trace.
    #[must_use]
    pub fn pipeline_id(&self) -> Option<&str> {
        self.pipeline_id.as_deref()
    }

    /// Return the event kind that was proposed before the denial.
    #[must_use]
    pub fn proposed_kind(&self) -> EventKind {
        self.proposed_kind
    }

    /// Return the optional proposed payload hash that was evaluated.
    #[must_use]
    pub fn proposed_content_hash(&self) -> Option<[u8; 32]> {
        self.proposed_content_hash
    }
}

impl fmt::Display for GateIdError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::Empty => write!(f, "gate id cannot be empty"),
            Self::NonAscii => write!(f, "gate id must be ASCII"),
        }
    }
}

impl std::error::Error for GateIdError {}