heddle-objects 0.3.1

An AI-native version control system
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337

// SPDX-License-Identifier: Apache-2.0
//! Typed risk signals computed against a state and persisted alongside it.
//!
//! Computation is pure (`(prior_state, new_state, repo_config) -> Vec<RiskSignal>`)
//! and lives in `crates/state_review/`. This module owns only the shape: what
//! a signal is, how it serializes on disk, and the validation rules.
//!
//! The full set of fired signals is stored on the state. Tick budgeting (which
//! signals to surface in the review UI) happens at render time and is never
//! baked into storage — see [`state_review::budget`].
//!
//! Wire encoding: rmp-serde MessagePack. Format version is `1`. New optional
//! fields are appended at the tail of [`RiskSignal`] with `#[serde(default)]`,
//! matching the convention used elsewhere in the object model.

use serde::{Deserialize, Serialize};

use crate::object::hash::ChangeId;

/// Maximum length of [`RiskSignal::reason`], in bytes.
///
/// The reason is meant to be a single sentence, surfaced in tight gutter UI.
/// Keeping the cap at 200 forces producers to be specific and prevents the
/// review payload from ballooning when many signals fire.
pub const MAX_REASON_LEN: usize = 200;

/// Top-level encoded blob. Stored under a [`ContentHash`] referenced from
/// [`State::risk_signals`]. A blob with `format_version > FORMAT_VERSION` is
/// rejected; older versions are read with the missing-field defaults.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct RiskSignalBlob {
    pub format_version: u8,
    pub signals: Vec<RiskSignal>,
}

versioned_msgpack_blob! {
    blob: RiskSignalBlob,
    item: RiskSignal,
    field: signals,
    error: RiskSignalError,
    codec_err: Encoding,
    version: 1,
}

#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct RiskSignal {
    pub kind: RiskSignalKind,
    pub anchor: SignalAnchor,
    pub reason: String,
    pub producer: ProducerId,
    /// Unix epoch seconds.
    pub computed_at: i64,
    /// Optional state this signal was computed against. Useful for retracing
    /// when a signal moves between renders (e.g., anchor travel after a
    /// rename).
    #[serde(default)]
    pub computed_against: Option<ChangeId>,
}

impl RiskSignal {
    pub fn validate(&self) -> Result<(), RiskSignalError> {
        if self.reason.is_empty() {
            return Err(RiskSignalError::EmptyReason);
        }
        if self.reason.len() > MAX_REASON_LEN {
            return Err(RiskSignalError::ReasonTooLong {
                len: self.reason.len(),
                max: MAX_REASON_LEN,
            });
        }
        self.anchor.validate()?;
        self.producer.validate()?;
        Ok(())
    }

    /// Stable canonical anchor string used to group signals on the same anchor
    /// during render-time budgeting. The format is intentionally simple so
    /// budgeting comparisons are cheap and order-independent.
    pub fn anchor_key(&self) -> String {
        self.anchor.canonical()
    }
}

/// Why a signal fired. Variants are wire-stable; new variants are appended.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum RiskSignalKind {
    /// New control-flow shape that doesn't appear elsewhere in the repo.
    Novelty,
    /// No test in the repo statically reaches the changed symbol.
    /// Reasoning text *must* clarify this is static reachability via
    /// tree-sitter, not runtime coverage.
    TestReachability,
    /// New code structurally diverges from local exemplars (sibling
    /// functions or the prior version of the same symbol).
    PatternDeviation,
    /// An invariant or `enforces`-tagged annotation lives on the changed
    /// symbol.
    InvariantAdjacency,
    /// Agent flagged uncertainty about its own output. Passthrough from
    /// the captured state's provenance.
    SelfFlaggedUncertainty,
}

impl RiskSignalKind {
    pub fn as_str(&self) -> &'static str {
        match self {
            Self::Novelty => "novelty",
            Self::TestReachability => "test_reachability",
            Self::PatternDeviation => "pattern_deviation",
            Self::InvariantAdjacency => "invariant_adjacency",
            Self::SelfFlaggedUncertainty => "self_flagged_uncertainty",
        }
    }

    /// Render-time priority. Lower numbers surface first when budgeting.
    /// See `state_review::budget` for the full algorithm.
    ///
    /// The order is load-bearing: changing it changes which signals reviewers
    /// see first when many fire on the same state. If you bump these numbers,
    /// update the budgeting test goldens too.
    pub fn priority_rank(&self) -> u8 {
        match self {
            Self::InvariantAdjacency => 0,
            Self::SelfFlaggedUncertainty => 1,
            Self::PatternDeviation => 2,
            Self::Novelty => 3,
            Self::TestReachability => 4,
        }
    }
}

/// Where in the change a signal fires. Symbol-level is preferred — symbols
/// are durable across renames; line ranges are computed at fire time and
/// drift as code is reformatted.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct SignalAnchor {
    pub file: String,
    #[serde(default)]
    pub symbol: Option<String>,
    #[serde(default)]
    pub line_range: Option<(u32, u32)>,
}

impl SignalAnchor {
    pub fn file(file: impl Into<String>) -> Self {
        Self {
            file: file.into(),
            symbol: None,
            line_range: None,
        }
    }

    pub fn symbol(file: impl Into<String>, symbol: impl Into<String>) -> Self {
        Self {
            file: file.into(),
            symbol: Some(symbol.into()),
            line_range: None,
        }
    }

    pub fn with_line_range(mut self, start: u32, end: u32) -> Self {
        self.line_range = Some((start, end));
        self
    }

    pub fn validate(&self) -> Result<(), RiskSignalError> {
        if self.file.is_empty() {
            return Err(RiskSignalError::EmptyAnchorFile);
        }
        if let Some((start, end)) = self.line_range
            && start > end
        {
            return Err(RiskSignalError::InvalidLineRange(start, end));
        }
        Ok(())
    }

    /// Stable canonical form `<file>[:symbol][:start-end]` for grouping.
    pub fn canonical(&self) -> String {
        let mut s = self.file.clone();
        if let Some(symbol) = &self.symbol {
            s.push(':');
            s.push_str(symbol);
        }
        if let Some((start, end)) = self.line_range {
            s.push(':');
            s.push_str(&format!("{start}-{end}"));
        }
        s
    }
}

/// Identifies the producer that fired this signal. The `version` lets
/// budgeting and signal-health surfaces age out signals from old producer
/// versions without re-running computation — important when we tune a
/// producer's heuristics and want to compare apples to apples.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct ProducerId {
    pub module: String,
    pub version: u32,
}

impl ProducerId {
    pub fn new(module: impl Into<String>, version: u32) -> Self {
        Self {
            module: module.into(),
            version,
        }
    }

    pub fn validate(&self) -> Result<(), RiskSignalError> {
        if self.module.is_empty() {
            return Err(RiskSignalError::EmptyProducerModule);
        }
        Ok(())
    }
}

#[derive(Debug, thiserror::Error)]
pub enum RiskSignalError {
    #[error("unsupported risk signal blob version {0}")]
    UnsupportedVersion(u8),
    #[error("risk signal reason must not be empty")]
    EmptyReason,
    #[error("risk signal reason too long ({len} bytes, max {max})")]
    ReasonTooLong { len: usize, max: usize },
    #[error("risk signal anchor must reference a non-empty file")]
    EmptyAnchorFile,
    #[error("risk signal line range start {0} exceeds end {1}")]
    InvalidLineRange(u32, u32),
    #[error("risk signal producer module must not be empty")]
    EmptyProducerModule,
    #[error("risk signal blob encoding error: {0}")]
    Encoding(String),
}

#[cfg(test)]
mod tests {
    use super::*;

    fn sample_signal(kind: RiskSignalKind, file: &str, sym: &str) -> RiskSignal {
        RiskSignal {
            kind,
            anchor: SignalAnchor::symbol(file, sym),
            reason: "structural divergence from sibling implementations".into(),
            producer: ProducerId::new("pattern_deviation", 1),
            computed_at: 1_700_000_000,
            computed_against: None,
        }
    }

    #[test]
    fn empty_reason_is_rejected() {
        let mut sig = sample_signal(RiskSignalKind::Novelty, "src/lib.rs", "foo");
        sig.reason = String::new();
        assert!(matches!(sig.validate(), Err(RiskSignalError::EmptyReason)));
    }

    #[test]
    fn over_long_reason_is_rejected() {
        let mut sig = sample_signal(RiskSignalKind::Novelty, "src/lib.rs", "foo");
        sig.reason = "x".repeat(MAX_REASON_LEN + 1);
        assert!(matches!(
            sig.validate(),
            Err(RiskSignalError::ReasonTooLong { .. })
        ));
    }

    #[test]
    fn minimum_anchor_validates() {
        let sig = sample_signal(RiskSignalKind::TestReachability, "src/lib.rs", "bar");
        sig.validate().unwrap();
    }

    #[test]
    fn anchor_canonical_is_stable() {
        let a = SignalAnchor::symbol("src/lib.rs", "foo").with_line_range(10, 12);
        let b = SignalAnchor::symbol("src/lib.rs", "foo").with_line_range(10, 12);
        assert_eq!(a.canonical(), b.canonical());
        assert_eq!(a.canonical(), "src/lib.rs:foo:10-12");
    }

    #[test]
    fn priority_order_matches_spec() {
        assert!(
            RiskSignalKind::InvariantAdjacency.priority_rank()
                < RiskSignalKind::SelfFlaggedUncertainty.priority_rank()
        );
        assert!(
            RiskSignalKind::SelfFlaggedUncertainty.priority_rank()
                < RiskSignalKind::PatternDeviation.priority_rank()
        );
        assert!(
            RiskSignalKind::PatternDeviation.priority_rank()
                < RiskSignalKind::Novelty.priority_rank()
        );
        assert!(
            RiskSignalKind::Novelty.priority_rank()
                < RiskSignalKind::TestReachability.priority_rank()
        );
    }

    #[test]
    fn blob_encode_decode_roundtrips() {
        let blob = RiskSignalBlob::new(vec![sample_signal(
            RiskSignalKind::Novelty,
            "src/lib.rs",
            "foo",
        )]);
        let bytes = blob.encode().unwrap();
        let decoded = RiskSignalBlob::decode(&bytes).unwrap();
        assert_eq!(blob, decoded);
    }

    #[test]
    fn future_version_is_rejected() {
        let blob = RiskSignalBlob {
            format_version: RiskSignalBlob::FORMAT_VERSION + 1,
            signals: vec![],
        };
        assert!(matches!(
            blob.validate(),
            Err(RiskSignalError::UnsupportedVersion(_))
        ));
    }

    #[test]
    fn empty_producer_module_rejected() {
        let mut sig = sample_signal(RiskSignalKind::Novelty, "src/lib.rs", "foo");
        sig.producer.module = String::new();
        assert!(matches!(
            sig.validate(),
            Err(RiskSignalError::EmptyProducerModule)
        ));
    }
}