pmcp-workbook-runtime 0.1.0

Reader-free workbook IR + deterministic executor + writer-only .xlsx renderer
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243

//! The shared version-changelog data model (Phase 13, Plan 01 — D-13/D-15).
//!
//! This model is the CONTRACT that crosses two trust boundaries:
//!
//! 1. **offline-compiler → served-binary (via bundle):** the promote step RECORDS
//!    a prev→current [`VersionChangelog`] into the bundle (D-15); the served
//!    `diff_version` MCP tool DESERIALIZES it and serves it.
//! 2. **`workbook-runtime` ↔ `workbook-compiler` (crate link boundary):** because
//!    the served binary links ONLY `workbook-runtime` (umya-free), every TYPE the
//!    `diff_version` tool reads from a bundle MUST be defined HERE — never in
//!    `workbook-compiler`. `just purity-check` (cargo-tree) enforces this.
//!
//! In particular [`ChangeClass`] lives HERE (review item 7): `OutputDelta`'s
//! `change_class` is the closed serde enum, NOT a stringly-typed label. An unknown
//! wire tag fails deserialization at the served boundary, so a forged class cannot
//! masquerade as a known routing class (T-13-19). This enum carries NO derivation
//! logic — Plan 03's `classify`/`policy` operate on the SAME enum but the
//! classification rules stay compiler-side.
//!
//! Owned-only fields; no foreign types cross the public boundary (the project's
//! owned-types-at-boundary idiom). All records derive
//! `Serialize + Deserialize + schemars::JsonSchema` (so `diff_version` can
//! advertise an output schema), following the exact derive style of
//! [`crate::manifest_model::ChangelogEntry`].

use serde::{Deserialize, Serialize};

/// The auto-derived class of a single output change (D-08). Six closed variants,
/// each mapping onto a manifest-model dimension; the offline classifier
/// (Plan 03's `classify`/`policy`) AND the served `diff_version` tool share this
/// ONE definition (review item 7).
///
/// Wire tags are kebab-case so they match the D-08 class labels
/// (`output-schema`, `governed-data`, …). The closed set is LOAD-BEARING: an
/// unknown tag fails deserialization at the served boundary (T-13-19), so a forged
/// class label can never masquerade as a known routing class.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, schemars::JsonSchema)]
#[serde(rename_all = "kebab-case")]
pub enum ChangeClass {
    /// A named output region's declared `meaning`/`unit`/`source` (provenance)
    /// changed.
    OutputSchema,
    /// A `GovernedDatum.value` changed (`manifest.governed_data`).
    GovernedData,
    /// The compiled IR (formula AST) for a region changed.
    FormulaLogic,
    /// A `Role::Input` cell was added / removed / retyped.
    InputSchema,
    /// `manifest.capability_calls` (`CapabilityDecl`) changed.
    CapabilityContract,
    /// A yellow assumption (`Role::Constant` with `source == "yellow-assumption"`)
    /// changed.
    Assumption,
}

/// The severity of an output change (D-14). Exactly TWO variants:
///
/// - [`Drift`](Severity::Drift): a pure value change with identical schema (handled
///   by the corpus / `--accept` numeric gate).
/// - [`Redefinition`](Severity::Redefinition): a change to a named output's declared
///   `meaning`/`unit`/`source` or the IDENTITY of what it computes (BA review;
///   flagged; never silently re-baselined).
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, schemars::JsonSchema)]
#[serde(rename_all = "kebab-case")]
pub enum Severity {
    /// A pure value change with identical schema.
    Drift,
    /// A schema/identity change (BA review, never silently re-baselined).
    Redefinition,
}

/// The declared metadata of a named output region at a single version: the
/// `meaning`/`unit`/`provenance` triple the redefinition predicate (D-14) compares.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, schemars::JsonSchema)]
pub struct OutputMeta {
    /// The human-readable meaning of the output region.
    pub meaning: Option<String>,
    /// The unit text (e.g. `"GBP"`, `"m2"`), when known.
    pub unit: Option<String>,
    /// The provenance/source of the output region (e.g. `"colour+guide"`).
    pub provenance: Option<String>,
}

/// One per-changed-output record (D-13). Aligns with the cargo-pmcp schema-diff
/// compare-and-summarize shape; serde-clean so the served `diff_version` tool can
/// deserialize it. `change_class` is the [`ChangeClass`] ENUM (NOT a `String`).
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, schemars::JsonSchema)]
pub struct OutputDelta {
    /// The named output region (`sheet!addr` or named-range name).
    pub region: String,
    /// The auto-derived change class (from the shared [`ChangeClass`] enum).
    pub change_class: ChangeClass,
    /// The region metadata at the previous version.
    pub old: OutputMeta,
    /// The region metadata at the current version.
    pub new: OutputMeta,
    /// Whether the change is a drift or a redefinition.
    pub severity: Severity,
}

/// The top-level recorded changelog (D-15): the prev→current transition the promote
/// step records into the bundle and the served `diff_version` tool serves. No
/// multiple bundle versions are kept loaded at runtime — this single recorded
/// changelog is the served artifact.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, schemars::JsonSchema)]
pub struct VersionChangelog {
    /// The version this changelog transitions FROM.
    pub from_version: String,
    /// The version this changelog transitions TO.
    pub to_version: String,
    /// The per-changed-output records.
    pub deltas: Vec<OutputDelta>,
    /// A human-readable summary of the transition (D-13).
    pub summary: String,
}

#[cfg(test)]
mod tests {
    use super::*;

    fn sample_changelog() -> VersionChangelog {
        VersionChangelog {
            from_version: "1.0.0".to_string(),
            to_version: "1.1.0".to_string(),
            deltas: vec![
                OutputDelta {
                    region: "7_Quote!C11".to_string(),
                    change_class: ChangeClass::GovernedData,
                    old: OutputMeta {
                        meaning: Some("supply total".to_string()),
                        unit: Some("GBP".to_string()),
                        provenance: Some("colour+guide".to_string()),
                    },
                    new: OutputMeta {
                        meaning: Some("supply total".to_string()),
                        unit: Some("GBP".to_string()),
                        provenance: Some("colour+guide".to_string()),
                    },
                    severity: Severity::Drift,
                },
                OutputDelta {
                    region: "7_Quote!C12".to_string(),
                    change_class: ChangeClass::OutputSchema,
                    old: OutputMeta {
                        meaning: Some("install total".to_string()),
                        unit: Some("GBP".to_string()),
                        provenance: None,
                    },
                    new: OutputMeta {
                        meaning: Some("install total (inc VAT)".to_string()),
                        unit: Some("GBP".to_string()),
                        provenance: Some("colour+guide".to_string()),
                    },
                    severity: Severity::Redefinition,
                },
            ],
            summary: "1 drift, 1 redefinition".to_string(),
        }
    }

    /// Locks the serde JSON round-trip (serialize → deserialize → equality),
    /// mirroring the `ir_round_trip`-style shape locking.
    #[test]
    fn version_changelog_round_trips() {
        let original = sample_changelog();
        let json = serde_json::to_string_pretty(&original).expect("serialize");
        let restored: VersionChangelog = serde_json::from_str(&json).expect("deserialize");
        assert_eq!(original, restored);
    }

    /// `OutputDelta` deserializes from a hand-written JSON fixture — proving the
    /// served `diff_version` tool can read a recorded changelog member, and that
    /// `change_class` is the kebab-case enum tag (NOT a free-form string).
    #[test]
    fn output_delta_deserializes_from_fixture() {
        let fixture = r#"{
            "region": "7_Quote!C11",
            "change_class": "governed-data",
            "old": { "meaning": "supply total", "unit": "GBP", "provenance": "colour+guide" },
            "new": { "meaning": "supply total", "unit": "GBP", "provenance": "colour+guide" },
            "severity": "drift"
        }"#;
        let delta: OutputDelta = serde_json::from_str(fixture).expect("deserialize fixture");
        assert_eq!(delta.region, "7_Quote!C11");
        assert_eq!(delta.change_class, ChangeClass::GovernedData);
        assert_eq!(delta.severity, Severity::Drift);
    }

    /// `Severity` serializes to EXACTLY two kebab-case wire tags: `drift` and
    /// `redefinition`. A closed two-variant set is the D-14 contract.
    #[test]
    fn severity_has_exactly_two_variants() {
        assert_eq!(
            serde_json::to_string(&Severity::Drift).expect("serialize drift"),
            "\"drift\""
        );
        assert_eq!(
            serde_json::to_string(&Severity::Redefinition).expect("serialize redefinition"),
            "\"redefinition\""
        );
        // Round-trip both variants so the closed set is locked end-to-end.
        for variant in [Severity::Drift, Severity::Redefinition] {
            let json = serde_json::to_string(&variant).expect("serialize");
            let restored: Severity = serde_json::from_str(&json).expect("deserialize");
            assert_eq!(variant, restored);
        }
    }

    /// `ChangeClass` serializes to EXACTLY six stable kebab-case wire tags
    /// (review item 7) and round-trips identically. The closed set is what makes a
    /// forged class label fail deserialization at the served boundary (T-13-19).
    #[test]
    fn change_class_has_exactly_six_variants() {
        let expected = [
            (ChangeClass::OutputSchema, "\"output-schema\""),
            (ChangeClass::GovernedData, "\"governed-data\""),
            (ChangeClass::FormulaLogic, "\"formula-logic\""),
            (ChangeClass::InputSchema, "\"input-schema\""),
            (ChangeClass::CapabilityContract, "\"capability-contract\""),
            (ChangeClass::Assumption, "\"assumption\""),
        ];
        assert_eq!(expected.len(), 6);
        for (variant, tag) in expected {
            assert_eq!(
                serde_json::to_string(&variant).expect("serialize"),
                tag,
                "wire tag for {variant:?}"
            );
            let restored: ChangeClass =
                serde_json::from_str(tag).expect("deserialize from stable tag");
            assert_eq!(variant, restored);
        }
    }

    /// An unknown `change_class` wire tag MUST fail deserialization (T-13-19): a
    /// forged class label cannot masquerade as a known routing class.
    #[test]
    fn unknown_change_class_tag_is_rejected() {
        let forged = "\"super-admin-bypass\"";
        let result: Result<ChangeClass, _> = serde_json::from_str(forged);
        assert!(result.is_err(), "unknown ChangeClass tag must be rejected");
    }
}