telltale-runtime 17.0.0

Choreographic programming for Telltale - effect-based distributed protocols
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149

//! Machine-checkable transport contract ledger for the topology/transport boundary.
//!
//! This mirrors the handler-contract surface for first-party transports. It
//! separates:
//!
//! - semantic obligations required for the verified runtime guarantees
//! - operational choices that transports may vary while still preserving those
//!   obligations
//!
//! Third-party transports can still implement [`Transport`] without
//! participating in this ledger, but they remain outside the first-party
//! verified claim unless they separately satisfy and document the same
//! contract.

use thiserror::Error;

use super::TransportType;

/// Broad classification of what kind of transport surface is being documented.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TransportContractTier {
    /// A first-party transport used by shipped runtime paths.
    FirstPartyRuntime,
    /// A deterministic harness transport intended for testing/regression.
    ObservationalHarness,
}

/// How a transport becomes ready for message exchange.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TransportStartupMode {
    /// Ready immediately after construction.
    ReadyOnCreate,
    /// Starts itself in the background before first use.
    BackgroundWarmup,
    /// Requires an explicit `start()` call by the embedding code.
    ExplicitStart,
}

/// Semantic obligations of a first-party transport.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TransportSemanticContract {
    pub role_addressed_routing: bool,
    pub authenticated_peers: bool,
    pub per_peer_fifo_delivery: bool,
    pub fail_closed_unknown_role: bool,
    pub no_message_synthesis: bool,
    pub explicit_readiness_errors: bool,
    pub deterministic_for_regression: bool,
}

/// Operational choices that may vary while preserving the semantic contract.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TransportOperationalContract {
    pub transport_type: TransportType,
    pub startup_mode: TransportStartupMode,
    pub environment_resolved: bool,
}

/// Complete machine-checkable profile for a transport family.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TransportContractProfile {
    pub transport_name: &'static str,
    pub tier: TransportContractTier,
    pub semantics: TransportSemanticContract,
    pub operational: TransportOperationalContract,
    pub notes: Vec<&'static str>,
}

/// Profile consistency errors.
#[derive(Debug, Error, PartialEq, Eq)]
pub enum TransportContractViolation {
    #[error("first-party transports must route by role")]
    MissingRoleRouting,
    #[error("first-party transports must preserve per-peer FIFO delivery")]
    MissingPerPeerFifo,
    #[error("network transports must document whether peers are authenticated")]
    MissingPeerAuthenticationDisclosure,
    #[error("first-party transports must fail closed for unknown roles")]
    MissingFailClosedUnknownRole,
    #[error("first-party transports must not synthesize messages")]
    MessageSynthesisAllowed,
    #[error("background or explicit-start transports must expose readiness failures")]
    MissingReadinessErrors,
    #[error("observational harness transports must be deterministic for regression use")]
    NonDeterministicHarness,
}

/// Trait implemented by first-party transports that document their contract.
pub trait DocumentedTransportContract {
    fn contract_profile() -> TransportContractProfile
    where
        Self: Sized;
}

/// Validate that a transport profile is internally consistent.
pub fn validate_transport_contract_profile(
    profile: &TransportContractProfile,
) -> Result<(), TransportContractViolation> {
    match profile.tier {
        TransportContractTier::FirstPartyRuntime => {
            if !profile.semantics.role_addressed_routing {
                return Err(TransportContractViolation::MissingRoleRouting);
            }
            if !profile.semantics.per_peer_fifo_delivery {
                return Err(TransportContractViolation::MissingPerPeerFifo);
            }
            if !profile.semantics.fail_closed_unknown_role {
                return Err(TransportContractViolation::MissingFailClosedUnknownRole);
            }
            if !profile.semantics.no_message_synthesis {
                return Err(TransportContractViolation::MessageSynthesisAllowed);
            }
            if matches!(profile.operational.transport_type, TransportType::Tcp)
                && !profile
                    .notes
                    .iter()
                    .any(|note| note.contains("authenticated") || note.contains("trusted-network"))
            {
                return Err(TransportContractViolation::MissingPeerAuthenticationDisclosure);
            }
        }
        TransportContractTier::ObservationalHarness => {
            if !profile.semantics.deterministic_for_regression {
                return Err(TransportContractViolation::NonDeterministicHarness);
            }
        }
    }

    if matches!(
        profile.operational.startup_mode,
        TransportStartupMode::BackgroundWarmup | TransportStartupMode::ExplicitStart
    ) && !profile.semantics.explicit_readiness_errors
    {
        return Err(TransportContractViolation::MissingReadinessErrors);
    }

    Ok(())
}

/// Convenience helper for compile-time discoverable transport profile checks.
pub fn validated_transport_contract_profile<T>(
) -> Result<TransportContractProfile, TransportContractViolation>
where
    T: DocumentedTransportContract,
{
    let profile = T::contract_profile();
    validate_transport_contract_profile(&profile)?;
    Ok(profile)
}