telltale-runtime 17.0.0

Choreographic programming for Telltale - effect-based distributed protocols
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172

//! Machine-checkable handler contract ledger for the algebraic-effects boundary.
//!
//! This module is the contract document for `ChoreoHandler` and runtime extension
//! dispatch. It separates:
//!
//! - protocol semantics that every conforming handler must preserve
//! - transport policy choices that handlers are still free to choose
//!
//! The contract is intentionally narrow. It does not try to prove arbitrary
//! handlers correct. Instead, it gives every important runtime handler a
//! structured profile that tests and CI can validate mechanically.

use thiserror::Error;

/// Broad classification of what kind of behavioral surface a handler exposes.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum HandlerContractTier {
    /// A handler that can execute the full typed protocol surface.
    FullProtocol,
    /// A harness that is intentionally observational or partial.
    ObservationalHarness,
}

/// Delivery substrate chosen by a handler implementation.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DeliveryModel {
    InMemoryChannels,
    ScriptedHarness,
    SessionBoundary,
    NoTransport,
}

/// How retries are introduced.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum RetryPolicy {
    None,
    ExternalMiddleware,
}

/// How timeouts are enforced.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TimeoutPolicy {
    EnforcingRoleOnly,
    PassThrough,
}

/// Extension dispatch support model.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ExtensionDispatchMode {
    Unsupported,
    RegisteredOnlyTypeExact,
}

/// Semantic obligations of a `ChoreoHandler`.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ProtocolSemanticContract {
    pub typed_send_recv_roundtrip: bool,
    pub exact_choice_label_preservation: bool,
    pub fail_closed_transport_errors: bool,
    pub timeouts_scoped_to_enforcing_role: bool,
    pub deterministic_for_regression: bool,
    pub can_materialize_values: bool,
}

/// Transport-policy choices a handler is allowed to vary.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TransportPolicyContract {
    pub delivery_model: DeliveryModel,
    pub retry_policy: RetryPolicy,
    pub timeout_policy: TimeoutPolicy,
}

/// Contract for runtime extension dispatch.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ExtensionDispatchContract {
    pub mode: ExtensionDispatchMode,
    pub fail_closed_when_unregistered: bool,
    pub type_exact_before_side_effects: bool,
}

/// Complete machine-checkable profile for a handler family.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct HandlerContractProfile {
    pub handler_name: &'static str,
    pub tier: HandlerContractTier,
    pub semantics: ProtocolSemanticContract,
    pub transport: TransportPolicyContract,
    pub extension_dispatch: ExtensionDispatchContract,
    pub notes: Vec<&'static str>,
}

/// Contract profile must be internally consistent before tests can trust it.
#[derive(Debug, Error, PartialEq, Eq)]
pub enum HandlerContractViolation {
    #[error("full-protocol handlers must preserve typed send/recv round trips")]
    MissingTypedRoundtrip,
    #[error("full-protocol handlers must preserve exact choice labels")]
    MissingChoicePreservation,
    #[error("full-protocol handlers must fail closed on transport/dispatch errors")]
    MissingFailClosedErrors,
    #[error("full-protocol handlers must be able to materialize values")]
    MissingValueMaterialization,
    #[error("timeout policy says enforcing-role only, but semantics do not")]
    TimeoutPolicyMismatch,
    #[error("observational harnesses must be deterministic for regression use")]
    NonDeterministicHarness,
    #[error("registered extension dispatch must fail closed when unregistered")]
    NonFailClosedExtensionDispatch,
    #[error("registered extension dispatch must validate type before side effects")]
    NonExactExtensionDispatch,
}

/// Trait implemented by handlers that document their runtime contract.
pub trait DocumentedHandlerContract {
    fn contract_profile() -> HandlerContractProfile
    where
        Self: Sized;
}

/// Validate that a documented profile is self-consistent.
pub fn validate_handler_contract_profile(
    profile: &HandlerContractProfile,
) -> Result<(), HandlerContractViolation> {
    if profile.transport.timeout_policy == TimeoutPolicy::EnforcingRoleOnly
        && !profile.semantics.timeouts_scoped_to_enforcing_role
    {
        return Err(HandlerContractViolation::TimeoutPolicyMismatch);
    }

    match profile.tier {
        HandlerContractTier::FullProtocol => {
            if !profile.semantics.typed_send_recv_roundtrip {
                return Err(HandlerContractViolation::MissingTypedRoundtrip);
            }
            if !profile.semantics.exact_choice_label_preservation {
                return Err(HandlerContractViolation::MissingChoicePreservation);
            }
            if !profile.semantics.fail_closed_transport_errors {
                return Err(HandlerContractViolation::MissingFailClosedErrors);
            }
            if !profile.semantics.can_materialize_values {
                return Err(HandlerContractViolation::MissingValueMaterialization);
            }
        }
        HandlerContractTier::ObservationalHarness => {
            if !profile.semantics.deterministic_for_regression {
                return Err(HandlerContractViolation::NonDeterministicHarness);
            }
        }
    }

    if profile.extension_dispatch.mode == ExtensionDispatchMode::RegisteredOnlyTypeExact {
        if !profile.extension_dispatch.fail_closed_when_unregistered {
            return Err(HandlerContractViolation::NonFailClosedExtensionDispatch);
        }
        if !profile.extension_dispatch.type_exact_before_side_effects {
            return Err(HandlerContractViolation::NonExactExtensionDispatch);
        }
    }

    Ok(())
}

/// Convenience helper for compile-time discoverable handler profile checks.
pub fn validated_contract_profile<H>() -> Result<HandlerContractProfile, HandlerContractViolation>
where
    H: DocumentedHandlerContract,
{
    let profile = H::contract_profile();
    validate_handler_contract_profile(&profile)?;
    Ok(profile)
}