Skip to main content

harn_parser/
diagnostic_codes.rs

1//! Stable diagnostic code registry.
2//!
3//! Codes use `HARN-<CATEGORY>-<NNN>` identifiers so CLI output, editor
4//! diagnostics, docs, and future `harn explain` lookups can refer to one
5//! durable namespace.
6//!
7//! ```
8//! use harn_parser::diagnostic_codes::Category;
9//!
10//! let categories: Vec<_> = Category::ALL.iter().map(|category| category.as_str()).collect();
11//! assert_eq!(
12//!     categories,
13//!     [
14//!         "TYP", "PAR", "NAM", "CAP", "LLM", "ORC", "STD", "PRM",
15//!         "MOD", "RMD", "SUS", "LNT", "FMT", "IMP", "OWN", "RCV",
16//!         "MAT", "POL", "MET", "CST", "CMP",
17//!     ],
18//! );
19//! ```
20
21use std::fmt;
22use std::str::FromStr;
23
24/// Top-level diagnostic category used in a stable Harn diagnostic code.
25#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, PartialOrd, Ord)]
26pub enum Category {
27    Typ,
28    Par,
29    Nam,
30    Cap,
31    Llm,
32    Orc,
33    Std,
34    Prm,
35    Mod,
36    Rmd,
37    Sus,
38    Lnt,
39    Fmt,
40    Imp,
41    Own,
42    Rcv,
43    Mat,
44    Pol,
45    /// Meta — restrictions on what may appear in compile-time-evaluated
46    /// positions (e.g. `const` initializers). Reserved by issue #1791
47    /// (bounded const-eval).
48    Met,
49    /// Const-eval sandbox — bounded compile-time interpreter limits and
50    /// capability violations (steps, recursion depth, fs/net/env/process
51    /// denial). Reserved by issue #1791.
52    Cst,
53    /// Bytecode compilation — structural/codegen errors the type checker does
54    /// not catch but that prevent the program from running (e.g. unsupported
55    /// nested match patterns, `break` outside a loop, malformed string
56    /// interpolation). Surfaced by `harn check` as well as `harn run`.
57    Cmp,
58}
59
60impl Category {
61    pub const ALL: &'static [Category] = &[
62        Category::Typ,
63        Category::Par,
64        Category::Nam,
65        Category::Cap,
66        Category::Llm,
67        Category::Orc,
68        Category::Std,
69        Category::Prm,
70        Category::Mod,
71        Category::Rmd,
72        Category::Sus,
73        Category::Lnt,
74        Category::Fmt,
75        Category::Imp,
76        Category::Own,
77        Category::Rcv,
78        Category::Mat,
79        Category::Pol,
80        Category::Met,
81        Category::Cst,
82        Category::Cmp,
83    ];
84
85    pub const fn as_str(self) -> &'static str {
86        match self {
87            Category::Typ => "TYP",
88            Category::Par => "PAR",
89            Category::Nam => "NAM",
90            Category::Cap => "CAP",
91            Category::Llm => "LLM",
92            Category::Orc => "ORC",
93            Category::Std => "STD",
94            Category::Prm => "PRM",
95            Category::Mod => "MOD",
96            Category::Rmd => "RMD",
97            Category::Sus => "SUS",
98            Category::Lnt => "LNT",
99            Category::Fmt => "FMT",
100            Category::Imp => "IMP",
101            Category::Own => "OWN",
102            Category::Rcv => "RCV",
103            Category::Mat => "MAT",
104            Category::Pol => "POL",
105            Category::Met => "MET",
106            Category::Cst => "CST",
107            Category::Cmp => "CMP",
108        }
109    }
110}
111
112impl fmt::Display for Category {
113    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
114        f.write_str(self.as_str())
115    }
116}
117
118/// One registered diagnostic code.
119#[derive(Debug, Clone, Copy, PartialEq, Eq)]
120pub struct RegistryEntry {
121    pub code: Code,
122    pub identifier: &'static str,
123    pub category: Category,
124    pub summary: &'static str,
125}
126
127macro_rules! diagnostic_codes {
128    ($($variant:ident, $identifier:literal, $category:ident, $summary:literal;)*) => {
129        /// Stable diagnostic identifier.
130        #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, PartialOrd, Ord)]
131        pub enum Code {
132            $($variant,)*
133        }
134
135        impl Code {
136            pub const ALL: &'static [Code] = &[
137                $(Code::$variant,)*
138            ];
139
140            pub const fn as_str(self) -> &'static str {
141                match self {
142                    $(Code::$variant => $identifier,)*
143                }
144            }
145
146            pub const fn category(self) -> Category {
147                match self {
148                    $(Code::$variant => Category::$category,)*
149                }
150            }
151
152            pub const fn summary(self) -> &'static str {
153                match self {
154                    $(Code::$variant => $summary,)*
155                }
156            }
157
158            /// Full markdown explanation embedded at compile time. Every
159            /// registered code must ship a matching file under
160            /// `diagnostic_codes/explanations/`; missing files fail the build.
161            pub const fn explanation(self) -> &'static str {
162                match self {
163                    $(Code::$variant => include_str!(
164                        concat!("diagnostic_codes/explanations/", $identifier, ".md")
165                    ),)*
166                }
167            }
168        }
169
170        pub const REGISTRY: &[RegistryEntry] = &[
171            $(RegistryEntry {
172                code: Code::$variant,
173                identifier: $identifier,
174                category: Category::$category,
175                summary: $summary,
176            },)*
177        ];
178    };
179}
180
181diagnostic_codes! {
182    TypeMismatch, "HARN-TYP-001", Typ, "expected and actual types are incompatible";
183    InvalidBinaryOperator, "HARN-TYP-002", Typ, "binary operator is not defined for the operand types";
184    StringInterpolationRewrite, "HARN-TYP-003", Typ, "string concatenation should be rewritten as interpolation";
185    ReturnTypeMismatch, "HARN-TYP-004", Typ, "returned expression does not match the declared return type";
186    AssignmentTypeMismatch, "HARN-TYP-005", Typ, "assigned value does not match the target type";
187    ArgumentTypeMismatch, "HARN-TYP-006", Typ, "argument value does not match the parameter type";
188    VariableTypeMismatch, "HARN-TYP-007", Typ, "initializer does not match the declared variable type";
189    ClosureReturnTypeMismatch, "HARN-TYP-008", Typ, "closure return expression does not match its declared type";
190    FieldTypeMismatch, "HARN-TYP-009", Typ, "field value does not match its declared type";
191    MethodTypeMismatch, "HARN-TYP-010", Typ, "method receiver or result type is incompatible";
192    GenericTypeArgumentUnsupported, "HARN-TYP-011", Typ, "callable does not accept type arguments";
193    GenericTypeArgumentMismatch, "HARN-TYP-012", Typ, "type argument does not satisfy the generic parameter";
194    GenericTypeArgumentArity, "HARN-TYP-013", Typ, "generic call has the wrong number of type arguments";
195    TypeParameterArity, "HARN-TYP-014", Typ, "declaration has the wrong number of type parameters";
196    WhereConstraintMismatch, "HARN-TYP-015", Typ, "type argument does not satisfy a where-clause constraint";
197    IterableExpected, "HARN-TYP-016", Typ, "expression must be iterable";
198    InvalidIndexType, "HARN-TYP-017", Typ, "subscript index type is invalid";
199    CallableExpected, "HARN-TYP-018", Typ, "expression must be callable";
200    InvalidCast, "HARN-TYP-019", Typ, "cast cannot be proven valid";
201    UnknownTypeName, "HARN-TYP-020", Typ, "type name cannot be resolved";
202    InvalidVariantUse, "HARN-TYP-021", Typ, "variant type is used in an invalid position";
203    InvalidStructLiteral, "HARN-TYP-022", Typ, "struct literal is invalid";
204    InvalidEnumConstruct, "HARN-TYP-023", Typ, "enum construction is invalid";
205    InvalidPatternBinding, "HARN-TYP-024", Typ, "pattern binding is invalid for the expected type";
206    InvalidOptionalAccess, "HARN-TYP-025", Typ, "optional access is invalid for the receiver type";
207    ParserUnexpectedToken, "HARN-PAR-001", Par, "parser found an unexpected token";
208    ParserUnexpectedEof, "HARN-PAR-002", Par, "parser reached end of file while expecting syntax";
209    ParserUnexpectedCharacter, "HARN-PAR-003", Par, "lexer found an unexpected character";
210    ParserUnterminatedString, "HARN-PAR-004", Par, "string literal is unterminated";
211    ParserUnterminatedBlockComment, "HARN-PAR-005", Par, "block comment is unterminated";
212    ParserIntegerLiteralOutOfRange, "HARN-PAR-006", Par, "integer literal is out of range for int (i64)";
213    CompilerError, "HARN-CMP-001", Cmp, "the program failed to compile to bytecode";
214    UndefinedVariable, "HARN-NAM-001", Nam, "variable name cannot be resolved";
215    UndefinedFunction, "HARN-NAM-002", Nam, "function name cannot be resolved";
216    UnknownAttribute, "HARN-NAM-003", Nam, "attribute name is not recognized";
217    UnknownField, "HARN-NAM-004", Nam, "field name does not exist on the target type";
218    UnknownMethod, "HARN-NAM-005", Nam, "method name does not exist on the receiver type";
219    DuplicateArgument, "HARN-NAM-006", Nam, "argument name is duplicated";
220    UnknownOption, "HARN-NAM-007", Nam, "option key is not recognized";
221    UnknownBuiltin, "HARN-NAM-008", Nam, "builtin name cannot be resolved";
222    DeprecatedFunction, "HARN-NAM-009", Nam, "function call targets a deprecated declaration";
223    UnknownDeclaration, "HARN-NAM-010", Nam, "declaration reference cannot be resolved";
224    InvalidAttributeTarget, "HARN-NAM-011", Nam, "attribute is attached to an unsupported declaration";
225    InvalidAttributeArgument, "HARN-NAM-012", Nam, "attribute argument is invalid";
226    InvalidMainSignature, "HARN-NAM-101", Nam, "`main` entrypoint must take a single `harness: Harness` parameter";
227    CapabilityPayloadInvalid, "HARN-CAP-001", Cap, "capability payload is invalid";
228    HitlMissingApprovalPolicy, "HARN-CAP-002", Cap, "human approval construct is missing policy";
229    HitlInvalidApprovalArgument, "HARN-CAP-003", Cap, "human approval argument is invalid";
230    CapabilityResultUnchecked, "HARN-CAP-004", Cap, "capability result must be checked";
231    CapabilityUnknownOperation, "HARN-CAP-005", Cap, "host capability operation is not declared";
232    CapabilityCallStaticNameRequired, "HARN-CAP-006", Cap, "host capability call must use a static operation name";
233    CapabilityBindingInvalid, "HARN-CAP-007", Cap, "tool host capability binding is invalid";
234    EffectInheritanceViolation, "HARN-CAP-301", Cap, "child agent effect set exceeds the parent's declared effects";
235    UnknownLlmOption, "HARN-LLM-001", Llm, "LLM option key is not recognized";
236    DeprecatedLlmOption, "HARN-LLM-002", Llm, "LLM option key is deprecated";
237    LlmSchemaMissing, "HARN-LLM-003", Llm, "LLM call is missing schema validation";
238    LlmSchemaInvalid, "HARN-LLM-004", Llm, "LLM schema option is invalid";
239    LlmProviderIdentityBranch, "HARN-LLM-005", Llm, "prompt branches on provider identity instead of capability flags";
240    OrchestrationArity, "HARN-ORC-001", Orc, "orchestration construct has invalid arity";
241    OrchestrationType, "HARN-ORC-002", Orc, "orchestration construct argument has invalid type";
242    AgentDefinitionInvalid, "HARN-ORC-003", Orc, "agent declaration is invalid";
243    WorkflowDefinitionInvalid, "HARN-ORC-004", Orc, "workflow declaration is invalid";
244    ToolDefinitionInvalid, "HARN-ORC-005", Orc, "tool declaration is invalid";
245    PipelineDefinitionInvalid, "HARN-ORC-006", Orc, "pipeline declaration is invalid";
246    InvalidSelectConstruct, "HARN-ORC-007", Orc, "select construct is invalid";
247    UnreachableCode, "HARN-ORC-008", Orc, "statement cannot be reached";
248    FlowInvariantAttributeInvalid, "HARN-ORC-009", Orc, "Flow invariant attribute set is invalid";
249    ExecutionTargetMissing, "HARN-ORC-010", Orc, "execution target path cannot be found";
250    SelfDeadlockDetected, "HARN-ORC-011", Orc, "a self-deadlock acquire would block forever";
251    WaitForGraphDeadlockDetected, "HARN-ORC-012", Orc, "a wait-for graph cycle would block forever";
252    DeprecatedStdlibSymbol, "HARN-STD-001", Std, "stdlib symbol has been renamed or deprecated";
253    StdlibUsageInvalid, "HARN-STD-002", Std, "stdlib call is invalid";
254    BuiltinArity, "HARN-STD-003", Std, "builtin call has invalid arity";
255    LintMissingStdlibMetadata, "HARN-STD-101", Std, "public stdlib function is missing declared metadata";
256    PromptTemplateParse, "HARN-PRM-001", Prm, "prompt template cannot be parsed";
257    PromptVariantExplosion, "HARN-PRM-002", Prm, "prompt template has too many capability-aware branches";
258    PromptInjectionRisk, "HARN-PRM-003", Prm, "prompt construction risks direct injection";
259    PromptProviderIdentityBranch, "HARN-PRM-004", Prm, "prompt template branches on provider identity";
260    PromptToolSurfaceUnknown, "HARN-PRM-005", Prm, "prompt references a tool outside the declared surface";
261    PromptToolSurfaceDeferredReference, "HARN-PRM-006", Prm, "prompt references a deferred tool without tool search";
262    PromptTargetMissing, "HARN-PRM-007", Prm, "prompt or template target cannot be found";
263    ModuleImportUnresolved, "HARN-MOD-001", Mod, "module import cannot be resolved";
264    ModuleImportUnused, "HARN-MOD-002", Mod, "module import is unused";
265    ModuleImportOrder, "HARN-MOD-003", Mod, "module imports are not in canonical order";
266    ModuleExportInvalid, "HARN-MOD-004", Mod, "module export is invalid";
267    ModuleImportCollision, "HARN-MOD-005", Mod, "module imports expose colliding names";
268    ModuleReExportConflict, "HARN-MOD-006", Mod, "module re-exports conflict";
269    ReminderUnknownOption, "HARN-RMD-001", Rmd, "reminder lifecycle option key is not recognized";
270    ReminderInvalidShape, "HARN-RMD-002", Rmd, "reminder payload shape is invalid";
271    ReminderUnsupportedUserBlockRoleHint, "HARN-RMD-003", Rmd, "user_block reminder role hint is not supported by the selected provider";
272    ReminderInfiniteDiscardable, "HARN-RMD-004", Rmd, "discardable reminder has no TTL";
273    ReminderUnknownPropagate, "HARN-RMD-005", Rmd, "reminder propagate value is not recognized";
274    ReminderProviderMalformedSpec, "HARN-RMD-006", Rmd, "reminder provider returned a malformed reminder spec";
275    ReminderProviderBloat, "HARN-RMD-007", Rmd, "too many reminder providers are enabled";
276    ReminderUnsupportedHookEvent, "HARN-RMD-008", Rmd, "hook event does not support reminder effects";
277    SuspendWorkerNotRunning, "HARN-SUS-001", Sus, "suspend_agent target worker is not running";
278    ResumeConditionsInvalid, "HARN-SUS-002", Sus, "ResumeConditions validation failed";
279    ResumeWorkerNotSuspended, "HARN-SUS-003", Sus, "resume_agent target worker is not suspended";
280    ResumeSnapshotInvalid, "HARN-SUS-004", Sus, "resume snapshot cannot be loaded or used";
281    AwaitResumptionOutsideAgentLoop, "HARN-SUS-005", Sus, "agent_await_resumption was invoked outside agent_loop structural handling";
282    ConcurrentResumeConflict, "HARN-SUS-006", Sus, "concurrent resume changed the worker before resume could complete";
283    ResumeTriggerRegistrationFailed, "HARN-SUS-007", Sus, "ResumeConditions trigger could not be registered";
284    ResumeTimeoutUnsupported, "HARN-SUS-008", Sus, "resume timeout action is unsupported";
285    ResumeInputInvalid, "HARN-SUS-009", Sus, "resume input failed agent_loop input validation";
286    ResumeWorkerClosed, "HARN-SUS-010", Sus, "closed suspended worker cannot be resumed";
287    ReplayResumeInputHashMismatch, "HARN-SUS-011", Sus, "replay resume input hash diverges from journaled suspension";
288    ReplayDrainDecisionPromptHashMismatch, "HARN-SUS-012", Sus, "replay drain decision prompt hash diverges from journaled receipt";
289    LifecycleSignatureMismatch, "HARN-SUS-013", Sus, "lifecycle receipt signed timestamp failed verification";
290    LintRenamedStdlibSymbol, "HARN-LNT-001", Lnt, "renamed stdlib symbol lint";
291    LintCyclomaticComplexity, "HARN-LNT-002", Lnt, "cyclomatic complexity lint";
292    LintNamingConvention, "HARN-LNT-003", Lnt, "naming convention lint";
293    LintEagerCollectionConversion, "HARN-LNT-004", Lnt, "eager collection conversion lint";
294    LintRedundantClone, "HARN-LNT-005", Lnt, "redundant clone lint";
295    LintLongRunningWithoutCleanup, "HARN-LNT-006", Lnt, "long-running workflow cleanup lint";
296    LintMcpToolAnnotations, "HARN-LNT-007", Lnt, "MCP tool annotations lint";
297    LintPrOpenWithoutSecretScan, "HARN-LNT-008", Lnt, "PR open without secret scan lint";
298    LintShadowVariable, "HARN-LNT-009", Lnt, "shadow variable lint";
299    LintPersonaHookTarget, "HARN-LNT-010", Lnt, "persona hook target lint";
300    LintDeadCodeAfterReturn, "HARN-LNT-011", Lnt, "dead code after return lint";
301    LintLetThenReturn, "HARN-LNT-012", Lnt, "let then return lint";
302    LintUnhandledApprovalResult, "HARN-LNT-013", Lnt, "unhandled approval result lint";
303    LintUnusedVariable, "HARN-LNT-014", Lnt, "unused variable lint";
304    LintUnusedPatternBinding, "HARN-LNT-015", Lnt, "unused pattern binding lint";
305    LintUnusedParameter, "HARN-LNT-016", Lnt, "unused parameter lint";
306    LintUnusedImport, "HARN-LNT-017", Lnt, "unused import lint";
307    LintMutableNeverReassigned, "HARN-LNT-018", Lnt, "mutable never reassigned lint";
308    LintUnusedFunction, "HARN-LNT-019", Lnt, "unused function lint";
309    LintUnusedType, "HARN-LNT-020", Lnt, "unused type lint";
310    LintPersonaBodyMustCallSteps, "HARN-LNT-021", Lnt, "persona body must call steps lint";
311    LintUndefinedFunction, "HARN-LNT-022", Lnt, "undefined function lint";
312    LintPipelineReturnType, "HARN-LNT-023", Lnt, "pipeline return type lint";
313    LintMissingHarndoc, "HARN-LNT-024", Lnt, "missing harndoc lint";
314    LintAssertOutsideTest, "HARN-LNT-025", Lnt, "assert outside test lint";
315    LintPromptInjectionRisk, "HARN-LNT-026", Lnt, "prompt injection risk lint";
316    LintConnectorEffectPolicy, "HARN-LNT-027", Lnt, "connector effect policy lint";
317    LintUnnecessaryCast, "HARN-LNT-028", Lnt, "unnecessary cast lint";
318    LintUntypedDictAccess, "HARN-LNT-029", Lnt, "untyped dict access lint";
319    LintConstantLogicalOperand, "HARN-LNT-030", Lnt, "constant logical operand lint";
320    LintPointlessComparison, "HARN-LNT-031", Lnt, "pointless comparison lint";
321    LintComparisonToBool, "HARN-LNT-032", Lnt, "comparison to bool lint";
322    LintInvalidBinaryOpLiteral, "HARN-LNT-033", Lnt, "invalid binary operator literal lint";
323    LintRedundantNilTernary, "HARN-LNT-034", Lnt, "redundant nil ternary lint";
324    LintEmptyBlock, "HARN-LNT-035", Lnt, "empty block lint";
325    LintUnnecessaryElseReturn, "HARN-LNT-036", Lnt, "unnecessary else return lint";
326    LintDuplicateMatchArm, "HARN-LNT-037", Lnt, "duplicate match arm lint";
327    LintRequireInTest, "HARN-LNT-038", Lnt, "require in test lint";
328    LintBreakOutsideLoop, "HARN-LNT-039", Lnt, "break outside loop lint";
329    LintTemplateParse, "HARN-LNT-040", Lnt, "template parse lint";
330    LintBlankLineBetweenItems, "HARN-LNT-041", Lnt, "blank line between items lint";
331    LintTrailingComma, "HARN-LNT-042", Lnt, "trailing comma lint";
332    LintUnnecessaryParentheses, "HARN-LNT-043", Lnt, "unnecessary parentheses lint";
333    LintTemplateVariantExplosion, "HARN-LNT-044", Lnt, "template variant explosion lint";
334    LintRequireFileHeader, "HARN-LNT-045", Lnt, "require file header lint";
335    LintTemplateProviderIdentityBranch, "HARN-LNT-046", Lnt, "template provider identity branch lint";
336    LintImportOrder, "HARN-LNT-047", Lnt, "import order lint";
337    LintPreferOptionalShorthand, "HARN-LNT-048", Lnt, "prefer optional shorthand lint";
338    LintLegacyDocComment, "HARN-LNT-049", Lnt, "legacy doc comment lint";
339    LintDeprecatedLlmOptions, "HARN-LNT-050", Lnt, "deprecated LLM options lint";
340    LintUnnecessarySafeNavigation, "HARN-LNT-051", Lnt, "unnecessary safe navigation lint";
341    LintAmbientClockBuiltin, "HARN-LNT-052", Lnt, "ambient clock builtin replaced by `harness.clock.*`";
342    LintAmbientStdioBuiltin, "HARN-LNT-053", Lnt, "ambient stdio builtin replaced by `harness.stdio.*`";
343    LintAmbientFsBuiltin, "HARN-LNT-054", Lnt, "ambient fs builtin replaced by `harness.fs.*`";
344    LintAmbientEnvBuiltin, "HARN-LNT-055", Lnt, "ambient env builtin replaced by `harness.env.*`";
345    LintAmbientRandomBuiltin, "HARN-LNT-056", Lnt, "ambient random builtin replaced by `harness.random.*`";
346    LintAmbientNetBuiltin, "HARN-LNT-057", Lnt, "ambient net builtin replaced by `harness.net.*`";
347    LintVacuousCondition, "HARN-LNT-058", Lnt, "if / while / guard condition is statically known to always succeed or always fail";
348    LintRuleEngine, "HARN-LNT-059", Lnt, "project rule-engine or native lint rule";
349    LintUnnormalizedOptions, "HARN-LNT-060", Lnt, "inline options dict bypasses the typed option constructors";
350    SandboxCapabilityDenied, "HARN-CAP-201", Cap, "harness capability denied by active sandbox profile";
351    FormatterParseFailed, "HARN-FMT-001", Fmt, "formatter could not parse the source";
352    FormatterWouldReformat, "HARN-FMT-002", Fmt, "source is not in canonical format";
353    FormatterTrailingComma, "HARN-FMT-003", Fmt, "formatter normalized trailing comma layout";
354    ImportResolutionFailed, "HARN-IMP-001", Imp, "import target cannot be resolved";
355    ImportSymbolMissing, "HARN-IMP-002", Imp, "imported symbol does not exist";
356    ImportCycle, "HARN-IMP-003", Imp, "import graph contains a cycle";
357    ImmutableAssignment, "HARN-OWN-001", Own, "immutable binding is reassigned";
358    MutableNeverReassigned, "HARN-OWN-002", Own, "mutable binding is never reassigned";
359    OwnershipEscape, "HARN-OWN-003", Own, "owned value escapes its valid scope";
360    BoundaryValueUnvalidated, "HARN-OWN-004", Own, "unvalidated boundary value is used directly";
361    RescueOutsideFunction, "HARN-RCV-001", Rcv, "rescue construct is outside a function body";
362    TryOutsideFunction, "HARN-RCV-002", Rcv, "try construct is outside a function body";
363    InvalidRescueConstruct, "HARN-RCV-003", Rcv, "rescue construct is invalid";
364    NonExhaustiveMatch, "HARN-MAT-001", Mat, "match expression is not exhaustive";
365    DuplicateMatchArm, "HARN-MAT-002", Mat, "match expression contains a duplicate arm";
366    InvalidMatchPattern, "HARN-MAT-003", Mat, "match pattern is invalid";
367    PoolBackpressureFull, "HARN-POL-001", Pol, "pool backpressure rejected a submit";
368    PoolFailFastFull, "HARN-POL-002", Pol, "fail-fast pool has no immediate capacity";
369    ConstEvalDisallowedExpression, "HARN-MET-001", Met, "expression is not permitted in a const initializer";
370    ConstEvalStepLimit, "HARN-CST-001", Cst, "const initializer exceeded the step budget";
371    ConstEvalRecursionLimit, "HARN-CST-002", Cst, "const initializer exceeded the recursion depth budget";
372    ConstEvalSandboxViolation, "HARN-CST-003", Cst, "const initializer attempted a sandboxed capability";
373    ConstEvalRuntimeError, "HARN-CST-004", Cst, "const initializer raised a runtime error during evaluation";
374}
375
376impl Code {
377    pub const fn registry() -> &'static [RegistryEntry] {
378        REGISTRY
379    }
380
381    /// Codes that an agent should consider alongside this one when planning
382    /// repairs. Curated per-code — typically near-neighbours in the same
383    /// category that share a fix shape. Returns an empty slice for codes
384    /// without curated cross-references.
385    pub const fn related(self) -> &'static [Code] {
386        match self {
387            // Type mismatches form a family — surfacing the others helps an
388            // agent disambiguate between assignment, argument, return, etc.
389            Code::TypeMismatch => &[
390                Code::AssignmentTypeMismatch,
391                Code::ArgumentTypeMismatch,
392                Code::ReturnTypeMismatch,
393                Code::VariableTypeMismatch,
394                Code::FieldTypeMismatch,
395            ],
396            Code::AssignmentTypeMismatch => &[Code::TypeMismatch, Code::VariableTypeMismatch],
397            Code::ArgumentTypeMismatch => &[Code::TypeMismatch, Code::GenericTypeArgumentMismatch],
398            Code::ReturnTypeMismatch => &[Code::TypeMismatch, Code::ClosureReturnTypeMismatch],
399            Code::VariableTypeMismatch => &[Code::TypeMismatch, Code::AssignmentTypeMismatch],
400            Code::ClosureReturnTypeMismatch => &[Code::ReturnTypeMismatch],
401            Code::FieldTypeMismatch => &[Code::TypeMismatch, Code::InvalidStructLiteral],
402            Code::MethodTypeMismatch => &[Code::TypeMismatch, Code::CallableExpected],
403            // Generic type-argument family.
404            Code::GenericTypeArgumentUnsupported => &[
405                Code::GenericTypeArgumentMismatch,
406                Code::GenericTypeArgumentArity,
407            ],
408            Code::GenericTypeArgumentMismatch => &[
409                Code::GenericTypeArgumentArity,
410                Code::WhereConstraintMismatch,
411            ],
412            Code::GenericTypeArgumentArity => {
413                &[Code::GenericTypeArgumentMismatch, Code::TypeParameterArity]
414            }
415            Code::TypeParameterArity => &[Code::GenericTypeArgumentArity],
416            Code::WhereConstraintMismatch => &[Code::GenericTypeArgumentMismatch],
417            // Naming.
418            Code::UndefinedVariable => &[Code::UndefinedFunction, Code::UnknownDeclaration],
419            Code::UndefinedFunction => &[Code::UnknownBuiltin, Code::UnknownDeclaration],
420            Code::UnknownField => &[Code::UnknownMethod, Code::InvalidStructLiteral],
421            Code::UnknownMethod => &[Code::UnknownField, Code::CallableExpected],
422            Code::UnknownAttribute => {
423                &[Code::InvalidAttributeArgument, Code::InvalidAttributeTarget]
424            }
425            Code::InvalidAttributeArgument => {
426                &[Code::UnknownAttribute, Code::InvalidAttributeTarget]
427            }
428            Code::InvalidAttributeTarget => {
429                &[Code::UnknownAttribute, Code::InvalidAttributeArgument]
430            }
431            // LLM call family — schema, options, provider branching.
432            Code::LlmSchemaMissing => &[Code::LlmSchemaInvalid, Code::UnknownLlmOption],
433            Code::LlmSchemaInvalid => &[Code::LlmSchemaMissing, Code::UnknownLlmOption],
434            Code::UnknownLlmOption => &[Code::DeprecatedLlmOption, Code::LlmSchemaInvalid],
435            Code::DeprecatedLlmOption => &[Code::UnknownLlmOption],
436            Code::LlmProviderIdentityBranch => &[Code::PromptProviderIdentityBranch],
437            // Prompt-template family.
438            Code::PromptTemplateParse => &[Code::PromptTargetMissing],
439            Code::PromptInjectionRisk => &[Code::LintPromptInjectionRisk],
440            Code::PromptProviderIdentityBranch => &[
441                Code::LlmProviderIdentityBranch,
442                Code::LintTemplateProviderIdentityBranch,
443            ],
444            Code::PromptVariantExplosion => &[Code::LintTemplateVariantExplosion],
445            // Capabilities.
446            Code::CapabilityResultUnchecked => {
447                &[Code::RescueOutsideFunction, Code::TryOutsideFunction]
448            }
449            Code::CapabilityUnknownOperation => &[Code::CapabilityCallStaticNameRequired],
450            Code::EffectInheritanceViolation => &[
451                Code::CapabilityPayloadInvalid,
452                Code::CapabilityBindingInvalid,
453            ],
454            // Recovery / match.
455            Code::RescueOutsideFunction => {
456                &[Code::TryOutsideFunction, Code::InvalidRescueConstruct]
457            }
458            Code::TryOutsideFunction => &[Code::RescueOutsideFunction],
459            Code::NonExhaustiveMatch => &[Code::InvalidMatchPattern, Code::DuplicateMatchArm],
460            Code::DuplicateMatchArm => &[Code::NonExhaustiveMatch, Code::LintDuplicateMatchArm],
461            // Module / import family.
462            Code::ModuleImportUnresolved => {
463                &[Code::ImportResolutionFailed, Code::ImportSymbolMissing]
464            }
465            Code::ModuleImportUnused => &[Code::LintUnusedImport],
466            Code::ImportResolutionFailed => {
467                &[Code::ModuleImportUnresolved, Code::ImportSymbolMissing]
468            }
469            Code::ImportCycle => &[Code::ImportResolutionFailed],
470            // Suspend / resume lifecycle.
471            Code::SuspendWorkerNotRunning => {
472                &[Code::ResumeWorkerNotSuspended, Code::ResumeWorkerClosed]
473            }
474            Code::ResumeConditionsInvalid => &[
475                Code::ResumeTriggerRegistrationFailed,
476                Code::ResumeTimeoutUnsupported,
477            ],
478            Code::ResumeWorkerNotSuspended => &[
479                Code::SuspendWorkerNotRunning,
480                Code::ConcurrentResumeConflict,
481            ],
482            Code::ResumeSnapshotInvalid => &[Code::ResumeWorkerNotSuspended],
483            Code::AwaitResumptionOutsideAgentLoop => &[Code::ResumeConditionsInvalid],
484            Code::ConcurrentResumeConflict => {
485                &[Code::ResumeWorkerNotSuspended, Code::ResumeWorkerClosed]
486            }
487            Code::ResumeTriggerRegistrationFailed => &[
488                Code::ResumeConditionsInvalid,
489                Code::ResumeTimeoutUnsupported,
490            ],
491            Code::ResumeTimeoutUnsupported => &[
492                Code::ResumeConditionsInvalid,
493                Code::ResumeTriggerRegistrationFailed,
494            ],
495            Code::ResumeInputInvalid => &[Code::ResumeWorkerNotSuspended],
496            Code::ResumeWorkerClosed => &[
497                Code::ResumeWorkerNotSuspended,
498                Code::ConcurrentResumeConflict,
499            ],
500            // Reminder lifecycle diagnostics share the same payload shape and
501            // propagation field, so nearby codes help route runtime vs lint
502            // failures to the right fix.
503            Code::ReminderUnknownOption => {
504                &[Code::ReminderInvalidShape, Code::ReminderUnknownPropagate]
505            }
506            Code::ReminderInvalidShape => {
507                &[Code::ReminderUnknownOption, Code::ReminderUnknownPropagate]
508            }
509            Code::ReminderUnknownPropagate => {
510                &[Code::ReminderUnknownOption, Code::ReminderInvalidShape]
511            }
512            Code::ReminderProviderMalformedSpec => &[Code::ReminderInvalidShape],
513            Code::ReminderProviderBloat => &[Code::ReminderInfiniteDiscardable],
514            Code::ReminderUnsupportedHookEvent => &[Code::ReminderProviderMalformedSpec],
515            // Ownership.
516            Code::ImmutableAssignment => &[Code::MutableNeverReassigned],
517            Code::MutableNeverReassigned => &[Code::LintMutableNeverReassigned],
518            // Lint pairs (drift between lint and runtime/typecheck codes).
519            Code::LintDeprecatedLlmOptions => &[Code::DeprecatedLlmOption, Code::UnknownLlmOption],
520            Code::LintUnnormalizedOptions => {
521                &[Code::LintDeprecatedLlmOptions, Code::LintUntypedDictAccess]
522            }
523            Code::LintPromptInjectionRisk => &[Code::PromptInjectionRisk],
524            Code::LintTemplateVariantExplosion => &[Code::PromptVariantExplosion],
525            Code::LintTemplateProviderIdentityBranch => &[Code::PromptProviderIdentityBranch],
526            Code::LintRenamedStdlibSymbol => &[Code::DeprecatedStdlibSymbol],
527            Code::LintAmbientClockBuiltin
528            | Code::LintAmbientStdioBuiltin
529            | Code::LintAmbientFsBuiltin
530            | Code::LintAmbientEnvBuiltin
531            | Code::LintAmbientRandomBuiltin
532            | Code::LintAmbientNetBuiltin => {
533                &[Code::InvalidMainSignature, Code::LintRenamedStdlibSymbol]
534            }
535            Code::SandboxCapabilityDenied => &[Code::CapabilityPayloadInvalid],
536            Code::LintMutableNeverReassigned => &[Code::MutableNeverReassigned],
537            Code::LintUnusedImport => &[Code::ModuleImportUnused],
538            Code::LintDuplicateMatchArm => &[Code::DuplicateMatchArm],
539            _ => &[],
540        }
541    }
542}
543
544impl fmt::Display for Code {
545    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
546        f.write_str(self.as_str())
547    }
548}
549
550/// Error returned when parsing an unknown diagnostic code.
551#[derive(Debug, Clone, Copy, PartialEq, Eq)]
552pub struct ParseCodeError;
553
554impl fmt::Display for ParseCodeError {
555    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
556        f.write_str("unknown Harn diagnostic code")
557    }
558}
559
560impl std::error::Error for ParseCodeError {}
561
562impl FromStr for Code {
563    type Err = ParseCodeError;
564
565    fn from_str(value: &str) -> Result<Self, Self::Err> {
566        Code::ALL
567            .iter()
568            .copied()
569            .find(|code| code.as_str() == value)
570            .ok_or(ParseCodeError)
571    }
572}
573
574/// Autonomy ceiling of a proposed repair.
575///
576/// Agents and IDEs dispatch on this class to decide whether to auto-apply
577/// a fix, propose it as a suggestion, or escalate to a human. Variants
578/// are ordered from least to most disruptive — call sites can compare
579/// with `<=` to enforce a configured ceiling like
580/// `"apply anything up to behavior-preserving"`.
581///
582/// The wire-format strings (`format-only`, `behavior-preserving`, …) are
583/// the contract surface; renaming a variant string is a breaking change.
584#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
585pub enum RepairSafety {
586    /// Whitespace, trivia, or canonical layout only. No code structure
587    /// changes; safe to auto-apply.
588    FormatOnly,
589    /// Intended not to change observable runtime behavior (e.g. delete an
590    /// unreachable branch, drop a redundant cast).
591    BehaviorPreserving,
592    /// Confined to the current local scope or file. Runtime behavior may
593    /// change, but the blast radius does not cross a declaration boundary
594    /// or a public surface.
595    ScopeLocal,
596    /// Touches a signature, export, or call-site surface that other files
597    /// or external consumers can observe.
598    SurfaceChanging,
599    /// Required capabilities or sandbox profile may change as a result of
600    /// applying the repair (e.g. swapping `provider: "openai"` for a
601    /// capability flag widens the routing surface).
602    CapabilityChanging,
603    /// Planning hint only — agents should propose, never auto-apply.
604    /// Aligned with the `AutonomyTier::Suggest`/`ActWithApproval` rungs
605    /// in `trust_graph.rs`.
606    NeedsHuman,
607}
608
609impl RepairSafety {
610    pub const ALL: &'static [RepairSafety] = &[
611        RepairSafety::FormatOnly,
612        RepairSafety::BehaviorPreserving,
613        RepairSafety::ScopeLocal,
614        RepairSafety::SurfaceChanging,
615        RepairSafety::CapabilityChanging,
616        RepairSafety::NeedsHuman,
617    ];
618
619    /// Stable wire-format string. The contract surface — do not rename
620    /// without coordinating with `harn fix --safety <…>` callers and
621    /// downstream LSP/IDE clients.
622    pub const fn as_str(self) -> &'static str {
623        match self {
624            RepairSafety::FormatOnly => "format-only",
625            RepairSafety::BehaviorPreserving => "behavior-preserving",
626            RepairSafety::ScopeLocal => "scope-local",
627            RepairSafety::SurfaceChanging => "surface-changing",
628            RepairSafety::CapabilityChanging => "capability-changing",
629            RepairSafety::NeedsHuman => "needs-human",
630        }
631    }
632
633    /// True when `self` sits at or below `ceiling`. Used by
634    /// `harn fix --apply --safety <ceiling>` and IDE auto-apply policies
635    /// to decide whether a repair clears the configured autonomy bar.
636    pub const fn is_at_most(self, ceiling: RepairSafety) -> bool {
637        (self as u8) <= (ceiling as u8)
638    }
639}
640
641impl fmt::Display for RepairSafety {
642    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
643        f.write_str(self.as_str())
644    }
645}
646
647/// Error returned when parsing an unknown repair-safety string.
648#[derive(Debug, Clone, Copy, PartialEq, Eq)]
649pub struct ParseRepairSafetyError;
650
651impl fmt::Display for ParseRepairSafetyError {
652    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
653        f.write_str("unknown Harn repair-safety class")
654    }
655}
656
657impl std::error::Error for ParseRepairSafetyError {}
658
659impl FromStr for RepairSafety {
660    type Err = ParseRepairSafetyError;
661
662    fn from_str(value: &str) -> Result<Self, Self::Err> {
663        RepairSafety::ALL
664            .iter()
665            .copied()
666            .find(|safety| safety.as_str() == value)
667            .ok_or(ParseRepairSafetyError)
668    }
669}
670
671/// Namespaced kebab-case repair identifier (e.g. `imports/fix-path`).
672///
673/// Wraps a `Cow` so registry-driven values reuse a `'static` literal and
674/// per-site overrides can still attach an owned string. The wire-format
675/// string is the contract surface — never normalize or reformat on read.
676#[derive(Debug, Clone, PartialEq, Eq, Hash)]
677pub struct RepairId(std::borrow::Cow<'static, str>);
678
679impl RepairId {
680    pub const fn from_static(s: &'static str) -> Self {
681        RepairId(std::borrow::Cow::Borrowed(s))
682    }
683
684    pub fn from_owned(s: String) -> Self {
685        RepairId(std::borrow::Cow::Owned(s))
686    }
687
688    pub fn as_str(&self) -> &str {
689        &self.0
690    }
691}
692
693impl fmt::Display for RepairId {
694    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
695        f.write_str(&self.0)
696    }
697}
698
699/// A structured repair proposal attached to a diagnostic.
700///
701/// `id` and `summary` are agent-readable metadata; `safety` is the
702/// dispatch dimension that decides whether the repair clears an
703/// autonomy ceiling. The concrete edits, when known statically, live on
704/// the diagnostic's `fix: Option<Vec<FixEdit>>`; this `Repair` is the
705/// classifier above those edits, not a replacement for them.
706#[derive(Debug, Clone)]
707pub struct Repair {
708    pub id: RepairId,
709    pub summary: String,
710    pub safety: RepairSafety,
711}
712
713impl Repair {
714    pub fn from_template(template: &RepairTemplate) -> Self {
715        Repair {
716            id: RepairId::from_static(template.id),
717            summary: template.summary.to_string(),
718            safety: template.safety,
719        }
720    }
721}
722
723/// Static-lifetime repair template bound to a diagnostic code.
724///
725/// Stored in the registry alongside `Code`. Construction sites can
726/// materialize a `Repair` via [`Repair::from_template`] or override
727/// `summary` for instance-specific detail by building a `Repair`
728/// directly.
729#[derive(Debug, Clone, Copy)]
730pub struct RepairTemplate {
731    pub id: &'static str,
732    pub summary: &'static str,
733    pub safety: RepairSafety,
734}
735
736impl Code {
737    /// Look up the default repair template attached to this diagnostic
738    /// code, or `None` if no actionable fix shape is registered.
739    pub const fn repair_template(self) -> Option<&'static RepairTemplate> {
740        match self {
741            // --- TYP: type mismatches & coercions -------------------------
742            Code::TypeMismatch
743            | Code::ReturnTypeMismatch
744            | Code::AssignmentTypeMismatch
745            | Code::ArgumentTypeMismatch
746            | Code::VariableTypeMismatch
747            | Code::ClosureReturnTypeMismatch
748            | Code::FieldTypeMismatch
749            | Code::MethodTypeMismatch
750            | Code::InvalidIndexType => Some(&REPAIR_INSERT_EXPLICIT_CONVERSION),
751            Code::StringInterpolationRewrite => Some(&REPAIR_REWRITE_STRING_INTERPOLATION),
752            Code::UnknownTypeName => Some(&REPAIR_IMPORTS_FIX_PATH),
753            Code::InvalidCast => Some(&REPAIR_CASTS_REMOVE_UNCHECKED),
754
755            // --- NAM / IMP: imports & names -------------------------------
756            Code::UndefinedVariable
757            | Code::UndefinedFunction
758            | Code::UnknownField
759            | Code::UnknownMethod
760            | Code::UnknownBuiltin
761            | Code::UnknownDeclaration => Some(&REPAIR_BINDINGS_RENAME_TO_CLOSEST),
762            Code::InvalidMainSignature => Some(&REPAIR_BINDINGS_THREAD_HARNESS_NEEDS_PARAM),
763            Code::DeprecatedFunction => Some(&REPAIR_STDLIB_MIGRATE_RENAMED),
764            Code::ModuleImportUnresolved | Code::ImportResolutionFailed => {
765                Some(&REPAIR_IMPORTS_FIX_PATH)
766            }
767            Code::ModuleImportUnused => Some(&REPAIR_IMPORTS_REMOVE_UNUSED),
768            Code::ModuleImportOrder => Some(&REPAIR_IMPORTS_REORDER),
769
770            // --- CAP / RCV: capabilities & error recovery -----------------
771            Code::CapabilityResultUnchecked => Some(&REPAIR_ERRORS_CHECK_OR_RESCUE),
772            Code::CapabilityBindingInvalid => Some(&REPAIR_MANUAL_REVIEW_CAPABILITY),
773            Code::EffectInheritanceViolation => Some(&REPAIR_POLICY_NARROW_CHILD_EFFECTS),
774            Code::RescueOutsideFunction | Code::TryOutsideFunction => {
775                Some(&REPAIR_ERRORS_WRAP_IN_FN)
776            }
777
778            // --- LLM / PRM: model + prompt contract -----------------------
779            Code::DeprecatedLlmOption => Some(&REPAIR_LLM_MIGRATE_DEPRECATED_OPTION),
780            Code::LlmSchemaMissing => Some(&REPAIR_LLM_ADD_SCHEMA),
781            Code::LlmProviderIdentityBranch | Code::PromptProviderIdentityBranch => {
782                Some(&REPAIR_LLM_USE_CAPABILITY_FLAG)
783            }
784            Code::PromptInjectionRisk => Some(&REPAIR_PROMPTS_ESCAPE_INJECTION),
785            Code::PromptToolSurfaceUnknown | Code::PromptToolSurfaceDeferredReference => {
786                Some(&REPAIR_PROMPTS_ADD_TOOL_TO_SURFACE)
787            }
788            Code::PromptVariantExplosion => Some(&REPAIR_MANUAL_NEEDS_HUMAN),
789
790            // --- STD: stdlib usage ----------------------------------------
791            Code::DeprecatedStdlibSymbol => Some(&REPAIR_STDLIB_MIGRATE_RENAMED),
792            Code::LintMissingStdlibMetadata => Some(&REPAIR_DOC_ADD_STDLIB_METADATA),
793
794            // --- OWN: ownership & mutability ------------------------------
795            Code::ImmutableAssignment => Some(&REPAIR_BINDINGS_MAKE_MUTABLE),
796            Code::MutableNeverReassigned => Some(&REPAIR_BINDINGS_MAKE_IMMUTABLE),
797
798            // --- MAT: match exhaustiveness --------------------------------
799            Code::NonExhaustiveMatch => Some(&REPAIR_MATCH_ADD_MISSING_ARMS),
800            Code::DuplicateMatchArm => Some(&REPAIR_MATCH_REMOVE_DUPLICATE_ARM),
801
802            // --- ORC: orchestration ---------------------------------------
803            Code::UnreachableCode => Some(&REPAIR_DEAD_CODE_REMOVE),
804
805            // --- FMT: formatter -------------------------------------------
806            Code::FormatterWouldReformat | Code::FormatterTrailingComma => {
807                Some(&REPAIR_FORMAT_REFORMAT)
808            }
809
810            // --- LNT: lints with structured fixes -------------------------
811            Code::LintUnusedVariable
812            | Code::LintUnusedPatternBinding
813            | Code::LintUnusedParameter => Some(&REPAIR_BINDINGS_RENAME_UNUSED),
814            Code::LintUnusedImport => Some(&REPAIR_IMPORTS_REMOVE_UNUSED),
815            Code::LintUnusedFunction | Code::LintUnusedType => {
816                Some(&REPAIR_DECLARATIONS_REMOVE_UNUSED)
817            }
818            Code::LintMutableNeverReassigned => Some(&REPAIR_BINDINGS_MAKE_IMMUTABLE),
819            Code::LintImportOrder => Some(&REPAIR_IMPORTS_REORDER),
820            Code::LintBlankLineBetweenItems
821            | Code::LintTrailingComma
822            | Code::LintUnnecessaryParentheses
823            | Code::LintRequireFileHeader => Some(&REPAIR_FORMAT_REFORMAT),
824            Code::LintLegacyDocComment => Some(&REPAIR_DOC_COMMENT_MIGRATE),
825            Code::LintEmptyBlock => Some(&REPAIR_BLOCK_REMOVE_EMPTY),
826            Code::LintUnnecessaryElseReturn | Code::LintLetThenReturn => {
827                Some(&REPAIR_CONTROL_FLOW_FLATTEN)
828            }
829            Code::LintRedundantNilTernary
830            | Code::LintUnnecessarySafeNavigation
831            | Code::LintPreferOptionalShorthand
832            | Code::LintComparisonToBool
833            | Code::LintPointlessComparison
834            | Code::LintConstantLogicalOperand => Some(&REPAIR_EXPRESSION_SIMPLIFY),
835            Code::LintUnnecessaryCast => Some(&REPAIR_CASTS_REMOVE_REDUNDANT),
836            Code::LintRedundantClone => Some(&REPAIR_CLONE_REMOVE_REDUNDANT),
837            Code::LintEagerCollectionConversion => Some(&REPAIR_COLLECTION_PREFER_LAZY),
838            Code::LintDeadCodeAfterReturn => Some(&REPAIR_DEAD_CODE_REMOVE),
839            Code::LintRenamedStdlibSymbol => Some(&REPAIR_STDLIB_MIGRATE_RENAMED),
840            Code::LintAmbientClockBuiltin => Some(&REPAIR_BINDINGS_THREAD_HARNESS_CLOCK),
841            Code::LintAmbientFsBuiltin => Some(&REPAIR_BINDINGS_THREAD_HARNESS_FS),
842            Code::LintAmbientEnvBuiltin => Some(&REPAIR_BINDINGS_THREAD_HARNESS_ENV),
843            Code::LintAmbientRandomBuiltin => Some(&REPAIR_BINDINGS_THREAD_HARNESS_RANDOM),
844            Code::LintAmbientNetBuiltin => Some(&REPAIR_BINDINGS_THREAD_HARNESS_NET),
845            Code::LintAmbientStdioBuiltin => Some(&REPAIR_BINDINGS_THREAD_HARNESS),
846            Code::LintDeprecatedLlmOptions => Some(&REPAIR_LLM_MIGRATE_DEPRECATED_OPTION),
847            Code::LintTemplateProviderIdentityBranch => Some(&REPAIR_LLM_USE_CAPABILITY_FLAG),
848            Code::LintPromptInjectionRisk => Some(&REPAIR_PROMPTS_ESCAPE_INJECTION),
849            Code::LintShadowVariable => Some(&REPAIR_BINDINGS_RENAME_SHADOW),
850            Code::LintNamingConvention => Some(&REPAIR_STYLE_RENAME_TO_CONVENTION),
851            Code::LintUnhandledApprovalResult => Some(&REPAIR_ERRORS_CHECK_OR_RESCUE),
852            Code::LintMissingHarndoc => Some(&REPAIR_DOC_ADD_HARNDOC),
853            Code::LintDuplicateMatchArm => Some(&REPAIR_MATCH_REMOVE_DUPLICATE_ARM),
854            Code::LintUntypedDictAccess => Some(&REPAIR_TYPES_ADD_SHAPE_ANNOTATION),
855            Code::LintUnnormalizedOptions => Some(&REPAIR_TYPES_ADD_SHAPE_ANNOTATION),
856            Code::LintMcpToolAnnotations => Some(&REPAIR_MANUAL_NEEDS_HUMAN),
857            Code::LintTemplateVariantExplosion | Code::LintLongRunningWithoutCleanup => {
858                Some(&REPAIR_MANUAL_NEEDS_HUMAN)
859            }
860
861            // Everything else: no statically known repair shape. Agents
862            // should treat these as "diagnose only" until a repair is
863            // registered.
864            _ => None,
865        }
866    }
867}
868
869// Repair-id catalog. Each `RepairTemplate` carries a kebab-case
870// namespaced id (`<namespace>/<verb-noun>`), a one-line summary written
871// in the imperative voice, and a `RepairSafety` class.
872//
873// Conventions:
874//   - Namespaces stay short: `bindings/`, `imports/`, `errors/`, `casts/`,
875//     `format/`, `llm/`, `prompts/`, `match/`, `stdlib/`, `lint/`,
876//     `doc/`, `style/`, `types/`, `manual/`.
877//   - Summary starts with a verb ("Replace…", "Remove…", "Insert…").
878//   - Safety must be the most permissive class that is still always true
879//     for every site this template attaches to. When unsure, pick the
880//     stricter class — agents tighten too-loose policies later, never
881//     too-tight ones.
882
883const REPAIR_INSERT_EXPLICIT_CONVERSION: RepairTemplate = RepairTemplate {
884    id: "casts/insert-explicit-conversion",
885    summary: "Insert an explicit conversion or correct the operand type",
886    safety: RepairSafety::ScopeLocal,
887};
888
889const REPAIR_REWRITE_STRING_INTERPOLATION: RepairTemplate = RepairTemplate {
890    id: "style/string-interpolation",
891    summary: "Rewrite string concatenation as an interpolation literal",
892    safety: RepairSafety::BehaviorPreserving,
893};
894
895const REPAIR_CASTS_REMOVE_UNCHECKED: RepairTemplate = RepairTemplate {
896    id: "casts/remove-unchecked",
897    summary: "Remove the unchecked cast or guard it with a type test",
898    safety: RepairSafety::ScopeLocal,
899};
900
901const REPAIR_CASTS_REMOVE_REDUNDANT: RepairTemplate = RepairTemplate {
902    id: "casts/remove-redundant",
903    summary: "Remove the redundant cast",
904    safety: RepairSafety::BehaviorPreserving,
905};
906
907const REPAIR_BINDINGS_RENAME_TO_CLOSEST: RepairTemplate = RepairTemplate {
908    id: "bindings/rename-to-closest",
909    summary: "Rename to the closest in-scope identifier",
910    safety: RepairSafety::ScopeLocal,
911};
912
913const REPAIR_BINDINGS_MAKE_MUTABLE: RepairTemplate = RepairTemplate {
914    id: "bindings/make-mutable",
915    summary: "Declare the binding with `var` so it can be reassigned",
916    safety: RepairSafety::ScopeLocal,
917};
918
919const REPAIR_BINDINGS_MAKE_IMMUTABLE: RepairTemplate = RepairTemplate {
920    id: "bindings/make-immutable",
921    summary: "Declare the never-reassigned binding with `let` instead of `var`",
922    safety: RepairSafety::BehaviorPreserving,
923};
924
925const REPAIR_BINDINGS_RENAME_UNUSED: RepairTemplate = RepairTemplate {
926    id: "bindings/rename-unused",
927    summary: "Use the `_` discard binding for an unused binding",
928    safety: RepairSafety::BehaviorPreserving,
929};
930
931const REPAIR_BINDINGS_RENAME_SHADOW: RepairTemplate = RepairTemplate {
932    id: "bindings/rename-shadow",
933    summary: "Rename the shadowing binding to a distinct name",
934    safety: RepairSafety::ScopeLocal,
935};
936
937const REPAIR_BINDINGS_THREAD_HARNESS: RepairTemplate = RepairTemplate {
938    id: "bindings/thread-harness",
939    summary: "Thread the existing `harness` binding through local helper calls and replace the ambient stdio builtin with `harness.stdio.*`",
940    safety: RepairSafety::ScopeLocal,
941};
942
943const REPAIR_BINDINGS_THREAD_HARNESS_NEEDS_PARAM: RepairTemplate = RepairTemplate {
944    id: "bindings/thread-harness-needs-param",
945    summary: "Add a `harness: Harness` parameter where the stdio capability handle is required and update local callers",
946    safety: RepairSafety::SurfaceChanging,
947};
948
949const REPAIR_BINDINGS_THREAD_HARNESS_CLOCK: RepairTemplate = RepairTemplate {
950    id: "bindings/thread-harness-clock",
951    summary: "Replace the ambient clock builtin with the corresponding `harness.clock.*` method",
952    safety: RepairSafety::ScopeLocal,
953};
954
955const REPAIR_BINDINGS_THREAD_HARNESS_FS: RepairTemplate = RepairTemplate {
956    id: "bindings/thread-harness-fs",
957    summary: "Replace the ambient fs builtin with the corresponding `harness.fs.*` method",
958    safety: RepairSafety::ScopeLocal,
959};
960
961const REPAIR_BINDINGS_THREAD_HARNESS_ENV: RepairTemplate = RepairTemplate {
962    id: "bindings/thread-harness-env",
963    summary: "Replace the ambient env builtin with the corresponding `harness.env.*` method",
964    safety: RepairSafety::ScopeLocal,
965};
966
967const REPAIR_BINDINGS_THREAD_HARNESS_RANDOM: RepairTemplate = RepairTemplate {
968    id: "bindings/thread-harness-random",
969    summary: "Replace the ambient random builtin with the corresponding `harness.random.*` method",
970    safety: RepairSafety::ScopeLocal,
971};
972
973const REPAIR_BINDINGS_THREAD_HARNESS_NET: RepairTemplate = RepairTemplate {
974    id: "bindings/thread-harness-net",
975    summary: "Replace the ambient net builtin with the corresponding `harness.net.*` method",
976    safety: RepairSafety::ScopeLocal,
977};
978
979const REPAIR_DECLARATIONS_REMOVE_UNUSED: RepairTemplate = RepairTemplate {
980    id: "declarations/remove-unused",
981    summary: "Remove the unused declaration",
982    safety: RepairSafety::SurfaceChanging,
983};
984
985const REPAIR_IMPORTS_FIX_PATH: RepairTemplate = RepairTemplate {
986    id: "imports/fix-path",
987    summary: "Replace the import path with a resolvable target",
988    safety: RepairSafety::ScopeLocal,
989};
990
991const REPAIR_IMPORTS_REMOVE_UNUSED: RepairTemplate = RepairTemplate {
992    id: "imports/remove-unused",
993    summary: "Remove the unused import",
994    safety: RepairSafety::BehaviorPreserving,
995};
996
997const REPAIR_IMPORTS_REORDER: RepairTemplate = RepairTemplate {
998    id: "imports/reorder",
999    summary: "Reorder imports into canonical grouping",
1000    safety: RepairSafety::FormatOnly,
1001};
1002
1003const REPAIR_ERRORS_CHECK_OR_RESCUE: RepairTemplate = RepairTemplate {
1004    id: "errors/check-or-rescue",
1005    summary: "Check the result or wrap the call in a `rescue` block",
1006    safety: RepairSafety::ScopeLocal,
1007};
1008
1009const REPAIR_ERRORS_WRAP_IN_FN: RepairTemplate = RepairTemplate {
1010    id: "errors/wrap-in-fn",
1011    summary: "Move the construct inside a function body",
1012    safety: RepairSafety::SurfaceChanging,
1013};
1014
1015const REPAIR_MATCH_ADD_MISSING_ARMS: RepairTemplate = RepairTemplate {
1016    id: "match/add-missing-arms",
1017    summary: "Add arms covering the missing variants",
1018    safety: RepairSafety::ScopeLocal,
1019};
1020
1021const REPAIR_MATCH_REMOVE_DUPLICATE_ARM: RepairTemplate = RepairTemplate {
1022    id: "match/remove-duplicate-arm",
1023    summary: "Remove the duplicated match arm",
1024    safety: RepairSafety::BehaviorPreserving,
1025};
1026
1027const REPAIR_FORMAT_REFORMAT: RepairTemplate = RepairTemplate {
1028    id: "format/reformat",
1029    summary: "Apply canonical formatting",
1030    safety: RepairSafety::FormatOnly,
1031};
1032
1033const REPAIR_DOC_COMMENT_MIGRATE: RepairTemplate = RepairTemplate {
1034    id: "doc/migrate-comment-style",
1035    summary: "Migrate the legacy comment to canonical doc syntax",
1036    safety: RepairSafety::FormatOnly,
1037};
1038
1039const REPAIR_DOC_ADD_HARNDOC: RepairTemplate = RepairTemplate {
1040    id: "doc/add-harndoc",
1041    summary: "Add a `///` doc comment describing this declaration",
1042    safety: RepairSafety::BehaviorPreserving,
1043};
1044
1045const REPAIR_DOC_ADD_STDLIB_METADATA: RepairTemplate = RepairTemplate {
1046    id: "doc/add-stdlib-metadata",
1047    summary: "Add `@effects` and `@errors` fields to the stdlib function's doc block",
1048    safety: RepairSafety::BehaviorPreserving,
1049};
1050
1051const REPAIR_BLOCK_REMOVE_EMPTY: RepairTemplate = RepairTemplate {
1052    id: "blocks/remove-empty",
1053    summary: "Remove the empty block or fill in an explicit body",
1054    safety: RepairSafety::ScopeLocal,
1055};
1056
1057const REPAIR_CONTROL_FLOW_FLATTEN: RepairTemplate = RepairTemplate {
1058    id: "control-flow/flatten",
1059    summary: "Flatten the unnecessary control flow construct",
1060    safety: RepairSafety::BehaviorPreserving,
1061};
1062
1063const REPAIR_EXPRESSION_SIMPLIFY: RepairTemplate = RepairTemplate {
1064    id: "expressions/simplify",
1065    summary: "Simplify the expression to its canonical form",
1066    safety: RepairSafety::BehaviorPreserving,
1067};
1068
1069const REPAIR_CLONE_REMOVE_REDUNDANT: RepairTemplate = RepairTemplate {
1070    id: "clones/remove-redundant",
1071    summary: "Remove the redundant clone",
1072    safety: RepairSafety::BehaviorPreserving,
1073};
1074
1075const REPAIR_COLLECTION_PREFER_LAZY: RepairTemplate = RepairTemplate {
1076    id: "collections/prefer-lazy",
1077    summary: "Replace the eager collection step with a lazy variant",
1078    safety: RepairSafety::ScopeLocal,
1079};
1080
1081const REPAIR_DEAD_CODE_REMOVE: RepairTemplate = RepairTemplate {
1082    id: "control-flow/remove-dead",
1083    summary: "Remove the unreachable code",
1084    safety: RepairSafety::BehaviorPreserving,
1085};
1086
1087const REPAIR_STDLIB_MIGRATE_RENAMED: RepairTemplate = RepairTemplate {
1088    id: "stdlib/migrate-renamed",
1089    summary: "Rename the call to the renamed stdlib symbol",
1090    safety: RepairSafety::ScopeLocal,
1091};
1092
1093const REPAIR_LLM_MIGRATE_DEPRECATED_OPTION: RepairTemplate = RepairTemplate {
1094    id: "llm/migrate-deprecated-option",
1095    summary: "Replace the deprecated option with its supported equivalent",
1096    safety: RepairSafety::ScopeLocal,
1097};
1098
1099const REPAIR_LLM_ADD_SCHEMA: RepairTemplate = RepairTemplate {
1100    id: "llm/add-schema",
1101    summary: "Add a typed output schema to the LLM call",
1102    safety: RepairSafety::SurfaceChanging,
1103};
1104
1105const REPAIR_LLM_USE_CAPABILITY_FLAG: RepairTemplate = RepairTemplate {
1106    id: "llm/use-capability-flag",
1107    summary: "Branch on a capability flag instead of provider identity",
1108    safety: RepairSafety::CapabilityChanging,
1109};
1110
1111const REPAIR_PROMPTS_ESCAPE_INJECTION: RepairTemplate = RepairTemplate {
1112    id: "prompts/escape-injection",
1113    summary: "Pass the untrusted input through a structured placeholder",
1114    safety: RepairSafety::ScopeLocal,
1115};
1116
1117const REPAIR_PROMPTS_ADD_TOOL_TO_SURFACE: RepairTemplate = RepairTemplate {
1118    id: "prompts/add-tool-to-surface",
1119    summary: "Add the referenced tool to the declared tool surface",
1120    safety: RepairSafety::SurfaceChanging,
1121};
1122
1123const REPAIR_STYLE_RENAME_TO_CONVENTION: RepairTemplate = RepairTemplate {
1124    id: "style/rename-to-convention",
1125    summary: "Rename to match the casing convention for this kind",
1126    safety: RepairSafety::SurfaceChanging,
1127};
1128
1129const REPAIR_TYPES_ADD_SHAPE_ANNOTATION: RepairTemplate = RepairTemplate {
1130    id: "types/add-shape-annotation",
1131    summary: "Annotate the dict with a concrete shape type",
1132    safety: RepairSafety::SurfaceChanging,
1133};
1134
1135const REPAIR_MANUAL_REVIEW_CAPABILITY: RepairTemplate = RepairTemplate {
1136    id: "manual/review-capability-binding",
1137    summary: "Review the capability binding; the fix is not mechanical",
1138    safety: RepairSafety::NeedsHuman,
1139};
1140
1141const REPAIR_POLICY_NARROW_CHILD_EFFECTS: RepairTemplate = RepairTemplate {
1142    id: "policy/narrow-child-effects",
1143    summary: "Narrow the child agent's effects to a subset of the parent's, or widen the parent's declared effects",
1144    safety: RepairSafety::SurfaceChanging,
1145};
1146
1147const REPAIR_MANUAL_NEEDS_HUMAN: RepairTemplate = RepairTemplate {
1148    id: "manual/needs-human",
1149    summary: "Plan a human-led change; auto-apply is not safe here",
1150    safety: RepairSafety::NeedsHuman,
1151};
1152
1153/// Every distinct repair template registered by [`Code::repair_template`],
1154/// in source order. Used by the catalog wire-up in E1.7 and by tests
1155/// asserting the catalog is healthy.
1156pub const REPAIR_REGISTRY: &[&RepairTemplate] = &[
1157    &REPAIR_INSERT_EXPLICIT_CONVERSION,
1158    &REPAIR_REWRITE_STRING_INTERPOLATION,
1159    &REPAIR_CASTS_REMOVE_UNCHECKED,
1160    &REPAIR_CASTS_REMOVE_REDUNDANT,
1161    &REPAIR_BINDINGS_RENAME_TO_CLOSEST,
1162    &REPAIR_BINDINGS_MAKE_MUTABLE,
1163    &REPAIR_BINDINGS_MAKE_IMMUTABLE,
1164    &REPAIR_BINDINGS_RENAME_UNUSED,
1165    &REPAIR_BINDINGS_RENAME_SHADOW,
1166    &REPAIR_BINDINGS_THREAD_HARNESS,
1167    &REPAIR_BINDINGS_THREAD_HARNESS_NEEDS_PARAM,
1168    &REPAIR_BINDINGS_THREAD_HARNESS_CLOCK,
1169    &REPAIR_BINDINGS_THREAD_HARNESS_FS,
1170    &REPAIR_BINDINGS_THREAD_HARNESS_ENV,
1171    &REPAIR_BINDINGS_THREAD_HARNESS_RANDOM,
1172    &REPAIR_BINDINGS_THREAD_HARNESS_NET,
1173    &REPAIR_DECLARATIONS_REMOVE_UNUSED,
1174    &REPAIR_IMPORTS_FIX_PATH,
1175    &REPAIR_IMPORTS_REMOVE_UNUSED,
1176    &REPAIR_IMPORTS_REORDER,
1177    &REPAIR_ERRORS_CHECK_OR_RESCUE,
1178    &REPAIR_ERRORS_WRAP_IN_FN,
1179    &REPAIR_MATCH_ADD_MISSING_ARMS,
1180    &REPAIR_MATCH_REMOVE_DUPLICATE_ARM,
1181    &REPAIR_FORMAT_REFORMAT,
1182    &REPAIR_DOC_COMMENT_MIGRATE,
1183    &REPAIR_DOC_ADD_HARNDOC,
1184    &REPAIR_DOC_ADD_STDLIB_METADATA,
1185    &REPAIR_BLOCK_REMOVE_EMPTY,
1186    &REPAIR_CONTROL_FLOW_FLATTEN,
1187    &REPAIR_EXPRESSION_SIMPLIFY,
1188    &REPAIR_CLONE_REMOVE_REDUNDANT,
1189    &REPAIR_COLLECTION_PREFER_LAZY,
1190    &REPAIR_DEAD_CODE_REMOVE,
1191    &REPAIR_STDLIB_MIGRATE_RENAMED,
1192    &REPAIR_LLM_MIGRATE_DEPRECATED_OPTION,
1193    &REPAIR_LLM_ADD_SCHEMA,
1194    &REPAIR_LLM_USE_CAPABILITY_FLAG,
1195    &REPAIR_PROMPTS_ESCAPE_INJECTION,
1196    &REPAIR_PROMPTS_ADD_TOOL_TO_SURFACE,
1197    &REPAIR_STYLE_RENAME_TO_CONVENTION,
1198    &REPAIR_TYPES_ADD_SHAPE_ANNOTATION,
1199    &REPAIR_MANUAL_REVIEW_CAPABILITY,
1200    &REPAIR_MANUAL_NEEDS_HUMAN,
1201    &REPAIR_POLICY_NARROW_CHILD_EFFECTS,
1202];
1203
1204#[cfg(test)]
1205mod tests {
1206    use super::{Category, Code, ParseRepairSafetyError, RepairSafety, REPAIR_REGISTRY};
1207    use std::collections::HashSet;
1208    use std::str::FromStr;
1209
1210    #[test]
1211    fn parses_registered_code() {
1212        assert_eq!(Code::from_str("HARN-TYP-014"), Ok(Code::TypeParameterArity));
1213    }
1214
1215    #[test]
1216    fn registry_has_unique_identifiers() {
1217        let mut seen = HashSet::new();
1218        for entry in Code::registry() {
1219            assert!(
1220                seen.insert(entry.identifier),
1221                "duplicate diagnostic code {}",
1222                entry.identifier
1223            );
1224            assert_eq!(entry.code.as_str(), entry.identifier);
1225            assert_eq!(entry.code.category(), entry.category);
1226            let expected_prefix = format!("HARN-{}-", entry.category);
1227            assert!(entry.identifier.starts_with(&expected_prefix));
1228            let suffix = entry.identifier.trim_start_matches(&expected_prefix);
1229            assert_eq!(suffix.len(), 3);
1230            assert!(suffix.chars().all(|ch| ch.is_ascii_digit()));
1231            assert!(!entry.summary.is_empty());
1232        }
1233        assert!(Code::registry().len() >= 40);
1234    }
1235
1236    #[test]
1237    fn every_category_is_populated() {
1238        for category in Category::ALL {
1239            assert!(
1240                Code::registry()
1241                    .iter()
1242                    .any(|entry| entry.category == *category),
1243                "missing diagnostic code category {category}"
1244            );
1245        }
1246    }
1247
1248    #[test]
1249    fn every_code_has_non_empty_explanation() {
1250        for entry in Code::registry() {
1251            let body = entry.code.explanation();
1252            assert!(
1253                !body.trim().is_empty(),
1254                "diagnostic code {} has an empty explanation file",
1255                entry.identifier
1256            );
1257            assert!(
1258                body.contains(entry.identifier),
1259                "explanation for {} should reference its identifier",
1260                entry.identifier
1261            );
1262        }
1263    }
1264
1265    #[test]
1266    fn related_codes_are_registered_and_non_self() {
1267        for entry in Code::registry() {
1268            for &other in entry.code.related() {
1269                assert_ne!(
1270                    other, entry.code,
1271                    "{} lists itself as a related code",
1272                    entry.identifier
1273                );
1274                assert!(
1275                    Code::registry().iter().any(|e| e.code == other),
1276                    "{} lists unregistered related code {}",
1277                    entry.identifier,
1278                    other
1279                );
1280            }
1281        }
1282    }
1283
1284    #[test]
1285    fn repair_safety_string_roundtrip() {
1286        for safety in RepairSafety::ALL {
1287            let parsed = RepairSafety::from_str(safety.as_str()).unwrap();
1288            assert_eq!(parsed, *safety);
1289            assert_eq!(parsed.to_string(), safety.as_str());
1290        }
1291        assert_eq!(
1292            RepairSafety::from_str("not-a-safety-class"),
1293            Err(ParseRepairSafetyError)
1294        );
1295    }
1296
1297    #[test]
1298    fn repair_safety_ordering_is_monotonic_low_to_high() {
1299        // The is_at_most ceiling check relies on this ordering being
1300        // least-to-most disruptive; a regression here flips the meaning
1301        // of `harn fix --safety <ceiling>` for every caller.
1302        let order = RepairSafety::ALL;
1303        for window in order.windows(2) {
1304            assert!(
1305                window[0] < window[1],
1306                "{:?} should be safer than {:?}",
1307                window[0],
1308                window[1]
1309            );
1310            assert!(window[0].is_at_most(window[1]));
1311            assert!(!window[1].is_at_most(window[0]));
1312        }
1313    }
1314
1315    #[test]
1316    fn repair_registry_has_at_least_twenty_entries() {
1317        assert!(
1318            REPAIR_REGISTRY.len() >= 20,
1319            "expected ≥20 repair templates, found {}",
1320            REPAIR_REGISTRY.len()
1321        );
1322    }
1323
1324    #[test]
1325    fn repair_ids_are_kebab_case_namespaced_and_unique() {
1326        let mut seen = HashSet::new();
1327        for template in REPAIR_REGISTRY {
1328            assert!(
1329                seen.insert(template.id),
1330                "duplicate repair id {}",
1331                template.id
1332            );
1333            let (namespace, leaf) = template.id.split_once('/').unwrap_or_else(|| {
1334                panic!(
1335                    "repair id `{}` is missing `<namespace>/` prefix",
1336                    template.id
1337                )
1338            });
1339            assert!(
1340                !namespace.is_empty() && !leaf.is_empty(),
1341                "repair id `{}` has empty namespace or leaf",
1342                template.id
1343            );
1344            for ch in template.id.chars() {
1345                assert!(
1346                    ch.is_ascii_lowercase() || ch.is_ascii_digit() || ch == '-' || ch == '/',
1347                    "repair id `{}` has non-kebab character {ch:?}",
1348                    template.id
1349                );
1350            }
1351            assert!(
1352                !template.summary.is_empty(),
1353                "repair {} has empty summary",
1354                template.id
1355            );
1356            // Summaries are imperative: start with a capital ASCII letter.
1357            let first = template.summary.chars().next().unwrap();
1358            assert!(
1359                first.is_ascii_uppercase(),
1360                "repair {} summary `{}` should start with a capital",
1361                template.id,
1362                template.summary
1363            );
1364        }
1365    }
1366
1367    #[test]
1368    fn manual_namespace_is_needs_human() {
1369        for template in REPAIR_REGISTRY {
1370            if let Some(("manual", _)) = template.id.split_once('/') {
1371                assert_eq!(
1372                    template.safety,
1373                    RepairSafety::NeedsHuman,
1374                    "manual/* repair {} must be NeedsHuman",
1375                    template.id
1376                );
1377            }
1378        }
1379    }
1380
1381    #[test]
1382    fn known_codes_carry_expected_safety_class() {
1383        // Spot-check: the autonomy contract for several representative
1384        // diagnostics. Lock in the safety class so cross-repo agents that
1385        // dispatch on these don't silently drift when the catalog moves.
1386        let expected: &[(Code, RepairSafety, &str)] = &[
1387            (
1388                Code::FormatterWouldReformat,
1389                RepairSafety::FormatOnly,
1390                "format/reformat",
1391            ),
1392            (
1393                Code::ModuleImportUnused,
1394                RepairSafety::BehaviorPreserving,
1395                "imports/remove-unused",
1396            ),
1397            (
1398                Code::ImmutableAssignment,
1399                RepairSafety::ScopeLocal,
1400                "bindings/make-mutable",
1401            ),
1402            (
1403                Code::LintUnusedFunction,
1404                RepairSafety::SurfaceChanging,
1405                "declarations/remove-unused",
1406            ),
1407            (
1408                Code::LlmProviderIdentityBranch,
1409                RepairSafety::CapabilityChanging,
1410                "llm/use-capability-flag",
1411            ),
1412            (
1413                Code::PromptVariantExplosion,
1414                RepairSafety::NeedsHuman,
1415                "manual/needs-human",
1416            ),
1417            (
1418                Code::NonExhaustiveMatch,
1419                RepairSafety::ScopeLocal,
1420                "match/add-missing-arms",
1421            ),
1422            (
1423                Code::LintAmbientClockBuiltin,
1424                RepairSafety::ScopeLocal,
1425                "bindings/thread-harness-clock",
1426            ),
1427            (
1428                Code::LintAmbientStdioBuiltin,
1429                RepairSafety::ScopeLocal,
1430                "bindings/thread-harness",
1431            ),
1432            (
1433                Code::InvalidMainSignature,
1434                RepairSafety::SurfaceChanging,
1435                "bindings/thread-harness-needs-param",
1436            ),
1437        ];
1438        for (code, safety, repair_id) in expected {
1439            let template = code
1440                .repair_template()
1441                .unwrap_or_else(|| panic!("{code} should have a repair template"));
1442            assert_eq!(template.safety, *safety, "{code} safety class drifted");
1443            assert_eq!(template.id, *repair_id, "{code} repair id drifted");
1444        }
1445    }
1446
1447    #[test]
1448    fn repair_templates_cover_at_least_twenty_codes() {
1449        let covered = Code::ALL
1450            .iter()
1451            .filter(|code| code.repair_template().is_some())
1452            .count();
1453        assert!(
1454            covered >= 20,
1455            "expected ≥20 codes with a repair template, found {covered}"
1456        );
1457    }
1458
1459    #[test]
1460    fn every_registered_repair_is_referenced_by_some_code() {
1461        let referenced: HashSet<&'static str> = Code::ALL
1462            .iter()
1463            .filter_map(|code| code.repair_template())
1464            .map(|template| template.id)
1465            .collect();
1466        for template in REPAIR_REGISTRY {
1467            assert!(
1468                referenced.contains(template.id),
1469                "repair {} is in REPAIR_REGISTRY but no Code maps to it",
1470                template.id
1471            );
1472        }
1473    }
1474
1475    #[test]
1476    fn every_referenced_repair_template_is_in_registry() {
1477        let registered: HashSet<&'static str> =
1478            REPAIR_REGISTRY.iter().map(|template| template.id).collect();
1479        for code in Code::ALL {
1480            let Some(template) = code.repair_template() else {
1481                continue;
1482            };
1483            assert!(
1484                registered.contains(template.id),
1485                "repair {} (used by {}) is missing from REPAIR_REGISTRY",
1486                template.id,
1487                code
1488            );
1489        }
1490    }
1491}