vane_core/

predicate.rs

use std::hash::{Hash, Hasher};
use std::net::IpAddr;
use std::sync::Arc;

use bytes::Bytes;
use ipnet::IpNet;

use crate::body::Request;
use crate::conn_context::ConnContext;

#[derive(Clone, Eq, PartialEq, Hash, Debug, serde::Serialize, serde::Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum FieldPath {
	Transport,
	RemoteIp,
	RemotePort,
	LocalIp,
	LocalPort,
	Peek,
	TlsSni,
	TlsAlpn,
	TlsVersion,
	TlsPeerCertSubjectCn,
	HttpMethod,
	HttpUriPath,
	HttpUriQuery,
	HttpHeader(Arc<str>),
	HttpBody,
}

#[derive(Clone, Debug)]
pub enum CompiledValue {
	Str(Arc<str>),
	Bytes(Bytes),
	Int(i64),
	Bool(bool),
	Addr(IpAddr),
}

impl PartialEq for CompiledValue {
	fn eq(&self, other: &Self) -> bool {
		match (self, other) {
			(Self::Str(a), Self::Str(b)) => a.as_ref() == b.as_ref(),
			(Self::Bytes(a), Self::Bytes(b)) => a == b,
			(Self::Int(a), Self::Int(b)) => a == b,
			(Self::Bool(a), Self::Bool(b)) => a == b,
			(Self::Addr(a), Self::Addr(b)) => a == b,
			_ => false,
		}
	}
}

impl Eq for CompiledValue {}

impl Hash for CompiledValue {
	fn hash<H: Hasher>(&self, state: &mut H) {
		std::mem::discriminant(self).hash(state);
		match self {
			Self::Str(s) => s.as_ref().hash(state),
			Self::Bytes(b) => b.hash(state),
			Self::Int(i) => i.hash(state),
			Self::Bool(b) => b.hash(state),
			Self::Addr(a) => a.hash(state),
		}
	}
}

#[derive(Clone, Debug)]
pub enum CompiledOperator {
	Equals(CompiledValue),
	NotEquals(CompiledValue),
	Contains(Bytes),
	NotContains(Bytes),
	Prefix(Bytes),
	Suffix(Bytes),
	Matches(fancy_regex::Regex),
	In(Vec<CompiledValue>),
	NotIn(Vec<CompiledValue>),
	Gt(i64),
	Gte(i64),
	Lt(i64),
	Lte(i64),
	Cidr(IpNet),
}

impl PartialEq for CompiledOperator {
	fn eq(&self, other: &Self) -> bool {
		match (self, other) {
			(Self::Equals(a), Self::Equals(b)) | (Self::NotEquals(a), Self::NotEquals(b)) => a == b,
			(Self::Contains(a), Self::Contains(b))
			| (Self::NotContains(a), Self::NotContains(b))
			| (Self::Prefix(a), Self::Prefix(b))
			| (Self::Suffix(a), Self::Suffix(b)) => a == b,
			(Self::Matches(a), Self::Matches(b)) => a.as_str() == b.as_str(),
			(Self::In(a), Self::In(b)) | (Self::NotIn(a), Self::NotIn(b)) => a == b,
			(Self::Gt(a), Self::Gt(b))
			| (Self::Gte(a), Self::Gte(b))
			| (Self::Lt(a), Self::Lt(b))
			| (Self::Lte(a), Self::Lte(b)) => a == b,
			(Self::Cidr(a), Self::Cidr(b)) => a == b,
			_ => false,
		}
	}
}

impl Eq for CompiledOperator {}

impl Hash for CompiledOperator {
	fn hash<H: Hasher>(&self, state: &mut H) {
		std::mem::discriminant(self).hash(state);
		match self {
			Self::Equals(v) | Self::NotEquals(v) => v.hash(state),
			Self::Contains(b) | Self::NotContains(b) | Self::Prefix(b) | Self::Suffix(b) => {
				b.hash(state);
			}
			Self::Matches(r) => r.as_str().hash(state),
			Self::In(v) | Self::NotIn(v) => v.hash(state),
			Self::Gt(i) | Self::Gte(i) | Self::Lt(i) | Self::Lte(i) => i.hash(state),
			Self::Cidr(n) => n.hash(state),
		}
	}
}

#[derive(Clone, Debug, Eq, PartialEq, Hash, serde::Serialize, serde::Deserialize)]
pub struct PredicateInst {
	pub path: FieldPath,
	pub op: CompiledOperator,
}

pub enum PredicateView<'a> {
	L4 { conn: &'a Arc<ConnContext>, peek: Option<&'a [u8]> },
	L7Req { conn: &'a Arc<ConnContext>, req: &'a Request },
}

impl<'a> PredicateView<'a> {
	/// Build the phase-appropriate view the executor hands to
	/// `PredicateInst::test`. Picks `L7Req` when a `Request` is in scope
	/// (phase `L7Request`), otherwise falls back to `L4`.
	///
	/// `peek` is hardcoded to `None` for C7 — the peek buffer wiring on
	/// `ConnContext` lands with `protocol_detect` (S1-16). Predicates on
	/// `FieldPath::Peek` consequently evaluate to `false` until then; the
	/// operator-matrix stub already returns `false` for unsupported cases.
	#[must_use]
	pub fn build(
		conn: &'a Arc<ConnContext>,
		req: Option<&'a Request>,
		_l4: Option<&'a crate::l4::L4Conn>,
	) -> Self {
		match req {
			Some(r) => Self::L7Req { conn, req: r },
			None => Self::L4 { conn, peek: None },
		}
	}
}

impl PredicateInst {
	/// Evaluate the predicate against a phase-typed view.
	///
	/// C7 minimal matrix — two combinations are wired today, everything
	/// else returns `false` with a TODO. The full operator × field-path
	/// matrix from `18-predicate-schema.md` is a separate task (~14 ops
	/// across a dozen field paths).
	#[must_use]
	pub fn test(&self, view: &PredicateView<'_>) -> bool {
		match (&self.path, &self.op, view) {
			(
				FieldPath::RemoteIp,
				CompiledOperator::Equals(CompiledValue::Addr(expected)),
				PredicateView::L4 { conn, .. } | PredicateView::L7Req { conn, .. },
			) => conn.remote.ip() == *expected,

			(
				FieldPath::HttpMethod,
				CompiledOperator::Equals(CompiledValue::Str(expected)),
				PredicateView::L7Req { req, .. },
			) => req.method().as_str() == expected.as_ref(),

			// TODO(predicate-matrix): full operator × field-path dispatch per
			// 18-predicate-schema.md. Unsupported combinations are sound-by-
			// default: they always miss, never spuriously match.
			_ => false,
		}
	}
}

pub const REGEX_PATTERN_MAX_BYTES: usize = 4 * 1024;

#[derive(Debug, Clone, serde::Serialize)]
pub enum Predicate {
	AnyOf(AnyOfP),
	Not(NotP),
	Check(CheckMap),
}

#[derive(Debug, Clone, serde::Deserialize, serde::Serialize)]
#[serde(deny_unknown_fields)]
pub struct AnyOfP {
	pub any_of: Vec<Predicate>,
}

#[derive(Debug, Clone, serde::Deserialize, serde::Serialize)]
#[serde(deny_unknown_fields)]
pub struct NotP {
	pub not: Box<Predicate>,
}

#[derive(Debug, Clone, serde::Serialize)]
pub struct CheckMap {
	pub path: FieldPath,
	pub op: Operator,
}

#[derive(Debug, Clone, serde::Deserialize, serde::Serialize)]
#[serde(rename_all = "snake_case")]
pub enum Operator {
	Equals(Value),
	NotEquals(Value),
	Contains(Value),
	NotContains(Value),
	Prefix(Value),
	Suffix(Value),
	Matches(String),
	In(Vec<Value>),
	NotIn(Vec<Value>),
	Gt(i64),
	Gte(i64),
	Lt(i64),
	Lte(i64),
	Cidr(String),
}

#[derive(Debug, Clone, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
#[serde(untagged)]
pub enum Value {
	Bool(bool),
	Int(i64),
	Str(String),
}

impl<'de> serde::Deserialize<'de> for Predicate {
	fn deserialize<D: serde::Deserializer<'de>>(de: D) -> Result<Self, D::Error> {
		let v = serde_json::Value::deserialize(de)?;
		let serde_json::Value::Object(ref map) = v else {
			return Err(serde::de::Error::custom("predicate must be a JSON object"));
		};
		if map.len() == 1 {
			let (key, _) = map.iter().next().expect("len == 1");
			match key.as_str() {
				"any_of" => {
					return serde_json::from_value::<AnyOfP>(v)
						.map(Predicate::AnyOf)
						.map_err(serde::de::Error::custom);
				}
				"not" => {
					return serde_json::from_value::<NotP>(v)
						.map(Predicate::Not)
						.map_err(serde::de::Error::custom);
				}
				_ => {}
			}
		}
		serde_json::from_value::<CheckMap>(v).map(Predicate::Check).map_err(serde::de::Error::custom)
	}
}

impl<'de> serde::Deserialize<'de> for CheckMap {
	fn deserialize<D: serde::Deserializer<'de>>(de: D) -> Result<Self, D::Error> {
		struct Visitor;

		impl<'de> serde::de::Visitor<'de> for Visitor {
			type Value = CheckMap;

			fn expecting(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
				f.write_str("a single-key object of the form {\"<field-path>\": {\"<operator>\": <value>}}")
			}

			fn visit_map<M: serde::de::MapAccess<'de>>(self, mut map: M) -> Result<CheckMap, M::Error> {
				let Some(key) = map.next_key::<String>()? else {
					return Err(serde::de::Error::invalid_length(0, &"exactly one key"));
				};
				let path = parse_field_path(&key).map_err(serde::de::Error::custom)?;
				let op: Operator = map.next_value()?;
				if map.next_key::<serde::de::IgnoredAny>()?.is_some() {
					return Err(serde::de::Error::custom("check object must have exactly one key"));
				}
				validate_operator(&op).map_err(serde::de::Error::custom)?;
				Ok(CheckMap { path, op })
			}
		}

		de.deserialize_map(Visitor)
	}
}

fn parse_field_path(s: &str) -> Result<FieldPath, String> {
	if s.chars().any(|c| c.is_ascii_uppercase()) {
		return Err(format!(
			"field path must be lowercase: {:?} — did you mean {:?}?",
			s,
			s.to_ascii_lowercase(),
		));
	}
	match s {
		"transport" => Ok(FieldPath::Transport),
		"remote.ip" => Ok(FieldPath::RemoteIp),
		"remote.port" => Ok(FieldPath::RemotePort),
		"local.ip" => Ok(FieldPath::LocalIp),
		"local.port" => Ok(FieldPath::LocalPort),
		"peek" => Ok(FieldPath::Peek),
		"tls.sni" => Ok(FieldPath::TlsSni),
		"tls.alpn" => Ok(FieldPath::TlsAlpn),
		"tls.version" => Ok(FieldPath::TlsVersion),
		"tls.peer_cert.subject_cn" => Ok(FieldPath::TlsPeerCertSubjectCn),
		"http.method" => Ok(FieldPath::HttpMethod),
		"http.uri.path" => Ok(FieldPath::HttpUriPath),
		"http.uri.query" => Ok(FieldPath::HttpUriQuery),
		"http.body" => Ok(FieldPath::HttpBody),
		other if other.starts_with("http.header.") => {
			let name = &other["http.header.".len()..];
			if name.is_empty() {
				return Err(format!("http.header.* requires a header name: {other:?}"));
			}
			Ok(FieldPath::HttpHeader(Arc::from(name)))
		}
		other => Err(format!("unknown field path: {other:?}")),
	}
}

fn validate_operator(op: &Operator) -> Result<(), String> {
	if let Operator::Matches(pattern) = op
		&& pattern.len() > REGEX_PATTERN_MAX_BYTES
	{
		return Err(format!(
			"regex pattern source exceeds {REGEX_PATTERN_MAX_BYTES}-byte limit: got {} bytes",
			pattern.len(),
		));
	}
	Ok(())
}

mod serde_impls {
	use base64::Engine as _;
	use base64::engine::general_purpose::STANDARD as B64;
	use bytes::Bytes;
	use std::net::IpAddr;
	use std::sync::Arc;

	use super::{CompiledOperator, CompiledValue};

	pub(super) fn ser_bytes<S: serde::Serializer>(b: &Bytes, s: S) -> Result<S::Ok, S::Error> {
		s.serialize_str(&B64.encode(b))
	}

	pub(super) fn de_bytes<'de, D: serde::Deserializer<'de>>(d: D) -> Result<Bytes, D::Error> {
		use serde::Deserialize as _;
		let s = String::deserialize(d)?;
		B64.decode(s.as_bytes()).map(Bytes::from).map_err(serde::de::Error::custom)
	}

	pub(super) fn ser_regex<S: serde::Serializer>(
		r: &fancy_regex::Regex,
		s: S,
	) -> Result<S::Ok, S::Error> {
		s.serialize_str(r.as_str())
	}

	pub(super) fn de_regex<'de, D: serde::Deserializer<'de>>(
		d: D,
	) -> Result<fancy_regex::Regex, D::Error> {
		use serde::Deserialize as _;
		let s = String::deserialize(d)?;
		fancy_regex::Regex::new(&s)
			.map_err(|e| serde::de::Error::custom(format!("invalid regex {s:?}: {e}")))
	}

	// Shadow for CompiledValue — externally-tagged snake_case.
	#[derive(serde::Serialize, serde::Deserialize)]
	#[serde(rename_all = "snake_case")]
	pub(super) enum ValueShadow {
		Str(Arc<str>),
		#[serde(serialize_with = "ser_bytes", deserialize_with = "de_bytes")]
		Bytes(Bytes),
		Int(i64),
		Bool(bool),
		Addr(IpAddr),
	}

	impl From<&CompiledValue> for ValueShadow {
		fn from(v: &CompiledValue) -> Self {
			match v {
				CompiledValue::Str(s) => Self::Str(Arc::clone(s)),
				CompiledValue::Bytes(b) => Self::Bytes(b.clone()),
				CompiledValue::Int(i) => Self::Int(*i),
				CompiledValue::Bool(b) => Self::Bool(*b),
				CompiledValue::Addr(a) => Self::Addr(*a),
			}
		}
	}

	impl From<ValueShadow> for CompiledValue {
		fn from(v: ValueShadow) -> Self {
			match v {
				ValueShadow::Str(s) => Self::Str(s),
				ValueShadow::Bytes(b) => Self::Bytes(b),
				ValueShadow::Int(i) => Self::Int(i),
				ValueShadow::Bool(b) => Self::Bool(b),
				ValueShadow::Addr(a) => Self::Addr(a),
			}
		}
	}

	// Shadow for CompiledOperator — variant names mirror parse-form Operator
	// (snake_case), so round-tripping a dry-run JSON preserves reader intuition.
	#[derive(serde::Serialize, serde::Deserialize)]
	#[serde(rename_all = "snake_case")]
	pub(super) enum OperatorShadow {
		Equals(CompiledValue),
		NotEquals(CompiledValue),
		#[serde(serialize_with = "ser_bytes", deserialize_with = "de_bytes")]
		Contains(Bytes),
		#[serde(serialize_with = "ser_bytes", deserialize_with = "de_bytes")]
		NotContains(Bytes),
		#[serde(serialize_with = "ser_bytes", deserialize_with = "de_bytes")]
		Prefix(Bytes),
		#[serde(serialize_with = "ser_bytes", deserialize_with = "de_bytes")]
		Suffix(Bytes),
		#[serde(serialize_with = "ser_regex", deserialize_with = "de_regex")]
		Matches(fancy_regex::Regex),
		In(Vec<CompiledValue>),
		NotIn(Vec<CompiledValue>),
		Gt(i64),
		Gte(i64),
		Lt(i64),
		Lte(i64),
		Cidr(ipnet::IpNet),
	}

	impl From<&CompiledOperator> for OperatorShadow {
		fn from(op: &CompiledOperator) -> Self {
			match op {
				CompiledOperator::Equals(v) => Self::Equals(v.clone()),
				CompiledOperator::NotEquals(v) => Self::NotEquals(v.clone()),
				CompiledOperator::Contains(b) => Self::Contains(b.clone()),
				CompiledOperator::NotContains(b) => Self::NotContains(b.clone()),
				CompiledOperator::Prefix(b) => Self::Prefix(b.clone()),
				CompiledOperator::Suffix(b) => Self::Suffix(b.clone()),
				CompiledOperator::Matches(r) => {
					Self::Matches(fancy_regex::Regex::new(r.as_str()).expect("round-trippable"))
				}
				CompiledOperator::In(vs) => Self::In(vs.clone()),
				CompiledOperator::NotIn(vs) => Self::NotIn(vs.clone()),
				CompiledOperator::Gt(i) => Self::Gt(*i),
				CompiledOperator::Gte(i) => Self::Gte(*i),
				CompiledOperator::Lt(i) => Self::Lt(*i),
				CompiledOperator::Lte(i) => Self::Lte(*i),
				CompiledOperator::Cidr(n) => Self::Cidr(*n),
			}
		}
	}

	impl From<OperatorShadow> for CompiledOperator {
		fn from(op: OperatorShadow) -> Self {
			match op {
				OperatorShadow::Equals(v) => Self::Equals(v),
				OperatorShadow::NotEquals(v) => Self::NotEquals(v),
				OperatorShadow::Contains(b) => Self::Contains(b),
				OperatorShadow::NotContains(b) => Self::NotContains(b),
				OperatorShadow::Prefix(b) => Self::Prefix(b),
				OperatorShadow::Suffix(b) => Self::Suffix(b),
				OperatorShadow::Matches(r) => Self::Matches(r),
				OperatorShadow::In(vs) => Self::In(vs),
				OperatorShadow::NotIn(vs) => Self::NotIn(vs),
				OperatorShadow::Gt(i) => Self::Gt(i),
				OperatorShadow::Gte(i) => Self::Gte(i),
				OperatorShadow::Lt(i) => Self::Lt(i),
				OperatorShadow::Lte(i) => Self::Lte(i),
				OperatorShadow::Cidr(n) => Self::Cidr(n),
			}
		}
	}
}

impl serde::Serialize for CompiledValue {
	fn serialize<S: serde::Serializer>(&self, s: S) -> Result<S::Ok, S::Error> {
		serde_impls::ValueShadow::from(self).serialize(s)
	}
}

impl<'de> serde::Deserialize<'de> for CompiledValue {
	fn deserialize<D: serde::Deserializer<'de>>(d: D) -> Result<Self, D::Error> {
		serde_impls::ValueShadow::deserialize(d).map(Self::from)
	}
}

impl serde::Serialize for CompiledOperator {
	fn serialize<S: serde::Serializer>(&self, s: S) -> Result<S::Ok, S::Error> {
		serde_impls::OperatorShadow::from(self).serialize(s)
	}
}

impl<'de> serde::Deserialize<'de> for CompiledOperator {
	fn deserialize<D: serde::Deserializer<'de>>(d: D) -> Result<Self, D::Error> {
		serde_impls::OperatorShadow::deserialize(d).map(Self::from)
	}
}

#[cfg(test)]
mod tests {
	use std::collections::hash_map::DefaultHasher;
	use std::hash::Hash;
	use std::net::{Ipv4Addr, Ipv6Addr};
	use std::str::FromStr;
	use std::sync::OnceLock;
	use std::time::Instant;

	use bytes::Bytes;
	use fancy_regex::Regex;
	use ipnet::IpNet;
	use parking_lot::Mutex;

	use super::*;
	use crate::body::{Body, Request};
	use crate::conn_context::{ConnId, Transport};

	// PredicateInst::test is todo!() until S1-09; behavior assertions live there.
	// Tests below cover Hash/Eq semantics and IR construction only.

	fn hash_of<T: Hash>(v: &T) -> u64 {
		let mut h = DefaultHasher::new();
		v.hash(&mut h);
		h.finish()
	}

	fn make_conn() -> Arc<ConnContext> {
		Arc::new(ConnContext {
			id: ConnId(1),
			remote: "127.0.0.1:0".parse().expect("parse remote"),
			local: "127.0.0.1:0".parse().expect("parse local"),
			transport: Transport::Tcp,
			entered_at: Instant::now(),
			tls: Mutex::new(None),
			http_version: OnceLock::new(),
			user: Mutex::new(http::Extensions::new()),
		})
	}

	#[test]
	fn field_path_http_header_is_equal_by_string_content_not_arc_identity() {
		let a = FieldPath::HttpHeader(Arc::from("host"));
		let b = FieldPath::HttpHeader(Arc::from("host"));
		assert_eq!(a, b);
		assert_eq!(hash_of(&a), hash_of(&b));
		// Arcs are distinct allocations; Hash/Eq must not depend on pointer
		// identity. Per the 18-predicate-schema grammar, path segments are
		// already lowercased upstream, so lower/upper comparison is a sanity
		// check that the compiled form does not re-casefold.
		let upper = FieldPath::HttpHeader(Arc::from("Host"));
		assert_ne!(a, upper);
	}

	#[test]
	fn field_path_simple_variants_are_self_equal_and_mutually_distinct() {
		let paths = [
			FieldPath::Transport,
			FieldPath::RemoteIp,
			FieldPath::RemotePort,
			FieldPath::LocalIp,
			FieldPath::LocalPort,
			FieldPath::Peek,
			FieldPath::TlsSni,
			FieldPath::TlsAlpn,
			FieldPath::TlsVersion,
			FieldPath::TlsPeerCertSubjectCn,
			FieldPath::HttpMethod,
			FieldPath::HttpUriPath,
			FieldPath::HttpUriQuery,
			FieldPath::HttpBody,
		];
		for (i, a) in paths.iter().enumerate() {
			for (j, b) in paths.iter().enumerate() {
				if i == j {
					assert_eq!(a, b);
				} else {
					assert_ne!(a, b);
				}
			}
		}
	}

	#[test]
	fn compiled_value_str_is_equal_by_content_not_arc_identity() {
		let a = CompiledValue::Str(Arc::<str>::from("x"));
		let b = CompiledValue::Str(Arc::<str>::from("x"));
		assert_eq!(a, b);
		assert_eq!(hash_of(&a), hash_of(&b));
		let c = CompiledValue::Str(Arc::<str>::from("y"));
		assert_ne!(a, c);
	}

	#[test]
	fn compiled_value_cross_variant_inequality() {
		let s = CompiledValue::Str(Arc::<str>::from("42"));
		let i = CompiledValue::Int(42);
		assert_ne!(s, i);
	}

	#[test]
	fn compiled_value_bytes_int_bool_addr_self_equal() {
		assert_eq!(
			CompiledValue::Bytes(Bytes::from_static(b"abc")),
			CompiledValue::Bytes(Bytes::copy_from_slice(b"abc")),
		);
		assert_eq!(CompiledValue::Int(7), CompiledValue::Int(7));
		assert_ne!(CompiledValue::Int(7), CompiledValue::Int(8));
		assert_eq!(CompiledValue::Bool(true), CompiledValue::Bool(true));
		assert_ne!(CompiledValue::Bool(true), CompiledValue::Bool(false));
		assert_eq!(
			CompiledValue::Addr(Ipv4Addr::new(10, 0, 0, 1).into()),
			CompiledValue::Addr(Ipv4Addr::new(10, 0, 0, 1).into()),
		);
		assert_ne!(
			CompiledValue::Addr(Ipv4Addr::new(10, 0, 0, 1).into()),
			CompiledValue::Addr(Ipv6Addr::LOCALHOST.into()),
		);
	}

	#[test]
	fn compiled_operator_matches_equal_by_pattern_source() {
		let a = CompiledOperator::Matches(Regex::new("^/api").expect("compile a"));
		let b = CompiledOperator::Matches(Regex::new("^/api").expect("compile b"));
		assert_eq!(a, b);
		assert_eq!(hash_of(&a), hash_of(&b));
	}

	#[test]
	fn compiled_operator_matches_distinct_patterns_unequal() {
		// Spec: the compiler does not rewrite regexes — structurally-different
		// but semantically-equivalent sources are treated as distinct.
		let a = CompiledOperator::Matches(Regex::new("a|b").expect("compile a"));
		let b = CompiledOperator::Matches(Regex::new("b|a").expect("compile b"));
		assert_ne!(a, b);
	}

	#[test]
	fn compiled_operator_cidr_equal_by_canonical_form() {
		let a = CompiledOperator::Cidr(IpNet::from_str("10.0.0.0/8").expect("parse a"));
		let b = CompiledOperator::Cidr(IpNet::from_str("10.0.0.0/8").expect("parse b"));
		assert_eq!(a, b);
		assert_eq!(hash_of(&a), hash_of(&b));
	}

	#[test]
	fn compiled_operator_cidr_distinct_networks_unequal() {
		let a = CompiledOperator::Cidr(IpNet::from_str("10.0.0.0/8").expect("parse a"));
		let b = CompiledOperator::Cidr(IpNet::from_str("10.0.0.0/16").expect("parse b"));
		assert_ne!(a, b);
	}

	#[test]
	fn compiled_operator_in_is_order_sensitive() {
		let xs =
			vec![CompiledValue::Str(Arc::<str>::from("a")), CompiledValue::Str(Arc::<str>::from("b"))];
		let ys =
			vec![CompiledValue::Str(Arc::<str>::from("b")), CompiledValue::Str(Arc::<str>::from("a"))];
		assert_ne!(CompiledOperator::In(xs.clone()), CompiledOperator::In(ys.clone()));
		assert_ne!(CompiledOperator::NotIn(xs), CompiledOperator::NotIn(ys));
	}

	#[test]
	fn compiled_operator_numeric_comparisons_distinct_per_variant() {
		// Gt / Gte / Lt / Lte with the same threshold are distinct operators.
		let ops = [
			CompiledOperator::Gt(10),
			CompiledOperator::Gte(10),
			CompiledOperator::Lt(10),
			CompiledOperator::Lte(10),
		];
		for (i, a) in ops.iter().enumerate() {
			for (j, b) in ops.iter().enumerate() {
				if i == j {
					assert_eq!(a, b);
				} else {
					assert_ne!(a, b);
				}
			}
		}
	}

	#[test]
	fn compiled_operator_bytes_variants_distinguished() {
		let payload = Bytes::from_static(b"abc");
		let ops = [
			CompiledOperator::Contains(payload.clone()),
			CompiledOperator::NotContains(payload.clone()),
			CompiledOperator::Prefix(payload.clone()),
			CompiledOperator::Suffix(payload),
		];
		for (i, a) in ops.iter().enumerate() {
			for (j, b) in ops.iter().enumerate() {
				if i == j {
					assert_eq!(a, b);
				} else {
					assert_ne!(a, b);
				}
			}
		}
	}

	#[test]
	fn predicate_inst_equal_across_independent_construction_paths() {
		let lhs = PredicateInst {
			path: FieldPath::HttpHeader(Arc::from("host")),
			op: CompiledOperator::Equals(CompiledValue::Str(Arc::<str>::from("example.com"))),
		};
		let rhs = PredicateInst {
			path: FieldPath::HttpHeader(Arc::from("host")),
			op: CompiledOperator::Equals(CompiledValue::Str(Arc::<str>::from("example.com"))),
		};
		assert_eq!(lhs, rhs);
		assert_eq!(hash_of(&lhs), hash_of(&rhs));
	}

	#[test]
	fn predicate_inst_equal_with_regex_operator_from_separate_compiles() {
		let lhs = PredicateInst {
			path: FieldPath::HttpUriPath,
			op: CompiledOperator::Matches(Regex::new("^/").expect("compile a")),
		};
		let rhs = PredicateInst {
			path: FieldPath::HttpUriPath,
			op: CompiledOperator::Matches(Regex::new("^/").expect("compile b")),
		};
		assert_eq!(lhs, rhs);
		assert_eq!(hash_of(&lhs), hash_of(&rhs));
	}

	#[test]
	fn predicate_inst_unequal_on_path_difference() {
		let value = CompiledValue::Str(Arc::<str>::from("x"));
		let a =
			PredicateInst { path: FieldPath::HttpUriPath, op: CompiledOperator::Equals(value.clone()) };
		let b = PredicateInst { path: FieldPath::HttpUriQuery, op: CompiledOperator::Equals(value) };
		assert_ne!(a, b);
	}

	#[test]
	fn predicate_view_variants_construct() {
		let conn = make_conn();
		let peek_bytes: &[u8] = b"\x16\x03\x01";
		let l4 = PredicateView::L4 { conn: &conn, peek: Some(peek_bytes) };
		match l4 {
			PredicateView::L4 { peek, .. } => assert_eq!(peek.map(<[u8]>::len), Some(3)),
			PredicateView::L7Req { .. } => panic!("wrong variant"),
		}

		let conn2 = make_conn();
		let req: Request =
			http::Request::builder().method("GET").uri("/").body(Body::Empty).expect("build request");
		let l7 = PredicateView::L7Req { conn: &conn2, req: &req };
		match l7 {
			PredicateView::L7Req { .. } => {}
			PredicateView::L4 { .. } => panic!("wrong variant"),
		}
	}

	// Parse-layer coverage for Predicate / CheckMap / Operator / Value.
	// Tests exercise the wire format defined in spec/architecture/18-predicate-schema.md.

	fn parse_predicate(v: serde_json::Value) -> Result<Predicate, serde_json::Error> {
		serde_json::from_value(v)
	}

	fn expect_check(p: &Predicate) -> &CheckMap {
		match p {
			Predicate::Check(c) => c,
			other => panic!("expected Predicate::Check, got {other:?}"),
		}
	}

	#[test]
	fn parse_any_of_happy_path() {
		let raw = serde_json::json!({
			"any_of": [
				{ "tls.sni": { "equals": "a" } },
				{ "tls.sni": { "equals": "b" } },
			],
		});
		let p = parse_predicate(raw).expect("parse any_of");
		let Predicate::AnyOf(AnyOfP { any_of }) = p else {
			panic!("expected AnyOf");
		};
		assert_eq!(any_of.len(), 2);
		let c0 = expect_check(&any_of[0]);
		let c1 = expect_check(&any_of[1]);
		assert_eq!(c0.path, FieldPath::TlsSni);
		assert_eq!(c1.path, FieldPath::TlsSni);
		match (&c0.op, &c1.op) {
			(Operator::Equals(Value::Str(a)), Operator::Equals(Value::Str(b))) => {
				assert_eq!(a, "a");
				assert_eq!(b, "b");
			}
			(a, b) => panic!("unexpected ops: {a:?} / {b:?}"),
		}
	}

	#[test]
	fn parse_not_happy_path() {
		let raw = serde_json::json!({
			"not": { "tls.sni": { "equals": "internal" } },
		});
		let p = parse_predicate(raw).expect("parse not");
		let Predicate::Not(NotP { not }) = p else {
			panic!("expected Not");
		};
		let inner = expect_check(&not);
		assert_eq!(inner.path, FieldPath::TlsSni);
		match &inner.op {
			Operator::Equals(Value::Str(s)) => assert_eq!(s, "internal"),
			other => panic!("unexpected op: {other:?}"),
		}
	}

	#[test]
	fn parse_check_across_representative_paths() {
		let cases = [
			(serde_json::json!({ "tls.sni": { "equals": "api.example.com" } }), FieldPath::TlsSni),
			(serde_json::json!({ "remote.port": { "gt": 1024 } }), FieldPath::RemotePort),
			(serde_json::json!({ "http.method": { "equals": "GET" } }), FieldPath::HttpMethod),
			(serde_json::json!({ "http.uri.path": { "prefix": "/api" } }), FieldPath::HttpUriPath),
			(
				serde_json::json!({ "http.header.host": { "equals": "a.example.com" } }),
				FieldPath::HttpHeader(Arc::from("host")),
			),
			(serde_json::json!({ "http.body": { "contains": "hello" } }), FieldPath::HttpBody),
		];
		for (raw, expected_path) in cases {
			let p = parse_predicate(raw.clone()).unwrap_or_else(|e| panic!("parse {raw}: {e}"));
			let c = expect_check(&p);
			assert_eq!(c.path, expected_path, "input: {raw}");
		}
	}

	#[test]
	fn parse_any_of_with_extra_key_is_rejected() {
		// AnyOfP carries deny_unknown_fields; an object with any_of + an extra key must not
		// silently fall back to Check (two top-level keys would also fail CheckMap).
		let raw = serde_json::json!({
			"any_of": [ { "tls.sni": { "equals": "a" } } ],
			"extra": true,
		});
		let err = parse_predicate(raw).expect_err("must reject extra key on any_of");
		let _ = err.to_string();
	}

	#[test]
	fn parse_http_header_any_of_is_a_check_not_combinator() {
		// A header literally named "any_of" is a multi-segment dotted path and is a Check,
		// not the combinator form. 18-predicate-schema.md § "Why this doesn't need reserved-word policy".
		let raw = serde_json::json!({ "http.header.any_of": { "equals": "x" } });
		let p = parse_predicate(raw).expect("parse");
		let c = expect_check(&p);
		assert_eq!(c.path, FieldPath::HttpHeader(Arc::from("any_of")));
	}

	#[test]
	fn parse_uppercase_field_path_suggests_lowercase() {
		let raw = serde_json::json!({ "http.header.Host": { "equals": "x" } });
		let err = parse_predicate(raw).expect_err("uppercase must fail");
		let msg = err.to_string();
		assert!(msg.contains("http.header.Host"), "error mentions offending input: {msg}");
		assert!(msg.contains("did you mean"), "error includes suggestion phrase: {msg}");
		assert!(msg.contains("http.header.host"), "error contains lowercased form: {msg}");
	}

	#[test]
	fn parse_multi_key_check_is_rejected() {
		let raw = serde_json::json!({
			"http.uri.path": { "matches": "^/" },
			"http.method": { "equals": "GET" },
		});
		let err = parse_predicate(raw).expect_err("multi-key check must fail");
		let _ = err.to_string();
	}

	#[test]
	fn parse_empty_http_header_name_is_rejected() {
		let raw = serde_json::json!({ "http.header.": { "equals": "x" } });
		let err = parse_predicate(raw).expect_err("empty header name must fail");
		let _ = err.to_string();
	}

	#[test]
	fn parse_unknown_field_path_is_rejected_with_name() {
		let raw = serde_json::json!({ "http.nope": { "equals": "x" } });
		let err = parse_predicate(raw).expect_err("unknown path must fail");
		let msg = err.to_string();
		assert!(msg.contains("http.nope"), "error mentions offending path: {msg}");
	}

	fn parse_op(v: serde_json::Value) -> Operator {
		let mut map = serde_json::Map::new();
		map.insert("tls.sni".to_string(), v);
		let raw = serde_json::Value::Object(map);
		match parse_predicate(raw).expect("parse check") {
			Predicate::Check(c) => c.op,
			other => panic!("expected Check, got {other:?}"),
		}
	}

	#[test]
	fn operator_equals_and_not_equals_on_string() {
		let eq = parse_op(serde_json::json!({ "equals": "api" }));
		match eq {
			Operator::Equals(Value::Str(s)) => assert_eq!(s, "api"),
			other => panic!("expected equals/str: {other:?}"),
		}
		let neq = parse_op(serde_json::json!({ "not_equals": "api" }));
		match neq {
			Operator::NotEquals(Value::Str(s)) => assert_eq!(s, "api"),
			other => panic!("expected not_equals/str: {other:?}"),
		}
	}

	#[test]
	fn operator_contains_and_not_contains_on_string() {
		let c = parse_op(serde_json::json!({ "contains": "foo" }));
		match c {
			Operator::Contains(Value::Str(s)) => assert_eq!(s, "foo"),
			other => panic!("expected contains/str: {other:?}"),
		}
		let nc = parse_op(serde_json::json!({ "not_contains": "foo" }));
		match nc {
			Operator::NotContains(Value::Str(s)) => assert_eq!(s, "foo"),
			other => panic!("expected not_contains/str: {other:?}"),
		}
	}

	#[test]
	fn operator_prefix_and_suffix_on_string() {
		let p = parse_op(serde_json::json!({ "prefix": "/api" }));
		match p {
			Operator::Prefix(Value::Str(s)) => assert_eq!(s, "/api"),
			other => panic!("expected prefix/str: {other:?}"),
		}
		let s = parse_op(serde_json::json!({ "suffix": ".json" }));
		match s {
			Operator::Suffix(Value::Str(v)) => assert_eq!(v, ".json"),
			other => panic!("expected suffix/str: {other:?}"),
		}
	}

	#[test]
	fn operator_matches_carries_pattern_source() {
		let op = parse_op(serde_json::json!({ "matches": "^/api/v\\d+" }));
		match op {
			Operator::Matches(pattern) => assert_eq!(pattern, "^/api/v\\d+"),
			other => panic!("expected matches: {other:?}"),
		}
	}

	#[test]
	fn operator_in_and_not_in_accept_mixed_scalar_types() {
		let op = parse_op(serde_json::json!({ "in": ["foo", 42] }));
		let Operator::In(xs) = op else {
			panic!("expected in");
		};
		assert_eq!(xs.len(), 2);
		assert_eq!(xs[0], Value::Str("foo".into()));
		assert_eq!(xs[1], Value::Int(42));
		let op2 = parse_op(serde_json::json!({ "not_in": ["bar", 7] }));
		let Operator::NotIn(ys) = op2 else {
			panic!("expected not_in");
		};
		assert_eq!(ys.len(), 2);
		assert_eq!(ys[0], Value::Str("bar".into()));
		assert_eq!(ys[1], Value::Int(7));
	}

	#[test]
	fn operator_numeric_comparisons() {
		assert!(matches!(parse_op(serde_json::json!({ "gt": 10 })), Operator::Gt(10)));
		assert!(matches!(parse_op(serde_json::json!({ "gte": 10 })), Operator::Gte(10)));
		assert!(matches!(parse_op(serde_json::json!({ "lt": 10 })), Operator::Lt(10)));
		assert!(matches!(parse_op(serde_json::json!({ "lte": 10 })), Operator::Lte(10)));
	}

	#[test]
	fn operator_cidr_carries_source_string() {
		let op = parse_op(serde_json::json!({ "cidr": "10.0.0.0/8" }));
		match op {
			Operator::Cidr(s) => assert_eq!(s, "10.0.0.0/8"),
			other => panic!("expected cidr: {other:?}"),
		}
	}

	#[test]
	fn value_untagged_priority_bool_before_str() {
		// Per the untagged listing (Bool, Int, Str), `true`/`false` must land as Bool,
		// not as Str("true").
		let op_t = parse_op(serde_json::json!({ "equals": true }));
		assert!(matches!(op_t, Operator::Equals(Value::Bool(true))));
		let op_f = parse_op(serde_json::json!({ "equals": false }));
		assert!(matches!(op_f, Operator::Equals(Value::Bool(false))));
	}

	#[test]
	fn value_untagged_priority_int_before_str() {
		// A JSON number `42` must land as Int, not as Str("42").
		let op = parse_op(serde_json::json!({ "equals": 42 }));
		assert!(matches!(op, Operator::Equals(Value::Int(42))));
	}

	#[test]
	fn value_untagged_json_string_stays_str() {
		// A JSON string `"42"` must land as Str; the untagged enum must not coerce digit
		// strings into Int.
		let op = parse_op(serde_json::json!({ "equals": "42" }));
		match op {
			Operator::Equals(Value::Str(s)) => assert_eq!(s, "42"),
			other => panic!("expected equals/str(\"42\"): {other:?}"),
		}
	}

	#[test]
	fn regex_pattern_exactly_at_limit_parses() {
		// 4096 bytes == REGEX_PATTERN_MAX_BYTES; must parse.
		assert_eq!(REGEX_PATTERN_MAX_BYTES, 4 * 1024);
		let pattern = "a".repeat(REGEX_PATTERN_MAX_BYTES);
		let raw = serde_json::json!({ "http.uri.path": { "matches": pattern } });
		let p = parse_predicate(raw).expect("4 KiB pattern parses");
		let c = expect_check(&p);
		match &c.op {
			Operator::Matches(src) => assert_eq!(src.len(), REGEX_PATTERN_MAX_BYTES),
			other => panic!("expected matches: {other:?}"),
		}
	}

	#[test]
	fn regex_pattern_over_limit_rejected_with_limit_in_message() {
		let pattern = "a".repeat(REGEX_PATTERN_MAX_BYTES + 1);
		let raw = serde_json::json!({ "http.uri.path": { "matches": pattern } });
		let err = parse_predicate(raw).expect_err("over-limit pattern must fail");
		let msg = err.to_string();
		assert!(
			msg.contains(&REGEX_PATTERN_MAX_BYTES.to_string()),
			"error mentions the limit ({REGEX_PATTERN_MAX_BYTES}): {msg}",
		);
	}

	// ──────────────────────────────────────────────────────────────────────
	// Dry-run JSON wire-format contract (02-flow.md § _The compiled form_).
	// The compiled IR round-trips through the shadow-enum convention
	// documented in spec: externally-tagged snake_case for both `FieldPath`
	// and `CompiledValue` / `CompiledOperator`, bytes as STANDARD base64,
	// regex as the source string, CIDR as canonical form.
	// ──────────────────────────────────────────────────────────────────────

	fn value_round_trip(v: &CompiledValue) -> CompiledValue {
		let encoded = serde_json::to_string(v).expect("serialize value");
		serde_json::from_str(&encoded).expect("deserialize value")
	}

	#[test]
	fn compiled_value_str_round_trip_including_empty() {
		let non_empty = CompiledValue::Str(Arc::<str>::from("x"));
		assert_eq!(value_round_trip(&non_empty), non_empty);
		let empty = CompiledValue::Str(Arc::<str>::from(""));
		assert_eq!(value_round_trip(&empty), empty);
	}

	#[test]
	fn compiled_value_bytes_round_trip_including_empty_and_binary() {
		let hello = CompiledValue::Bytes(Bytes::from_static(b"hello"));
		assert_eq!(value_round_trip(&hello), hello);
		let empty = CompiledValue::Bytes(Bytes::new());
		assert_eq!(value_round_trip(&empty), empty);
		let binary = CompiledValue::Bytes(Bytes::from_static(&[0xff, 0x00, 0x13]));
		assert_eq!(value_round_trip(&binary), binary);
	}

	#[test]
	fn compiled_value_int_round_trip_including_extremes() {
		for i in [0_i64, i64::MIN, i64::MAX] {
			let v = CompiledValue::Int(i);
			assert_eq!(value_round_trip(&v), v);
		}
	}

	#[test]
	fn compiled_value_bool_round_trip_both_variants() {
		for b in [true, false] {
			let v = CompiledValue::Bool(b);
			assert_eq!(value_round_trip(&v), v);
		}
	}

	#[test]
	fn compiled_value_addr_round_trip_v4_and_v6() {
		let v4 = CompiledValue::Addr(Ipv4Addr::LOCALHOST.into());
		assert_eq!(value_round_trip(&v4), v4);
		let v6 = CompiledValue::Addr(Ipv6Addr::LOCALHOST.into());
		assert_eq!(value_round_trip(&v6), v6);
	}

	#[test]
	fn compiled_value_bytes_emits_standard_base64_literal() {
		// STANDARD base64 ("hello" → "aGVsbG8="). Pins the alphabet choice per
		// 02-flow.md § _The compiled form_ — a url-safe switch would break
		// external dry-run consumers.
		let v = CompiledValue::Bytes(Bytes::from_static(b"hello"));
		let encoded = serde_json::to_string(&v).expect("serialize");
		assert_eq!(encoded, r#"{"bytes":"aGVsbG8="}"#);
	}

	fn op_round_trip(op: &CompiledOperator) -> CompiledOperator {
		let encoded = serde_json::to_string(op).expect("serialize op");
		serde_json::from_str(&encoded).expect("deserialize op")
	}

	#[test]
	fn compiled_operator_equals_and_not_equals_round_trip() {
		let eq = CompiledOperator::Equals(CompiledValue::Str(Arc::<str>::from("x")));
		assert_eq!(op_round_trip(&eq), eq);
		let neq = CompiledOperator::NotEquals(CompiledValue::Str(Arc::<str>::from("x")));
		assert_eq!(op_round_trip(&neq), neq);
	}

	#[test]
	fn compiled_operator_bytes_variants_round_trip() {
		let payload = Bytes::from_static(b"hello");
		let ops = [
			CompiledOperator::Contains(payload.clone()),
			CompiledOperator::NotContains(payload.clone()),
			CompiledOperator::Prefix(payload.clone()),
			CompiledOperator::Suffix(payload),
		];
		for op in ops {
			assert_eq!(op_round_trip(&op), op);
		}
	}

	#[test]
	fn compiled_operator_matches_round_trip_preserves_pattern_source() {
		let op = CompiledOperator::Matches(Regex::new("^/api/v[0-9]+").expect("compile"));
		let decoded = op_round_trip(&op);
		// Regex equality is by source (see `CompiledOperator::eq` above).
		assert_eq!(decoded, op);
		match decoded {
			CompiledOperator::Matches(r) => assert_eq!(r.as_str(), "^/api/v[0-9]+"),
			other => panic!("expected matches, got {other:?}"),
		}
	}

	#[test]
	fn compiled_operator_in_and_not_in_round_trip_mixed_values() {
		let xs = vec![CompiledValue::Str(Arc::<str>::from("a")), CompiledValue::Int(42)];
		let in_op = CompiledOperator::In(xs.clone());
		assert_eq!(op_round_trip(&in_op), in_op);
		let not_in_op = CompiledOperator::NotIn(xs);
		assert_eq!(op_round_trip(&not_in_op), not_in_op);
	}

	#[test]
	fn compiled_operator_numeric_comparisons_round_trip() {
		let ops = [
			CompiledOperator::Gt(100),
			CompiledOperator::Gte(100),
			CompiledOperator::Lt(100),
			CompiledOperator::Lte(100),
		];
		for op in ops {
			assert_eq!(op_round_trip(&op), op);
		}
	}

	#[test]
	fn compiled_operator_cidr_round_trip_preserves_canonical_form() {
		let op = CompiledOperator::Cidr(IpNet::from_str("10.0.0.0/8").expect("parse"));
		assert_eq!(op_round_trip(&op), op);
	}

	#[test]
	fn compiled_operator_matches_with_invalid_regex_is_rejected() {
		// An unterminated character class is a classic invalid regex. The
		// shadow-enum's custom error path surfaces the offending source in
		// the error message so operators can locate the bad rule.
		let raw = r#"{"matches":"["}"#;
		let err = serde_json::from_str::<CompiledOperator>(raw)
			.expect_err("invalid regex must fail to deserialize");
		let msg = err.to_string();
		assert!(msg.contains('['), "error mentions offending regex source: {msg}");
	}

	#[test]
	fn predicate_inst_pins_exact_wire_shape_for_http_header_equals() {
		let inst = PredicateInst {
			path: FieldPath::HttpHeader(Arc::from("host")),
			op: CompiledOperator::Equals(CompiledValue::Str(Arc::<str>::from("example.com"))),
		};
		let encoded = serde_json::to_string(&inst).expect("serialize");
		assert_eq!(encoded, r#"{"path":{"http_header":"host"},"op":{"equals":{"str":"example.com"}}}"#,);
		let decoded: PredicateInst = serde_json::from_str(&encoded).expect("deserialize");
		assert_eq!(decoded, inst);
	}

	#[test]
	fn predicate_inst_round_trip_with_regex_operator() {
		let inst = PredicateInst {
			path: FieldPath::HttpUriPath,
			op: CompiledOperator::Matches(Regex::new("^/api").expect("compile")),
		};
		let encoded = serde_json::to_string(&inst).expect("serialize");
		let decoded: PredicateInst = serde_json::from_str(&encoded).expect("deserialize");
		assert_eq!(decoded, inst);
	}
}