feat(call): add ScopedPeerEnv peer-pinned reachability (ADR-029 §4, call/scoped-peer-env)

This commit is contained in:
2026-06-30 11:07:41 +00:00
parent 5c4feff468
commit bfd1621b9b
10 changed files with 397 additions and 99 deletions

View File

@@ -6,7 +6,7 @@ use alknet_core::auth::Identity;
use alknet_core::types::Capabilities;
use serde_json::Value;
use super::env::OperationEnv;
use super::env::{OperationEnv, PeerId, PeerRef};
pub struct OperationContext {
pub request_id: String,
@@ -25,7 +25,7 @@ pub struct OperationContext {
pub forwarded_for: Option<Identity>,
pub capabilities: Capabilities,
pub metadata: HashMap<String, Value>,
pub scoped_env: ScopedOperationEnv,
pub scoped_env: ScopedPeerEnv,
pub env: Arc<dyn OperationEnv + Send + Sync>,
pub abort_policy: AbortPolicy,
pub deadline: Option<Instant>,
@@ -75,29 +75,65 @@ impl CompositionAuthority {
}
#[derive(Debug, Clone)]
pub struct ScopedOperationEnv {
allowed: HashSet<String>,
pub struct ScopedPeerEnv {
/// Peer-agnostic reachability — reachable via `PeerRef::Any` or
/// `PeerRef::Specific(any)`. The common case (peer-agnostic composition).
pub allowed_ops: HashSet<String>,
/// Peer-pinned reachability — `"peer-id/op-name"`, reachable only via
/// `PeerRef::Specific(that peer)`. Additive to `allowed_ops`; opt-in for
/// the disambiguation case (ADR-029 §4).
pub peer_pinned: HashSet<String>,
}
impl ScopedOperationEnv {
impl ScopedPeerEnv {
pub fn empty() -> Self {
Self {
allowed: HashSet::new(),
allowed_ops: HashSet::new(),
peer_pinned: HashSet::new(),
}
}
pub fn new(ops: impl IntoIterator<Item = impl Into<String>>) -> Self {
Self {
allowed: ops.into_iter().map(|s| s.into()).collect(),
allowed_ops: ops.into_iter().map(|s| s.into()).collect(),
peer_pinned: HashSet::new(),
}
}
/// Peer-pinned reachability: `"peer-id/op-name"`. Reachable only via
/// `PeerRef::Specific(that peer)`. Additive to `new` — call `new` for the
/// peer-agnostic set, then `with_pinned` for the pinned set.
pub fn with_pinned(mut self, pinned: impl IntoIterator<Item = impl Into<String>>) -> Self {
self.peer_pinned = pinned.into_iter().map(|s| s.into()).collect();
self
}
/// Peer-agnostic reachability — unchanged from `ScopedOperationEnv::allows`.
/// A name here is reachable via any routing path (`PeerRef::Any` or
/// `Specific`).
pub fn allows(&self, name: &str) -> bool {
self.allowed.contains(name)
self.allowed_ops.contains(name)
}
/// Peer-pinned reachability — reachable only via `PeerRef::Specific(peer)`.
/// The entry shape is `"peer-id/op-name"` (ADR-029 §4, OQ-33).
pub fn allows_pinned(&self, peer: &PeerId, name: &str) -> bool {
self.peer_pinned.contains(&format!("{peer}/{name}"))
}
/// Does this scoped env permit `name` via `peer`? Used by the reachability
/// gate in `invoke_peer` / `invoke_with_policy`.
/// - `PeerRef::Any` → `allows(name)`
/// - `PeerRef::Specific(peer)` → `allows(name) || allows_pinned(peer, name)`
pub fn allows_via(&self, peer: &PeerRef, name: &str) -> bool {
match peer {
PeerRef::Any => self.allows(name),
PeerRef::Specific(p) => self.allows(name) || self.allows_pinned(p, name),
}
}
}
impl Default for ScopedOperationEnv {
impl Default for ScopedPeerEnv {
fn default() -> Self {
Self::empty()
}
@@ -114,24 +150,108 @@ mod tests {
#[test]
fn scoped_env_allows_in_set() {
let env = ScopedOperationEnv::new(["fs/readFile", "agent/chat"]);
let env = ScopedPeerEnv::new(["fs/readFile", "agent/chat"]);
assert!(env.allows("fs/readFile"));
assert!(env.allows("agent/chat"));
}
#[test]
fn scoped_env_disallows_not_in_set() {
let env = ScopedOperationEnv::new(["fs/readFile"]);
let env = ScopedPeerEnv::new(["fs/readFile"]);
assert!(!env.allows("agent/chat"));
assert!(!env.allows(""));
}
#[test]
fn scoped_env_empty_allows_nothing() {
let env = ScopedOperationEnv::empty();
let env = ScopedPeerEnv::empty();
assert!(!env.allows("fs/readFile"));
}
#[test]
fn scoped_peer_env_new_with_pinned_populates_both_fields() {
let env = ScopedPeerEnv::new(["fs/readFile"]).with_pinned(["worker-a/container/exec"]);
assert!(env.allowed_ops.contains("fs/readFile"));
assert!(env.peer_pinned.contains("worker-a/container/exec"));
assert!(!env.allowed_ops.contains("worker-a/container/exec"));
assert!(!env.peer_pinned.contains("fs/readFile"));
}
#[test]
fn scoped_peer_env_allows_checks_allowed_ops_only() {
let env = ScopedPeerEnv::empty().with_pinned(["worker-a/container/exec"]);
assert!(
!env.allows("container/exec"),
"pinned-only op not in allowed_ops"
);
let env2 = ScopedPeerEnv::new(["container/exec"]).with_pinned(["worker-a/container/exec"]);
assert!(
env2.allows("container/exec"),
"op in allowed_ops is allowed"
);
}
#[test]
fn scoped_peer_env_allows_pinned_checks_peer_pinned_shape() {
let env = ScopedPeerEnv::empty().with_pinned(["worker-a/container/exec"]);
assert!(env.allows_pinned(&"worker-a".to_string(), "container/exec"));
assert!(
!env.allows_pinned(&"worker-b".to_string(), "container/exec"),
"wrong peer"
);
assert!(
!env.allows_pinned(&"worker-a".to_string(), "other/op"),
"wrong op"
);
}
#[test]
fn scoped_peer_env_allows_via_any_uses_allowed_ops_only() {
let env = ScopedPeerEnv::new(["fs/readFile"]).with_pinned(["worker-a/container/exec"]);
assert!(
env.allows_via(&PeerRef::Any, "fs/readFile"),
"allowed op via Any"
);
assert!(
!env.allows_via(&PeerRef::Any, "container/exec"),
"pinned-only op NOT reachable via Any"
);
}
#[test]
fn scoped_peer_env_allows_via_specific_uses_allowed_ops_or_peer_pinned() {
let env = ScopedPeerEnv::new(["fs/readFile"]).with_pinned(["worker-a/container/exec"]);
assert!(
env.allows_via(&PeerRef::Specific("worker-a".to_string()), "container/exec"),
"pinned-only op reachable via Specific(pinned peer)"
);
assert!(
env.allows_via(&PeerRef::Specific("worker-a".to_string()), "fs/readFile"),
"allowed op reachable via Specific(any peer)"
);
assert!(
!env.allows_via(&PeerRef::Specific("worker-b".to_string()), "container/exec"),
"pinned-only op NOT reachable via Specific(wrong peer)"
);
}
#[test]
fn scoped_peer_env_op_in_both_sets_reachable_via_both_any_and_specific() {
let env = ScopedPeerEnv::new(["container/exec"]).with_pinned(["worker-a/container/exec"]);
assert!(
env.allows_via(&PeerRef::Any, "container/exec"),
"op in allowed_ops reachable via Any"
);
assert!(
env.allows_via(&PeerRef::Specific("worker-a".to_string()), "container/exec"),
"op in both sets reachable via Specific(peer)"
);
assert!(
env.allows_via(&PeerRef::Specific("worker-b".to_string()), "container/exec"),
"op in allowed_ops reachable via Specific(other peer) too"
);
}
#[test]
fn composition_authority_as_identity_correct() {
let mut resources = HashMap::new();