Add remote subscription support so spokes can consume streaming operations
over pubsub transports (WebSocket, Redis). Extract checkAccess to access.ts
to break circular dep between call.ts and subscribe.ts.
- Add access control to registry.execute(): checks requiredScopes, requiredScopesAny,
and resourceType/resourceAction; rejects with ACCESS_DENIED when identity required
but absent; skips when context.trusted is true
- Add trusted field to OperationContext schema (internal, set by buildEnv for
nested calls to skip redundant scope checks)
- Simplify CallHandler to thin adapter: delegates to registry.execute() instead of
duplicating lookup, validation, and access control
- Remove callMap option from buildEnv(): always uses execute(), propagates context
with trusted: true for nested calls
- Add access control to subscribe(): same default-deny logic as execute()
- Change execute() to throw CallError instead of plain Error for not found,
no handler, and validation errors
- Export checkAccess from call.ts and index.ts for external use
- Remove CallMap type export, update EnvOptions
- Update architecture docs: api-surface.md, call-protocol.md,
ADR-006 status to implemented, source vs spec drift sections
- All 228 tests passing
Remove stale ADR-005 drift tables across all architecture docs since
ResponseEnvelope types, factories, detection, and integration points
are now fully implemented in source code. Key changes:
- api-surface.md: Remove ADR-005 drift table (all items implemented),
retain ADR-006 drift table without execute() return type (now done)
- call-protocol.md: Remove ADR-005 drift table, update ADR-006 table,
fix CallHandlerConfig to show callMap? (current source)
- adapters.md: Remove 'current source state' and 'implementation
changes needed' tables for from_mcp and from_openapi, replace with
current-accurate descriptions of envelope behavior
- response-envelopes.md: Remove 'current source state' blocks,
update migration checklist to show all code changes completed
- 005-response-envelopes.md: Change status from Draft to Implemented
- 006-unified-invocation-path.md: Update Prerequisites section to note
ADR-005 is now implemented
- build-distribution.md: Add response-envelope.ts to source layout
- architecture.md: Add response-envelopes.md link and ADR-005/006
entries to design decisions table
- README.md: Add response-envelopes.md to documents table
- Update last_updated dates on all changed docs
Remove the Bugs subsection from Source vs. Spec Drift since both bugs
(checkAccess resource bypass and PendingRequestMap type name conflict)
have been resolved. Update intro sentence to remove Bug mention.
ADR-005 and ADR-006 drift tables remain intact.
ADR-006: Unify on registry.execute() as the single invocation entry point.
Call protocol becomes internal transport for cross-process routing.
CallHandler calls execute() instead of reimplementing lookup/validation.
Access control enforcement in execute() with trusted flag for nested calls.
Default-deny: reject when requiredScopes non-empty and identity absent.
Source-vs-spec drift tables added to call-protocol.md and api-surface.md,
documenting all gaps between architecture docs and current source:
- ADR-005 gaps (envelope types, pipeline, factory functions)
- ADR-006 gaps (unified invocation, access control, CallHandler refactor)
- Two bugs: checkAccess() resource bypass when identity.resources is
undefined, and PendingRequestMap type/class naming conflict
Introduce ResponseEnvelope as a first-class concept for uniform operation
result handling across MCP, OpenAPI, and local adapters. Key decisions:
- ResponseEnvelope<T> wraps every result with typed metadata
(LocalResponseMeta, HTTPResponseMeta, MCPResponseMeta)
- CallHandler becomes sole publisher of call.responded (handler
responsibility shift from publish-to-return)
- Envelope detection via closed-set string discriminant
(isResponseEnvelope) — no Symbols, JSON-serializable
- MCP isError:true no longer throws; wraps in envelope with
meta.isError flag preserving error content for consumers
- outputSchema validates envelope.data, not the full envelope
- PendingRequestMap.respond() validates envelope at runtime
- Factory functions (localEnvelope, httpEnvelope, mcpEnvelope)
ensure consistent construction
- Breaking change: execute() returns ResponseEnvelope<TOutput>,
call.responded.output is ResponseEnvelopeSchema
- No Client abstraction yet (ADR-014)
Extracted from alkhub_ts packages/core/operations/ and packages/core/mcp/.
- Runtime-agnostic (injected fs/env deps, no Deno globals)
- Direct @logtape/logtape import instead of logger wrapper
- PendingRequestMap with pubsub-wired call protocol
- Peer-dep isolation for MCP adapter (sub-path export)
- Schema const naming convention (XSchema + X type alias)
- 68 tests passing, build + lint + test all green
