cellstate_pipeline/pack/

schema.rs

//! Pack manifest schema (cstate.toml)

use cellstate_core::SecretString;
use serde::Deserialize;
use std::collections::HashMap;

// NOTE: deny_unknown_fields is intentionally NOT on PackManifest to support
// the x-* extension namespace. Unknown top-level keys are validated post-parse
// in compose_pack() — any key not starting with "x-" is rejected there.
// All nested structs still use deny_unknown_fields for strict validation.
#[derive(Debug, Clone, Deserialize)]
pub struct PackManifest {
    pub meta: Option<MetaSection>,
    pub defaults: Option<DefaultsSection>,
    pub settings: Option<SettingsSection>,
    pub routing: Option<RoutingSection>,
    #[serde(default)]
    pub profiles: HashMap<String, ProfileDef>,
    #[serde(default)]
    pub adapters: HashMap<String, AdapterDef>,
    #[serde(default)]
    pub formats: HashMap<String, FormatDef>,
    #[serde(default)]
    pub policies: HashMap<String, PolicyDef>,
    #[serde(default)]
    pub injections: HashMap<String, InjectionDef>,
    #[serde(default)]
    pub providers: HashMap<String, ProviderDef>,
    #[serde(default)]
    pub tools: ToolsSection,
    #[serde(default)]
    pub toolsets: HashMap<String, ToolsetDef>,
    #[serde(default)]
    pub agents: HashMap<String, PackAgentBinding>,
    /// Vendor/tool-specific extension keys (must start with "x-").
    ///
    /// Example: `x-mycompany-feature = { enabled = true }`
    #[serde(flatten)]
    pub extensions: HashMap<String, toml::Value>,
}

#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct MetaSection {
    /// pack spec version. Must be "cstate.toml/v1.0" when present.
    pub spec: Option<String>,
    pub version: Option<String>,
    /// Project name. Required — emitters fall back gracefully but this should always be set.
    pub project: Option<String>,
    pub env: Option<String>,
    /// Project-level description for SKILL.md, AGENTS.md, A2A Agent Card, llms.txt.
    pub description: Option<String>,
    /// Build/test/coding convention instructions for AGENTS.md generation.
    /// Can be inline text or a path to a markdown file (e.g., "instructions.md").
    pub instructions: Option<String>,
    /// Project homepage URL for A2A Agent Card and llms.txt.
    pub homepage: Option<String>,
    /// License identifier (e.g., "Apache-2.0") for SKILL.md compliance.
    pub license: Option<String>,
}

#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct DefaultsSection {
    pub context_format: Option<String>,
    pub token_budget: Option<i32>,
    pub strict_markdown: Option<bool>,
    pub strict_refs: Option<bool>,
    pub secrets_mode: Option<String>,
}

#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct SettingsSection {
    pub matrix: Option<SettingsMatrix>,
}

#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct SettingsMatrix {
    pub allowed: Vec<ProfileBinding>,
    #[serde(default)]
    pub enforce_profiles_only: bool,
}

#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct RoutingSection {
    /// Routing strategy hint (first|round_robin|random|least_latency).
    pub strategy: Option<String>,
    /// Preferred provider name for embeddings.
    pub embedding_provider: Option<String>,
    /// Preferred provider name for summarization.
    pub summarization_provider: Option<String>,
    /// Preferred provider name for chat completions.
    #[serde(default)]
    pub chat_provider: Option<String>,
    /// OpenRouter sort preference (e.g., "price", "throughput").
    #[serde(default)]
    pub sort: Option<String>,
    /// Zero Data Retention opt-in.
    #[serde(default)]
    pub zdr: Option<bool>,
    /// Explicit provider ordering for OpenRouter.
    #[serde(default)]
    pub provider_order: Option<Vec<String>>,
    /// OpenRouter data collection preference ("deny" | "allow").
    #[serde(default)]
    pub data_collection: Option<String>,
}

#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct ProfileBinding {
    pub name: String,
    pub retention: String,
    pub index: String,
    pub embeddings: String,
    pub format: String,
}

#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct ProfileDef {
    pub retention: String,
    pub index: String,
    pub embeddings: String,
    pub format: String,
}

#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct AdapterDef {
    #[serde(rename = "type")]
    pub adapter_type: String,
    pub connection: String,
    #[serde(default)]
    pub options: HashMap<String, String>,
}

#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct FormatDef {
    #[serde(rename = "type")]
    pub format_type: String,
    pub include_audit: Option<bool>,
    pub include_sources: Option<bool>,
}

#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct PolicyDef {
    pub trigger: String,
    #[serde(default)]
    pub actions: Vec<PolicyActionDef>,
}

#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct PolicyActionDef {
    #[serde(rename = "type")]
    pub action_type: String,
    pub target: Option<String>,
    pub max_tokens: Option<i32>,
    pub mode: Option<String>,
}

#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct InjectionDef {
    pub source: String,
    pub target: String,
    /// Explicit entity type this injection targets (e.g., "note", "artifact").
    pub entity_type: Option<String>,
    pub mode: String,
    #[serde(default)]
    pub priority: i32,
    pub max_tokens: Option<i32>,
    pub top_k: Option<usize>,
    pub threshold: Option<f32>,
}

#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct ProviderDef {
    #[serde(rename = "type")]
    pub provider_type: String,
    pub api_key: SecretString,
    pub model: String,
    #[serde(default)]
    pub options: HashMap<String, String>,
}

#[derive(Debug, Clone, Deserialize, Default)]
#[serde(deny_unknown_fields)]
pub struct ToolsSection {
    #[serde(default)]
    pub bin: HashMap<String, ToolExecDef>,
    #[serde(default)]
    pub prompts: HashMap<String, ToolPromptDef>,
    /// Bash tools — sandboxed TypeScript bash interpreter (just-bash).
    /// Commands execute against the agent's virtual filesystem (AgentFs / just-bash FS layer).
    #[serde(default)]
    pub bash: HashMap<String, ToolBashDef>,
    /// Browser tools — accessibility-first browser automation via Stagehand/Playwright.
    /// Executed client-side with resource limits and PII redaction.
    #[serde(default)]
    pub browser: HashMap<String, ToolBrowserDef>,
    /// Composio tools — managed SaaS integrations (800+ tools).
    /// OAuth and authentication handled by Composio; CELLSTATE manages state.
    #[serde(default)]
    pub composio: HashMap<String, ToolComposioDef>,
    /// Dynamic Composio MCP Gateway configuration.
    /// When enabled, exposes a `composio_search_tools` meta-tool for runtime discovery.
    #[serde(default)]
    pub composio_gateway: Option<ComposioGatewayDef>,
}

/// Dynamic Composio MCP Gateway configuration.
/// Enables runtime discovery of Composio's 800+ tool integrations via a meta-tool.
#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct ComposioGatewayDef {
    /// Whether gateway discovery is enabled.
    #[serde(default)]
    pub enabled: bool,
    /// Max tools to surface per search (default 30).
    #[serde(default = "default_max_tools")]
    pub max_tools: usize,
    /// Allowed toolkits filter (empty = all).
    #[serde(default)]
    pub allowed_toolkits: Vec<String>,
    /// Blocked toolkits filter.
    #[serde(default)]
    pub blocked_toolkits: Vec<String>,
}

fn default_max_tools() -> usize {
    30
}

/// Bash tool definition — sandboxed command execution via just-bash.
#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct ToolBashDef {
    #[serde(rename = "kind")]
    pub kind: Option<String>,
    /// Description of what this bash tool does
    pub description: Option<String>,
    /// Timeout in milliseconds (default: 30000)
    pub timeout_ms: Option<i32>,
    /// Whether to allow network access (default: false)
    pub allow_network: Option<bool>,
    /// Whether to allow filesystem writes (default: true)
    pub allow_fs: Option<bool>,
    /// Allowed commands whitelist (empty = all allowed)
    #[serde(default)]
    pub allowed_commands: Vec<String>,
    /// Blocked commands blacklist
    #[serde(default)]
    pub blocked_commands: Vec<String>,
}

/// Browser tool definition — accessibility-first browser automation.
#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct ToolBrowserDef {
    #[serde(rename = "kind")]
    pub kind: Option<String>,
    /// Description of what this browser tool does.
    pub description: Option<String>,
    /// Timeout for individual actions in milliseconds (default: 30000).
    pub timeout_ms: Option<i32>,
    /// Maximum navigations per session (default: 50).
    pub max_navigations: Option<i32>,
    /// Maximum session duration in milliseconds (default: 300000).
    pub max_duration_ms: Option<i32>,
    /// Allowed domain patterns (glob). Empty = all allowed.
    #[serde(default)]
    pub allowed_domains: Vec<String>,
    /// Blocked domain patterns (glob). Takes precedence over allowed.
    #[serde(default)]
    pub blocked_domains: Vec<String>,
    /// Use vision (screenshots) instead of accessibility tree. Default: false.
    pub use_vision: Option<bool>,
    /// Whether to allow network access (default: true for browser tools).
    pub allow_network: Option<bool>,
}

/// Composio tool definition — managed SaaS integrations via Composio REST API.
/// Composio handles OAuth, authentication, and API mapping for 800+ tools.
/// CELLSTATE records why the tool was called, what memory informed the decision,
/// and what gates it passed.
#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct ToolComposioDef {
    #[serde(rename = "kind")]
    pub kind: Option<String>,
    /// Composio toolkit name (e.g. "GMAIL", "SLACK", "GITHUB", "LINEAR").
    pub toolkit: String,
    /// Composio action names to expose (e.g. ["GMAIL_SEND_EMAIL", "GMAIL_LIST_EMAILS"]).
    #[serde(default)]
    pub actions: Vec<String>,
    /// Description of what this tool integration does.
    pub description: Option<String>,
    /// Timeout in milliseconds for Composio API calls (default: 30000).
    pub timeout_ms: Option<i32>,
}

#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct ToolExecDef {
    #[serde(rename = "kind")]
    pub kind: Option<String>,
    pub cmd: String,
    pub timeout_ms: Option<i32>,
    pub allow_network: Option<bool>,
    pub allow_fs: Option<bool>,
    pub allow_subprocess: Option<bool>,
    /// How OAuth credentials should be delivered to the tool.
    pub credential_delivery: Option<String>,
    /// OAuth provider IDs whose tokens should be injected server-side.
    #[serde(default)]
    pub oauth_providers: Vec<String>,
    /// Required OAuth scopes per provider, enforced at tool-execution time.
    /// Example:
    /// oauth_required_scopes.github = ["repo", "workflow"]
    #[serde(default)]
    pub oauth_required_scopes: HashMap<String, Vec<String>>,
}

#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct ToolPromptDef {
    #[serde(rename = "kind")]
    pub kind: Option<String>,
    pub prompt_md: String,
    pub contract: Option<String>,
    pub result_format: Option<String>,
    pub timeout_ms: Option<i32>,
}

#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct ToolsetDef {
    pub tools: Vec<String>,
}

/// Pack agent binding - wires toolsets and prompts to an agent role.
/// Not to be confused with ast::AgentDef which defines agent capabilities.
#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct PackAgentBinding {
    pub enabled: Option<bool>,
    pub profile: String,
    pub adapter: Option<String>,
    pub format: Option<String>,
    pub token_budget: Option<i32>,
    pub prompt_md: String,
    #[serde(default)]
    pub toolsets: Vec<String>,
    /// Human-readable description of what this agent does.
    /// Used for SKILL.md description, A2A Agent Card, AGENTS.md, and progressive disclosure.
    pub description: Option<String>,
    /// Tags for skill discovery and categorization (e.g., ["code-review", "security"]).
    #[serde(default)]
    pub tags: Vec<String>,
}

pub fn parse_manifest(toml_source: &str) -> Result<PackManifest, PackError> {
    const MAX_MANIFEST_BYTES: usize = 10 * 1024 * 1024; // 10 MB
    if toml_source.len() > MAX_MANIFEST_BYTES {
        return Err(PackError::Validation(format!(
            "manifest size {} exceeds maximum {MAX_MANIFEST_BYTES}",
            toml_source.len()
        )));
    }
    toml::from_str(toml_source).map_err(|e| PackError::Toml(e.to_string()))
}

// Error lives in ir.rs
use super::ir::PackError;

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn parse_manifest_empty_fails() {
        let result = parse_manifest("");
        // Empty string may parse as empty manifest or fail — either is acceptable
        // The key is it doesn't panic
        let _ = result;
    }

    #[test]
    fn parse_manifest_meta_only() {
        let toml = r#"
[meta]
project = "minimal"
version = "0.0.1"
"#;
        let m = parse_manifest(toml).unwrap();
        let meta = m.meta.as_ref().unwrap();
        assert_eq!(meta.project.as_deref(), Some("minimal"));
        assert_eq!(meta.version.as_deref(), Some("0.0.1"));
        assert!(m.defaults.is_none());
        assert!(m.profiles.is_empty());
    }

    #[test]
    fn parse_manifest_with_routing() {
        let toml = r#"
[meta]
project = "routed"
version = "1.0.0"

[routing]
strategy = "intent"
"#;
        let m = parse_manifest(toml).unwrap();
        assert!(m.routing.is_some());
    }

    #[test]
    fn parse_manifest_with_settings() {
        let toml = r#"
[meta]
project = "settings-test"
version = "1.0.0"

[settings.matrix]
allowed = []
"#;
        let m = parse_manifest(toml).unwrap();
        assert!(m.settings.is_some());
    }

    #[test]
    fn default_max_tools_is_positive() {
        assert!(default_max_tools() > 0);
    }

    #[test]
    fn test_manifest_size_limit() {
        // 11 MB of 'a' characters — exceeds the 10 MB limit
        let oversized = "a".repeat(11 * 1024 * 1024);
        let result = parse_manifest(&oversized);
        assert!(result.is_err(), "manifest exceeding 10 MB must be rejected");
        let err = result.unwrap_err();
        match &err {
            PackError::Validation(msg) => {
                assert!(
                    msg.contains("manifest size") && msg.contains("exceeds maximum"),
                    "error should mention size limit: {msg}"
                );
            }
            other => panic!("expected PackError::Validation, got {:?}", other),
        }
    }

    #[test]
    fn pack_manifest_toml_roundtrip() {
        let toml = r#"
[meta]
project = "roundtrip"
version = "2.0.0"
description = "Test roundtrip"
"#;
        let m = parse_manifest(toml).unwrap();
        let meta = m.meta.as_ref().unwrap();
        assert_eq!(meta.project.as_deref(), Some("roundtrip"));
        assert_eq!(meta.version.as_deref(), Some("2.0.0"));
        assert_eq!(meta.description.as_deref(), Some("Test roundtrip"));
    }
}