Class: LcpRuby::Authorization::RuntimeInvariantValidator

Inherits:
Object
Defined in:
lib/lcp_ruby/authorization/runtime_invariant_validator.rb

Overview

Boot-time validator that asserts behavioral invariants of permission YAML against the live model classes after build. Runs after `LcpRuby.on_models_loaded` callbacks have fired (Engine.load_metadata!), so late-bound scope registrations are visible.

Does NOT duplicate `Metadata::ConfigurationValidator` (which checks YAML shape); this checks behavioral invariants — does the custom-scope method actually exist on the dynamic model class, etc.

Each violation has a stable code (AUTH-001 … AUTH-009) so host apps can dial severity per-code without substring matching. See docs/design/authorization_hardening.md § “RuntimeInvariantValidator check loop” and § “Default severity per code”. The default-per-code table lives on `InvariantCheck::Configuration::DEFAULT_SEVERITIES` — `Configuration#severity_for(code)` is the single resolver both host introspection and this validator consult.

Constructor Details

#initialize(loader, config: nil) ⇒ RuntimeInvariantValidator

Returns a new instance of RuntimeInvariantValidator.



# File 'lib/lcp_ruby/authorization/runtime_invariant_validator.rb', line 36

def initialize(loader, config: nil)
  @loader = loader
  @config = config || resolve_config
  @violations = []
end

Class Attribute Details

.last_run ⇒ Object

Returns the value of attribute last_run.



# File 'lib/lcp_ruby/authorization/runtime_invariant_validator.rb', line 33

def last_run
  @last_run
end

Instance Attribute Details

#violations ⇒ Object (readonly)

Returns the value of attribute violations.



# File 'lib/lcp_ruby/authorization/runtime_invariant_validator.rb', line 24

def violations
  @violations
end

Instance Method Details

#run! ⇒ Object

Runs the validation pass and drains the collected violations. Dev/test: raises `InvariantError` if any error-severity violation was recorded (single error message, newline-joined for multi-typo boots — configurator sees every typo in one pass). Production: records via `record_error` and re-raises only when `invariant_check.fail_boot = true`.



# File 'lib/lcp_ruby/authorization/runtime_invariant_validator.rb', line 48

def run!
  validate_permissions
  validate_pages
  drain!
  self.class.last_run = self
  self
end
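
The boot-time pattern described in the Overview and under #run!, as an added Ruby sketch that is not LcpRuby's source: it checks that each scope named in constructed permission YAML exists on the model class, resolves severity per code, then raises or records. All class and method names, the meaning given to AUTH-001, and the `env`, `fail_boot` and `overrides` parameters are assumptions for illustration.

```ruby
require "yaml"
# Added sketch; every name here is hypothetical, not LcpRuby's API.
class SketchInvariantError < StandardError; end
Violation = Struct.new(:code, :message)

class SketchValidator
  # Assumed meaning: AUTH-001 = "named scope missing on the model class".
  DEFAULT_SEVERITIES = { "AUTH-001" => :error }.freeze
  attr_reader :violations, :recorded

  def initialize(permissions, models, env:, fail_boot: false, overrides: {})
    @permissions, @models, @env, @fail_boot = permissions, models, env, fail_boot
    @severities = DEFAULT_SEVERITIES.merge(overrides) # host dials severity per code
    @violations, @recorded = [], []
  end

  # Single resolver; unknown codes default to :error so they fail closed.
  def severity_for(code); @severities.fetch(code, :error); end

  def run!
    @permissions.each do |model, roles|
      roles.each do |role, rule|
        scope = rule["scope"]
        next if scope.nil? || @models[model]&.respond_to?(scope)
        @violations << Violation.new("AUTH-001", "#{model}/#{role}: scope '#{scope}' not defined")
      end
    end
    report!
    self
  end

  private

  # Dev/test: raise once listing every error. Production: record, raise only on fail_boot.
  def report!
    errors = @violations.select { |v| severity_for(v.code) == :error }
    return if errors.empty?
    message = errors.map { |v| "[#{v.code}] #{v.message}" }.join("\n")
    raise SketchInvariantError, message unless @env == "production"
    @recorded << message
    raise SketchInvariantError, message if @fail_boot
  end
end

# Constructed sample: the auditor and intern rules misspell their scope names.
SAMPLE = YAML.safe_load(<<~YAML)
  invoice:
    clerk:   { scope: own_records }
    auditor: { scope: own_recrods }
    intern:  { scope: evrything }
YAML
class Invoice; def self.own_records; :relation; end; end # stand-in model class
```

`respond_to?` accepts any public class method, so a production check should compare the name against the set of registered scopes rather than method existence alone.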