docs(spec): unify Context.create() signature across SDKs (#66)

tercel · tercel · commit 17538949eb2b · 2026-05-22T09:51:23.000+08:00
- New 6-input canonical signature: identity, trace_parent, cancel_token, data, services, global_deadline. Order is normative for positional languages. - Remove executor and caller_id from public factory inputs. executor binding moves to a new normative §"Contract: Executor binding to Context" that unifies three sources (local create, cross-process deserialize, hot-reload restore) under one rule. - Add cancel_token as a first-class parameter — eliminates 9 production post-hoc ctx.cancel_token = token sites (apcore-mcp-{python,ts}, axum-apcore, django/flask/fastapi-apcore). - Rust TraceParent struct will embed tracestate; ContextBuilder tracestate() setter removed. - New normative §"Contract: Distributed cancellation" + §"Contract: global_deadline distributed semantics" pin down cross-process behavior. - New conformance fixture conformance/fixtures/context_create.json validates cross-SDK parity (15 test cases). Folds into v0.22.0 (CHANGELOG [Unreleased] entry will graduate on next release-cut commit). No git tag for v0.22.0 yet — bundling here avoids a v0.23 minor bump. See issue #66 for the full ecosystem-wide audit. Signed-off-by: tercel <tercel.yi@gmail.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- **Decision D-24 — `Context.create()` signature unified across all SDKs (#66).** Reduced to the six caller-supplied fields only: `identity`, `trace_parent`, `cancel_token`, `data`, `services`, `global_deadline`. Two prior inputs are removed from the public factory surface:
+  - `executor` — Executor self-binds at pipeline entry under the new normative §"Contract: Executor binding to Context" (`docs/features/core-executor.md`). This unifies three previously distinct binding scenarios under one rule: local construction via `Context.create()`, cross-process deserialize, and hot-reload survivor restore.
+  - `caller_id` — zero production / test / doc callers across the 25-repo ecosystem. Top-level Contexts always have `caller_id = null`; the value is managed exclusively by `Context.child()`. Reserved name for future revisions.
+
+  Added `cancel_token` as a first-class parameter, eliminating the post-hoc `ctx.cancel_token = token` anti-pattern documented in 9 production sites across `apcore-mcp-{python,typescript}`, `apcore-typescript/async-task.ts` (which had to cast away `readonly`), `axum-apcore`, `django-apcore`, `fastapi-apcore`.
+
+  Rust `TraceParent` struct gains a `tracestate: Vec<(String, String)>` field to align with Python/TS shape; the redundant `ContextBuilder::tracestate()` setter is removed.
+
+  Two new normative sections clarify distributed semantics:
+  - §"Contract: Distributed cancellation" — `cancel_token` is local-only; cross-process cancellation MUST go through out-of-band channels (e.g., AsyncTaskStore task_id lookup).
+  - §"Contract: `global_deadline` distributed semantics" — `global_deadline` does not propagate across process boundaries; callers needing wall-clock deadline propagation SHOULD store it in `context.data` under an extension key.
+
+  Conformance fixture `context_create.json` validates cross-SDK parameter parity, removal of `executor`/`caller_id`, idempotent same-executor rebinding, and cross-executor conflict behavior.
+
 ### Added
 
 - **Decision D-17 — `TaskStore` is async across all SDKs** (`docs/features/async-tasks.md` §1.1). Pluggable backends like Redis or SQL cannot satisfy a sync `TaskStore` contract without blocking the runtime's event loop. New normative: every `TaskStore` method MUST be asynchronous in Python (`async def`), TypeScript (returns `Promise<T>`), and Rust (`async fn` via `#[async_trait]`). `InMemoryTaskStore` MUST still expose async signatures even though its operations are CPU-only — uniform shape lets stores compose generically. Supersedes the partially-sync contract present in apcore-python and apcore-typescript through v0.21.x. Found via `/apcore-skills:sync` (finding A-D-AT-04).
diff --git a/conformance/README.md b/conformance/README.md
@@ -38,6 +38,7 @@ SDK conformance runners **must** load `.json` files with a JSON parser. The `.ya
 | `middleware_on_error_recovery.json` | A11 | After-middleware error recovery: first-dict-wins, null passthrough, success non-override |
 | `identity_system.json` | — | Identity construction, field access, and context propagation (AC-014, AC-015) |
 | `context_trace_parent.json` | §10.5 | Context.create trace_parent strict validation: 32-hex only, W3C-invalid rejection, no auto-normalization |
+| `context_create.json` | Issue #66 | Context.create unified-signature contract: 6-param input list, executor/caller_id NOT inputs, Executor binding (local + deserialize + hot-reload), idempotent same-executor rebind, cross-executor conflict, child() propagation of executor + cancel_token, distributed cancel_token/global_deadline semantics, TraceParent embeds tracestate |
 | `dependency_version_constraints.json` | §5.3, §5.15.2 | Dependency `version` constraint enforcement: exact, `>=`, `<=`, `^`, `~`, ranges, optional skip |
 | `binding_errors.json` | — | 6 canonical cross-SDK error message parity test cases (`BindingFileInvalidError`, `BindingSchemaModeConflictError`, `BindingSchemaInferenceFailedError`, `PipelineHandlerNotSupportedError`, `BindingInvalidTargetError`, `BindingModuleNotFoundError`) |
 | `binding_yaml_canonical.yaml` | — | Cross-SDK binding YAML canonical fixture (`.yaml` format): permissive auto_schema, explicit schemas with display overlay, strict auto_schema mode |
diff --git a/conformance/fixtures/context_create.json b/conformance/fixtures/context_create.json
@@ -0,0 +1,217 @@
+{
+  "description": "Context.create unified-signature contract across all SDKs. Validates the v0.22.0 normative input list (identity, trace_parent, cancel_token, data, services, global_deadline), the removal of executor and caller_id as inputs, the Executor binding rules (local create, cross-process deserialize, hot-reload restore), and child() propagation. See docs/features/core-executor.md §Contract: Context.create + §Contract: Executor binding to Context, and Issue #66.",
+  "test_cases": [
+    {
+      "id": "create_minimal_all_defaults",
+      "description": "Context.create() with no arguments yields a fresh top-level Context — null executor, null identity, null cancel_token, empty data, empty call_chain, null caller_id, 32-char hex trace_id.",
+      "input": {},
+      "expected": {
+        "trace_id_pattern": "^[0-9a-f]{32}$",
+        "identity": null,
+        "executor": null,
+        "cancel_token": null,
+        "services": null,
+        "global_deadline": null,
+        "caller_id": null,
+        "call_chain": [],
+        "data_empty": true
+      }
+    },
+    {
+      "id": "create_with_identity_only",
+      "description": "Most common adapter pattern: only identity supplied. trace_id auto-generated, all other caller-inputs null.",
+      "input": {
+        "identity": {
+          "id": "user-42",
+          "type": "user",
+          "roles": ["analyst"]
+        }
+      },
+      "expected": {
+        "trace_id_pattern": "^[0-9a-f]{32}$",
+        "identity_id": "user-42",
+        "executor": null,
+        "cancel_token": null
+      }
+    },
+    {
+      "id": "create_with_cancel_token",
+      "description": "cancel_token is a first-class parameter (v0.22.0+). Verifies the token is carried on the returned Context without post-hoc assignment.",
+      "input": {
+        "cancel_token_handle": "TOKEN_FIXTURE_A"
+      },
+      "expected": {
+        "cancel_token_bound": true,
+        "cancel_token_matches_input": true,
+        "executor_at_create_time": null
+      }
+    },
+    {
+      "id": "create_with_global_deadline",
+      "description": "global_deadline is an accepted caller input. Local-only — does not affect serialize round-trip (see context_create_distributed).",
+      "input": {
+        "global_deadline": 1234567890.5
+      },
+      "expected": {
+        "global_deadline": 1234567890.5,
+        "executor": null
+      }
+    },
+    {
+      "id": "create_rejects_executor_input",
+      "description": "executor MUST NOT be a public Context.create() parameter. SDKs MAY enforce by signature (no such parameter exists) or by runtime check. Either is conforming as long as 'pass executor at construction' is not possible through the public API.",
+      "input": {
+        "attempt_pass_executor": true
+      },
+      "expected": {
+        "executor_is_not_a_parameter": true
+      }
+    },
+    {
+      "id": "create_rejects_caller_id_input",
+      "description": "caller_id MUST NOT be a public Context.create() parameter. Top-level Contexts always have caller_id = null; the field is managed exclusively by Context.child().",
+      "input": {
+        "attempt_pass_caller_id": "fake.caller"
+      },
+      "expected": {
+        "caller_id_is_not_a_parameter": true,
+        "caller_id_after_create": null
+      }
+    },
+    {
+      "id": "executor_binds_on_first_call_local",
+      "description": "Local construction → first Executor.call() binds the Executor to ctx.executor. After the call returns, ctx.executor MUST equal the Executor instance.",
+      "input": {
+        "construction": "Context.create()",
+        "call_module": "test.echo"
+      },
+      "expected": {
+        "executor_at_create_time": null,
+        "executor_after_first_call_bound": true,
+        "binding_pre_step_1": true
+      }
+    },
+    {
+      "id": "executor_binds_idempotent_same_instance",
+      "description": "Reusing the same Context across multiple top-level Executor.call() invocations on the same Executor instance is a noop on subsequent calls — MUST NOT raise.",
+      "input": {
+        "construction": "Context.create()",
+        "calls": ["test.echo", "test.echo", "test.echo"],
+        "same_executor": true
+      },
+      "expected": {
+        "rebind_noop": true,
+        "raised_error": false,
+        "executor_identity_stable": true
+      }
+    },
+    {
+      "id": "executor_rejects_cross_executor_rebind",
+      "description": "If ctx.executor is already bound to Executor A and Executor B receives the same Context, B SHOULD raise ContextBindingError. SDKs that accept silently MUST document this deviation prominently.",
+      "input": {
+        "executor_a_first": true,
+        "executor_b_second": true,
+        "same_executor": false
+      },
+      "expected_one_of": [
+        {
+          "behavior": "raise",
+          "error_type": "ContextBindingError"
+        },
+        {
+          "behavior": "silent_accept",
+          "documented_deviation_required": true
+        }
+      ]
+    },
+    {
+      "id": "child_propagates_executor",
+      "description": "Context.child() MUST propagate the bound executor to the child Context.",
+      "input": {
+        "bind_executor": true,
+        "create_child_module_id": "test.target"
+      },
+      "expected": {
+        "child_executor_matches_parent": true,
+        "child_caller_id_from_parent_chain_tip": true,
+        "child_call_chain_appends_target": true
+      }
+    },
+    {
+      "id": "child_propagates_cancel_token",
+      "description": "Context.child() MUST propagate the cancel_token to the child Context. Same reference (or equivalent linked instance) — modules deep in the call chain MUST observe cancellation.",
+      "input": {
+        "create_with_cancel_token": "TOKEN_FIXTURE_B",
+        "create_child_module_id": "test.target"
+      },
+      "expected": {
+        "child_cancel_token_bound": true,
+        "child_cancel_token_matches_parent": true
+      }
+    },
+    {
+      "id": "deserialize_then_call_binds_local_executor",
+      "description": "Cross-process scenario: deserialize a serialized Context (executor / cancel_token / services / global_deadline all stripped per §5.7), then call() on the receiving node. The local Executor MUST bind itself per the same rule as local Context.create().",
+      "input": {
+        "serialized_context": {
+          "_context_version": 1,
+          "trace_id": "4bf92f3577b34da6a3ce929d0e0e4736",
+          "caller_id": "remote.caller",
+          "call_chain": ["remote.caller", "remote.target"],
+          "identity": {"id": "user-remote", "type": "user", "roles": [], "attrs": {}},
+          "data": {}
+        },
+        "call_module": "local.target"
+      },
+      "expected": {
+        "executor_after_deserialize": null,
+        "cancel_token_after_deserialize": null,
+        "services_after_deserialize": null,
+        "global_deadline_after_deserialize": null,
+        "caller_id_preserved": "remote.caller",
+        "executor_bound_on_first_call": true
+      }
+    },
+    {
+      "id": "distributed_cancel_token_synthesized_locally",
+      "description": "When a deserialized Context arrives on a remote node, the receiving Executor MUST synthesize a fresh local CancelToken at pipeline entry. Distributed cancellation does NOT ride the in-context cancel_token field.",
+      "input": {
+        "deserialized_context_has_no_cancel_token": true,
+        "execute_module": "local.slow"
+      },
+      "expected": {
+        "fresh_cancel_token_synthesized": true,
+        "cancel_token_is_local_instance": true
+      }
+    },
+    {
+      "id": "distributed_global_deadline_recomputed_locally",
+      "description": "When a deserialized Context arrives on a remote node, the receiving Executor MUST recompute global_deadline from local executor.global_timeout config. The originating node's deadline intent does not propagate via global_deadline.",
+      "input": {
+        "deserialized_context_has_no_global_deadline": true,
+        "local_executor_global_timeout_ms": 60000
+      },
+      "expected": {
+        "global_deadline_recomputed_locally": true,
+        "global_deadline_derived_from_config": true
+      }
+    },
+    {
+      "id": "tracestate_carried_inside_traceparent",
+      "description": "TraceParent type MUST carry tracestate as a field (no separate Context.create() parameter). Verifies cross-SDK shape: Python/TS/Rust all embed tracestate in TraceParent.",
+      "input": {
+        "trace_parent": {
+          "trace_id": "4bf92f3577b34da6a3ce929d0e0e4736",
+          "parent_id": "00f067aa0ba902b7",
+          "trace_flags": "01",
+          "tracestate": [["vendor1", "value1"], ["vendor2", "value2"]]
+        }
+      },
+      "expected": {
+        "trace_id": "4bf92f3577b34da6a3ce929d0e0e4736",
+        "tracestate_preserved": true,
+        "no_separate_tracestate_parameter": true
+      }
+    }
+  ]
+}
diff --git a/docs/features/context-object.md b/docs/features/context-object.md
@@ -14,7 +14,7 @@ For caller-identity semantics, type values, and ACL integration see [Identity Sy
 - Context MUST carry a `trace_id` that uniquely identifies the call chain and is preserved across all child invocations.
 - Context MUST carry the `caller_id` of the module that initiated the current call, or `None` for top-level calls.
 - Context MUST carry the `call_chain` (ordered list of module IDs from root to current invocation), maintained automatically by the Executor.
-- Context MUST carry an `executor` reference so modules can dispatch inter-module calls.
+- Context MUST carry an `executor` reference so modules can dispatch inter-module calls. The reference is **bound by the Executor** at pipeline entry (not by `Context.create()`); see [Executor binding to Context](./core-executor.md#contract-executor-binding-to-context).
 - Context SHOULD carry an `identity` describing the caller (used by ACL).
 - Context SHOULD expose a `logger` that auto-injects `trace_id`, `module_id`, and `caller_id`.
 - Context SHOULD expose `redacted_inputs` — the input dict with `x-sensitive` fields replaced by `"***REDACTED***"` — so middleware can log safely.
@@ -37,18 +37,19 @@ For caller-identity semantics, type values, and ACL integration see [Identity Sy
 
 ### Field Constraints
 
-| Field | Type | Level | Limit | Thread Safety | Serializable |
-|-------|------|-------|-------|---------------|--------------|
-| `trace_id` | string (32-char hex) | MUST | 32 chars | Read-only, safe | MUST |
-| `caller_id` | string \| null | MUST | 128 chars | Read-only, safe | MUST |
-| `call_chain` | list[string] | MUST | Max depth 32 | Read-only, safe | MUST |
-| `executor` | Executor | MUST | — | Thread-safe | MUST NOT |
-| `identity` | Identity \| null | SHOULD | — | Read-only, safe | MUST |
-| `logger` | ContextLogger | SHOULD | — | Thread-safe | MUST NOT |
-| `redacted_inputs` | dict \| null | SHOULD | — | Read-only, safe | MAY |
-| `cancel_token` | CancelToken \| null | MAY | — | Thread-safe | MUST NOT |
-| `services` | T \| null | MAY | — | Read-only, safe | MUST NOT |
-| `data` | dict[str, Any] | MUST | — | Not thread-safe | SHOULD |
+| Field | Type | Level | Limit | Thread Safety | Serializable | Notes |
+|-------|------|-------|-------|---------------|--------------|-------|
+| `trace_id` | string (32-char hex) | MUST | 32 chars | Read-only, safe | MUST | Auto-generated. Not a `Context.create()` input. |
+| `caller_id` | string \| null | MUST | 128 chars | Read-only, safe | MUST | Top-level: null. Managed exclusively by `Context.child()`. Not a `Context.create()` input. |
+| `call_chain` | list[string] | MUST | Max depth 32 | Read-only, safe | MUST | Managed exclusively by the Executor. |
+| `executor` | Executor \| null | MUST (after binding) | — | Thread-safe | MUST NOT | **Bound by the Executor** at pipeline entry, not by `Context.create()`. See [Executor binding to Context](./core-executor.md#contract-executor-binding-to-context). |
+| `identity` | Identity \| null | SHOULD | — | Read-only, safe | MUST | |
+| `logger` | ContextLogger | SHOULD | — | Thread-safe | MUST NOT | Derived property from `trace_id` + `caller_id`. Not a `Context.create()` input. |
+| `redacted_inputs` | dict \| null | SHOULD | — | Read-only, safe | MAY | Populated by Executor pipeline step 5. |
+| `redacted_output` | dict \| null | SHOULD | — | Read-only, safe | MAY | Populated by Executor pipeline step 9. |
+| `cancel_token` | CancelToken \| null | MAY | — | Thread-safe | MUST NOT | First-class `Context.create()` parameter since v0.22.0. |
+| `services` | T \| null | MAY | — | Read-only, safe | MUST NOT | Caller-supplied DI container only — MUST NOT carry framework-owned fields. |
+| `data` | dict[str, Any] | MUST | — | Not thread-safe | SHOULD | |
 
 ### Call-Chain Safety
 
@@ -154,7 +155,7 @@ For cross-process transfer (distributed execution, task queues) Context supports
 - Skipped (runtime-only) fields: `executor`, `cancel_token`, `services`.
 - A `_context_version: 1` field is included for forward compatibility.
 
-After deserialization, the `executor` reference MUST be re-injected before the Context can be used for inter-module calls.
+After deserialization the `executor` field is null. The receiving Executor MUST bind itself on first `Executor.call()` per the unified rule in [Core Executor §Contract: Executor binding to Context](./core-executor.md#contract-executor-binding-to-context) — this covers local construction, cross-process deserialize, and hot-reload restore under a single mechanism. `cancel_token` and `services` are similarly runtime-only: the receiving Executor synthesizes a fresh local `CancelToken`; `services` is re-injected by the application boundary.
 
 ## Edge Cases
 
@@ -487,7 +488,8 @@ The reserved `_apcore.` prefix described in [`data` Key Convention](#data-key-co
     client = APCore()
     user_identity = Identity(id="user-42", type="user", roles=["analyst"])
 
-    context = Context.create(executor=client.executor, identity=user_identity)
+    # Executor self-binds on first call() — no need to pass executor= here.
+    context = Context.create(identity=user_identity)
     context.data["task_info"] = {"type": "report", "date": "2024-01"}
 
     client.executor.call("module_fetch",   inputs={}, context=context)
@@ -509,7 +511,8 @@ The reserved `_apcore.` prefix described in [`data` Key Convention](#data-key-co
     const client = new APCore();
     const userIdentity = createIdentity('user-42', 'user', ['analyst']);
 
-    const context = Context.create(client.executor, userIdentity);
+    // Executor self-binds on first call() — no need to pass it here.
+    const context = Context.create(userIdentity);
     context.data['task_info'] = { type: 'report', date: '2024-01' };
 
     await client.executor.call('module_fetch',   {}, context);
diff --git a/docs/features/core-executor.md b/docs/features/core-executor.md
