LiveEndpoint
The HTTP live loop terminus: verifies a request, dispatches it to a mounted component's `handle()`, re-renders, and returns a response the client can apply. This is the controller the 2026-07-08 lab audit found missing — Sync/Transport/Security were all individually proven but never wired to a real entrypoint. Trust model: the client cannot hold the HMAC signing secret, so it never builds a signed envelope itself. Instead it echoes back — byte for byte — the last `<milpa-state>` envelope the server signed and handed it (first embedded in the SSR'd page, then refreshed on every response). Verifying that envelope (`StateTransferCodecInterface::decodeState()`) is what proves the state hasn't been tampered with since this server last saw it; `action`/`payload` are ordinary untrusted input, constrained instead by the CSRF guard and the contract-based action allowlist.
LiveEndpoint::__construct()
public function __construct(Milpa\Live\Contracts\Component\ComponentRegistryInterface $components, Milpa\Live\Contracts\Transport\StateTransferCodecInterface $codec, Milpa\Live\Contracts\Security\InteractionAuthorizerInterface $authorizer, Milpa\Live\Contracts\Security\CsrfGuardInterface $csrf, string $route, array $renderers = [], array $renderProps = [], ?Milpa\Interfaces\Event\MilpaEventDispatcherInterface $dispatcher = null):Parameters
| Name | Type | Description |
|---|---|---|
| $components | Milpa\Live\Contracts\Component\ComponentRegistryInterface | |
| $codec | Milpa\Live\Contracts\Transport\StateTransferCodecInterface | |
| $authorizer | Milpa\Live\Contracts\Security\InteractionAuthorizerInterface | |
| $csrf | Milpa\Live\Contracts\Security\CsrfGuardInterface | |
| $route | string | |
| $renderers | array<string, ComponentRendererInterface> | component name => renderer used to re-render after handle() |
| $renderProps | array<string, array<string, mixed>> | component name => base render props needed to re-render faithfully (e.g. the live endpoint URL) |
| $dispatcher | ?Milpa\Interfaces\Event\MilpaEventDispatcherInterface |
LiveEndpoint::handle()
public function handle(Milpa\Live\Http\LiveHttpRequest $request, ?Milpa\Live\ValueObjects\SecurityPrincipal $principal = null): Milpa\Live\Http\LiveHttpResponseProcesses one interaction request end to end: method/CSRF/state- signature checks, authorization, dispatch to {@see \Milpa\Live\Contracts\Component\ComponentDefinitionInterface::handle()}, and (when a renderer is registered for the component) re-rendering to HTML. Every failure path returns an {@see LiveHttpResponse} error rather than throwing — this method MUST NOT throw for ordinary bad input (wrong method, missing fields, invalid/expired state signature, failed CSRF/authorization); it is the single point that turns those into the appropriate HTTP status code. `$principal` MUST already be resolved by the caller (e.g. via a {@see \Milpa\Live\Contracts\Security\TokenVerifierInterface}) — this method only consumes it for authorization, it does not perform authentication itself.
Parameters
| Name | Type | Description |
|---|---|---|
| $request | Milpa\Live\Http\LiveHttpRequest | |
| $principal | ?Milpa\Live\ValueObjects\SecurityPrincipal |