Skip to content
docsv0.1.0

LiveEndpoint

The HTTP live loop terminus: verifies a request, dispatches it to a mounted component's `handle()`, re-renders, and returns a response the client can apply. This is the controller the 2026-07-08 lab audit found missing — Sync/Transport/Security were all individually proven but never wired to a real entrypoint. Trust model: the client cannot hold the HMAC signing secret, so it never builds a signed envelope itself. Instead it echoes back — byte for byte — the last `<milpa-state>` envelope the server signed and handed it (first embedded in the SSR'd page, then refreshed on every response). Verifying that envelope (`StateTransferCodecInterface::decodeState()`) is what proves the state hasn't been tampered with since this server last saw it; `action`/`payload` are ordinary untrusted input, constrained instead by the CSRF guard and the contract-based action allowlist.

LiveEndpoint::__construct()

public function __construct(Milpa\Live\Contracts\Component\ComponentRegistryInterface $components, Milpa\Live\Contracts\Transport\StateTransferCodecInterface $codec, Milpa\Live\Contracts\Security\InteractionAuthorizerInterface $authorizer, Milpa\Live\Contracts\Security\CsrfGuardInterface $csrf, string $route, array $renderers = [], array $renderProps = [], ?Milpa\Interfaces\Event\MilpaEventDispatcherInterface $dispatcher = null):

Parameters

Parameters of __construct()
NameTypeDescription
$componentsMilpa\Live\Contracts\Component\ComponentRegistryInterface
$codecMilpa\Live\Contracts\Transport\StateTransferCodecInterface
$authorizerMilpa\Live\Contracts\Security\InteractionAuthorizerInterface
$csrfMilpa\Live\Contracts\Security\CsrfGuardInterface
$routestring
$renderersarray<string, ComponentRendererInterface>component name => renderer used to re-render after handle()
$renderPropsarray<string, array<string, mixed>>component name => base render props needed to re-render faithfully (e.g. the live endpoint URL)
$dispatcher?Milpa\Interfaces\Event\MilpaEventDispatcherInterface

LiveEndpoint::handle()

public function handle(Milpa\Live\Http\LiveHttpRequest $request, ?Milpa\Live\ValueObjects\SecurityPrincipal $principal = null): Milpa\Live\Http\LiveHttpResponse

Processes one interaction request end to end: method/CSRF/state- signature checks, authorization, dispatch to {@see \Milpa\Live\Contracts\Component\ComponentDefinitionInterface::handle()}, and (when a renderer is registered for the component) re-rendering to HTML. Every failure path returns an {@see LiveHttpResponse} error rather than throwing — this method MUST NOT throw for ordinary bad input (wrong method, missing fields, invalid/expired state signature, failed CSRF/authorization); it is the single point that turns those into the appropriate HTTP status code. `$principal` MUST already be resolved by the caller (e.g. via a {@see \Milpa\Live\Contracts\Security\TokenVerifierInterface}) — this method only consumes it for authorization, it does not perform authentication itself.

Parameters

Parameters of handle()
NameTypeDescription
$requestMilpa\Live\Http\LiveHttpRequest
$principal?Milpa\Live\ValueObjects\SecurityPrincipal