pub struct PublishCommit<'a> {
pub req: &'a PublishRequest,
pub authority: &'a str,
pub idempotency: Option<PendingIdempotencyCommit<'a>>,
pub tenant: Option<&'a str>,
pub receipt_minter: Option<&'a (dyn Fn(&Body) -> Result<Value, AcdpError> + Send + Sync)>,
}Expand description
Single-shot atomic publish input (FEAT-01).
Passed to RegistryStore::commit_publish so the predecessor
lookup, supersession check, body insertion, predecessor
supersession marking, and idempotency record are all done under one
critical section. Eliminates TOCTOU races between two concurrent
publishes that target the same supersedes ctx_id or share an
idempotency_key.
Fields§
§req: &'a PublishRequestThe validated, signature-verified publish request.
The hostname the registry serves — used to mint ctx_ids and
stored verbatim into body.origin_registry (BUG-01).
idempotency: Option<PendingIdempotencyCommit<'a>>Idempotency wiring, present iff the registry advertises
caps.supports_idempotency_key and the request carries an
Idempotency-Key.
tenant: Option<&'a str>Tenant this publish is scoped to, if the registry is multi-tenant.
None means untenanted (single-tenant / V0). A multi-tenant store
MUST persist this atomically with the context row so the tenancy is
never observable as the default bucket (and never stranded there on a
crash between insert and a separate stamping UPDATE). Stores that do
not implement tenancy ignore it.
receipt_minter: Option<&'a (dyn Fn(&Body) -> Result<Value, AcdpError> + Send + Sync)>Receipt minting hook (ACDP 0.2, RFC-ACDP-0010). When present,
the store MUST invoke it with the fully assigned Body
(ctx_id / lineage_id / created_at populated) inside the same
critical section / transaction as the insert, persist the
returned receipt with the context, and include it in the
response. A context published under the
acdp-registry-receipts profile must never exist without its
receipt — a crash between insert and mint must not be
observable. None for receipt-less (0.1.0-mode) registries.