#951 (Track A QC sweep, 2026-05-20) — canonical
is_visible_to_caller helper, non-sal-gated so both feature
flag profiles share the same predicate. See module docstring
for the drift history that motivated the consolidation.
v0.7.0 #951 (Track A QC sweep, 2026-05-20) — single canonical
is_visible_to_caller helper, available on both sal and
non-sal builds.
Pre-#951 the same visibility check was inlined / duplicated in at least 3 sites:
- src/store/mod.rs::is_visible_to_caller (sal-gated; canonical)
- src/handlers/memories_query.rs::is_visible_to_caller (handler-local duplicate; DRIFT — missing the metadata.target_agent_id inbox carve-out)
- src/handlers/memories.rs::get_memory (inline gate per #927; couldn’t import the canonical version because crate::store is #[cfg(feature = "sal")]-gated)
Moving the helper here (not gated) lets the sqlite-only build, the sal-only build, and the sal-postgres build all share the same predicate so future scope semantics can change once and land everywhere.
Semantics (load-bearing — DO NOT drift):
is_visible_to_caller(mem, caller) returns true iff:
- mem.metadata.scope != "private" (rows without the field
default to private per the CLAUDE.md NHI contract), OR
- mem.metadata.agent_id == caller (owner), OR
- mem.metadata.target_agent_id == caller (inbox carve-out:
the sender stamps target_agent_id on a private-by-default
_inbox/<recipient> row so the recipient can read their own
inbox even though the row is scope=private under the
sender’s ownership).
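The three clauses above, written out as an added example (not the crate's own code) and compared against a copy that lacks the inbox carve-out, which is the drift described for the handler-local duplicate. The Metadata struct, the drifted_duplicate and drift_cases names, the "shared" scope value and the sample rows are assumptions constructed for illustration.

```rust
// Added illustration: Metadata is a stand-in for the crate's memory metadata.
struct Metadata {
    scope: Option<String>,           // missing field is treated as "private"
    agent_id: Option<String>,        // owner of the row
    target_agent_id: Option<String>, // inbox recipient stamped by the sender
}

/// Predicate as stated in the semantics list above.
fn is_visible_to_caller(m: &Metadata, caller: &str) -> bool {
    let scope = m.scope.as_deref().unwrap_or("private");
    scope != "private"
        || m.agent_id.as_deref() == Some(caller)
        || m.target_agent_id.as_deref() == Some(caller)
}

/// Assumed shape of a drifted copy: same gate, no inbox carve-out.
fn drifted_duplicate(m: &Metadata, caller: &str) -> bool {
    let scope = m.scope.as_deref().unwrap_or("private");
    scope != "private" || m.agent_id.as_deref() == Some(caller)
}

fn row(scope: Option<&str>, owner: &str, target: Option<&str>) -> Metadata {
    Metadata {
        scope: scope.map(String::from),
        agent_id: Some(owner.to_string()),
        target_agent_id: target.map(String::from),
    }
}

/// Runs both predicates over constructed rows and returns the indices
/// where they disagree for `caller`.
fn drift_cases(caller: &str) -> Vec<usize> {
    let rows = [
        row(Some("shared"), "alice", None),           // 0: non-private scope
        row(None, "alice", None),                     // 1: no scope, so private
        row(Some("private"), "bob", None),            // 2: bob owns the row
        row(Some("private"), "alice", Some("bob")),   // 3: _inbox row for bob
        row(Some("private"), "alice", Some("carol")), // 4: _inbox row for carol
    ];
    rows.iter()
        .enumerate()
        .filter(|(_, m)| is_visible_to_caller(m, caller) != drifted_duplicate(m, caller))
        .map(|(i, _)| i)
        .collect()
}

fn main() {
    println!("rows where the copies disagree for bob: {:?}", drift_cases("bob"));
}
```

A table of rows like this, run against every call site, is the kind of regression check that catches a duplicate losing a clause: only the inbox row distinguishes the two predicates.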
Functions
- is_visible_to_caller - Returns true when the caller is entitled to see the memory.