pub struct Provenance {
pub trace: TraceContext,
pub tenant: Option<Arc<TenantConfig>>,
pub claims: Option<Arc<Claims>>,
pub session: Option<Arc<Session>>,
}Expand description
Who/where/why for one unit of work — identical shape across transports.
Fields§
§trace: TraceContextW3C trace identity: continued from the caller/producer, or a fresh root.
tenant: Option<Arc<TenantConfig>>Resolved + validated tenant (None = unknown without fallback, or
suspended — callers must treat suspended as a hard cut-off).
claims: Option<Arc<Claims>>Decoded principal claims (JWT / signed cookie), when presented.
session: Option<Arc<Session>>Server-side session, when the session pipeline matched a cookie.
Implementations§
Source§impl Provenance
impl Provenance
Sourcepub async fn from_headers(
headers: &HeaderMap,
container: &FrozenDiContainer,
) -> Self
pub async fn from_headers( headers: &HeaderMap, container: &FrozenDiContainer, ) -> Self
HTTP requests: headers carry everything.
This is the ONE place trace + tenant + credentials meet a header map.
Sourcepub fn from_ws_handshake(
headers: &HeaderMap,
query: Option<&str>,
container: &FrozenDiContainer,
) -> Self
pub fn from_ws_handshake( headers: &HeaderMap, query: Option<&str>, container: &FrozenDiContainer, ) -> Self
WebSocket handshakes: headers, plus ?access_token=<jwt> from the URL.
Identical to Provenance::from_headers except for that one extra
credential source — browsers cannot set headers on new WebSocket(url),
so without it no browser can authenticate a handshake at all. The query
token is only consulted when no header/cookie credential is present, and
it decodes through the same access-JWT path, so the claims a gateway sees
are the same either way. See extract_claims_ws.
No server-side session is loaded: a WS connection authenticates once at upgrade and holds its identity for the life of the socket.
Sourcepub fn from_message(msg: &InboundMessage, container: &FrozenDiContainer) -> Self
pub fn from_message(msg: &InboundMessage, container: &FrozenDiContainer) -> Self
Consumer-mesh messages: the producing request’s identity rides the
envelope. The tenant id is validated against the SAME registry as
HTTP — a suspended tenant’s queued events resolve to None and stop
being processed — and the producer’s traceparent continues the
distributed trace instead of starting an orphan root.
Messages authenticate at the transport (broker credentials), not per
event, so claims/session are absent by design.
Sourcepub fn traceparent(&self) -> String
pub fn traceparent(&self) -> String
traceparent for stamping outbound hops (HTTP calls, outbox rows,
queue envelopes).
Auto Trait Implementations§
impl Freeze for Provenance
impl RefUnwindSafe for Provenance
impl Send for Provenance
impl Sync for Provenance
impl Unpin for Provenance
impl UnsafeUnpin for Provenance
impl UnwindSafe for Provenance
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
impl<ST, DT> CastableFrom<ST, Initialized, Initialized> for DT
impl<ST, DT> CastableFrom<ST, Uninit, Uninit> for DT
Source§impl<T> FutureExt for T
impl<T> FutureExt for T
Source§fn with_context(self, otel_cx: Context) -> WithContext<Self>
fn with_context(self, otel_cx: Context) -> WithContext<Self>
Source§fn with_current_context(self) -> WithContext<Self>
fn with_current_context(self) -> WithContext<Self>
Source§impl<T> Instrument for T
impl<T> Instrument for T
Source§fn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
Source§fn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
Source§impl<T> IntoRequest<T> for T
impl<T> IntoRequest<T> for T
Source§fn into_request(self) -> Request<T>
fn into_request(self) -> Request<T>
T in a tonic::Request