Struct ScopedStateView 

pub struct ScopedStateView<'a> { /* private fields */ }

Tenant-scoped view over a StateStore. All key arguments are transparently prefixed with tenant:<tenant_id>: before hitting the underlying store; on the way out, the prefix is stripped so callers see their original keys.

Construct via StateStore::scoped. When tenant is None, the prefix is empty and the view is functionally equivalent to the unscoped methods on StateStore — useful for code paths that always go through this view regardless of whether scope is active.

Isolation guarantee

Two views with distinct tenant strings cannot observe each other’s writes through get / exists / keys. The transitions log still records the full (prefixed) key so audit / replay sees the actual storage layout.

What isolation does not cover (phase 3 follow-ups)

• StateStore::snapshot / restore are deliberately unscoped — they’re called at proposal boundaries for rollback and need to see the whole map. Per-tenant partial rollback is a known concurrency hole when multiple proposals run interleaved; the pre-#187 baseline has the same issue, and fixing it cleanly requires either serializing per-tenant or extending the transactional model. Tracked as a follow-up.
• The journal file (when durability is on) records full prefixed keys. Operators rotating tenants out can grep the journal by prefix.

Implementations

impl<'a> ScopedStateView<'a>

pub fn get(&self, key: &str) -> Option<Value>

pub fn get_or(&self, key: &str, default: Value) -> Value

pub fn exists(&self, key: &str) -> bool

pub fn set(&self, key: &str, value: Value, action_id: &str) -> StateTransition

pub fn set_with_ttl( &self, key: &str, value: Value, action_id: &str, ttl_secs: u64, ) -> StateTransition

pub fn delete(&self, key: &str, action_id: &str) -> Option<StateTransition>

pub fn keys(&self) -> Vec<String>

Return keys belonging to this tenant only, with the tenant:<id>: prefix stripped so callers see their original key names. Unscoped views (no tenant) return only keys that don’t start with tenant: — preventing accidental visibility of scoped state through a legacy code path.