Struct DeclaredAuthoritySurface 

pub struct DeclaredAuthoritySurface {
    pub egress_rules: Vec<EgressRule>,
    pub secret_refs: Vec<String>,
    pub dns_queries: Vec<String>,
}

Capability surface declared by the in-VM guest agent.

Distinct from AuthorityCapability (what the host has authorized) — DeclaredAuthoritySurface is what the workload CLAIMS it will use. The host validates declared ⊆ authorized via validate_declared_authority_surface before accepting any guest-side telemetry per ADR-0006 §3.

All three fields are bare-data: no derivation bookkeeping, no signature, no ADG. The surface is treated as an input to host-side validation, not as evidence in itself. Backing evidence for individual events lives in crate::authority::DeclaredAuthority.

An empty surface (all three fields empty) is valid — it means the workload claims the minimal authority surface, which is always a subset of any authorized capability.

Fields

egress_rules: Vec<EgressRule>

Egress rules the workload declares it will exercise. Checked as a subset of the authorizing AuthorityCapability::egress_rules under the same host/port/protocol equality the host-side superset check uses (host case-insensitive, port and protocol exact).

secret_refs: Vec<String>

Secret refs the workload declares it will request from the broker. Checked as a subset of AuthorityCapability::secret_refs.

dns_queries: Vec<String>

Hostname patterns the workload declares it will resolve. Kept as a distinct list from egress_rules because DNS resolution can target hostnames the cell does not subsequently dial (e.g. health-check lookups, telemetry of getaddrinfo calls). The host does not subset-check these against egress_rules — DNS authority lives on its own dimension (see crate::types::DnsAuthority). The list is retained here so the host can later cross-reference against dnsAuthority.hostnameAllowlist if the surface is wired into the SEC-21 / SEC-22 dataplane validators; F2 itself only audits presence.

Implementations

impl DeclaredAuthoritySurface

pub fn empty() -> Self

Construct an empty surface — the workload claims the minimal authority surface (no egress, no secrets, no DNS).

pub fn is_empty(&self) -> bool

true iff every field is empty. An empty surface is always a valid subset of any authorized AuthorityCapability.

Trait Implementations

impl Clone for DeclaredAuthoritySurface

fn clone(&self) -> DeclaredAuthoritySurface

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for DeclaredAuthoritySurface

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for DeclaredAuthoritySurface

fn default() -> DeclaredAuthoritySurface

Returns the “default value” for a type.

impl<'de> Deserialize<'de> for DeclaredAuthoritySurface

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl PartialEq for DeclaredAuthoritySurface

fn eq(&self, other: &DeclaredAuthoritySurface) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for DeclaredAuthoritySurface

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.

impl Eq for DeclaredAuthoritySurface

impl StructuralPartialEq for DeclaredAuthoritySurface