pub trait ExecutionNonceStore: Send + Sync {
    // Required method
    fn reserve(&self, nonce_id: &str) -> Result<bool, KernelError>;

    // Provided method
    fn reserve_until(
        &self,
        nonce_id: &str,
        _nonce_expires_at: i64,
    ) -> Result<bool, KernelError> { ... }
}
Persistence boundary for replay-prevention of execution nonces.
Implementations MUST ensure that reserve(nonce_id) returns true
exactly once per nonce identifier. All subsequent calls for the same
identifier return false. Fail-closed: any internal error is returned
via KernelError so the caller can deny the request.
Required Methods

fn reserve(&self, nonce_id: &str) -> Result<bool, KernelError>
Attempt to reserve (consume) the given nonce identifier.
- Ok(true) – nonce was fresh; it is now marked consumed.
- Ok(false) – nonce has already been consumed (replay detected).
- Err(_) – the store is unreachable or corrupted; fail-closed.
Prefer Self::reserve_until when the caller knows the signed
expiry of the nonce: durable stores need to retain the consumed
marker at least as long as the signed nonce is valid, otherwise
the row may be pruned and the nonce can be replayed within its
remaining validity window.
Provided Methods

fn reserve_until(
    &self,
    nonce_id: &str,
    _nonce_expires_at: i64,
) -> Result<bool, KernelError>
Reserve a nonce while telling the store when the nonce stops
being cryptographically valid. Durable implementations (SQLite,
remote KV stores) MUST retain the consumed marker until at least
nonce_expires_at so replay protection covers the nonce’s full
validity window.
The default implementation falls back to Self::reserve for
in-memory / best-effort stores that already track retention
internally. nonce_expires_at is wall-clock unix seconds.
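The following is an added illustration, not code from the crate that defines this trait: a hypothetical in-memory `MemoryNonceStore` that implements `ExecutionNonceStore` with the semantics described above (true exactly once per id, false on replay, fail-closed on a poisoned lock) and that honours the `reserve_until` retention rule by keeping each consumed marker at least until the nonce's signed expiry. `KernelError` is not shown on this page, so a stand-in enum with a single `StoreUnavailable` variant is assumed; `reserve_with_clock` and `retained` are helpers introduced here so the retention behaviour can be driven with an explicit clock.

```rust
use std::collections::HashMap;
use std::sync::Mutex;
use std::time::{SystemTime, UNIX_EPOCH};

// Assumption: stand-in for the kernel crate's KernelError, which this page does not show.
#[derive(Debug)]
pub enum KernelError {
    StoreUnavailable(String),
}

// The trait as documented above, reproduced so this file compiles on its own.
pub trait ExecutionNonceStore: Send + Sync {
    fn reserve(&self, nonce_id: &str) -> Result<bool, KernelError>;

    fn reserve_until(&self, nonce_id: &str, _nonce_expires_at: i64) -> Result<bool, KernelError> {
        self.reserve(nonce_id)
    }
}

/// Hypothetical in-memory store (not part of the crate): maps a consumed
/// nonce id to the unix second until which its marker must be retained.
pub struct MemoryNonceStore {
    consumed: Mutex<HashMap<String, i64>>,
    /// Retention used when the caller gives no signed expiry (plain `reserve`).
    default_retention_secs: i64,
}

impl MemoryNonceStore {
    pub fn new(default_retention_secs: i64) -> Self {
        MemoryNonceStore {
            consumed: Mutex::new(HashMap::new()),
            default_retention_secs,
        }
    }

    fn now() -> i64 {
        SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .map(|d| d.as_secs() as i64)
            .unwrap_or(0)
    }

    /// Clock-injected core so the retention rule can be exercised deterministically.
    /// Returns Ok(true) exactly once per id while its marker is retained.
    pub fn reserve_with_clock(&self, nonce_id: &str, keep_until: i64, now: i64) -> Result<bool, KernelError> {
        // A poisoned mutex means a writer panicked mid-update; fail closed rather than guess.
        let mut map = self
            .consumed
            .lock()
            .map_err(|e| KernelError::StoreUnavailable(e.to_string()))?;
        // Prune only markers whose retention deadline has passed. A nonce whose
        // signed expiry is behind `now` is rejected by the signature check anyway.
        map.retain(|_, keep| *keep >= now);
        if map.contains_key(nonce_id) {
            return Ok(false); // replay detected
        }
        map.insert(nonce_id.to_string(), keep_until);
        Ok(true)
    }

    /// Number of consumed markers currently retained (for inspection).
    pub fn retained(&self) -> usize {
        self.consumed.lock().map(|m| m.len()).unwrap_or(0)
    }
}

impl ExecutionNonceStore for MemoryNonceStore {
    fn reserve(&self, nonce_id: &str) -> Result<bool, KernelError> {
        let now = Self::now();
        self.reserve_with_clock(nonce_id, now + self.default_retention_secs, now)
    }

    // Keep the marker at least until the signed expiry, never shorter than the default.
    fn reserve_until(&self, nonce_id: &str, nonce_expires_at: i64) -> Result<bool, KernelError> {
        let now = Self::now();
        let keep_until = nonce_expires_at.max(now + self.default_retention_secs);
        self.reserve_with_clock(nonce_id, keep_until, now)
    }
}

fn main() {
    let store = MemoryNonceStore::new(60);
    let expires_at = MemoryNonceStore::now() + 300;
    // Constructed nonce id: the first reservation succeeds, the second is a replay.
    println!("{:?}", store.reserve_until("exec-0001", expires_at)); // Ok(true)
    println!("{:?}", store.reserve_until("exec-0001", expires_at)); // Ok(false)
}
```

The pruning step is the part that matters for the retention caveat: a marker is dropped only once `now` is past its `keep_until`, and `reserve_until` sets `keep_until` to at least the signed expiry, so a still-valid nonce can never be pruned and replayed. A durable backend would apply the same rule to its delete or TTL logic.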