Expand description
Secret-bearing and opaque-identifier newtypes.
Secret types wrap a SecretString whose Debug (and Display, where
present) implementations are redacted, so a plaintext code, session secret,
or form-token secret cannot leak through logs, panic messages, or
{:?}-formatting (threat model INV-1, SR-38). The plaintext is reachable
only through an explicit SecretString::expose call, which is easy to
grep for in review.
These are the v0.1 foundations of the typestate model in RFC-019. They are deliberately minimal: enough to make misuse visible, without committing to the full typestate surface before the store traits exist.
Structs§
- CodeId
- Identifier of a code record. Not a secret; safe to log and display.
- Form
Token Secret - A form-token secret in plaintext. Lives only in the rendered form or a short-lived cookie; only its derived lookup key is stored (RFC-007).
- Normalized
Code - A one-time code after normalization (whitespace/hyphen stripped, uppercased).
- Plain
Code - A one-time code in plaintext — either freshly generated for one-time display, or received as user input. Never persisted (INV-1).
- Purpose
- A validated purpose label for a code or form token (RFC-019).
- Scope
Key - A scope key — an optional host-owned boundary label (community ID, tenant, etc.) used to restrict code lookup and revocation (RFC-019).
- Secret
String - A string holding a sensitive value whose contents are never shown by
DebugorDisplay. - Session
Id - Identifier of a session record. Not a bearer credential on its own (RFC-006 §13.1).
- Session
Secret - A session secret in plaintext. Lives only in the cookie; only its derived lookup key is stored (RFC-006).
- Subject
Id - Host-owned identity anchor returned after authentication. codlet does not interpret its meaning (RFC-001).