pub struct NamespaceToken { /* private fields */ }Expand description
Authorization proof that a caller is permitted to access a specific namespace.
Created by crate::VerbRegistry::dispatch after the gate approves the request.
The sealed inner field prevents external code from constructing a token
without going through the authorization path.
The namespace field is the write namespace: all records created via
this token land in that namespace. visible is the read visibility set:
list/search/get operations will return records from any namespace in this
set. The write namespace is always a member of the visible set.
Single-namespace behaviour (backward-compatible default): visible contains
exactly [namespace] — identical to the old strict-equality checks.
Implementations§
Source§impl NamespaceToken
impl NamespaceToken
Sourcepub fn namespace(&self) -> &Namespace
pub fn namespace(&self) -> &Namespace
Return the write namespace this token authorises.
All records created via this token land in this namespace.
Sourcepub fn visible_namespaces(&self) -> &[Namespace]
pub fn visible_namespaces(&self) -> &[Namespace]
Return the read-visibility set.
List, search, and get operations must accept records whose namespace is a member of this set. The write namespace is always included.
Sourcepub fn visible_namespace_strs(&self) -> Vec<&str>
pub fn visible_namespace_strs(&self) -> Vec<&str>
Return a deduplicated list of visible namespace strings (borrowed).
Convenience for passing directly to storage layer filters.
Sourcepub fn with_namespace(&self, ns: Namespace) -> Self
pub fn with_namespace(&self, ns: Namespace) -> Self
Return a new token with the same actor but a different namespace.
The visible set is replaced with [ns] — the minted token has
namespace = ns and visible = [ns]. This is a full read+write token
for ns: public runtime APIs (list_notes, update_note, delete_note,
etc.) accept it and will operate on ns. It is NOT a type-enforced
write-only or append-only capability. This is a capability-transfer
primitive, not a policy gate: the caller is responsible for enforcing any
ACL check before calling this method and for using the minted token only
in the intended narrow scope (e.g. a single create_note call).
Callers today:
khive-pack-memoryFTS fanout: iterates token’s own visible set; no escalation.khive-pack-comminbound delivery: mints a token for the recipient ns, gated byactor.allowed_outbound_namespacesallowlist check immediately before, and uses it for exactly onecreate_notecall (append-only by convention, not by type enforcement).
Under a security model (cloud, mutual auth), replace this call pattern with a
type-enforced append-only capability or a comm.ingest Subhandler dispatch
(see ADR-056/ADR-053) that goes through the Gate.
Trait Implementations§
Source§impl Clone for NamespaceToken
impl Clone for NamespaceToken
Source§fn clone(&self) -> NamespaceToken
fn clone(&self) -> NamespaceToken
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more