pub struct NamespaceToken { /* private fields */ }Expand description
Authorization proof that a caller is permitted to access a specific namespace.
Created by crate::VerbRegistry::dispatch after the gate approves the request.
The sealed inner field prevents external code from constructing a token
without going through the authorization path.
The namespace field is the write namespace: all records created via
this token land in that namespace. visible is the read visibility set:
list/search/get operations will return records from any namespace in this
set. The write namespace is always a member of the visible set.
Single-namespace behaviour (backward-compatible default): visible contains
exactly [namespace] — identical to the old strict-equality checks.
Implementations§
Source§impl NamespaceToken
impl NamespaceToken
Sourcepub fn namespace(&self) -> &Namespace
pub fn namespace(&self) -> &Namespace
Return the write namespace this token authorises.
All records created via this token land in this namespace.
Sourcepub fn visible_namespaces(&self) -> &[Namespace]
pub fn visible_namespaces(&self) -> &[Namespace]
Return the read-visibility set.
List, search, and get operations must accept records whose namespace is a member of this set. The write namespace is always included.
Sourcepub fn visible_namespace_strs(&self) -> Vec<&str>
pub fn visible_namespace_strs(&self) -> Vec<&str>
Return a deduplicated list of visible namespace strings (borrowed).
Convenience for passing directly to storage layer filters.
Sourcepub fn with_namespace(&self, ns: Namespace) -> Self
pub fn with_namespace(&self, ns: Namespace) -> Self
Return a new token with the same actor but a different namespace.
The visible set is replaced with [ns]: this is a full read+write token
for ns, not a type-enforced write-only or append-only capability. It is
a capability-transfer primitive, not a policy gate: callers must enforce
any ACL check before calling this and use the minted token only within
the intended narrow scope (e.g. a single create_note call). A future
security model should replace this pattern with a type-enforced
append-only capability that goes through the Gate.
Trait Implementations§
Source§impl Clone for NamespaceToken
impl Clone for NamespaceToken
Source§fn clone(&self) -> NamespaceToken
fn clone(&self) -> NamespaceToken
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more