net-mesh 0.23.0

High-performance, schema-agnostic, backend-agnostic event bus
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180

//! `WriteToken` — typed handle to a specific write on a specific
//! origin's chain. Returned by event-ingest paths; consumed by
//! read-your-writes wait primitives.
//!
//! The substrate uses a 64-bit `origin_hash` throughout (see
//! `identity::entity::EntityKeypair::origin_hash`). An earlier draft
//! of the Dataforts plan speculated a 32-byte origin; the substrate
//! shape wins because every causal-chain primitive already keys on
//! `u64`.
//!
//! ## Threat model
//!
//! `WriteToken` is **plain in-process data**, not a signed
//! capability. The fields are `pub` so the FFI / binding layer can
//! marshal them without going through `serde`; in-process callers
//! can construct any token they want. RYW guarantees are upheld by
//! the *adapter*: `TasksAdapter::wait_for_token` and
//! `MemoriesAdapter::wait_for_token` reject tokens whose
//! `origin_hash` doesn't match the adapter's own bound origin
//! ([`super::cortex::WaitForTokenError::WrongOrigin`]).
//!
//! This means the trust boundary is the adapter handle, not the
//! token. A caller holding a `TasksAdapter` bound to origin X
//! cannot use it to learn anything about origin Y by forging a
//! token — `wait_for_token` will reject and `note_wrong_origin`
//! will trip the metric. Tokens crossing the wire (e.g. encoded
//! into another origin's payload) must be treated as untrusted
//! input; the receiving side validates via the adapter binding
//! before honoring them.

use std::fmt;
use std::str::FromStr;

/// Address of a write — origin (which chain) + seq (which event on
/// that chain). Round-trips through every binding as a typed value.
///
/// Treat tokens as **opaque, in-process data**. They are not
/// signed. The fields are `pub` so FFI / binding layers can
/// marshal them; application code should not synthesise tokens.
/// See module-level docs for the trust model — origin-bound
/// adapters reject mismatched tokens at `wait_for_token`.
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub struct WriteToken {
    /// 64-bit hash of the entity whose chain this write landed on
    /// (`EntityKeypair::origin_hash`).
    pub origin_hash: u64,
    /// Per-chain monotonic sequence assigned by `RedexFile::append`.
    pub seq: u64,
}

impl WriteToken {
    /// Construct a token from its components. **Not for application
    /// use** — the ingest path returns tokens with the right
    /// `(origin_hash, seq)` already attached. Exposed only so
    /// FFI / binding layers can marshal tokens across the
    /// language boundary. Hand-rolled tokens that don't match an
    /// actually-issued ingest produce waits that will hang until
    /// the deadline expires or `WrongOrigin` rejects.
    #[doc(hidden)]
    pub const fn new(origin_hash: u64, seq: u64) -> Self {
        Self { origin_hash, seq }
    }
}

/// `<origin_hex>:<seq>` — chosen for grep-ability against the
/// `causal:<hex>:<seq>` reserved-prefix tag shape. Stable wire
/// form for log/CLI surfaces; bindings serialise the struct
/// directly instead.
impl fmt::Display for WriteToken {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{:016x}:{}", self.origin_hash, self.seq)
    }
}

/// Errors returned by [`WriteToken::from_str`].
#[derive(Debug, PartialEq, Eq)]
pub enum WriteTokenParseError {
    /// Input did not contain the `:` that separates origin from seq.
    MissingSeparator,
    /// Origin portion was not 16 lowercase hex characters.
    BadOrigin,
    /// Seq portion did not parse as a decimal `u64`.
    BadSeq,
}

impl fmt::Display for WriteTokenParseError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::MissingSeparator => f.write_str("expected `<origin_hex>:<seq>`"),
            Self::BadOrigin => f.write_str("origin must be 16 lowercase hex chars"),
            Self::BadSeq => f.write_str("seq must be a decimal u64"),
        }
    }
}

impl std::error::Error for WriteTokenParseError {}

impl FromStr for WriteToken {
    type Err = WriteTokenParseError;

    fn from_str(s: &str) -> Result<Self, Self::Err> {
        let (origin_str, seq_str) = s
            .split_once(':')
            .ok_or(WriteTokenParseError::MissingSeparator)?;
        if origin_str.len() != 16 {
            return Err(WriteTokenParseError::BadOrigin);
        }
        let origin_hash =
            u64::from_str_radix(origin_str, 16).map_err(|_| WriteTokenParseError::BadOrigin)?;
        let seq: u64 = seq_str.parse().map_err(|_| WriteTokenParseError::BadSeq)?;
        Ok(Self::new(origin_hash, seq))
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn display_pads_origin_to_16_hex() {
        let token = WriteToken::new(0xDEAD_BEEF, 42);
        assert_eq!(token.to_string(), "00000000deadbeef:42");
    }

    #[test]
    fn display_round_trips_via_from_str() {
        let token = WriteToken::new(0x0123_4567_89AB_CDEF, 12345);
        let parsed: WriteToken = token.to_string().parse().unwrap();
        assert_eq!(parsed, token);
    }

    #[test]
    fn from_str_rejects_missing_separator() {
        assert_eq!(
            "deadbeef".parse::<WriteToken>(),
            Err(WriteTokenParseError::MissingSeparator)
        );
    }

    #[test]
    fn from_str_rejects_short_origin() {
        assert_eq!(
            "deadbeef:1".parse::<WriteToken>(),
            Err(WriteTokenParseError::BadOrigin)
        );
    }

    #[test]
    fn from_str_rejects_non_hex_origin() {
        assert_eq!(
            "zzzzzzzzzzzzzzzz:1".parse::<WriteToken>(),
            Err(WriteTokenParseError::BadOrigin)
        );
    }

    #[test]
    fn from_str_rejects_bad_seq() {
        assert_eq!(
            "0000000000000001:-1".parse::<WriteToken>(),
            Err(WriteTokenParseError::BadSeq)
        );
    }

    #[test]
    fn equality_is_componentwise() {
        let a = WriteToken::new(1, 2);
        let b = WriteToken::new(1, 2);
        let c = WriteToken::new(1, 3);
        let d = WriteToken::new(2, 2);
        assert_eq!(a, b);
        assert_ne!(a, c);
        assert_ne!(a, d);
    }

    #[test]
    fn token_is_copy() {
        fn assert_copy<T: Copy>() {}
        assert_copy::<WriteToken>();
    }
}