Struct Redaction 

pub struct Redaction {
    pub redacted_blob: ContentHash,
    pub state: ChangeId,
    pub path: String,
    pub reason: String,
    pub redactor: Principal,
    pub redacted_at: DateTime<Utc>,
    pub signature: Option<StateSignature>,
    pub purged_at: Option<DateTime<Utc>>,
    pub supersedes: Option<ContentHash>,
}

A redaction declaration on a single blob in a single state.

Fields

redacted_blob: ContentHash

The blob whose bytes should no longer materialize.

state: ChangeId

The state in which the path resides. A redaction is scoped to the (blob, state, path) triple; --all-states produces one redaction per matching state.

path: String

Path within the state’s tree where the blob lives.

reason: String

Operator-supplied reason (“leaked credential”, “PII”, …).

redactor: Principal

Who declared the redaction.

redacted_at: DateTime<Utc>

When the redaction was declared. RFC3339 string at the wire format boundary; DateTime<Utc> internally.

signature: Option<StateSignature>

Optional cryptographic signature over the canonical signing payload (see [canonical_signing_payload]). None for unsigned redactions (still recorded in the oplog, still surfaced in materialize, but reviewers will see them flagged unsigned).

purged_at: Option<DateTime<Utc>>

When heddle purge removed the underlying blob bytes. None while the redaction is declared-but-bytes-still-on-disk.

supersedes: Option<ContentHash>

The redaction this one supersedes, if any — for chains where the reason or scope was updated. Identified by the prior redaction’s content hash.

Implementations

impl Redaction

pub fn canonical_signing_payload(&self) -> Vec<u8>

Build the canonical bytes a signer covers. Anything outside this payload (e.g. purged_at, signature itself) is intentionally excluded — purges happen after signing, and the signature can’t sign itself.

pub fn mark_purged(&mut self, at: DateTime<Utc>) -> bool

Mark the redaction as purged. Returns true if the state changed (false if already purged — callers can use this for idempotency).

pub fn is_purged(&self) -> bool

Whether the blob bytes are gone from local storage.

pub fn stub_text(&self, redaction_id: &ContentHash) -> String

Format the stub a reader sees instead of the redacted blob content. Plain text, ASCII-only, safe to embed in materialized worktrees and downstream Git exports.

Trait Implementations

impl Clone for Redaction

fn clone(&self) -> Redaction

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Redaction

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for Redaction

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Eq for Redaction

impl PartialEq for Redaction

fn eq(&self, other: &Redaction) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for Redaction

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.

impl StructuralPartialEq for Redaction