Struct ChannelConfig 

pub struct ChannelConfig {
    pub channel_id: ChannelId,
    pub visibility: Visibility,
    pub publish_caps: Option<CapabilityFilter>,
    pub subscribe_caps: Option<CapabilityFilter>,
    pub require_token: bool,
    pub token_roots: Vec<EntityId>,
    pub priority: u8,
    pub reliable: bool,
    pub max_rate_pps: Option<u32>,
}

Channel configuration with capability-based access control.

Authorization flow:

  1. Node announces capabilities via CapabilityAd
  2. If publish_caps is set, node’s CapabilitySet must match the filter
  3. If require_token is true, node must also have a valid PermissionToken
  4. On success, (origin_hash, channel_hash) is inserted into the AuthGuard

§Capability filters are advisory, not an access boundary

publish_caps / subscribe_caps match against a node’s self-advertised CapabilitySet: a peer declares its own capabilities in its own signed announcement, so any peer can satisfy a cap-filter simply by advertising the required tag (e.g. self-asserting role:admin). Treat cap-filters as matchmaking / intent-routing, not as a security boundary.

The actual access boundary is require_token + token_roots: a root-anchored TokenChain cannot be forged because each link is signature-verified up to a root the channel explicitly trusts. Any channel that must restrict who can publish or subscribe must use token enforcement; a cap-filter alone restricts nothing.

Fields§

§channel_id: ChannelId

Channel identity (name + hash).

§visibility: Visibility

Visibility scope for subnet routing.

§publish_caps: Option<CapabilityFilter>

Capability requirements for publishing. None = any node can publish. Advisory only — matched against the node’s self-advertised caps; use require_token for a real boundary.

§subscribe_caps: Option<CapabilityFilter>

Capability requirements for subscribing. None = any node can subscribe. Advisory only — matched against the node’s self-advertised caps; use require_token for a real boundary.

§require_token: bool

Whether a valid PermissionToken is required (in addition to capabilities).

§token_roots: Vec<EntityId>

Entities whose signature roots a valid token chain for this channel — the channel’s root(s) of trust.

When require_token is set, a presented TokenChain is only honored if its root link (tokens[0].issuer) is one of these entities. This is the anchor the bare-token path lacked: without it check/can_subscribe only verified a token was internally self-consistent (the named issuer signed it), so any peer could self-issue issuer = subject = self and pass. An empty token_roots combined with require_token = true fails closed — there is no authority a chain could anchor to, so nothing is authorized.

§priority: u8

Default priority level for this channel’s packets (0 = lowest).

§reliable: bool

Default reliability mode for streams on this channel.

§max_rate_pps: Option<u32>

Optional rate limit in packets per second.

Implementations§

impl ChannelConfig

pub fn new(channel_id: ChannelId) -> ChannelConfig

Create a new channel config with defaults (open access, global visibility).

pub fn with_visibility(self, visibility: Visibility) -> ChannelConfig

Set visibility.

pub fn with_publish_caps(self, filter: CapabilityFilter) -> ChannelConfig

Set capability requirements for publishing.

Advisory matchmaking, not access control: caps are self-advertised, so any peer can satisfy the filter by declaring the tag. Combine with Self::with_token_roots to actually restrict publishers.

pub fn with_subscribe_caps(self, filter: CapabilityFilter) -> ChannelConfig

Set capability requirements for subscribing.

Advisory matchmaking, not access control: caps are self-advertised, so any peer can satisfy the filter by declaring the tag. Combine with Self::with_token_roots to actually restrict subscribers.

pub fn with_require_token(self, require: bool) -> ChannelConfig

Require a valid permission token.

pub fn with_token_roots(self, roots: Vec<EntityId>) -> ChannelConfig

Require a token chain rooted at one of roots. Sets require_token = true and installs the channel’s authorizing root(s). This is the safe way to turn on token enforcement — with_require_token(true) alone (no roots) fails every authorization closed, since a chain has no authority to anchor to.

pub fn token_required(&self) -> bool

Whether this channel enforces token authorization.

Enforcement is on when require_token is set or any token_roots are configured. Coupling the two means a config that names roots but forgot to flip require_token (e.g. built by struct literal or direct field assignment rather than Self::with_token_roots) still enforces, instead of silently admitting every peer — the fields are both public, so the invariant can’t be guaranteed at construction. All token gates (subscribe, publish, the periodic sweep, the publish re-check) consult this rather than require_token directly.

pub fn with_priority(self, priority: u8) -> ChannelConfig

Set default priority.

pub fn with_reliable(self, reliable: bool) -> ChannelConfig

Set default reliability.

pub fn with_rate_limit(self, pps: u32) -> ChannelConfig

Set rate limit.

pub fn can_publish(
    &self,
    node_caps: &CapabilitySet,
    entity_id: &EntityId,
    chain: Option<&TokenChain>,
    revocation: &RevocationRegistry,
    skew_secs: u64,
) -> bool

Check if entity_id is authorized to publish on this channel, presenting chain.

See Self::can_subscribe for the chain-verification contract; this is the PUBLISH-scope counterpart.

pub fn can_subscribe(
    &self,
    node_caps: &CapabilitySet,
    entity_id: &EntityId,
    chain: Option<&TokenChain>,
    revocation: &RevocationRegistry,
    skew_secs: u64,
) -> bool

Check if entity_id is authorized to subscribe to this channel, presenting chain.

When require_token is set, chain must be a TokenChain that (a) roots at one of Self::token_roots, (b) is bound at its leaf to entity_id (the AEAD-verified presenter), and (c) authorizes SUBSCRIBE on this channel at every link with no link revoked. A missing chain, an empty token_roots, or a chain that fails verification all reject — fail closed.
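The root-anchoring contract above, together with the token_roots fail-closed rule and the token_required coupling, as a simplified model. This is an added example, not the crate's own code: EntityId as u32, Token, link, Config, self_consistent and the signed_by field (standing in for ed25519 verification) are assumptions, and time bounds, action/channel scope and capability filters are left out.

```rust
// Added example: simplified stand-ins, not the crate's real types or crypto.
type EntityId = u32;

struct Token {
    issuer: EntityId,
    subject: EntityId,
    signed_by: EntityId, // stand-in for the ed25519 check: who really signed
    revoked: bool,
}

// An honestly signed, unrevoked link from `issuer` to `subject`.
fn link(issuer: EntityId, subject: EntityId) -> Token {
    Token { issuer, subject, signed_by: issuer, revoked: false }
}

struct Config {
    require_token: bool,
    token_roots: Vec<EntityId>,
}

impl Config {
    // Enforcement is on when either field says so.
    fn token_required(&self) -> bool {
        self.require_token || !self.token_roots.is_empty()
    }
    // The unanchored check: each token is only internally self-consistent.
    fn self_consistent(chain: &[Token]) -> bool {
        !chain.is_empty() && chain.iter().all(|t| t.signed_by == t.issuer)
    }
    // Root-anchored check; every failure path rejects (fail closed).
    fn can_subscribe(&self, presenter: EntityId, chain: Option<&[Token]>) -> bool {
        if !self.token_required() { return true; } // open channel, nothing to verify
        let chain = match chain {
            Some(c) if !c.is_empty() => c,
            _ => return false, // missing or empty chain
        };
        let rooted = self.token_roots.contains(&chain[0].issuer); // empty roots: never true
        let linked = chain.windows(2).all(|w| w[0].subject == w[1].issuer);
        let bound = chain[chain.len() - 1].subject == presenter;
        let valid = chain.iter().all(|t| t.signed_by == t.issuer && !t.revoked);
        rooted && linked && bound && valid
    }
}

fn main() {
    let cfg = Config { require_token: false, token_roots: vec![1] };
    let forged = [link(66, 66)]; // self-issued: issuer = subject = self
    println!("{} {}", Config::self_consistent(&forged), cfg.can_subscribe(66, Some(&forged[..])));
}
```

The self-issued token passes the self-consistency check but is rejected once the chain must root at a configured entity, even though require_token was left false in the struct literal.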

pub fn reverify_subscribe(
    &self,
    chain: &TokenChain,
    entity_id: &EntityId,
    revocation: &RevocationRegistry,
    skew_secs: u64,
) -> bool

Re-verify a previously-presented SUBSCRIBE chain against the current clock + revocation floors, anchored to this channel’s roots. Shared by the periodic expiry sweep and the publish-time re-check so the root-anchoring contract (which roots, which action, which channel hash) lives in exactly one place instead of being re-threaded at each call site — where it had already started to diverge (token_roots vs. an unwrap_or(&[]) fallback).

pub fn reverify_subscribe_presigned(
    &self,
    chain: &TokenChain,
    entity_id: &EntityId,
    revocation: &RevocationRegistry,
    skew_secs: u64,
) -> bool

Like Self::reverify_subscribe but skips the per-link ed25519 signature verification — for callers re-checking a chain whose signatures already verified once (immutable tokens). Time bounds, revocation, anchoring, and scope are still re-checked. See TokenChain::verify_authorizes_presigned.

Trait Implementations§

impl Clone for ChannelConfig

fn clone(&self) -> ChannelConfig

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for ChannelConfig

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.
