Expand description
Hot-path inbound gate.
Plugins call PairingGate::should_admit before publishing an
inbound event to the broker. Three outcomes:
Decision::Admitโ sender is inallow_from; publish.Decision::Challengeโ first time we see this sender and the binding hasauto_challenge: true; the plugin replies with the code and drops the message.Decision::Dropโauto_challenge: falseand sender unknown, or max-pending exhausted; silent drop.
A short-TTL cache (30 s) keeps the SQLite hit out of the hot path
for already-allowlisted senders. Operators that need an immediate
revoke can call PairingGate::flush_cache.