Module identity


Identity types for the multi-graph server (MR-668) + forward-compatible shapes for Cloud mode (RFC 0003) and OAuth provider (RFC 0004).

Per decision 13 in the implementation plan: ship the type shapes that Cloud mode will consume, without committing to any trait shape (TokenVerifier stays draft in RFC 0001). Every Cluster-mode call site constructs these types with their Cluster-mode-specific values:

  • tenant_id: None (Cloud will set Some(...) from the OAuth org_id claim)
  • scopes: vec![Scope::Full] (Cloud will populate from the OAuth scope claim)
  • source: AuthSource::Static (Cloud / OIDC will set AuthSource::Oidc)

The enums use #[non_exhaustive] so RFC 0001 step 1 / RFC 0004 can add variants without breaking exhaustive matches in callers.
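
An added sketch (not the project's own code) of the Cluster-mode values listed above, a registry key that keeps tenants apart, and a scope check that fails closed if a #[non_exhaustive] enum later gains variants. Only the names tenant_id, scopes, source, Scope::Full and AuthSource::Static come from this page; actor_id, graph_id, the String payloads and every function are assumptions.

```rust
use std::collections::HashMap;

// Type shapes sketched from the module docs; actor_id, graph_id and the
// String payloads are assumptions, not the crate's real definitions.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct TenantId(pub String);
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct GraphKey { pub tenant_id: Option<TenantId>, pub graph_id: String }
#[non_exhaustive]
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AuthSource { Static }
#[non_exhaustive]
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Scope { Full }
#[derive(Debug, Clone)]
pub struct ResolvedActor {
    pub actor_id: String,
    pub tenant_id: Option<TenantId>,
    pub scopes: Vec<Scope>,
    pub source: AuthSource,
}
/// Cluster-mode construction with the three values the module docs list.
pub fn cluster_actor(actor_id: &str) -> ResolvedActor {
    ResolvedActor { actor_id: actor_id.into(), tenant_id: None,
                    scopes: vec![Scope::Full], source: AuthSource::Static }
}
/// Hypothetical write check. The wildcard arm is mandatory in downstream
/// crates; returning false there means a variant added later grants nothing.
pub fn can_write(actor: &ResolvedActor) -> bool {
    actor.scopes.iter().any(|s| match s {
        Scope::Full => true,
        #[allow(unreachable_patterns)] // unreachable only inside the defining crate
        _ => false,
    })
}
/// Constructed registry: the same graph id under no tenant and under "acme".
pub fn demo_registry() -> HashMap<GraphKey, &'static str> {
    let acme = Some(TenantId("acme".into()));
    HashMap::from([
        (GraphKey { tenant_id: None, graph_id: "g1".into() }, "cluster graph"),
        (GraphKey { tenant_id: acme, graph_id: "g1".into() }, "acme graph"),
    ])
}
/// The tenant half of the key is taken from the resolved actor.
pub fn lookup(reg: &HashMap<GraphKey, &'static str>, actor: &ResolvedActor,
              graph_id: &str) -> Option<&'static str> {
    reg.get(&GraphKey { tenant_id: actor.tenant_id.clone(), graph_id: graph_id.into() }).copied()
}
fn main() {
    let a = cluster_actor("svc-a");
    println!("{:?} write={} -> {:?}", a.source, can_write(&a), lookup(&demo_registry(), &a, "g1"));
}
```
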

Structs

GraphKey
Registry HashMap key. Cluster mode populates tenant_id: None; Cloud mode (RFC 0003) populates tenant_id: Some(...).
ResolvedActor
Server-resolved actor identity. Replaces the previous AuthenticatedActor(Arc<str>) from lib.rs.
TenantId
Cloud-mode tenant identifier. Validated with the same regex as GraphId so the two interchange syntactically.

Enums

AuthSource
How the actor was authenticated. Cluster mode: every actor authenticates via the existing SHA-256 hash compare against a static token set, so AuthSource::Static. RFC 0001 step 1 adds AuthSource::Oidc when the OidcJwtVerifier ships.
Scope
Authorization scope. Cluster mode: every authenticated actor gets Scope::Full. Cloud mode (RFC 0004) adds OAuth-style scopes via the dashboard-configured graph:read, graph:write, graph:admin, graph:* set; those become additional variants here.

Constants

TENANT_ID_MAX_LEN
Maximum length of a TenantId value.