Identity types for the multi-graph server (MR-668) + forward-compatible shapes for Cloud mode (RFC 0003) and OAuth provider (RFC 0004).
Per decision 13 in the implementation plan: ship the type shapes that
Cloud mode will consume, without committing to any trait shape
(TokenVerifier stays draft in RFC 0001). Every Cluster-mode call site
constructs these types with their Cluster-mode-specific values:
- tenant_id: None (Cloud will set Some(...) from the OAuth org_id claim)
- scopes: vec
- source: AuthSource::Static (Cloud / OIDC will set AuthSource::Oidc)
The enums use #[non_exhaustive] so RFC 0001 step 1 / RFC 0004 can
add variants without breaking exhaustive matches in callers.
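An added sketch, not the crate's own code, of what the #[non_exhaustive] enums mean for an authorization check: callers in other crates must carry a wildcard arm, and that arm should deny. Only the type and variant names and the field names tenant_id, scopes and source come from this page; the id and graph_id fields, tenant_id on ResolvedActor, the vec![Scope::Full] value and the cluster_actor, scope_grants and may_access helpers are assumptions.

```rust
use std::sync::Arc;

// Assumed shapes; only names listed in the lead-in come from the page.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct TenantId(pub String);

#[non_exhaustive]
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Scope { Full }

#[non_exhaustive]
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum AuthSource { Static }

#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct GraphKey { pub tenant_id: Option<TenantId>, pub graph_id: String }

#[derive(Clone, Debug)]
pub struct ResolvedActor {
    pub id: Arc<str>, // hypothetical field
    pub tenant_id: Option<TenantId>,
    pub scopes: Vec<Scope>,
    pub source: AuthSource,
}

/// Cluster-mode actor: no tenant, Scope::Full, static-token authentication.
pub fn cluster_actor(id: &str) -> ResolvedActor {
    ResolvedActor { id: Arc::from(id), tenant_id: None,
                    scopes: vec![Scope::Full], source: AuthSource::Static }
}

/// Fail closed: a scope variant this code does not handle grants nothing.
/// The wildcard arm is mandatory in crates other than the defining one.
#[allow(unreachable_patterns)]
fn scope_grants(scope: Scope) -> bool {
    match scope {
        Scope::Full => true,
        _ => false,
    }
}

/// Tenants must match exactly, so a Cluster-mode actor (tenant_id: None)
/// never reaches a key that carries Some(tenant).
pub fn may_access(actor: &ResolvedActor, key: &GraphKey) -> bool {
    actor.tenant_id == key.tenant_id && actor.scopes.iter().any(|s| scope_grants(*s))
}

fn main() {
    let key = GraphKey { tenant_id: None, graph_id: "orders".to_string() };
    println!("allowed: {}", may_access(&cluster_actor("svc-a"), &key));
}
```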
Structs
- GraphKey - Registry HashMap key. Cluster mode populates tenant_id: None; Cloud mode (RFC 0003) populates tenant_id: Some(...).
- ResolvedActor - Server-resolved actor identity. Replaces the previous AuthenticatedActor(Arc<str>) from lib.rs.
- TenantId - Cloud-mode tenant identifier. Validated with the same regex as GraphId so the two interchange syntactically.
Enums
- AuthSource - How the actor was authenticated. Cluster mode: every actor authenticates via the existing SHA-256 hash compare against a static token set, so AuthSource::Static. RFC 0001 step 1 adds AuthSource::Oidc when the OidcJwtVerifier ships.
- Scope - Authorization scope. Cluster mode: every authenticated actor gets Scope::Full. Cloud mode (RFC 0004) adds OAuth-style scopes via the dashboard-configured graph:read, graph:write, graph:admin, graph:* set; those become additional variants here.
Constants
- TENANT_ID_MAX_LEN - Maximum length of a TenantId value.