pub trait GrantPolicy: Send + Sync + Debug {
    // Required methods
    fn grant(&self, grant: CommandGrant) -> Result<(), GrantError>;
    fn revoke(&self, pattern: &str) -> Result<(), GrantError>;
    fn is_granted(&self, command: &str) -> Result<bool, GrantError>;
    fn clear(&self) -> Result<(), GrantError>;
    fn grant_count(&self) -> usize;
    fn list_grants(&self) -> Result<Vec<CommandGrant>, GrantError>;
}
Dynamic command permission management.
Abstracts the “dynamic WHAT” layer of the permission model. Implementations store granted patterns and answer queries.
§Thread Safety
Implementations must be Send + Sync for use across async boundaries.
§Example
use orcs_auth::{GrantPolicy, CommandGrant};

fn check_with_grants(grants: &dyn GrantPolicy, cmd: &str) -> bool {
    grants.is_granted(cmd).unwrap_or(false)
}

§Required Methods
fn grant(&self, grant: CommandGrant) -> Result<(), GrantError>
Grants a command pattern.
After granting, commands matching this pattern will be allowed
by is_granted.
§Errors
Returns GrantError if internal state is inaccessible.
fn revoke(&self, pattern: &str) -> Result<(), GrantError>
Revokes a previously granted pattern.
The pattern must match exactly (not prefix match).
§Errors
Returns GrantError if internal state is inaccessible.
fn is_granted(&self, command: &str) -> Result<bool, GrantError>
Checks if a command is allowed by any granted pattern.
Uses prefix matching: returns true if the command starts
with any granted pattern. One-time grants are consumed on match.
§Errors
Returns GrantError if internal state is inaccessible.
fn clear(&self) -> Result<(), GrantError>
fn grant_count(&self) -> usize
Returns the number of active grants.
fn list_grants(&self) -> Result<Vec<CommandGrant>, GrantError>
Returns all currently active grants.
This is a trait-level operation (not an impl-specific convenience).
Any GrantPolicy implementation — whether backed by local memory,
a remote store, or a database — must be able to enumerate its grants
so that callers (e.g., session persistence) can work through
dyn GrantPolicy without knowing the concrete type (OCP).
§Errors
Returns GrantError if internal state is inaccessible.
§Notes
- OneTime grants are included (they haven’t been consumed yet)
- The order of returned grants is unspecified
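
The matching rules documented above for grant, revoke and is_granted, modelled as an added example that is not orcs_auth's own code. Grant, GrantError and MemGrants are local stand-ins (assumptions), because the fields of the real CommandGrant are not shown on this page. It shows that a bare "ls" pattern also covers "lsblk", that a one-time grant is consumed by the first matching query, and that revoke needs the exact pattern.

```rust
use std::sync::Mutex;

// Stand-ins (assumptions): the real CommandGrant and GrantError are defined in
// orcs_auth and their fields are not shown on this page.
#[derive(Debug, Clone)]
pub struct Grant { pub pattern: String, pub one_time: bool }
#[derive(Debug)]
pub struct GrantError;

#[derive(Debug, Default)]
pub struct MemGrants(Mutex<Vec<Grant>>);

impl MemGrants {
    pub fn grant(&self, g: Grant) -> Result<(), GrantError> {
        self.0.lock().map_err(|_| GrantError)?.push(g);
        Ok(())
    }
    // Exact match only: revoking "git" leaves a "git push " grant in place.
    pub fn revoke(&self, pattern: &str) -> Result<(), GrantError> {
        self.0.lock().map_err(|_| GrantError)?.retain(|g| g.pattern != pattern);
        Ok(())
    }
    // Prefix match; a one-time grant is removed by the query that matches it.
    pub fn is_granted(&self, command: &str) -> Result<bool, GrantError> {
        let mut grants = self.0.lock().map_err(|_| GrantError)?;
        let hit = grants.iter().position(|g| command.starts_with(g.pattern.as_str()));
        if let Some(i) = hit {
            if grants[i].one_time {
                grants.remove(i);
            }
        }
        Ok(hit.is_some())
    }
    pub fn grant_count(&self) -> usize {
        self.0.lock().map(|g| g.len()).unwrap_or(0)
    }
}

fn main() {
    let p = MemGrants::default();
    p.grant(Grant { pattern: "ls".into(), one_time: false }).unwrap();
    p.grant(Grant { pattern: "git push ".into(), one_time: true }).unwrap();
    // "ls" is a string prefix of "lsblk", so the grant covers more than `ls`.
    println!("lsblk: {:?}", p.is_granted("lsblk"));
    println!("git push origin: {:?}", p.is_granted("git push origin"));
    println!("repeat: {:?}", p.is_granted("git push origin"));
    p.revoke("l").unwrap(); // not an exact match, so nothing is removed
    println!("active grants: {}", p.grant_count());
}
```

Ending a pattern at a delimiter, such as the trailing space in "git push ", keeps a prefix grant from also covering longer command names that merely begin with the same letters.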