Tenanted<S>, Scoped<'a, S>, and the sealed TenantScopedStore marker
trait — the structural foundation for tenant-scoped storage access.
Per AUTHZ-0 principle 1 (“trust is structural, not procedural”), an
activation must not be able to hold a bare storage handle and call its
query API directly. The wrapper introduced here is the load-bearing
enforcement: an activation receives a Tenanted<S>, the inner store
is unreachable, and the only way to call any storage method is through
a tenant-tagged Scoped<'a, S> borrow obtained by
Tenanted::scoped.
See plans/AUTHZ/AUTHZ-DATA-1-WRAPPER.md for the contract and
plans/AUTHZ/AUTHZ-DATA-S01-output.md §3 for the design rationale
(wrapper-plus-trait, option a with elements of b and c).
§Sealing summary

| Protection | Mechanism |
|---|---|
| Inner store unreachable | `Tenanted::inner` is module-private |
| No fabrication of `Tenanted` | `Tenanted::new_sealed` is `pub(crate)` |
| Marker trait cannot be implemented externally | `TenantScopedStore: seal::SealedStore` (private super-trait) |
| `TenantBoundary` proof unforgeable | `TenantBoundary::new_sealed` is `pub(crate)` |
| No accidental `Default` | Not derived on any sealed type |
| No leaky `Deserialize` | Not derived on any sealed type |
§The three structural compile-fails (per ticket §“Failing examples”)

§1. Reaching for the inner store directly

```rust
use plexus_auth_core::tenant::storage::Tenanted;

fn leak<S>(t: &Tenanted<S>)
where
    S: plexus_auth_core::TenantScopedStore,
{
    let _ = &t.inner;
}
```

Diagnostic: field `inner` of struct `Tenanted` is private (E0616).

§2. Constructing a `Tenant` from a literal inside an activation

```rust
use plexus_auth_core::Tenant;

let _ = Tenant::try_new("victim-tenant");
```

Diagnostic: associated function `try_new` is private (E0624).

§3. Implementing `TenantScopedStore` for a sibling-crate type without the sealed super-trait

```rust
struct MyStore;

impl plexus_auth_core::TenantScopedStore for MyStore {
    type Error = std::io::Error;
}
```

Diagnostic: the trait bound `MyStore: SealedStore` is not satisfied (E0277), pointing to the private `seal::SealedStore` super-trait.
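As an added illustration (not plexus_auth_core's own code), the single-file Rust sketch below reproduces the wrapper-plus-sealed-trait shape behind the three diagnostics above and then checks that a `Scoped` borrow for `acme` never sees `beta`'s rows. It assumes, for brevity, that the storage API is one `list_keys` method on the sealed trait (the real marker trait's `Error` type and other items are omitted), that the reference store is a nested map, and that the hypothetical `keys_visible_to` driver exists only to run the check. Because everything sits in one crate, the `pub(crate)` constructors stay callable here; across the crate boundary they are not, which is what makes the sealing structural.

```rust
use std::collections::BTreeMap;
pub struct Tenant(String);
impl Tenant {
    // pub(crate): only the framework mints a Tenant, so an activation's
    // `Tenant::try_new("victim-tenant")` is rejected with E0624.
    pub(crate) fn try_new(id: &str) -> Option<Tenant> {
        (!id.is_empty()).then(|| Tenant(id.to_string()))
    }
    pub fn id(&self) -> &str { &self.0 }
}
mod seal { pub trait SealedStore {} } // private super-trait: E0277 for outsiders

// Assumed simplification: the storage API lives on the sealed trait and takes
// the tenant explicitly; only `Scoped` can call it, and `Scoped` owns the proof.
pub trait TenantScopedStore: seal::SealedStore {
    fn list_keys(&self, tenant: &Tenant) -> Vec<String>;
}
pub struct Tenanted<S> { inner: S } // private field: `&t.inner` is E0616
impl<S: TenantScopedStore> Tenanted<S> {
    pub(crate) fn new_sealed(inner: S) -> Self { Tenanted { inner } }
    // The only public door: a borrow tagged with the tenant proof.
    pub fn scoped<'a>(&'a self, tenant: &'a Tenant) -> Scoped<'a, S> {
        Scoped { store: &self.inner, tenant }
    }
}
pub struct Scoped<'a, S> { store: &'a S, tenant: &'a Tenant }
impl<S: TenantScopedStore> Scoped<'_, S> {
    // Forwarding fixes the tenant from the proof, never from the caller.
    pub fn list_keys(&self) -> Vec<String> { self.store.list_keys(self.tenant) }
}

// Constructed reference store: tenant id -> key -> value.
pub struct InMemoryKvStore(BTreeMap<String, BTreeMap<String, Vec<u8>>>);
impl seal::SealedStore for InMemoryKvStore {}
impl TenantScopedStore for InMemoryKvStore {
    fn list_keys(&self, tenant: &Tenant) -> Vec<String> {
        self.0.get(tenant.id()).map(|m| m.keys().cloned().collect::<Vec<_>>()).unwrap_or_default()
    }
}

// Hypothetical driver: three rows across two tenants; `beta` must never leak.
pub fn keys_visible_to(tenant_id: &str) -> Vec<String> {
    let mut rows: BTreeMap<String, BTreeMap<String, Vec<u8>>> = BTreeMap::new();
    for (t, k, v) in [("acme", "widget-1", "sprocket"), ("acme", "widget-2", "flange"),
                      ("beta", "widget-1", "do-not-leak")] {
        rows.entry(t.to_string()).or_default().insert(k.to_string(), v.as_bytes().to_vec());
    }
    let tenanted = Tenanted::new_sealed(InMemoryKvStore(rows));
    let tenant = Tenant::try_new(tenant_id).expect("non-empty tenant id");
    tenanted.scoped(&tenant).list_keys()
}
```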
§Canonical happy path (passing doc test)
The doc test below demonstrates the end-to-end pattern using the
framework-supplied reference::InMemoryKvStore (a pre-sealed
reference store kept in this crate so the canonical pattern is
exercisable from a doc test). In a real activation, the type
satisfying TenantScopedStore is the activation’s own storage
handle, the impl is generated by AUTHZ-DATA-2-MACRO, and domain
methods are added by a trait implemented on
Scoped<'_, MyStore> from inside the activation crate (Rust’s
orphan rule forbids inherent impls on a foreign type — see the
run-notes for the design implication).
```rust
use plexus_auth_core::tenant::storage::{
    reference::InMemoryKvStore, Scoped, TenantScopedStore, Tenanted,
};
use plexus_auth_core::Tenant;

// 1. The framework hands the activation a `Tenanted<S>`.
//    Here we mint one via the framework-blessed reference store.
let store = InMemoryKvStore::new();
store.put_for_doc_test("acme", "widget-1", b"sprocket".to_vec());
store.put_for_doc_test("acme", "widget-2", b"flange".to_vec());
store.put_for_doc_test("beta", "widget-1", b"do-not-leak".to_vec());
let tenanted: Tenanted<InMemoryKvStore> =
    plexus_auth_core::tenant::storage::__doctest_blessed_tenanted(store);

// 2. The framework hands the activation a `&Tenant` extension.
let tenant: Tenant =
    plexus_auth_core::tenant::storage::__doctest_blessed_tenant("acme");

// 3. The activation calls `.scoped(tenant)` and invokes domain
//    methods on the borrow. For the reference store, those methods
//    are pre-defined on `Scoped<'_, InMemoryKvStore>`.
let scoped: Scoped<'_, InMemoryKvStore> = tenanted.scoped(&tenant);
let names = scoped.list_keys();
assert_eq!(names.len(), 2);
assert!(names.contains(&"widget-1".to_string()));
assert!(names.contains(&"widget-2".to_string()));
```

§Modules

- `reference`: Reference `TenantScopedStore` implementations.

§Structs

- `Scoped`: A tenant-tagged borrow of a storage handle.
- `TenantBoundary`: Zero-sized witness that a tenant boundary was crossed structurally.
- `Tenanted`: A tenant-scoped wrapper around a storage handle.

§Traits

- `TenantScopedStore`: Sealed capability marker for types that can be wrapped in a `Tenanted<S>`.