The stateless regen-on-read workbook:// resource handler (WBSV-05, V3/V12).
RenderWorkbookResource implements pmcp::server::ResourceHandler over a
verified WorkbookBundle. render_workbook (the tool) hands the client a
workbook:// POINTER; the client reads that pointer via resources/read, and
THIS handler regenerates the .xlsx from the URI on EVERY read — there is NO
server-side session or render cache (V3, Lambda-safe). Because the URI is
attacker-controlled (it round-trips through the client), every read runs the
full hardening pipeline before it renders a single byte:
- Decode (render_uri::decode) — the size guard (T-92-14) is the first thing checked, so an oversized URI is rejected before any base64 work; the decode is total and panic-free (T-92-17).
- Verify provenance — the decoded provenance MUST equal the live bundle stamp (combined_hash, Codex HIGH #3). A cross-provenance / forged URI is rejected BEFORE rendering (spoofing guard, T-92-15).
- Re-validate inputs — the decoded inputs are run through super::input::validate_input AGAIN (the inputs rode through an untrusted round-trip; an out-of-range / injected input is rejected here, T-92-16).
- Re-run + render — re-run the executor over the validated seeds, then pmcp_workbook_runtime::render::render_xlsx (writer-only, reader-free).
- base64 (STANDARD) the bytes into a ReadResourceResult.
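
The ordering of the first three stages, shown as an added example that is not the crate's own code. The URI layout (workbook://render/ followed by base64 of provenance|inputs), the 4096-byte cap, the input range and every name below are assumptions made for illustration.

```rust
// Added illustration, not pmcp code. The URI layout, limits and names are assumed.
const MAX_URI_LEN: usize = 4096; // assumed cap
const PREFIX: &str = "workbook://render/"; // assumed layout: PREFIX + base64("prov|a,b")

#[derive(Debug, PartialEq)]
enum Reject { TooLarge, Malformed, Provenance, Input }

/// Total, panic-free decode of padded standard-alphabet base64.
fn b64(s: &str) -> Option<Vec<u8>> {
    let b = s.as_bytes();
    if b.len() % 4 != 0 { return None; }
    let mut out = Vec::with_capacity(b.len() / 4 * 3);
    for (i, q) in b.chunks(4).enumerate() {
        let pad = q.iter().rev().take_while(|&&c| c == b'=').count();
        if pad > 2 || (pad > 0 && i + 1 != b.len() / 4) { return None; }
        let mut n = 0u32;
        for &c in &q[..4 - pad] {
            let v = match c {
                b'A'..=b'Z' => c - b'A',
                b'a'..=b'z' => c - b'a' + 26,
                b'0'..=b'9' => c - b'0' + 52,
                b'+' => 62,
                b'/' => 63,
                _ => return None, // also catches '=' in a non-padding position
            };
            n = (n << 6) | v as u32;
        }
        n <<= 6 * pad as u32;
        out.extend_from_slice(&n.to_be_bytes()[1..4 - pad]);
    }
    Some(out)
}

/// Size guard, decode, provenance, re-validate: each stage rejects before the next runs.
fn check_uri(uri: &str, live_hash: &str) -> Result<Vec<i64>, Reject> {
    if uri.len() > MAX_URI_LEN { return Err(Reject::TooLarge); } // before any base64 work
    let body = uri.strip_prefix(PREFIX).ok_or(Reject::Malformed)?;
    let text = String::from_utf8(b64(body).ok_or(Reject::Malformed)?).map_err(|_| Reject::Malformed)?;
    let (prov, inputs) = text.split_once('|').ok_or(Reject::Malformed)?;
    if prov != live_hash { return Err(Reject::Provenance); } // forged or stale pointer
    inputs.split(',') // inputs crossed an untrusted round-trip, so range-check them again
        .map(|s| s.parse::<i64>().ok().filter(|v| (0..=1_000_000).contains(v)).ok_or(Reject::Input))
        .collect()
}

fn main() {
    // Constructed sample: base64("abc123|5,10") checked against live stamp "abc123".
    println!("{:?}", check_uri("workbook://render/YWJjMTIzfDUsMTA=", "abc123"));
}
```

Only a URI that returns Ok would go on to the re-run and render stages; every Err is produced before any workbook byte is generated.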
render_xlsx pins document properties to a fixed datetime, so reading the
SAME URI twice yields BYTE-IDENTICAL bytes (stateless determinism).
There is exactly ONE resource on this handler (no dispatching wrapper — A3).
Structs§
- RenderWorkbookResource - The stateless regen-on-read resource handler for workbook://render pointers (WBSV-05). Holds the shared verified bundle; every read regenerates the .xlsx from the (untrusted) URI — provenance-verified, re-validated, re-run, rendered, base64-encoded.
Constants§
- RENDER_RESOURCE_LIST_URI - The single resource URI advertised by resources/list for the render surface.