pub fn decode(uri: &str) -> Result<DecodedRender, WorkbookToolError>Expand description
Decode a workbook:// render pointer URI back into its DecodedRender
payload — TOTAL and panic-free over arbitrary/adversarial input.
The size guard is checked FIRST (T-92-14 / V12): a URI longer than
MAX_ENCODED_URI_LEN is rejected BEFORE any base64 decode, so an oversized
attacker payload never reaches the allocating decode path.
§Errors
Returns WorkbookToolError::invalid_input for ANY malformed input — an
oversized URI, a wrong/absent scheme prefix, non-base64 body, non-UTF-8 or
non-JSON decoded bytes, or a payload missing the dto/provenance fields.
NEVER panics (T-92-17, deny(panic) + proptest-proven).