Module render_uri

The workbook:// render-pointer URI codec (WBSV-05, V12).

render_workbook does NOT return the .xlsx bytes. It validates the inputs, then returns a workbook:// URI that encodes the (canonical) inputs PLUS the bundle provenance stamp. The bytes are recomputed per resources/read by decoding the URI, re-verifying provenance, re-validating the inputs, re-running the executor, and rendering (see super::render_resource). This keeps the server STATELESS (Lambda-safe — no session, no server-side render cache, V3).

§The URI as an attacker-controlled payload

The pointer round-trips through the client, so the URI handed back to resources/read is UNTRUSTED: an attacker may forge it, truncate it, oversize it, or cross-wire it (replay a pointer minted for a different bundle or input set). The codec is hardened accordingly:

  • Size guard FIRST (T-92-14 / V12): decode rejects any URI longer than MAX_ENCODED_URI_LEN BEFORE any base64 work — an oversized payload never reaches the allocator-heavy decode path (DoS mitigation).
  • Total, panic-free decode (T-92-17): every malformed / truncated / garbage input returns Err(WorkbookToolError), NEVER a panic. The crate deny(panic) lint plus the prop_decode_total proptest enforce totality over arbitrary/adversarial input.

Provenance verification (decoded stamp == bundle stamp) and input re-validation happen on the READ side (super::render_resource), not here — this module is purely the codec.
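The two hardening properties above, in miniature. This is an added example and not the crate's own code: the constant values, the error variants, the payload layout (stamp, then a newline, then the canonical inputs) and the hand-rolled base64url helper are all assumptions made here so the block runs with no dependencies. It also shows one caveat a practitioner would want that the text does not spell out: the base64 step rejects non-canonical trailing bits, so a given payload has exactly one accepted encoding and an attacker cannot mint many distinct URIs for the same inputs.

```rust
use std::fmt;

// Assumed values; the crate's real bound and wire format are not shown on the page.
pub const RENDER_URI_PREFIX: &str = "workbook://";
pub const MAX_ENCODED_URI_LEN: usize = 4096;

/// Decoded pointer: the canonical inputs plus the stamp bound in at encode time.
#[derive(Debug, PartialEq, Eq)]
pub struct DecodedRender {
    pub stamp: String,
    pub inputs: String,
}

/// Assumed error shape: every decode failure is one of these, never a panic.
#[derive(Debug, PartialEq, Eq)]
pub enum WorkbookToolError {
    Oversized(usize),
    BadPrefix,
    BadBase64,
    BadPayload,
}

impl fmt::Display for WorkbookToolError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::Oversized(n) => write!(f, "render URI too long ({n} bytes)"),
            Self::BadPrefix => write!(f, "not a workbook:// URI"),
            Self::BadBase64 => write!(f, "payload is not canonical base64url"),
            Self::BadPayload => write!(f, "payload is not <stamp>\\n<inputs>"),
        }
    }
}
impl std::error::Error for WorkbookToolError {}

// Minimal base64url (RFC 4648 section 5, unpadded) so the example needs no crates.
const ALPHABET: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

fn b64_encode(data: &[u8]) -> String {
    let mut out = String::with_capacity((data.len() + 2) / 3 * 4);
    for chunk in data.chunks(3) {
        let mut buf = [0u8; 3];
        buf[..chunk.len()].copy_from_slice(chunk);
        let n = u32::from_be_bytes([0, buf[0], buf[1], buf[2]]);
        let syms = [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63];
        for &s in &syms[..chunk.len() + 1] {
            out.push(ALPHABET[s as usize] as char);
        }
    }
    out
}

/// Total decode: None on any alphabet, length or non-canonical-bits fault, never a panic.
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    if s.len() % 4 == 1 {
        return None; // a lone trailing symbol can never encode a whole byte
    }
    let mut out = Vec::with_capacity(s.len() / 4 * 3 + 2);
    for chunk in s.as_bytes().chunks(4) {
        let mut n: u32 = 0;
        for &c in chunk {
            n = (n << 6) | ALPHABET.iter().position(|&a| a == c)? as u32;
        }
        n <<= 6 * (4 - chunk.len() as u32);
        let bytes = n.to_be_bytes(); // [0, b0, b1, b2]
        // Trailing bits past the last whole byte must be zero (canonical encoding only).
        if chunk.len() < 4 && bytes[chunk.len()] != 0 {
            return None;
        }
        out.extend_from_slice(&bytes[1..chunk.len()]);
    }
    Some(out)
}

/// Encode validated inputs + provenance stamp. Layout (assumed): stamp, '\n', inputs.
pub fn encode(inputs: &str, stamp: &str) -> Result<String, WorkbookToolError> {
    if stamp.is_empty() || stamp.contains('\n') {
        return Err(WorkbookToolError::BadPayload);
    }
    let payload = format!("{stamp}\n{inputs}");
    let uri = format!("{RENDER_URI_PREFIX}{}", b64_encode(payload.as_bytes()));
    if uri.len() > MAX_ENCODED_URI_LEN {
        return Err(WorkbookToolError::Oversized(uri.len()));
    }
    Ok(uri)
}

/// Decode an untrusted pointer. Size guard first, then scheme, then base64, then structure.
pub fn decode(uri: &str) -> Result<DecodedRender, WorkbookToolError> {
    // 1. Length compare only: no allocation, no base64 work on oversized input.
    if uri.len() > MAX_ENCODED_URI_LEN {
        return Err(WorkbookToolError::Oversized(uri.len()));
    }
    // 2. Scheme check.
    let body = uri.strip_prefix(RENDER_URI_PREFIX).ok_or(WorkbookToolError::BadPrefix)?;
    // 3. Total base64 decode; garbage and truncation surface here as BadBase64.
    let payload = b64_decode(body).ok_or(WorkbookToolError::BadBase64)?;
    // 4. Structural parse with no indexing or unwrap that could panic on odd input.
    let text = std::str::from_utf8(&payload).map_err(|_| WorkbookToolError::BadPayload)?;
    let (stamp, inputs) = text.split_once('\n').ok_or(WorkbookToolError::BadPayload)?;
    if stamp.is_empty() {
        return Err(WorkbookToolError::BadPayload);
    }
    Ok(DecodedRender { stamp: stamp.to_owned(), inputs: inputs.to_owned() })
}

fn main() {
    // Constructed sample inputs and stamp; not real bundle data.
    let uri = encode(r#"{"sheet":"Q1","rows":3}"#, "bundle:sha256:ab12").unwrap();
    println!("{uri}\n{:?}", decode(&uri));
    let oversized = format!("{RENDER_URI_PREFIX}{}", "%".repeat(MAX_ENCODED_URI_LEN));
    for bad in [oversized.as_str(), "https://evil/", "workbook://%%%", "workbook://AB"] {
        println!("{}", decode(bad).unwrap_err()); // every one is an Err, none panics
    }
}
```

The ordering in `decode` is the point: the oversized case is rejected by a length compare before `strip_prefix` or the base64 loop ever runs, so a multi-megabyte URI full of non-alphabet bytes costs the server nothing but the comparison. Provenance (decoded `stamp` versus the bundle's stamp) is deliberately not checked here, matching the module's split: that comparison belongs to the read side.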

§Privacy note (Codex MEDIUM #10)

The workbook:// URI ENCODES the caller’s inputs in its payload. A client, proxy, or gateway that logs resource URIs will therefore log the inputs. Operators handling sensitive inputs must treat the URI as sensitive. See docs/workbook-uri-spec.md for the published contract + privacy warning.

Structs§

DecodedRender
The decoded render payload: the canonical input DTO plus the provenance stamp that was bound into the URI at render_workbook time.

Constants§

MAX_ENCODED_URI_LEN
The hard upper bound on an encoded workbook:// URI length, in bytes.
RENDER_URI_PREFIX
The workbook:// scheme prefix every render pointer carries.
WORKBOOK_XLSX_MIME
The MIME type of the rendered .xlsx workbook (the OOXML spreadsheet type). Advertised by render_workbook and carried on the resources/read content so the client knows the base64 payload is a downloadable spreadsheet.

Functions§

decode
Decode a workbook:// render pointer URI back into its DecodedRender payload — TOTAL and panic-free over arbitrary/adversarial input.
encode
Encode a validated input DTO + provenance stamp into a workbook:// render pointer URI.