(tenant, role) → HashSet<CollectionId> visibility cache.
Computed once per (tenant, role) tuple and reused for the 60-second
TTL window. Invalidated explicitly on:
- GRANT / REVOKE
- CREATE POLICY / DROP POLICY (and policy attach/detach)
- DROP COLLECTION
Why a separate cache from PermissionCache: PermissionCache answers
“does (resource, action) match for this user?” and is keyed by
UserId. The AI pipeline needs the inverse — “what collections is
this caller allowed to see?” — keyed by (tenant, role) so two
users that share a tenant + role share the cache slot. A 60s TTL is
tight enough that policy churn becomes visible within one minute even
if an explicit invalidation was missed; the explicit invalidations
still fire on every relevant mutation so the common case is zero
staleness.
The cache exposes hit/miss counters so the AuthCache::stats()
probe required by issue #119 can be wired into the runtime metrics
plane.
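The TTL-plus-explicit-invalidation behaviour described above, as an added sketch that is not the project's own code. The names VisibilityCache, visible and invalidate_all, the u64 CollectionId, the tuple ScopeKey and the clear-everything invalidation are assumptions made for illustration.

```rust
use std::collections::{HashMap, HashSet};
use std::sync::Mutex;
use std::time::{Duration, Instant};

// Hypothetical stand-ins: the page does not show the real type definitions.
pub type CollectionId = u64;
pub type ScopeKey = (Option<String>, String); // (tenant, role); None = platform tenant

#[derive(Default)]
struct Inner {
    entries: HashMap<ScopeKey, (Instant, HashSet<CollectionId>)>,
    stats: (u64, u64, u64), // (hits, misses, invalidations)
}

pub struct VisibilityCache { ttl: Duration, inner: Mutex<Inner> }

impl VisibilityCache {
    pub fn new(ttl: Duration) -> Self {
        Self { ttl, inner: Mutex::new(Inner::default()) }
    }

    /// Serve the cached set while it is younger than the TTL; otherwise call
    /// `compute` (the authoritative policy evaluation) and store the result.
    /// `now` is a parameter so expiry can be exercised without sleeping.
    pub fn visible(&self, key: &ScopeKey, now: Instant,
                   compute: impl FnOnce() -> HashSet<CollectionId>) -> HashSet<CollectionId> {
        let mut guard = self.inner.lock().unwrap();
        let inner = &mut *guard;
        if let Some((stored_at, set)) = inner.entries.get(key) {
            if now.saturating_duration_since(*stored_at) < self.ttl {
                inner.stats.0 += 1;
                return set.clone();
            }
        }
        inner.stats.1 += 1;
        // Recompute under the lock so a concurrent invalidation cannot land
        // between the policy read and the insert and then be overwritten.
        let set = compute();
        inner.entries.insert(key.clone(), (now, set.clone()));
        set
    }

    /// Call after GRANT/REVOKE, policy create/drop/attach/detach, DROP COLLECTION.
    pub fn invalidate_all(&self) {
        let mut guard = self.inner.lock().unwrap();
        guard.entries.clear();
        guard.stats.2 += 1;
    }

    pub fn stats(&self) -> (u64, u64, u64) { self.inner.lock().unwrap().stats }
}
```

If a REVOKE skips the invalidation call, the revoked collection stays visible to that (tenant, role) until the entry ages out, which is the staleness bound the TTL provides.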
Structs§
- AuthCache - Visible-collections cache. Thread-safe; cheaply cloneable through an enclosing Arc. Construction uses Default::default() so the cache can sit on AuthStore without extra plumbing.
- AuthCacheStats - Hit/miss/invalidate counters surfaced by AuthCache::stats().
- ScopeKey - Cache key — (tenant, role). None tenant = platform tenant.
Constants§
- DEFAULT_TTL - Default TTL for a visible_collections cache entry.