Expand description
Per-request OperationContext — the single bag of state every
port receives.
Today, ports take &self only and reach into hidden runtime
state (transaction map keyed by connection id, audit principal
resolved via thread-local hacks, request id missing entirely).
That spreading makes multi-port invariants — “this request’s
port_a call and port_b call must share an xid” — invisible to
the type system and untestable.
OperationContext flips that around: handlers build it once at
request entry and pass it through every port call. Forgetting to
propagate it is a compile error; sharing it across two ports is
a single move.
WriteConsent is a sealed token: it can only be constructed by
WriteGate::check, so a port’s mutating method that demands
ctx.write_consent.is_some() is statically guaranteed to have
passed the gate. Forgetting the gate is impossible at the type
level.
Migration is gated behind the ctx-ports feature flag while the
9 ports are converted one PR at a time. OperationContext::implicit()
returns a no-op context that lets unmigrated callers keep
compiling.
Structs§
- Operation
Context - Per-request context plumbed through every port method.
- Write
Consent - Sealed write-permission token. Construct via
WriteGate::check; cannot be assembled by application code, even within this crate, because the inner field is private and markedPhantomData<*const ()>— and the_sealfield can only be created insideruntime::write_gate. - Write
Consent Seal - Module-private marker. Public type, but the only constructor lives
in
runtime::write_gate::WriteConsentSeal::new(), which is only callable from the write-gate module. Code outside that module can pattern-match on this struct but cannot construct it, so building aWriteConsentrequires going through the gate.
Type Aliases§
- Xid
- Snapshot identifier used for MVCC reads.
Nonemeans autocommit — the port allocates a fresh snapshot per call (current default for unwrapped paths).