(tenant, principal, role) → HashSet<CollectionId> visibility cache.
Computed once per (tenant, principal, role) tuple and reused for the
60-second TTL window. Invalidated explicitly on:
- GRANT / REVOKE
- CREATE POLICY / DROP POLICY (and policy attach/detach)
- DROP COLLECTION
Why a separate cache from PermissionCache: PermissionCache answers
“does (resource, action) match for this user?” and is keyed by
UserId. The AI pipeline needs the inverse — “what collections is
this caller allowed to see?” — keyed by principal too because two
users can share tenant + role while holding different direct grants.
A 60s TTL is tight enough that policy churn becomes visible within
one minute even if an explicit invalidation was missed; the explicit
invalidations still fire on every relevant mutation so the common
case is zero staleness.
The cache exposes hit/miss counters so the AuthCache::stats()
probe required by issue #119 can be wired into the runtime metrics
plane.
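The description above fixes the key shape, the TTL window, the explicit invalidation events and the hit/miss probe, but not the code. The following is an added example written for this page, not the crate's own implementation: it sketches the cache in that shape so the interplay of TTL, explicit invalidation and the stats counters can be exercised. `CollectionId` as `u64`, the `with_ttl` constructor, the closure-based `visible_collections` signature and the per-tenant `invalidate_tenant` method are assumptions of this example.

```rust
// Added example, not the project's own code. CollectionId = u64, with_ttl,
// the closure-based visible_collections and invalidate_tenant are assumed.
use std::collections::{HashMap, HashSet};
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::{Arc, Mutex};
use std::time::{Duration, Instant};

pub type CollectionId = u64; // assumed; the real crate defines its own type
pub const DEFAULT_TTL: Duration = Duration::from_secs(60);

/// Cache key: (tenant, principal, role). `None` tenant = platform tenant.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct ScopeKey {
    pub tenant: Option<String>,
    pub principal: String,
    pub role: String,
}

struct Entry {
    ids: HashSet<CollectionId>,
    inserted: Instant,
}

#[derive(Default)]
struct Counters {
    hits: AtomicU64,
    misses: AtomicU64,
    invalidations: AtomicU64,
}

#[derive(Clone, Debug, Default, PartialEq, Eq)]
pub struct AuthCacheStats {
    pub hits: u64,
    pub misses: u64,
    pub invalidations: u64,
}

/// Thread-safe and cheaply cloneable: clones share the map and the counters.
#[derive(Clone)]
pub struct AuthCache {
    entries: Arc<Mutex<HashMap<ScopeKey, Entry>>>,
    counters: Arc<Counters>,
    ttl: Duration,
}

impl Default for AuthCache {
    fn default() -> Self {
        Self::with_ttl(DEFAULT_TTL)
    }
}

impl AuthCache {
    pub fn with_ttl(ttl: Duration) -> Self {
        Self { entries: Arc::default(), counters: Arc::default(), ttl }
    }

    /// Visible set for `key`. `compute` (the authoritative policy query) runs
    /// only on a miss or once the TTL has elapsed, and never under the lock.
    pub fn visible_collections<F>(&self, key: &ScopeKey, compute: F) -> HashSet<CollectionId>
    where
        F: FnOnce() -> HashSet<CollectionId>,
    {
        {
            let map = self.entries.lock().unwrap();
            if let Some(e) = map.get(key) {
                if e.inserted.elapsed() < self.ttl {
                    self.counters.hits.fetch_add(1, Ordering::Relaxed);
                    return e.ids.clone();
                }
            }
        }
        self.counters.misses.fetch_add(1, Ordering::Relaxed);
        let ids = compute();
        let mut map = self.entries.lock().unwrap();
        map.insert(key.clone(), Entry { ids: ids.clone(), inserted: Instant::now() });
        ids
    }

    /// Explicit invalidation for GRANT/REVOKE, policy changes and DROP
    /// COLLECTION within one tenant. Returns the number of entries dropped;
    /// the counter records one invalidation event per call.
    pub fn invalidate_tenant(&self, tenant: Option<&str>) -> usize {
        let mut map = self.entries.lock().unwrap();
        let before = map.len();
        map.retain(|k, _| k.tenant.as_deref() != tenant);
        self.counters.invalidations.fetch_add(1, Ordering::Relaxed);
        before - map.len()
    }

    pub fn stats(&self) -> AuthCacheStats {
        AuthCacheStats {
            hits: self.counters.hits.load(Ordering::Relaxed),
            misses: self.counters.misses.load(Ordering::Relaxed),
            invalidations: self.counters.invalidations.load(Ordering::Relaxed),
        }
    }
}

fn main() {
    let cache = AuthCache::default();
    let key = ScopeKey { tenant: Some("acme".into()), principal: "alice".into(), role: "analyst".into() };
    let seen = cache.visible_collections(&key, || [1, 2, 3].into_iter().collect());
    let again = cache.visible_collections(&key, || HashSet::new()); // hit; closure not called
    cache.invalidate_tenant(Some("acme")); // e.g. after a REVOKE
    println!("{:?} {:?} {:?}", seen, again, cache.stats());
}
```

The policy query is passed in as a closure so the cache itself never depends on the store; invalidation removes entries rather than marking them, so a stale entry is never observable after the call returns, and a zero TTL degenerates to recomputing on every call.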
Structs§
- AuthCache - Visible-collections cache. Thread-safe; cheaply cloneable through an enclosing `Arc`. Construction uses `Default::default()` so the cache can sit on `AuthStore` without extra plumbing.
- AuthCacheStats - Hit/miss/invalidate counters surfaced by `AuthCache::stats()`.
- ScopeKey - Cache key — (tenant, principal, role). `None` tenant = platform tenant.
Constants§
- DEFAULT_TTL - Default TTL for a `visible_collections` cache entry.