pub struct RelayFabric { /* private fields */ }
A remote or relayed EvalFabric node carrying a surface session.
RelayFabric wraps an inner EvalFabricRef reached across a link and
enforces a non-escalating capability policy in front of it. Because
EvalFabric is location-transparent, code that targets the realize
surface treats a relay exactly like a local fabric; the relay differs only
in that it can refuse and that its link can drop (failing closed, with no
resume).
The relay preserves each request’s Consistency
unchanged and lets the inner fabric honor it: the inner node beyond the link
is the remote authority, so a relay boundary is naturally a
RemoteOnly/LocalFirst hop, but the relay never rewrites the caller’s
declared consistency.
Trust of declared capabilities
The capability gate matches each request’s self-declared
EvalRequest::required_capabilities against the allowed set. The relay
therefore PRESUMES truthful capability declaration: it is a connectivity
gate, not the enforcement authority. A caller that under-declares its
capabilities can pass the relay; the inner / far-side fabric, which performs
the real operations behind its own cx.require(...) checks, is the actual
authority. The relay’s gate exists to fail fast and avoid even reaching the
link for plainly out-of-policy requests, not to substitute for far-side
enforcement.
Implementations
impl RelayFabric
pub fn new(inner: EvalFabricRef, allowed: Vec<CapabilityName>) -> Self
Builds a connected relay over inner that allows only allowed.
The relay starts RelayStatus::Connected. Any request whose
EvalRequest::required_capabilities step outside allowed is refused
rather than forwarded, so the relay can never grant more than it was
configured to pass through.
pub fn status(&self) -> RelayStatus
Returns the relay’s current link RelayStatus.
pub fn allows(&self, capability: &CapabilityName) -> bool
Reports whether capability is within the relay’s allowed set.
pub fn disconnect(&mut self)
Severs the link, moving the relay to RelayStatus::Disconnected.
While disconnected, RelayFabric::realize fails closed and never
reaches the inner fabric.
pub fn begin_reconnect(&mut self)
Marks the link as RelayStatus::Reconnecting.
Requests still fail closed until RelayFabric::reconnect completes the
handshake.
pub fn reconnect(&mut self)
Restores the link to RelayStatus::Connected.
This only re-opens the gate so that subsequent RelayFabric::realize
attempts may proceed. It carries no session state and does NOT resume any
request that was in flight when the link dropped: such a request already
returned Err and is the caller’s to retry as a fresh attempt.
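The trust model under "Trust of declared capabilities" and the fail-closed link behaviour of disconnect/reconnect, as an added, simplified model that is not this crate's code. The types `Request`, `Inner`, `Relay`, `Refused`, the capability names `fs.read` and `net.connect`, and the order of the two relay checks are all assumptions made for illustration.

```rust
// Stand-in model, NOT the crate's types: capabilities are plain &str names.
use std::collections::HashSet;

#[derive(Clone, Copy, PartialEq, Debug)]
enum Status { Connected, Disconnected, Reconnecting }

#[derive(PartialEq, Debug)]
enum Refused { OutOfPolicy(&'static str), LinkDown(Status), FarSide(&'static str) }

// `declared` is what the caller claims; `used` is what the operation really touches.
struct Request { declared: Vec<&'static str>, used: Vec<&'static str> }

// Far-side authority: checks the capabilities actually exercised.
struct Inner { granted: HashSet<&'static str>, reached: usize }

impl Inner {
    fn realize(&mut self, req: &Request) -> Result<(), Refused> {
        self.reached += 1;
        match req.used.iter().find(|c| !self.granted.contains(*c)) {
            Some(c) => Err(Refused::FarSide(*c)),
            None => Ok(()),
        }
    }
}

struct Relay { inner: Inner, allowed: HashSet<&'static str>, status: Status }

impl Relay {
    fn realize(&mut self, req: &Request) -> Result<(), Refused> {
        // Connectivity gate: sees only the self-declared set (check order is assumed).
        if let Some(c) = req.declared.iter().find(|c| !self.allowed.contains(*c)) {
            return Err(Refused::OutOfPolicy(*c));
        }
        if self.status != Status::Connected {
            return Err(Refused::LinkDown(self.status)); // fail closed, inner untouched
        }
        self.inner.realize(req)
    }
}

// Constructed sample: relay and far side both permit only "fs.read".
fn sample_relay() -> Relay {
    let caps: HashSet<&'static str> = HashSet::from(["fs.read"]);
    Relay { inner: Inner { granted: caps.clone(), reached: 0 }, allowed: caps, status: Status::Connected }
}

fn main() {
    let mut relay = sample_relay();
    let under_declared = Request { declared: vec!["fs.read"], used: vec!["fs.read", "net.connect"] };
    // Passes the relay gate on its declaration, then is refused by the far side.
    println!("{:?}", relay.realize(&under_declared));
}
```

The `reached` counter makes the division of labour visible: an honest out-of-policy request and any request on a down link never increment it, while an under-declared request does and is stopped only by the inner check.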