Module users


User table + RBAC types for v4.1.

Three roles, narrow on purpose:

  • Admin — full read+write + can manage other users
  • ReadWrite — full read+write, no user-mgmt
  • ReadOnly — SELECT / SHOW only

Passwords stored as BLAKE3(salt || password) — the salt is a random 16-byte value per user, kept inline with the record so we never need to hash twice. The hash is not designed to resist a determined offline attack on the snapshot file (that’s what file perms are for in the docker-compose deployment shape); it’s enough that the snapshot itself doesn’t leak plaintext, and that an in-memory dump can’t trivially reverse a typed password.

Structs

ScramSecrets
SCRAM-SHA-256 stored credentials per RFC 5802 §5. salt and iters are sent to the client in server-first; stored_key and server_key are kept secret and used in the final-message verification.
UserRecord
UserStore

Enums

Role
UserDeserializeError
UserError

Constants

SCRAM_DEFAULT_ITERS
SCRAM_SALT_LEN

Functions

compute_scram_secrets
v4.8: derive SCRAM-SHA-256 stored credentials per RFC 5802 §3.
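
An added illustration (not this crate's code) of the SCRAM-SHA-256 derivation and final-message check described for ScramSecrets and compute_scram_secrets, written in Python so it runs on the standard library alone. The function signatures are assumptions, the sample messages are the RFC 7677 §3 exchange, and SASLprep normalization of the password is omitted.

```python
import base64, hashlib, hmac

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def compute_scram_secrets(password: bytes, salt: bytes, iters: int):
    """Derive (stored_key, server_key); neither password nor ClientKey is kept."""
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iters)  # Hi() in RFC 5802
    stored_key = hashlib.sha256(_hmac(salted, b"Client Key")).digest()
    return stored_key, _hmac(salted, b"Server Key")

def client_proof(password: bytes, salt: bytes, iters: int, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key = _hmac(hashlib.pbkdf2_hmac("sha256", password, salt, iters), b"Client Key")
    sig = _hmac(hashlib.sha256(client_key).digest(), auth_message)
    return bytes(a ^ b for a, b in zip(client_key, sig))

def verify_client_final(stored_key, server_key, auth_message, proof):
    """Server side: return ServerSignature on success, None on a bad proof."""
    if len(proof) != len(stored_key):
        return None
    sig = _hmac(stored_key, auth_message)
    # XOR with the signature recovers the ClientKey the client used.
    recovered = bytes(a ^ b for a, b in zip(proof, sig))
    if not hmac.compare_digest(hashlib.sha256(recovered).digest(), stored_key):
        return None
    return _hmac(server_key, auth_message)

# Sample exchange from RFC 7677 §3 (user "user", password "pencil").
SALT = base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ==")
ITERS = 4096
NONCE = b"rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
AUTH_MESSAGE = b",".join([
    b"n=user,r=rOprNGfwEbeRWgbNEkqO",                   # client-first-bare
    b"r=" + NONCE + b",s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096",  # server-first
    b"c=biws,r=" + NONCE,                               # client-final-without-proof
])
RFC_PROOF = base64.b64decode("dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=")
RFC_SERVER_SIG = base64.b64decode("6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=")

if __name__ == "__main__":
    stored, server = compute_scram_secrets(b"pencil", SALT, ITERS)
    sig = verify_client_final(stored, server, AUTH_MESSAGE, RFC_PROOF)
    print("proof accepted:", sig == RFC_SERVER_SIG)
    bad = client_proof(b"wrong", SALT, ITERS, AUTH_MESSAGE)
    print("wrong password rejected:",
          verify_client_final(stored, server, AUTH_MESSAGE, bad) is None)
```

The server verifies the proof using only stored_key and returns a signature derived from server_key, so the typed password never has to be stored or replayed.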