pub struct InMemoryArtifactStore { /* private fields */ }Expand description
In-memory artifact store. Intended for tests, fuzzers, and ephemeral caches.
§SECURITY WARNING: NO integrity or signature verification
Unlike DiskArtifactStore, this store performs NO HMAC signing
and NO HMAC/content-hash verification on put / get. It stores
the plaintext payload in a HashMap and hands it straight back. The
hmac_key below is accepted only so the constructor signature
matches the disk store’s; it is never used to sign or verify anything
(hence #[allow(dead_code)]).
This is safe only because the in-memory map is the trust boundary:
the bytes returned are exactly the bytes a (trusted) caller inserted
in the same process, so there is no untrusted on-the-wire/on-disk
envelope to authenticate. Do NOT use this type to back any data
path that crosses a trust boundary (untrusted input, persistence,
IPC, network). For anything that must detect tampering or forged
blobs, use DiskArtifactStore, which signs and constant-time
verifies every record. Treat this store as test/ephemeral-only.
Implementations§
Trait Implementations§
Source§impl ArtifactStore for InMemoryArtifactStore
impl ArtifactStore for InMemoryArtifactStore
Source§fn put(&self, payload: &[u8]) -> Result<ContentHash, ArtifactError>
fn put(&self, payload: &[u8]) -> Result<ContentHash, ArtifactError>
payload into the store. The returned ContentHash is
blake3(payload); repeated calls with identical payloads return
identical hashes and overwrite the existing entry in place.Source§fn get(&self, hash: &ContentHash) -> Result<Vec<u8>, ArtifactError>
fn get(&self, hash: &ContentHash) -> Result<Vec<u8>, ArtifactError>
hash. Returns
ArtifactError::NotFound on a genuine miss; integrity-failure
variants (ArtifactError::BadMagic, ArtifactError::BadVersion,
ArtifactError::BadHmac, ArtifactError::HashMismatch) are
returned when a record was present but the format checks rejected
it.Source§fn get_to(
&self,
hash: &ContentHash,
out: &mut dyn Write,
) -> Result<u64, ArtifactError>
fn get_to( &self, hash: &ContentHash, out: &mut dyn Write, ) -> Result<u64, ArtifactError>
hash into out,
returning the number of bytes written. This completes the
streaming story Self::put already has on the write side: where
Self::get returns an owned Vec<u8> (up to
MAX_DECOMPRESSED_LEN resident),
get_to lets a caller pipe a large artifact straight into a file,
socket, or hashing sink without first materialising the whole
decoded payload as a return value. Read moreSource§fn list(&self) -> Result<Vec<ContentHash>, ArtifactError>
fn list(&self) -> Result<Vec<ContentHash>, ArtifactError>
Source§fn contains(&self, hash: &ContentHash) -> Result<bool, ArtifactError>
fn contains(&self, hash: &ContentHash) -> Result<bool, ArtifactError>
hash: returns true if an entry is
present, false otherwise. This is deliberately a stat-only
check — it does NOT decode, decompress, or HMAC-verify the
record, so it is dramatically cheaper than Self::get and
suitable for the GC/audit roadmap’s “is this content already
resident?” question. Read moreSource§fn remove(&self, hash: &ContentHash) -> Result<bool, ArtifactError>
fn remove(&self, hash: &ContentHash) -> Result<bool, ArtifactError>
hash. Returns true if a record
was removed, false if nothing was stored under hash (a
no-op delete is not an error — it mirrors HashMap::remove’s
“was it there?” boolean and the POSIX unlink-of-missing
convention GC callers expect). Read more