Module actors

v0.45 actor contracts (the actors-foundations slice).

An actor declaration is a nominal boundary contract (ADR Q1): a closed, compiler-known authentication Scheme plus an optional sealed identity. A handler consumes an actor on its by clause; the boundary verifies the scheme and mints the identity before the body runs (two-phase, fail-closed — ADR Q5/Q2).

This module holds the compiler-known parts: the closed scheme set, the prelude actors, the per-protocol default actors, and the admissible-scheme sets. Foundations admits only the two zero-crypto schemes (None, Internal); Bearer/Signature are reserved-and-rejected.

Structs

BearerSeam
v0.47: the data the emitter needs to lower a Bearer verification seam for a handler — the by binder (v0.50: None for the binder-less verify-and-discard form), the signing-secret env name, and the identity type to construct from the JWT sub claim. Resolved only for a handler whose by clause names a local Bearer actor; the checker guarantees the secret is present and the identity is a string-constructible local type.
Contract
A resolved actor contract: its scheme and the identity it yields.
SignatureSeam
v0.51: the data the emitter needs to lower a Signature verification seam — the signing-secret env name, the signature header, and an optional timestamp header + tolerance window for replay defence. Resolved only for a handler whose by clause names a local Signature actor.
SumMember
v0.52: one resolved member of a multi-actor sum — the seam the emitter tries at that position in the first-wins order. actor_name is the variant tag the body matches on.

Enums

ClaimPredicate
v0.53: the closed claim-predicate vocabulary for a refinement actor’s where clause (actor Admin = User where hasClaim("admin")). Claims are untyped JSON, so the predicate is a closed set — hasClaim/claimEquals composed with &&/||/! — checked against the verified JWT claims at the boundary. A general typed-claims expression surface is a later slice.
Identity
The identity a verified actor yields (ADR Q2). In Foundations this is () for trivial actors, the built-in sealed CallerId for the cross-context Internal channel (Q7, folded in), or a context-owned declared type.
Scheme
The authentication scheme — a closed, compiler-known set (ADR Q1). Sealed now, openable later by widening this enum.
SumMemberSeam
The verification a sum member contributes. None (a catch-all such as Visitor) always resolves, so it terminates the order.

Constants

CALLER_ID
The built-in sealed identity type for the cross-context calling principal.

Functions

bearer_seam_for
Resolve a handler’s Bearer seam, if its by clause names a local Bearer actor — or a refinement of one (v0.53), following the refinement to its base for the scheme/secret/identity and carrying the authorisation predicate. Returns None for non-Bearer handlers (prelude actors are never Bearer) — those emit unchanged.
caller_binder_for
v0.54: the binder of a cross-context on call … by c: Caller handler that captures a live CallerId (the calling context’s name, Q7). None unless the handler binds an identity whose contract is CallerId — i.e. the Caller prelude actor (the only source of CallerId). A binder-less on call (or one inheriting the Caller default) captures nothing and is unaffected.
claim_predicate_to_js
Lower a claim predicate to a JavaScript boolean expression over claims_var (the verified claims object, Record<string, unknown>). Used by the emitter for the refinement seam’s 403 check.
default_actor
The default actor a handler inherits when it omits by, by protocol (ADR Q5). HTTP has no safe default — by is required there.
parse_claim_predicate
Recognise the closed claim-predicate vocabulary in a refinement where expression. Err(span) points at the first sub-expression outside the set (for bynk.actor.refinement_predicate_unsupported).
prelude_actor
The prelude actors — compiler-known boundary contracts available without a declaration. They back the per-protocol defaults and let public HTTP routes write by v: Visitor without ceremony.
scheme_admissible
Whether scheme is admissible on protocol (the admissible-scheme-per-protocol check). HTTP admits None (public routes) and Bearer (an Authorization header is an HTTP concept); the internal protocols (call/cron/queue) admit Internal. Signature is still reserved.
signature_seam_for
Resolve a handler’s Signature seam, if its by clause names a local Signature actor. The checker guarantees secret and header are present.
sum_members_for
v0.52: resolve a handler’s by clause into ordered sum members, if it names more than one actor. None for a single-actor handler (those keep the existing seam paths). The checker has already validated peer/scheme/reachability rules; this lowers the verified members for emission.
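
The kind of lowering described for ClaimPredicate and claim_predicate_to_js, as an added example that is not the project's code: Pred, js_str and to_js are hypothetical names, and the semantics assumed here are that hasClaim tests for an own property and claimEquals compares against a string with ===. It shows two points a reviewer would check in such an emitter: claim names are escaped as JavaScript string literals, and lookups do not fall through to the prototype (a bare claims["constructor"] is truthy on any object).

```rust
// Added example: Pred, js_str and to_js are hypothetical names, not the project's API.
#[derive(Debug, Clone)]
pub enum Pred {
    HasClaim(String),
    ClaimEquals(String, String),
    And(Box<Pred>, Box<Pred>),
    Or(Box<Pred>, Box<Pred>),
    Not(Box<Pred>),
}

/// Quote `s` as a JavaScript string literal so a claim name or value taken
/// from source text cannot break out of the generated expression.
pub fn js_str(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            c if (c as u32) < 0x20 || c == '\u{2028}' || c == '\u{2029}' => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Lower a predicate to a parenthesised JS boolean expression over `claims_var`.
pub fn to_js(p: &Pred, claims_var: &str) -> String {
    // Assumption: `claims_var` is an identifier chosen by the emitter, never user text.
    // Own-property test, so prototype keys such as "constructor" do not count as claims.
    let own = |k: &str| format!("Object.prototype.hasOwnProperty.call({}, {})", claims_var, js_str(k));
    match p {
        Pred::HasClaim(k) => own(k),
        Pred::ClaimEquals(k, v) => format!("({} && {}[{}] === {})", own(k), claims_var, js_str(k), js_str(v)),
        Pred::And(a, b) => format!("({} && {})", to_js(a, claims_var), to_js(b, claims_var)),
        Pred::Or(a, b) => format!("({} || {})", to_js(a, claims_var), to_js(b, claims_var)),
        Pred::Not(a) => format!("!({})", to_js(a, claims_var)),
    }
}

fn main() {
    // The page's example refinement: actor Admin = User where hasClaim("admin")
    let admin = Pred::HasClaim("admin".to_string());
    println!("{}", to_js(&admin, "claims"));
}
```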