Module actor 

The Actor request guard: the authenticated initiator of a mutating request.

Identity is tokens-first (no OAuth on the critical path). A request carries a rerun token via the X-Cortex-Token header or a ?token= query parameter; the guard resolves it to an owner through config().auth.rerun_tokens, or fails the request with 401. Mutating routes take an Actor so the initiator is threaded into the owner of every write (attributable actions — the observability mandate) and so writes are denied by default (an empty token map rejects everyone, rather than letting anyone wipe results).

Structs

Actor

The authenticated initiator of a mutating request, resolved from a rerun token.

ActorCarriers

The raw credential carriers on a request, extracted without any lookup (cheap, sync): the bearer token (the X-Cortex-Token header or ?token= query) and the ADMIN_COOKIE session cookie. The audit fairing extracts these synchronously so it can resolve them to an owner off the response path (the cookie now needs a DB session lookup — see resolve_carriers). A token in a POST form body (the un-signed-in human forms) is deliberately not visible here.

AdminSession

A signed-in admin’s browser session — the Actor’s counterpart for the human admin UI. The ADMIN_COOKIE cookie carries a random opaque session id (not a credential); this guard resolves it against the server-side sessions table on every request, so sign-out (which deletes the row) immediately ends the session and a forged cookie is a useless random id. Established by the admin token or a passkey at sign-in. Gated admin screens take an AdminSession; an unauthenticated browser is sent to the sign-in page (handled per-route via Option<AdminSession>).

ReturnTo

The current request’s path + query, captured for the ?next= return-to-after-login flow on gated GET screens. An infallible request guard (always succeeds).

Enums

AdminReject

The rejection of an admin-gated human screen: either a redirect to the sign-in page (the browser isn’t signed in) or a genuine error status (e.g. 404 unknown resource, 503 pool exhausted). This lets a gated page keep its real error cases while sending an unauthenticated browser to sign in — rather than showing it a bare 401. The agent APIs are unaffected: they keep the token-based Actor guard, so a machine still gets a clean 401, not an HTML redirect.

Constants

ADMIN_COOKIE

The cookie carrying a signed-in admin’s session token (set by the /admin/login page).

Functions

actor_carriers

Extracts the ActorCarriers from a request (no lookups).

owner_for_token

Resolves a rerun token to its owner, mirroring the Actor guard’s lookup. For form-based human submissions (a <form method=post> token field), where the guard — which only reads the X-Cortex-Token header or ?token= query — can’t see a token in the request body.

require_admin

Requires a signed-in admin for a human screen, else a redirect to the sign-in page. The first line of every admin-gated page handler (which returns Result<Template, AdminReject>): a handler’s existing Status errors convert through ? (see AdminReject’s From<Status>), so it keeps its real 404/503 while unauthenticated browsers are bounced to /admin/login.

require_admin_to

Like require_admin, but for a GET screen: an unauthenticated browser is redirected to the sign-in page with a ?next= pointing back at return_to, so it lands here again after signing in.

resolve_carriers

Resolves ActorCarriers to an owner: the bearer token against the configured admin tokens, the session cookie against the sessions table (hence the connection). The token wins if both are present (an explicit API credential is the more specific intent). None if neither resolves.

safe_next

Validates a post-login next destination: the path if it is a safe local path, else /admin.

sign_in_url

Builds the sign-in URL: /admin/login, with ?bad=true when a previous attempt failed and &next=<encoded> when next is a safe local path to return to after login (open-redirect guarded — a non-local next is dropped).