futu_auth/limits/types.rs
1//! Split from limits.rs: types.
2//!
3//! pub items: Limits,CheckCtx,LimitReason,LimitOutcome,ValueRejectReason,market_to_currency,validate_order_value.
4
5use std::collections::HashSet;
6
7use serde::{Deserialize, Serialize};
8
9/// 限额配置(与 KeyRecord 字段平级,独立出来便于传递)
10#[derive(Debug, Clone, Default, Serialize, Deserialize)]
11pub struct Limits {
12 pub allowed_markets: Option<HashSet<String>>,
13 pub allowed_symbols: Option<HashSet<String>>,
14 pub max_order_value: Option<f64>,
15 pub max_daily_value: Option<f64>,
16 pub hours_window: Option<String>,
17 /// 每分钟下单次数上限(滑动窗口,None 表示不限)。挡 spray-and-pray
18 /// 类攻击:即使每单小于 max_order_value、日累计也够,也限制速率。
19 #[serde(default, skip_serializing_if = "Option::is_none")]
20 pub max_orders_per_minute: Option<u32>,
21 /// 允许的交易方向白名单:例如 `["SELL"]` = 只让平仓 bot 卖;
22 /// None / 空集 → 不限。大小写敏感,用 `"BUY"` / `"SELL"` / `"SELL_SHORT"` / `"BUY_BACK"`。
23 #[serde(default, skip_serializing_if = "Option::is_none")]
24 pub allowed_trd_sides: Option<HashSet<String>>,
25 /// v1.4.35 加(external reviewer 回归报告建议 1):**per-key acc_id 白名单**
26 ///
27 /// 语义:该 key 只能对这些 acc_id 发 trade / unlock / query 操作;超出
28 /// 列表的 acc_id 直接被 auth 层拒(403)。None / 空集 → 不限(向后兼容老 key)。
29 ///
30 /// **定位**:operational safety(防 agent bug / LLM 幻觉 / key 泄露后爆炸半径)。
31 /// **不等同** financial isolation —— 后者需要多 union card(L4,见 CLAUDE.md 隔离层级)。
32 /// 对**纯现金策略**用户,L2 实质上等同财务隔离(没借钱就没传导)。
33 ///
34 /// 典型用法:
35 /// ```text
36 /// futucli gen-key --id bot-A --scopes trade:real,acc:read --allowed-acc-ids 10001,10002
37 /// futucli gen-key --id bot-B --scopes trade:real,acc:read --allowed-acc-ids 10003
38 /// ```
39 /// bot-A 只能动 10001/10002,bot-B 只能动 10003,互不影响。
40 #[serde(default, skip_serializing_if = "Option::is_none")]
41 pub allowed_acc_ids: Option<HashSet<u64>>,
42 /// v1.4.103 (B10): per-key card_num 白名单 (string format).
43 ///
44 /// daemon 启动后通过 GetAccList resolve → 合并进 `allowed_acc_ids`. 详见
45 /// [`KeyRecord::allowed_card_nums`].
46 #[serde(default, skip_serializing_if = "Option::is_none")]
47 pub allowed_card_nums: Option<Vec<String>>,
48}
49
50/// 限额检查上下文:一次下单的 market/symbol/金额/方向
51#[derive(Debug, Clone, Default)]
52pub struct CheckCtx {
53 /// "HK" / "US" / "CN" / "HKCC" 等
54 pub market: String,
55 /// "HK.00700" 格式(market + code);**空串** 表示调用方无法推导 symbol
56 /// (改单 / 撤单路径),此时 symbol 白名单检查被跳过(但 market 仍会被校验)。
57 pub symbol: String,
58 /// qty × price(本币);None 表示无法计算(如 MARKET 单),跳过金额检查
59 pub order_value: Option<f64>,
60 /// 交易方向字符串(`"BUY"` / `"SELL"` / ...);None 表示无需方向校验
61 /// (改单 / 撤单路径)
62 pub trd_side: Option<String>,
63 /// v1.4.35:被操作的账户 ID;None 表示此请求不涉及特定账户(全局请求
64 /// 如 subscribe / quote,跳过 acc_id 白名单检查)。
65 pub acc_id: Option<u64>,
66 /// v1.4.106 codex 0538 F2 (P2): typed marker — 此 mutation 不产生
67 /// 新 exposure delta(撤单 / 失效 / 生效 / 删除老单)。
68 ///
69 /// **语义**:true = 改 daemon 状态但不动 risk exposure(不跑 daily
70 /// counter, 但仍跑 acc_id / market / rate / hours 白名单)。
71 /// false = 真有 exposure delta(PlaceOrder, ModifyOrder Normal)→
72 /// 必须给 order_value 让 daily counter 累加.
73 ///
74 /// 区分 ModifyOrder 5 种 op:
75 ///
76 /// | modify_order_op | 含义 | mutation_no_exposure | order_value |
77 /// |---|---|---|---|
78 /// | 1 (Normal) | 改价 / 改量 → 新 exposure | **false** | Some(qty*price) |
79 /// | 2 (Cancel) | 撤单 → 减 exposure | true | None |
80 /// | 3 (Disable) | 失效 | true | None |
81 /// | 4 (Enable) | 生效(之前 Disable)| true | None (cap 难算) |
82 /// | 5 (Delete) | 删除老单 | true | None |
83 ///
84 /// **保守语义**:Enable 理论可重新激活老单产生 exposure, 但不知 qty/price
85 /// 上下文(仅靠 order_id),无法算 order_value → 标 mutation_no_exposure
86 /// = true(跳 daily counter);rate-window 仍计数挡 spray attack。
87 ///
88 /// **默认 false**: 所有 PlaceOrder / 已知 exposure 路径默认 false(保守)。
89 pub mutation_no_exposure: bool,
90 /// v1.4.106 codex 0538 F4 (P3): 订单币种 (`HKD` / `USD` / `CNY` / `JPY`
91 /// / `SGD` / `AUD` / `MYR` / `CAD` 等)
92 ///
93 /// **None** = 让 auth 层从 [`Self::market`] 派生;market 也无法派生时才进入
94 /// legacy 单桶模式 (counter 全合并到 `_default_` key, 与 v1.4.105 行为兼容);
95 ///
96 /// **Some(ccy)** = per-currency 桶 (HKD / USD / ... 各自独立 daily counter,
97 /// USD 单不消耗 HKD 配额, 防 cross-currency dilution).
98 ///
99 /// `Limits::max_daily_value` cap 解释成**每个 currency 桶独立 cap**.
100 ///
101 /// 防御性语义:调用方可提供,但 daily bucket 选择会优先使用
102 /// [`market_to_currency`] 的派生值,避免跨 surface 误传 currency 导致额度记错桶。
103 pub currency: Option<String>,
104}
105
106impl CheckCtx {
107 /// Return the daily-limit currency bucket for this request.
108 ///
109 /// Known markets are authoritative because all current order-write surfaces
110 /// already carry a market, while some legacy/MCP callers still leave
111 /// `currency=None`. If both are present but conflict, use the market-derived
112 /// bucket and log the mismatch for diagnostics.
113 pub fn daily_currency(&self) -> Option<String> {
114 let derived = market_to_currency(self.market.as_str());
115 match (derived, self.currency.as_deref()) {
116 (Some(market_currency), Some(caller_currency))
117 if !caller_currency.eq_ignore_ascii_case(market_currency) =>
118 {
119 tracing::warn!(
120 market = %self.market,
121 caller_currency,
122 derived_currency = market_currency,
123 "CheckCtx currency mismatch; using market-derived daily limit bucket"
124 );
125 Some(market_currency.to_string())
126 }
127 (Some(market_currency), _) => Some(market_currency.to_string()),
128 (None, Some(caller_currency)) => {
129 let trimmed = caller_currency.trim();
130 (!trimmed.is_empty()).then(|| trimmed.to_ascii_uppercase())
131 }
132 (None, None) => None,
133 }
134 }
135}
136
137/// v1.4.106 codex 0538 F4 (P3): trd market → currency 推导.
138///
139/// 用于派生 [`CheckCtx::currency`]. 各市场按 base trading currency:
140///
141/// | market | currency |
142/// |---|---|
143/// | HK / HKCC | HKD |
144/// | US | USD |
145/// | CN | CNY |
146/// | JP | JPY |
147/// | SG | SGD |
148/// | AU | AUD |
149/// | MY | MYR |
150/// | CA | CAD |
151/// | 其他 (FUTURES / 未知) | None (合并到 default 桶) |
152///
153/// **注意**: HKCC (HK 沪港通) 实际多币种, 但 daily counter 视角统一 HKD —
154/// 避免双桶碎片化. 真实多币种细分 (e.g. 沪港通买卖差价是 HKD 还是 CNY)
155/// 应由 backend 业务层决定, daemon 限额引擎只挡 quota.
156#[must_use]
157pub fn market_to_currency(market: &str) -> Option<&'static str> {
158 match market {
159 "HK" | "HKCC" => Some("HKD"),
160 "US" => Some("USD"),
161 "CN" => Some("CNY"),
162 "JP" => Some("JPY"),
163 "SG" => Some("SGD"),
164 "AU" => Some("AUD"),
165 "MY" => Some("MYR"),
166 "CA" => Some("CAD"),
167 _ => None,
168 }
169}
170
171/// **v1.4.106 codex 0542 F2 [P2 SECURITY]**: 限额拒绝原因 typed enum.
172///
173/// 三层语义视图同 reject 不同消费方:
174///
175/// | 视图 | 用途 | 是否含 PII / 敏感细节 |
176/// |---|---|---|
177/// | [`Self::public_message`] | client error body (REST 403/429 JSON, gRPC Status.message) | **不含** — 只说 "rejected by <category>" |
178/// | [`Self::audit_message`] | audit log + tracing (内部 ops 用) | 含 — `daily 27000.00 > 25000.00` 等数值 |
179/// | [`Self::metric_label`] | Prometheus `reason` label (固定桶) | **不含** — 固定 8 字串集合 |
180///
181/// **设计动机** (v1.4.105 之前):
182///
183/// 老代码 `LimitOutcome::*Reject(String)` 把 `format!("daily value 27000.00 > 25000.00 (current=18000.00 + order=9000.00)")`
184/// 同字符串既给 client (HTTP body) 又给 audit log 又给 prometheus reason
185/// (走 [`crate::metrics::classify_limit_reason`] 字符串前缀分桶). 三个 leak:
186///
187/// 1. **client 看到 user 内部数值** — 攻击者撞 daily cap 时能精确推出 cap
188/// threshold 与当前累计 (cap=25000, current=18000 → 还能下 7000).
189/// 2. **prometheus reason label 字符串前缀分桶** — 任何 reason format 漂移
190/// (e.g. 加 ", retry after 60s") 落到 `other` 桶, dashboard 静默断流.
191/// 维护需 "新增 reason category 时同步改 classify_limit_reason match
192/// arm" — 易漂.
193/// 3. **audit log 与 client message 无法独立演进** — 想给 audit 加更细节
194/// 时, 等同于给 client error body 也加, surface mismatch.
195///
196/// **F2 修法**: typed enum + 3 个 method, 各自只 emit 自己 surface 需要的
197/// 信息. caller 用 `match` 编译期穷举确保不漏 surface, [`crate::metrics::
198/// classify_limit_reason`] 仍保留 (作向后兼容兜底字符串路径), 但新代码走
199/// `LimitReason::metric_label()` 拿固定桶名.
200#[derive(Debug, Clone, PartialEq)]
201#[non_exhaustive]
202pub enum LimitReason {
203 /// per-key acc_id 白名单拒 (403). `id` = 实际请求 acc_id, `allowed_count`
204 /// = 配置白名单 entry 数 (audit 用; client surface 不展示).
205 AccIdWhitelist { id: u64, allowed_count: usize },
206 /// 市场白名单拒 (403). `requested` = 请求 market (e.g. "US"),
207 /// `allowed_count` = 配置 set size.
208 MarketWhitelist {
209 requested: String,
210 allowed_count: usize,
211 },
212 /// 品种白名单拒 (403). `requested` = 请求 symbol (e.g. "HK.09988"),
213 /// 不返 allowed list (太长, 也 leak 内部允许品种).
214 SymbolWhitelist { requested: String },
215 /// 交易方向白名单拒 (403). `requested` = 请求 side ("BUY" / "SELL" /
216 /// "SELL_SHORT" / "BUY_BACK"), `allowed_count` = 配置 set size.
217 TrdSideWhitelist {
218 requested: String,
219 allowed_count: usize,
220 },
221 /// 时间窗外拒 (429 — 用户之后再试). `spec` = 配置 (e.g. "09:30-16:00"),
222 /// `now_hhmm` = 当前 local time (e.g. "08:15").
223 HoursOutsideWindow { spec: String, now_hhmm: String },
224 /// 时间窗 spec 解析失败 (429 — 配置 bug). `spec` = 原 string, `err` = 解析错.
225 HoursInvalidSpec { spec: String, err: String },
226 /// 单笔上限超 (403). `value` = 请求金额, `cap` = 配置 per-order cap.
227 PerOrderCap { value: f64, cap: f64 },
228 /// per-minute 速率超 (429). `recent` = 60s 内已下单数, `cap` = 配置 cap.
229 RateLimit { recent: u32, cap: u32 },
230 /// 日累计超 (429). `next` = 累加后 total, `cap` = 配置 daily cap, `current`
231 /// = 累加前 total, `add` = 本次金额.
232 DailyCap {
233 next: f64,
234 cap: f64,
235 current: f64,
236 add: f64,
237 },
238}
239
240impl LimitReason {
241 /// **client surface** (REST 403/429 JSON / gRPC Status.message): 只说
242 /// "rejected by <category>" + 极简 hint, **不含** cap / threshold / current
243 /// 等数值 (反 enumeration / probing).
244 #[must_use]
245 pub fn public_message(&self) -> String {
246 match self {
247 LimitReason::AccIdWhitelist { .. } => "acc_id not in allowed list".to_string(),
248 LimitReason::MarketWhitelist { .. } => "market not in allowed list".to_string(),
249 LimitReason::SymbolWhitelist { .. } => "symbol not in allowed list".to_string(),
250 LimitReason::TrdSideWhitelist { .. } => "trd_side not in allowed list".to_string(),
251 LimitReason::HoursOutsideWindow { .. } => "outside trading hours window".to_string(),
252 LimitReason::HoursInvalidSpec { .. } => {
253 "trading hours window misconfigured".to_string()
254 }
255 LimitReason::PerOrderCap { .. } => "order value exceeds per-order cap".to_string(),
256 LimitReason::RateLimit { .. } => "rate limit exceeded".to_string(),
257 LimitReason::DailyCap { .. } => "daily value cap exceeded".to_string(),
258 }
259 }
260
261 /// **audit / log surface** (内部 ops, full detail), 含数值 + threshold.
262 ///
263 /// 与 v1.4.105 之前 `Reject(String)` 字符串内容兼容 — 保留前缀 (e.g.
264 /// `"rate limit exceeded:"`) 让 [`crate::metrics::classify_limit_reason`]
265 /// 字符串桶继续命中 (向后兼容已有 dashboard).
266 #[must_use]
267 pub fn audit_message(&self) -> String {
268 match self {
269 LimitReason::AccIdWhitelist { id, allowed_count } => {
270 format!("acc_id {id} not in allowed list ({allowed_count} entries)")
271 }
272 LimitReason::MarketWhitelist {
273 requested,
274 allowed_count,
275 } => {
276 format!("market {requested:?} not in allowed list ({allowed_count} entries)")
277 }
278 LimitReason::SymbolWhitelist { requested } => {
279 format!("symbol {requested:?} not in allowed list")
280 }
281 LimitReason::TrdSideWhitelist {
282 requested,
283 allowed_count,
284 } => {
285 format!("trd_side {requested:?} not in allowed list ({allowed_count} entries)")
286 }
287 LimitReason::HoursOutsideWindow { spec, now_hhmm } => {
288 format!("outside hours window {spec} (now={now_hhmm})")
289 }
290 LimitReason::HoursInvalidSpec { spec, err } => {
291 format!("invalid hours_window {spec:?}: {err}")
292 }
293 LimitReason::PerOrderCap { value, cap } => {
294 format!("order value {value:.2} exceeds per-order cap {cap:.2}")
295 }
296 LimitReason::RateLimit { recent, cap } => {
297 format!("rate limit exceeded: {recent} orders in the last 60s (cap {cap})")
298 }
299 LimitReason::DailyCap {
300 next,
301 cap,
302 current,
303 add,
304 } => format!(
305 "daily value cap exceeded: {next:.2} > {cap:.2} (current={current:.2} + order={add:.2})"
306 ),
307 }
308 }
309
310 /// **prometheus surface**: 固定 8 字串集合, 任何漂移 (audit_message format
311 /// 改) 都不影响 dashboard. 与 [`crate::metrics::classify_limit_reason`] 字符串
312 /// 前缀分桶**保持 1-1 对应**, 但典型化为编译期穷举.
313 #[must_use]
314 pub fn metric_label(&self) -> &'static str {
315 match self {
316 LimitReason::AccIdWhitelist { .. } => "acc_id",
317 LimitReason::MarketWhitelist { .. } => "market",
318 LimitReason::SymbolWhitelist { .. } => "symbol",
319 LimitReason::TrdSideWhitelist { .. } => "side",
320 LimitReason::HoursOutsideWindow { .. } | LimitReason::HoursInvalidSpec { .. } => {
321 "hours"
322 }
323 LimitReason::PerOrderCap { .. } => "per_order",
324 LimitReason::RateLimit { .. } => "rate",
325 LimitReason::DailyCap { .. } => "daily",
326 }
327 }
328
329 /// HTTP status code: 429 (rate-like, retry) vs 403 (whitelist/value, don't retry).
330 #[must_use]
331 pub fn http_status_code(&self) -> u16 {
332 match self {
333 // throughput-like (rate / hours / daily) → 429
334 LimitReason::HoursOutsideWindow { .. }
335 | LimitReason::HoursInvalidSpec { .. }
336 | LimitReason::RateLimit { .. }
337 | LimitReason::DailyCap { .. } => 429,
338 // whitelist / value → 403
339 LimitReason::AccIdWhitelist { .. }
340 | LimitReason::MarketWhitelist { .. }
341 | LimitReason::SymbolWhitelist { .. }
342 | LimitReason::TrdSideWhitelist { .. }
343 | LimitReason::PerOrderCap { .. } => 403,
344 }
345 }
346}
347
348/// 限额检查结果
349///
350/// v1.4.36 Bug #1 扩展:拒绝类型区分 `Throughput` vs `Whitelist` vs `Value`,
351/// 让 REST / gRPC middleware 能把不同类型映射到正确的 HTTP status:
352///
353/// - **Throughput**(速率 / 日累计 / 时间窗)→ HTTP 429 Too Many Requests
354/// 客户端按 rate-limit 语义 backoff 重试即可
355/// - **Whitelist**(market / symbol / trd_side / acc_id 不在白名单)→ HTTP 403 Forbidden
356/// 客户端**不该重试**,是权限问题,需要改 key / 改请求参数
357/// - **Value**(单笔上限超 / NaN / inf / 负数)→ HTTP 403 Forbidden
358/// 同 Whitelist,不该重试;需要拆单或换 key
359///
360/// **v1.4.106 codex 0542 F2 [P2 SECURITY]**: `*Reject(String)` variants 现承载
361/// `audit_message()` (内部 full-detail). client surface 应通过新 [`LimitReason`]
362/// 字段拿 `public_message()` (terse, no cap leak). 见 [`Self::reason_typed`].
363///
364/// 老代码用 `Reject(String)`,保留作向后兼容 —— 但新检查应返对应 `*Reject` 类型。
365///
366/// v1.4.106 codex 0538 F1 (P1 SECURITY): `ValueReject` 内部带结构化原因,
367/// 让 fail-closed validation (NaN / inf / negative) 与 normal cap-exceeded
368/// 区分;display 消息仍 backward-compat 字符串格式。
369#[derive(Debug, Clone, PartialEq)]
370#[non_exhaustive]
371pub enum LimitOutcome {
372 Allow,
373 /// 速率 / 日累计 / 时间窗类拒绝(429 语义:客户端应 backoff 重试).
374 /// String = `LimitReason::audit_message()`.
375 ThroughputReject(String),
376 /// 白名单类拒绝(403 语义:权限问题,不该重试).
377 /// String = `LimitReason::audit_message()`.
378 WhitelistReject(String),
379 /// 金额上限拒绝(403 语义:不该重试;拆单或换 key).
380 /// String = `LimitReason::audit_message()`.
381 ValueReject(String),
382 /// **v1.4.106 codex 0542 F2**: typed reject — 推荐新代码用此 variant,
383 /// caller 通过 `LimitReason::public_message()` / `audit_message()` /
384 /// `metric_label()` 各自取所需视图. 与三个老 String variant 共存
385 /// (新代码 emit `Typed`, 老代码 emit `*Reject(String)` 仍工作).
386 Typed(LimitReason),
387}
388
389/// 金额拒绝的结构化原因(v1.4.106 codex 0538 F1 P1 SECURITY)
390///
391/// 区分 fail-closed validation (NaN / inf / negative) 与 normal cap exceed,
392/// 便于 caller 决定是否 audit-log(fail-closed → 高优先级 audit)。display
393/// 消息仍是 backward-compat 字符串。
394///
395/// **NaN / inf / negative 全归 fail-closed**:金融场景不允许这些值流过
396/// 限额引擎 —— LLM agent / proto fuzz / unsanitized REST body 任一来源传
397/// `f64::NAN` 都会让 `value > cap + EPSILON` 静默 false(NaN compare 总返
398/// false),bypass per-order cap 与 daily counter;负数则把 daily counter
399/// **倒减**让后续大单通过。三类全 fail-closed 拒。
400#[derive(Debug, Clone, PartialEq, Eq)]
401#[non_exhaustive]
402pub enum ValueRejectReason {
403 /// 单笔超过 max_order_value cap
404 OverPerOrderCap,
405 /// 日累计超过 max_daily_value cap
406 OverDailyCap,
407 /// order_value 为 NaN(fail-closed)
408 NotANumber,
409 /// order_value 为 +inf / -inf(fail-closed)
410 Infinite,
411 /// order_value 为负数(fail-closed —— 负数会倒减 daily counter)
412 Negative,
413}
414
415impl ValueRejectReason {
416 /// 是否为 fail-closed validation 拒绝(NaN / inf / negative)—— 高优先级 audit
417 #[must_use]
418 pub fn is_fail_closed(&self) -> bool {
419 matches!(self, Self::NotANumber | Self::Infinite | Self::Negative)
420 }
421}
422
423/// 校验 order_value 数值合法性(v1.4.106 codex 0538 F1 P1 SECURITY)
424///
425/// 防御 NaN / inf / negative 三类异常输入。所有走 limit 引擎的 order_value
426/// **必须**先过这层,否则:
427///
428/// - **NaN**:`x > cap + EPSILON` 总 false → bypass 单笔 cap;
429/// daily counter `total + NaN = NaN` → 后续 compare 全 false → 永远 allow.
430/// - **+inf / -inf**:算术 saturate → daily counter inf → 任何后续 add 仍 inf
431/// → reject 但 lose precision;负 inf 让 daily 立即变 -inf → 永远 allow.
432/// - **negative**:daily total + (-100) = total - 100 → daily counter 倒退
433/// → 让后续大单通过 cap.
434///
435/// 三类全 fail-closed (`Err(ValueRejectReason::*)`)。
436pub fn validate_order_value(v: f64) -> Result<f64, ValueRejectReason> {
437 if v.is_nan() {
438 return Err(ValueRejectReason::NotANumber);
439 }
440 if v.is_infinite() {
441 return Err(ValueRejectReason::Infinite);
442 }
443 if v < 0.0 {
444 return Err(ValueRejectReason::Negative);
445 }
446 Ok(v)
447}
448
449impl LimitOutcome {
450 /// 是否拒绝(`!is_allow` 等价于"拒绝")
451 #[must_use]
452 pub fn is_allow(&self) -> bool {
453 matches!(self, LimitOutcome::Allow)
454 }
455
456 /// 拒绝时的 reason 字符串(Allow 返 None).
457 ///
458 /// **v1.4.106 codex 0542 F2 调整**: 现返 `Option<String>` (老
459 /// `Option<&str>` 兼容性 break, 但所有内部 caller 用 `format!("{reason}")`
460 /// 不受影响). 走 [`Self::public_message`] 取 client surface 安全形式.
461 pub fn reason(&self) -> Option<String> {
462 match self {
463 LimitOutcome::Allow => None,
464 LimitOutcome::ThroughputReject(s)
465 | LimitOutcome::WhitelistReject(s)
466 | LimitOutcome::ValueReject(s) => Some(s.clone()),
467 LimitOutcome::Typed(r) => Some(r.audit_message()),
468 }
469 }
470
471 /// **v1.4.106 codex 0542 F2**: typed reason (若 `Typed(r)` variant), 否则 None.
472 #[must_use]
473 pub fn reason_typed(&self) -> Option<&LimitReason> {
474 match self {
475 LimitOutcome::Typed(r) => Some(r),
476 _ => None,
477 }
478 }
479
480 /// **v1.4.106 codex 0542 F2**: client-surface terse message.
481 pub fn public_message(&self) -> Option<String> {
482 match self {
483 LimitOutcome::Allow => None,
484 LimitOutcome::ThroughputReject(s)
485 | LimitOutcome::WhitelistReject(s)
486 | LimitOutcome::ValueReject(s) => Some(s.clone()),
487 LimitOutcome::Typed(r) => Some(r.public_message()),
488 }
489 }
490
491 /// **v1.4.106 codex 0542 F2**: prometheus metric_label (8 固定桶) 若 typed.
492 #[must_use]
493 pub fn metric_label(&self) -> Option<&'static str> {
494 match self {
495 LimitOutcome::Typed(r) => Some(r.metric_label()),
496 _ => None,
497 }
498 }
499
500 /// 适合此拒绝类型的 HTTP 状态码(REST / gRPC middleware 用)
501 ///
502 /// - `Allow` → 200
503 /// - `Throughput` / typed throughput → 429
504 /// - `Whitelist` / `Value` / typed whitelist/value → 403
505 #[must_use]
506 pub fn http_status_code(&self) -> u16 {
507 match self {
508 LimitOutcome::Allow => 200,
509 LimitOutcome::ThroughputReject(_) => 429,
510 LimitOutcome::WhitelistReject(_) | LimitOutcome::ValueReject(_) => 403,
511 LimitOutcome::Typed(r) => r.http_status_code(),
512 }
513 }
514}