audit_trails/core/records/

mod.rs

// Copyright 2020-2026 IOTA Stiftung
// SPDX-License-Identifier: Apache-2.0

//! Record read and mutation APIs for Audit Trails.

use std::collections::{BTreeMap, HashMap};

use iota_interaction::move_core_types::annotated_value::MoveValue;
use iota_interaction::rpc_types::IotaMoveValue;
use iota_interaction::types::base_types::{ObjectID, TypeTag};
use iota_interaction::types::collection_types::LinkedTable;
use iota_interaction::types::dynamic_field::DynamicFieldName;
use iota_interaction::{IotaKeySignature, OptionalSync};
use product_common::core_client::{CoreClient, CoreClientReadOnly};
use product_common::transaction::transaction_builder::TransactionBuilder;
use secret_storage::Signer;
use serde::de::DeserializeOwned;

use crate::core::internal::{linked_table, trail as trail_reader};
use crate::core::trail::{AuditTrailFull, AuditTrailReadOnly};
use crate::core::types::{Data, PaginatedRecord, Record};
use crate::error::Error;

mod operations;
mod transactions;

pub use transactions::{AddRecord, DeleteRecord, DeleteRecordsBatch};

use self::operations::RecordsOps;

const MAX_LIST_PAGE_LIMIT: usize = 1_000;

/// Record API scoped to a specific trail.
///
/// This handle builds record-oriented transactions and loads record data from the trail's linked-table storage.
#[derive(Debug, Clone)]
pub struct TrailRecords<'a, C, D = Data> {
    pub(crate) client: &'a C,
    pub(crate) trail_id: ObjectID,
    pub(crate) selected_capability_id: Option<ObjectID>,
    pub(crate) _phantom: std::marker::PhantomData<D>,
}

impl<'a, C, D> TrailRecords<'a, C, D> {
    pub(crate) fn new(client: &'a C, trail_id: ObjectID, selected_capability_id: Option<ObjectID>) -> Self {
        Self {
            client,
            trail_id,
            selected_capability_id,
            _phantom: std::marker::PhantomData,
        }
    }

    /// Uses the provided capability as the auth capability for subsequent write operations.
    pub fn using_capability(mut self, capability_id: ObjectID) -> Self {
        self.selected_capability_id = Some(capability_id);
        self
    }

    /// Loads a single record by sequence number.
    ///
    /// # Errors
    ///
    /// Returns an error if the record cannot be loaded or deserialized.
    pub async fn get(&self, sequence_number: u64) -> Result<Record<D>, Error>
    where
        C: AuditTrailReadOnly,
        D: DeserializeOwned,
    {
        let tx = RecordsOps::get_record(self.client, self.trail_id, sequence_number).await?;
        self.client.execute_read_only_transaction(tx).await
    }

    /// Builds a transaction that appends a record to the trail.
    ///
    /// Tagged writes must reference a tag already defined on the trail. They also require a capability whose
    /// role allows both `AddRecord` and the requested tag.
    pub fn add<S>(&self, data: D, metadata: Option<String>, tag: Option<String>) -> TransactionBuilder<AddRecord>
    where
        C: AuditTrailFull + CoreClient<S>,
        S: Signer<IotaKeySignature> + OptionalSync,
        D: Into<Data>,
    {
        let owner = self.client.sender_address();
        TransactionBuilder::new(AddRecord::new(
            self.trail_id,
            owner,
            data.into(),
            metadata,
            tag,
            self.selected_capability_id,
        ))
    }

    /// Builds a transaction that deletes a single record.
    ///
    /// Deletion remains subject to record locking rules and tag-based access restrictions enforced on-chain.
    pub fn delete<S>(&self, sequence_number: u64) -> TransactionBuilder<DeleteRecord>
    where
        C: AuditTrailFull + CoreClient<S>,
        S: Signer<IotaKeySignature> + OptionalSync,
    {
        let owner = self.client.sender_address();
        TransactionBuilder::new(DeleteRecord::new(
            self.trail_id,
            owner,
            sequence_number,
            self.selected_capability_id,
        ))
    }

    /// Builds a transaction that deletes up to `limit` records in one operation.
    ///
    /// Batch deletion requires `DeleteAllRecords`, walks the trail from the front in sequence order, and silently
    /// skips records that are either locked or whose tag is not in the capability's allowed set. The returned
    /// vector contains the sequence numbers actually deleted in deletion order; it may be shorter than `limit`
    /// (or empty) when records are skipped or the trail runs out of records before `limit` is reached.
    ///
    /// # Locking semantics
    ///
    /// The set of locked records is fixed at the start of the transaction. For count-based windows, the protected
    /// window is the last `count` records present when the call begins — records this same call deletes do not
    /// change which other records are protected. Time-based locks are evaluated against the clock timestamp
    /// captured at the start of the call. Running `delete_records_batch(limit)` therefore produces the same
    /// final trail state as invoking `delete_record` once per deletable sequence number, as long as the locking
    /// configuration is not mutated and no new records are added between calls.
    ///
    /// # Caveats
    ///
    /// - **Partial progress is not an error.** An empty returned vector means every front-to-back candidate was either
    ///   locked or tag-filtered out.
    /// - **Tag filtering is silent.** A capability with a narrow tag scope can make the batch appear to stop early
    ///   while locked-and-disallowed records still exist further back.
    /// - **Gas and object-size limits.** The call walks and mutates inline; prefer modest `limit` values and repeat the
    ///   call rather than passing a single large `limit`.
    /// - **Order is fixed.** Use [`Self::delete`] to target specific sequence numbers.
    pub fn delete_records_batch<S>(&self, limit: u64) -> TransactionBuilder<DeleteRecordsBatch>
    where
        C: AuditTrailFull + CoreClient<S>,
        S: Signer<IotaKeySignature> + OptionalSync,
    {
        let owner = self.client.sender_address();
        TransactionBuilder::new(DeleteRecordsBatch::new(
            self.trail_id,
            owner,
            limit,
            self.selected_capability_id,
        ))
    }

    /// Placeholder for a future correction helper.
    ///
    /// # Errors
    ///
    /// Always returns [`Error::NotImplemented`].
    pub async fn correct(&self, _replaces: Vec<u64>, _data: D, _metadata: Option<String>) -> Result<(), Error>
    where
        C: AuditTrailFull,
    {
        Err(Error::NotImplemented("TrailRecords::correct"))
    }

    /// Returns the number of records currently stored in the trail.
    ///
    /// # Errors
    ///
    /// Returns an error if the count cannot be computed from the current on-chain state.
    pub async fn record_count(&self) -> Result<u64, Error>
    where
        C: AuditTrailReadOnly,
    {
        let tx = RecordsOps::record_count(self.client, self.trail_id).await?;
        self.client.execute_read_only_transaction(tx).await
    }

    /// Lists all records into a [`HashMap`].
    ///
    /// This traverses the full on-chain linked table and can be expensive for large trails.
    /// For paginated access, use [`list_page`](Self::list_page).
    pub async fn list(&self) -> Result<HashMap<u64, Record<D>>, Error>
    where
        C: AuditTrailReadOnly,
        D: DeserializeOwned,
    {
        let records_table = self.load_records_table().await?;
        list_linked_table::<_, Record<D>>(self.client, &records_table, None).await
    }

    /// Lists all records with a hard cap to protect against expensive traversals.
    pub async fn list_with_limit(&self, max_entries: usize) -> Result<HashMap<u64, Record<D>>, Error>
    where
        C: AuditTrailReadOnly,
        D: DeserializeOwned,
    {
        let records_table = self.load_records_table().await?;
        list_linked_table::<_, Record<D>>(self.client, &records_table, Some(max_entries)).await
    }

    /// Lists one page of linked-table records starting from `cursor`.
    ///
    /// Pass `None` for the first page; use `next_cursor` for subsequent pages.
    pub async fn list_page(&self, cursor: Option<u64>, limit: usize) -> Result<PaginatedRecord<D>, Error>
    where
        C: AuditTrailReadOnly,
        D: DeserializeOwned,
    {
        if limit > MAX_LIST_PAGE_LIMIT {
            return Err(Error::InvalidArgument(format!(
                "page limit {limit} exceeds max supported page size {MAX_LIST_PAGE_LIMIT}"
            )));
        }

        let records_table = self.load_records_table().await?;
        let (records, next_cursor) =
            list_linked_table_page::<_, Record<D>>(self.client, &records_table, cursor, limit).await?;

        Ok(PaginatedRecord {
            has_next_page: next_cursor.is_some(),
            next_cursor,
            records,
        })
    }

    async fn load_records_table(&self) -> Result<LinkedTable<u64>, Error>
    where
        C: AuditTrailReadOnly,
    {
        trail_reader::get_audit_trail(self.trail_id, self.client)
            .await
            .map(|on_chain_trail| on_chain_trail.records)
    }
}

async fn list_linked_table_page<C, V>(
    client: &C,
    table: &LinkedTable<u64>,
    start_key: Option<u64>,
    limit: usize,
) -> Result<(BTreeMap<u64, V>, Option<u64>), Error>
where
    C: CoreClientReadOnly + OptionalSync,
    V: DeserializeOwned,
{
    // Preserve linked-table order while exposing a page as a stable Rust map keyed by sequence number.
    if limit == 0 {
        return Ok((BTreeMap::new(), start_key.or(table.head)));
    }

    let mut cursor = start_key.or(table.head);
    let mut items = BTreeMap::new();

    for _ in 0..limit {
        let Some(key) = cursor else { break };

        if items.contains_key(&key) {
            return Err(Error::UnexpectedApiResponse(format!(
                "cycle detected while traversing linked-table {table_id}; repeated key {key}",
                table_id = table.id
            )));
        }

        let node = linked_table::fetch_node::<_, u64, V>(
            client,
            table.id,
            DynamicFieldName {
                type_: TypeTag::U64,
                value: IotaMoveValue::from(MoveValue::U64(key)).to_json_value(),
            },
        )
        .await?;

        cursor = node.next;
        items.insert(key, node.value);
    }

    Ok((items, cursor))
}

async fn list_linked_table<C, V>(
    client: &C,
    table: &LinkedTable<u64>,
    max_entries: Option<usize>,
) -> Result<HashMap<u64, V>, Error>
where
    C: CoreClientReadOnly + OptionalSync,
    V: DeserializeOwned,
{
    // Full traversal is only allowed when the caller explicitly accepts the current linked-table size.
    let expected = table.size as usize;
    let cap = max_entries.unwrap_or(expected);

    if expected > cap {
        return Err(Error::InvalidArgument(format!(
            "linked-table size {expected} exceeds max_entries {cap}"
        )));
    }

    let (entries, next_key) = list_linked_table_page(client, table, None, expected).await?;

    if entries.len() != expected {
        return Err(Error::UnexpectedApiResponse(format!(
            "linked-table traversal mismatch; expected {expected} entries, got {}",
            entries.len()
        )));
    }

    if next_key.is_some() {
        return Err(Error::UnexpectedApiResponse(format!(
            "linked-table traversal has extra entries beyond declared size {expected}"
        )));
    }

    Ok(entries.into_iter().collect())
}