pub enum DenialReason {
    RedirectNotInAllowlist,
    InsecureScheme,
    HostInBlockList,
    SizeCapExceeded,
    SchemaDrift,
    CapabilityNotGranted,
    RateLimitWindow,
    SsrfPrivateAddress,
    ContentTypeMismatch,
}
Closed-set reasons a denial-class error envelope can carry on its
optional denial_context.reason field.
Wire form (JSON / MCP) is snake_case — e.g. "redirect_not_in_allowlist".
The set is closed per ADR-0023 §2: adding a new variant is a minor
semver bump; renaming or repurposing one is a breaking change. Mirrors
the stability rule that already governs ErrorCode.
See DenialContext for the surrounding struct, docs/ERRORS.md §3.1
for the wire surface, and docs/PUBLIC_API.md §8 for the
semver-locked surface contract.
Variants
RedirectNotInAllowlist
Redirect target host did not match the source’s allowlist
(HttpError::RedirectDenied).
InsecureScheme
Redirect target had a non-HTTPS scheme (HttpError::InsecureRedirect).
HostInBlockList
Source produced a URL whose host is on a future blocklist.
Reserved — no producer wired yet. Will be emitted by the future
per-source URL host-blocklist guard once that component lands
(post-Phase-1 supply-chain hardening; see
docs/REDIRECT_ALLOWLIST.md §4 for the staging plan).
SizeCapExceeded
Body exceeded PDF_MAX_BYTES (HttpError::OversizedBody).
SchemaDrift
Store entry’s schema_version is ahead of this binary.
Reserved — no producer wired yet. Will be emitted by the
FsStore schema-rejection path once the read-side bump check
lands (it currently only writes the current SCHEMA_VERSION).
CapabilityNotGranted
Source not in the runtime CapabilityProfile
(FetchError::NotEligible).
RateLimitWindow
Rate limiter rejected the call inside the current window.
Reserved — no producer wired yet. Will be emitted by RateLimiter once the limiter surfaces structured denials (Phase 2+; today the limiter only sleeps to enforce the window).
SsrfPrivateAddress
SSRF guard rejected a private / link-local / cloud-metadata address.
Reserved — no producer wired yet. Will be emitted by the future SSRF pre-flight check (post-Phase-1 supply-chain hardening; the workspace currently relies on rustls + the HTTPS-only redirect policy to keep the attack surface small).
ContentTypeMismatch
Response Content-Type / magic-byte mismatch (HttpError::NotAPdf).
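A sketch of the address classification that a pre-flight check behind SsrfPrivateAddress could perform, covering the private, link-local and cloud-metadata cases named above. This is an added example, not code from this crate: the function names are hypothetical, and it assumes the caller has already resolved the host and will connect only to the addresses it checked.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// IPv4 ranges a fetcher should not reach on behalf of a source.
fn v4_internal(ip: Ipv4Addr) -> bool {
    let o = ip.octets();
    ip.is_loopback()                            // 127.0.0.0/8
        || ip.is_private()                      // 10/8, 172.16/12, 192.168/16
        || ip.is_link_local()                   // 169.254/16, incl. 169.254.169.254 metadata
        || ip.is_broadcast()                    // 255.255.255.255
        || o[0] == 0                            // 0.0.0.0/8, incl. unspecified
        || (o[0] == 100 && (o[1] & 0xc0) == 64) // 100.64.0.0/10 shared address space
}

fn v6_internal(ip: Ipv6Addr) -> bool {
    // An IPv4-mapped address (::ffff:a.b.c.d) is judged as the embedded IPv4
    // address, otherwise ::ffff:10.0.0.5 would slip past the IPv4 rules.
    if let Some(v4) = ip.to_ipv4_mapped() {
        return v4_internal(v4);
    }
    let s0 = ip.segments()[0];
    ip.is_loopback()
        || ip.is_unspecified()
        || (s0 & 0xfe00) == 0xfc00 // fc00::/7 unique local
        || (s0 & 0xffc0) == 0xfe80 // fe80::/10 link-local
}

pub fn is_internal(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(a) => v4_internal(a),
        IpAddr::V6(a) => v6_internal(a),
    }
}

/// Hypothetical pre-flight over every resolved address of a host. One internal
/// record is enough to deny; the caller would map Some(_) to SsrfPrivateAddress.
pub fn first_internal(resolved: &[IpAddr]) -> Option<IpAddr> {
    resolved.iter().copied().find(|ip| is_internal(*ip))
}

fn main() {
    // Constructed sample: a public record mixed with a metadata-service record.
    let resolved: Vec<IpAddr> = ["93.184.216.34", "169.254.169.254"]
        .iter()
        .map(|s| s.parse().unwrap())
        .collect();
    println!("offending address: {:?}", first_internal(&resolved));
}
```

The check only holds if the HTTP client then connects to the vetted addresses rather than resolving the name a second time.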
Trait Implementations
impl Clone for DenialReason
fn clone(&self) -> DenialReason
fn clone_from(&mut self, source: &Self)