@suluk/cost - v0.2.0
    Preparing search index...

    Interface CostAttribution

    WHO is charged when a third party fires the event with no live session (C024) — a declared STRATEGY the runtime resolves a concrete principal from, modeled on SulukRateLimit.key. The expression is RUNTIME-ONLY: a C018 runtime-expression that NEVER enters the static matcher (D1-consistent, exactly as C018 walls its callback keys).

    interface CostAttribution {
        strategy: "session" | "event-expression" | "job-stamped";
        expression?: string;
        trust?: "verified" | "unverified-payload";
    }
    Index

    Properties

    strategy: "session" | "event-expression" | "job-stamped"

    session = the live caller (the existing path); event-expression = read the principal from the event payload at runtime; job-stamped = the job carries its own principal.

    expression?: string

    for event-expression: a C018 runtime-expression (e.g. "{$event.body#/customer}"). Runtime-resolved only.

    trust?: "verified" | "unverified-payload"

    is the attribution input authentic? An event-expression off an UNVERIFIED webhook payload is attacker-controlled — honor it as authoritative only when "verified" (a signature/secret check the runtime performs).