session = the live caller (the existing path); event-expression = read the principal from the event payload at runtime; job-stamped = the job carries its own principal.
Optionalexpressionfor event-expression: a C018 runtime-expression (e.g. "{$event.body#/customer}"). Runtime-resolved only.
Optionaltrustis the attribution input authentic? An event-expression off an UNVERIFIED webhook payload is attacker-controlled — honor it as authoritative only when "verified" (a signature/secret check the runtime performs).
WHO is charged when a third party fires the event with no live session (C024) — a declared STRATEGY the runtime resolves a concrete principal from, modeled on
SulukRateLimit.key. Theexpressionis RUNTIME-ONLY: a C018 runtime-expression that NEVER enters the static matcher (D1-consistent, exactly as C018 walls its callback keys).