Skip to content

feat: define clamp_limit behavior contract for pagination #402

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Baskarayelu merged 2 commits into from
Mar 28, 2026
+39 −0
Merged

feat: define clamp_limit behavior contract for pagination #402

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
41282a5
feat: define clamp_limit behavior contract for pagination
emperorsixpacks Mar 25, 2026
57c06dc
Merge branch 'main' into feature/common-clamp-limit-contract
Baskarayelu Mar 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions remitwise-common/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,45 @@ pub const CONTRACT_VERSION: u32 = 1;
pub const MAX_BATCH_SIZE: u32 = 50;

/// Helper function to clamp limit
///
/// # Behavior Contract
///
/// `clamp_limit` normalises a caller-supplied page-size value so that every
/// pagination call in the workspace uses a consistent, bounded limit.
///
/// ## Rules (in evaluation order)
///
/// | Input condition | Returned value | Rationale |
/// |--------------------------|----------------------|------------------------------------------------|
/// | `limit == 0` | `DEFAULT_PAGE_LIMIT` | Zero is treated as "use the default". |
/// | `limit > MAX_PAGE_LIMIT` | `MAX_PAGE_LIMIT` | Cap to prevent unbounded storage reads. |
/// | otherwise | `limit` | Caller value is within the valid range. |
///
/// ## Invariants
///
/// - The return value is always in the range `[1, MAX_PAGE_LIMIT]`.
/// - `clamp_limit(0) == DEFAULT_PAGE_LIMIT` (default substitution).
/// - `clamp_limit(MAX_PAGE_LIMIT) == MAX_PAGE_LIMIT` (boundary is inclusive).
/// - `clamp_limit(MAX_PAGE_LIMIT + 1) == MAX_PAGE_LIMIT` (cap is enforced).
/// - The function is pure and has no side effects.
///
/// ## Security Assumptions
///
/// - Callers must not rely on receiving a value larger than `MAX_PAGE_LIMIT`.
/// - A zero input is **not** an error; it is silently replaced with the default.
/// Contracts that need to distinguish "no limit requested" from "default limit"
/// should inspect the raw input before calling this function.
///
/// ## Usage
///
/// ```rust
/// use remitwise_common::{clamp_limit, DEFAULT_PAGE_LIMIT, MAX_PAGE_LIMIT};
///
/// assert_eq!(clamp_limit(0), DEFAULT_PAGE_LIMIT);
/// assert_eq!(clamp_limit(10), 10);
/// assert_eq!(clamp_limit(MAX_PAGE_LIMIT), MAX_PAGE_LIMIT);
/// assert_eq!(clamp_limit(MAX_PAGE_LIMIT + 1), MAX_PAGE_LIMIT);
/// ```
pub fn clamp_limit(limit: u32) -> u32 {
if limit == 0 {
DEFAULT_PAGE_LIMIT
Expand Down
Loading