DIVERGENCE FROM @kehto/acl: acl uses dTag:hash to distinguish napplet
versions. The firewall intentionally omits the hash so rate budgets are shared
across ALL versions of the same napplet dTag. This is the correct behavior for
a behavioral abuse control: we want to track the napplet identity over time,
not its specific loaded version.
Parameters
napplet: string
Napplet dTag (version-agnostic identity key)
opClass: string
Operation class string (e.g. 'relay:write', 'outbox:publish')
Compute the token-bucket key from napplet dTag and operation class.
Key shape:
${napplet}:${opClass}— deliberately dTag-only (version-agnostic).DIVERGENCE FROM @kehto/acl: acl uses
dTag:hashto distinguish napplet versions. The firewall intentionally omits the hash so rate budgets are shared across ALL versions of the same napplet dTag. This is the correct behavior for a behavioral abuse control: we want to track the napplet identity over time, not its specific loaded version.