Enum Scope 

#[non_exhaustive]
pub enum Scope {
    QotRead,
    AccRead,
    TradeSimulate,
    TradeReal,
    TradeUnlock,
    Admin,
    Trade,
    MetricsRead,
}

API Key 能力分组

Variants (Non-exhaustive)

Non-exhaustive enums could have additional variants added in future. Therefore, when matching against variants of non-exhaustive enums, an extra wildcard arm must be added to account for any future variants.

QotRead

行情只读（11 个工具）

AccRead

账户只读（5 个工具）

TradeSimulate

模拟交易写

TradeReal

真实交易写

TradeUnlock

允许自动 unlock_trade（从 keychain 读密码）

Admin

v1.4.32+ daemon 管理 (/api/admin/status|reload|shutdown)。 权限危险，只给运维 / 监控 key；LLM key 永远不要加这个。

Trade

v1.4.90 P1-A: trade 类 super-scope。仅在 REST middleware scope_for_path 用作“需要任意 trade scope“的占位需求*：持有 Scope::TradeReal / Scope::TradeSimulate / Scope::TradeUnlock 任一即满足。不应写入 keys.json（KeyRecord.scopes 里出现 Scope::Trade 没意义，等价于不分 sim/real/unlock 的旧式权限）。 env 是 sim 还是 real 由 handler 层用 KeyRecord 真实 scopes 二次校验。

MetricsRead

v1.4.106 codex 0542 F1 [P2 SECURITY]: /metrics 端点 scope-gated 的 专用 scope. default secure — 不再像 v1.4.105 之前那样无 auth 暴露 key_id 标签 (= API key id 明文 cardinality enumeration channel, 任意本机 process / agent skill 都能 fingerprint).

行为:

• 持 MetricsRead 的 key → /metrics 通过, key_id= label 仍 redact 为 kh_<8hex> (短 SHA256 hash, 反查 key id 需要离线 dictionary 攻击)
• 不持 MetricsRead → 401 (legacy 模式) 或 403
• opt-out: 老用户 dashboard 依赖明文 key_id 时设 FUTU_METRICS_PUBLIC=1 环境变量回退 v1.4.105 行为 (无 auth + 明文 key_id). 此为 backward-compat 边界 trade-off — secure default + 明示 opt-out, 而非 opt-in.

与 Scope::Admin 区别: Admin 含 mutating endpoint (shutdown/reload), MetricsRead 仅 read-only Prometheus 抓取. dashboard / Prometheus scraper 应持 MetricsRead 而不是 Admin.

Implementations

impl Scope

pub const ALL: &'static [Scope]

pub fn as_str(&self) -> &'static str

pub fn trade_super_members() -> &'static [Scope]

v1.4.90 P1-A: super-scope Scope::Trade 的成员集合。REST middleware 在 mutating trade endpoint 的需求侧用 Scope::Trade 占位，持有任一成员即视为满足；handler 层再用真实 scopes 二次校验 env (sim/real/unlock).

Trait Implementations

impl Clone for Scope

fn clone(&self) -> Scope

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Scope

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for Scope

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Display for Scope

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl From<Scope> for String

fn from(s: Scope) -> String

Converts to this type from the input type.

impl FromStr for Scope

type Err = ScopeParseError

The associated error which can be returned from parsing.

fn from_str(s: &str) -> Result<Self, Self::Err>

Parses a string s to return a value of this type.

impl Hash for Scope

fn hash<__H: Hasher>(&self, state: &mut __H)

Feeds this value into the given Hasher.

fn hash_slice<H>(data: &[Self], state: &mut H)

where H: Hasher, Self: Sized,

Feeds a slice of this type into the given Hasher.

impl PartialEq for Scope

fn eq(&self, other: &Scope) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for Scope

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.

impl TryFrom<String> for Scope

type Error = ScopeParseError

The type returned in the event of a conversion error.

fn try_from(value: String) -> Result<Self, Self::Error>

Performs the conversion.

impl Copy for Scope

impl Eq for Scope

impl StructuralPartialEq for Scope