Alpha. Vary is under active development and not ready for production use. Syntax, APIs, performance, and behaviour may change between releases.
content
import content exposes the runtime-backed domain types that represent
validated public content. Every type has a private constructor; the only
way to produce a value is the corresponding Type.validate(raw) call.
| Domain type | Purpose |
|---|---|
IssueTitle | Bounded length, no control characters, no markup. |
MarkdownBody | Bounded length; safe for Markdown.render_body(...). |
SafeHtml | Output of trusted HTML producers (see below). |
PlainText | Bounded text with control characters stripped. |
Username | Length, allowed characters, reserved-name list. |
EmailAddress | Length and format check. |
LabelName | Issue label rules. |
PublicUrl | URL parsing plus UrlPolicy checks. |
SearchText | Search-friendly text (normalized, length bound). |
SearchIndex | Normalized search input ready to feed the search index. |
Content-type selection
The Vary HTTP runtime emits the correct response Content-Type for the
declared response shape:
| Response form | Content-Type |
|---|---|
response NameResponse { ... } | application/json; charset=utf-8 |
Handler returning a JSON envelope from api_response | application/json; charset=utf-8 |
Markdown.render_body(...).safe_html() | text/html; charset=utf-8 |
xml_document(root) | application/atom+xml or application/xml |
| Plain text body | text/plain; charset=utf-8 |
For routes that need a non-default media type, use the raw_content
endpoint clause (see HTTP services). The boundary refuses
to mix declared media types with hand-built Str bodies that pass
through unchecked.
Security constraints
content is the only safe source for the typed HTML and Markdown sinks.
Direct Str flow into Markdown.render_body, the SafeHtml sink, or the
HTML response body is a compile error - the type checker rejects it before
code generation. Validate at the boundary, work with the domain type, and
let the runtime render.