# `Squidie.ReadModel.Visibility`
[🔗](https://github.com/dark-trench/squidie/blob/main/lib/squidie/read_model/visibility.ex#L1)

Actor-scoped read-model redaction helpers.

Visibility is a host-owned authorization boundary. Squidie keeps durable
history immutable and returns factual read models; host applications can call
this module at their HTTP, LiveView, CLI, or dashboard boundary to derive a
less-sensitive view for a specific actor.

# `policy`

```elixir
@type policy() ::
  scope()
  | module()
  | {module(), term()}
  | (term(), term() -> scope() | {:ok, scope()})
```

# `scope`

```elixir
@type scope() :: :external | :operator | :auditor
```

# `visibility_error`

```elixir
@type visibility_error() ::
  {:invalid_visibility_policy,
   :missing_callback | {:scope, term()} | {:policy, term()}}
```

# `redact`

```elixir
@spec redact(term(), term(), policy()) :: {:ok, term()} | {:error, visibility_error()}
```

Applies a host-owned visibility policy to a read-model view.

Supported policy forms:

- `:external`, `:operator`, or `:auditor`
- a two-arity function `(actor, view -> scope | {:ok, scope})`
- a module exporting `visibility_scope/2`
- `{module, opts}` for modules exporting `visibility_scope/3`

`:auditor` returns the original view. `:external` and `:operator` preserve
high-level status and current/manual task shape while removing payloads,
command history, claim metadata, attempt inputs/results/errors, and other
nested runtime evidence.

---

*Consult [api-reference.md](api-reference.md) for complete listing*