spinframework · itowlson · Mar 24, 2026 · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/factor-key-value/src/host.rs b/crates/factor-key-value/src/host.rs
@@ -235,7 +235,11 @@ impl spin_core::wasmtime::component::HasData for KeyValueDispatch {
     type Data<'a> = &'a mut KeyValueDispatch;
 }
 
-impl v3::Host for KeyValueDispatch {}
+impl v3::Host for KeyValueDispatch {
+    fn convert_error(&mut self, err: v3::Error) -> anyhow::Result<v3::Error> {
+        Ok(err)
+    }
+}
 
 impl v3::HostStore for KeyValueDispatch {
     async fn drop(&mut self, store: Resource<v3::Store>) -> Result<()> {
@@ -248,19 +252,19 @@ impl v3::HostStoreWithStore for crate::KeyValueFactorData {
     async fn open<T>(
         accessor: &Accessor<T, Self>,
         label: String,
-    ) -> Result<Result<Resource<v3::Store>, v3::Error>> {
+    ) -> Result<Resource<v3::Store>, v3::Error> {
         let (allowed, manager) = accessor.with(|mut access| {
             let host = access.get();
             host.otel.reparent_tracing_span();
             (host.allowed_stores.contains(&label), host.manager.clone())
         });
 
         if !allowed {
-            return Ok(Err(v3::Error::AccessDenied));
+            return Err(v3::Error::AccessDenied);
         }
 
-        let store = manager.get(&label).await?;
-        store.after_open().await?;
+        let store = manager.get(&label).await.map_err(to_v3_err)?;
+        store.after_open().await.map_err(to_v3_err)?;
 
         let rsrc = accessor.with(|mut access| {
             let host = access.get();
@@ -270,87 +274,97 @@ impl v3::HostStoreWithStore for crate::KeyValueFactorData {
                 .map_err(|()| v3::Error::StoreTableFull)
         });
 
-        Ok(rsrc)
+        rsrc
     }
 
     async fn get<T>(
         accessor: &Accessor<T, Self>,
         store: Resource<v3::Store>,
         key: String,
-    ) -> Result<Result<Option<Vec<u8>>, v3::Error>> {
-        let store = accessor.with(|mut access| {
-            let host = access.get();
-            host.otel.reparent_tracing_span();
-            host.get_store(store).cloned()
-        })?;
-        Ok(store
+    ) -> Result<Option<Vec<u8>>, v3::Error> {
+        let store = accessor
+            .with(|mut access| {
+                let host = access.get();
+                host.otel.reparent_tracing_span();
+                host.get_store(store).cloned()
+            })
+            .map_err(|_| v3::Error::NoSuchStore)?;
+        store
             .get(&key, MAX_HOST_BUFFERED_BYTES)
             .await
             .map_err(to_v3_err)
-            .map_err(track_error_on_span_v3))
+            .map_err(track_error_on_span_v3)
     }
 
     async fn set<T>(
         accessor: &Accessor<T, Self>,
         store: Resource<v3::Store>,
         key: String,
         value: Vec<u8>,
-    ) -> Result<Result<(), v3::Error>> {
-        let store = accessor.with(|mut access| {
-            let host = access.get();
-            host.otel.reparent_tracing_span();
-            host.get_store(store).cloned()
-        })?;
-        Ok(store
+    ) -> Result<(), v3::Error> {
+        let store = accessor
+            .with(|mut access| {
+                let host = access.get();
+                host.otel.reparent_tracing_span();
+                host.get_store(store).cloned()
+            })
+            .map_err(|_| v3::Error::NoSuchStore)?;
+        store
             .set(&key, &value)
             .await
             .map_err(to_v3_err)
-            .map_err(track_error_on_span_v3))
+            .map_err(track_error_on_span_v3)
     }
 
     async fn delete<T>(
         accessor: &Accessor<T, Self>,
         store: Resource<v3::Store>,
         key: String,
-    ) -> Result<Result<(), v3::Error>> {
-        let store = accessor.with(|mut access| {
-            let host = access.get();
-            host.otel.reparent_tracing_span();
-            host.get_store(store).cloned()
-        })?;
-        Ok(store
+    ) -> Result<(), v3::Error> {
+        let store = accessor
+            .with(|mut access| {
+                let host = access.get();
+                host.otel.reparent_tracing_span();
+                host.get_store(store).cloned()
+            })
+            .map_err(|_| v3::Error::NoSuchStore)?;
+        store
             .delete(&key)
             .await
             .map_err(to_v3_err)
-            .map_err(track_error_on_span_v3))
+            .map_err(track_error_on_span_v3)
     }
 
     async fn exists<T>(
         accessor: &Accessor<T, Self>,
         store: Resource<v3::Store>,
         key: String,
-    ) -> Result<Result<bool, v3::Error>> {
-        let store = accessor.with(|mut access| {
-            let host = access.get();
-            host.otel.reparent_tracing_span();
-            host.get_store(store).cloned()
-        })?;
-        Ok(store
+    ) -> Result<bool, v3::Error> {
+        let store = accessor
+            .with(|mut access| {
+                let host = access.get();
+                host.otel.reparent_tracing_span();
+                host.get_store(store).cloned()
+            })
+            .map_err(|_| v3::Error::NoSuchStore)?;
+        store
             .exists(&key)
             .await
             .map_err(to_v3_err)
-            .map_err(track_error_on_span_v3))
+            .map_err(track_error_on_span_v3)
     }
 
     async fn get_keys<T>(
         accessor: &Accessor<T, Self>,
         store: Resource<v3::Store>,
     ) -> Result<(StreamReader<String>, FutureReader<Result<(), v3::Error>>)> {
-        let store = accessor.with(|mut access| {
-            let host = access.get();
-            host.otel.reparent_tracing_span();
-            host.get_store(store).cloned()
-        })?;
+        let store = accessor
+            .with(|mut access| {
+                let host = access.get();
+                host.otel.reparent_tracing_span();
+                host.get_store(store).cloned()
+            })
+            .map_err(|_| v3::Error::NoSuchStore)?;
 
         let (keys_rx, err_rx) = store.get_keys_async(MAX_HOST_BUFFERED_BYTES).await;
 

diff --git a/crates/factor-outbound-mqtt/src/allowed_hosts.rs b/crates/factor-outbound-mqtt/src/allowed_hosts.rs
@@ -0,0 +1,21 @@
+use std::sync::Arc;
+
+use anyhow::Result;
+use spin_factor_outbound_networking::config::allowed_hosts::OutboundAllowedHosts;
+
+#[derive(Clone)]
+pub struct AllowedHostChecker {
+    allowed_hosts: Arc<OutboundAllowedHosts>,
+}
+
+impl AllowedHostChecker {
+    pub fn new(allowed_hosts: OutboundAllowedHosts) -> Self {
+        Self {
+            allowed_hosts: Arc::new(allowed_hosts),
+        }
+    }
+
+    pub async fn is_address_allowed(&self, address: &str) -> Result<bool> {
+        self.allowed_hosts.check_url(address, "mqtt").await
+    }
+}