Cosmos: RID-aware resource references and raw-path protocol (1/3)

Slice 1 of 3 (stacked, epic #4637) of the Cosmos RID-addressing work. This slice is driver-internal only and has no public API surface.

Add RID-capable ContainerReference (new_by_rid, base_path, is_by_rid; database_name/name_based_path now return Option) and the raw-path / lowercased-RID signing protocol in CosmosResourceReference (compute_paths, rid_signing_override, is_rid_addressed, ResourcePaths::is_rid_based, encode_path_segments). build_transport_request sends RID-based paths raw and percent-encodes name-based paths; session_container indexes on base_path.

validate_addressing and the CLIENT_MIXED_NAME_RID_ADDRESSING status are intentionally deferred to Slice 2; addressing_conflict/parent_chain_is_rid are debug-only here. A minimal compile shim in container_cache.rs adapts to the new Option-returning database_name.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: simorenoh

sdk/cosmos/azure_data_cosmos_driver/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Release History
 
+## 0.6.0 (Unreleased)
+
+### Features Added
+
+### Breaking Changes
+
+### Bugs Fixed
+
+- RID-addressed requests are now signed and routed correctly. The driver signs them over the lowercased resource RID (the leaf for point reads, the parent for feeds), matching the service's `is_name_based = false` rule, and sends the RID raw in the request URL path; name-addressed paths continue to be percent-encoded. Previously the driver signed the full name-style resource link and percent-encoded the RID for every request, so RID-addressed reads were rejected with `401 Unauthorized`. ([#4640](https://github.com/Azure/azure-sdk-for-rust/pull/4640))
+
+### Other Changes
+
 ## 0.5.0 (2026-06-19)
 
 ### Features Added

sdk/cosmos/azure_data_cosmos_driver/src/driver/cache/container_cache.rs

@@ -28,7 +28,7 @@ impl ContainerNameKey {
     fn from_container(c: &ContainerReference) -> Self {
         Self {
             account_endpoint: c.account().endpoint().as_str().to_owned(),
-            db_name: c.database_name().to_owned(),
+            db_name: c.database_name().unwrap_or_default().to_owned(),
             container_name: c.name().to_owned(),
         }
     }
@@ -378,8 +378,8 @@ mod tests {
             .await
             .unwrap();
 
-        assert_eq!(r1.database_name(), "db1");
-        assert_eq!(r2.database_name(), "db2");
+        assert_eq!(r1.database_name(), Some("db1"));
+        assert_eq!(r2.database_name(), Some("db2"));
     }
 
     // --- get returns none ---

sdk/cosmos/azure_data_cosmos_driver/src/driver/pipeline/operation_pipeline.rs

@@ -27,9 +27,9 @@ use crate::{
         transport::CosmosTransport,
     },
     models::{
-        cosmos_headers::QUERY_CONTENT_TYPE, request_header_names, AccountEndpoint, ActivityId,
-        CosmosOperation, CosmosResponse, Credential, DefaultConsistencyLevel,
-        EffectivePartitionKey, OperationType, SessionToken, SubStatusCode,
+        cosmos_headers::QUERY_CONTENT_TYPE, encode_path_segments, request_header_names,
+        AccountEndpoint, ActivityId, CosmosOperation, CosmosResponse, Credential,
+        DefaultConsistencyLevel, EffectivePartitionKey, OperationType, SessionToken, SubStatusCode,
     },
     options::{
         HedgeThreshold, OperationOptionsView, ReadConsistencyStrategy, Region,
@@ -1269,7 +1269,17 @@ fn build_transport_request(
         } else {
             format!("/{}", request_path)
         };
-        base.set_path(&normalized);
+        // Name-based paths are percent-encoded so the gateway reconstructs the
+        // same resource link we signed (names may contain reserved characters).
+        // RID-based paths must be sent raw: encoding the `=` padding of a base64
+        // RID makes the gateway treat the segment as a name and reject the
+        // RID-based signature. The authorization signature is derived from
+        // `paths` below (a lowercased RID for RID-addressed requests).
+        if paths.is_rid_based() {
+            base.set_path(&normalized);
+        } else {
+            base.set_path(&encode_path_segments(&normalized));
+        }
         base
     };
 

sdk/cosmos/azure_data_cosmos_driver/src/driver/routing/session_container.rs

@@ -33,11 +33,15 @@ struct SessionContainerInner {
     name_to_rid: HashMap<String, ResourceId>,
 }
 
-/// Returns the `dbs/{db}/colls/{coll}` name path from a [`ContainerReference`],
-/// reusing the pre-computed `name_based_path` by skipping the leading `/`.
+/// Returns the container path used as the session-token index key, reusing the
+/// pre-computed path by skipping the leading `/`.
+///
+/// For name-addressed containers this is `dbs/{db}/colls/{coll}`; for RID-addressed
+/// containers it is the RID-based path. Either way it is stable per container and
+/// consistent between `set` and `resolve`, which is all the name→RID fallback needs.
 fn name_path(container: &ContainerReference) -> &str {
-    // name_based_path() returns "/dbs/{db}/colls/{coll}"; skip the leading '/'.
-    &container.name_based_path()[1..]
+    // base_path() returns "/dbs/.../colls/..."; skip the leading '/'.
+    &container.base_path()[1..]
 }
 
 impl SessionContainer {