Enum PiiError 

#[non_exhaustive]
pub enum PiiError {
    TierTooLow,
    TypeMismatch,
    CipherDowngrade,
    AadMismatch,
    DecodeFailed,
    InvalidKeyLength,
    EncryptFailed,
    UnsupportedAead,
    DekExhausted,
    ShellPiiCodeOutOfRange,
    ShellPiiAlreadyRegistered,
}

Crypto-erasure + PII handling failure taxonomy.

The display strings are intentionally brief — public error surfaces stay opaque; operator-facing detail is logged separately.

Variants (Non-exhaustive)

Non-exhaustive enums could have additional variants added in future. Therefore, when matching against variants of non-exhaustive enums, an extra wildcard arm must be added to account for any future variants.

TierTooLow

Current feature set rejects encryption — the caller is running at Tier-0 (default) with no KMS backend wired.

TypeMismatch

Wire pii_code did not match the expected T::PII_CODE — the ciphertext was presented for decryption under the wrong marker type (type-confused-deputy mitigation).

CipherDowngrade

The record’s aead_kind did not match the manifest policy ([audit.pii_cipher]). Downgrade attempts are refused at the decryption boundary.

AadMismatch

AEAD tag verification failed — the AAD was tampered with, the DEK is wrong, or the ciphertext is corrupt.

DecodeFailed

The plaintext decoded correctly at the AEAD layer but failed postcard decoding into T. Usually a schema_version drift.

InvalidKeyLength

Dek buffer was not the expected 32 bytes — construction-time guard (Dek::from_bytes never hands out a short key).

EncryptFailed

AEAD encryption primitive reported an internal error. Opaque on purpose; operator log holds the crate-level detail.

UnsupportedAead

The coordinator was invoked against an unsupported AeadKind under the current feature set — e.g. AES-GCM under tier-1-kms alone.

DekExhausted

Per-DEK monotonic counter reached u64::MAX — the AES-GCM / AES-GCM-SIV paths cannot issue another deterministic nonce without risking reuse. Operator must rotate the DEK before further encryption.

ShellPiiCodeOutOfRange

Shell-scoped PII marker declared a pii_code outside the reserved 0x0100..=0xFFFF range. Canonical codes (0x0001..=0x00FF) are owned by the sealed PiiType trait and cannot be registered through the shell channel.

ShellPiiAlreadyRegistered

Shell manifest tried to register a pii_code that another entry in the same registry already owns. Registration is append-only; removals flow through the shell sunset policy.

Trait Implementations

impl Debug for PiiError

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Display for PiiError

fn fmt(&self, __formatter: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Error for PiiError

fn source(&self) -> Option<&(dyn Error + 'static)>

Returns the lower-level source of this error, if any.

fn description(&self) -> &str

👎Deprecated since 1.42.0:

use the Display impl or to_string()

fn cause(&self) -> Option<&dyn Error>

👎Deprecated since 1.33.0:

replaced by Error::source, which can support downcasting

fn provide<'a>(&'a self, request: &mut Request<'a>)

🔬This is a nightly-only experimental API. (error_generic_member_access)

Provides type-based access to context intended for error reports.