assay_core/runtime/mod.rs
//! Runtime mandate enforcement.
//!
//! Authorizes tool calls against mandates and consumes those mandates at
//! runtime. The properties this module is responsible for are:
//!
//! - atomic single-use enforcement,
//! - nonce replay prevention,
//! - idempotent consumption.
//!
//! ## Architecture (SPEC-Mandate-v1.0.3 §7)
//!
//! ```text
//! ┌─────────────────────────────────────────────────────────────────┐
//! │                            MCP Proxy                            │
//! │  ┌──────────────┐    ┌──────────────┐    ┌──────────────────┐   │
//! │  │ Policy Check │───▶│  Authorizer  │───▶│ Forward to Tool  │   │
//! │  └──────────────┘    └──────┬───────┘    └────────┬─────────┘   │
//! │                             │                     │             │
//! │                     ┌───────▼───────┐      ┌──────▼──────┐      │
//! │                     │ MandateStore  │      │ Tool Server │      │
//! │                     │   (SQLite)    │      └─────────────┘      │
//! │                     └───────────────┘                           │
//! └─────────────────────────────────────────────────────────────────┘
//! ```
//!
//! Reading the diagram: inside the MCP proxy a call passes the policy check,
//! then the `Authorizer`, and is then forwarded to the tool server. The
//! `Authorizer` is the component attached to the SQLite-backed `MandateStore`.
//!
//! NOTE(review): none of the enforcement code is in this file; it only
//! declares the submodules and re-exports their API. The single-use and replay
//! guarantees presumably rest on how `mandate_store` performs its check and
//! write against SQLite (one transaction, uniqueness constraints in
//! `MANDATE_SCHEMA`) — confirm there.

// The submodules are private: callers can reach only the names re-exported
// below, so this list is the module's whole public surface.
mod authorizer;
mod mandate_store;
mod schema;

// --- re-exports from `authorizer` ---

// NOTE(review): going by its name this is the default tolerance for clock
// differences in time-based checks; a larger value would lengthen the period
// in which a mandate outside its validity window is still accepted. Confirm
// the value and where it is applied in `authorizer`.
pub use authorizer::DEFAULT_CLOCK_SKEW_SECONDS;
// Failure types (by name; the definitions are in the submodule).
pub use authorizer::{AuthorizeError, PolicyError};
// The authorizer and its configuration type.
pub use authorizer::{Authorizer, AuthzConfig};
// Remaining types exported alongside the authorizer.
pub use authorizer::{MandateData, MandateKind, OperationClass, ToolCallData};

// --- re-exports from `mandate_store` ---

// NOTE(review): presumably derives the identifier that makes consumption
// idempotent — verify against its definition.
pub use mandate_store::compute_use_id;
pub use mandate_store::AuthzError;
pub use mandate_store::{AuthzReceipt, ConsumeParams, MandateMetadata, MandateStore};

// --- re-exports from `schema` ---

pub use schema::MANDATE_SCHEMA;