codetether_agent/server/auth/claims.rs
use serde::{Deserialize, Serialize};

/// JWT claims extracted from a Bearer token payload.
///
/// These claims are attached to the request after authentication succeeds so
/// downstream handlers can scope behavior such as bus topic access.
///
/// Every field is marked `#[serde(default)]`, so a payload that omits a claim
/// still deserializes: list claims become empty and optional claims become
/// `None`. Deserializing this type performs no signature, expiry, issuer or
/// audience validation, and the struct carries no `exp`/`nbf`/`iss`/`aud`
/// fields; a populated value is only as trustworthy as the verification that
/// ran before it was built.
///
/// The derived `Debug` and `Serialize` output includes `subject` and
/// `tenant_id`, which matters wherever claims are logged or echoed back.
///
/// # Examples
///
/// ```rust
/// use codetether_agent::server::auth::JwtClaims;
///
/// let claims = JwtClaims {
///     topics: vec!["agent.alpha".into()],
///     subject: Some("worker-1".into()),
///     scopes: vec!["bus:read".into()],
///     roles: vec!["viewer".into()],
///     tenant_id: Some("tenant-1".into()),
///     auth_source: Some("jwt".into()),
/// };
///
/// assert_eq!(claims.subject.as_deref(), Some("worker-1"));
/// assert_eq!(claims.topics, vec!["agent.alpha"]);
/// ```
// NOTE(review): the verification step is not visible in this file. Confirm that
// signature, expiry and audience are checked before a `JwtClaims` value is
// attached to a request.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct JwtClaims {
    /// Allowed topics for bus stream filtering. Empty when the claim is absent.
    // NOTE(review): confirm consumers treat an empty list as "no topics
    // allowed" rather than "unfiltered"; `JwtClaims::default()` also yields an
    // empty list.
    #[serde(default)]
    pub topics: Vec<String>,
    /// Optional user identifier, read from and written to the `sub` claim.
    #[serde(default, rename = "sub")]
    pub subject: Option<String>,
    /// Additional scopes from the JWT. Empty when the claim is absent.
    #[serde(default)]
    pub scopes: Vec<String>,
    /// Authorization roles from the JWT or API key claim payload. Empty when
    /// the claim is absent.
    #[serde(default)]
    pub roles: Vec<String>,
    /// Optional tenant identifier for policy isolation.
    // NOTE(review): confirm that a missing tenant (`None`) is rejected or
    // confined by policy checks rather than matching every tenant.
    #[serde(default)]
    pub tenant_id: Option<String>,
    /// Authentication source, for example `jwt` or `api_key`.
    // NOTE(review): this field is deserialized like any other claim. Confirm
    // the server assigns it after verification instead of trusting a value
    // carried in the payload.
    #[serde(default)]
    pub auth_source: Option<String>,
}