
codlet_core/store/
error.rs

1//! Public-safe and internal error types (RFC-012/021).
2
3use thiserror::Error;
4
/// Public-facing authentication failure (INV-8, RFC-012 §14.3).
///
/// Every internal rejection reason — not found, expired, revoked, already
/// used, purpose mismatch, binding mismatch, scope mismatch — is reported as
/// [`PublicAuthError::InvalidOrExpired`]. Collapsing them keeps a caller from
/// telling record existence apart from expiry or prior use, which is the
/// signal an enumeration attack depends on.
///
/// NOTE(review): `TemporaryProblem` is a second, distinguishable outcome.
/// Confirm that the paths producing it do not depend on whether the presented
/// credential exists; otherwise it reintroduces the distinction this type is
/// meant to hide. The type only constrains the returned value; response
/// timing and other observable behaviour have to be kept uniform by the code
/// that builds the response.
#[derive(Clone, Debug, PartialEq, Eq, Error)]
pub enum PublicAuthError {
    /// The presented credential (code, token, session) was rejected. No reason
    /// is carried here on purpose; diagnostics belong to the richer internal
    /// error layer.
    #[error("invalid or expired")]
    InvalidOrExpired,
    /// A transient storage failure interrupted the operation. The credential
    /// may or may not have been consumed, so the host should not retry
    /// automatically.
    #[error("service temporarily unavailable")]
    TemporaryProblem,
}
23
/// Store-layer failure for internal use; never show it to an external caller.
///
/// Both variants carry a free-form `String` that is interpolated into the
/// `Display` output. NOTE(review): that text may contain backend detail, so
/// keep it in internal logs and return only a `PublicAuthError` to the
/// public side — confirm the conversion at the call sites.
#[derive(Error, Debug)]
pub enum StoreError {
    /// The underlying store returned an error; the `String` is the
    /// accompanying message.
    #[error("store error: {0}")]
    Backend(String),
    /// A storage invariant did not hold (e.g. `changed > 1` after a claim).
    #[error("store invariant violated: {0}")]
    InvariantViolation(String),
}