1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
//! Auth — Aretta credential resolution + on-disk persistence + (soon)
//! the GitHub OAuth login flow.
//!
//! ## Scope
//!
//! This module is foundational SDK infrastructure: anything in aristo
//! that calls into the Aretta proxy uses it. **It is intentionally NOT
//! a submodule of any feature** (canon, verify, telemetry, ...) so
//! cross-feature consumers don't have to reach into a sibling
//! feature's namespace.
//!
//! ## Layout
//!
//! - [`token`] — the [`Token`] newtype with `Debug` redaction.
//! - [`store`] — credentials-file atomic I/O. Honors `$XDG_CONFIG_HOME`;
//! `0600` perms on Unix.
//! - [`mod@resolve`] — env-var → file precedence. Returns [`Token`] or
//! [`AuthError`].
//! - [`error`] — [`AuthError`] variants (`NoToken`, `Invalid`,
//! `Malformed`).
//!
//! Future additions (see `docs/mockups/13-canon-and-matching/PLAN-auth-extraction-and-oauth.md`):
//!
//! - `server` — [`ServerUrl`] enum for prod / dev / custom base URLs.
//! - `oauth` — GitHub OAuth code-exchange against the proxy's
//! `/auth/cli-token` endpoint.
//! - `git` — auto-derive `repo_full_name` from a workspace's
//! `.git/config`.
//!
//! ## Test pattern
//!
//! Every public function has a `_with` injection variant for testing.
//! The workspace forbids `unsafe_code`, which `std::env::set_var`
//! requires; tests pass explicit env-var + home-dir overrides instead
//! of mutating process state.
pub use AuthError;
pub use derive_repo_full_name;
pub use ;
pub use ;
pub use ServerUrl;
pub use ;
pub use Token;