assay-engine 0.5.4

Standalone workflow + auth + dashboard HTTP server on PostgreSQL 18 + SQLite. Embeddable as a library, or run as a binary.
Documentation
[package]
name = "assay-engine"
version = "0.5.4"
categories = ["asynchronous", "database", "web-programming::http-server"]
edition = "2024"
keywords = ["workflow", "auth", "oidc", "zanzibar", "postgres"]
license = "Apache-2.0"
repository = "https://github.com/developerinlondon/assay"
description = "Standalone workflow + auth + dashboard HTTP server on PostgreSQL 18 + SQLite. Embeddable as a library, or run as a binary."

[[bin]]
name = "assay-engine"
path = "src/bin/assay-engine.rs"
required-features = ["server"]

[lib]
name = "assay_engine"
path = "src/lib.rs"

[features]
# it, so the auth code is always linked. The fine-grained auth-* flags
# stay so downstream slim builds can opt out of individual flavours
# (e.g. drop passkey or OIDC-provider without touching the engine).
default = [
  "backend-postgres",
  "backend-sqlite",
  "server",
  "auth-jwt",
  "auth-session",
  "auth-password",
  "auth-passkey",
  "auth-oidc",
  "auth-oidc-provider",
  "auth-zanzibar",
  "vault",
]

# The bundled operator dashboard (auth-console, vault, workflow,
# engine-core SPAs + /auth/login) is always compiled in. Operators
# disable it at runtime via `[dashboard] enabled = false` in the
# engine.toml — no rebuild required.

# Pass-through declarations so engine's `cfg` matches assay-auth's. Each
# can be turned off independently for a slimmer build.
auth-jwt = ["assay-auth/auth-jwt"]
auth-session = ["assay-auth/auth-session"]
auth-password = ["assay-auth/auth-password"]
auth-passkey = ["assay-auth/auth-passkey"]
auth-oidc = ["assay-auth/auth-oidc"]
auth-oidc-provider = ["assay-auth/auth-oidc-provider"]
auth-zanzibar = ["assay-auth/auth-zanzibar"]

# Vault module (plan 17 / v0.3.0). The umbrella `vault` flag pulls every
# always-on submodule; PKCS#11-backed sealing is opt-in via
# `vault-sealing-hsm` because most operators don't have an HSM.
vault = [
  "dep:assay-vault",
  "assay-vault/vault",
  "vault-kv",
  "vault-transit",
  "vault-collections",
  "vault-share",
  "vault-bitwarden-compat",
  "vault-sealing-shamir",
  "vault-audit-forwarding",
  "vault-dynamic-postgres",
]
vault-sealing-shamir = ["assay-vault?/vault-sealing-shamir"]
vault-audit-forwarding = ["assay-vault?/vault-audit-forwarding"]
vault-dynamic-postgres = ["assay-vault?/vault-dynamic-postgres"]
# Per-surface pass-throughs. Mirroring assay-vault's flags here lets
# downstream binaries opt out of a single surface (e.g. drop the BW
# compat shim) without touching every cfg gate in the engine.
vault-kv = ["assay-vault?/vault-kv"]
vault-transit = ["assay-vault?/vault-transit"]
vault-collections = ["assay-vault?/vault-collections"]
vault-share = ["assay-vault?/vault-share"]
vault-bitwarden-compat = ["assay-vault?/vault-bitwarden-compat"]
vault-sealing-hsm = ["assay-vault?/vault-sealing-hsm"]

server = ["dep:clap"]

backend-postgres = [
  "assay-workflow/backend-postgres",
  "assay-auth/backend-postgres",
  "assay-vault?/backend-postgres",
]
backend-sqlite = [
  "assay-workflow/backend-sqlite",
  "assay-auth/backend-sqlite",
  "assay-vault?/backend-sqlite",
]

[dependencies]
assay-auth = { path = "../assay-auth", version = "0.6" }
assay-dashboard = { path = "../assay-dashboard", version = "0.4" }
assay-domain = { path = "../assay-domain", version = "0.2" }
assay-vault = { path = "../assay-vault", version = "0.4", optional = true, default-features = false }
assay-workflow = { path = "../assay-workflow", version = "0.4" }

axum = "0.8"
clap = { version = "4", features = ["derive", "env"], optional = true }
tokio = { version = "1", features = ["full"] }
tower-http = { version = "0.6", features = ["cors", "trace"] }

# Direct DB access for the v0.1.2 boot sequence (engine_init): the
# orchestrator opens its own pool, ATTACHes module databases on SQLite or
# `CREATE SCHEMA` on PG, then hands the pool to per-module stores.
sqlx = { version = "0.8", features = ["runtime-tokio-rustls", "postgres", "sqlite"] }
uuid = { version = "1.18", features = ["v7", "serde"] }

# Direct dep so rustdoc can resolve `url::Url` references in lib.rs
# auth-composition helpers (transitive through assay-auth otherwise).
url = "2"

anyhow = "1"
serde = { version = "1", features = ["derive"] }
serde_json = "1"
thiserror = "2"
toml = "0.9"
tracing = "0.1"
tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }

# Direct dep just to flip on the `vendored` feature for the openssl-sys
# transitive (pulled in by webauthn-rs via assay-auth's auth-passkey
# feature). Without this, the release-pipeline cross-build to
# x86_64-unknown-linux-musl can't find a musl-compatible libssl on the
# Ubuntu runner and openssl-sys aborts with "Could not find directory
# of OpenSSL installation". `vendored` makes openssl-sys statically
# compile OpenSSL from bundled source — adds ~30s to musl builds but
# removes the cross-compile sysroot dependency entirely. Cargo feature
# unification spreads the flag to every openssl/openssl-sys consumer
# in the graph, so no other crate has to change.
openssl = { version = "0.10", features = ["vendored"] }

[dev-dependencies]
base64 = "0.22"
reqwest = { version = "0.13", default-features = false, features = ["json", "rustls"] }
tempfile = "3"
tokio = { version = "1", features = ["full", "test-util"] }