codlet-core 0.5.0

Core authentication primitives for codlet: code policy, generation, normalization, keyed lookup derivation, lifecycle state machines, and storage traits.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338

//! Security audit events and the `AuditSink` trait (RFC-012).
//!
//! [`CodeAuthEvent`] represents every notable security event codlet can emit.
//! All variants are **redacted by construction**: no plaintext code, token,
//! session secret, raw lookup key, HMAC key, or raw IP address appears in any
//! variant (RFC-012 §10.3).
//!
//! The host application provides an [`AuditSink`] implementation and maps
//! codlet events into its own audit schema, logging backend, or metrics
//! pipeline. codlet never makes logging decisions for the host.
//!
//! ## Forbidden content
//!
//! The following must never appear in any event field:
//! - plaintext code, token, or session secret;
//! - raw HMAC lookup key or key bytes;
//! - display name, email, or other personally identifiable free text;
//! - raw IP address (use a stable fingerprint / hashed value instead).

use crate::secret::{CodeId, SessionId, SubjectId};

/// A notable security event emitted by codlet (RFC-012 §10.2).
///
/// Variants use stable string names following `noun.verb.outcome` convention.
/// All fields are opaque identifiers or redacted fingerprints — no secrets.
#[derive(Debug, Clone, PartialEq, Eq)]
#[non_exhaustive]
pub enum CodeAuthEvent {
    /// A one-time code was successfully issued and a record inserted.
    ///
    /// Event key: `code.issue.succeeded`
    CodeIssued {
        /// Opaque record ID (not the plaintext code or lookup key).
        code_id: CodeId,
        /// Optional host-provided purpose label.
        purpose: Option<String>,
    },

    /// A one-time code was successfully claimed (atomic winner).
    ///
    /// Event key: `code.redeem.succeeded`
    CodeRedeemed {
        /// The record that was claimed.
        code_id: CodeId,
        /// The subject that claimed it.
        subject_id: SubjectId,
    },

    /// A code redemption attempt failed.
    ///
    /// Event key: `code.redeem.failed`
    RedemptionFailed {
        /// Stable internal classification (safe for logs; not for users).
        reason: crate::error::RedemptionFailReason,
    },

    /// A code was administratively revoked.
    ///
    /// Event key: `code.revoke.succeeded`
    CodeRevoked {
        /// The record that was revoked.
        code_id: CodeId,
        /// Optional scope at which the revocation was scoped.
        scope: Option<String>,
    },

    /// A session was successfully issued.
    ///
    /// Event key: `session.issue.succeeded`
    SessionIssued {
        /// Opaque session record ID (not the bearer secret).
        session_id: SessionId,
        /// The authenticated subject.
        subject_id: SubjectId,
    },

    /// A session validation attempt found no valid session.
    ///
    /// Event key: `session.validate.failed`
    ///
    /// Emitted only when the host opts in; not emitted on every anonymous
    /// request to avoid log noise.
    SessionValidateFailed,

    /// A session was explicitly revoked (logout or incident response).
    ///
    /// Event key: `session.revoke.succeeded`
    SessionRevoked {
        /// The revoked session record ID.
        session_id: SessionId,
    },

    /// A form-token consume returned `Replay` (idempotent second submit).
    ///
    /// Event key: `form_token.consume.replay`
    FormTokenReplay {
        /// The purpose label of the token that was replayed.
        purpose: String,
    },

    /// A rate-limit threshold was exceeded.
    ///
    /// Event key: `rate_limit.blocked`
    RateLimitHit {
        /// A stable, privacy-safe fingerprint of the rate-limit key.
        /// Must not be the raw IP or raw user identifier (RFC-012 §10.3).
        key_fingerprint: String,
        /// The purpose or action class that was limited.
        purpose: Option<String>,
    },

    /// A key version was requested but not found in the provider.
    ///
    /// Event key: `key_provider.missing_version`
    KeyVersionMissing {
        /// The version label that was requested.
        version: crate::hashing::KeyVersion,
    },
}

impl CodeAuthEvent {
    /// A stable, machine-readable event key for this variant.
    ///
    /// Suitable for structured logging, metrics labels, and audit schemas.
    /// Keys follow the `noun.verb.outcome` convention from RFC-012 §10.2.
    #[must_use]
    pub fn key(&self) -> &'static str {
        match self {
            Self::CodeIssued { .. } => "code.issue.succeeded",
            Self::CodeRedeemed { .. } => "code.redeem.succeeded",
            Self::RedemptionFailed { .. } => "code.redeem.failed",
            Self::CodeRevoked { .. } => "code.revoke.succeeded",
            Self::SessionIssued { .. } => "session.issue.succeeded",
            Self::SessionValidateFailed => "session.validate.failed",
            Self::SessionRevoked { .. } => "session.revoke.succeeded",
            Self::FormTokenReplay { .. } => "form_token.consume.replay",
            Self::RateLimitHit { .. } => "rate_limit.blocked",
            Self::KeyVersionMissing { .. } => "key_provider.missing_version",
        }
    }
}

/// A recipient of security audit events (RFC-012 §3).
///
/// Implement this trait to connect codlet events to a logging backend, an
/// audit database, or a metrics pipeline. The implementation must not block the
/// calling thread for extended periods; use a background channel if the backend
/// is slow.
///
/// The implementation must not log the event in a way that violates the
/// redaction contract — i.e., it must not attempt to extract or store
/// plaintext secrets from the event fields.
pub trait AuditSink {
    /// Receive a security event. Called synchronously in the hot path; must
    /// return quickly. Fire-and-forget semantics: codlet does not retry on
    /// failure.
    fn record(&self, event: CodeAuthEvent);
}

/// A no-op audit sink that discards every event. Useful as a default when the
/// host has not configured a sink, and for unit tests that do not care about
/// events.
#[derive(Debug, Default, Clone, Copy)]
pub struct NoopAuditSink;

impl AuditSink for NoopAuditSink {
    fn record(&self, _event: CodeAuthEvent) {}
}

/// An audit sink that accumulates events in a `Vec` for inspection in tests.
#[cfg(any(test, feature = "test-utils"))]
#[derive(Debug, Default)]
pub struct CollectingAuditSink {
    events: std::sync::Mutex<Vec<CodeAuthEvent>>,
}

#[cfg(any(test, feature = "test-utils"))]
impl CollectingAuditSink {
    /// Construct an empty collecting sink.
    #[must_use]
    pub fn new() -> Self {
        Self::default()
    }

    /// Drain and return all collected events.
    pub fn drain(&self) -> Vec<CodeAuthEvent> {
        self.events.lock().unwrap().drain(..).collect()
    }

    /// Number of events collected so far.
    pub fn len(&self) -> usize {
        self.events.lock().unwrap().len()
    }

    /// Whether any events have been collected.
    pub fn is_empty(&self) -> bool {
        self.events.lock().unwrap().is_empty()
    }
}

#[cfg(any(test, feature = "test-utils"))]
impl AuditSink for CollectingAuditSink {
    fn record(&self, event: CodeAuthEvent) {
        self.events.lock().unwrap().push(event);
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::error::RedemptionFailReason;

    #[test]
    fn event_keys_are_stable() {
        let events: &[(&str, CodeAuthEvent)] = &[
            (
                "code.issue.succeeded",
                CodeAuthEvent::CodeIssued {
                    code_id: CodeId::new("c1".into()),
                    purpose: None,
                },
            ),
            (
                "code.redeem.succeeded",
                CodeAuthEvent::CodeRedeemed {
                    code_id: CodeId::new("c1".into()),
                    subject_id: SubjectId::new("s1".into()),
                },
            ),
            (
                "code.redeem.failed",
                CodeAuthEvent::RedemptionFailed {
                    reason: RedemptionFailReason::Expired,
                },
            ),
            (
                "code.revoke.succeeded",
                CodeAuthEvent::CodeRevoked {
                    code_id: CodeId::new("c1".into()),
                    scope: None,
                },
            ),
            (
                "session.issue.succeeded",
                CodeAuthEvent::SessionIssued {
                    session_id: SessionId::new("s1".into()),
                    subject_id: SubjectId::new("u1".into()),
                },
            ),
            (
                "session.validate.failed",
                CodeAuthEvent::SessionValidateFailed,
            ),
            (
                "session.revoke.succeeded",
                CodeAuthEvent::SessionRevoked {
                    session_id: SessionId::new("s1".into()),
                },
            ),
            (
                "form_token.consume.replay",
                CodeAuthEvent::FormTokenReplay {
                    purpose: "logout".into(),
                },
            ),
            (
                "rate_limit.blocked",
                CodeAuthEvent::RateLimitHit {
                    key_fingerprint: "fp1".into(),
                    purpose: None,
                },
            ),
            (
                "key_provider.missing_version",
                CodeAuthEvent::KeyVersionMissing {
                    version: crate::hashing::KeyVersion::new("v0"),
                },
            ),
        ];
        for (expected_key, event) in events {
            assert_eq!(event.key(), *expected_key, "key mismatch for {event:?}");
        }
    }

    #[test]
    fn noop_sink_accepts_all_events() {
        let sink = NoopAuditSink;
        sink.record(CodeAuthEvent::SessionValidateFailed);
        sink.record(CodeAuthEvent::FormTokenReplay {
            purpose: "logout".into(),
        });
    }

    #[test]
    fn collecting_sink_drains() {
        let sink = CollectingAuditSink::new();
        assert!(sink.is_empty());
        sink.record(CodeAuthEvent::SessionValidateFailed);
        sink.record(CodeAuthEvent::SessionRevoked {
            session_id: SessionId::new("s1".into()),
        });
        assert_eq!(sink.len(), 2);
        let drained = sink.drain();
        assert_eq!(drained.len(), 2);
        assert!(sink.is_empty());
        assert_eq!(drained[0].key(), "session.validate.failed");
        assert_eq!(drained[1].key(), "session.revoke.succeeded");
    }

    #[test]
    fn events_contain_no_secrets_by_construction() {
        // Guard: every event variant's Debug output must not contain any of the
        // forbidden content listed in the module docs.
        let forbidden = ["secret", "hmac", "pepper", "cookie", "password"];
        let events = [
            CodeAuthEvent::CodeIssued {
                code_id: CodeId::new("c1".into()),
                purpose: None,
            },
            CodeAuthEvent::RedemptionFailed {
                reason: RedemptionFailReason::AlreadyUsed,
            },
            CodeAuthEvent::RateLimitHit {
                key_fingerprint: "fp".into(),
                purpose: Some("redeem".into()),
            },
        ];
        for ev in &events {
            let dbg = format!("{ev:?}");
            for word in forbidden {
                assert!(
                    !dbg.to_lowercase().contains(word),
                    "event debug contains forbidden word {word:?}: {dbg}"
                );
            }
        }
    }
}