fraiseql-core 2.12.0

Core execution engine for FraiseQL v2 - Compiled GraphQL over SQL
Documentation
//! Security features
//!
//! This module provides core security infrastructure:
//! - Security profiles (STANDARD, REGULATED)
//! - Security headers configuration
//! - Sensitive field masking for PII/regulated data
//! - Field selection filtering for access control
//! - Security error types
//! - Authentication middleware (JWT, Auth0, Clerk)
//! - OIDC/JWKS support for any OIDC-compliant provider
//! - Query validation (depth, complexity)
//! - Audit logging
//! - TLS enforcement
//! - Introspection control
//! - Error formatting

pub mod actor_type;
pub mod audit;
#[cfg(feature = "audit-syslog")]
pub mod audit_export_syslog;
#[cfg(feature = "audit-webhook")]
pub mod audit_export_webhook;
pub mod auth_middleware;
pub mod authorizer;
pub mod error_formatter;
pub mod errors;
pub mod field_authorizer;
pub mod field_filter;
pub mod field_masking;
pub mod headers;
pub mod introspection_enforcer;
pub mod kms;
pub mod oidc;
pub mod profiles;
pub mod query_validator;
pub mod rls_policy;
pub mod security_context;
pub mod tls_enforcer;
pub mod validation_audit;

/// Reserved attribute-namespace prefix for DB-resolved enriched-identity fields.
///
/// The request extractor strips any incoming JWT claim whose key begins with
/// `fraiseql.`, so an attribute under this prefix cannot be forged by a token —
/// it can only originate from the server's identity resolver (#539). Read with
/// **no** fallback by `SessionVariableSource::Enrichment` and
/// `InjectedParamSource::Enrichment`, and written by the server when it merges a
/// resolved identity into the security context.
pub const ENRICHED_NAMESPACE_PREFIX: &str = "fraiseql.enriched.";

// Re-export key types for convenience
pub use actor_type::{ActorType, derive_actor};
pub use audit::{
    AuditEntry, AuditExportConfig, AuditExporter, AuditLevel, AuditLogger, AuditStats,
    SyslogExportConfig, WebhookExportConfig,
};
#[cfg(feature = "audit-syslog")]
pub use audit_export_syslog::SyslogAuditExporter;
#[cfg(feature = "audit-webhook")]
pub use audit_export_webhook::WebhookAuditExporter;
pub use auth_middleware::{AuthConfig, AuthMiddleware, AuthRequest, AuthenticatedUser, SigningKey};
pub use authorizer::{Authorizer, AuthzDecision, AuthzRequest, OperationKind};
pub use error_formatter::{DetailLevel, ErrorFormatter};
pub use errors::SecurityError;
pub use field_authorizer::{FieldAuthorizer, FieldAuthzDecision, FieldAuthzRequest};
pub use field_filter::{FieldAccessError, FieldFilter, FieldFilterBuilder, FieldFilterConfig};
pub use field_masking::{FieldMasker, FieldSensitivity};
pub use headers::SecurityHeaders;
pub use introspection_enforcer::{IntrospectionEnforcer, IntrospectionPolicy};
pub use kms::{
    BaseKmsProvider, DataKeyPair, EncryptedData, KeyPurpose, KeyReference, KeyState, KmsError,
    KmsResult, RotationPolicy, VaultConfig, VaultKmsProvider,
};
pub use oidc::{OidcConfig, OidcValidator};
pub use profiles::SecurityProfile;
pub use query_validator::{QueryValidator, QueryValidatorConfig};
pub use rls_policy::{CompiledRLSPolicy, DefaultRLSPolicy, NoRLSPolicy, RLSPolicy, RlsWhereClause};
pub use security_context::SecurityContext;
pub use tls_enforcer::{TlsConfig, TlsConnection, TlsEnforcer, TlsVersion};
pub use validation_audit::{
    RedactionPolicy, ValidationAuditEntry, ValidationAuditLogger, ValidationAuditLoggerConfig,
};

pub use crate::graphql::complexity::QueryMetrics;

#[cfg(test)]
mod tests;