/// The consumer-side setup bundle the `hackamore-agent` CLI fetches from `/provision`.
/// Projected from a token's bound policy ⋈ the service registry. Contains **no real
/// upstream secrets** — only the hackamore token, consumer-facing endpoints, and the CA.
package provision;
/// How the consumer must handle upstream auth for a service.
///
/// NOTE(review): there is no explicit "unspecified" variant, so a consumer that decodes a
/// value it does not recognise has nothing safe to fall back to; it should refuse to configure
/// that service rather than assume either mode. How unknown variants decode is not shown here —
/// confirm against the serializer.
enum ProvisionMode {
    /// hackamore injects the real upstream credential — the consumer brings nothing.
    Inject,
    /// Filter-only — the consumer must supply its own upstream credential.
    Passthrough,
}
/// What the consumer presents to hackamore to authenticate for a service.
struct BearerAuth {
    /// The hackamore token (presented via `X-Hackamore-Token`, or `Authorization: Bearer`).
    /// Because it is sent as a bearer value, possession alone is sufficient to act as the
    /// consumer: store it and redact it from logs with the same care as an upstream secret,
    /// even though it is not one.
    token: String,
}
/// A dummy AWS SigV4 credential the consumer's tooling signs with; hackamore verifies it and
/// re-signs outbound with the real account credential. Useless against real AWS.
struct SigV4Auth {
    /// Access key id of the dummy credential. Presumably this is how hackamore matches an
    /// incoming signature to the consumer — TODO confirm it is never the real account's key id.
    access_key_id: String,
    /// Secret half of the dummy credential. It only signs requests addressed to hackamore;
    /// the real account secret is re-applied by hackamore and never appears in this bundle.
    secret_access_key: String,
    /// Region the consumer's tooling signs with. NOTE(review): not stated whether this must
    /// equal the real upstream region or is only an input to the string-to-sign — confirm.
    region: String,
}
/// The credential material the consumer uses for a service.
///
/// Serialized with a discriminator named `type` (from `#[type_tag = "type"]`) that names the
/// active variant; a consumer should dispatch on `type` before reading variant fields.
/// Whether the variant's fields sit beside the tag or under a nested key is not shown here —
/// TODO confirm the exact layout against the serializer.
#[type_tag = "type"]
union ProvisionAuth {
    /// Authenticate with a hackamore token presented as a bearer value; see `BearerAuth`.
    Bearer(BearerAuth),
    /// Authenticate by SigV4-signing with a dummy key that hackamore verifies; see `SigV4Auth`.
    SigV4(SigV4Auth),
}
/// One service the consumer should configure to reach through hackamore.
struct ProvisionService {
    /// Service instance name (`Action.target`).
    target: String,
    /// Normalization flavor, e.g. "github" | "generic".
    flavor: String,
    /// Consumer-facing address to point the tool at (empty if not configured).
    /// An empty value means there is nothing to point the tool at; a consumer should skip the
    /// entry rather than fall back to a default or the real upstream address.
    address: String,
    /// Whether hackamore injects the credential or the consumer must supply its own.
    mode: ProvisionMode,
    /// The credential material the consumer presents to hackamore for this service.
    /// This authenticates to hackamore in both modes; under `Passthrough` the consumer
    /// presumably supplies the upstream credential in addition to it — TODO confirm.
    auth: ProvisionAuth,
}
/// The setup bundle. Safe to return to the token holder: it carries the hackamore token the
/// holder already has, the CA, and endpoints — never a real upstream secret.
struct ProvisionDoc {
    /// The hackamore token this bundle was issued to — the same value the holder already
    /// presented. Still a bearer credential on the consumer side: do not write it to logs or
    /// world-readable config.
    hackamore_token: String,
    /// The CA the consumer is expected to trust, presumably for the consumer-facing addresses
    /// in `services`. Encoding (PEM vs. DER, single certificate vs. bundle) is not stated
    /// here — TODO confirm before parsing.
    hackamore_ca: String,
    /// Expiry in milliseconds — presumably a Unix epoch timestamp. NOTE(review): not stated
    /// whether this bounds the token, the bundle, or both; a consumer should re-fetch
    /// `/provision` before it passes rather than keep using stale addresses. Confirm.
    expires_at_ms: u64,
    /// The services projected from the token's bound policy; each one is configured
    /// independently per `ProvisionService`.
    services: Vec<ProvisionService>,
}