nythos-core 0.1.1

Infrastructure-free Rust core library for Nythos authentication and authorization.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193

# Architecture

This document defines what `nythos-core` contains today and what must stay out.

The crate already includes implemented domain types, auth/session/RBAC models,
orchestration services, and boundary ports. These notes describe the constraints
those modules follow.

## Boundary

`nythos-core` is the pure core of Nythos.

It owns:

- domain types and invariants
- auth, session, and RBAC business rules
- orchestration logic for core auth flows
- trait contracts for required external capabilities

It does not own:

- HTTP handlers, routers, middleware, or status codes
- SQL queries, ORM models, migrations, or database drivers
- Redis clients, cache adapters, queues, or event buses
- email, SMS, OAuth providers, or webhook integrations
- concrete signing libraries or password-hasher implementations
- product-specific admin models or deployment concerns

## Five Layers

1. Domain primitives

- `AuthError`
- `NythosResult`
- typed IDs
- `Email`
- `Password`

2. Identity

- `User`
- `Tenant`

3. Auth

- password-hash concepts
- access-token and claims concepts
- token purpose
- register, login, refresh, and revoke orchestration services

4. Session + RBAC

- `Session`
- `RefreshToken`
- `Role`
- `Permission`
- `RoleAssignment`
- `RoleRegistry`

5. Ports

- repository traits
- cryptographic service traits
- revocation-checking traits
- small domain-facing helper payloads for boundary operations

## Dependency Direction

Dependencies point inward.

- `domain` and `error` depend on nothing domain-external
- `auth`, `session`, and `rbac` depend on primitives and shared domain types
- `ports` reference domain types because they describe contracts around them
- infrastructure depends on the core, not the other way around

Practical rule: core code may call trait methods defined in `ports`, but it may
not import infrastructure implementations.

## Module Boundaries

## `error`

Contains the single core error enum `AuthError` and the standard result alias
`NythosResult`.

## `domain`

Contains foundational types and identity models shared across the rest of the crate.

Contains:

- typed ID newtypes over `Uuid`
- `UserId`, `TenantId`, `SessionId`, `RoleId`
- `Email`
- `Password`
- `User`
- `UserStatus`
- `Tenant`
- `TenantSettings`

## `auth`

Contains auth-specific concepts and orchestration logic.

Contains:

- `PasswordHash`
- `AccessToken`
- `Claims`
- `TokenPurpose`
- `RegisterService`
- `LoginService`
- `RefreshService`
- `RevokeSessionService`
- `RevokeAllSessionsService`

## `session`

Contains the session model and refresh-token concepts.

Contains:

- `Session`
- `RefreshToken`

## `rbac`

Contains tenant-scoped authorization concepts.

Contains:

- `Role`
- `Permission`
- `RoleAssignment`
- `RoleRegistry`

## `ports`

Contains pure trait contracts only.

Contains:

- `UserRepository`
- `RoleRepository`
- `SessionStore`
- `PasswordHasher`
- `TokenSigner`
- `RevocationChecker`
- `NewUser`
- `UserCredentials`
- `RoleAssignmentInput`
- `SessionRecord`
- `RefreshTokenRotation`

No default adapters belong here.

## Role Of Ports

Ports are contracts for capabilities the core needs but must not implement directly.

Examples:

- loading and persisting users
- hashing and verifying passwords
- signing and verifying access tokens
- storing, rotating, and revoking sessions

Ports are not extension points for arbitrary plugin systems. They exist because
the core must remain deployment-agnostic.

## Current Design Gap

Verified `Claims` and `RevocationChecker` do not line up completely today.

- `Claims` currently carry subject, tenant, purpose, and issue/expiry timestamps
- `Claims` do not currently carry `SessionId`
- `RevocationChecker` requires `SessionId`
- request-time revocation after token verification therefore cannot be driven by verified `Claims` alone

This is a documented current design gap, not a behavior change request in this
issue.

## Why One Crate

`nythos-core` is kept as a single library crate with internal modules because:

- the current scope is small enough to keep in one crate
- the boundaries are logical, not packaging-driven
- splitting now would add maintenance cost without solving a real problem
- internal module boundaries are enough to keep the architecture clean

A split can still happen later if compile-time, ownership, or public API pressure
makes it useful. Until then, keep it flat.