pas-external 0.14.0

Ppoppo Accounts System (PAS) external SDK — OAuth2 PKCE, JWT verification port, Axum middleware, session liveness
Documentation
//! [`Fetcher`] port — authoritative substrate readout for sv-axis.

use async_trait::async_trait;

/// Authoritative `sv:{sub}` source for the cache-miss path.
///
/// Promoted to the SDK in Phase 11.Z from chat-auth's private
/// `SessionVersionFetcher` trait (§3 Row 6 "replace, don't layer"). The
/// shape stays narrow: one async method returning the current `sv` for
/// a given `sub` (ULID-form `ppnum_id`), or a typed [`FetchError`] on
/// failure.
///
/// **Fail-closed contract.** Failure here surfaces as
/// [`super::EpochRevocationError::Transient`] from the composer, which
/// the engine maps to [`AuthError::SessionVersionLookupUnavailable`]
/// and the SDK maps to
/// [`crate::TokenVerifyError::SessionVersionLookupUnavailable`].
/// Silently admitting on fetch failure would let stale tokens slip
/// through after a break-glass — the entire point of the sv axis.
///
/// ## Implementations
///
/// - chat-api `PgFetcher` — cross-schema SQL `SELECT session_version
///   FROM scaccounts.ppnums WHERE id = $1` (per-account epoch; keyed by
///   the account ULID = token `sub`). Kept consumer-side because it
///   depends on chat-api's `PgPool` and the cross-schema search-path
///   policy. Single-DB architecture only.
/// - RCW/CTW — currently wire NO Fetcher: they opted out of the sv-axis
///   entirely (dropped the `sv` column; revocation bound is the
///   access-token `exp` ≈1h via the refresh-token liveness axis). The
///   deferred PAS per-user readout design (gRPC
///   `pas.session.v1.SessionService` + `AdminSvFetcher`) is recorded
///   design-on-ice in `STANDARDS_AUTH_INVALIDATION §5.4.1` (RFC retired
///   2026-05-24). 3rd-party apps cannot use chat-api's cross-schema
///   pattern (separate DB clusters from PAS).
/// - 0.9.0 `UserinfoFetcher` — DELETED in 0.10.0 (RFC_2026-05-08 §4.3).
///   The API was misleading — PAS's userinfo authenticates the caller
///   only, not an arbitrary queried subject.
///
/// [`AuthError::SessionVersionLookupUnavailable`]: ppoppo_token::access_token::AuthError::SessionVersionLookupUnavailable
#[async_trait]
pub trait Fetcher: Send + Sync {
    /// Read the authoritative current `sv` for the given subject
    /// (ULID-form `ppnum_id` from the `sub` claim).
    async fn fetch(&self, sub: &str) -> Result<i64, FetchError>;
}

/// Typed fetch failure. Each variant carries a free-form detail for
/// audit logs; the composer collapses every variant onto
/// [`super::EpochRevocationError::Transient`] (fail-closed) so the
/// engine sees a uniform contract regardless of substrate flavor.
///
/// 0.11.0 BREAKING — widened from `pub struct FetchError(pub String)`
/// to a typed enum. The variants exist so `Fetcher` impls (today
/// chat-api's `PgFetcher`; a possible future `AdminSvFetcher` over a PAS
/// per-user readout — design-on-ice in
/// `STANDARDS_AUTH_INVALIDATION §5.4.1`) can hand the composer a
/// substrate-grained reason that survives into dashboards. The composer still collapses to `Transient` —
/// fail-closed contract preserved.
///
/// `#[non_exhaustive]` — adding a new variant in a future minor is
/// non-breaking for downstream `Fetcher` impls (they construct, they
/// don't match) but requires consumers that DO match to carry a
/// wildcard arm. The composer matches via `to_string()` /
/// `Display`-collapse rather than variant-specific arms, so
/// downstream additions don't ripple.
#[derive(Debug, thiserror::Error)]
#[non_exhaustive]
pub enum FetchError {
    /// Authority denied — the caller credential is rejected by the
    /// authoritative substrate (e.g. JWT-signed Admin gRPC client
    /// lacks `pas.session.read` scope, or API-key revoked). Distinct
    /// from `SubjectNotFound` because the substrate refused even to
    /// answer the query, not "answered: subject doesn't exist".
    #[error("authority denied: {0}")]
    AuthorityDenied(String),
    /// Subject not found — substrate confirmed the queried `sub` is
    /// absent. For sv-axis this is a "fail closed" signal because
    /// admitting a token whose subject the authority can't confirm
    /// would let dangling tokens slip through.
    #[error("subject not found: {0}")]
    SubjectNotFound(String),
    /// Throttled — substrate rate-limit / 429-class response.
    /// Surfaces as transient so the caller backs off; not a security
    /// signal.
    #[error("throttled: {0}")]
    Throttled(String),
    /// Catch-all for substrate transients (network, deserialization,
    /// unspecified 5xx). Replaces 0.10.x's `FetchError(String)`.
    #[error("session_version fetch failed: {0}")]
    Other(String),
}