pas-external 0.12.0

Ppoppo Accounts System (PAS) external SDK — OAuth2 PKCE, JWT verification port, Axum middleware, session liveness
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

//! [`Fetcher`] port — authoritative substrate readout for sv-axis.

use async_trait::async_trait;

/// Authoritative `sv:{sub}` source for the cache-miss path.
///
/// Promoted to the SDK in Phase 11.Z from chat-auth's private
/// `SessionVersionFetcher` trait (§3 Row 6 "replace, don't layer"). The
/// shape stays narrow: one async method returning the current `sv` for
/// a given `sub` (ULID-form `ppnum_id`), or a typed [`FetchError`] on
/// failure.
///
/// **Fail-closed contract.** Failure here surfaces as
/// [`super::EpochRevocationError::Transient`] from the composer, which
/// the engine maps to [`AuthError::SessionVersionLookupUnavailable`]
/// and the SDK maps to
/// [`crate::TokenVerifyError::SessionVersionLookupUnavailable`].
/// Silently admitting on fetch failure would let stale tokens slip
/// through after a break-glass — the entire point of the sv axis.
///
/// ## Implementations
///
/// - chat-api `PgFetcher` — cross-schema SQL `SELECT session_version
///   FROM scaccounts.ppnum_humans WHERE ppnum_id = $1`. Kept consumer-
///   side because it depends on chat-api's `PgPool` and the cross-
///   schema search-path policy. Single-DB architecture only.
/// - RCW/CTW Fetcher — Slice 3/4 deferred decision per RFC_2026-05-08
///   §4.4 (cache-only fail-closed, PAS per-user readout endpoint, or
///   engine relax). 3rd-party-trust-boundary apps cannot use chat-api's
///   cross-schema pattern (separate DB clusters from PAS).
/// - 0.9.0 `UserinfoFetcher` — DELETED in 0.10.0 (RFC_2026-05-08 §4.3).
///   The API was misleading — PAS's userinfo authenticates the caller
///   only, not an arbitrary queried subject.
///
/// [`AuthError::SessionVersionLookupUnavailable`]: ppoppo_token::access_token::AuthError::SessionVersionLookupUnavailable
#[async_trait]
pub trait Fetcher: Send + Sync {
    /// Read the authoritative current `sv` for the given subject
    /// (ULID-form `ppnum_id` from the `sub` claim).
    async fn fetch(&self, sub: &str) -> Result<i64, FetchError>;
}

/// Typed fetch failure. Each variant carries a free-form detail for
/// audit logs; the composer collapses every variant onto
/// [`super::EpochRevocationError::Transient`] (fail-closed) so the
/// engine sees a uniform contract regardless of substrate flavor.
///
/// 0.11.0 BREAKING — widened from `pub struct FetchError(pub String)`
/// to a typed enum. The variants exist so `Fetcher` impls (today
/// chat-api's `PgFetcher`; tomorrow `AdminSvFetcher` over
/// `pas.session.v1.SessionService` from sv-readout Slice 1) can hand
/// the composer a substrate-grained reason that survives into
/// dashboards. The composer still collapses to `Transient` —
/// fail-closed contract preserved.
///
/// `#[non_exhaustive]` — adding a new variant in a future minor is
/// non-breaking for downstream `Fetcher` impls (they construct, they
/// don't match) but requires consumers that DO match to carry a
/// wildcard arm. The composer matches via `to_string()` /
/// `Display`-collapse rather than variant-specific arms, so
/// downstream additions don't ripple.
#[derive(Debug, thiserror::Error)]
#[non_exhaustive]
pub enum FetchError {
    /// Authority denied — the caller credential is rejected by the
    /// authoritative substrate (e.g. JWT-signed Admin gRPC client
    /// lacks `pas.session.read` scope, or API-key revoked). Distinct
    /// from `SubjectNotFound` because the substrate refused even to
    /// answer the query, not "answered: subject doesn't exist".
    #[error("authority denied: {0}")]
    AuthorityDenied(String),
    /// Subject not found — substrate confirmed the queried `sub` is
    /// absent. For sv-axis this is a "fail closed" signal because
    /// admitting a token whose subject the authority can't confirm
    /// would let dangling tokens slip through.
    #[error("subject not found: {0}")]
    SubjectNotFound(String),
    /// Throttled — substrate rate-limit / 429-class response.
    /// Surfaces as transient so the caller backs off; not a security
    /// signal.
    #[error("throttled: {0}")]
    Throttled(String),
    /// Catch-all for substrate transients (network, deserialization,
    /// unspecified 5xx). Replaces 0.10.x's `FetchError(String)`.
    #[error("session_version fetch failed: {0}")]
    Other(String),
}