pas-external 0.12.0

#![doc = include_str!("../README.md")]

pub mod audit;
// Clock port re-export — External Developer consumers can use
// `pas_external::clock::ArcClock` / `pas_external::clock::FrozenClock`
// without a separate `ppoppo-clock` dep in their Cargo.toml.
pub mod clock {
    pub use ::ppoppo_clock::*;
}
// Perimeter Bearer-auth Layer kit — Phase A Slice 4 lifted the kit to
// `ppoppo_sdk_core::bearer::*`. pas-external 0.11.0 re-exports the
// kit at `pas_external::bearer::*` (audit decision D — 1-level
// role-named module, no `oidc::axum::*` nesting) for 3rd-party
// consumers (RCW/CTW). 1st-party services (chat-auth) import direct
// from sdk-core (audit decision B). The framework-dep visibility
// (axum / tower) is signalled by the `axum` feature gate, not by a
// nested `pas_external::oidc::axum::*` namespace.
#[cfg(feature = "axum")]
pub mod bearer {
    pub use ::ppoppo_sdk_core::bearer::*;
}
// `epoch` re-exports the engine `EpochRevocation` port + ships the
// canonical adapter set (Phase 11.Z, RFC_2026-05-09 §3.5). Gated on
// `well-known-fetch` because the engine port itself needs `token` and
// the original `UserinfoFetcher` (deleted in 0.10.0) required the HTTP
// client (`oauth`) — both implied by the `well-known-fetch` flag.
// `SharedCacheCache` (0.10.0, RFC_2026-05-08 §4.1) requires the
// additional `shared-cache` feature for the `ppoppo-infra` adapter dep.
#[cfg(feature = "well-known-fetch")]
pub mod epoch;
pub mod error;
// `oauth` is the OAuth2 wire-DTO + AuthClient adapter used internally by
// `oidc::RelyingParty`. As of 0.8.0 it is `pub(crate)` — consumers reach
// the OIDC RP composition root (`oidc::RelyingParty<S>`) and never the
// raw OAuth surface. See `oidc::RefreshOutcome` for the boundary type at
// `RelyingParty::refresh`.
#[cfg(feature = "oauth")]
pub(crate) mod oauth;
#[cfg(feature = "token")]
pub mod oidc;
#[cfg(feature = "oauth")]
pub mod pas_port;
// `pkce` primitives (`generate_state`, `generate_code_verifier`,
// `generate_code_challenge`) are SDK plumbing — `oidc::RelyingParty::start`
// consumes them internally and exposes the resulting state via
// `AuthorizationRedirect`. As of 0.8.0 the module is `pub(crate)`.
#[cfg(feature = "oauth")]
pub(crate) mod pkce;
// `session_liveness` is intentionally ungated at module level — the
// 0.10.0 `SessionLiveness` port has no AES / OAuth deps and ships
// regardless of feature configuration so the verifier slot
// (`PasJwtVerifier::with_session_liveness`) can reference it under
// just `feature = "well-known-fetch"`. Internal sub-modules
// (`cipher`, `liveness`) remain gated on `feature = "session-liveness"`
// for the AES wrapper + PAS refresh-token check.
pub mod session_liveness;
pub mod types;

// Test-support helpers. `FakePasServer` is the SDK-owned wiremock-wrapped
// fake PAS Authorization Server, replacing the 0.7.x
// `RelyingParty::for_test_with_parts` escape hatch. Consumer integration
// tests construct a real `RelyingParty::new(...)` against
// `FakePasServer.issuer_url()` so production and test go through the same
// public interface.
#[cfg(feature = "test-support")]
pub mod test_support;

// Re-exports for convenient access
pub use audit::{
    AuditEvent, AuditSink, IdTokenFailureKind, MemoryRateLimiter, NoopAuditSink, RateLimitKey,
    RateLimitedAuditSink, RateLimiter, VerifyErrorKind, compose_id_token_source_id,
    compose_source_id,
};
#[cfg(any(test, feature = "test-support"))]
pub use audit::MemoryAuditSink;
pub use error::{Error, TokenError};
// 0.10.0 — ungated L2 verifier-slot port (RFC_2026-05-08 §4.2 lock).
pub use session_liveness::{SessionLiveness, SessionLivenessError};
#[cfg(feature = "session-liveness")]
pub use session_liveness::{
    CipherError, EncryptedRefreshToken, LivenessFailure, LivenessOutcome, RevokeCause,
    TokenCipher, TransientCause, attempt_liveness_refresh,
};
// γ port-and-adapter — Phase 6.1 (D-04 = γ, locked 2026-05-05).
// Phase A (RFC `RFC_2026-05-08_app-credential-collapse.md`, audit
// decisions E + G) lifted the cohesive verifier group to
// `ppoppo_sdk_core::verifier::*`. pas-external re-exports at top level
// (no `token::` namespace — audit decision E) so consumer code
// reaches `pas_external::{BearerVerifier, JwtVerifier, ...}`. Renames:
// `PasJwtVerifier` → `JwtVerifier`; `Expectations` → `VerifyConfig`;
// `AuthSession` → `VerifiedClaims`. The `crypto-side` `VerifyError`
// re-exports as `TokenVerifyError` (BREAKING) to make space for the
// Layer-side `VerifyError` from `pas_external::bearer::*` (Slice 4
// migration). Phase A 0.11.0 ships clean — no transitional alias.
#[cfg(feature = "token")]
pub use ::ppoppo_sdk_core::verifier::{
    BearerVerifier, VerifiedClaims, VerifyConfig, VerifyError as TokenVerifyError,
};
#[cfg(feature = "well-known-fetch")]
pub use ::ppoppo_sdk_core::verifier::{JwksCache, JwtVerifier};
#[cfg(all(feature = "token", any(test, feature = "test-support")))]
pub use ::ppoppo_sdk_core::verifier::MemoryBearerVerifier;
// OIDC RP surface — composition root + post-verify shapes + ports.
// `RelyingParty<S>` is the consumer-facing entry point; `RefreshOutcome`
// is the typed boundary return for `RelyingParty::refresh` (replaces
// the 0.7.x `oauth::TokenResponse` re-export).
#[cfg(feature = "token")]
pub use oidc::{Address, IdAssertion, IdTokenVerifier, IdVerifyError, Nonce, ScopePiiReader};
#[cfg(all(feature = "token", any(test, feature = "test-support")))]
pub use oidc::MemoryIdTokenVerifier;
pub use types::{KeyId, Ppnum, PpnumId, SessionId, UserId};
// `Url` is consumer-facing via `Config::new(client_id, redirect_uri: Url, ...)`
// and `Discovery::for_test`. Re-exported so consumers reach the same `url`
// crate version the SDK uses without separately tracking it in their
// Cargo.toml.
#[cfg(feature = "oauth")]
pub use url::Url;