1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
[]
= "plexus-auth-core"
= "0.1.0"
= "2021"
= "Sealed-type primitives for the Plexus auth framework: AuthContext, VerifiedUser, Principal."
= "AGPL-3.0-only"
= "https://github.com/hypermemetic/plexus-auth-core"
# Why this is its own crate:
#
# Module-private constructors within `plexus-core` are a procedural defense —
# they rely on contributors respecting visibility within a single crate. A future
# PR to plexus-core that adds a `pub fn forge_auth_context()` would compile.
# Review would catch it; the type system would not.
#
# `plexus-auth-core` exists so the auth primitives have a home that no other
# crate can bypass. Combined with Rust's orphan rules and crate-private
# constructors, this escalates the seal from procedural to structural:
#
# - No fabrication: no public constructor reachable from other crates
# - No backdoor From / Into: orphan rules forbid third crates from adding any
# - No accidental Default: explicitly NOT derived
# - No leaky Deserialize: routed through the verifier or absent
# - No mutation: fields private to plexus-auth-core
#
# See AUTHZ-0 §"Crate-level isolation amplifies the seal" and the ticket
# AUTHZ-CORE-CRATE-1 for the full rationale.
[]
= "plexus_auth_core"
= "src/lib.rs"
[]
# `test-support` exposes a small set of pub-but-doc-hidden constructors so
# downstream crates (notably plexus-core) can write end-to-end tests that
# need to mint real sealed values. These constructors are gated and
# `#[doc(hidden)]`; they MUST NOT be reachable from production builds.
# Enable via `[dev-dependencies] plexus-auth-core = { features =
# ["test-support"] }` — never as a default feature and never in
# `[dependencies]`.
#
# Added by AUTHZ-CRED-CORE-1B so plexus-core can exercise the end-to-end
# `Credential<T>` serialization path now that
# `run_with_credential_capture` is publicly reachable.
= []
[]
# Serialization. Note: Deserialize is intentionally implemented in a way that
# documents the seal rather than offering a back-door. See module docs.
= { = "1.0", = ["derive"] }
= "1.0"
# Schema generation, for IR/codegen integration. `chrono04` so the
# `CredentialMetadata::expires_at` field's `DateTime<Utc>` participates in
# `JsonSchema` derivation.
= { = "1.1", = ["derive", "chrono04"] }
# Async-trait so the SessionValidator-shaped traits can live here in the future.
= "0.1"
# Issuer URLs in OIDC AuthMechanism::Oidc. AUTHZ-S01-output §1 pins
# `IssuerUrl(url::Url)` for the capability-advertisement type set landed in
# AUTHZ-CORE-3.
= { = "2", = ["serde"] }
# Timestamps on credential metadata (expires_at). AUTHZ-CRED-S01-output §2 pins
# `Option<DateTime<Utc>>`; the workspace's canonical timestamp type is
# chrono::DateTime<Utc> (see plexus-core/Cargo.toml). Used by
# `CredentialMetadata::expires_at` in `src/credential.rs`.
= { = "0.4", = false, = ["clock", "serde"] }
# AUTHZ-PRIVACY-1: `AuditRecord::correlation_id` is a UUID (per
# AUTHZ-S01-output §8). Workspace canonical version is 1.x; we pull `v4` for
# generation and `serde` for round-trip.
= { = "1.6", = ["v4", "serde"] }
# AUTHZ-PRIVACY-1: `TracingAuditSink` emits structured `tracing::info!` events
# under `target = "plexus::audit"` so every backend gets observability for
# free (AUTHZ-S01-output §8). Workspace pins `tracing = "0.1"`.
= "0.1"
[]
# trybuild drives compile-fail assertions: AuthContext / VerifiedUser /
# Principal cannot be constructed from outside this crate.
= "1.0"
= { = "1", = ["macros", "rt"] }
# AUTHZ-PRIVACY-1: assert `TracingAuditSink` emits to the `plexus::audit`
# target. `tracing-test` captures span/event output for in-test assertions.
# `no-env-filter` is required because our events use `target = "plexus::audit"`
# (a logical target), not the crate-derived target tracing-test filters on
# by default.
= { = "0.2", = ["no-env-filter"] }