plexus-auth-core 0.1.0

Sealed-type primitives for the Plexus auth framework: AuthContext, VerifiedUser, Principal.
//! Acceptance tests for the sealed-type guarantees that AUTHZ-CORE-CRATE-1
//! demands. Each `tests/compile_fail/*.rs` file is a small program that
//! attempts to construct a sealed value from outside `plexus-auth-core`.
//! `trybuild` runs the compiler against each one and asserts it FAILS to
//! compile — that compile failure is the structural defense.
//!
//! Per the ticket §"Acceptance criteria":
//!
//!   6. A new test in `plexus-auth-core/tests/` asserts that `AuthContext`
//!      cannot be constructed from outside the crate (intentionally
//!      compile-fails using `trybuild` or equivalent).
//!
//!   7. A new test asserts no `Default` impl exists on `AuthContext`
//!      (compile-fail or `static_assertions`).
//!
//! The compile-fail programs cover:
//!
//!   - VerifiedUser cannot be constructed externally (private constructor +
//!     private fields)
//!   - Principal cannot be constructed externally (all variants gated)
//!   - ServiceIdentity cannot be constructed externally
//!   - VerifiedUser does not implement Default
//!   - Principal does not implement Default
//!   - Tenant cannot be constructed externally (AUTHZ-DATA-1-TYPES §5)
//!   - Tenant has no public field (struct-literal fabrication rejected)
//!   - Tenant does not implement Default (no silent isolation widening)
//!
//! AuthContext currently retains its `pub` constructor and `pub` fields
//! (see RUN-NOTES). The full external-construction lockdown for
//! AuthContext lands in a follow-up ticket once call sites are migrated.
//! In the meantime, the protections that DO hold today for AuthContext
//! are also asserted: no Default impl, and the orphan-rule guarantee
//! (which is a property of Rust's coherence rules, not of an attribute on
//! the type — captured here by inspection in the architecture doc).
//!
//! AUTHZ-CRED-CORE-1 adds compile-fail asserts for the credential
//! primitive (acceptance criteria 6, 7, 8 plus §"Forbidden constructions"
//! and the Tier B Q-WIRE-3 dispatch-capture guard):
//!
//!   - `Credential::new_sealed` is unreachable externally
//!   - `Credential { .. }` struct-literal construction is unreachable
//!   - `Credential<T>` does not implement `Default`
//!   - `CredentialMinter::new_sealed` is unreachable externally
//!   - `impl From<X> for Credential<T>` from a third crate is rejected by
//!     Rust's orphan rule (acceptance criterion 8)
//!   - `Credential<T>` is not `Deserialize` (raw JSON cannot fabricate one)
//!   - `DispatchCaptureGuard::install` is unreachable externally (so the
//!     dispatch-side capture toggle cannot be activated by activation code)

#[test]
fn sealing_compile_fails() {
    let t = trybuild::TestCases::new();
    t.compile_fail("tests/compile_fail/verified_user_construct.rs");
    t.compile_fail("tests/compile_fail/verified_user_field_access.rs");
    t.compile_fail("tests/compile_fail/principal_user_construct.rs");
    t.compile_fail("tests/compile_fail/principal_anonymous_construct.rs");
    t.compile_fail("tests/compile_fail/service_identity_construct.rs");
    t.compile_fail("tests/compile_fail/verified_user_no_default.rs");
    t.compile_fail("tests/compile_fail/principal_no_default.rs");
    t.compile_fail("tests/compile_fail/auth_context_no_default.rs");
    t.compile_fail("tests/compile_fail/tenant_construct.rs");
    t.compile_fail("tests/compile_fail/tenant_field_access.rs");
    t.compile_fail("tests/compile_fail/tenant_no_default.rs");

    // AUTHZ-CRED-CORE-1 acceptance criteria 6, 7, 8 (and the broader
    // sealed-construction asserts called out in §"Forbidden constructions"
    // and Tier B Q-WIRE-3).
    t.compile_fail("tests/compile_fail/credential_construct.rs");
    t.compile_fail("tests/compile_fail/credential_struct_literal.rs");
    t.compile_fail("tests/compile_fail/credential_no_default.rs");
    t.compile_fail("tests/compile_fail/credential_minter_construct.rs");
    t.compile_fail("tests/compile_fail/credential_orphan_from.rs");
    t.compile_fail("tests/compile_fail/credential_no_deserialize.rs");
    t.compile_fail("tests/compile_fail/dispatch_capture_guard_construct.rs");

    // AUTHLANG-2 — the framework-only `AuthContext::derive_callee_context`
    // constructor is `pub(crate)` to plexus-auth-core. Downstream crates
    // cannot reach it; only the framework's dispatch path (AUTHLANG-3)
    // can construct a callee context from a caller's.
    t.compile_fail("tests/compile_fail/derive_callee_context_unreachable.rs");

    // AUTHZ-DATA-1-WRAPPER acceptance criteria 2, 3, 4 plus the explicit
    // "failing examples" called out in the ticket. Each compile-fail
    // file documents the diagnostic it asserts (E0624 for private
    // constructors, E0616 for private fields, E0277 for the unsatisfied
    // `SealedStore` super-trait bound).
    t.compile_fail("tests/compile_fail/tenant_scoped_store_seal.rs");
    t.compile_fail("tests/compile_fail/tenanted_construct.rs");
    t.compile_fail("tests/compile_fail/tenanted_inner_field.rs");
    t.compile_fail("tests/compile_fail/scoped_inner_field.rs");
    t.compile_fail("tests/compile_fail/tenant_boundary_construct.rs");
    t.compile_fail("tests/compile_fail/tenant_boundary_struct_literal.rs");
}
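
The sealing pattern these compile-fail cases exercise, as an added example (not plexus-auth-core's own code): the `auth_core` module stands in for the crate boundary, so module privacy plays the role of crate privacy. `verify`, `open`, `MemoryStore` and the token format are hypothetical; `Tenant`, `new_sealed`, `SealedStore` and `TenantScopedStore` reuse names from the comments above, but their definitions here are assumptions.

```rust
// Added illustration, not plexus-auth-core code. `auth_core` stands in for the
// crate; everything outside the module plays the role of a downstream crate.
mod auth_core {
    mod private { pub trait SealedStore {} } // unnameable outside `auth_core`

    #[derive(Debug, PartialEq)] // deliberately no Default, no Deserialize
    pub struct Tenant {
        id: String, // private: blocks `Tenant { id: .. }` and `t.id`
    }

    impl Tenant {
        // Private constructor: only code inside `auth_core` can mint a Tenant.
        fn new_sealed(id: &str) -> Self { Tenant { id: id.to_owned() } }
        pub fn id(&self) -> &str { &self.id }
    }

    // The only path to a `Tenant`. Constructed check: "tenant:<alnum id>".
    pub fn verify(token: &str) -> Option<Tenant> {
        let id = token.strip_prefix("tenant:")?;
        let ok = !id.is_empty() && id.chars().all(|c| c.is_ascii_alphanumeric());
        ok.then(|| Tenant::new_sealed(id))
    }

    // Sealed trait: the super-trait bound can only be met inside `auth_core`.
    pub trait TenantScopedStore: private::SealedStore {
        fn owner(&self) -> &Tenant;
    }
    pub struct MemoryStore(Tenant);
    impl private::SealedStore for MemoryStore {}
    impl TenantScopedStore for MemoryStore {
        fn owner(&self) -> &Tenant { &self.0 }
    }
    pub fn open(t: Tenant) -> MemoryStore { MemoryStore(t) }
}

use auth_core::{open, verify, TenantScopedStore};

// Each line below, uncommented, is one compile-fail case:
//   auth_core::Tenant::new_sealed("acme");           // E0624 private constructor
//   auth_core::Tenant { id: "acme".into() };         // E0451 private field
//   let _ = verify("tenant:acme").unwrap().id;       // E0616 private field
//   <auth_core::Tenant as Default>::default();       // E0277 no Default impl
//   struct Rogue; impl TenantScopedStore for Rogue { /* .. */ } // E0277 seal

fn main() {
    let store = open(verify("tenant:acme").expect("valid token"));
    println!("store owner: {}", store.owner().id());
}
```
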