ppoppo-sdk-core 0.2.0

Internal shared primitives for the Ppoppo SDK family (pas-external, pas-plims, pcs-external) — verifier port, audit trait, session liveness port, OIDC discovery, perimeter Bearer-auth Layer kit, identity types. Not a stable public API; do not depend on this crate directly. Consume the SDK crates that re-export from it (e.g. `pas-external`).
//! [`VerifyError`] — exactly two HTTP dispositions at the perimeter.

/// Verification failure surface — exactly two HTTP dispositions.
///
/// Richer per-substrate taxonomies (chat-auth's break-glass dashboard
/// distinguishes `JtiReplayed` / `SessionVersionStale` / etc.) stay
/// inside the consumer's [`super::AuthProvider`] impl and collapse to
/// one of these two variants at the SDK boundary. The Layer reads only
/// the disposition; the operator dashboard reads the substrate.
#[derive(Debug, Clone, thiserror::Error)]
pub enum VerifyError {
    /// Token rejected — invalid signature, expired, sub missing,
    /// session row missing or revoked, sv mismatch. Maps to **401 +
    /// add-based cookie clearance** at the perimeter so the browser
    /// stops replaying a dead session.
    #[error("token rejected: {0}")]
    Rejected(String),
    /// Substrate transient — JWKS fetch failed with no usable cache,
    /// session-row DB unreachable, sv-axis cache substrate down. Maps
    /// to **503 with cookies preserved**; the session may still be
    /// valid and the browser may retry.
    #[error("auth substrate transient: {0}")]
    SubstrateTransient(String),
}
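
The following added example (not code from the ppoppo-sdk-core crate) sketches how a consumer could collapse a richer substrate taxonomy into the two variants and how a perimeter layer could turn each one into a response. `SubstrateError`, its `SessionDbUnreachable` variant, `Disposition`, `disposition`, the cookie name and the cookie attributes are assumptions; `VerifyError` is redeclared without `thiserror` so the block compiles on its own.

```rust
// Stand-in with the page's two variants; no thiserror, so plain rustc builds it.
pub enum VerifyError {
    Rejected(String),
    SubstrateTransient(String),
}

// Hypothetical consumer taxonomy; SessionDbUnreachable is an assumed variant.
pub enum SubstrateError {
    JtiReplayed,
    SessionVersionStale,
    SessionDbUnreachable,
}

impl From<SubstrateError> for VerifyError {
    fn from(e: SubstrateError) -> Self {
        match e {
            SubstrateError::JtiReplayed => Self::Rejected("jti replayed".into()),
            SubstrateError::SessionVersionStale => Self::Rejected("sv stale".into()),
            SubstrateError::SessionDbUnreachable => Self::SubstrateTransient("session db down".into()),
        }
    }
}

pub struct Disposition {
    pub status: u16,
    pub set_cookie: Vec<String>, // one Set-Cookie header value per entry
    pub body: &'static str,
}

// The detail string goes to logs or audit only; the client sees a fixed body.
pub fn disposition(err: &VerifyError, session_cookies: &[&str]) -> Disposition {
    match err {
        // Dead session: expire each session cookie so the browser stops replaying it.
        VerifyError::Rejected(_) => Disposition {
            status: 401,
            set_cookie: session_cookies.iter()
                .map(|name| format!("{}=; Path=/; Max-Age=0; Secure; HttpOnly", name))
                .collect(),
            body: "unauthorized",
        },
        // Outage: the session may still be valid, so cookies are left untouched.
        VerifyError::SubstrateTransient(_) => Disposition { status: 503, set_cookie: Vec::new(), body: "service unavailable" },
    }
}

fn main() {
    // "sid" is a constructed cookie name.
    let d = disposition(&VerifyError::from(SubstrateError::JtiReplayed), &["sid"]);
    println!("{} {:?} {}", d.status, d.set_cookie, d.body);
}
```
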