ppoppo-sdk-core 0.2.0

//! γ port-and-adapter SDK boundary for bearer-token verification.
//!
//! Phase 6.1 — D-04 = γ (locked 2026-05-05). Phase A
//! (RFC `RFC_2026-05-08_app-credential-collapse.md`, audit decision E)
//! lifted the cohesive group from `pas_external::token::*` to here so
//! multiple SDK crates and 1st-party services share one definition.
//!
//! The SDK exposes a [`BearerVerifier`] trait + [`VerifiedClaims`]
//! result, hiding the engine ([`ppoppo_token`]), the token format (JWT,
//! RFC 9068), and the JWKS substrate behind a single async port.
//! External Developer apps inject `Arc<dyn BearerVerifier>` into their
//! middleware and never see `jsonwebtoken::*` types.
//!
//! Module layout (cohesive group, audit decision E):
//!
//! - [`port`] — `BearerVerifier` trait
//! - [`claims`] — `VerifiedClaims` (was `AuthSession` — audit decision G)
//! - [`config`] — `VerifyConfig` (was `Expectations` — audit decision G)
//! - [`error`] — `VerifyError` crypto-side enum
//! - [`jwks_cache`] — `JwksCache` (visibility lifted to `pub` in Phase A)
//! - [`jwt`] — `JwtVerifier` production adapter (was `PasJwtVerifier` — audit decision G)
//! - [`memory`] — `MemoryBearerVerifier` test-support adapter

pub mod claims;
pub mod config;
pub mod error;
pub mod port;

#[cfg(feature = "well-known-fetch")]
pub mod jwks_cache;

#[cfg(feature = "well-known-fetch")]
pub mod jwt;

#[cfg(any(test, feature = "test-support"))]
pub mod memory;

pub use claims::VerifiedClaims;
pub use config::VerifyConfig;
pub use error::VerifyError;
pub use port::BearerVerifier;

#[cfg(feature = "well-known-fetch")]
pub use jwks_cache::JwksCache;

#[cfg(feature = "well-known-fetch")]
pub use jwt::JwtVerifier;

#[cfg(any(test, feature = "test-support"))]
pub use memory::MemoryBearerVerifier;