1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
//! `secure_authz` — Authorization enforcement (OWASP C7).
//!
//! # Feature Overview
//!
//! The crate ships a framework-neutral core plus optional HTTP framework
//! adapters. Pick one or both:
//!
//! | Feature flag | Default | Enables |
//! |---|---|---|
//! | `axum` | ✅ | [`middleware::AuthzLayer`] as a tower `Layer` |
//! | `actix-web` | | [`actix::AuthzTransform`] as an actix middleware |
//!
//! The standard subject/action/resource authorization path remains
//! identity-agnostic: it depends on
//! [`security_core::identity::AuthenticatedIdentity`]. Identity may come from
//! `secure_identity`, Keycloak, Auth0, or any custom provider.
//!
//! Native device-trust predicates are intentionally typed and live in
//! [`device_trust`]. That module accepts `secure_device_trust`,
//! `secure_identity`, and `secure_network` context so route policies can prove
//! that user sessions stay pinned to verified session mTLS.
//!
//! # What this crate gives you
//!
//! - Typed subjects, actions, and resources (no role strings in business code)
//! - Pluggable policy engine (default: casbin RBAC)
//! - Tenant isolation
//! - Bounded LRU decision cache with TTL
//! - Decision logging to `security_events`
//! - Framework adapters (axum and actix-web 4) that share the same
//! enforcement pipeline ([`crate::enforce::run_check`]).
//! - Device-trust route predicates for native clients.
/// Actix-web 4 integration — feature-gated via `actix-web`.
pub use Action;
pub use ;
pub use ;
pub use DefaultPolicyEngine;
pub use ;
pub use ResourceRef;
pub use Subject;