//! JWT plane.
//!
//! Two stateless surfaces, each a free function or unit-struct method that
//! never holds JWT state of its own:
//!
//! - [`mint`] — issues administrator-scoped RS256 tokens via
//! [`JwtService::generate_admin_token`]. Session-scoped tokens are minted by
//! [`crate::session::SessionGenerator`] instead.
//! - [`decode`] — turns a raw `Bearer …` string into a typed
//! [`JwtUserContext`], enforcing kid + RS256, re-deriving `user_type` from
//! `scope` (defence-in-depth against a forged claim), and surfacing every
//! failure as an [`crate::AuthError`] variant.
//!
//! Issuer pinning for full session decode lives in
//! [`crate::AuthValidationService`]; the bare [`decode::extract_user_context`]
//! enforces a first-party `aud` and is used by request-context middleware that
//! does its own session and user lookups against the database after decode.
//!
//! Copyright (c) systemprompt.io — Business Source License 1.1.
//! See <https://systemprompt.io> for licensing details.
pub use ;
pub use ;
pub use ;