systemprompt-security 0.9.0

//! Error types raised by the security infrastructure.
//!
//! Public APIs in this crate return `thiserror`-derived error enums:
//!
//! - [`AuthError`] — request validation, JWT decoding, claim extraction.
//! - [`JwtError`] — JWT minting (admin tokens, session tokens).
//! - [`ManifestSigningError`] — Ed25519 signing of bridge manifests.
//!
//! All three implement `std::error::Error` and can be composed into larger
//! `thiserror` enums via `#[from]`.

use thiserror::Error;

#[derive(Debug, Error)]
pub enum AuthError {
    #[error("missing authorization header")]
    MissingAuthorization,

    #[error("invalid JWT token: {0}")]
    InvalidToken(#[source] jsonwebtoken::errors::Error),

    #[error("missing session_id in token")]
    MissingSessionId,

    #[error("hook token: missing or non-`hook` audience")]
    HookAudienceMissing,

    #[error("hook token: required scope `{0}` not present")]
    HookScopeMissing(&'static str),

    #[error("hook token: missing `plugin_id` claim")]
    HookPluginIdMissing,

    #[error(
        "hook token: plugin_id `{actual}` in claim does not match request plugin_id `{expected}`"
    )]
    HookPluginIdMismatch { expected: String, actual: String },
}

#[derive(Debug, Error)]
pub enum JwtError {
    #[error("jwt encoding failed: {0}")]
    Encoding(#[from] jsonwebtoken::errors::Error),
}

#[derive(Debug, Error)]
pub enum ManifestSigningError {
    #[error("manifest signing seed unavailable: {0}")]
    SeedUnavailable(String),

    #[error("jcs canonicalize: {0}")]
    Canonicalize(String),

    #[error("signing key missing after initialization")]
    KeyMissing,
}

pub type AuthResult<T> = Result<T, AuthError>;

pub type JwtResult<T> = Result<T, JwtError>;

pub type ManifestSigningResult<T> = Result<T, ManifestSigningError>;