// GENERATED by `tf-schema codegen --target rust` — DO NOT EDIT BY HAND.
#![allow(unused_imports, non_camel_case_types, non_snake_case, clippy::all)]
use serde::{Deserialize, Serialize};
use super::*;
/// One entry of the bridges registry: selects the bridge module (`kind`) that handles a
/// credential and how that credential's issuer is matched (`issuer_match` exact,
/// `iss_pattern` substring). Entries are evaluated in registry order; see
/// `BridgesRegistry::bridges` for the first-match-wins rule.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct BridgeEntry {
/// Which TrustForge bridge module handles this credential format.
pub kind: BridgeEntry_Kind,
/// Exact match against the credential's `iss` claim (OAuth/JWT) or trust-domain authority. Use `iss_pattern` for prefix/suffix matching.
/// NOTE(review): `iss_pattern` is documented below as a *substring* match, which is broader than
/// prefix/suffix — confirm the intended semantics against the resolver.
#[serde(skip_serializing_if = "Option::is_none", default)]
pub issuer_match: Option<String>,
/// Substring match against the credential's `iss` claim. `clerk.dev` matches both `https://api.clerk.dev/...` and `clerk.dev`.
/// Because this is a plain substring test, any issuer string that merely contains the pattern also
/// matches, including unrelated hosts that embed it. Prefer `issuer_match` when the exact issuer is
/// known, and list exact-match entries before pattern entries since the first match wins.
/// NOTE(review): nothing here shows whether the `iss` value is normalised (scheme, case, trailing
/// slash) before matching — confirm in the resolver.
#[serde(skip_serializing_if = "Option::is_none", default)]
pub iss_pattern: Option<String>,
/// Trust domain the resolved actor belongs to.
#[serde(skip_serializing_if = "Option::is_none", default)]
pub trust_domain: Option<TrustDomain>,
/// Initial TrustForge trust level assigned to actors resolved through this bridge entry.
#[serde(skip_serializing_if = "Option::is_none", default)]
pub trust_level: Option<TrustLevel>,
/// Mapping from the credential's native scope/permission to a TrustForge action name. Keys are the native scope (e.g. OAuth `email`); values are TrustForge action names matching the dotted ActionName pattern.
/// `BTreeMap` keeps keys sorted, so serialized output is deterministic regardless of input order.
#[serde(skip_serializing_if = "Option::is_none", default)]
pub capability_map: Option<std::collections::BTreeMap<String, String>>,
/// Per-entry conformance profile override. When absent, `BridgesRegistry::default_profile` applies.
#[serde(skip_serializing_if = "Option::is_none", default)]
pub profile: Option<String>,
}
/// Which TrustForge bridge module handles this credential format.
///
/// Each variant is serialized as the kebab-case string given in its `rename` attribute. There is
/// no `#[serde(other)]` catch-all, so an unrecognised `kind` string is a deserialization error
/// rather than being silently mapped to a default module.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum BridgeEntry_Kind {
#[serde(rename = "oauth")]
Oauth,
#[serde(rename = "clerk")]
Clerk,
#[serde(rename = "next-auth")]
NextAuth,
#[serde(rename = "better-auth")]
BetterAuth,
#[serde(rename = "webauthn")]
Webauthn,
#[serde(rename = "tls")]
Tls,
#[serde(rename = "spiffe")]
Spiffe,
#[serde(rename = "did")]
Did,
#[serde(rename = "gnap")]
Gnap,
#[serde(rename = "mcp")]
Mcp,
#[serde(rename = "matrix")]
Matrix,
#[serde(rename = "webhook")]
Webhook,
#[serde(rename = "grpc")]
Grpc,
#[serde(rename = "service-mesh")]
ServiceMesh,
#[serde(rename = "a2a")]
A2a,
#[serde(rename = "session-cookie")]
SessionCookie,
#[serde(rename = "aws")]
Aws,
#[serde(rename = "gcp")]
Gcp,
#[serde(rename = "azure")]
Azure,
#[serde(rename = "vault")]
Vault,
#[serde(rename = "doppler")]
Doppler,
}
/// Per-deployment registry that overrides the default credential-resolver mapping. The daemon reads `.tf/bridges.yaml` once at startup, validates against this schema, and uses `resolveByIssuer` to map an incoming credential's issuer / iss claim / SPIFFE trust domain to a TrustForge bridge entry. When no entry matches, the resolver falls back to the built-in defaults declared in `tools/tf-daemon/src/credential-resolver.ts` (B2).
///
/// `registry_version` and `bridges` are required keys (no `default`); `default_profile` is optional.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct BridgesRegistry {
/// Version of the bridges-registry schema itself.
pub registry_version: BridgesRegistry_RegistryVersion,
/// Optional conformance profile name applied when an entry omits its own. Purely informational at this layer; the FeatureGate is the authoritative gate.
#[serde(skip_serializing_if = "Option::is_none", default)]
pub default_profile: Option<String>,
/// Per-issuer bridge entries. The first entry whose `issuer_match` / `iss_pattern` matches an incoming credential wins.
/// Order is therefore significant: place exact `issuer_match` entries before broader `iss_pattern`
/// entries so a substring pattern cannot shadow a more specific one. An empty list is valid at this
/// layer and means every credential falls through to the built-in defaults described above.
pub bridges: Vec<BridgeEntry>,
}
/// Version of the bridges-registry schema itself.
///
/// Only the string `"1"` is accepted; any other value is a deserialization error, which is
/// presumably how files written for a later schema are refused rather than misread.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum BridgesRegistry_RegistryVersion {
#[serde(rename = "1")]
V1,
}