tf-types 0.1.6

Core semantic types, traits, and schemas powering the TrustForge protocol.
// GENERATED by `tf-schema codegen --target rust` — DO NOT EDIT BY HAND.

#![allow(unused_imports, non_camel_case_types, non_snake_case, clippy::all)]

use serde::{Deserialize, Serialize};
use super::*;

/// One bridge entry of a [`BridgesRegistry`]: selects a bridge module by `kind`, says which
/// issuers it applies to (`issuer_match` / `iss_pattern`), and carries the trust domain,
/// trust level, capability mapping and profile applied to actors resolved through it.
///
/// NOTE(review): every field except `kind` is optional, so this type alone does not require
/// an entry to carry any issuer matcher. How the resolver treats an entry with neither
/// `issuer_match` nor `iss_pattern` is not visible here; confirm it cannot act as a catch-all.
///
/// NOTE(review): the struct has no `#[serde(deny_unknown_fields)]`, so serde drops unknown
/// keys silently at this layer. A misspelled security-relevant key (for example a typo in
/// `trust_level`) deserializes as `None` unless the schema validation step rejects it.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct BridgeEntry {
    /// Which TrustForge bridge module handles this credential format.
    pub kind: BridgeEntry_Kind,
    /// Exact match against the credential's `iss` claim (OAuth/JWT) or trust-domain authority. Use `iss_pattern` for prefix/suffix matching.
    ///
    /// NOTE(review): `iss_pattern` is documented as a substring match, not an anchored
    /// prefix/suffix match; the two field descriptions should be reconciled in the schema.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub issuer_match: Option<String>,
    /// Substring match against the credential's `iss` claim. `clerk.dev` matches both `https://api.clerk.dev/...` and `clerk.dev`.
    ///
    /// NOTE(review): an unanchored substring test also matches any other issuer string that
    /// merely contains the pattern (a different host or a path segment). Because the matched
    /// entry decides `trust_domain`, `trust_level` and `capability_map`, prefer `issuer_match`
    /// where the issuer is known exactly and keep patterns as specific as possible.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub iss_pattern: Option<String>,
    /// Trust domain the resolved actor belongs to.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub trust_domain: Option<TrustDomain>,
    /// Initial TrustForge trust level assigned to actors resolved through this bridge entry.
    ///
    /// NOTE(review): the level applied when this is `None` is not defined in this file;
    /// confirm the resolver's default is the least-privileged level.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub trust_level: Option<TrustLevel>,
    /// Mapping from the credential's native scope/permission to a TrustForge action name. Keys are the native scope (e.g. OAuth `email`); values are TrustForge action names matching the dotted ActionName pattern.
    ///
    /// NOTE(review): values are plain `String`s, so the ActionName pattern is not enforced by
    /// this type; it has to be checked by schema validation before the map is used to grant
    /// actions.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub capability_map: Option<std::collections::BTreeMap<String, String>>,
    /// Per-entry conformance profile override.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub profile: Option<String>,
}

/// Which TrustForge bridge module handles this credential format.
///
/// Each variant is a unit variant whose wire name is the string given in its
/// `#[serde(rename = "...")]` attribute (lower-case, hyphenated where two words are joined).
/// No `#[serde(other)]` fallback variant is declared, so a `kind` string outside this list
/// fails deserialization instead of being mapped to a default bridge.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum BridgeEntry_Kind {
    #[serde(rename = "oauth")]
    Oauth,
    #[serde(rename = "clerk")]
    Clerk,
    #[serde(rename = "next-auth")]
    NextAuth,
    #[serde(rename = "better-auth")]
    BetterAuth,
    #[serde(rename = "webauthn")]
    Webauthn,
    #[serde(rename = "tls")]
    Tls,
    #[serde(rename = "spiffe")]
    Spiffe,
    #[serde(rename = "did")]
    Did,
    #[serde(rename = "gnap")]
    Gnap,
    #[serde(rename = "mcp")]
    Mcp,
    #[serde(rename = "matrix")]
    Matrix,
    #[serde(rename = "webhook")]
    Webhook,
    #[serde(rename = "grpc")]
    Grpc,
    #[serde(rename = "service-mesh")]
    ServiceMesh,
    #[serde(rename = "a2a")]
    A2a,
    #[serde(rename = "session-cookie")]
    SessionCookie,
    #[serde(rename = "aws")]
    Aws,
    #[serde(rename = "gcp")]
    Gcp,
    #[serde(rename = "azure")]
    Azure,
    #[serde(rename = "vault")]
    Vault,
    #[serde(rename = "doppler")]
    Doppler,
}

/// Per-deployment registry that overrides the default credential-resolver mapping. The daemon reads `.tf/bridges.yaml` once at startup, validates against this schema, and uses `resolveByIssuer` to map an incoming credential's issuer / iss claim / SPIFFE trust domain to a TrustForge bridge entry. When no entry matches, the resolver falls back to the built-in defaults declared in `tools/tf-daemon/src/credential-resolver.ts` (B2).
///
/// NOTE(review): this file decides which issuers are trusted and at what level, so
/// `.tf/bridges.yaml` should be writable only by the deployment's operators and changes to it
/// reviewed like code. It is read once at startup, so an edit takes effect only after a
/// daemon restart.
///
/// NOTE(review): the struct has no `#[serde(deny_unknown_fields)]`; unknown top-level keys
/// are ignored by serde at this layer unless the schema validation step rejects them.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct BridgesRegistry {
    /// Version of the bridges-registry schema itself.
    pub registry_version: BridgesRegistry_RegistryVersion,
    /// Optional conformance profile name applied when an entry omits its own. Purely informational at this layer; the FeatureGate is the authoritative gate.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub default_profile: Option<String>,
    /// Per-issuer bridge entries. The first entry whose `issuer_match` / `iss_pattern` matches an incoming credential wins.
    ///
    /// Order is significant: because the first match wins, a broad `iss_pattern` placed ahead
    /// of a more specific entry shadows it. List exact `issuer_match` entries before pattern
    /// entries. The field has no serde default, so a document without `bridges` fails
    /// deserialization; an empty list is accepted by this type.
    pub bridges: Vec<BridgeEntry>,
}

/// Version of the bridges-registry schema itself.
///
/// `V1` is the only variant and its wire name is the string `1`; any other version value
/// fails deserialization, so a registry written for a different schema version is rejected
/// rather than interpreted under version 1 rules.
///
/// NOTE(review): whether an unquoted YAML integer `1` is accepted for this string-named
/// variant depends on the deserializer in use; confirm against the consumer of this type.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum BridgesRegistry_RegistryVersion {
    #[serde(rename = "1")]
    V1,
}