//! Generated by `trust-tasks-codegen` — do not edit by hand.
//!
//! Spec slug: `auth/step-up/policy`. Version: `0.1`.
#[allow(unused_imports)]
use serde::{Deserialize, Serialize};
/// Error types.
pub mod error {
/// Error from a `TryFrom` or `FromStr` implementation.
pub struct ConversionError(::std::borrow::Cow<'static, str>);
impl ::std::error::Error for ConversionError {}
impl ::std::fmt::Display for ConversionError {
fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> Result<(), ::std::fmt::Error> {
::std::fmt::Display::fmt(&self.0, f)
}
}
impl ::std::fmt::Debug for ConversionError {
fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> Result<(), ::std::fmt::Error> {
::std::fmt::Debug::fmt(&self.0, f)
}
}
impl From<&'static str> for ConversionError {
fn from(value: &'static str) -> Self {
Self(value.into())
}
}
impl From<String> for ConversionError {
fn from(value: String) -> Self {
Self(value.into())
}
}
}
///Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "title": "Ext",
/// "description": "Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.",
/// "type": "object",
/// "minProperties": 1,
/// "additionalProperties": true,
/// "propertyNames": {
/// "pattern": "^[a-z][a-z0-9-]*(\\.[a-z0-9-]+)+$"
/// }
///}
/// ```
/// </details>
#[derive(::serde::Deserialize, ::serde::Serialize, Clone, Debug)]
#[serde(transparent)]
pub struct Ext(pub ::std::collections::HashMap<ExtKey, ::serde_json::Value>);
impl ::std::ops::Deref for Ext {
type Target = ::std::collections::HashMap<ExtKey, ::serde_json::Value>;
fn deref(&self) -> &::std::collections::HashMap<ExtKey, ::serde_json::Value> {
&self.0
}
}
impl ::std::convert::From<Ext> for ::std::collections::HashMap<ExtKey, ::serde_json::Value> {
fn from(value: Ext) -> Self {
value.0
}
}
impl ::std::convert::From<::std::collections::HashMap<ExtKey, ::serde_json::Value>> for Ext {
fn from(value: ::std::collections::HashMap<ExtKey, ::serde_json::Value>) -> Self {
Self(value)
}
}
///`ExtKey`
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "type": "string",
/// "pattern": "^[a-z][a-z0-9-]*(\\.[a-z0-9-]+)+$"
///}
/// ```
/// </details>
#[derive(::serde::Serialize, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
#[serde(transparent)]
pub struct ExtKey(::std::string::String);
impl ::std::ops::Deref for ExtKey {
type Target = ::std::string::String;
fn deref(&self) -> &::std::string::String {
&self.0
}
}
impl ::std::convert::From<ExtKey> for ::std::string::String {
fn from(value: ExtKey) -> Self {
value.0
}
}
impl ::std::str::FromStr for ExtKey {
type Err = self::error::ConversionError;
fn from_str(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
static PATTERN: ::std::sync::LazyLock<::regress::Regex> =
::std::sync::LazyLock::new(|| {
::regress::Regex::new("^[a-z][a-z0-9-]*(\\.[a-z0-9-]+)+$").unwrap()
});
if PATTERN.find(value).is_none() {
return Err("doesn't match pattern \"^[a-z][a-z0-9-]*(\\.[a-z0-9-]+)+$\"".into());
}
Ok(Self(value.to_string()))
}
}
impl ::std::convert::TryFrom<&str> for ExtKey {
type Error = self::error::ConversionError;
fn try_from(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<&::std::string::String> for ExtKey {
type Error = self::error::ConversionError;
fn try_from(
value: &::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<::std::string::String> for ExtKey {
type Error = self::error::ConversionError;
fn try_from(
value: ::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl<'de> ::serde::Deserialize<'de> for ExtKey {
fn deserialize<D>(deserializer: D) -> ::std::result::Result<Self, D::Error>
where
D: ::serde::Deserializer<'de>,
{
::std::string::String::deserialize(deserializer)?
.parse()
.map_err(|e: self::error::ConversionError| {
<D::Error as ::serde::de::Error>::custom(e.to_string())
})
}
}
///`Floor`
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "title": "StepUpFloor",
/// "type": "object",
/// "required": [
/// "mode",
/// "operation"
/// ],
/// "properties": {
/// "allowAal1IfNonEscalating": {
/// "description": "Carve-out for non-escalating self-service operations (notably acl/swap-key key-rotation and method-enrolment). When `true` and the maintainer verifies the request does not escalate (its resulting AclEntry's role and scopes are a subset of the caller's existing entry, and the caller acts on its own entry), the operation is admitted at AAL1 even though `mode` requires AAL2 — so a holder with no authenticator yet can still bootstrap/rotate. Omitted is equivalent to `false` (the correct default for escalating operations such as acl/grant, change-role, revoke, context/delete, key/revoke): a caller lacking a usable step-up method is denied (fail-closed) rather than silently downgraded to AAL1.",
/// "type": "boolean"
/// },
/// "mode": {
/// "description": "Minimum mode required to perform the operation. `none` = AAL1 permitted (no step-up). `self` = the caller must elevate its own session (AAL2 via its own authenticator). `delegated` = a separate approver named on the caller's AclEntry (`stepUp.approver`) MUST ratify (AAL2 via auth/step-up/approve-request). `delegated-any` = any VID satisfying the maintainer's approver criterion MAY ratify. Strictness order for floor/override resolution: none < self < delegated-any < delegated.",
/// "type": "string",
/// "enum": [
/// "none",
/// "self",
/// "delegated",
/// "delegated-any"
/// ]
/// },
/// "operation": {
/// "description": "The operation-class this floor governs: a Trust Task type URI or slug (e.g. `acl/grant`, `acl/swap-key`, `context/delete`, `key/revoke`, `vault/release`), or `*` for the catch-all default applied when no more-specific floor matches.",
/// "type": "string"
/// }
/// },
/// "additionalProperties": false
///}
/// ```
/// </details>
#[derive(::serde::Deserialize, ::serde::Serialize, Clone, Debug)]
#[serde(deny_unknown_fields)]
pub struct Floor {
///Carve-out for non-escalating self-service operations (notably acl/swap-key key-rotation and method-enrolment). When `true` and the maintainer verifies the request does not escalate (its resulting AclEntry's role and scopes are a subset of the caller's existing entry, and the caller acts on its own entry), the operation is admitted at AAL1 even though `mode` requires AAL2 — so a holder with no authenticator yet can still bootstrap/rotate. Omitted is equivalent to `false` (the correct default for escalating operations such as acl/grant, change-role, revoke, context/delete, key/revoke): a caller lacking a usable step-up method is denied (fail-closed) rather than silently downgraded to AAL1.
#[serde(
rename = "allowAal1IfNonEscalating",
default,
skip_serializing_if = "::std::option::Option::is_none"
)]
pub allow_aal1_if_non_escalating: ::std::option::Option<bool>,
///Minimum mode required to perform the operation. `none` = AAL1 permitted (no step-up). `self` = the caller must elevate its own session (AAL2 via its own authenticator). `delegated` = a separate approver named on the caller's AclEntry (`stepUp.approver`) MUST ratify (AAL2 via auth/step-up/approve-request). `delegated-any` = any VID satisfying the maintainer's approver criterion MAY ratify. Strictness order for floor/override resolution: none < self < delegated-any < delegated.
pub mode: FloorMode,
///The operation-class this floor governs: a Trust Task type URI or slug (e.g. `acl/grant`, `acl/swap-key`, `context/delete`, `key/revoke`, `vault/release`), or `*` for the catch-all default applied when no more-specific floor matches.
pub operation: ::std::string::String,
}
///Minimum mode required to perform the operation. `none` = AAL1 permitted (no step-up). `self` = the caller must elevate its own session (AAL2 via its own authenticator). `delegated` = a separate approver named on the caller's AclEntry (`stepUp.approver`) MUST ratify (AAL2 via auth/step-up/approve-request). `delegated-any` = any VID satisfying the maintainer's approver criterion MAY ratify. Strictness order for floor/override resolution: none < self < delegated-any < delegated.
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "description": "Minimum mode required to perform the operation. `none` = AAL1 permitted (no step-up). `self` = the caller must elevate its own session (AAL2 via its own authenticator). `delegated` = a separate approver named on the caller's AclEntry (`stepUp.approver`) MUST ratify (AAL2 via auth/step-up/approve-request). `delegated-any` = any VID satisfying the maintainer's approver criterion MAY ratify. Strictness order for floor/override resolution: none < self < delegated-any < delegated.",
/// "type": "string",
/// "enum": [
/// "none",
/// "self",
/// "delegated",
/// "delegated-any"
/// ]
///}
/// ```
/// </details>
#[derive(
::serde::Deserialize,
::serde::Serialize,
Clone,
Copy,
Debug,
Eq,
Hash,
Ord,
PartialEq,
PartialOrd,
)]
pub enum FloorMode {
#[serde(rename = "none")]
None,
#[serde(rename = "self")]
Self_,
#[serde(rename = "delegated")]
Delegated,
#[serde(rename = "delegated-any")]
DelegatedAny,
}
impl ::std::fmt::Display for FloorMode {
fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result {
match *self {
Self::None => f.write_str("none"),
Self::Self_ => f.write_str("self"),
Self::Delegated => f.write_str("delegated"),
Self::DelegatedAny => f.write_str("delegated-any"),
}
}
}
impl ::std::str::FromStr for FloorMode {
type Err = self::error::ConversionError;
fn from_str(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
match value {
"none" => Ok(Self::None),
"self" => Ok(Self::Self_),
"delegated" => Ok(Self::Delegated),
"delegated-any" => Ok(Self::DelegatedAny),
_ => Err("invalid value".into()),
}
}
}
impl ::std::convert::TryFrom<&str> for FloorMode {
type Error = self::error::ConversionError;
fn try_from(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<&::std::string::String> for FloorMode {
type Error = self::error::ConversionError;
fn try_from(
value: &::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<::std::string::String> for FloorMode {
type Error = self::error::ConversionError;
fn try_from(
value: ::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
///The relying party's (ACL maintainer's) system-wide step-up policy: the per-operation-class floor that decides whether — and how — a step-up to a higher assurance level is required before a gated operation proceeds. Set by an administrator; resolved per request against per-entry overrides (see acl/_shared AclEntry.stepUp).
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "$id": "https://trusttasks.org/spec/auth/step-up/policy/0.1",
/// "title": "Payload",
/// "description": "The relying party's (ACL maintainer's) system-wide step-up policy: the per-operation-class floor that decides whether — and how — a step-up to a higher assurance level is required before a gated operation proceeds. Set by an administrator; resolved per request against per-entry overrides (see acl/_shared AclEntry.stepUp).",
/// "type": "object",
/// "required": [
/// "enabled",
/// "floors"
/// ],
/// "properties": {
/// "enabled": {
/// "description": "Master switch. `false` (the shipping default) ⇒ step-up is NOT enforced anywhere; every operation proceeds at AAL1 regardless of `floors`, because a freshly-provisioned maintainer has no registered approver and could not otherwise be administered (chicken-and-egg). The maintainer SHOULD surface this 'not enforced' state prominently. `true` ⇒ the `floors` are enforced.",
/// "type": "boolean"
/// },
/// "ext": {
/// "description": "Ecosystem-defined extension members per SPEC.md §4.5.1.",
/// "$ref": "#/definitions/Ext"
/// },
/// "floors": {
/// "description": "The system-wide minimum step-up requirement per operation-class — the maintainer-owned floor. Per-entry `stepUp` settings on an AclEntry MAY raise the requirement for a given subject but MUST NOT lower it (additive-only). The effective requirement for a request is the strictest of (matching floor, caller's per-entry setting).",
/// "type": "array",
/// "items": {
/// "$ref": "#/definitions/Floor"
/// }
/// }
/// },
/// "additionalProperties": false
///}
/// ```
/// </details>
#[derive(::serde::Deserialize, ::serde::Serialize, Clone, Debug)]
#[serde(deny_unknown_fields)]
pub struct Payload {
///Master switch. `false` (the shipping default) ⇒ step-up is NOT enforced anywhere; every operation proceeds at AAL1 regardless of `floors`, because a freshly-provisioned maintainer has no registered approver and could not otherwise be administered (chicken-and-egg). The maintainer SHOULD surface this 'not enforced' state prominently. `true` ⇒ the `floors` are enforced.
pub enabled: bool,
///Ecosystem-defined extension members per SPEC.md §4.5.1.
#[serde(default, skip_serializing_if = "::std::option::Option::is_none")]
pub ext: ::std::option::Option<Ext>,
///The system-wide minimum step-up requirement per operation-class — the maintainer-owned floor. Per-entry `stepUp` settings on an AclEntry MAY raise the requirement for a given subject but MUST NOT lower it (additive-only). The effective requirement for a request is the strictest of (matching floor, caller's per-entry setting).
pub floors: ::std::vec::Vec<Floor>,
}
///The policy the maintainer now holds after applying the request. Carried in a Trust Task document whose type is https://trusttasks.org/spec/auth/step-up/policy/0.1#response.
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "title": "Response",
/// "description": "The policy the maintainer now holds after applying the request. Carried in a Trust Task document whose type is https://trusttasks.org/spec/auth/step-up/policy/0.1#response.",
/// "type": "object",
/// "required": [
/// "enabled",
/// "floors"
/// ],
/// "properties": {
/// "enabled": {
/// "description": "The effective master switch the maintainer now holds.",
/// "type": "boolean"
/// },
/// "ext": {
/// "$ref": "#/definitions/Ext"
/// },
/// "floors": {
/// "description": "The effective floors the maintainer now holds (canonicalized: deduplicated by `operation`, defaults materialized).",
/// "type": "array",
/// "items": {
/// "$ref": "#/definitions/Floor"
/// }
/// }
/// },
/// "additionalProperties": false,
/// "$anchor": "response"
///}
/// ```
/// </details>
#[derive(::serde::Deserialize, ::serde::Serialize, Clone, Debug)]
#[serde(deny_unknown_fields)]
pub struct Response {
///The effective master switch the maintainer now holds.
pub enabled: bool,
#[serde(default, skip_serializing_if = "::std::option::Option::is_none")]
pub ext: ::std::option::Option<Ext>,
///The effective floors the maintainer now holds (canonicalized: deduplicated by `operation`, defaults materialized).
pub floors: ::std::vec::Vec<Floor>,
}
impl crate::Payload for Payload {
const TYPE_URI: &'static str = "https://trusttasks.org/spec/auth/step-up/policy/0.1";
const IS_PROOF_REQUIRED: bool = true;
}
impl crate::Payload for Response {
const TYPE_URI: &'static str = "https://trusttasks.org/spec/auth/step-up/policy/0.1#response";
const IS_PROOF_REQUIRED: bool = true;
}
#[cfg(feature = "validate")]
impl crate::validate::ValidatedPayload for Payload {
const SCHEMA_JSON: &'static str = "{\n \"$defs\": {\n \"Ext\": {\n \"additionalProperties\": true,\n \"description\": \"Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.\",\n \"minProperties\": 1,\n \"propertyNames\": {\n \"pattern\": \"^[a-z][a-z0-9-]*(\\\\.[a-z0-9-]+)+$\"\n },\n \"title\": \"Ext\",\n \"type\": \"object\"\n },\n \"Floor\": {\n \"additionalProperties\": false,\n \"properties\": {\n \"allowAal1IfNonEscalating\": {\n \"description\": \"Carve-out for non-escalating self-service operations (notably acl/swap-key key-rotation and method-enrolment). When `true` and the maintainer verifies the request does not escalate (its resulting AclEntry's role and scopes are a subset of the caller's existing entry, and the caller acts on its own entry), the operation is admitted at AAL1 even though `mode` requires AAL2 — so a holder with no authenticator yet can still bootstrap/rotate. Omitted is equivalent to `false` (the correct default for escalating operations such as acl/grant, change-role, revoke, context/delete, key/revoke): a caller lacking a usable step-up method is denied (fail-closed) rather than silently downgraded to AAL1.\",\n \"type\": \"boolean\"\n },\n \"mode\": {\n \"description\": \"Minimum mode required to perform the operation. `none` = AAL1 permitted (no step-up). `self` = the caller must elevate its own session (AAL2 via its own authenticator). `delegated` = a separate approver named on the caller's AclEntry (`stepUp.approver`) MUST ratify (AAL2 via auth/step-up/approve-request). `delegated-any` = any VID satisfying the maintainer's approver criterion MAY ratify. Strictness order for floor/override resolution: none < self < delegated-any < delegated.\",\n \"enum\": [\n \"none\",\n \"self\",\n \"delegated\",\n \"delegated-any\"\n ],\n \"type\": \"string\"\n },\n \"operation\": {\n \"description\": \"The operation-class this floor governs: a Trust Task type URI or slug (e.g. `acl/grant`, `acl/swap-key`, `context/delete`, `key/revoke`, `vault/release`), or `*` for the catch-all default applied when no more-specific floor matches.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"operation\",\n \"mode\"\n ],\n \"title\": \"StepUpFloor\",\n \"type\": \"object\"\n },\n \"Response\": {\n \"$anchor\": \"response\",\n \"additionalProperties\": false,\n \"description\": \"The policy the maintainer now holds after applying the request. Carried in a Trust Task document whose type is https://trusttasks.org/spec/auth/step-up/policy/0.1#response.\",\n \"properties\": {\n \"enabled\": {\n \"description\": \"The effective master switch the maintainer now holds.\",\n \"type\": \"boolean\"\n },\n \"ext\": {\n \"$ref\": \"#/$defs/Ext\"\n },\n \"floors\": {\n \"description\": \"The effective floors the maintainer now holds (canonicalized: deduplicated by `operation`, defaults materialized).\",\n \"items\": {\n \"$ref\": \"#/$defs/Floor\"\n },\n \"type\": \"array\"\n }\n },\n \"required\": [\n \"enabled\",\n \"floors\"\n ],\n \"title\": \"Auth — Step-up Policy — response payload\",\n \"type\": \"object\"\n }\n },\n \"$id\": \"https://trusttasks.org/spec/auth/step-up/policy/0.1\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"additionalProperties\": false,\n \"description\": \"The relying party's (ACL maintainer's) system-wide step-up policy: the per-operation-class floor that decides whether — and how — a step-up to a higher assurance level is required before a gated operation proceeds. Set by an administrator; resolved per request against per-entry overrides (see acl/_shared AclEntry.stepUp).\",\n \"properties\": {\n \"enabled\": {\n \"description\": \"Master switch. `false` (the shipping default) ⇒ step-up is NOT enforced anywhere; every operation proceeds at AAL1 regardless of `floors`, because a freshly-provisioned maintainer has no registered approver and could not otherwise be administered (chicken-and-egg). The maintainer SHOULD surface this 'not enforced' state prominently. `true` ⇒ the `floors` are enforced.\",\n \"type\": \"boolean\"\n },\n \"ext\": {\n \"$ref\": \"#/$defs/Ext\",\n \"description\": \"Ecosystem-defined extension members per SPEC.md §4.5.1.\"\n },\n \"floors\": {\n \"description\": \"The system-wide minimum step-up requirement per operation-class — the maintainer-owned floor. Per-entry `stepUp` settings on an AclEntry MAY raise the requirement for a given subject but MUST NOT lower it (additive-only). The effective requirement for a request is the strictest of (matching floor, caller's per-entry setting).\",\n \"items\": {\n \"$ref\": \"#/$defs/Floor\"\n },\n \"type\": \"array\"\n }\n },\n \"required\": [\n \"enabled\",\n \"floors\"\n ],\n \"title\": \"Auth — Step-up Policy — payload\",\n \"type\": \"object\"\n}\n";
}
#[cfg(test)]
mod conformance {
//! Round-trip tests harvested from the spec's `spec.md`,
//! plus a `rejects_invalid_examples` test for any fixtures
//! in `payload.invalid-examples.json` (validate feature).
#[test]
fn request_example_1() {
const JSON: &str = "{\n \"id\": \"stepup-policy-7f1c-4e2a-9b3d-0c5e6a1b2c3d\",\n \"type\": \"https://trusttasks.org/spec/auth/step-up/policy/0.1\",\n \"issuer\": \"did:web:admin.acme.example\",\n \"recipient\": \"did:web:vta.acme.example\",\n \"issuedAt\": \"2026-06-01T09:00:00Z\",\n \"payload\": {\n \"enabled\": true,\n \"floors\": [\n { \"operation\": \"*\", \"mode\": \"self\" },\n { \"operation\": \"acl/grant\", \"mode\": \"delegated\" },\n { \"operation\": \"acl/change-role\", \"mode\": \"delegated\" },\n { \"operation\": \"acl/revoke\", \"mode\": \"delegated\" },\n { \"operation\": \"context/delete\", \"mode\": \"delegated\" },\n { \"operation\": \"key/revoke\", \"mode\": \"delegated\" },\n { \"operation\": \"acl/swap-key\", \"mode\": \"self\", \"allowAal1IfNonEscalating\": true }\n ]\n },\n \"proof\": {\n \"type\": \"DataIntegrityProof\",\n \"cryptosuite\": \"eddsa-jcs-2022\",\n \"verificationMethod\": \"did:web:admin.acme.example#key-1\",\n \"created\": \"2026-06-01T09:00:00Z\",\n \"proofPurpose\": \"assertionMethod\",\n \"proofValue\": \"z3kg…\"\n }\n}\n";
let doc: crate::TrustTask<super::Payload> =
serde_json::from_str(JSON).expect("deserialize request example");
let rendered = serde_json::to_value(&doc).expect("re-serialize");
let expected: serde_json::Value = serde_json::from_str(JSON).expect("re-parse expected");
assert_eq!(rendered, expected, "request example failed round-trip");
}
#[test]
fn request_example_2() {
const JSON: &str = "{\n \"id\": \"stepup-policy-1a2b-3c4d-5e6f-7a8b9c0d1e2f\",\n \"type\": \"https://trusttasks.org/spec/auth/step-up/policy/0.1\",\n \"issuer\": \"did:web:admin.acme.example\",\n \"recipient\": \"did:web:vta.acme.example\",\n \"issuedAt\": \"2026-06-01T09:05:00Z\",\n \"payload\": { \"enabled\": false, \"floors\": [] },\n \"proof\": {\n \"type\": \"DataIntegrityProof\",\n \"cryptosuite\": \"eddsa-jcs-2022\",\n \"verificationMethod\": \"did:web:admin.acme.example#key-1\",\n \"created\": \"2026-06-01T09:00:00Z\",\n \"proofPurpose\": \"assertionMethod\",\n \"proofValue\": \"z3kg…\"\n }\n}\n";
let doc: crate::TrustTask<super::Payload> =
serde_json::from_str(JSON).expect("deserialize request example");
let rendered = serde_json::to_value(&doc).expect("re-serialize");
let expected: serde_json::Value = serde_json::from_str(JSON).expect("re-parse expected");
assert_eq!(rendered, expected, "request example failed round-trip");
}
#[test]
fn response_example_1() {
const JSON: &str = "{\n \"id\": \"stepup-policy-resp-9c0d-1e2f-3a4b-5c6d7e8f9a0b\",\n \"type\": \"https://trusttasks.org/spec/auth/step-up/policy/0.1#response\",\n \"threadId\": \"stepup-policy-7f1c-4e2a-9b3d-0c5e6a1b2c3d\",\n \"issuer\": \"did:web:vta.acme.example\",\n \"recipient\": \"did:web:admin.acme.example\",\n \"issuedAt\": \"2026-06-01T09:00:01Z\",\n \"payload\": {\n \"enabled\": true,\n \"floors\": [\n { \"operation\": \"*\", \"mode\": \"self\", \"allowAal1IfNonEscalating\": false },\n { \"operation\": \"acl/grant\", \"mode\": \"delegated\", \"allowAal1IfNonEscalating\": false },\n { \"operation\": \"acl/change-role\", \"mode\": \"delegated\", \"allowAal1IfNonEscalating\": false },\n { \"operation\": \"acl/revoke\", \"mode\": \"delegated\", \"allowAal1IfNonEscalating\": false },\n { \"operation\": \"context/delete\", \"mode\": \"delegated\", \"allowAal1IfNonEscalating\": false },\n { \"operation\": \"key/revoke\", \"mode\": \"delegated\", \"allowAal1IfNonEscalating\": false },\n { \"operation\": \"acl/swap-key\", \"mode\": \"self\", \"allowAal1IfNonEscalating\": true }\n ]\n }\n}\n";
let doc: crate::TrustTask<super::Response> =
serde_json::from_str(JSON).expect("deserialize response example");
let rendered = serde_json::to_value(&doc).expect("re-serialize");
let expected: serde_json::Value = serde_json::from_str(JSON).expect("re-parse expected");
assert_eq!(rendered, expected, "response example failed round-trip");
}
}