Skip to main content

hessra_cap_engine/
error.rs

1//! Error types for the capability engine.
2
3use crate::types::{ObjectId, Operation, TaintLabel};
4use thiserror::Error;
5
6/// Errors from the capability engine.
7#[derive(Error, Debug)]
8pub enum EngineError {
9    /// Capability request denied by policy.
10    #[error("capability denied: {subject} cannot perform '{operation}' on '{target}': {reason}")]
11    CapabilityDenied {
12        subject: ObjectId,
13        target: ObjectId,
14        operation: Operation,
15        reason: String,
16    },
17
18    /// Capability request denied due to taint restriction.
19    #[error("capability denied by taint: label '{label}' blocks access to '{target}'")]
20    TaintRestriction { label: TaintLabel, target: ObjectId },
21
22    /// Identity token operation failed.
23    #[error("identity error: {0}")]
24    Identity(String),
25
26    /// Context token operation failed.
27    #[error("context error: {0}")]
28    Context(String),
29
30    /// Token error from underlying token crate.
31    #[error("token error: {0}")]
32    Token(#[from] hessra_token_core::TokenError),
33
34    /// Token creation or verification failed.
35    #[error("token operation failed: {0}")]
36    TokenOperation(String),
37
38    /// Policy backend error.
39    #[error("policy error: {0}")]
40    Policy(String),
41}