Skip to main content

hessra_cap_engine/
error.rs

1//! Error types for the capability engine.
2
3use crate::types::{ExposureLabel, ObjectId, Operation};
4use thiserror::Error;
5
6/// Errors from the capability engine.
7#[derive(Error, Debug)]
8pub enum EngineError {
9    /// Capability request denied by policy.
10    #[error("capability denied: {subject} cannot perform '{operation}' on '{target}': {reason}")]
11    CapabilityDenied {
12        subject: ObjectId,
13        target: ObjectId,
14        operation: Operation,
15        reason: String,
16    },
17
18    /// Capability request denied due to exposure restriction.
19    #[error("capability denied by exposure: label '{label}' blocks access to '{target}'")]
20    ExposureRestriction {
21        label: ExposureLabel,
22        target: ObjectId,
23    },
24
25    /// Identity token operation failed.
26    #[error("identity error: {0}")]
27    Identity(String),
28
29    /// Context token operation failed.
30    #[error("context error: {0}")]
31    Context(String),
32
33    /// Token error from underlying token crate.
34    #[error("token error: {0}")]
35    Token(#[from] hessra_token_core::TokenError),
36
37    /// Token creation or verification failed.
38    #[error("token operation failed: {0}")]
39    TokenOperation(String),
40
41    /// Policy backend error.
42    #[error("policy error: {0}")]
43    Policy(String),
44}