Expand description
§Aura Authenticate - Layer 5: Feature/Protocol Implementation
Purpose: Authority, threshold, and guardian authentication protocols.
Complete end-to-end authentication protocols using the guard chain pattern.
Provides AuthService for authentication operations with pure guard evaluation
and explicit effect execution.
§Architecture Constraints
Layer 5 depends on aura-core, aura-effects, aura-composition, aura-protocol, aura-mpst, and domain crates.
- MUST build on orchestration layer (aura-protocol)
- MUST compose effects from aura-effects and aura-composition
- MUST implement end-to-end protocol logic
- MUST NOT implement effect handlers (that’s aura-effects)
- MUST NOT implement orchestration primitives (that’s aura-protocol)
- MUST NOT do UI or CLI concerns (that’s Layer 7)
§Core Protocols
- Challenge-Response Authentication: Request → Challenge → Proof → Session
- Session Management: Time-limited capabilities with scope restrictions
- Guardian Authentication: M-of-N guardian approval for recovery operations
- Distributed Key Derivation: Multi-party key generation without revealing shares
§Design Principles
- Guard Chain Pattern: Pure evaluation over
GuardSnapshot→GuardOutcome→EffectCommandexecution - Fact-Based State: All state changes recorded as immutable
AuthFactrecords - View Derivation: State derived from facts via
AuthViewReducer - Capability Verification: Guard-based capability checking before operations
- Authority-Centric: Uses
AuthorityIdas the primary identity type
§Module Organization
guards: Pure guard types (GuardSnapshot,GuardOutcome,EffectCommand,RecoveryContext)facts: Domain fact types (AuthFact,AuthFactReducer,AuthFactDelta)service: MainAuthServicewith guard chain integrationview: View types (AuthView,AuthViewReducer) for deriving state from factsguardian_auth_relational: Relational context-based guardian authenticationdkd: Distributed Key Derivation protocol
See docs/102_authority_and_identity.md for the authority model documentation.
Re-exports§
pub use dkd::create_test_config;pub use dkd::execute_simple_dkd;pub use dkd::DkdConfig;pub use dkd::DkdError;pub use dkd::DkdProtocol;pub use dkd::DkdResult;pub use dkd::DkdSessionId;pub use dkd::KeyDerivationContext;pub use dkd::ParticipantContribution;pub use guards::check_capability;pub use guards::check_flow_budget;pub use guards::costs;pub use guards::evaluate_request;pub use guards::EffectCommand;pub use guards::GuardDecision;pub use guards::GuardOutcome;pub use guards::GuardRequest;pub use guards::GuardSnapshot;pub use guards::RecoveryContext;pub use guards::RecoveryOperationType;pub use facts::AuthFact;pub use facts::AuthFactDelta;pub use facts::AuthFactReducer;pub use facts::AUTH_FACT_TYPE_ID;pub use service::AuthService;pub use service::AuthServiceConfig;pub use service::ChallengeResult;pub use service::GuardianApprovalResult;pub use service::SessionResult;pub use view::AuthView;pub use view::AuthViewReducer;pub use view::ChallengeInfo;pub use view::FailureRecord;pub use view::RecoveryInfo;pub use view::SessionInfo;
Modules§
- capabilities
- Typed capability families owned by the authentication domain.
- dkd
- Distributed Key Derivation (DKD) protocol implementation Distributed Key Derivation Protocol
- dkd_
runners - Re-exports for DkdChoreography runners
- facts
- Domain fact types for authentication state changes Authentication Domain Facts
- guardian_
auth_ relational - Guardian authentication via relational contexts
- guardian_
auth_ runners - Re-exports for GuardianAuthRelational choreography runners
- guards
- Guard types for authentication operations
- service
- Authentication service coordinator
- view
- View delta and reducer for authentication facts
Structs§
- Account
Id - Account identifier for distinguishing different Aura accounts
- Biscuit
Guard Evaluator - Biscuit
Token Manager - Biscuit token manager for an authority.
- Guard
Result - Journal
- Unified Journal structure matching the formal specification
- KeyMaterial
- Key material for identity verification
- Session
Ticket - Session ticket that authorizes operations within a session
- Token
Authority - Token authority for issuing Biscuit tokens.
- Verified
Identity - Verified identity after successful authentication
Enums§
- Aura
Error - Unified error type for all Aura operations
- Authentication
Error - Guard
Error - Identity
Proof - Pure identity proof that proves WHO signed something.
- Resource
Scope - Resource scope for authority-based authorization
- Session
Scope - Scope of operations a session ticket authorizes
Constants§
- OPERATION_
CATEGORIES - Operation category map (A/B/C) for protocol gating and review.
Functions§
- operation_
category - Lookup the operation category (A/B/C) for a given operation.
Type Aliases§
- Aura
Result - Standard Result type for Aura operations
- Authentication
Result