pub trait ScopeSet: Sealed {
// Required method
fn names() -> &'static [&'static str];
}Expand description
Sealed trait. Every scope marker (the 6 structs below) implements it;
nothing outside this module can. Bounds verify<S> and Claims<S> so
callers cannot smuggle in Claims<()> and bypass the Has* gating.
── names() (M72) ─────────────────────────────────────────────────────
The full per-scope claim allowlist — every payload key the engine is
permitted to deserialize for this scope. Returned as a &'static
slice so the engine’s M72 check (engine::check_id_token_pii::run)
iterates without allocation. The slice is the COMPLETE allowlist
(registered base claims iss/sub/aud/exp/iat/nonce/azp/
auth_time/acr/amr UNIONED with the scope’s PII fields), so
auditing is single-file: every allowlist lives in this module.
Adding a new claim is a 3-step change (in this order):
- Append the wire name to the appropriate const slice below
(
BASE_CLAIMSfor registered claims,EMAIL_CLAIMS/PROFILE_CLAIMS/PHONE_CLAIMS/ADDRESS_CLAIMSfor PII). - Append the same name to every per-variant
static NAMES_*array that should permit it (the union sets are NOT auto-derived — explicit listing is the audit surface). - Surface the field on
Claims<S>(or extend the deserializer) per the scope-bounded accessor pattern inclaims.rs.
Skipping step 2 leaves verify::<EmailProfile> rejecting a token
that legitimately carries the new claim. The unit test
email_profile_phone_address_is_union_of_components is the
regression guard for accidental drift in the maximal scope.
Required Methods§
Dyn Compatibility§
This trait is not dyn compatible.
In older versions of Rust, dyn compatibility was called "object safety", so this trait is not object safe.