pas_external/lib.rs
1#![doc = include_str!("../README.md")]
2
3pub mod audit;
4// Clock port re-export — External Developer consumers can use
5// `pas_external::clock::ArcClock` / `pas_external::clock::FrozenClock`
6// without a separate `ppoppo-clock` dep in their Cargo.toml.
7pub mod clock {
8 pub use ::ppoppo_clock::*;
9}
10// Perimeter Bearer-auth Layer kit — Phase A Slice 4 lifted the kit to
11// `ppoppo_sdk_core::bearer::*`. pas-external 0.11.0 re-exports the
12// kit at `pas_external::bearer::*` (audit decision D — 1-level
13// role-named module, no `oidc::axum::*` nesting) for 3rd-party
14// consumers (RCW/CTW). 1st-party services (chat-auth) import direct
15// from sdk-core (audit decision B). The framework-dep visibility
16// (axum / tower) is signalled by the `axum` feature gate, not by a
17// nested `pas_external::oidc::axum::*` namespace.
18#[cfg(feature = "axum")]
19pub mod bearer {
20 pub use ::ppoppo_sdk_core::bearer::*;
21}
22// `epoch` re-exports the engine `EpochRevocation` port + ships the
23// canonical adapter set (Phase 11.Z, RFC_2026-05-09 §3.5). Gated on
24// `well-known-fetch` because the engine port itself needs `token` and
25// the original `UserinfoFetcher` (deleted in 0.10.0) required the HTTP
26// client (`oauth`) — both implied by the `well-known-fetch` flag.
27// `SharedCacheCache` (0.10.0, RFC_2026-05-08 §4.1) requires the
28// additional `shared-cache` feature for the `ppoppo-infra` adapter dep.
29#[cfg(feature = "well-known-fetch")]
30pub mod epoch;
31pub mod error;
32// `oauth` is two-tiered: the `TokenResponse` wire DTO compiles at the
33// `oauth` tier (consumed by `pas_port` / `session_liveness`), while the
34// `OAuthConfig` + `AuthClient` HTTP adapter is gated inside the module on
35// `well-known-fetch` — the tier of its sole constructor,
36// `oidc::RelyingParty::new`. As of 0.8.0 the module is `pub(crate)`:
37// consumers reach the OIDC RP composition root (`oidc::RelyingParty<S>`)
38// and never the raw OAuth surface. See `oidc::RefreshOutcome` for the
39// boundary type at `RelyingParty::refresh`.
40#[cfg(feature = "oauth")]
41pub(crate) mod oauth;
42#[cfg(feature = "token")]
43pub mod oidc;
44#[cfg(feature = "oauth")]
45pub mod pas_port;
46// `pkce` primitives (`generate_state`, `generate_code_verifier`,
47// `generate_code_challenge`) are SDK plumbing — `oidc::RelyingParty::start`
48// is the sole consumer, so the module is gated on `well-known-fetch`
49// (the RP's tier) rather than the lower `oauth` tier, which would orphan
50// it under the default feature set. `pub(crate)` since 0.8.0.
51#[cfg(feature = "well-known-fetch")]
52pub(crate) mod pkce;
53// `session_liveness` is intentionally ungated at module level — the
54// 0.10.0 `SessionLiveness` port has no AES / OAuth deps and ships
55// regardless of feature configuration so the verifier slot
56// (`PasJwtVerifier::with_session_liveness`) can reference it under
57// just `feature = "well-known-fetch"`. Internal sub-modules
58// (`cipher`, `liveness`) remain gated on `feature = "session-liveness"`
59// for the AES wrapper + PAS refresh-token check.
60pub mod session_liveness;
61pub mod types;
62
63// Test-support helpers. `FakePasServer` is the SDK-owned wiremock-wrapped
64// fake PAS Authorization Server, replacing the 0.7.x
65// `RelyingParty::for_test_with_parts` escape hatch. Consumer integration
66// tests construct a real `RelyingParty::new(...)` against
67// `FakePasServer.issuer_url()` so production and test go through the same
68// public interface.
69#[cfg(feature = "test-support")]
70pub mod test_support;
71
72// Re-exports for convenient access
73pub use audit::{
74 AuditEvent, AuditSink, IdTokenFailureKind, MemoryRateLimiter, NoopAuditSink, RateLimitKey,
75 RateLimitedAuditSink, RateLimiter, VerifyErrorKind, compose_id_token_source_id,
76 compose_source_id,
77};
78#[cfg(any(test, feature = "test-support"))]
79pub use audit::MemoryAuditSink;
80pub use error::{Error, TokenError};
81// 0.10.0 — ungated L2 verifier-slot port (RFC_2026-05-08 §4.2 lock).
82pub use session_liveness::{SessionLiveness, SessionLivenessError};
83#[cfg(feature = "session-liveness")]
84pub use session_liveness::{
85 CipherError, EncryptedRefreshToken, LivenessFailure, LivenessOutcome, RevokeCause,
86 TokenCipher, TransientCause, attempt_liveness_refresh,
87};
88// γ port-and-adapter — Phase 6.1 (D-04 = γ, locked 2026-05-05).
89// Phase A (RFC `RFC_2026-05-08_app-credential-collapse.md`, audit
90// decisions E + G) lifted the cohesive verifier group to
91// `ppoppo_sdk_core::verifier::*`. pas-external re-exports at top level
92// (no `token::` namespace — audit decision E) so consumer code
93// reaches `pas_external::{BearerVerifier, JwtVerifier, ...}`. Renames:
94// `PasJwtVerifier` → `JwtVerifier`; `Expectations` → `VerifyConfig`;
95// `AuthSession` → `VerifiedClaims`. The `crypto-side` `VerifyError`
96// re-exports as `TokenVerifyError` (BREAKING) to make space for the
97// Layer-side `VerifyError` from `pas_external::bearer::*` (Slice 4
98// migration). Phase A 0.11.0 ships clean — no transitional alias.
99#[cfg(feature = "token")]
100pub use ::ppoppo_sdk_core::verifier::{
101 BearerVerifier, VerifiedClaims, VerifyConfig, VerifyError as TokenVerifyError,
102};
103#[cfg(feature = "well-known-fetch")]
104pub use ::ppoppo_sdk_core::verifier::{JwksCache, JwtVerifier};
105#[cfg(all(feature = "token", any(test, feature = "test-support")))]
106pub use ::ppoppo_sdk_core::verifier::MemoryBearerVerifier;
107// OIDC RP surface — composition root + post-verify shapes + ports.
108// `RelyingParty<S>` is the consumer-facing entry point; `RefreshOutcome`
109// is the typed boundary return for `RelyingParty::refresh` (replaces
110// the 0.7.x `oauth::TokenResponse` re-export).
111#[cfg(feature = "token")]
112pub use oidc::{Address, IdAssertion, IdTokenVerifier, IdVerifyError, Nonce, ScopePiiReader};
113#[cfg(all(feature = "token", any(test, feature = "test-support")))]
114pub use oidc::MemoryIdTokenVerifier;
115pub use types::{KeyId, Ppnum, PpnumId, SessionId, UserId};
116// `Url` is consumer-facing via `Config::new(client_id, redirect_uri: Url, ...)`
117// and `Discovery::for_test`. Re-exported so consumers reach the same `url`
118// crate version the SDK uses without separately tracking it in their
119// Cargo.toml.
120#[cfg(feature = "oauth")]
121pub use url::Url;