pas_external/token/mod.rs
1//! γ port-and-adapter SDK boundary for bearer-token verification.
2//!
3//! Phase 6.1 — D-04 = γ (locked 2026-05-05). The SDK exposes a
4//! [`BearerVerifier`] trait + [`AuthSession`] result, hiding the
5//! engine ([`ppoppo_token`]), the token format (JWT, RFC 9068),
6//! and the JWKS substrate behind a single async port. External
7//! Developer apps inject `Arc<dyn BearerVerifier>` into their
8//! middleware and never see `jsonwebtoken::*` types.
9//!
10//! Module layout — mirrors [`crate::pas_port`] (the OAuth port +
11//! adapter cluster) for parallel structure:
12//!
13//! - [`port`] — `BearerVerifier`, `AuthSession`, `Expectations`,
14//! `VerifyError` (always compiled when `token` feature is on)
15//! - [`jwt`] — `PasJwtVerifier` production adapter (gated
16//! `well-known-fetch`; depends on `ppoppo-token`)
17//! - [`memory`] — `MemoryBearerVerifier` test-support adapter
18//! (gated `cfg(any(test, feature = "test-support"))`)
19//! - [`keyset`] — `JwksCache` (`pub(crate)` — internal to `jwt.rs`)
20
21pub mod port;
22
23#[cfg(feature = "well-known-fetch")]
24pub mod jwt;
25
26#[cfg(feature = "well-known-fetch")]
27pub(crate) mod keyset;
28
29#[cfg(any(test, feature = "test-support"))]
30pub mod memory;
31
32pub use port::{AuthSession, BearerVerifier, Expectations, VerifyError};
33
34#[cfg(feature = "well-known-fetch")]
35pub use jwt::PasJwtVerifier;
36
37#[cfg(any(test, feature = "test-support"))]
38pub use memory::MemoryBearerVerifier;