Expand description
Capability advertisement primitives — what a backend tells a client about
its authentication surface, served at _info.
Per AUTHZ-S01-output §2: a backend extends its _info response with an
optional auth_capabilities field carrying a BackendAuthCapabilities.
Clients (synapse CLI, gamma, generated SDKs, agents) read it to decide
which authentication flow to drive.
These types are not sealed — the cryptographic anchor is AuthContext /
VerifiedUser in this same crate. Capability-advertisement types carry
contract metadata; they belong here with the auth primitives so the
dependency graph and the orphan-rule defense extend uniformly per AUTHZ-0
§“Crate-level isolation amplifies the seal”.
Each newtype follows the strong-typing skill: Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize; #[serde(transparent)] for single-field
wrappers; validation at the wire boundary via a try_new constructor;
as_str() accessor; Display for tracing.
Structs§
- Backend
Auth Capabilities - What the backend advertises at
_info’sauth_capabilitiesfield. - Client
Id - OIDC
client_idopaque identifier. - Cookie
Name - A cookie name (e.g.
"plexus_session"). RFC 6265 token-set validation. - Header
Name - An HTTP header name (e.g.
"Authorization"). - Issuer
Url - An OIDC-style issuer URL.
- Method
Path - A dotted method path like
auth.loginorcone.send_message.
Enums§
- Auth
Mechanism - Tagged union of supported auth mechanisms a backend advertises.
- Backend
Auth Capabilities Error - Why a
BackendAuthCapabilities::newrejected its input. - Client
IdError - Why a
ClientId::try_newrejected its input. - Cookie
Name Error - Why a
CookieName::try_newrejected its input. - Header
Name Error - Why a
HeaderName::try_newrejected its input. - Issuer
UrlError - Why an
IssuerUrl::try_newrejected its input. - Method
Path Error - Why a
MethodPath::try_newrejected its input.