Module auth 

Authentication primitives — relocated to plexus-auth-core.

Per AUTHZ-CORE-CRATE-1, the canonical home for the Plexus auth sealed types is now the plexus-auth-core crate. plexus-core re-exports them here so existing call sites keep compiling during the deprecation window. New code should import directly from plexus_auth_core.

See plans/AUTHZ/AUTHZ-CORE-CRATE-1.md and AUTHZ-0 for rationale.

Structs

Anonymous

Anonymous: drop the entire AuthContext.

AuthContext

Per-connection authentication context, populated during WS upgrade.

CallSite

Identifies a single edge in the call graph at the moment a policy runs.

ForwardDerivation

What a policy returns: a derivation request, NOT a constructed context.

ForwardPolicyName

Stable identifier for a forwarding policy, surfaced into audit records and diagnostics.

IdentityOnly

Identity-only: forwards the caller’s IdP-verified user identity and drops roles, capabilities, and metadata.

MethodPath

A dotted method path like auth.login or cone.send_message.

PassThrough

Pass-through: forward every field of the caller’s context.

ServiceIdentity

Service-identity claim, paired with Principal::Service to identify a non-user authenticated actor (e.g., another Plexus deployment).

VerifiedUser

Sealed proof that an IdP-signed token was verified.

Enums

MethodPathError

Why a MethodPath::try_new rejected its input.

Principal

An authenticated actor: a user, a service, or anonymous.

Constants

ANONYMOUS_NAME

The anonymous policy name (stable string surfaced in audit).

IDENTITY_ONLY_NAME

The identity_only policy name (stable string surfaced in audit).

PASS_THROUGH_NAME

The pass_through policy name (stable string surfaced in audit).

Traits

ForwardPolicy

The forwarding-policy trait.

SessionValidator

Backends implement this trait to validate cookies/tokens during WS upgrade.