Module session


Signed-cookie session primitives — HMAC-SHA256 key wrapper + sign(secret, msg) helper. Shared by every layer that ships a signed cookie (tenancy::session, admin::session) so the crypto lives in one place. See session::SessionSecret.

Compiled when either the admin or tenancy feature is on — both bring in the underlying HMAC + base64 crates as transitive deps. Bare-ORM builds (default-features = false without admin / tenancy) skip the module entirely.

Signed-cookie session primitives — HMAC-SHA256 key wrapper, sign, and verify helpers shared across the framework.

This module deliberately holds only the crypto primitive + key management, never payload shape. Layers above (tenancy::session for operator/tenant cookies, admin::session for the bare-admin session cookie, …) define their own payload structs and call into sign to produce the MAC. That way two layers can share one signing key safely — they just need distinct cookie names + payload shapes so neither layer accidentally decodes the other’s cookie.

Lives at the crate root (not under any feature flag) so the bare admin module can use the same primitives even when the tenancy feature is off — closes the duplication concern raised in #253.

Structs

SessionSecret
Server-held signing key. Wraps Vec<u8> so callers can’t accidentally print it. Clone is opt-in so the same secret can be shared across layers that use distinct cookie names + payload shapes (e.g. tenancy operator + tenancy tenant + bare admin — three layers, one key, three independent cookies).

Enums

SessionSecretError
Error returned by SessionSecret::try_from_env when the RUSTANGO_SESSION_SECRET env var is set but the value isn’t a valid signing key. Used by production boot paths that prefer to fail loudly over silently downgrading to an ephemeral random key.

Functions

is_prod_tier
true for tier strings that mean “production” (case-insensitive prod / production). Anything else (dev, staging, test, unset) is treated as non-production.
load_session_secret_for_tier
Tier-aware session-secret loader (audit M2).
secure_cookies
Whether the tenancy operator + tenant console cookies should carry the Secure attribute (audit H2/N2). Precedence:
set_secure_cookies
Install the explicit console-cookie Secure policy (first call wins). The manage runner calls this from security.secure_cookies (which defaults to true) when settings are applied, so the standard boot path is fail-closed: cookies are Secure unless an operator explicitly sets security.secure_cookies = false (e.g. in dev_settings.toml for local plain-HTTP development). Returns false if the policy was already set.
sign
HMAC-SHA256(secret, msg), truncated to 32 bytes. The shared MAC primitive every signed-cookie layer in the framework calls into.
tier_from_env
Read the deployment tier from RUSTANGO_ENV, defaulting to "dev" when unset (matches crate::config tier resolution).
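
The fail-loud boot behaviour described for SessionSecretError and the tier-aware loader, together with a wrapper that cannot leak its key through Debug, as an added example (not the crate's own code). `load_for_tier`, `LoadError`, the 32-byte minimum and the `/dev/urandom` ephemeral key are assumptions; the page does not state the crate's key-validity rule or how it treats an invalid value outside production.

```rust
use std::fmt;
use std::io::Read;

/// Stand-in for the crate's SessionSecret: holds the key bytes, redacts Debug.
#[derive(Clone)]
pub struct SessionSecret(Vec<u8>);

impl fmt::Debug for SessionSecret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "SessionSecret(<{} bytes redacted>)", self.0.len())
    }
}

#[derive(Debug, PartialEq)]
pub enum LoadError {
    MissingInProd,   // production tier with no secret configured
    TooShort(usize), // value supplied but below MIN_KEY_LEN
    NoEntropy,       // OS randomness unavailable for the dev key
}

const MIN_KEY_LEN: usize = 32; // assumption: the real validity rule is not on the page

/// Same rule the page gives for is_prod_tier: case-insensitive prod / production.
pub fn is_prod_tier(tier: &str) -> bool {
    tier.eq_ignore_ascii_case("prod") || tier.eq_ignore_ascii_case("production")
}

/// Hypothetical loader; `raw` is the value of the secret env var, if set.
pub fn load_for_tier(tier: &str, raw: Option<&str>) -> Result<SessionSecret, LoadError> {
    match raw {
        // Set-but-invalid fails here on every tier: no silent downgrade.
        Some(v) if v.len() < MIN_KEY_LEN => Err(LoadError::TooShort(v.len())),
        Some(v) => Ok(SessionSecret(v.as_bytes().to_vec())),
        None if is_prod_tier(tier) => Err(LoadError::MissingInProd),
        None => {
            // Non-production only: ephemeral key, sessions are lost on restart.
            let mut key = vec![0u8; MIN_KEY_LEN];
            std::fs::File::open("/dev/urandom")
                .and_then(|mut f| f.read_exact(&mut key))
                .map_err(|_| LoadError::NoEntropy)?;
            Ok(SessionSecret(key))
        }
    }
}

fn main() {
    println!("{:?}", load_for_tier("Production", None));
    println!("{:?}", load_for_tier("dev", None));
}
```
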