
systemprompt_security/
error.rs

1//! Error types raised by the security infrastructure.
2//!
3//! Public APIs in this crate return `thiserror`-derived error enums:
4//!
5//! - [`AuthError`] — request validation, JWT decoding, claim extraction.
6//! - [`JwtError`] — JWT minting (admin tokens, session tokens).
7//! - [`ManifestSigningError`] — Ed25519 signing of bridge manifests.
8//!
9//! All three implement `std::error::Error` and can be composed into larger
10//! `thiserror` enums via `#[from]`.
12use thiserror::Error;
/// Failures raised while validating an incoming request: a missing
/// authorization header, a JWT that does not decode, or claims that are
/// absent or inconsistent with the request.
///
/// The `Display` text of several variants embeds detail: the decoder's own
/// error message, and plugin identifiers taken from the token and the request.
/// NOTE(review): how callers surface these is not visible in this file. The
/// intended use is presumably server-side logging, with a uniform rejection
/// returned to the client so the response does not reveal which check failed.
/// Confirm at the call sites.
#[derive(Debug, Error)]
pub enum AuthError {
    /// The request carried no authorization header.
    #[error("missing authorization header")]
    MissingAuthorization,

    /// The token was rejected by `jsonwebtoken`.
    ///
    /// The wrapped error is exposed both through `Display` (`{0}`) and through
    /// `Error::source()`, so a reporter that walks the source chain prints the
    /// cause twice. The wrapped text also names the precise reason for the
    /// rejection, which belongs in logs rather than in client responses.
    #[error("invalid JWT token: {0}")]
    InvalidToken(#[source] jsonwebtoken::errors::Error),

    /// The token has no `session_id`.
    #[error("missing session_id in token")]
    MissingSessionId,

    /// A hook token's audience is absent or is not `hook`.
    #[error("hook token: missing or non-`hook` audience")]
    HookAudienceMissing,

    /// A hook token lacks the named scope.
    ///
    /// The payload is a `&'static str`, so it names the scope the server
    /// required rather than echoing a value from the request.
    #[error("hook token: required scope `{0}` not present")]
    HookScopeMissing(&'static str),

    /// A hook token has no `plugin_id` claim.
    #[error("hook token: missing `plugin_id` claim")]
    HookPluginIdMissing,

    /// The `plugin_id` claim disagrees with the `plugin_id` of the request.
    ///
    /// Per the message, `actual` is the value found in the claim and
    /// `expected` is the value from the request. Both strings are written
    /// into the `Display` output verbatim.
    /// NOTE(review): if either value can carry caller-chosen characters
    /// (newlines, control bytes), escape or validate it before it reaches a
    /// line-oriented log. Confirm what the call site guarantees.
    #[error(
        "hook token: plugin_id `{actual}` in claim does not match request plugin_id `{expected}`"
    )]
    HookPluginIdMismatch {
        expected: String,
        actual: String,
    },
}
/// Failures raised while minting a JWT.
#[derive(Debug, Error)]
pub enum JwtError {
    /// `jsonwebtoken` could not encode the token.
    ///
    /// `#[from]` generates `From<jsonwebtoken::errors::Error>`, so `?` converts
    /// the library error automatically, and it also registers the wrapped
    /// error as `Error::source()`. Because the message interpolates `{0}` as
    /// well, a reporter that walks the source chain prints the cause twice.
    #[error("jwt encoding failed: {0}")]
    Encoding(#[from] jsonwebtoken::errors::Error),
}
/// Failures raised while signing a manifest.
///
/// Two variants carry a free-form `String` instead of a typed source error,
/// so the original error type is erased and only its text survives.
#[derive(Debug, Error)]
pub enum ManifestSigningError {
    /// The signing seed could not be obtained; the payload describes why.
    ///
    /// NOTE(review): the payload is printed by `Display` and will reach logs.
    /// It should describe the failure (for example a missing file or a
    /// permission error) and must never contain seed bytes or other key
    /// material. Confirm where this variant is constructed.
    #[error("manifest signing seed unavailable: {0}")]
    SeedUnavailable(String),

    /// Canonicalizing the manifest failed; the payload is the failure text.
    #[error("jcs canonicalize: {0}")]
    Canonicalize(String),

    /// No signing key was present after initialization.
    ///
    /// NOTE(review): the message suggests a broken internal invariant, not
    /// bad input. Presumably the caller must fail the signing operation and
    /// not emit an unsigned manifest. Confirm at the call site.
    #[error("signing key missing after initialization")]
    KeyMissing,
}
/// `Result` alias whose error type is [`AuthError`].
pub type AuthResult<T> = std::result::Result<T, AuthError>;

/// `Result` alias whose error type is [`JwtError`].
pub type JwtResult<T> = std::result::Result<T, JwtError>;

/// `Result` alias whose error type is [`ManifestSigningError`].
pub type ManifestSigningResult<T> = std::result::Result<T, ManifestSigningError>;