
tf_types/generated/
bridges_registry.rs

1// GENERATED by `tf-schema codegen --target rust` — DO NOT EDIT BY HAND.
2
3#![allow(unused_imports, non_camel_case_types, non_snake_case, clippy::all)]
4
5use serde::{Deserialize, Serialize};
6use super::*;
7
/// One entry of the per-deployment bridges registry: an issuer matcher together with the
/// bridge module, trust attributes and capability mapping applied to credentials that match it.
///
/// Every field except `kind` is optional: it is left out of serialized output when `None`, and
/// a key that is missing on input deserializes to `None`.
// NOTE(review): the struct has no `#[serde(deny_unknown_fields)]`, so serde by itself ignores
// keys it does not recognise. A misspelled `trust_level` or `issuer_match` would then be dropped
// silently unless the schema validation done at load time rejects it — confirm that it does.
// The file is generated, so a lasting change belongs in the schema the generator reads.
// NOTE(review): `issuer_match` and `iss_pattern` are both optional here. What the resolver does
// with an entry that sets neither, or both, is not visible in this file — confirm that an entry
// without a matcher cannot behave as a catch-all.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct BridgeEntry {
    /// Which TrustForge bridge module handles this credential format.
    pub kind: BridgeEntry_Kind,
    /// Exact match against the credential's `iss` claim (OAuth/JWT) or trust-domain authority.
    /// Use `iss_pattern` for prefix/suffix matching.
    // NOTE(review): `iss_pattern` is documented below as a substring match, not a prefix/suffix
    // match; one of the two descriptions is imprecise — confirm against the resolver.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub issuer_match: Option<String>,
    /// Substring match against the credential's `iss` claim. `clerk.dev` matches both
    /// `https://api.clerk.dev/...` and `clerk.dev`.
    ///
    /// As described, the match is not anchored to the issuer's host, so any `iss` value that
    /// merely contains the pattern matches as well (constructed example:
    /// `https://clerk.dev.example.net/`). Keep patterns as specific as possible and prefer
    /// `issuer_match` for entries that grant a raised `trust_level` or a wide `capability_map`.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub iss_pattern: Option<String>,
    /// Trust domain the resolved actor belongs to.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub trust_domain: Option<TrustDomain>,
    /// Initial TrustForge trust level assigned to actors resolved through this bridge entry.
    ///
    /// The level is tied to the entry, so a loose matcher widens the set of issuers that
    /// receive it; review this field together with `issuer_match` / `iss_pattern`.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub trust_level: Option<TrustLevel>,
    /// Mapping from the credential's native scope/permission to a TrustForge action name.
    /// Keys are the native scope (e.g. OAuth `email`); values are TrustForge action names
    /// matching the dotted ActionName pattern.
    ///
    /// Both sides are plain `String`s in this type, so the ActionName pattern is not enforced
    /// here; it has to be checked where the registry is validated.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub capability_map: Option<std::collections::BTreeMap<String, String>>,
    /// Per-entry conformance profile override.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub profile: Option<String>,
}
31
/// Which TrustForge bridge module handles this credential format.
///
/// Each variant is serialized under the lowercase / kebab-case name given in its
/// `#[serde(rename = ...)]` attribute (for example `NextAuth` is written as `next-auth`).
/// The enum has no `#[serde(other)]` fallback variant, so a `kind` string outside this list
/// fails deserialization instead of being mapped to a default bridge.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum BridgeEntry_Kind {
    #[serde(rename = "oauth")]
    Oauth,
    #[serde(rename = "clerk")]
    Clerk,
    #[serde(rename = "next-auth")]
    NextAuth,
    #[serde(rename = "better-auth")]
    BetterAuth,
    #[serde(rename = "webauthn")]
    Webauthn,
    #[serde(rename = "tls")]
    Tls,
    #[serde(rename = "spiffe")]
    Spiffe,
    #[serde(rename = "did")]
    Did,
    #[serde(rename = "gnap")]
    Gnap,
    #[serde(rename = "mcp")]
    Mcp,
    #[serde(rename = "matrix")]
    Matrix,
    #[serde(rename = "webhook")]
    Webhook,
    #[serde(rename = "grpc")]
    Grpc,
    #[serde(rename = "service-mesh")]
    ServiceMesh,
    #[serde(rename = "a2a")]
    A2a,
    #[serde(rename = "session-cookie")]
    SessionCookie,
    #[serde(rename = "aws")]
    Aws,
    #[serde(rename = "gcp")]
    Gcp,
    #[serde(rename = "azure")]
    Azure,
    #[serde(rename = "vault")]
    Vault,
    #[serde(rename = "doppler")]
    Doppler,
}
78
/// Per-deployment registry that overrides the default credential-resolver mapping.
///
/// The daemon reads `.tf/bridges.yaml` once at startup, validates against this schema, and uses
/// `resolveByIssuer` to map an incoming credential's issuer / iss claim / SPIFFE trust domain
/// to a TrustForge bridge entry. When no entry matches, the resolver falls back to the built-in
/// defaults declared in `tools/tf-daemon/src/credential-resolver.ts` (B2).
///
/// `registry_version` and `bridges` are required keys (neither carries `#[serde(default)]`);
/// `default_profile` is optional.
// NOTE(review): the file is described as read once at startup, so edits made afterwards are
// presumably not applied until the daemon restarts — confirm, since that decides how quickly a
// removed or tightened entry takes effect.
// NOTE(review): an empty `bridges` list is a valid value of this type; by the description
// above every credential then resolves through the built-in defaults.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct BridgesRegistry {
    /// Version of the bridges-registry schema itself.
    pub registry_version: BridgesRegistry_RegistryVersion,
    /// Optional conformance profile name applied when an entry omits its own. Purely
    /// informational at this layer; the FeatureGate is the authoritative gate.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub default_profile: Option<String>,
    /// Per-issuer bridge entries. The first entry whose `issuer_match` / `iss_pattern` matches
    /// an incoming credential wins.
    ///
    /// Order is therefore significant: an entry with a broad `iss_pattern` placed ahead of a
    /// more specific entry takes the match, and the `trust_level` and `capability_map` of the
    /// earlier entry are the ones applied. List exact `issuer_match` entries before pattern
    /// entries.
    pub bridges: Vec<BridgeEntry>,
}
90
/// Version of the bridges-registry schema itself.
///
/// `V1`, serialized under the name `"1"`, is the only variant, so a registry that declares any
/// other version name fails deserialization rather than being partly interpreted.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum BridgesRegistry_RegistryVersion {
    #[serde(rename = "1")]
    V1,
}