nythos-core v0.1.0

@Emagjby Emagjby released this 28 Apr 18:36
· 23 commits to main since this release
02ae2d9

Summary

nythos-core v0.1.0 is the first public release of the Nythos core authentication and authorization library.

This release establishes the infrastructure-free Rust core for Nythos, including domain primitives, identity models, auth/session/RBAC concepts, core orchestration services, and pure trait contracts for outer infrastructure layers.

Highlights

  • Published nythos-core as a public Rust crate.
  • Added a strict core-only architecture with no HTTP, database, cache, queue, provider, or deployment-specific code.
  • Introduced typed ID newtypes over Uuid:
    • UserId
    • TenantId
    • SessionId
    • RoleId
  • Added validated domain value objects:
    • Email
    • Password
  • Added identity models:
    • User
    • UserStatus
    • Tenant
    • TenantSettings
  • Added auth/token models:
    • PasswordHash
    • AccessToken
    • Claims
    • TokenPurpose
  • Added session and refresh-token models:
    • Session
    • RefreshToken
  • Added tenant-scoped RBAC models:
    • Permission
    • Role
    • RoleAssignment
    • RoleRegistry
  • Added core auth orchestration services:
    • RegisterService
    • LoginService
    • RefreshService
    • RevokeSessionService
    • RevokeAllSessionsService
  • Added pure infrastructure boundary ports:
    • UserRepository
    • RoleRepository
    • SessionStore
    • PasswordHasher
    • TokenSigner
    • RevocationChecker
  • Added mandatory refresh-token rotation semantics.
  • Added tenant-scoped RBAC rules with no global admin concept in core.
  • Added a crate-wide AuthError and NythosResult.
  • Added reference documentation under docs/.
  • Added ADRs for core boundaries, single-crate start, tenant-scoped RBAC, and refresh-token rotation.
  • Added integration-style tests using in-memory fakes for repository, session, token, password, and revocation ports.

Architecture

nythos-core is intentionally infrastructure-free.

The crate owns:

  • domain types and invariants
  • auth, session, and RBAC business rules
  • orchestration logic for register, login, refresh, and revocation flows
  • trait contracts for storage, signing, hashing, role lookup, and revocation checking

The crate does not own:

  • HTTP handlers or status-code mapping
  • database drivers, ORM models, SQL, or migrations
  • Redis/cache adapters
  • queues or event buses
  • email/SMS/OAuth provider integrations
  • concrete password hashing or token signing implementations
  • product-specific gateway behavior

Outer layers are expected to implement the provided ports.

Core Flows

Register

Registration validates email/password input, checks tenant-scoped duplicate users, hashes the password through PasswordHasher, creates the user through UserRepository, and can optionally issue session auth material.

Login

Login validates credentials, loads user credentials within a tenant, checks account status, verifies the password, loads tenant-scoped roles, creates a session, signs access claims, and returns auth material.

Refresh

Refresh resolves an opaque refresh token through SessionStore, rejects missing/revoked/expired sessions, reloads tenant-scoped roles, signs fresh access claims, and rotates the refresh token.

Revoke Session

Single-session revocation checks current revocation state and revokes the session through SessionStore.

Revoke All Sessions

Revoke-all invalidates all sessions for a user within a tenant boundary.

Known Design Notes

  • Claims currently include subject, tenant, token purpose, issued-at, and expiry timestamps.
  • Claims do not currently include SessionId.
  • Because RevocationChecker operates on SessionId, request-time revocation cannot be driven from verified Claims alone yet.
  • This gap is documented and intentionally deferred past v0.1.0.
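
The gap described in these notes, as an added Rust sketch that is not nythos-core code: a request-time check that sees only verified claims can enforce expiry but cannot consult a revocation port keyed by SessionId. All type shapes and function names below are assumptions, integers stand in for the Uuid newtypes, token purpose is omitted, and the `sid` argument is a hypothetical way of supplying the session id.

```rust
// Added illustration: every type here is a stand-in, not the nythos-core API.
use std::collections::HashSet;

#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub struct SessionId(pub u128); // stand-in for the crate's Uuid newtype

/// Subset of the claim fields listed in the release notes; no session id.
pub struct Claims { pub sub: u128, pub tenant: u128, pub iat: u64, pub exp: u64 }

/// Assumed shape of the revocation port: lookups are keyed by SessionId.
pub trait RevocationChecker { fn is_revoked(&self, id: SessionId) -> bool; }

pub struct InMemoryRevocations(pub HashSet<SessionId>);
impl RevocationChecker for InMemoryRevocations {
    fn is_revoked(&self, id: SessionId) -> bool { self.0.contains(&id) }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Decision { Allow, Expired, Revoked }

/// Claims-only check: there is no SessionId to look up, so only expiry applies.
pub fn authorize_claims_only(c: &Claims, now: u64) -> Decision {
    if now >= c.exp { Decision::Expired } else { Decision::Allow }
}

/// Same check once a session id is available (hypothetical `sid` argument).
pub fn authorize_with_session(
    c: &Claims, sid: SessionId, rc: &dyn RevocationChecker, now: u64,
) -> Decision {
    if now >= c.exp { return Decision::Expired; }
    if rc.is_revoked(sid) { Decision::Revoked } else { Decision::Allow }
}

/// Seconds an already-issued access token keeps passing the claims-only check
/// after its session is revoked at `revoked_at`.
pub fn residual_window(c: &Claims, revoked_at: u64) -> u64 {
    c.exp.saturating_sub(revoked_at)
}

fn main() {
    let sid = SessionId(7);
    let claims = Claims { sub: 1, tenant: 2, iat: 1_000, exp: 1_900 }; // constructed sample
    let revoked = InMemoryRevocations(HashSet::from([sid]));
    println!("claims only:  {:?}", authorize_claims_only(&claims, 1_200));
    println!("with session: {:?}", authorize_with_session(&claims, sid, &revoked, 1_200));
    println!("residual window: {}s", residual_window(&claims, 1_200));
}
```

In the claims-only path the access-token lifetime is the upper bound on how long a revoked session's token is still accepted.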

Install

[dependencies]
nythos-core = "0.1.0"