Rust rewrite gates

Prototype behavior is not precedent. Only behavior that passes threat modeling, protocol tests, and security review should enter the Rust provider.

Required gates

  1. Email cannot become verified without mailbox proof.
  2. Managed organization membership cannot be created from an unverified email.
  3. Password, OTP, signup, recovery, device, and token endpoints enforce rate limits.
  4. Device approval shows client, domain, scopes, and supports deny.
  5. Signing key lifecycle is separate from raw application database rows.
  6. WebAuthn verifies challenge, origin, RP ID, credential ID, user presence, user verification, and sign count.
  7. TOTP secrets are encrypted and enrolled through server-side pending state.
  8. Organization domains cannot be reassigned by another organization creating a challenge.
  9. UserInfo rejects bearer tokens in query strings.
  10. Production refuses to boot without explicit issuer configuration.
  11. Metadata advertises only implemented features.
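
As an added example (not the project's own code), one way to make gates 1 and 2 hold by construction rather than by a runtime check that can be forgotten: a `VerifiedEmail` type that can only be obtained by confirming a server-side pending verification, and a membership function whose signature refuses anything else. The type and function names are assumptions, and the 32-byte token is a constructed sample.

```rust
/// An address the user typed. Nothing has been proven about it.
#[derive(Clone, Debug, PartialEq)]
pub struct UnverifiedEmail(pub String);

/// An address that passed mailbox proof. The field is private, so code
/// outside this module can only obtain one through `PendingVerification::confirm`.
#[derive(Clone, Debug, PartialEq)]
pub struct VerifiedEmail(String);

impl VerifiedEmail {
    pub fn as_str(&self) -> &str {
        &self.0
    }
}

/// Gate 1: server-side pending state holding the token that was mailed out.
/// Names and layout are assumptions for this example.
pub struct PendingVerification {
    email: UnverifiedEmail,
    token: [u8; 32],
}

impl PendingVerification {
    pub fn new(email: UnverifiedEmail, token: [u8; 32]) -> Self {
        Self { email, token }
    }

    /// Consumes the pending state. Success is the only path to `VerifiedEmail`;
    /// failure hands the still-unverified address back to the caller.
    pub fn confirm(self, presented: &[u8]) -> Result<VerifiedEmail, UnverifiedEmail> {
        if constant_time_eq(&self.token, presented) {
            Ok(VerifiedEmail(self.email.0))
        } else {
            Err(self.email)
        }
    }
}

/// Compares the full token without early exit on the first mismatching byte,
/// so response time does not reveal how long a correct prefix was.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Gate 2: membership takes `VerifiedEmail` only. Passing an `UnverifiedEmail`
/// is a compile error, not a code path that review has to find.
#[derive(Default)]
pub struct Organization {
    members: Vec<String>,
}

impl Organization {
    pub fn add_member(&mut self, email: VerifiedEmail) {
        self.members.push(email.as_str().to_string());
    }

    pub fn members(&self) -> &[String] {
        &self.members
    }
}
```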

Release bar

The Rust provider is releasable only when the contract is narrow, tested, and honest. A smaller correct provider is better than a broad IAM clone with hidden edge cases.