@callback get_deployment(
  registration :: Ltix.Registration.t(),
  deployment_id :: String.t()
) ::
  {:ok, Ltix.Deployable.t()} | {:error, :not_found}

Look up a deployment by registration and deployment_id.

The deployment_id is case-sensitive and assigned by the platform. The registration parameter is the resolved Ltix.Registration, not the original struct returned by get_registration/2.

Return any struct that implements Ltix.Deployable. The library validates it via the protocol and preserves your original struct in the Ltix.LaunchContext.

@callback get_registration(issuer :: String.t(), client_id :: String.t() | nil) ::
  {:ok, Ltix.Registerable.t()} | {:error, :not_found}

Look up a platform registration by issuer and client_id.

The client_id may be nil when the platform doesn't include it in the login request. Your adapter must handle both cases.

Return any struct that implements Ltix.Registerable. The library extracts the Ltix.Registration it needs via the protocol and preserves your original struct in the Ltix.LaunchContext.

@callback store_nonce(nonce :: String.t(), registration :: Ltix.Registration.t()) :: :ok

Persist a nonce for later verification.

Called during login initiation. The nonce is generated by the library and must be stored so that validate_nonce/2 can verify it was issued by the tool and has not been replayed.

@callback validate_nonce(nonce :: String.t(), registration :: Ltix.Registration.t()) ::
  :ok | {:error, :nonce_already_used | :nonce_not_found}

Verify a nonce from the ID Token and consume it.

The implementation must check two things:

1. The nonce was previously stored by store_nonce/2
2. The nonce has not already been consumed (replay prevention)

After successful validation, mark the nonce as consumed so it cannot be reused.