src/pqc_kv_cache/errors.py
| 1 | """Exception hierarchy for pqc-kv-cache-encryption.""" |
| 2 | |
| 3 | from __future__ import annotations |
| 4 | |
| 5 | |
| 6 | class KVCacheError(Exception): |
| 7 | """Base exception for all pqc-kv-cache-encryption errors.""" |
| 8 | |
| 9 | |
| 10 | class TenantIsolationError(KVCacheError): |
| 11 | """Raised when an operation would cross a tenant boundary. |
| 12 | |
| 13 | This includes attempts to encrypt an entry whose metadata tenant_id does |
| 14 | not match the session tenant, or attempts to decrypt another tenant's |
| 15 | EncryptedEntry with the wrong session. |
| 16 | """ |
| 17 | |
| 18 | |
| 19 | class SessionExpiredError(KVCacheError): |
| 20 | """Raised when a TenantSession's TTL has elapsed.""" |
| 21 | |
| 22 | |
| 23 | class DecryptionError(KVCacheError): |
| 24 | """Raised when AES-256-GCM decryption fails (bad tag, tampered AAD, etc.).""" |
| 25 | |
| 26 | |
| 27 | class NonceReplayError(KVCacheError): |
| 28 | """Raised when the same nonce is presented to a decryptor twice.""" |
| 29 | |
| 30 | |
| 31 | class KeyRotationRequiredError(KVCacheError): |
| 32 | """Raised when the rotation policy demands a new key before continuing.""" |
| 33 | |
| 34 | |
| 35 | class UnknownTenantError(KVCacheError): |
| 36 | """Raised when a TenantIsolationManager is asked about an unknown tenant.""" |
| 37 | |