Refactor middleware

Author: ScriptSmith

src/middleware/admin.rs src/middleware/layers/admin.rssrc/middleware/admin.rs renamed to src/middleware/layers/admin.rs

@@ -24,10 +24,10 @@ use axum::{
 use tower_cookies::Cookies;
 use uuid::Uuid;
 
-use super::{ClientInfo, RequestId};
 use crate::{
     AppState,
     auth::{AuthError, AuthenticatedRequest, Identity, IdentityKind},
+    middleware::{ClientInfo, RequestId},
     observability::metrics,
     services::audit_logs::{AuthEventParams, auth_events},
 };
@@ -647,7 +647,7 @@ async fn try_api_key_admin_auth(
     headers: &axum::http::HeaderMap,
     state: &AppState,
 ) -> Result<Option<Identity>, AuthError> {
-    let api_key_auth = match super::combined::try_api_key_auth(headers, state).await? {
+    let api_key_auth = match super::api::try_api_key_auth(headers, state).await? {
         Some(auth) => auth,
         None => return Ok(None),
     };

src/middleware/combined.rs src/middleware/layers/api.rssrc/middleware/combined.rs renamed to src/middleware/layers/api.rs

@@ -8,20 +8,22 @@ use axum::{
 use chrono::Utc;
 
 use super::{
-    RequestId,
-    budget::{BudgetCheckResult, BudgetError, adjust_budget_reservation},
     rate_limit::{
         RateLimitError, TokenRateLimitCheckResult, TokenRateLimitResult, TokenReservation,
         add_rate_limit_headers, add_token_rate_limit_headers, adjust_token_reservation,
     },
-    scope::required_scope_for_path,
-    usage::{UsageTracker, extract_full_usage_from_response, tracker_from_headers},
+    request_id::RequestId,
 };
 use crate::{
     AppState,
     auth::{ApiKeyAuth, AuthError, AuthenticatedRequest, Identity, IdentityKind},
     cache::{BudgetCheckParams, Cache, CacheKeys, RateLimitCheckParams, RateLimitResult},
     events::{BudgetType, ServerEvent},
+    middleware::util::{
+        budget::{BudgetCheckResult, BudgetError, adjust_budget_reservation},
+        scope::required_scope_for_path,
+        usage::{UsageTracker, extract_full_usage_from_response, tracker_from_headers},
+    },
     models::{AuditActorType, BudgetPeriod, CreateAuditLog, has_valid_prefix, hash_api_key},
     observability::metrics,
 };
@@ -584,7 +586,7 @@ pub async fn api_middleware(
         .map(|ci| ci.0.ip());
 
     // Insert client info for audit logging
-    let client_info = super::ClientInfo {
+    let client_info = crate::middleware::ClientInfo {
         ip_address: connecting_ip.map(|ip| ip.to_string()),
         user_agent: headers
             .get(axum::http::header::USER_AGENT)

src/middleware/authz.rs src/middleware/layers/authz.rssrc/middleware/authz.rs renamed to src/middleware/layers/authz.rs

@@ -596,7 +596,8 @@ pub async fn permissive_authz_middleware(
     };
 
     // Insert ClientInfo for unprotected routes (no admin middleware to extract it).
-    req.extensions_mut().insert(super::ClientInfo::default());
+    req.extensions_mut()
+        .insert(crate::middleware::ClientInfo::default());
 
     // Insert a default AdminAuth with system identity for unprotected routes.
     // This allows handlers to extract AdminAuth for audit logging purposes.

src/middleware/layers/mod.rs

@@ -0,0 +1,6 @@
+pub mod admin;
+pub mod api;
+pub mod authz;
+pub mod rate_limit;
+pub mod request_id;
+pub mod security_headers;

src/middleware/rate_limit.rs src/middleware/layers/rate_limit.rssrc/middleware/rate_limit.rs renamed to src/middleware/layers/rate_limit.rs

@@ -21,30 +21,23 @@
 //! ## Unprotected admin routes (login, session info)
 //! - [`permissive_authz_middleware`] — Injects allow-all authz context
 
-// ── Middleware layers ──────────────────────────────────────────────────────────
-mod admin;
-mod authz;
-mod combined;
-mod rate_limit;
-mod request_id;
-mod security_headers;
+// ── True middleware (Axum middleware layers) ────────────────────────────────────
+mod layers;
 
-// ── Internal helpers (used only by combined.rs) ────────────────────────────────
-mod budget;
-mod scope;
-mod usage;
+// ── Internal utilities (budget, scope, usage helpers for combined middleware) ──
+pub(crate) mod util;
 
 // ── Middleware layer exports ───────────────────────────────────────────────────
-pub use admin::{AdminAuth, admin_auth_middleware};
-pub use authz::{
-    AuthzContext, api_authz_middleware, authz_middleware, permissive_authz_middleware,
-};
-pub use combined::api_middleware;
 #[cfg(feature = "sso")]
-pub use rate_limit::extract_client_ip_from_parts;
-pub use rate_limit::rate_limit_middleware;
-pub use request_id::{RequestId, request_id_middleware};
-pub use security_headers::security_headers_middleware;
+pub use layers::rate_limit::extract_client_ip_from_parts;
+pub use layers::{
+    admin::{AdminAuth, admin_auth_middleware},
+    api::api_middleware,
+    authz::{AuthzContext, api_authz_middleware, authz_middleware, permissive_authz_middleware},
+    rate_limit::rate_limit_middleware,
+    request_id::{RequestId, request_id_middleware},
+    security_headers::security_headers_middleware,
+};
 
 // ── Types extracted by middleware (used by route handlers via Extension<T>) ────
 

src/middleware/request_id.rs src/middleware/layers/request_id.rssrc/middleware/request_id.rs renamed to src/middleware/layers/request_id.rs

@@ -0,0 +1,3 @@
+pub mod budget;
+pub mod scope;
+pub mod usage;