package domain import ( "context" "errors" ) // MFAProvider checks MFA requirements and validates MFA tokens. // KeyCape must NOT implement MFA logic — it delegates entirely to this interface. type MFAProvider interface { // CheckMFARequired returns true if MFA is required for the given user. CheckMFARequired(ctx context.Context, userID string) (bool, error) // ValidateMFAToken validates the given OTP token for the user. // Returns ErrMFAFailed if the token is invalid or expired. ValidateMFAToken(ctx context.Context, userID, token string) error } // ErrMFAFailed is returned when the MFA token is invalid or expired. var ErrMFAFailed = errors.New("mfa validation failed") // ErrMFANotEnrolled is returned when the user has no MFA enrollment. var ErrMFANotEnrolled = errors.New("user has no MFA enrollment")