@spec find_attribute(Spark.Dsl.t(), atom()) ::
  {:ok, Ash.Resource.Attribute.t()} | {:error, Exception.t()}

Find and return a named attribute in the DSL state.

@spec maybe_build_attribute(Spark.Dsl.t(), atom(), (Spark.Dsl.t() ->
                                                {:ok,
                                                 Ash.Resource.Attribute.t()})) ::
  {:ok, Spark.Dsl.t()}

Build an attribute if not present.

@spec persisted_option(Spark.Dsl.t(), atom()) ::
  {:ok, any()} | {:error, {:unknown_persisted, atom()}}

Find and return a persisted option in the DSL state.

@spec validate_behaviour(module(), module()) :: :ok | {:error, Exception.t()}

Ensure that the named module implements a specific behaviour.

@spec validate_extension(Spark.Dsl.t(), module()) :: :ok | {:error, Exception.t()}

Validates that extension is present on the resource.

@spec validate_field_in_values(map(), any(), [any()]) :: :ok | {:error, String.t()}

Given a map validate that the provided field is one of the values provided.

@spec validate_field_with(map(), field, (any() -> boolean()), message) ::
  :ok | {:error, message}
when field: any(), message: any()

Given a map, validate that the provided field predicate returns true for the value.

Validate that a "secret" field is configured correctly.

@spec validate_token_generation_enabled(Spark.Dsl.t(), binary()) ::
  :ok | {:error, Exception.t()}

Ensure that token generation is enabled for the resource.

@spec warn_if_data_layer_cannot_lock(Ash.Resource.t(), String.t()) :: :ok

Emit a Logger.warning if the given resource's data layer does not support the {:lock, :for_update} capability.

Used by verifiers for resources that AshAuthentication tries to lock at runtime (the token resource, the audit log resource, the recovery code resource). On data layers that don't support locking the lock is skipped at runtime — but races between concurrent processes are no longer prevented, which the user should know about.

Returns :ok either way; this is advisory, not a hard failure.