I managed not to send this to the mailing list...

I don't know the govt spec. but there is a US govt security level where
you are not allowed to inform the user why the login failed.


It seems to me that there are 2 intertwined components being discussed.

1) A component to perform a user password change capability

2) A pluggable validation component.

3) A pluggable observability component.

Without a validation component all passwords are valid; the validation
component provides the user messages for failures.  Validation receives
the new password and some list of old passwords as arguments.  Validation
returns a structure comprising the success/failure, the user message, the
internal result, and the internal result message.

The observability implementations could log the results, send counts to
Grafana, etc.  If there is no observer then no results are presented.


Alternatively the validation could accept the observability component as
an argument and pass the internal result and internal result message
directly to the observability component.
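As an added example (not code from the original message or any project it refers to), here is one way to wire the three pieces together in Python: a password-change component, a pluggable validator that returns the four-part result structure, and a pluggable observer that counts results. It also shows the alternative from the last paragraph, where the validator is handed the observer directly. The rule set (minimum length, no reuse), the class and function names, and the generic user message are assumptions; note how the user message stays generic while the detailed reason goes only to the observer, which is the separation the "do not tell the user why" requirement asks for.

```python
"""Password change with a pluggable validator and a pluggable observer.

Added illustration; names, rules and messages are assumptions, not a
specification from the mailing-list thread.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence


@dataclass(frozen=True)
class ValidationResult:
    """The structure the validator returns, as sketched in the message."""
    ok: bool
    user_message: str       # safe to show to the end user
    internal_result: str    # machine-readable code for logs / metrics
    internal_message: str   # detailed reason; never shown to the user


Validator = Callable[[str, Sequence[str]], ValidationResult]
Observer = Callable[[ValidationResult], None]

# One fixed message for every rejection, so the user learns nothing about
# which rule fired (assumed policy, mirroring the "don't say why" requirement).
GENERIC_REJECTION = "The new password was not accepted."


def accept_all_validator(new_password: str, old_passwords: Sequence[str]) -> ValidationResult:
    """Default when no validator is plugged in: every password is valid."""
    return ValidationResult(True, "Password changed.", "accepted", "no validator configured")


def length_and_history_validator(new_password: str, old_passwords: Sequence[str]) -> ValidationResult:
    """Assumed rules: at least 12 characters and not equal to any previous password.

    In a real system the history would hold password hashes and the comparison
    would be a hash verification; plain strings are used here only to keep the
    example self-contained.
    """
    if len(new_password) < 12:
        return ValidationResult(False, GENERIC_REJECTION, "too_short",
                                f"length {len(new_password)} is below the minimum of 12")
    if new_password in old_passwords:
        return ValidationResult(False, GENERIC_REJECTION, "reused",
                                "new password matches one of the previous passwords")
    return ValidationResult(True, "Password changed.", "accepted", "all rules passed")


class CountingObserver:
    """Observer that keeps per-result counts and an internal log.

    A production implementation would forward these to a log sink or a
    metrics backend such as the Grafana setup mentioned in the message.
    """

    def __init__(self) -> None:
        self.counts: Dict[str, int] = {}
        self.log: List[tuple] = []

    def __call__(self, result: ValidationResult) -> None:
        self.counts[result.internal_result] = self.counts.get(result.internal_result, 0) + 1
        self.log.append((result.internal_result, result.internal_message))


class PasswordChanger:
    """Component 1: performs the change; validator and observer are optional plug-ins."""

    def __init__(self, validator: Optional[Validator] = None,
                 observer: Optional[Observer] = None) -> None:
        self.validator: Validator = validator or accept_all_validator
        self.observer = observer
        self.history: Dict[str, List[str]] = {}  # user -> previous passwords

    def change(self, user: str, new_password: str) -> ValidationResult:
        old = self.history.get(user, [])
        result = self.validator(new_password, old)
        if self.observer is not None:          # no observer -> nothing is reported
            self.observer(result)
        if result.ok:
            self.history[user] = old + [new_password]
        return result


def validate_with_observer(validator: Validator, observer: Observer,
                           new_password: str, old_passwords: Sequence[str]) -> ValidationResult:
    """The alternative wiring: the validation step reports to the observer itself."""
    result = validator(new_password, old_passwords)
    observer(result)
    return result


if __name__ == "__main__":
    obs = CountingObserver()
    changer = PasswordChanger(length_and_history_validator, obs)
    for attempt in ("short", "correct horse battery", "correct horse battery"):
        r = changer.change("alice", attempt)
        print(r.ok, "| user sees:", r.user_message, "| observer sees:", r.internal_result)
    print(obs.counts)
```

Running the module shows the user receiving the same generic text for both the too-short and the reused attempt, while the observer's counts distinguish the two causes.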
