Function verify_dpop_proof 

pub fn verify_dpop_proof(
    proof: &DpopProof,
    capability: &CapabilityToken,
    expected_tool_server: &str,
    expected_tool_name: &str,
    expected_action_hash: &str,
    nonce_store: &DpopNonceStore,
    config: &DpopConfig,
) -> Result<(), KernelError>

Verify a DPoP proof against the given capability and invocation context.

All six verification steps must pass; the first failure returns an error.

Arguments

• proof - the signed DPoP proof from the agent
• capability - the capability token being used for this invocation
• expected_tool_server - server_id the kernel expects
• expected_tool_name - tool name the kernel expects
• expected_action_hash - SHA-256 hex of the serialized tool arguments
• nonce_store - shared replay-rejection store
• config - TTL and clock-skew bounds