pub fn verify_execution_nonce(
presented: &SignedExecutionNonce,
kernel_pubkey: &PublicKey,
expected: &NonceBinding,
now: i64,
nonce_store: &dyn ExecutionNonceStore,
) -> Result<(), ExecutionNonceError>Expand description
Verify a signed execution nonce against the expected binding.
Steps, in order:
- Schema check.
- Expiry check –
now < nonce.expires_at. - Binding check – subject, capability, server, tool, parameter_hash.
- Signature check – canonical JSON under the kernel’s pubkey.
- Replay check –
nonce_store.reserve(nonce_id)must returntrue.