//! γ port — `BearerVerifier` trait.
//!
//! The SDK's verification surface, format-blind by design. Consumers
//! receive a [`VerifiedClaims`](super::VerifiedClaims) that exposes
//! typed accessors for the values they need (`ppnum_id`, `ppnum`,
//! `session_id`, `expires_at`) without ever seeing the underlying JWT
//! or the `jsonwebtoken` / `ppoppo_token` types. Swapping the
//! production [`JwtVerifier`](super::JwtVerifier) adapter for the
//! in-memory test adapter
//! ([`MemoryBearerVerifier`](super::MemoryBearerVerifier), gated
//! behind `test-support`) requires zero consumer changes — the port is
//! the contract.
//!
//! D-04 (locked γ, 2026-05-05): port-and-adapter SDK boundary; the
//! engine becomes the only place that knows JWT.
use async_trait::async_trait;
// Inferred import (original path lost): the doc links below reference
// `VerifiedClaims` unqualified, so it must be brought in from the parent.
use super::VerifiedClaims;
/// Verification port for incoming bearer tokens.
///
/// Implementations swap the cryptographic backend without altering the
/// caller's surface. The production [`super::JwtVerifier`] verifies
/// PAS-issued JWTs against a TTL-cached JWKS; the test-support
/// [`super::MemoryBearerVerifier`] returns canned
/// [`VerifiedClaims`] values keyed by the bare token string.
///
/// `verify` is async because the production adapter performs
/// stale-on-failure JWKS refresh inside the verify path, and any
/// future third-party adapter is free to make HTTP calls. Caller
/// middleware that needs synchronous semantics wraps the call in
/// `tokio::block_on`; the port itself stays uniformly async.
///
/// The single `bearer_token` parameter mirrors the M38 transport-blind
/// invariant: the engine never reaches into request framing, and
/// neither does the SDK port. Consumer middleware extracts the bare
/// token before calling.
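The port-and-adapter shape described above, as an added, self-contained example that is not the SDK's own code: a `BearerVerifier` trait with one async `verify(bearer_token)` method, an in-memory adapter keyed by the bare token string, a consumer-side `authenticate` helper that is generic over the port and owns the transport concern (peeling `Bearer ` off the header value), and a minimal `block_on` for callers that need synchronous semantics. The field layout of `VerifiedClaims`, the `VerifyError` enum, the `MemoryBearerVerifier::new(now)` / `insert` constructors, `authenticate` and `block_on` are all assumptions of this example; the real SDK's types are not shown on the page. It uses only the standard library (native `async fn` in traits, Rust 1.75 or later) so it runs without `async_trait` or `tokio`.

```rust
use std::collections::HashMap;
use std::future::Future;
use std::pin::pin;
use std::task::{Context, Poll, RawWaker, RawWakerVTable, Waker};

/// Hypothetical stand-in for the SDK's `VerifiedClaims`: only the typed
/// accessors a consumer needs, never the underlying JWT.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct VerifiedClaims {
    pub ppnum_id: String,
    pub session_id: String,
    /// Seconds since the Unix epoch (assumed representation).
    pub expires_at: u64,
}

/// Hypothetical error type; the real SDK's error is not shown on the page.
#[derive(Debug, PartialEq, Eq)]
pub enum VerifyError {
    /// Header value did not carry a `Bearer` token at all.
    Malformed,
    /// The backend does not recognise the token.
    Unknown,
    /// The token was recognised but its `expires_at` has passed.
    Expired,
}

/// The port: bare token in, typed claims out. Uniformly async so a backend
/// may refresh keys or call out over HTTP inside `verify`.
#[allow(async_fn_in_trait)]
pub trait BearerVerifier {
    async fn verify(&self, bearer_token: &str) -> Result<VerifiedClaims, VerifyError>;
}

/// In-memory adapter: canned claims keyed by the bare token string, plus a
/// fixed clock so expiry checks are deterministic in tests.
pub struct MemoryBearerVerifier {
    now: u64,
    tokens: HashMap<String, VerifiedClaims>,
}

impl MemoryBearerVerifier {
    pub fn new(now: u64) -> Self {
        Self { now, tokens: HashMap::new() }
    }

    pub fn insert(&mut self, token: &str, claims: VerifiedClaims) {
        self.tokens.insert(token.to_owned(), claims);
    }
}

impl BearerVerifier for MemoryBearerVerifier {
    async fn verify(&self, bearer_token: &str) -> Result<VerifiedClaims, VerifyError> {
        let claims = self.tokens.get(bearer_token).ok_or(VerifyError::Unknown)?;
        // A test adapter still enforces expiry: "canned" does not mean "unchecked".
        if claims.expires_at <= self.now {
            return Err(VerifyError::Expired);
        }
        Ok(claims.clone())
    }
}

/// Consumer middleware, generic over the port. It owns the transport concern
/// and hands the port only the bare token, so swapping adapters touches
/// nothing here.
pub async fn authenticate<V: BearerVerifier>(
    verifier: &V,
    authorization: &str,
) -> Result<VerifiedClaims, VerifyError> {
    let token = authorization
        .strip_prefix("Bearer ")
        .map(str::trim)
        .filter(|t| !t.is_empty())
        .ok_or(VerifyError::Malformed)?;
    verifier.verify(token).await
}

/// Minimal executor for callers that need synchronous semantics. It polls
/// with a no-op waker, which is only adequate for futures that never park
/// (the in-memory adapter qualifies); production code uses a real runtime.
pub fn block_on<F: Future>(fut: F) -> F::Output {
    fn raw_noop_waker() -> RawWaker {
        fn clone(_: *const ()) -> RawWaker { raw_noop_waker() }
        fn noop(_: *const ()) {}
        static VTABLE: RawWakerVTable = RawWakerVTable::new(clone, noop, noop, noop);
        RawWaker::new(std::ptr::null(), &VTABLE)
    }
    // SAFETY: the vtable functions ignore the data pointer and never free it.
    let waker = unsafe { Waker::from_raw(raw_noop_waker()) };
    let mut cx = Context::from_waker(&waker);
    let mut fut = pin!(fut);
    loop {
        if let Poll::Ready(out) = fut.as_mut().poll(&mut cx) {
            return out;
        }
    }
}

fn main() {
    // Constructed sample data: a live token and a stale one.
    let mut verifier = MemoryBearerVerifier::new(1_000);
    verifier.insert("tok-alive", VerifiedClaims { ppnum_id: "p1".into(), session_id: "s1".into(), expires_at: 2_000 });
    verifier.insert("tok-stale", VerifiedClaims { ppnum_id: "p2".into(), session_id: "s2".into(), expires_at: 500 });
    println!("{:?}", block_on(authenticate(&verifier, "Bearer tok-alive")));
    println!("{:?}", block_on(authenticate(&verifier, "Bearer tok-stale")));
}
```

The consumer never names `MemoryBearerVerifier` inside `authenticate`; only the wiring site that constructs the adapter changes when the production verifier is substituted, which is the "zero consumer changes" property the port is meant to give.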