

// JWT engine (RFC_2026-05-04_jwt-full-adoption Phase 1+).
//
// All JWT verification flows through `engine::verify`. The
// `engine/check_*.rs` submodules are `pub(crate)` — consumers reach them
// only through the re-exports below. Direct calls to `jsonwebtoken::*`
// outside `engine/` are forbidden (M51/M52, lint rule lands Phase 7).
// Private submodules. None is `pub`, so nothing inside them is reachable by
// path from outside the crate; the public surface is exactly the `pub use`
// list below.
mod claims;
mod engine;
mod epoch_revocation;
mod error;
mod issue_config;
mod issue_error;
mod issue_request;
mod jwks;
mod key_set;
mod replay_defense;
mod session_revocation;
mod signing_key;
mod verify_config;

// Public API. `engine::{issue, verify}` are the only issuance / verification
// entry points exposed; the `engine/check_*.rs` internals described in the
// file header are deliberately not re-exported.
pub use crate::claims::Claims;
pub use crate::engine::{issue, verify};
pub use crate::epoch_revocation::{EpochRevocation, EpochRevocationError};
pub use crate::error::AuthError;
pub use crate::issue_config::IssueConfig;
pub use crate::issue_error::IssueError;
pub use crate::issue_request::IssueRequest;
pub use crate::jwks::{Jwk, Jwks, JwksError};
pub use crate::key_set::KeySet;
pub use crate::replay_defense::{ReplayDefense, ReplayDefenseError};
pub use crate::session_revocation::{SessionRevocation, SessionRevocationError};
pub use crate::signing_key::{ed25519_public_from_pem, SigningKey};
pub use crate::verify_config::{Algorithm, VerifyConfig};

/// Default token issuer.
///
/// NOTE(review): presumably the `iss` value used when an [`IssueConfig`] /
/// [`VerifyConfig`] does not override it — confirm against `engine::issue`
/// and `engine::verify`, which live outside this file.
pub const DEFAULT_ISSUER: &str = "accounts.ppoppo.com";

/// TTL for the `sv:{ppnum_id}` cache entry shared between PAS (writer) and
/// PCS / external SDK consumers (readers). Bounds the post-break-glass
/// staleness window when the writer cannot preemptively invalidate.
///
/// Value contract: 60 s. See STANDARDS_SHARED_CACHE §3.1 (Reader / Writer
/// table) and STANDARDS_AUTH_PPOPPO §17.7 (wiring status).
///
/// NOTE(review): this constant *is* the contract value — a consumer that
/// uses a local literal instead silently widens the staleness window the
/// paragraph above promises, so readers and the writer should all reference
/// `SV_CACHE_TTL`.
pub const SV_CACHE_TTL: std::time::Duration = std::time::Duration::from_secs(60);

/// Shared-cache key under which a Human ppnum's `session_version` is stored.
///
/// Produces `sv:{ppnum_id}`. Keeping the `sv:` prefix in one place means
/// every reader and writer (PAS on break-glass commit; PCS chat-auth and the
/// pas-external SDK validator on read) derives exactly the same key — no
/// missing colon, no double prefix.
///
/// `ppnum_id` is interpolated verbatim; no validation happens here, so the
/// key's uniqueness is only as good as the id's. NOTE(review): callers are
/// expected to pass an already-validated ppnum id rather than raw request
/// input — confirm at the call sites.
///
/// SSOT: STANDARDS_SHARED_CACHE §3.1 (`sv:` shared contract).
#[must_use]
pub fn sv_cache_key(ppnum_id: &str) -> String {
    const SV_PREFIX: &str = "sv:";

    // Single allocation sized for prefix + id; yields the same bytes as
    // `format!("sv:{ppnum_id}")`.
    let mut key = String::with_capacity(SV_PREFIX.len() + ppnum_id.len());
    key.push_str(SV_PREFIX);
    key.push_str(ppnum_id);
    key
}