ppoppo-token 0.2.0

JWT (RFC 9068, EdDSA) issuance + verification engine for the Ppoppo ecosystem. Single deep module with a small interface (issue, verify) hiding RFC 8725 mitigations M01-M45, JWKS handling, and substrate ports (epoch, session, replay).
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91

//! Per-request verification configuration for the RFC 9068 access-token
//! profile.
//!
//! ── Composition ────────────────────────────────────────────────────────
//!
//! JOSE-shared fields (`issuer`, `audience`, `expected_typ`,
//! `max_token_size`, `algorithms`) live in `engine::SharedVerifyConfig`
//! and are reached via `self.shared`. Access-token-specific axes
//! (replay/session/epoch revocation ports) stay on this struct. The
//! engine submodules `check_algorithm` / `check_header` / `raw` read
//! only from `&SharedVerifyConfig`; `check_claims` / `check_domain` /
//! revocation checks read from this struct (and reach the shared
//! fields via `cfg.shared.*`).
//!
//! ── Phase 5 — orthogonal port slots ────────────────────────────────────
//!
//! Three optional ports model the orthogonal revocation axes (M35-M38 +
//! sv). Each is `Option<Arc<dyn ...>>` so callers wire only what their
//! deployment substrate supports — `None` short-circuits the gate
//! (legacy admit / sibling-test config / migration phases).

use std::sync::Arc;

use super::epoch_revocation::EpochRevocation;
use super::replay_defense::ReplayDefense;
use super::session_revocation::SessionRevocation;
use crate::algorithm::Algorithm;
use crate::engine::shared_config::SharedVerifyConfig;

#[derive(Debug, Clone)]
#[allow(dead_code)] // ports consumed across Phase 5+
pub struct VerifyConfig {
    pub(crate) shared: SharedVerifyConfig,

    // ── Phase 5 revocation port slots ──────────────────────────────────
    /// M35 jti replay defense (Phase 5 commit 5.1).
    pub(crate) replay: Option<Arc<dyn ReplayDefense>>,
    /// M36 session-row liveness (Phase 5 commit 5.2).
    pub(crate) session: Option<Arc<dyn SessionRevocation>>,
    /// sv-port per-account epoch (Phase 5 commits 5.5-5.7).
    pub(crate) epoch: Option<Arc<dyn EpochRevocation>>,
}

impl VerifyConfig {
    /// Canonical access-token config: `at+jwt` typ, EdDSA-only algorithm
    /// whitelist, 8 KB token size cap (M34). All revocation port slots
    /// default to `None`; callers opt in via the builders.
    pub fn access_token(issuer: impl Into<String>, audience: impl Into<String>) -> Self {
        Self {
            shared: SharedVerifyConfig::new(
                issuer,
                audience,
                "at+jwt",
                8 * 1024,
                vec![Algorithm::EdDSA],
            ),
            replay: None,
            session: None,
            epoch: None,
        }
    }

    /// Override the algorithm whitelist. Test-only escape hatch — production
    /// callers MUST go through `access_token` so the EdDSA pin is the default.
    #[must_use]
    pub fn with_algorithms(mut self, algorithms: Vec<Algorithm>) -> Self {
        self.shared.algorithms = algorithms;
        self
    }

    /// Wire the M35 jti replay defense port.
    #[must_use]
    pub fn with_replay_defense(mut self, port: Arc<dyn ReplayDefense>) -> Self {
        self.replay = Some(port);
        self
    }

    /// Wire the M36 session-row liveness port.
    #[must_use]
    pub fn with_session_revocation(mut self, port: Arc<dyn SessionRevocation>) -> Self {
        self.session = Some(port);
        self
    }

    /// Wire the sv-port per-account epoch revocation.
    #[must_use]
    pub fn with_epoch_revocation(mut self, port: Arc<dyn EpochRevocation>) -> Self {
        self.epoch = Some(port);
        self
    }
}