ppoppo-token 0.2.0

JWT (RFC 9068, EdDSA) issuance + verification engine for the Ppoppo ecosystem. Single deep module with a small interface (issue, verify) hiding RFC 8725 mitigations M01-M45, JWKS handling, and substrate ports (epoch, session, replay).
Documentation
// JWT engine (RFC_2026-05-04_jwt-full-adoption Phase 1+).
//
// Profile-aware top-level layout (Phase 10.0 — D1):
//
// - `access_token::*` — RFC 9068 access-token profile (Phase 1-5 code).
//   Public re-exports: `verify` / `issue` entry points, `Claims`,
//   `VerifyConfig`, `IssueConfig`, `IssueRequest`, `AuthError`,
//   `IssueError`, plus the operational ports `EpochRevocation` /
//   `ReplayDefense` / `SessionRevocation` (RFC 9068 sv-/jti-/sid-coupled).
//
// - `id_token::*` — OIDC Core 1.0 id-token profile. Phase 10.1+ scaffold;
//   ships in subsequent commits.
//
// - Crate-root pubs (this file): JOSE-shared primitives that neither
//   profile owns — `Algorithm`, `KeySet`, `SigningKey`, `Jwk`, `Jwks`,
//   plus the operational shared-cache contract (`SV_CACHE_TTL`,
//   `sv_cache_key`).
//
// - `engine::*` — `pub(crate)` only. JWS check pipeline reachable solely
//   through `access_token::verify` / `access_token::issue` (and Phase
//   10.1's `id_token::verify` / `id_token::issue`). Direct calls to
//   `jsonwebtoken::*` outside `engine/` are forbidden (M51/M52 lint,
//   landed Phase 7).
mod algorithm;
pub(crate) mod engine;
mod jwks;
mod key_set;
mod signing_key;

pub mod access_token;
pub mod id_token;

pub use crate::algorithm::Algorithm;
pub use crate::engine::shared_error::SharedAuthError;
pub use crate::jwks::{Jwk, Jwks, JwksError};
pub use crate::key_set::KeySet;
pub use crate::signing_key::{ed25519_public_from_pem, SigningKey};

pub const DEFAULT_ISSUER: &str = "accounts.ppoppo.com";

/// TTL for the `sv:{ppnum_id}` cache entry shared between PAS (writer) and
/// PCS / external SDK consumers (readers). Bounds the post-break-glass
/// staleness window when the writer cannot preemptively invalidate.
///
/// Value contract: 60 s. See STANDARDS_SHARED_CACHE §3.1 (Reader / Writer
/// table) and STANDARDS_AUTH_PPOPPO §17.7 (wiring status).
pub const SV_CACHE_TTL: std::time::Duration = std::time::Duration::from_secs(60);

/// Build the shared cache key for a given Human ppnum's `session_version`.
///
/// Returned shape: `sv:{ppnum_id}`. Encapsulates the prefix so callers
/// cannot accidentally mis-format the key (forgetting the colon, double
/// prefixing, etc.). PAS writes this key on break-glass commit; PCS
/// chat-auth and the pas-external SDK validator read it.
///
/// SSOT: STANDARDS_SHARED_CACHE §3.1 (`sv:` shared contract).
#[must_use]
pub fn sv_cache_key(ppnum_id: &str) -> String {
    format!("sv:{ppnum_id}")
}
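The `sv:{ppnum_id}` contract above has a writer (PAS bumps `session_version` on break-glass commit) and readers bounded by `SV_CACHE_TTL`. The following is an added example, not the crate's own code: it models that reader-side check with a hypothetical in-memory cache (`SvCache`), a hypothetical `SvCheck` outcome and `check_session_version` function; the key shape and the 60 s TTL are taken from the page, everything else is an assumption.

```rust
// Added example, not ppoppo-token code. Models the reader side of the
// `sv:{ppnum_id}` shared-cache contract with an in-memory stand-in.
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Same value contract as the crate's `SV_CACHE_TTL` (60 s).
pub const SV_CACHE_TTL: Duration = Duration::from_secs(60);

/// Same key shape as the crate's `sv_cache_key`: `sv:{ppnum_id}`.
pub fn sv_cache_key(ppnum_id: &str) -> String {
    format!("sv:{ppnum_id}")
}

/// Hypothetical stand-in for the shared cache; each entry records the
/// session_version and the instant the writer stored it.
#[derive(Default)]
pub struct SvCache {
    entries: HashMap<String, (u64, Instant)>,
}

impl SvCache {
    /// Writer side (PAS on break-glass commit): publish the new version.
    pub fn write_sv(&mut self, ppnum_id: &str, sv: u64, now: Instant) {
        self.entries.insert(sv_cache_key(ppnum_id), (sv, now));
    }

    /// Reader side: the cached version, or None when absent or older than
    /// SV_CACHE_TTL. Expiry is what bounds the post-break-glass staleness.
    pub fn read_sv(&self, ppnum_id: &str, now: Instant) -> Option<u64> {
        let (sv, written) = self.entries.get(&sv_cache_key(ppnum_id))?;
        (now.duration_since(*written) < SV_CACHE_TTL).then_some(*sv)
    }
}

#[derive(Debug, PartialEq)]
pub enum SvCheck {
    Current,
    Revoked,
    CacheMiss,
}

/// Decide for a token carrying session_version `token_sv`. A token older
/// than the cached version predates the break-glass and is revoked. A miss
/// is reported, not accepted: the caller must consult the authoritative
/// store rather than treat an expired entry as "still valid".
pub fn check_session_version(cache: &SvCache, ppnum_id: &str, token_sv: u64, now: Instant) -> SvCheck {
    match cache.read_sv(ppnum_id, now) {
        None => SvCheck::CacheMiss,
        Some(current) if token_sv < current => SvCheck::Revoked,
        Some(_) => SvCheck::Current,
    }
}
```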