Expiry + rotation reminders per ADR-020 §3.
Two timer concepts attach to every global-index entry:
- Hard expiry. entry.expires_at is the upstream-reported date the credential stops working. P9.2’s liveness probes write it back into the index when the upstream surfaces one (GitLab expires_at, GitHub github-authentication-token-expiration header).
- Rotation cadence. entry.last_rotated_at + entry.rotate_every_days is an advisory schedule the user attaches per secret. The framework doesn’t enforce it; doctor warns when a secret is overdue.
check_rotation_reminders is the pure function that walks
the index against today and returns a list of warnings.
Doctor (P10.1 / this commit’s doctor wiring) renders them as a
single Warning row.
§Warning windows
Per the task spec for P9.3:
- now > expires_at - 7d → ExpiringSoon / Expired (negative days_remaining).
- now > last_rotated_at + rotate_every_days - 7d → RotationDueSoon / RotationOverdue.
Seven days is the warning window for both timers. P7.3
already uses 14 days for the informational expires_at
check on individual paths in doctor; this module is the
rotation reminders surface and intentionally fires
tighter.
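The window rules above as a std-only Rust sketch (an added example, not this crate's implementation). Dates as integer day numbers, the Entry and ExpiryWarning field layouts, the `_sketch` function name, the handling of day 0 and the sample index are all assumptions.

```rust
// Added sketch, not the crate's code. Assumptions: dates are whole days since
// an arbitrary epoch (i64), and the Entry / ExpiryWarning field layouts.
const WARNING_WINDOW_DAYS: i64 = 7; // window stated on the page
#[derive(Debug, Clone, Copy, PartialEq)]
enum ExpiryWarningKind { ExpiringSoon, Expired, RotationDueSoon, RotationOverdue }
#[derive(Debug, PartialEq)]
struct ExpiryWarning { path: String, kind: ExpiryWarningKind, days_remaining: i64 }

struct Entry {
    path: &'static str,
    expires_at: Option<i64>,        // upstream-reported hard expiry, if any
    last_rotated_at: Option<i64>,   // advisory schedule: needs both fields
    rotate_every_days: Option<i64>,
}

// Fires once `today > due - WARNING_WINDOW_DAYS`; a negative days_remaining
// selects the `past` kind. Treating day 0 as "soon" is an assumption.
fn classify(path: &str, due: i64, today: i64,
            soon: ExpiryWarningKind, past: ExpiryWarningKind) -> Option<ExpiryWarning> {
    if today <= due - WARNING_WINDOW_DAYS { return None; }
    let days_remaining = due - today;
    let kind = if days_remaining < 0 { past } else { soon };
    Some(ExpiryWarning { path: path.to_string(), kind, days_remaining })
}

fn check_rotation_reminders_sketch(index: &[Entry], today: i64) -> Vec<ExpiryWarning> {
    use ExpiryWarningKind::*;
    let mut out = Vec::new();
    for e in index {
        if let Some(exp) = e.expires_at {
            out.extend(classify(e.path, exp, today, ExpiringSoon, Expired));
        }
        if let (Some(last), Some(every)) = (e.last_rotated_at, e.rotate_every_days) {
            out.extend(classify(e.path, last + every, today, RotationDueSoon, RotationOverdue));
        }
    }
    out
}

// Constructed sample index; paths and day numbers are made up.
fn sample_index() -> Vec<Entry> {
    vec![
        Entry { path: "ci/gitlab", expires_at: Some(105), last_rotated_at: None, rotate_every_days: None },
        Entry { path: "ci/github", expires_at: Some(98), last_rotated_at: Some(20), rotate_every_days: Some(84) },
        Entry { path: "db/admin", expires_at: Some(107), last_rotated_at: Some(0), rotate_every_days: Some(90) },
    ]
}

fn main() { for w in check_rotation_reminders_sketch(&sample_index(), 100) { println!("{:?}", w); } }
```

With today = 100, db/admin produces no expiry warning because it sits exactly seven days out, while a single entry (ci/github) can raise both an expiry and a rotation warning.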
Structs§
- ExpiryWarning - One reminder produced by check_rotation_reminders.
Enums§
- ExpiryWarningKind - Reason for an ExpiryWarning.
Constants§
- WARNING_WINDOW_DAYS - Days-out-from-event when the warning starts to fire.
Functions§
- check_rotation_reminders - Walk every entry in index and produce zero or more ExpiryWarnings relative to today.