Module expiry

Expiry + rotation reminders per ADR-020 §3.

Two timer concepts attach to every global-index entry:

  • Hard expiry. entry.expires_at is the upstream-reported date the credential stops working. P9.2’s liveness probes write it back into the index when the upstream surfaces one (GitLab expires_at, GitHub github-authentication-token-expiration header).
  • Rotation cadence. entry.last_rotated_at + entry.rotate_every_days is an advisory schedule the user attaches per secret. The framework doesn’t enforce it; doctor warns when a secret is overdue.

check_rotation_reminders is the pure function that walks the index against today and returns a list of warnings. Doctor (P10.1 / this commit’s doctor wiring) renders them as a single Warning row.

Warning windows

Per the task spec for P9.3:

  • now > expires_at - 7d → ExpiringSoon / Expired (negative days_remaining).
  • now > last_rotated_at + rotate_every_days - 7d → RotationDueSoon / RotationOverdue.

Seven days is the warning window for both timers. P7.3 already uses 14 days for the informational expires_at check on individual paths in doctor; this module is the rotation-reminder surface and intentionally uses the tighter window.
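
The two window rules above, written out as an added Rust sketch (not this crate's own code). Dates are plain day numbers, and the Entry shape, the Kind enum, the classify and reminders functions, and the sample secret names are assumptions for illustration; only the timer field names and the variant names come from this page.

```rust
// Added sketch, not the crate's source. Dates are whole days since an
// arbitrary epoch (assumption), so no date library is needed.
const WARNING_WINDOW_DAYS: i64 = 7;

#[derive(Debug, Clone, Copy, PartialEq)]
enum Kind { ExpiringSoon, Expired, RotationDueSoon, RotationOverdue }

// Hypothetical entry shape; only the three timer field names come from the docs.
struct Entry {
    name: &'static str,
    expires_at: Option<i64>,
    last_rotated_at: Option<i64>,
    rotate_every_days: Option<i64>,
}

// Fires when `today > deadline - window`; negative days_remaining means past due.
fn classify(deadline: i64, today: i64, soon: Kind, past: Kind) -> Option<(Kind, i64)> {
    let days_remaining = deadline - today;
    if today <= deadline - WARNING_WINDOW_DAYS {
        return None;
    }
    Some((if days_remaining < 0 { past } else { soon }, days_remaining))
}

// Returns (entry name, kind, days_remaining) for every timer inside its window.
fn reminders(index: &[Entry], today: i64) -> Vec<(&'static str, Kind, i64)> {
    let mut out = Vec::new();
    for e in index {
        let hard = e.expires_at
            .and_then(|d| classify(d, today, Kind::ExpiringSoon, Kind::Expired));
        // The advisory timer needs both fields; entries without a cadence are skipped.
        let soft = e.last_rotated_at.zip(e.rotate_every_days)
            .and_then(|(last, every)| classify(last + every, today, Kind::RotationDueSoon, Kind::RotationOverdue));
        out.extend(hard.into_iter().chain(soft).map(|(k, d)| (e.name, k, d)));
    }
    out
}

// Constructed sample index; the caller below treats day 1000 as today.
fn sample() -> Vec<Entry> {
    vec![
        Entry { name: "gitlab-pat", expires_at: Some(1003), last_rotated_at: None, rotate_every_days: None },
        Entry { name: "github-pat", expires_at: Some(998), last_rotated_at: Some(900), rotate_every_days: Some(90) },
        Entry { name: "db-password", expires_at: Some(1007), last_rotated_at: Some(915), rotate_every_days: Some(90) },
    ]
}

fn main() { for w in reminders(&sample(), 1000) { println!("{:?}", w); } }
```

In this sketch an expiry exactly seven days out does not fire, and a deadline that falls today is still reported as ExpiringSoon with days_remaining of 0.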

Structs

ExpiryWarning
One reminder produced by check_rotation_reminders.

Enums

ExpiryWarningKind
Reason for an ExpiryWarning.

Constants

WARNING_WINDOW_DAYS
Days-out-from-event when the warning starts to fire.

Functions

check_rotation_reminders
Walk every entry in index and produce zero or more ExpiryWarnings relative to today.