Expand description
Concrete HMAC signer for the stateless scroll/PIT affinity envelope
(docs/03 §6). The cluster a cursor is pinned to travels with the cursor in
a signed token, so any fleet instance can recover it with no shared store; the
signature stops a client redirecting a cursor to another cluster.
The MAC is computed through the build’s validated crypto module (ring
under non-fips, aws-lc-rs under fips, cfg-selected exactly like the
directive verifier and the TLS cert fingerprint, ADR-009), so a FIPS artifact
never signs with a non-validated primitive. The mutual-exclusion compile
guards live in crate::directive.
Structs§
- Hmac
Cursor Signer - Signs cursor-affinity envelopes with a shared
HMAC-SHA256key. The same key must be configured on every proxy instance so a token wrapped on one verifies on another (the whole point of the stateless design).