Module token 

γ port-and-adapter SDK boundary for bearer-token verification.

Phase 6.1 — D-04 = γ (locked 2026-05-05). The SDK exposes a BearerVerifier trait + AuthSession result, hiding the engine (ppoppo_token), the token format (JWT, RFC 9068), and the JWKS substrate behind a single async port. External Developer apps inject Arc<dyn BearerVerifier> into their middleware and never see jsonwebtoken::* types.

Module layout — mirrors crate::pas_port (the OAuth port + adapter cluster) for parallel structure:

• port — BearerVerifier, AuthSession, Expectations, VerifyError (always compiled when token feature is on)
• [jwt] — PasJwtVerifier production adapter (gated well-known-fetch; depends on ppoppo-token)
• [memory] — MemoryBearerVerifier test-support adapter (gated cfg(any(test, feature = "test-support")))
• [keyset] — JwksCache (pub(crate) — internal to jwt.rs)

Re-exports

pub use port::AuthSession;

pub use port::BearerVerifier;

pub use port::Expectations;

pub use port::VerifyError;

Modules

port

γ port — BearerVerifier, AuthSession, Expectations, VerifyError.