pub fn issue(
    req: &IssueRequest,
    cfg: &IssueConfig,
    key: &SigningKey,
    now: i64,
) -> Result<String, IssueError>
Issue a signed Compact JWS for the given request + config + key.
Mirrors verify on the issuance side. Order of operations:
- kid match — fail-fast on a misconfigured pipeline before any encoding work. The KeyMismatch audit signal carries both kids so operators can diagnose without a debugger.
- clock sanity — refuse to emit if now() is before UNIX_EPOCH (cannot happen on a correctly configured machine; the check exists so the engine fails closed rather than emitting garbage timestamps).
- payload assembly via encode::IssuePayload::build.
- header construction — pin alg=EdDSA, typ=cfg.typ (at+jwt for access), kid=cfg.kid. Forbidden headers (jku/x5u/jwk/x5c/crit/extras) are never set; the invariant test in tests/issue_invariants.rs::issue_emits_only_alg_typ_kid_in_header is the regression guard.
- encode via jsonwebtoken::encode — the only call site for jsonwebtoken::* on the issue path; the M51 “no jsonwebtoken outside engine/” lint accommodates this single use site.
issue stays sync (D-11): no I/O on the issuance path.
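
The header invariant from the header-construction step, as an added example (not the project's code and not its tests/issue_invariants.rs test): a std-only check that a Compact JWS protected header holds exactly alg, typ and kid, with alg pinned to EdDSA. The sample tokens, the kid value k1 and the function names are assumptions made for illustration.

```rust
// Added example (std only); sample tokens are constructed, signatures are not checked.
const GOOD: &str = "eyJhbGciOiJFZERTQSIsInR5cCI6ImF0K2p3dCIsImtpZCI6ImsxIn0.e30.c2ln";
const WITH_JKU: &str = "eyJhbGciOiJFZERTQSIsInR5cCI6ImF0K2p3dCIsImtpZCI6ImsxIiwiamt1IjoieCJ9.e30.c2ln";

/// Decode unpadded base64url; None on any byte outside the alphabet.
fn b64url_decode(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' | b'_' => 62 + (c == b'_') as u8,
            _ => return None,
        };
        acc = ((acc << 6) | u32::from(v)) & 0xffff; // keep the low 16 bits
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8); // the cast keeps the next 8 bits
        }
    }
    Some(out)
}
/// Strip the quotes from a plain JSON string; None for anything else.
fn unquote(s: &str) -> Option<&str> {
    let inner = s.trim().strip_prefix('"')?.strip_suffix('"')?;
    if inner.contains(|c: char| c == '"' || c == '\\') { None } else { Some(inner) }
}

/// True only for a header that is exactly {alg: "EdDSA", typ, kid}. Only flat
/// string members parse, so jwk/x5c/crit or a value containing ',' fails closed.
fn header_is_pinned(jws: &str, typ: &str, kid: &str) -> bool {
    let check = || -> Option<bool> {
        let bytes = b64url_decode(jws.split('.').next()?)?;
        let json = std::str::from_utf8(&bytes).ok()?.trim();
        let mut members = Vec::new();
        for part in json.strip_prefix('{')?.strip_suffix('}')?.split(',') {
            let (k, v) = part.split_once(':')?;
            members.push((unquote(k)?, unquote(v)?));
        }
        members.sort();
        Some(members == [("alg", "EdDSA"), ("kid", kid), ("typ", typ)])
    };
    check().unwrap_or(false)
}

fn main() {
    assert!(header_is_pinned(GOOD, "at+jwt", "k1") && !header_is_pinned(WITH_JKU, "at+jwt", "k1"));
}
```

The parser is deliberately narrower than JSON: a header it cannot read as flat string members is treated as a violation rather than passed through.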