ppoppo_token/lib.rs
// JWT engine (RFC_2026-05-04_jwt-full-adoption Phase 1+).
//
// Profile-aware top-level layout (Phase 10.0 — D1):
//
// - `access_token::*` — RFC 9068 access-token profile (Phase 1-5 code).
//   Public re-exports: `verify` / `issue` entry points, `Claims`,
//   `VerifyConfig`, `IssueConfig`, `IssueRequest`, `AuthError`,
//   `IssueError`, plus the operational ports `EpochRevocation` /
//   `ReplayDefense` / `SessionRevocation` (RFC 9068 sv-/jti-/sid-coupled).
//
// - `id_token::*` — OIDC Core 1.0 id-token profile. Phase 10.1+ scaffold;
//   ships in subsequent commits.
//
// - Crate-root pubs (this file): JOSE-shared primitives that neither
//   profile owns — `Algorithm`, `KeySet`, `SigningKey`,
//   `ed25519_public_from_pem`, `Jwk`, `Jwks`, `JwksError`,
//   `SharedAuthError`, `DEFAULT_ISSUER` — plus the operational shared-cache
//   contract (`SV_CACHE_TTL`, `sv_cache_key`).
//
// - `engine::*` — `pub(crate)` only. The JWS check pipeline is reachable
//   solely through `access_token::verify` / `access_token::issue` (and Phase
//   10.1's `id_token::verify` / `id_token::issue`). Direct calls to
//   `jsonwebtoken::*` outside `engine/` are forbidden (M51/M52 lint,
//   landed Phase 7).
24mod algorithm;
25pub(crate) mod engine;
26mod jwks;
27mod key_set;
28mod signing_key;
29
30pub mod access_token;
31pub mod id_token;
32
33pub use crate::algorithm::Algorithm;
34pub use crate::engine::shared_error::SharedAuthError;
35pub use crate::jwks::{Jwk, Jwks, JwksError};
36pub use crate::key_set::KeySet;
37pub use crate::signing_key::{ed25519_public_from_pem, SigningKey};
38
/// Crate-wide default `iss` value.
///
/// NOTE(review): the code that consumes this (presumably the `iss` fallback
/// in `VerifyConfig` / `IssueConfig`) lives outside this file — confirm there
/// that issuer matching is an exact, case-sensitive string comparison against
/// this value and not a prefix/suffix match.
pub const DEFAULT_ISSUER: &str = "accounts.ppoppo.com";
40
/// Lifetime of the shared `sv:{ppnum_id}` cache entry (written by PAS on
/// break-glass commit, read by PCS chat-auth and the pas-external SDK
/// validator).
///
/// Contract value: 60 s, per STANDARDS_SHARED_CACHE §3.1 (Reader / Writer
/// table) and STANDARDS_AUTH_PPOPPO §17.7 (wiring status).
///
/// Security note: when the writer cannot invalidate the entry preemptively,
/// this TTL is the upper bound on how long a reader may keep honouring a
/// stale `session_version` after break-glass. Raising it widens that window
/// for every consumer of the key; do not bump it without revisiting both
/// standards sections above.
pub const SV_CACHE_TTL: std::time::Duration = std::time::Duration::from_secs(60);
48
/// Build the shared-cache key under which a Human ppnum's `session_version`
/// is stored.
///
/// Returned shape: `sv:{ppnum_id}`. The `sv:` prefix is owned here so that
/// callers cannot mis-format the key (missing colon, double prefix, …).
/// PAS writes the key on break-glass commit; PCS chat-auth and the
/// pas-external SDK validator read it.
///
/// SSOT: STANDARDS_SHARED_CACHE §3.1 (`sv:` shared contract).
///
/// # Caveat
///
/// `ppnum_id` is concatenated verbatim — it is neither validated nor
/// escaped. An empty id yields the bare key `sv:`, and an id containing
/// separator characters could alias another entry in the shared namespace.
/// NOTE(review): callers should pass only a canonical, already-validated
/// ppnum id; whether that validation happens upstream is not visible here —
/// confirm at the PAS / PCS call sites.
#[must_use]
pub fn sv_cache_key(ppnum_id: &str) -> String {
    const PREFIX: &str = "sv:";

    // Single allocation sized for prefix + id; equivalent to
    // `format!("sv:{ppnum_id}")` byte-for-byte.
    let mut key = String::with_capacity(PREFIX.len() + ppnum_id.len());
    key.push_str(PREFIX);
    key.push_str(ppnum_id);
    key
}
60}