Struct InvitationStatement 

pub struct InvitationStatement {
    pub type_: String,
    pub session_ref: String,
    pub issuer: String,
    pub invitee_restriction: InviteeRestriction,
    pub granted_capabilities: GrantedCapabilities,
    pub expires_at: String,
    pub max_uses: u32,
    pub nonce: String,
}

One signed invitation. Wrap in a DSSE envelope via crate::attestation::sign with payload_type("invitation") to seal.

Fields

type_: String

session_ref: String

session_id (e.g. ssn_<hex>) that this invitation joins.

issuer: String

Issuer’s Ed25519 public key as base64url-no-pad. Verifiers MUST confirm this key is present in the trust root store under kind SessionHost before honoring the invitation.

invitee_restriction: InviteeRestriction

granted_capabilities: GrantedCapabilities

expires_at: String

RFC 3339 expiry timestamp.

max_uses: u32

Always 1 in Phase 1. The schema carries the field so multi-use invitations (roadmap) don’t need a canonical-format bump.

nonce: String

Random hex-encoded nonce. The Approval Use Journal indexes its SHA-256 digest, so the journal never sees the raw nonce.

Implementations

impl InvitationStatement

pub fn new( session_ref: impl Into<String>, issuer: impl Into<String>, invitee_restriction: InviteeRestriction, granted_capabilities: GrantedCapabilities, expires_at: impl Into<String>, nonce: impl Into<String>, ) -> Self

Construct an invitation with the current canonical type tag.

pub fn canonical_for_signing(&self) -> String

Canonical signing bytes. Pipe-delimited, version-prefixed, following the v0.10.4 Checkpoint::canonical_for_signing shape.

Format: "v1|invitation|{session_ref}|{issuer}|{restriction_canonical}|{capabilities_canonical}|{expires_at}|{max_uses}|{nonce_digest}"

restriction_canonical and capabilities_canonical are sha256:<hex> digests over the sorted-key canonical JSON serialization of the field. Hashing them keeps the canonical string a single line regardless of field cardinality (cert allowed_subjects is a Vec; embedding it directly would require a sub-delimiter and reopen the parser-mismatch attack surface that pipe-delimited canonicals are designed to avoid).

nonce_digest (not the raw nonce) is bound for the same reason the Approval Use Journal stores the digest: the raw nonce is already in the signed envelope’s payload bytes, so binding the digest into the canonical adds redundancy without exposing the nonce in a second place.

pub fn sign_canonical(&self, signer: &dyn Signer) -> Result<String, SignerError>

Sign the invitation under the host’s keypair. The signature is over the canonical bytes (see canonical_for_signing), encoded as base64url-no-pad. The signed envelope (DSSE) is produced by callers via crate::attestation::sign; this helper produces just the raw signature so callers can compose either way.

pub fn verify_canonical(&self, signature_b64url: &str) -> bool

Verify the supplied signature_b64url against self.issuer’s pubkey over the canonical bytes. Returns true only when both the pubkey decodes cleanly AND the signature math checks out. Does NOT consult trust roots – the caller is responsible for checking that self.issuer is pinned under kind SessionHost.

pub fn validate_for_mint( &self, now_unix_secs: u64, ) -> Result<(), InvitationError>

Mint-time validation: rejects invitations that violate protocol-level invariants the verifier alone cannot enforce.

• expires_at parses as RFC 3339 and is in the future.
• expires_at - now_unix_secs does not exceed MAX_INVITATION_LIFETIME_SECS (7 days).
• max_uses == 1 (Phase 1).
• session_ref and nonce are non-empty.
• issuer decodes as a 32-byte Ed25519 pubkey.

pub fn is_expired(&self, now_unix_secs: u64) -> bool

True when now_unix_secs >= expires_at. Verifiers call this at redeem time. Returns true on a malformed expires_at so that a tampered field fails closed.

pub fn nonce_digest(&self) -> String

Returns sha256(<raw nonce>) in sha256:<hex> form. Same digest the Approval Use Journal indexes by; callers route invitation consumption through the journal using this value.

Trait Implementations

impl Clone for InvitationStatement

fn clone(&self) -> InvitationStatement

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for InvitationStatement

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for InvitationStatement

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Serialize for InvitationStatement

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.