pub fn mint_container_token(
    secret: &str,
    service_name: &str,
    container_id: &str,
    scopes: Vec<TokenScope>,
    ttl: Duration,
    jti: Option<String>,
) -> Result<String, String>

Mint a scoped JWT for a container.
The token carries scopes (and the marker role container, which grants
nothing on its own — authority comes from the scopes) and the supplied
jti. When jti is Some, a matching StoredAccessToken record MUST
already be persisted (the auth layer is fail-closed and rejects a jti with
no record); pass None to mint an un-revocable token bounded only by the
short TTL. It is signed with the daemon’s JWT secret so the API accepts it.
§Errors
Returns an error string if the system clock is unavailable or JWT encoding fails.
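
The jti contract described above, modelled from the verifier's side as an added example; it is not the project's code. Signing is omitted, and `StoredRecord`, `Claims`, `Decision`, `claims`, `authorize`, the `revoked` field and the `logs:read` scope are hypothetical names chosen for illustration.

```rust
use std::collections::HashMap;
use std::time::{Duration, SystemTime, UNIX_EPOCH};

// Hypothetical stand-ins: the page names StoredAccessToken but not its fields.
struct StoredRecord { revoked: bool }
struct Claims { jti: Option<String>, exp: u64, scopes: Vec<String> }

#[derive(Debug, PartialEq)]
enum Decision { Allow, Expired, UnknownJti, Revoked, MissingScope }

// Claims as they would look after signature verification (signing omitted here).
fn claims(jti: Option<&str>, ttl: Duration, now: u64, scopes: &[&str]) -> Claims {
    Claims {
        jti: jti.map(String::from),
        exp: now + ttl.as_secs(),
        scopes: scopes.iter().map(|s| s.to_string()).collect(),
    }
}

// Fail-closed: a jti with no persisted record is rejected, never read as "not revoked".
fn authorize(c: &Claims, store: &HashMap<String, StoredRecord>, now: u64, need: &str) -> Decision {
    if now >= c.exp { return Decision::Expired; }
    if let Some(jti) = &c.jti {
        match store.get(jti) {
            None => return Decision::UnknownJti,
            Some(r) if r.revoked => return Decision::Revoked,
            Some(_) => {}
        }
    }
    // Authority comes from scopes only; no role is consulted.
    if !c.scopes.iter().any(|s| s == need) { return Decision::MissingScope; }
    Decision::Allow
}

fn main() {
    let now = SystemTime::now().duration_since(UNIX_EPOCH).expect("clock").as_secs();
    let mut store: HashMap<String, StoredRecord> = HashMap::new();
    let ttl = Duration::from_secs(300);
    // Constructed sample: token minted before its record was persisted.
    let t = claims(Some("jti-1"), ttl, now, &["logs:read"]);
    println!("no record:  {:?}", authorize(&t, &store, now, "logs:read"));
    store.insert("jti-1".to_string(), StoredRecord { revoked: false });
    println!("persisted:  {:?}", authorize(&t, &store, now, "logs:read"));
    store.get_mut("jti-1").unwrap().revoked = true;
    println!("revoked:    {:?}", authorize(&t, &store, now, "logs:read"));
    // jti = None: there is no record to revoke, so only expiry stops the token.
    let u = claims(None, ttl, now, &["logs:read"]);
    println!("no jti:     {:?}", authorize(&u, &store, now + 299, "logs:read"));
    println!("no jti+ttl: {:?}", authorize(&u, &store, now + 300, "logs:read"));
}
```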