docs(pairing): TTL + token-revoke now enforced post-bind (nsecbunkerd#27)
Some checks failed
ci.yml / docs(pairing): TTL + token-revoke now enforced post-bind (nsecbunkerd#27) (pull_request) Failing after 0s

nsecbunkerd#27 (deployed 2026-06-19) reverses the #24 finding: the
sign-time ACL now evaluates token lifecycle live on every request
(checkIfPubkeyAllowed step 4 joins through a liveWhere filter;
applyToken stopped photocopying grants into SigningConditions). So:

- duration_hours / token expiresAt now bounds an ESTABLISHED binding —
  an expired token stops signing post-bind, not just at connect. The
  prior docstring (connect-window-only, pointing at the now-closed
  nsecbunkerd#24) is corrected.
- Token-revoke is no longer a post-redeem no-op (closes the #22
  mechanism bunker-side). revoke_spire keeps using revoke_key_user
  because that's the subject-level ban cutting the whole binding, not
  just one token's grant — rationale updated, behavior unchanged.

Doc/comment only; 20 pairing tests green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Padreug 2026-06-19 23:23:11 +02:00
commit b193f6262d
2 changed files with 21 additions and 20 deletions


@ -287,8 +287,10 @@ def test_pair_default_duration_is_none():
def test_revoke_spire_calls_revoke_key_user():
# revoke MUST go through revoke_key_user (KeyUser.revokedAt), not token
# revoke — token revoke is a no-op once redeemed (spirekeeper#22).
# revoke goes through revoke_key_user (KeyUser.revokedAt) — the subject-
# level ban that cuts the whole binding, not just one token's grant.
# (Token-revoke also works post-bind since nsecbunkerd#27, but only
# severs a single token; revoke_key_user is the full-deauth call.)
bunker = FakeBunker(revoke_count=2)
count = asyncio.run(revoke_spire(_machine(), admin_client=bunker))
assert count == 2
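Review bot: the replaced comment drops the spirekeeper#22 reference that explained why this test exists, and the new comment's claim that "Token-revoke also works post-bind since nsecbunkerd#27" is not exercised by the assertions below it, which only check the count returned from revoke_key_user against FakeBunker(revoke_count=2). Suggest keeping a pointer to #22 alongside the #27 note so the history of the revoke_key_user choice stays traceable, e.g. "# revoke_key_user is the full-deauth call (spirekeeper#22 background; token-revoke post-bind fixed in nsecbunkerd#27)", and, if post-bind token-revoke behavior matters to pairing, pinning it in a separate test rather than asserting it only in a comment.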