docs(pairing): correct duration_hours TTL docstring

duration_hours stamps Token.expiresAt, but nsecbunkerd reads expiresAt only in validateToken at connect/redeem time — the sign-time ACL never checks it (materialised SigningConditions carry no expiry; the policy join filters revokedAt only). So TTL bounds only the un-redeemed connect window, not an established binding; revoke_key_user is the real post-bind cutoff. Same ACL-ordering class as the revoke finding (#22). Tracked at aiolabs/nsecbunkerd#24. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
fix(fleet-ui): wrap pair-dialog steps in template v-if/v-else
2026-06-19 00:59:29 +02:00 · 2026-06-19 00:59:29 +02:00
2 changed files with 17 additions and 8 deletions
--- a/pairing.py
+++ b/pairing.py
@ -165,10 +165,15 @@ async def pair_spire(
    """Mint a bunker-held key + scoped connect token for `machine` and
    return the seed URL the spire redeems at first boot.

-    `duration_hours` (optional, aiolabs/lnbits#54 item 2) sets a TTL on the
-    spire's connect token — the bunker stamps `expiresAt` and rejects the
-    token once it lapses, forcing a re-pair. None = non-expiring (the only
-    invalidation path is then revoke, `revoke_spire`).
+    `duration_hours` (optional, aiolabs/lnbits#54 item 2) stamps `expiresAt`
+    on the spire's connect token. NOTE: this bounds ONLY the window in which
+    an *un-redeemed* token can first connect — nsecbunkerd reads `expiresAt`
+    solely in `validateToken` at redeem time. Once the spire has connected
+    and its per-KeyUser grants are materialized, an expired token keeps
+    signing (the sign-time ACL never checks `expiresAt`; same ACL-ordering
+    subtlety as the revoke finding, #22). The real post-bind cutoff is
+    `revoke_spire` (`revoke_key_user`), not TTL. Post-bind TTL enforcement is
+    tracked at aiolabs/nsecbunkerd#24. None = non-expiring connect window.

    `admin_client` must already be connected (the caller owns the
    `async with NsecBunkerAdminClient.from_settings()` context) — keeps
--- a/templates/spirekeeper/index.html
+++ b/templates/spirekeeper/index.html
@ -855,7 +855,8 @@
        </q-card-section>

        <!-- Step 1 — configure + generate -->
-        <q-card-section v-if="!pairDialog.result">
+        <template v-if="!pairDialog.result">
+        <q-card-section>
          <p class="text-caption q-mb-md" :style="{opacity: 0.7}">
            Mints a dedicated signing key for
            <b v-text="(pairDialog.machine && pairDialog.machine.name) || 'this spire'"></b>
@ -880,16 +881,18 @@
            class="q-mb-md"
            dense outlined></q-input>
        </q-card-section>
-        <q-card-actions v-if="!pairDialog.result" align="right" class="text-primary">
+        <q-card-actions align="right" class="text-primary">
          <q-btn flat label="Cancel" v-close-popup></q-btn>
          <q-btn
            color="primary" label="Generate seed URL" icon="vpn_key"
            :loading="pairDialog.saving"
            @click="submitPair"></q-btn>
        </q-card-actions>
+        </template>

        <!-- Step 2 — show the seed URL -->
-        <q-card-section v-else>
+        <template v-else>
+        <q-card-section>
          <q-banner dense rounded class="bg-green-1 text-grey-9 q-mb-md">
            <template v-slot:avatar>
              <q-icon name="check_circle" color="green"></q-icon>
@ -928,9 +931,10 @@
            </q-btn>
          </div>
        </q-card-section>
-        <q-card-actions v-else align="right" class="text-primary">
+        <q-card-actions align="right" class="text-primary">
          <q-btn flat label="Done" color="primary" v-close-popup></q-btn>
        </q-card-actions>
+        </template>
      </q-card>
    </q-dialog>