docs(pairing): TTL + token-revoke now enforced post-bind (nsecbunkerd#27) #28

Merged
padreug merged 1 commit from docs/ttl-revoke-enforced-post-bind into main 2026-06-20 10:05:37 +00:00
Owner

Reverses the docstring guidance shipped in #27 (the spirekeeper PR) one day prior, after nsecbunkerd#27 landed and was deployed (2026-06-19).

What changed in the bunker

nsecbunkerd#27 (merge 992c6a8, Option D / closes nsecbunkerd#24/#25/#12) makes the sign-time ACL evaluate token lifecycle live on every request:

  • checkIfPubkeyAllowed step 4 joins the Token through liveWhere(now) = { revokedAt: null, OR: [expiresAt null, expiresAt > now] }.
  • applyToken stopped photocopying policy rules into per-KeyUser SigningCondition rows, so step 4 is the single live source of truth (no materialized grant can outlive its token).

Verified against the deployed dev tree before writing this.

Consequence — two prior claims reversed

  1. duration_hours / token expiresAt IS now enforced post-bind. An expired token stops signing on the next request, not just at first connect. The previous docstring ("connect-window-only", pointing at the now-closed nsecbunkerd#24) is corrected.
  2. Token-revoke is no longer a post-redeem no-op — closes the spirekeeper#22 mechanism bunker-side.

What did not change

revoke_spire still calls revoke_key_user (sets KeyUser.revokedAt, the step-2 subject-level ban). That cuts the whole binding regardless of how many tokens were issued — the right semantics for "revoke this spire" — whereas token-revoke severs only one token's grant. So the code is unchanged; only the rationale docstring + one test comment are updated.

Doc/comment only — no logic touched. 20 pairing tests green.

🤖 Generated with Claude Code

docs(pairing): TTL + token-revoke now enforced post-bind (nsecbunkerd#27)
Some checks failed
ci.yml / docs(pairing): TTL + token-revoke now enforced post-bind (nsecbunkerd#27) (pull_request) Failing after 0s
b193f6262d
nsecbunkerd#27 (deployed 2026-06-19) reverses the #24 finding: the
sign-time ACL now evaluates token lifecycle live on every request
(checkIfPubkeyAllowed step 4 joins through a liveWhere filter;
applyToken stopped photocopying grants into SigningConditions). So:

- duration_hours / token expiresAt now bounds an ESTABLISHED binding —
  an expired token stops signing post-bind, not just at connect. The
  prior docstring (connect-window-only, pointing at the now-closed
  nsecbunkerd#24) is corrected.
- Token-revoke is no longer a post-redeem no-op (closes the #22
  mechanism bunker-side). revoke_spire keeps using revoke_key_user
  because that's the subject-level ban cutting the whole binding, not
  just one token's grant — rationale updated, behavior unchanged.

Doc/comment only; 20 pairing tests green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
padreug deleted branch docs/ttl-revoke-enforced-post-bind 2026-06-20 10:05:37 +00:00
Reference
aiolabs/spirekeeper!28