M3b: trust-auth RS verification crate by aliXsed · Pull Request #13 · NodleCode/trust-relay

aliXsed · 2026-06-05T05:05:48Z

Summary

Adds crates/trust-auth — the resource-server JWT verifier from the M3 roadmap. Rust backends (beacon-relay first) can verify trust-relay bearer tokens locally via cached JWKS without calling trust-relay on the hot path.

Also aligns trust-relay token minting with ADR 0004: drops tier/att from emitted AccessTokenClaims (reserved in TOKEN-SPEC, not emitted).

Live E2E: new tests/trust_auth_e2e.rs spins up trust-relay and verifies a full SIWE → session JWT flow through trust-auth (CI job trust-auth-e2e).

SIWE nonce fix: GET /v1/auth/nonce now issues 32-char hex (no hyphens) and the parser enforces alphanumeric nonces — required for EIP-4361 ABNF compliance and the siwe npm library used in the polyglot test (#14).

What's in `trust-auth`

Component	Purpose
`TokenVerifier`	JWKS fetch/cache + signature + iss/aud/time checks
`AuthedWallet`	`address` (`sub`), `scopes`, `jti`, `issuer`, `expires_at`
`BearerAuth`	Axum extractor (`Authorization: Bearer`)
`verify_scope`	TOKEN-SPEC step 8 → `403 insufficient_scope`
`AuthError`	`401`/`403` + `WWW-Authenticate: Bearer error="invalid_token"`

Revocation and quota remain in the adopting service (HTTP consume or future Redis replica per ADR 0003).

Workspace

Root Cargo.toml is now a workspace: members = [".", "crates/trust-auth"]. CI cargo fmt/clippy/test --workspace covers both crates.

Test plan

cargo fmt --check, cargo clippy -- -D warnings, cargo test --workspace
trust-auth integration tests: verify happy path, missing scope, wrong issuer
tests/trust_auth_e2e.rs: live trust-relay ↔ trust-auth JWT verification
tests/session.rs still passes (no tier in minted token)
SIWE conformance: rejects non-alphanumeric nonces (matches reference oracle)

Follow-up

Add Node.js polyglot E2E (SIWE + JWT/JWKS) #14 — Node.js polyglot E2E (siwe + jose + viem)
Adopt trust-auth in beacon-relay ingest middleware (separate PR in beacon-relay repo)

Introduce a Cargo workspace with crates/trust-auth for resource-server JWT verification: JWKS fetch/cache, TOKEN-SPEC steps 2–8 (signature, issuer, aud, time, scope), AuthedWallet, and an Axum BearerAuth extractor with RFC 6750 error responses. Align trust-relay minting with ADR 0004 by dropping tier/att from AccessTokenClaims (reserved in TOKEN-SPEC, not emitted). Update session tests and AGENTS.md workspace layout.

github-actions · 2026-06-05T05:07:16Z

Coverage report

Thresholds: 80% line · 78% region (condition)

✅ Coverage meets the required threshold.

Summary

/home/runner/work/trust-relay/trust-relay/src/bootstrap.rs:
    1|       |//! Store and service wiring for production and tests.
    2|       |
    3|       |use std::sync::Arc;
    4|       |
    5|       |use crate::{
    6|       |    config::Config,
    7|       |    error::AppError,
    8|       |    middleware::rate_limit::{new_nonce_rate_limiter, RateLimiter},
    9|       |    services::{
   10|       |        heuristics::HeuristicsService, nonce::NonceService, quota::QuotaService,
   11|       |        refresh::RefreshService, revocation::RevocationService, token::TokenService,
   12|       |    },
   13|       |    store::heuristics::{HeuristicsStore, InMemoryHeuristicsStore, RedisHeuristicsStore},
   14|       |    store::nonce::{InMemoryNonceStore, NonceStore, RedisNonceStore},
   15|       |    store::quota::{InMemoryQuotaStore, QuotaStore, RedisQuotaStore},
   16|       |    store::refresh::{InMemoryRefreshStore, RedisRefreshStore, RefreshStore},
   17|       |    store::revocation::{InMemoryRevocationStore, RedisRevocationStore, RevocationStore},
   18|       |};
   19|       |
   20|       |impl From<redis::RedisError> for AppError {
   21|      1|    fn from(e: redis::RedisError) -> Self {
   22|      1|        Self::Internal(format!("redis: {e}"))
   23|      1|    }
   24|       |}
   25|       |
   26|     28|pub async fn build_nonce_store(config: &Config) -> Result<Arc<dyn NonceStore>, AppError> {
   27|     28|    if config.uses_redis() {
   28|     25|        Ok(Arc::new(RedisNonceStore::connect(&config.redis.url).await?))
                                                                                   ^0
   29|       |    } else {
   30|      3|        Ok(Arc::new(InMemoryNonceStore::default()))
   31|       |    }
   32|     28|}
   33|       |
   34|     26|pub fn build_nonce_service(config: &Config, store: Arc<dyn NonceStore>) -> Arc<NonceService> {
   35|     26|    Arc::new(NonceService::new(store, config.auth.clone()))
   36|     26|}
   37|       |
   38|     26|pub fn build_nonce_rate_limiter(config: &Config) -> Arc<RateLimiter> {
   39|     26|    new_nonce_rate_limiter(config.rate_limit.nonce_per_ip_per_minute)
   40|     26|}
   41|       |
   42|     27|pub fn build_token_service(config: &Config) -> Result<Arc<TokenService>, AppError> {
   43|     27|    Ok(Arc::new(TokenService::new(config.signing.clone())?))
                                                                       ^0
   44|     27|}
   45|       |
   46|     26|pub async fn build_revocation_store(config: &Config) -> Result<Arc<dyn RevocationStore>, AppError> {
   47|     26|    if config.uses_redis() {
   48|     24|        Ok(Arc::new(
   49|     24|            RedisRevocationStore::connect(&config.redis.url).await?,
                                                                                ^0
   50|       |        ))
   51|       |    } else {
   52|      2|        Ok(Arc::new(InMemoryRevocationStore::default()))
   53|       |    }
   54|     26|}
   55|       |
   56|     26|pub fn build_revocation_service(store: Arc<dyn RevocationStore>) -> Arc<RevocationService> {
   57|     26|    Arc::new(RevocationService::new(store))
   58|     26|}
   59|       |
   60|     26|pub async fn build_refresh_store(config: &Config) -> Result<Arc<dyn RefreshStore>, AppError> {
   61|     26|    if config.uses_redis() {
   62|     24|        Ok(Arc::new(
   63|     24|            RedisRefreshStore::connect(&config.redis.url).await?,
                                                                             ^0
   64|       |        ))
   65|       |    } else {
   66|      2|        Ok(Arc::new(InMemoryRefreshStore::default()))
   67|       |    }
   68|     26|}
   69|       |
   70|     26|pub fn build_refresh_service(config: &Config, store: Arc<dyn RefreshStore>) -> Arc<RefreshService> {
   71|     26|    Arc::new(RefreshService::new(store, config.auth.clone()))
   72|     26|}
   73|       |
   74|     26|pub async fn build_heuristics_store(config: &Config) -> Result<Arc<dyn HeuristicsStore>, AppError> {
   75|     26|    if config.uses_redis() {
   76|     24|        Ok(Arc::new(
   77|     24|            RedisHeuristicsStore::connect(&config.redis.url).await?,
                                                                                ^0
   78|       |        ))
   79|       |    } else {
   80|      2|        Ok(Arc::new(InMemoryHeuristicsStore::default()))
   81|       |    }
   82|     26|}
   83|       |
   84|     26|pub fn build_heuristics_service(store: Arc<dyn HeuristicsStore>) -> Arc<HeuristicsService> {
   85|     26|    Arc::new(HeuristicsService::new(store))
   86|     26|}
   87|       |
   88|     26|pub async fn build_quota_store(config: &Config) -> Result<Arc<dyn QuotaStore>, AppError> {
   89|     26|    if config.uses_redis() {
   90|     24|        Ok(Arc::new(RedisQuotaStore::connect(&config.redis.url).await?))
                                                                                   ^0
   91|       |    } else {
   92|      2|        Ok(Arc::new(InMemoryQuotaStore::default()))
   93|       |    }
   94|     26|}
   95|       |
   96|     26|pub fn build_quota_service(config: &Config, store: Arc<dyn QuotaStore>) -> Arc<QuotaService> {
   97|     26|    Arc::new(QuotaService::new(store, config.quota.clone()))
   98|     26|}
   99|       |
  100|       |#[cfg(test)]
  101|       |mod tests {
  102|       |    use super::*;
  103|       |
  104|       |    #[test]
  105|      1|    fn redis_error_converts_to_internal_app_error() {
  106|      1|        let redis_err = redis::RedisError::from((redis::ErrorKind::IoError, "connection refused"));
  107|      1|        let app: AppError = redis_err.into();
  108|      1|        assert!(matches!(app, AppError::Internal(_)));
                              ^0
  109|      1|    }
  110|       |
  111|       |    #[tokio::test]
  112|      1|    async fn build_nonce_store_uses_memory_without_redis_url() {
  113|      1|        let mut cfg = Config::load().expect("config should load");
  114|      1|        cfg.redis.url.clear();
  115|      1|        let store = build_nonce_store(&cfg)
  116|      1|            .await
  117|      1|            .expect("in-memory store should build");
  118|      1|        let now = time::OffsetDateTime::now_utc();
  119|      1|        let record = crate::store::nonce::NonceRecord {
  120|      1|            issued_at: now,
  121|      1|            expires_at: now + time::Duration::seconds(30),
  122|      1|            client_ip: None,
  123|      1|            used: false,
  124|      1|        };
  125|      1|        store.put("n", &record).await.unwrap();
  126|      1|        assert!(store.get("n").await.unwrap().is_some());
  127|      1|    }
  128|       |
  129|       |    #[test]
  130|      1|    fn build_token_service_succeeds() {
  131|      1|        let cfg = Config::load().expect("config should load");
  132|      1|        let token = build_token_service(&cfg).expect("token service should build");
  133|      1|        assert_eq!(token.kid(), cfg.signing.kid);
  134|      1|    }
  135|       |}

/home/runner/work/trust-relay/trust-relay/src/config.rs:
    1|       |//! Figment-based configuration loading.
    2|       |
    3|       |use std::collections::HashMap;
    4|       |
    5|       |use figment::{
    6|       |    providers::{Env, Format, Toml},
    7|       |    Figment,
    8|       |};
    9|       |use serde::Deserialize;
   10|       |
   11|       |#[derive(Debug, Clone, Deserialize)]
   12|       |pub struct Config {
   13|       |    pub server: ServerConfig,
   14|       |    pub telemetry: TelemetryConfig,
   15|       |    pub redis: RedisConfig,
   16|       |    pub auth: AuthConfig,
   17|       |    pub rate_limit: RateLimitConfig,
   18|       |    pub signing: SigningConfig,
   19|       |    pub quota: QuotaConfig,
   20|       |}
   21|       |
   22|       |/// Which HTTP routes this process exposes (see `docs/DEPLOYMENT.md`).
   23|       |#[derive(Debug, Clone, Copy, PartialEq, Eq, Deserialize, Default, serde::Serialize)]
   24|       |#[serde(rename_all = "lowercase")]
   25|       |pub enum ExposeMode {
   26|       |    /// All routes (local dev and single-process deploys).
   27|       |    #[default]
   28|       |    All,
   29|       |    /// Internet-facing: SIWE ceremony, JWKS, logout; no RS quota APIs.
   30|       |    Public,
   31|       |    /// VPC-only: quota consume and related backend helpers; plus `/healthz`.
   32|       |    Internal,
   33|       |}
   34|       |
   35|       |#[derive(Debug, Clone, Deserialize)]
   36|       |pub struct ServerConfig {
   37|       |    pub host: String,
   38|       |    pub port: u16,
   39|       |    #[serde(default)]
   40|       |    pub expose: ExposeMode,
   41|       |}
   42|       |
   43|       |#[derive(Debug, Clone, Deserialize)]
   44|       |pub struct TelemetryConfig {
   45|       |    pub format: String,
   46|       |    pub filter: String,
   47|       |}
   48|       |
   49|       |#[derive(Debug, Clone, Deserialize)]
   50|       |pub struct RedisConfig {
   51|       |    pub url: String,
   52|       |    pub pool_size: u32,
   53|       |}
   54|       |
   55|       |#[derive(Debug, Clone, Deserialize)]
   56|       |pub struct AuthConfig {
   57|       |    pub nonce_ttl_secs: u32,
   58|       |    pub domain: String,
   59|       |    pub uri: String,
   60|       |    pub chain_id: u64,
   61|       |    /// Scopes granted on wallet-tier `POST /v1/auth/session` (paid-scope gating is M5).
   62|       |    #[serde(default = "default_wallet_scopes")]
   63|       |    pub default_scopes: Vec<String>,
   64|       |    /// Opaque refresh token lifetime (~7 days default).
   65|       |    #[serde(default = "default_refresh_token_ttl_secs")]
   66|       |    pub refresh_token_ttl_secs: u32,
   67|       |    /// When false, session responses omit `refreshToken` (access-only mode).
   68|       |    #[serde(default = "default_issue_refresh_tokens")]
   69|       |    pub issue_refresh_tokens: bool,
   70|       |}
   71|       |
   72|      1|fn default_refresh_token_ttl_secs() -> u32 {
   73|      1|    604_800
   74|      1|}
   75|       |
   76|      1|fn default_issue_refresh_tokens() -> bool {
   77|      1|    true
   78|      1|}
   79|       |
   80|      1|fn default_wallet_scopes() -> Vec<String> {
   81|      1|    vec![
   82|      1|        "ai:invoke".into(),
   83|      1|        "mint:request".into(),
   84|      1|        "scan:submit".into(),
   85|      1|        "profile:read".into(),
   86|       |    ]
   87|      1|}
   88|       |
   89|       |#[derive(Debug, Clone, Deserialize)]
   90|       |pub struct RateLimitConfig {
   91|       |    pub nonce_per_ip_per_minute: u32,
   92|       |}
   93|       |
   94|       |#[derive(Debug, Clone, Deserialize)]
   95|       |pub struct QuotaConfig {
   96|       |    #[serde(default = "default_quota_enabled")]
   97|       |    pub enabled: bool,
   98|       |    #[serde(default = "default_quota_window_secs")]
   99|       |    pub window_secs: u32,
  100|       |    #[serde(default = "default_paid_scopes")]
  101|       |    pub paid_scopes: Vec<String>,
  102|       |    #[serde(default)]
  103|       |    pub limits: QuotaLimitTiers,
  104|       |}
  105|       |
  106|      0|fn default_quota_enabled() -> bool {
  107|      0|    true
  108|      0|}
  109|       |
  110|      1|fn default_quota_window_secs() -> u32 {
  111|      1|    86_400
  112|      1|}
  113|       |
  114|      1|fn default_paid_scopes() -> Vec<String> {
  115|      1|    vec!["ai:invoke".into(), "mint:request".into()]
  116|      1|}
  117|       |
  118|       |#[derive(Debug, Clone, Deserialize)]
  119|       |pub struct QuotaLimitTiers {
  120|       |    #[serde(default = "default_new_wallet_limits")]
  121|       |    pub new_wallet: HashMap<String, u64>,
  122|       |    #[serde(default = "default_established_limits")]
  123|       |    pub established: HashMap<String, u64>,
  124|       |}
  125|       |
  126|      1|fn default_new_wallet_limits() -> HashMap<String, u64> {
  127|      1|    HashMap::from([("ai:invoke".into(), 10), ("mint:request".into(), 2)])
  128|      1|}
  129|       |
  130|      1|fn default_established_limits() -> HashMap<String, u64> {
  131|      1|    HashMap::from([("ai:invoke".into(), 1_000), ("mint:request".into(), 50)])
  132|      1|}
  133|       |
  134|       |impl Default for QuotaLimitTiers {
  135|      1|    fn default() -> Self {
  136|      1|        Self {
  137|      1|            new_wallet: default_new_wallet_limits(),
  138|      1|            established: default_established_limits(),
  139|      1|        }
  140|      1|    }
  141|       |}
  142|       |
  143|       |#[derive(Debug, Clone, Deserialize)]
  144|       |pub struct SigningConfig {
  145|       |    pub issuer: String,
  146|       |    pub audience: String,
  147|       |    pub kid: String,
  148|       |    pub access_token_ttl_secs: u32,
  149|       |    /// Base64-encoded 32-byte Ed25519 seed. Empty generates an ephemeral dev key at startup.
  150|       |    pub key_seed_b64: String,
  151|       |}
  152|       |
  153|       |impl Config {
  154|       |    /// Load config: `config/default.toml` -> `config/{APP_ENV}.toml` ->
  155|       |    /// `APP_`-prefixed env vars (nested via `__`).
  156|     34|    pub fn load() -> Result<Self, Box<figment::Error>> {
  157|     34|        let env = std::env::var("APP_ENV").unwrap_or_else(|_| "development".into());
                                                                            ^32           ^32
  158|     34|        Figment::new()
  159|     34|            .merge(Toml::file("config/default.toml"))
  160|     34|            .merge(Toml::file(format!("config/{env}.toml")))
  161|     34|            .merge(Env::prefixed("APP_").split("__"))
  162|     34|            .extract()
  163|     34|            .map_err(Box::new)
  164|     34|    }
  165|       |
  166|       |    /// Use Redis when `redis.url` is non-empty.
  167|    135|    pub fn uses_redis(&self) -> bool {
  168|    135|        !self.redis.url.trim().is_empty()
  169|    135|    }
  170|       |}
  171|       |
  172|       |#[cfg(test)]
  173|       |mod tests {
  174|       |    use super::*;
  175|       |
  176|       |    #[test]
  177|      1|    fn expose_mode_deserializes_lowercase() {
  178|      1|        assert_eq!(
  179|      1|            serde_json::from_str::<ExposeMode>("\"public\"").unwrap(),
  180|       |            ExposeMode::Public
  181|       |        );
  182|      1|        assert_eq!(
  183|      1|            serde_json::from_str::<ExposeMode>("\"internal\"").unwrap(),
  184|       |            ExposeMode::Internal
  185|       |        );
  186|      1|    }
  187|       |
  188|       |    #[test]
  189|      1|    fn uses_redis_when_url_is_non_empty() {
  190|      1|        let cfg = Config {
  191|      1|            server: ServerConfig {
  192|      1|                host: "127.0.0.1".into(),
  193|      1|                port: 3001,
  194|      1|                expose: ExposeMode::All,
  195|      1|            },
  196|      1|            telemetry: TelemetryConfig {
  197|      1|                format: "pretty".into(),
  198|      1|                filter: "info".into(),
  199|      1|            },
  200|      1|            redis: RedisConfig {
  201|      1|                url: "redis://127.0.0.1/".into(),
  202|      1|                pool_size: 1,
  203|      1|            },
  204|      1|            auth: AuthConfig {
  205|      1|                nonce_ttl_secs: 120,
  206|      1|                domain: "localhost".into(),
  207|      1|                uri: "http://localhost".into(),
  208|      1|                chain_id: 1,
  209|      1|                default_scopes: default_wallet_scopes(),
  210|      1|                refresh_token_ttl_secs: default_refresh_token_ttl_secs(),
  211|      1|                issue_refresh_tokens: default_issue_refresh_tokens(),
  212|      1|            },
  213|      1|            rate_limit: RateLimitConfig {
  214|      1|                nonce_per_ip_per_minute: 30,
  215|      1|            },
  216|      1|            signing: SigningConfig {
  217|      1|                issuer: "http://localhost:3001".into(),
  218|      1|                audience: "nodle-backend".into(),
  219|      1|                kid: "test-key".into(),
  220|      1|                access_token_ttl_secs: 3600,
  221|      1|                key_seed_b64: String::new(),
  222|      1|            },
  223|      1|            quota: QuotaConfig {
  224|      1|                enabled: true,
  225|      1|                window_secs: default_quota_window_secs(),
  226|      1|                paid_scopes: default_paid_scopes(),
  227|      1|                limits: QuotaLimitTiers::default(),
  228|      1|            },
  229|      1|        };
  230|      1|        assert!(cfg.uses_redis());
  231|      1|        let mut empty = cfg;
  232|      1|        empty.redis.url.clear();
  233|      1|        assert!(!empty.uses_redis());
  234|      1|        empty.redis.url = "   ".into();
  235|      1|        assert!(!empty.uses_redis());
  236|      1|    }
  237|       |}

/home/runner/work/trust-relay/trust-relay/src/error.rs:
    1|       |//! Application errors mapped to TOKEN-SPEC HTTP responses.
    2|       |
    3|       |use axum::{
    4|       |    http::{HeaderValue, StatusCode},
    5|       |    response::{IntoResponse, Response},
    6|       |    Json,
    7|       |};
    8|       |use serde::Serialize;
    9|       |use thiserror::Error;
   10|       |
   11|       |/// Machine-readable auth error codes from TOKEN-SPEC §8.
   12|       |#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize)]
   13|       |#[serde(rename_all = "snake_case")]
   14|       |pub enum ErrorCode {
   15|       |    InvalidRequest,
   16|       |    InvalidNonce,
   17|       |    NonceExpired,
   18|       |    NonceUsed,
   19|       |    InvalidSignature,
   20|       |    InvalidToken,
   21|       |    InsufficientScope,
   22|       |    WalletBlocked,
   23|       |    QuotaExceeded,
   24|       |    RateLimited,
   25|       |    Internal,
   26|       |}
   27|       |
   28|       |impl ErrorCode {
   29|     25|    pub fn as_str(self) -> &'static str {
   30|     25|        match self {
   31|      3|            Self::InvalidRequest => "invalid_request",
   32|      2|            Self::InvalidNonce => "invalid_nonce",
   33|      1|            Self::NonceExpired => "nonce_expired",
   34|      2|            Self::NonceUsed => "nonce_used",
   35|      2|            Self::InvalidSignature => "invalid_signature",
   36|      4|            Self::InvalidToken => "invalid_token",
   37|      0|            Self::InsufficientScope => "insufficient_scope",
   38|      1|            Self::WalletBlocked => "wallet_blocked",
   39|      1|            Self::QuotaExceeded => "quota_exceeded",
   40|      8|            Self::RateLimited => "rate_limited",
   41|      1|            Self::Internal => "internal_error",
   42|       |        }
   43|     25|    }
   44|       |}
   45|       |
   46|       |#[derive(Debug, Serialize)]
   47|       |struct ErrorBody<'a> {
   48|       |    error: &'a str,
   49|       |    #[serde(skip_serializing_if = "Option::is_none")]
   50|       |    error_description: Option<&'a str>,
   51|       |}
   52|       |
   53|       |#[derive(Debug, Error)]
   54|       |pub enum AppError {
   55|       |    #[error("{0}")]
   56|       |    InvalidRequest(String),
   57|       |    #[error("{0}")]
   58|       |    InvalidNonce(String),
   59|       |    #[error("{0}")]
   60|       |    NonceExpired(String),
   61|       |    #[error("{0}")]
   62|       |    NonceUsed(String),
   63|       |    #[error("{0}")]
   64|       |    InvalidSignature(String),
   65|       |    #[error("{0}")]
   66|       |    InvalidToken(String),
   67|       |    #[error("{0}")]
   68|       |    InsufficientScope(String),
   69|       |    #[error("{0}")]
   70|       |    WalletBlocked(String),
   71|       |    #[error("{0}")]
   72|       |    QuotaExceeded(String),
   73|       |    #[error("{0}")]
   74|       |    RateLimited(String),
   75|       |    #[error("{0}")]
   76|       |    Internal(String),
   77|       |}
   78|       |
   79|       |impl AppError {
   80|     25|    pub fn code(&self) -> ErrorCode {
   81|     25|        match self {
   82|      3|            Self::InvalidRequest(_) => ErrorCode::InvalidRequest,
   83|      2|            Self::InvalidNonce(_) => ErrorCode::InvalidNonce,
   84|      1|            Self::NonceExpired(_) => ErrorCode::NonceExpired,
   85|      2|            Self::NonceUsed(_) => ErrorCode::NonceUsed,
   86|      2|            Self::InvalidSignature(_) => ErrorCode::InvalidSignature,
   87|      4|            Self::InvalidToken(_) => ErrorCode::InvalidToken,
   88|      0|            Self::InsufficientScope(_) => ErrorCode::InsufficientScope,
   89|      1|            Self::WalletBlocked(_) => ErrorCode::WalletBlocked,
   90|      1|            Self::QuotaExceeded(_) => ErrorCode::QuotaExceeded,
   91|      8|            Self::RateLimited(_) => ErrorCode::RateLimited,
   92|      1|            Self::Internal(_) => ErrorCode::Internal,
   93|       |        }
   94|     25|    }
   95|       |
   96|     40|    pub fn status(&self) -> StatusCode {
   97|     40|        match self {
   98|       |            Self::InvalidRequest(_)
   99|       |            | Self::InvalidNonce(_)
  100|       |            | Self::NonceExpired(_)
  101|     14|            | Self::NonceUsed(_) => StatusCode::BAD_REQUEST,
  102|      8|            Self::InvalidSignature(_) | Self::InvalidToken(_) => StatusCode::UNAUTHORIZED,
  103|      3|            Self::InsufficientScope(_) | Self::WalletBlocked(_) => StatusCode::FORBIDDEN,
  104|     12|            Self::QuotaExceeded(_) | Self::RateLimited(_) => StatusCode::TOO_MANY_REQUESTS,
  105|      3|            Self::Internal(_) => StatusCode::INTERNAL_SERVER_ERROR,
  106|       |        }
  107|     40|    }
  108|       |
  109|     25|    fn description(&self) -> &str {
  110|     25|        match self {
  111|      3|            Self::InvalidRequest(m)
  112|      2|            | Self::InvalidNonce(m)
  113|      1|            | Self::NonceExpired(m)
  114|      2|            | Self::NonceUsed(m)
  115|      2|            | Self::InvalidSignature(m)
  116|      4|            | Self::InvalidToken(m)
  117|      0|            | Self::InsufficientScope(m)
  118|      1|            | Self::WalletBlocked(m)
  119|      1|            | Self::QuotaExceeded(m)
  120|      8|            | Self::RateLimited(m)
  121|     25|            | Self::Internal(m) => m,
                                           ^1
  122|       |        }
  123|     25|    }
  124|       |}
  125|       |
  126|       |impl IntoResponse for AppError {
  127|     25|    fn into_response(self) -> Response {
  128|     25|        let status = self.status();
  129|     25|        let code = self.code();
  130|     25|        let body = ErrorBody {
  131|     25|            error: code.as_str(),
  132|     25|            error_description: Some(self.description()),
  133|     25|        };
  134|       |
  135|     25|        let mut response = (status, Json(body)).into_response();
  136|     25|        if status == StatusCode::UNAUTHORIZED {
  137|      6|            if let Ok(value) = HeaderValue::from_str(r#"Bearer error="invalid_token""#) {
  138|      6|                response
  139|      6|                    .headers_mut()
  140|      6|                    .insert(axum::http::header::WWW_AUTHENTICATE, value);
  141|      6|            }
                          ^0
  142|     19|        }
  143|     25|        response
  144|     25|    }
  145|       |}
  146|       |
  147|       |#[cfg(test)]
  148|       |mod tests {
  149|       |    use super::*;
  150|       |
  151|       |    #[tokio::test]
  152|      1|    async fn invalid_token_maps_to_401_with_www_authenticate() {
  153|      1|        let response = AppError::InvalidToken("expired".into()).into_response();
  154|      1|        assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
  155|      1|        assert!(response
  156|      1|            .headers()
  157|      1|            .get(axum::http::header::WWW_AUTHENTICATE)
  158|      1|            .is_some());
  159|       |
  160|      1|        let body = axum::body::to_bytes(response.into_body(), usize::MAX)
  161|      1|            .await
  162|      1|            .unwrap();
  163|      1|        let json: serde_json::Value = serde_json::from_slice(&body).unwrap();
  164|      1|        assert_eq!(json["error"], "invalid_token");
  165|      1|        assert_eq!(json["error_description"], "expired");
  166|      1|    }
  167|       |
  168|       |    #[tokio::test]
  169|      1|    async fn rate_limited_maps_to_429() {
  170|      1|        let response = AppError::RateLimited("too many requests".into()).into_response();
  171|      1|        assert_eq!(response.status(), StatusCode::TOO_MANY_REQUESTS);
  172|      1|    }
  173|       |
  174|       |    #[tokio::test]
  175|      1|    async fn nonce_errors_map_to_bad_request() {
  176|      3|        for err in [
                      ^1
  177|      1|            AppError::InvalidNonce("bad".into()),
  178|      1|            AppError::NonceExpired("old".into()),
  179|      1|            AppError::NonceUsed("again".into()),
  180|      1|        ] {
  181|      3|            let response = err.into_response();
  182|      3|            assert_eq!(response.status(), StatusCode::BAD_REQUEST);
  183|      1|        }
  184|      1|    }
  185|       |}

/home/runner/work/trust-relay/trust-relay/src/main.rs:
    1|       |//! Trust Relay — entry point.
    2|       |//!
    3|       |//! Boot order: load config -> init tracing -> build router -> serve.
    4|       |//! This is the phase-0 seed: only `GET /healthz` is wired. The SIWE grant,
    5|       |//! JWKS endpoint, and token issuance land per docs/ARCHITECTURE.md.
    6|       |
    7|       |use trust_relay::{config, server};
    8|       |
    9|       |#[tokio::main]
   10|      0|async fn main() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
   11|      0|    server::run(config::Config::load()?).await
   12|      0|}

/home/runner/work/trust-relay/trust-relay/src/middleware/rate_limit.rs:
    1|       |//! Per-IP rate limiting for nonce issuance.
    2|       |
    3|       |use std::net::IpAddr;
    4|       |use std::sync::Arc;
    5|       |use std::time::{Duration, Instant};
    6|       |
    7|       |use dashmap::DashMap;
    8|       |
    9|       |use crate::error::AppError;
   10|       |
   11|       |#[derive(Clone)]
   12|       |pub struct RateLimiter {
   13|       |    limits: DashMap<IpAddr, Vec<Instant>>,
   14|       |    max_per_window: u32,
   15|       |    window: Duration,
   16|       |}
   17|       |
   18|       |impl RateLimiter {
   19|     26|    pub fn new(max_per_window: u32, window: Duration) -> Self {
   20|     26|        Self {
   21|     26|            limits: DashMap::new(),
   22|     26|            max_per_window,
   23|     26|            window,
   24|     26|        }
   25|     26|    }
   26|       |
   27|     52|    pub fn check(&self, ip: IpAddr) -> Result<(), AppError> {
   28|     52|        let now = Instant::now();
   29|     52|        let mut entry = self.limits.entry(ip).or_default();
   30|    616|        entry.retain(|t| now.duration_since(*t) < self.window);
                      ^52   ^52
   31|     52|        if entry.len() >= self.max_per_window as usize {
   32|      6|            return Err(AppError::RateLimited("nonce rate limit exceeded".into()));
   33|     46|        }
   34|     46|        entry.push(now);
   35|     46|        Ok(())
   36|     52|    }
   37|       |}
   38|       |
   39|     26|pub fn new_nonce_rate_limiter(max_per_minute: u32) -> Arc<RateLimiter> {
   40|     26|    Arc::new(RateLimiter::new(max_per_minute, Duration::from_secs(60)))
   41|     26|}

/home/runner/work/trust-relay/trust-relay/src/routes/auth.rs:
    1|       |//! Authentication endpoints.
    2|       |
    3|       |use std::net::IpAddr;
    4|       |
    5|       |use axum::{
    6|       |    extract::State,
    7|       |    http::{HeaderMap, StatusCode},
    8|       |    Json,
    9|       |};
   10|       |use serde::{Deserialize, Serialize};
   11|       |use time::format_description::well_known::Rfc3339;
   12|       |
   13|       |use crate::{
   14|       |    error::AppError, models::claims::AccessTokenClaims, services::siwe::verify_siwe_session,
   15|       |    state::AppState,
   16|       |};
   17|       |
   18|       |#[derive(Serialize)]
   19|       |pub struct NonceResponse {
   20|       |    pub nonce: String,
   21|       |    #[serde(rename = "expiresAt")]
   22|       |    pub expires_at: String,
   23|       |}
   24|       |
   25|       |#[derive(Deserialize)]
   26|       |pub struct SessionRequest {
   27|       |    pub message: String,
   28|       |    pub signature: String,
   29|       |}
   30|       |
   31|       |#[derive(Serialize)]
   32|       |pub struct SessionResponse {
   33|       |    #[serde(rename = "accessToken")]
   34|       |    pub access_token: String,
   35|       |    #[serde(rename = "tokenType")]
   36|       |    pub token_type: &'static str,
   37|       |    #[serde(rename = "expiresIn")]
   38|       |    pub expires_in: u32,
   39|       |    #[serde(rename = "walletAddress")]
   40|       |    pub wallet_address: String,
   41|       |    pub scopes: Vec<String>,
   42|       |    #[serde(rename = "refreshToken", skip_serializing_if = "Option::is_none")]
   43|       |    pub refresh_token: Option<String>,
   44|       |}
   45|       |
   46|       |#[derive(Deserialize)]
   47|       |pub struct RefreshRequest {
   48|       |    #[serde(rename = "refreshToken")]
   49|       |    pub refresh_token: String,
   50|       |}
   51|       |
   52|       |#[derive(Serialize)]
   53|       |pub struct RefreshResponse {
   54|       |    #[serde(rename = "accessToken")]
   55|       |    pub access_token: String,
   56|       |    #[serde(rename = "expiresIn")]
   57|       |    pub expires_in: u32,
   58|       |    #[serde(rename = "refreshToken")]
   59|       |    pub refresh_token: String,
   60|       |}
   61|       |
   62|       |#[derive(Deserialize)]
   63|       |pub struct QuotaConsumeRequest {
   64|       |    pub scope: String,
   65|       |    #[serde(default = "default_quota_amount")]
   66|       |    pub amount: u64,
   67|       |}
   68|       |
   69|      4|fn default_quota_amount() -> u64 {
   70|      4|    1
   71|      4|}
   72|       |
   73|       |#[derive(Serialize)]
   74|       |pub struct QuotaConsumeResponse {
   75|       |    pub scope: String,
   76|       |    pub remaining: u64,
   77|       |    pub limit: u64,
   78|       |}
   79|       |
   80|       |#[derive(Serialize)]
   81|       |pub struct QuotaStatusResponse {
   82|       |    pub scopes: Vec<QuotaConsumeResponse>,
   83|       |}
   84|       |
   85|     52|pub async fn get_nonce(
   86|     52|    State(state): State<AppState>,
   87|     52|    headers: HeaderMap,
   88|     52|) -> Result<Json<NonceResponse>, AppError> {
   89|     52|    let ip = client_ip_from_headers(&headers)
   90|     52|        .and_then(|s| s.parse().ok())
   91|     52|        .unwrap_or(IpAddr::from([127, 0, 0, 1]));
   92|     52|    state.nonce_rate_limiter.check(ip)?;
                                                    ^6
   93|       |
   94|     46|    let client_ip = client_ip_from_headers(&headers);
   95|     46|    let issued = state.nonce.issue(client_ip).await?;
                                                                 ^0
   96|     46|    let expires_at = issued
   97|     46|        .expires_at
   98|     46|        .format(&Rfc3339)
   99|     46|        .map_err(|e| AppError::Internal(format!("timestamp format: {e}")))?;
                                                      ^0                                ^0
  100|     46|    Ok(Json(NonceResponse {
  101|     46|        nonce: issued.nonce,
  102|     46|        expires_at,
  103|     46|    }))
  104|     52|}
  105|       |
  106|     14|pub async fn post_session(
  107|     14|    State(state): State<AppState>,
  108|     14|    Json(body): Json<SessionRequest>,
  109|     14|) -> Result<Json<SessionResponse>, AppError> {
  110|     14|    let verified = verify_siwe_session(&state.config.auth, &body.message, &body.signature).await?;
                      ^13                                                                                     ^1
  111|     13|    state
  112|     13|        .revocation
  113|     13|        .ensure_wallet_active(&verified.wallet_address)
  114|     13|        .await?;
                            ^1
  115|     12|    state.nonce.validate_and_consume(&verified.nonce).await?;
                                                                         ^1
  116|       |
  117|     11|    let profile = state
  118|     11|        .heuristics
  119|     11|        .profile_for(&verified.wallet_address)
  120|     11|        .await?;
                            ^0
  121|     11|    state
  122|     11|        .quota
  123|     11|        .init_for_wallet(&verified.wallet_address, profile)
  124|     11|        .await?;
                            ^0
  125|       |
  126|     11|    let scopes = state.config.auth.default_scopes.clone();
  127|     11|    let scope_refs: Vec<&str> = scopes.iter().map(String::as_str).collect();
  128|     11|    let access_token = state.token.mint_wallet_token(
  129|     11|        &verified.wallet_address,
  130|     11|        &scope_refs,
  131|     11|        state.config.auth.chain_id,
  132|     11|    )?;
                   ^0
  133|       |
  134|     11|    let refresh_token = if state.refresh.enabled() {
  135|       |        Some(
  136|     11|            state
  137|     11|                .refresh
  138|     11|                .issue(
  139|     11|                    &verified.wallet_address,
  140|     11|                    &scopes,
  141|     11|                    state.config.auth.chain_id,
  142|     11|                )
  143|     11|                .await?
                                    ^0
  144|       |                .token,
  145|       |        )
  146|       |    } else {
  147|      0|        None
  148|       |    };
  149|       |
  150|     11|    state
  151|     11|        .heuristics
  152|     11|        .mark_established(&verified.wallet_address)
  153|     11|        .await?;
                            ^0
  154|       |
  155|     11|    Ok(Json(SessionResponse {
  156|     11|        access_token,
  157|     11|        token_type: "Bearer",
  158|     11|        expires_in: state.config.signing.access_token_ttl_secs,
  159|     11|        wallet_address: verified.wallet_address,
  160|     11|        scopes,
  161|     11|        refresh_token,
  162|     11|    }))
  163|     14|}
  164|       |
  165|       |/// `POST /v1/auth/session/refresh` — rotate opaque refresh token and mint a new access JWT.
  166|      4|pub async fn post_session_refresh(
  167|      4|    State(state): State<AppState>,
  168|      4|    Json(body): Json<RefreshRequest>,
  169|      4|) -> Result<Json<RefreshResponse>, AppError> {
  170|      4|    if !state.refresh.enabled() {
  171|      0|        return Err(AppError::InvalidRequest(
  172|      0|            "refresh tokens are not enabled".into(),
  173|      0|        ));
  174|      4|    }
  175|      4|    let rotated = state.refresh.rotate(&body.refresh_token).await?;
                      ^2                                                       ^2
  176|      2|    state
  177|      2|        .revocation
  178|      2|        .ensure_wallet_active(&rotated.record.wallet)
  179|      2|        .await?;
                            ^0
  180|      2|    state
  181|      2|        .quota
  182|      2|        .init_for_wallet(
  183|      2|            &rotated.record.wallet,
  184|      2|            crate::services::heuristics::WalletProfile::Established,
  185|      2|        )
  186|      2|        .await?;
                            ^0
  187|       |
  188|      2|    let scope_refs: Vec<&str> = rotated.record.scopes.iter().map(String::as_str).collect();
  189|      2|    let access_token = state.token.mint_wallet_token(
  190|      2|        &rotated.record.wallet,
  191|      2|        &scope_refs,
  192|      2|        rotated.record.chain_id,
  193|      2|    )?;
                   ^0
  194|       |
  195|      2|    Ok(Json(RefreshResponse {
  196|      2|        access_token,
  197|      2|        expires_in: state.config.signing.access_token_ttl_secs,
  198|      2|        refresh_token: rotated.token,
  199|      2|    }))
  200|      4|}
  201|       |
  202|       |/// `POST /v1/auth/quota/consume` — decrement a paid-scope counter (RS hot-path helper).
  203|      4|pub async fn post_quota_consume(
  204|      4|    State(state): State<AppState>,
  205|      4|    headers: HeaderMap,
  206|      4|    Json(body): Json<QuotaConsumeRequest>,
  207|      4|) -> Result<Json<QuotaConsumeResponse>, AppError> {
  208|      4|    let claims = verified_claims(&state, &headers)?;
                                                                ^0
  209|      4|    ensure_scope(&claims, &body.scope)?;
                                                    ^0
  210|      4|    let status = state
                      ^3
  211|      4|        .quota
  212|      4|        .consume(&claims.sub, &body.scope, body.amount)
  213|      4|        .await?;
                            ^1
  214|      3|    Ok(Json(QuotaConsumeResponse {
  215|      3|        scope: status.scope,
  216|      3|        remaining: status.remaining,
  217|      3|        limit: status.limit,
  218|      3|    }))
  219|      4|}
  220|       |
  221|       |/// `GET /v1/auth/quota` — remaining paid-scope quota for the bearer wallet.
  222|      2|pub async fn get_quota(
  223|      2|    State(state): State<AppState>,
  224|      2|    headers: HeaderMap,
  225|      2|) -> Result<Json<QuotaStatusResponse>, AppError> {
  226|      2|    let claims = verified_claims(&state, &headers)?;
                                                                ^0
  227|      2|    let scopes: Vec<&str> = claims.scope.split_whitespace().collect();
  228|      2|    let statuses = state.quota.status_for_scopes(&claims.sub, &scopes).await?;
                                                                                          ^0
  229|       |    Ok(Json(QuotaStatusResponse {
  230|      2|        scopes: statuses
  231|      2|            .into_iter()
  232|      2|            .map(|s| QuotaConsumeResponse {
  233|      2|                scope: s.scope,
  234|      2|                remaining: s.remaining,
  235|      2|                limit: s.limit,
  236|      2|            })
  237|      2|            .collect(),
  238|       |    }))
  239|      2|}
  240|       |
  241|       |/// `POST /v1/auth/logout` — revoke the bearer access token's `jti`.
  242|      2|pub async fn post_logout(
  243|      2|    State(state): State<AppState>,
  244|      2|    headers: HeaderMap,
  245|      2|) -> Result<StatusCode, AppError> {
  246|      2|    let token = bearer_token(&headers)?;
                      ^1                            ^1
  247|      1|    let claims = state.token.verify(&token)?;
                                                         ^0
  248|      1|    state.revocation.revoke_access_token(&claims).await?;
                                                                     ^0
  249|      1|    Ok(StatusCode::NO_CONTENT)
  250|      2|}
  251|       |
  252|      6|fn verified_claims(state: &AppState, headers: &HeaderMap) -> Result<AccessTokenClaims, AppError> {
  253|      6|    let token = bearer_token(headers)?;
                                                   ^0
  254|      6|    state.token.verify(&token)
  255|      6|}
  256|       |
  257|      4|fn ensure_scope(claims: &AccessTokenClaims, scope: &str) -> Result<(), AppError> {
  258|      4|    if claims.scope.split_whitespace().any(|s| s == scope) {
  259|      4|        Ok(())
  260|       |    } else {
  261|      0|        Err(AppError::InsufficientScope(format!(
  262|      0|            "token does not grant scope {scope}"
  263|      0|        )))
  264|       |    }
  265|      4|}
  266|       |
  267|      8|fn bearer_token(headers: &HeaderMap) -> Result<String, AppError> {
  268|      8|    let value = headers
                      ^7
  269|      8|        .get(axum::http::header::AUTHORIZATION)
  270|      8|        .and_then(|v| v.to_str().ok())
                                    ^7^7       ^7
  271|      8|        .ok_or_else(|| AppError::InvalidRequest("missing Authorization header".into()))?;
                                                              ^1                             ^1      ^1
  272|      7|    let token = value
  273|      7|        .strip_prefix("Bearer ")
  274|      7|        .or_else(|| value.strip_prefix("bearer "))
                                  ^0    ^0
  275|      7|        .ok_or_else(|| AppError::InvalidRequest("Authorization must be Bearer".into()))?;
                                                              ^0                             ^0      ^0
  276|      7|    if token.trim().is_empty() {
  277|      0|        return Err(AppError::InvalidRequest("missing bearer token".into()));
  278|      7|    }
  279|      7|    Ok(token.trim().to_string())
  280|      8|}
  281|       |
  282|     98|fn client_ip_from_headers(headers: &HeaderMap) -> Option<String> {
  283|     98|    headers
  284|     98|        .get("x-forwarded-for")
  285|     98|        .and_then(|v| v.to_str().ok())
                                    ^2^2       ^2
  286|     98|        .and_then(|v| v.split(',').next())
                                    ^2           ^2
  287|     98|        .map(str::trim)
  288|     98|        .map(str::to_string)
  289|     98|        .or_else(|| Some("127.0.0.1".into()))
                                       ^96         ^96
  290|     98|}

/home/runner/work/trust-relay/trust-relay/src/routes/health.rs:
    1|       |//! Liveness endpoint.
    2|       |
    3|       |use axum::{http::StatusCode, response::IntoResponse, Json};
    4|       |use serde_json::json;
    5|       |
    6|      4|pub async fn healthz() -> impl IntoResponse {
    7|      4|    (StatusCode::OK, Json(json!({ "status": "ok" })))
    8|      4|}

/home/runner/work/trust-relay/trust-relay/src/routes/jwks.rs:
    1|       |//! JWKS publication for resource-server JWT verification.
    2|       |
    3|       |use axum::{extract::State, Json};
    4|       |use serde_json::Value;
    5|       |
    6|       |use crate::state::AppState;
    7|       |
    8|      2|pub async fn jwks(State(state): State<AppState>) -> Json<Value> {
    9|      2|    Json(state.token.jwks())
   10|      2|}

/home/runner/work/trust-relay/trust-relay/src/routes/mod.rs:
    1|       |//! Router construction.
    2|       |
    3|       |mod auth;
    4|       |mod health;
    5|       |mod jwks;
    6|       |
    7|       |use axum::{routing::get, routing::post, Router};
    8|       |use tower_http::{cors::CorsLayer, limit::RequestBodyLimitLayer, trace::TraceLayer};
    9|       |
   10|       |use crate::{config::ExposeMode, state::AppState};
   11|       |
   12|       |/// Max request body size for auth/session routes (POST JSON). Not applied to `/healthz`.
   13|       |pub const MAX_BODY_BYTES: usize = 64 * 1024;
   14|       |
   15|       |/// Liveness and JWKS — exposed on `public` and `all` deploys.
   16|     25|fn health_and_jwks_routes(state: AppState) -> Router {
   17|     25|    Router::new()
   18|     25|        .route("/healthz", get(health::healthz))
   19|     25|        .route("/.well-known/jwks.json", get(jwks::jwks))
   20|     25|        .with_state(state)
   21|     25|}
   22|       |
   23|       |/// Wallet SIWE ceremony and session lifecycle — internet-facing.
   24|     24|fn wallet_auth_routes(state: AppState) -> Router {
   25|     24|    Router::new()
   26|     24|        .route("/v1/auth/nonce", get(auth::get_nonce))
   27|     24|        .route("/v1/auth/session", post(auth::post_session))
   28|     24|        .route("/v1/auth/session/refresh", post(auth::post_session_refresh))
   29|     24|        .route("/v1/auth/logout", post(auth::post_logout))
   30|     24|        .route("/v1/auth/quota", get(auth::get_quota))
   31|     24|        .with_state(state)
   32|     24|        .layer(RequestBodyLimitLayer::new(MAX_BODY_BYTES))
   33|     24|}
   34|       |
   35|       |/// Resource-server helpers — VPC / internal ingress only in production.
   36|     24|fn internal_routes(state: AppState) -> Router {
   37|     24|    Router::new()
   38|     24|        .route("/v1/auth/quota/consume", post(auth::post_quota_consume))
   39|     24|        .with_state(state)
   40|     24|        .layer(RequestBodyLimitLayer::new(MAX_BODY_BYTES))
   41|     24|}
   42|       |
   43|     25|fn apply_global_layers(router: Router) -> Router {
   44|     25|    router
   45|     25|        .layer(TraceLayer::new_for_http())
   46|     25|        .layer(CorsLayer::permissive())
   47|     25|}
   48|       |
   49|       |/// Build the HTTP router for `cfg.server.expose`.
   50|     23|pub fn create_router(state: AppState) -> Router {
   51|     23|    let expose = state.config.server.expose;
   52|     23|    create_router_for_expose(state, expose)
   53|     23|}
   54|       |
   55|       |/// Build the HTTP router for an explicit exposure mode (tests and docs).
   56|     25|pub fn create_router_for_expose(state: AppState, expose: ExposeMode) -> Router {
   57|     25|    let health_state = state.clone();
   58|     25|    let router = match expose {
   59|     23|        ExposeMode::All => Router::new()
   60|     23|            .merge(health_and_jwks_routes(health_state.clone()))
   61|     23|            .merge(wallet_auth_routes(state.clone()))
   62|     23|            .merge(internal_routes(state)),
   63|      1|        ExposeMode::Public => Router::new()
   64|      1|            .merge(health_and_jwks_routes(health_state))
   65|      1|            .merge(wallet_auth_routes(state)),
   66|      1|        ExposeMode::Internal => Router::new()
   67|      1|            .merge(health_and_jwks_routes(health_state))
   68|      1|            .merge(internal_routes(state)),
   69|       |    };
   70|     25|    apply_global_layers(router)
   71|     25|}
   72|       |
   73|       |/// Integration-test router with in-memory stores (or Redis when `APP_REDIS__URL` is set).
   74|      9|pub async fn test_router() -> Router {
   75|      9|    let config = crate::config::Config::load().expect("test config should load");
   76|      9|    test_router_with_config(config).await
   77|      9|}
   78|       |
   79|       |/// Test helper: router with explicit config (`server.expose` respected).
   80|     12|pub async fn test_router_with_config(config: crate::config::Config) -> Router {
   81|     12|    let state = AppState::build(config)
   82|     12|        .await
   83|     12|        .expect("test app state should build");
   84|     12|    create_router(state)
   85|     12|}

/home/runner/work/trust-relay/trust-relay/src/server.rs:
    1|       |//! Server bootstrap — bind, serve, and run entry used by the binary.
    2|       |
    3|       |use std::net::SocketAddr;
    4|       |
    5|       |use tokio::net::TcpListener;
    6|       |
    7|       |use crate::{config::Config, routes, state::AppState, telemetry};
    8|       |
    9|       |/// Load config, init telemetry, bind, and serve until shutdown.
   10|      1|pub async fn run(cfg: Config) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
   11|      1|    telemetry::init(&cfg.telemetry);
   12|      1|    let state = AppState::build(cfg).await?;
                                                        ^0
   13|      1|    let listener = bind(&state.config).await?;
                                                          ^0
   14|      1|    serve(listener, state).await
   15|      0|}
   16|       |
   17|       |/// Bind the listening socket described by `cfg`.
   18|      3|pub async fn bind(cfg: &Config) -> Result<TcpListener, Box<dyn std::error::Error + Send + Sync>> {
   19|      3|    let addr: SocketAddr = format!("{}:{}", cfg.server.host, cfg.server.port).parse()?;
                      ^2    ^2                                                                     ^1
   20|      2|    Ok(TcpListener::bind(addr).await?)
                                                  ^0
   21|      3|}
   22|       |
   23|       |/// Serve the HTTP router on an already-bound listener.
   24|      2|pub async fn serve(
   25|      2|    listener: TcpListener,
   26|      2|    state: AppState,
   27|      2|) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
   28|      2|    let addr = listener.local_addr()?;
                                                  ^0
   29|      2|    let expose = state.config.server.expose;
   30|      2|    tracing::info!(%addr, ?expose, "trust-relay listening");
   31|      2|    axum::serve(listener, routes::create_router(state)).await?;
                                                                           ^0
   32|      0|    Ok(())
   33|      0|}

/home/runner/work/trust-relay/trust-relay/src/services/heuristics.rs:
    1|       |//! Phase-0 wallet heuristics (first-seen vs established).
    2|       |
    3|       |use std::sync::Arc;
    4|       |
    5|       |use crate::{error::AppError, store::heuristics::HeuristicsStore};
    6|       |
    7|       |/// Phase-0 profile derived before minting paid-scope quotas.
    8|       |#[derive(Debug, Clone, Copy, PartialEq, Eq)]
    9|       |pub enum WalletProfile {
   10|       |    /// First successful session for this wallet.
   11|       |    New,
   12|       |    Established,
   13|       |}
   14|       |
   15|       |pub struct HeuristicsService {
   16|       |    store: Arc<dyn HeuristicsStore>,
   17|       |}
   18|       |
   19|       |impl HeuristicsService {
   20|     26|    pub fn new(store: Arc<dyn HeuristicsStore>) -> Self {
   21|     26|        Self { store }
   22|     26|    }
   23|       |
   24|     11|    pub async fn profile_for(&self, wallet: &str) -> Result<WalletProfile, AppError> {
   25|     11|        let wallet = normalize_wallet(wallet)?;
                                                           ^0
   26|     11|        if self.store.is_established(&wallet).await? {
                                                                 ^0
   27|      7|            Ok(WalletProfile::Established)
   28|       |        } else {
   29|      4|            Ok(WalletProfile::New)
   30|       |        }
   31|     11|    }
   32|       |
   33|     11|    pub async fn mark_established(&self, wallet: &str) -> Result<(), AppError> {
   34|     11|        let wallet = normalize_wallet(wallet)?;
                                                           ^0
   35|     11|        self.store.mark_established(&wallet).await?;
                                                                ^0
   36|     11|        Ok(())
   37|     11|    }
   38|       |}
   39|       |
   40|     22|fn normalize_wallet(wallet: &str) -> Result<String, AppError> {
   41|     22|    let w = wallet.trim().to_ascii_lowercase();
   42|     22|    if !w.starts_with("0x") || w.len() != 42 {
   43|      0|        return Err(AppError::InvalidRequest(
   44|      0|            "wallet address must be 0x-prefixed 20-byte hex".into(),
   45|      0|        ));
   46|     22|    }
   47|    880|    if !w[2..].chars().all(|c| c.is_ascii_hexdigit()) {
                      ^22            ^22
   48|      0|        return Err(AppError::InvalidRequest(
   49|      0|            "wallet address must be hex".into(),
   50|      0|        ));
   51|     22|    }
   52|     22|    Ok(w)
   53|     22|}

/home/runner/work/trust-relay/trust-relay/src/services/nonce.rs:
    1|       |//! Single-use nonce generation and validation.
    2|       |
    3|       |use std::sync::Arc;
    4|       |
    5|       |use time::OffsetDateTime;
    6|       |use uuid::Uuid;
    7|       |
    8|       |use crate::{
    9|       |    config::AuthConfig,
   10|       |    error::AppError,
   11|       |    store::nonce::{NonceRecord, NonceStore},
   12|       |};
   13|       |
   14|       |#[derive(Debug, Clone)]
   15|       |pub struct IssuedNonce {
   16|       |    pub nonce: String,
   17|       |    pub expires_at: OffsetDateTime,
   18|       |}
   19|       |
   20|       |pub struct NonceService {
   21|       |    store: Arc<dyn NonceStore>,
   22|       |    config: AuthConfig,
   23|       |}
   24|       |
   25|       |impl NonceService {
   26|     29|    pub fn new(store: Arc<dyn NonceStore>, config: AuthConfig) -> Self {
   27|     29|        Self { store, config }
   28|     29|    }
   29|       |
   30|     49|    pub async fn issue(&self, client_ip: Option<String>) -> Result<IssuedNonce, AppError> {
   31|       |        // EIP-4361 / Spruce SIWE ABNF: nonce must be alphanumeric (no UUID hyphens).
   32|     49|        let nonce = Uuid::new_v4().as_simple().to_string();
   33|     49|        let issued_at = OffsetDateTime::now_utc();
   34|     49|        let expires_at = issued_at + time::Duration::seconds(self.config.nonce_ttl_secs as i64);
   35|     49|        let record = NonceRecord {
   36|     49|            issued_at,
   37|     49|            expires_at,
   38|     49|            client_ip,
   39|     49|            used: false,
   40|     49|        };
   41|     49|        self.store.put(&nonce, &record).await?;
                                                           ^0
   42|     49|        Ok(IssuedNonce { nonce, expires_at })
   43|     49|    }
   44|       |
   45|     16|    pub async fn validate_and_consume(&self, nonce: &str) -> Result<(), AppError> {
   46|     16|        let record = self
                          ^15
   47|     16|            .store
   48|     16|            .get(nonce)
   49|     16|            .await?
                                ^0
   50|     16|            .ok_or_else(|| AppError::InvalidNonce("unknown nonce".into()))?;
                                                                ^1              ^1      ^1
   51|       |
   52|     15|        if record.used {
   53|      2|            return Err(AppError::NonceUsed("nonce already used".into()));
   54|     13|        }
   55|       |
   56|     13|        let now = OffsetDateTime::now_utc();
   57|     13|        if now >= record.expires_at {
   58|      1|            return Err(AppError::NonceExpired("nonce expired".into()));
   59|     12|        }
   60|       |
   61|     12|        self.store.mark_used(nonce).await?;
                                                       ^0
   62|     12|        Ok(())
   63|     16|    }
   64|       |}
   65|       |
   66|       |#[cfg(test)]
   67|       |mod tests {
   68|       |    use std::sync::Arc;
   69|       |
   70|       |    use super::*;
   71|       |    use crate::config::AuthConfig;
   72|       |    use crate::store::nonce::InMemoryNonceStore;
   73|       |
   74|      3|    fn test_auth_config() -> AuthConfig {
   75|      3|        AuthConfig {
   76|      3|            nonce_ttl_secs: 120,
   77|      3|            domain: "localhost".into(),
   78|      3|            uri: "http://localhost".into(),
   79|      3|            chain_id: 324,
   80|      3|            default_scopes: vec!["ai:invoke".into()],
   81|      3|            refresh_token_ttl_secs: 604_800,
   82|      3|            issue_refresh_tokens: true,
   83|      3|        }
   84|      3|    }
   85|       |
   86|       |    #[tokio::test]
   87|      1|    async fn consume_rejects_replay() {
   88|      1|        let store = Arc::new(InMemoryNonceStore::default());
   89|      1|        let svc = NonceService::new(store, test_auth_config());
   90|      1|        let issued = svc.issue(None).await.unwrap();
   91|      1|        svc.validate_and_consume(&issued.nonce).await.unwrap();
   92|      1|        let err = svc.validate_and_consume(&issued.nonce).await.unwrap_err();
   93|      1|        assert!(matches!(err, AppError::NonceUsed(_)));
                              ^0
   94|      1|    }
   95|       |
   96|       |    #[tokio::test]
   97|      1|    async fn consume_rejects_unknown_nonce() {
   98|      1|        let store = Arc::new(InMemoryNonceStore::default());
   99|      1|        let svc = NonceService::new(store, test_auth_config());
  100|      1|        let err = svc.validate_and_consume("missing").await.unwrap_err();
  101|      1|        assert!(matches!(err, AppError::InvalidNonce(_)));
                              ^0
  102|      1|    }
  103|       |
  104|       |    #[tokio::test]
  105|      1|    async fn consume_rejects_expired_nonce() {
  106|      1|        let store = Arc::new(InMemoryNonceStore::default());
  107|      1|        let svc = NonceService::new(store.clone(), test_auth_config());
  108|      1|        let issued = svc.issue(None).await.unwrap();
  109|      1|        let past = OffsetDateTime::now_utc() - time::Duration::hours(1);
  110|      1|        let record = NonceRecord {
  111|      1|            issued_at: past - time::Duration::minutes(2),
  112|      1|            expires_at: past,
  113|      1|            client_ip: None,
  114|      1|            used: false,
  115|      1|        };
  116|      1|        store.put(&issued.nonce, &record).await.unwrap();
  117|      1|        let err = svc.validate_and_consume(&issued.nonce).await.unwrap_err();
  118|      1|        assert!(matches!(err, AppError::NonceExpired(_)));
                              ^0
  119|      1|    }
  120|       |}

/home/runner/work/trust-relay/trust-relay/src/services/quota.rs:
    1|       |//! Per-wallet quota counters for paid scopes.
    2|       |
    3|       |use std::collections::HashMap;
    4|       |use std::sync::Arc;
    5|       |
    6|       |use time::OffsetDateTime;
    7|       |
    8|       |use crate::{
    9|       |    config::QuotaConfig,
   10|       |    error::AppError,
   11|       |    services::heuristics::WalletProfile,
   12|       |    store::quota::{current_window_id, QuotaStore},
   13|       |};
   14|       |
   15|       |pub struct QuotaService {
   16|       |    store: Arc<dyn QuotaStore>,
   17|       |    config: QuotaConfig,
   18|       |}
   19|       |
   20|       |#[derive(Debug)]
   21|       |pub struct QuotaStatus {
   22|       |    pub scope: String,
   23|       |    pub remaining: u64,
   24|       |    pub limit: u64,
   25|       |}
   26|       |
   27|       |impl QuotaService {
   28|     27|    pub fn new(store: Arc<dyn QuotaStore>, config: QuotaConfig) -> Self {
   29|     27|        Self { store, config }
   30|     27|    }
   31|       |
   32|     23|    pub fn enabled(&self) -> bool {
   33|     23|        self.config.enabled
   34|     23|    }
   35|       |
   36|       |    /// Initialize quota buckets for paid scopes using heuristic tier limits.
   37|     14|    pub async fn init_for_wallet(
   38|     14|        &self,
   39|     14|        wallet: &str,
   40|     14|        profile: WalletProfile,
   41|     14|    ) -> Result<(), AppError> {
   42|     14|        if !self.enabled() {
   43|      0|            return Ok(());
   44|     14|        }
   45|     14|        let wallet = normalize_wallet(wallet)?;
                                                           ^0
   46|     14|        let limits = limits_for_profile(&self.config, profile);
   47|     14|        let window_id = self.window_id();
   48|     14|        let ttl = self.config.window_secs as u64;
   49|     23|        for scope in &self.config.paid_scopes {
                                   ^14
   50|     23|            let limit = limits.get(scope).copied().unwrap_or(0);
   51|     23|            if limit == 0 {
   52|      0|                continue;
   53|     23|            }
   54|     23|            self.store
   55|     23|                .init_scope(&wallet, scope, window_id, limit, ttl)
   56|     23|                .await?;
                                    ^0
   57|       |        }
   58|     14|        Ok(())
   59|     14|    }
   60|       |
   61|      7|    pub async fn consume(
   62|      7|        &self,
   63|      7|        wallet: &str,
   64|      7|        scope: &str,
   65|      7|        amount: u64,
   66|      7|    ) -> Result<QuotaStatus, AppError> {
   67|      7|        if !self.enabled() {
   68|      0|            return Err(AppError::InvalidRequest(
   69|      0|                "quota enforcement is disabled".into(),
   70|      0|            ));
   71|      7|        }
   72|      7|        if !self.config.paid_scopes.iter().any(|s| s == scope) {
   73|      0|            return Err(AppError::InvalidRequest(format!(
   74|      0|                "scope {scope} is not quota-gated"
   75|      0|            )));
   76|      7|        }
   77|      7|        let wallet = normalize_wallet(wallet)?;
                                                           ^0
   78|      7|        let window_id = self.window_id();
   79|      7|        let bucket = self
                          ^5
   80|      7|            .store
   81|      7|            .try_consume(&wallet, scope, window_id, amount.max(1))
   82|      7|            .await?;
                                ^2
   83|      5|        Ok(QuotaStatus {
   84|      5|            scope: scope.to_string(),
   85|      5|            remaining: bucket.limit.saturating_sub(bucket.used),
   86|      5|            limit: bucket.limit,
   87|      5|        })
   88|      7|    }
   89|       |
   90|      2|    pub async fn status_for_scopes(
   91|      2|        &self,
   92|      2|        wallet: &str,
   93|      2|        scopes: &[&str],
   94|      2|    ) -> Result<Vec<QuotaStatus>, AppError> {
   95|      2|        if !self.enabled() {
   96|      0|            return Ok(Vec::new());
   97|      2|        }
   98|      2|        let wallet = normalize_wallet(wallet)?;
                                                           ^0
   99|      2|        let window_id = self.window_id();
  100|      2|        let mut out = Vec::new();
  101|      8|        for scope in scopes {
                                   ^2
  102|      8|            if !self.config.paid_scopes.iter().any(|s| s == scope) {
  103|      6|                continue;
  104|      2|            }
  105|      2|            if let Some(bucket) = self.store.get_bucket(&wallet, scope, window_id).await? {
                                                                                                      ^0
  106|      2|                out.push(QuotaStatus {
  107|      2|                    scope: scope.to_string(),
  108|      2|                    remaining: bucket.limit.saturating_sub(bucket.used),
  109|      2|                    limit: bucket.limit,
  110|      2|                });
  111|      2|            }
                          ^0
  112|       |        }
  113|      2|        Ok(out)
  114|      2|    }
  115|       |
  116|     23|    fn window_id(&self) -> u64 {
  117|     23|        let now = OffsetDateTime::now_utc().unix_timestamp();
  118|     23|        current_window_id(now, self.config.window_secs as u64)
  119|     23|    }
  120|       |}
  121|       |
  122|     14|fn limits_for_profile(config: &QuotaConfig, profile: WalletProfile) -> &HashMap<String, u64> {
  123|     14|    match profile {
  124|      5|        WalletProfile::New => &config.limits.new_wallet,
  125|      9|        WalletProfile::Established => &config.limits.established,
  126|       |    }
  127|     14|}
  128|       |
  129|     23|fn normalize_wallet(wallet: &str) -> Result<String, AppError> {
  130|     23|    let w = wallet.trim().to_ascii_lowercase();
  131|     23|    if !w.starts_with("0x") || w.len() != 42 {
  132|      0|        return Err(AppError::InvalidRequest(
  133|      0|            "wallet address must be 0x-prefixed 20-byte hex".into(),
  134|      0|        ));
  135|     23|    }
  136|    920|    if !w[2..].chars().all(|c| c.is_ascii_hexdigit()) {
                      ^23            ^23
  137|      0|        return Err(AppError::InvalidRequest(
  138|      0|            "wallet address must be hex".into(),
  139|      0|        ));
  140|     23|    }
  141|     23|    Ok(w)
  142|     23|}
  143|       |
  144|       |#[cfg(test)]
  145|       |mod tests {
  146|       |    use super::*;
  147|       |    use crate::config::QuotaLimitTiers;
  148|       |    use crate::store::quota::InMemoryQuotaStore;
  149|       |
  150|      1|    fn test_config() -> QuotaConfig {
  151|      1|        let mut new_wallet = HashMap::new();
  152|      1|        new_wallet.insert("ai:invoke".into(), 2);
  153|      1|        let mut established = HashMap::new();
  154|      1|        established.insert("ai:invoke".into(), 100);
  155|      1|        QuotaConfig {
  156|      1|            enabled: true,
  157|      1|            window_secs: 3600,
  158|      1|            paid_scopes: vec!["ai:invoke".into()],
  159|      1|            limits: QuotaLimitTiers {
  160|      1|                new_wallet,
  161|      1|                established,
  162|      1|            },
  163|      1|        }
  164|      1|    }
  165|       |
  166|       |    #[tokio::test]
  167|      1|    async fn new_wallet_gets_lower_limit() {
  168|      1|        let store = Arc::new(InMemoryQuotaStore::default());
  169|      1|        let svc = QuotaService::new(store, test_config());
  170|      1|        svc.init_for_wallet(
  171|      1|            "0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266",
  172|      1|            WalletProfile::New,
  173|      1|        )
  174|      1|        .await
  175|      1|        .unwrap();
  176|      1|        let s1 = svc
  177|      1|            .consume("0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266", "ai:invoke", 1)
  178|      1|            .await
  179|      1|            .unwrap();
  180|      1|        assert_eq!(s1.remaining, 1);
  181|      1|        let _ = svc
  182|      1|            .consume("0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266", "ai:invoke", 1)
  183|      1|            .await
  184|      1|            .unwrap();
  185|      1|        let err = svc
  186|      1|            .consume("0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266", "ai:invoke", 1)
  187|      1|            .await
  188|      1|            .unwrap_err();
  189|      1|        assert!(matches!(err, AppError::QuotaExceeded(_)));
                              ^0
  190|      1|    }
  191|       |}

/home/runner/work/trust-relay/trust-relay/src/services/refresh.rs:
    1|       |//! Opaque refresh-token issuance, rotation, and reuse detection.
    2|       |
    3|       |use std::sync::Arc;
    4|       |
    5|       |use base64::Engine;
    6|       |use rand::RngCore;
    7|       |use time::OffsetDateTime;
    8|       |use uuid::Uuid;
    9|       |
   10|       |use crate::{
   11|       |    config::AuthConfig,
   12|       |    error::AppError,
   13|       |    store::refresh::{hash_refresh_token, RefreshLookup, RefreshRecord, RefreshStore},
   14|       |};
   15|       |
   16|       |pub struct RefreshService {
   17|       |    store: Arc<dyn RefreshStore>,
   18|       |    auth: AuthConfig,
   19|       |}
   20|       |
   21|       |#[derive(Debug)]
   22|       |pub struct IssuedRefresh {
   23|       |    pub token: String,
   24|       |}
   25|       |
   26|       |#[derive(Debug)]
   27|       |pub struct RotatedRefresh {
   28|       |    pub token: String,
   29|       |    pub record: RefreshRecord,
   30|       |}
   31|       |
   32|       |impl RefreshService {
   33|     27|    pub fn new(store: Arc<dyn RefreshStore>, auth: AuthConfig) -> Self {
   34|     27|        Self { store, auth }
   35|     27|    }
   36|       |
   37|     15|    pub fn enabled(&self) -> bool {
   38|     15|        self.auth.issue_refresh_tokens
   39|     15|    }
   40|       |
   41|       |    /// Mint a new refresh token for a wallet session (rotation counter 0).
   42|     12|    pub async fn issue(
   43|     12|        &self,
   44|     12|        wallet: &str,
   45|     12|        scopes: &[String],
   46|     12|        chain_id: u64,
   47|     12|    ) -> Result<IssuedRefresh, AppError> {
   48|     12|        let wallet = normalize_wallet(wallet)?;
                                                           ^0
   49|     12|        let now = OffsetDateTime::now_utc().unix_timestamp();
   50|     12|        let ttl = i64::from(self.auth.refresh_token_ttl_secs);
   51|     12|        let record = RefreshRecord {
   52|     12|            family_id: Uuid::new_v4().to_string(),
   53|     12|            wallet,
   54|     12|            rotation: 0,
   55|     12|            scopes: scopes.to_vec(),
   56|     12|            chain_id,
   57|     12|            expires_at: now + ttl,
   58|     12|        };
   59|     12|        let token = generate_opaque_token();
   60|     12|        let hash = hash_refresh_token(&token);
   61|     12|        self.store
   62|     12|            .put_token(&hash, &record, self.auth.refresh_token_ttl_secs as u64)
   63|     12|            .await?;
                                ^0
   64|     12|        Ok(IssuedRefresh { token })
   65|     12|    }
   66|       |
   67|       |    /// Validate a refresh token and rotate it (new opaque secret, incremented rotation).
   68|      7|    pub async fn rotate(&self, raw_token: &str) -> Result<RotatedRefresh, AppError> {
   69|      7|        let raw_token = raw_token.trim();
   70|      7|        if raw_token.is_empty() {
   71|      0|            return Err(AppError::InvalidRequest("refreshToken is required".into()));
   72|      7|        }
   73|      7|        let hash = hash_refresh_token(raw_token);
   74|      7|        let lookup = self.lookup(&hash).await?;
                                                           ^0
   75|       |
   76|      7|        let record = match lookup {
                          ^3
   77|      3|            RefreshLookup::Active(record) => {
   78|      3|                if record.expires_at <= OffsetDateTime::now_utc().unix_timestamp() {
   79|      0|                    return Err(AppError::InvalidToken("refresh token expired".into()));
   80|      3|                }
   81|      3|                record
   82|       |            }
   83|      2|            RefreshLookup::Reuse { family_id } => {
   84|      2|                self.store
   85|      2|                    .revoke_family(&family_id, self.auth.refresh_token_ttl_secs as u64)
   86|      2|                    .await?;
                                        ^0
   87|      2|                return Err(AppError::InvalidToken(
   88|      2|                    "refresh token reuse detected; session family revoked".into(),
   89|      2|                ));
   90|       |            }
   91|       |            RefreshLookup::Unknown => {
   92|      2|                return Err(AppError::InvalidToken("refresh token invalid".into()));
   93|       |            }
   94|       |        };
   95|       |
   96|      3|        self.store.delete_token(&hash).await?;
                                                          ^0
   97|      3|        self.store
   98|      3|            .mark_replay(
   99|      3|                &hash,
  100|      3|                &record.family_id,
  101|      3|                self.auth.refresh_token_ttl_secs as u64,
  102|      3|            )
  103|      3|            .await?;
                                ^0
  104|       |
  105|      3|        let mut next = record.clone();
  106|      3|        next.rotation = next.rotation.saturating_add(1);
  107|      3|        next.expires_at = OffsetDateTime::now_utc().unix_timestamp()
  108|      3|            + i64::from(self.auth.refresh_token_ttl_secs);
  109|       |
  110|      3|        let new_token = generate_opaque_token();
  111|      3|        let new_hash = hash_refresh_token(&new_token);
  112|      3|        self.store
  113|      3|            .put_token(&new_hash, &next, self.auth.refresh_token_ttl_secs as u64)
  114|      3|            .await?;
                                ^0
  115|       |
  116|      3|        Ok(RotatedRefresh {
  117|      3|            token: new_token,
  118|      3|            record: next,
  119|      3|        })
  120|      7|    }
  121|       |
  122|      7|    async fn lookup(&self, token_hash: &str) -> Result<RefreshLookup, AppError> {
  123|      7|        if let Some(family_id) = self.store.is_replay(token_hash).await? {
                                  ^2                                                 ^0
  124|      2|            return Ok(RefreshLookup::Reuse { family_id });
  125|      5|        }
  126|      5|        if let Some(record) = self.store.get_token(token_hash).await? {
                                                                                  ^0
  127|      5|            if self.store.is_family_revoked(&record.family_id).await? {
                                                                                  ^0
  128|      2|                return Ok(RefreshLookup::Unknown);
  129|      3|            }
  130|      3|            return Ok(RefreshLookup::Active(record));
  131|      0|        }
  132|      0|        Ok(RefreshLookup::Unknown)
  133|      7|    }
  134|       |}
  135|       |
  136|     15|fn generate_opaque_token() -> String {
  137|     15|    let mut bytes = [0u8; 32];
  138|     15|    rand::rngs::OsRng.fill_bytes(&mut bytes);
  139|     15|    base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)
  140|     15|}
  141|       |
  142|     12|fn normalize_wallet(wallet: &str) -> Result<String, AppError> {
  143|     12|    let w = wallet.trim().to_ascii_lowercase();
  144|     12|    if !w.starts_with("0x") || w.len() != 42 {
  145|      0|        return Err(AppError::InvalidRequest(
  146|      0|            "wallet address must be 0x-prefixed 20-byte hex".into(),
  147|      0|        ));
  148|     12|    }
  149|    480|    if !w[2..].chars().all(|c| c.is_ascii_hexdigit()) {
                      ^12            ^12
  150|      0|        return Err(AppError::InvalidRequest(
  151|      0|            "wallet address must be hex".into(),
  152|      0|        ));
  153|     12|    }
  154|     12|    Ok(w)
  155|     12|}
  156|       |
  157|       |#[cfg(test)]
  158|       |mod tests {
  159|       |    use super::*;
  160|       |    use crate::store::refresh::InMemoryRefreshStore;
  161|       |
  162|      1|    fn test_auth() -> AuthConfig {
  163|      1|        AuthConfig {
  164|      1|            nonce_ttl_secs: 120,
  165|      1|            domain: "localhost".into(),
  166|      1|            uri: "http://localhost:3001".into(),
  167|      1|            chain_id: 324,
  168|      1|            default_scopes: vec!["ai:invoke".into()],
  169|      1|            refresh_token_ttl_secs: 3600,
  170|      1|            issue_refresh_tokens: true,
  171|      1|        }
  172|      1|    }
  173|       |
  174|       |    #[tokio::test]
  175|      1|    async fn rotate_rejects_replay_of_rotated_token() {
  176|      1|        let store = Arc::new(InMemoryRefreshStore::default());
  177|      1|        let svc = RefreshService::new(store, test_auth());
  178|      1|        let issued = svc
  179|      1|            .issue(
  180|      1|                "0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266",
  181|      1|                &["ai:invoke".into()],
  182|      1|                324,
  183|      1|            )
  184|      1|            .await
  185|      1|            .unwrap();
  186|      1|        let rotated = svc.rotate(&issued.token).await.unwrap();
  187|      1|        let err = svc.rotate(&issued.token).await.unwrap_err();
  188|      1|        assert!(matches!(err, AppError::InvalidToken(_)));
                              ^0
  189|       |        // Family revoked on reuse — the legitimately rotated token must not work either.
  190|      1|        let err = svc.rotate(&rotated.token).await.unwrap_err();
  191|      1|        assert!(matches!(err, AppError::InvalidToken(_)));
                              ^0
  192|      1|    }
  193|       |}

/home/runner/work/trust-relay/trust-relay/src/services/revocation.rs:
    1|       |//! Session revocation (`jti` denylist) and wallet blocklist.
    2|       |
    3|       |use std::sync::Arc;
    4|       |
    5|       |use time::OffsetDateTime;
    6|       |
    7|       |use crate::{
    8|       |    error::AppError,
    9|       |    models::claims::AccessTokenClaims,
   10|       |    store::revocation::{normalize_ttl_secs, RevocationStore},
   11|       |};
   12|       |
   13|       |pub struct RevocationService {
   14|       |    store: Arc<dyn RevocationStore>,
   15|       |}
   16|       |
   17|       |impl RevocationService {
   18|     27|    pub fn new(store: Arc<dyn RevocationStore>) -> Self {
   19|     27|        Self { store }
   20|     27|    }
   21|       |
   22|       |    /// Reject onboarding when the wallet is on the blocklist.
   23|     16|    pub async fn ensure_wallet_active(&self, wallet: &str) -> Result<(), AppError> {
   24|     16|        let wallet = normalize_wallet(wallet)?;
                                                           ^0
   25|     16|        if self.store.is_wallet_blocked(&wallet).await? {
                                                                    ^0
   26|      2|            return Err(AppError::WalletBlocked(
   27|      2|                "wallet is blocked from new sessions".into(),
   28|      2|            ));
   29|     14|        }
   30|     14|        Ok(())
   31|     16|    }
   32|       |
   33|       |    /// Denylist the access token's `jti` until its `exp` (logout / admin revoke).
   34|      1|    pub async fn revoke_access_token(&self, claims: &AccessTokenClaims) -> Result<(), AppError> {
   35|      1|        let now = OffsetDateTime::now_utc().unix_timestamp();
   36|      1|        let ttl = normalize_ttl_secs(claims.exp - now);
   37|      1|        self.store.revoke_jti(&claims.jti, ttl).await?;
                                                                   ^0
   38|      1|        Ok(())
   39|      1|    }
   40|       |
   41|      1|    pub async fn is_jti_revoked(&self, jti: &str) -> Result<bool, AppError> {
   42|      1|        Ok(self.store.is_jti_revoked(jti).await?)
                                                             ^0
   43|      1|    }
   44|       |
   45|       |    /// Block a wallet from obtaining new sessions (`ttl_secs == 0` = no expiry).
   46|      2|    pub async fn block_wallet(&self, wallet: &str, ttl_secs: u64) -> Result<(), AppError> {
   47|      2|        let wallet = normalize_wallet(wallet)?;
                                                           ^0
   48|      2|        self.store.block_wallet(&wallet, ttl_secs).await?;
                                                                      ^0
   49|      2|        Ok(())
   50|      2|    }
   51|       |}
   52|       |
   53|     18|fn normalize_wallet(wallet: &str) -> Result<String, AppError> {
   54|     18|    let w = wallet.trim().to_ascii_lowercase();
   55|     18|    if !w.starts_with("0x") || w.len() != 42 {
   56|      0|        return Err(AppError::InvalidRequest(
   57|      0|            "wallet address must be 0x-prefixed 20-byte hex".into(),
   58|      0|        ));
   59|     18|    }
   60|    720|    if !w[2..].chars().all(|c| c.is_ascii_hexdigit()) {
                      ^18            ^18
   61|      0|        return Err(AppError::InvalidRequest(
   62|      0|            "wallet address must be hex".into(),
   63|      0|        ));
   64|     18|    }
   65|     18|    Ok(w)
   66|     18|}
   67|       |
   68|       |#[cfg(test)]
   69|       |mod tests {
   70|       |    use super::*;
   71|       |    use crate::store::revocation::InMemoryRevocationStore;
   72|       |
   73|       |    #[tokio::test]
   74|      1|    async fn ensure_wallet_active_rejects_blocked() {
   75|      1|        let store = Arc::new(InMemoryRevocationStore::default());
   76|      1|        let svc = RevocationService::new(store.clone());
   77|      1|        svc.block_wallet("0xF39Fd6e51aad88F6F4ce6aB8827279cffFb92266", 0)
   78|      1|            .await
   79|      1|            .unwrap();
   80|      1|        let err = svc
   81|      1|            .ensure_wallet_active("0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266")
   82|      1|            .await
   83|      1|            .unwrap_err();
   84|      1|        assert!(matches!(err, AppError::WalletBlocked(_)));
                              ^0
   85|      1|    }
   86|       |}

/home/runner/work/trust-relay/trust-relay/src/services/siwe/eoa.rs:
    1|       |//! EOA EIP-191 personal-sign verification (ecrecover).
    2|       |
    3|       |use hex::FromHex;
    4|       |use k256::ecdsa::{RecoveryId, Signature, VerifyingKey};
    5|       |use sha3::{Digest, Keccak256};
    6|       |
    7|       |use crate::error::AppError;
    8|       |
    9|       |/// Decode a 65-byte hex EOA signature (`r||s||v`).
   10|     17|pub fn decode_eoa_signature(signature_hex: &str) -> Result<[u8; 65], AppError> {
   11|     17|    let hex_str = signature_hex
   12|     17|        .trim()
   13|     17|        .strip_prefix("0x")
   14|     17|        .unwrap_or(signature_hex.trim());
   15|     17|    if hex_str.is_empty() {
   16|      0|        return Err(AppError::InvalidRequest("signature is required".into()));
   17|     17|    }
   18|     17|    let sig = Vec::from_hex(hex_str)
   19|     17|        .map_err(|_| AppError::InvalidRequest("signature must be hex".into()))?;
                                                            ^0                      ^0      ^0
   20|     17|    sig.as_slice()
   21|     17|        .try_into()
   22|     17|        .map_err(|_| AppError::InvalidSignature("EOA signature must be 65 bytes".into()))
                                                              ^2                               ^2
   23|     17|}
   24|       |
   25|       |/// Verify EIP-191 signature over the **exact** SIWE message text the wallet signed.
   26|     21|pub fn verify_eip191(
   27|     21|    message_text: &str,
   28|     21|    signature: &[u8; 65],
   29|     21|    expected_address: &[u8; 20],
   30|     21|) -> Result<(), AppError> {
   31|     21|    let prehash = eip191_hash(message_text)?;
                                                         ^0
   32|     21|    let sig = Signature::from_slice(&signature[..64])
   33|     21|        .map_err(|e| AppError::InvalidSignature(format!("invalid signature: {e}")))?;
                                                              ^0                                 ^0
   34|     21|    let recovery_id = RecoveryId::try_from(signature[64] % 27)
   35|     21|        .map_err(|e| AppError::InvalidSignature(format!("invalid recovery id: {e}")))?;
                                                              ^0                                   ^0
   36|       |
   37|     21|    let pk = VerifyingKey::recover_from_prehash(&prehash, &sig, recovery_id)
   38|     21|        .map_err(|e| AppError::InvalidSignature(format!("recovery failed: {e}")))?;
                                                              ^0                               ^0
   39|       |
   40|     21|    let recovered = keccak256_address(&pk);
   41|     21|    if recovered != *expected_address {
   42|      3|        return Err(AppError::InvalidSignature(
   43|      3|            "recovered signer does not match message address".into(),
   44|      3|        ));
   45|     18|    }
   46|     18|    Ok(())
   47|     21|}
   48|       |
   49|     21|fn eip191_hash(message_text: &str) -> Result<[u8; 32], AppError> {
   50|     21|    let prehash = format!(
   51|       |        "\x19Ethereum Signed Message:\n{}{}",
   52|     21|        message_text.len(),
   53|       |        message_text
   54|       |    );
   55|     21|    Ok(Keccak256::digest(prehash.as_bytes()).into())
   56|     21|}
   57|       |
   58|     21|fn keccak256_address(pk: &VerifyingKey) -> [u8; 20] {
   59|     21|    let encoded = pk.to_encoded_point(false);
   60|     21|    let hash = Keccak256::new_with_prefix(&encoded.as_bytes()[1..]).finalize();
   61|     21|    hash[12..].try_into().expect("20-byte address")
   62|     21|}

/home/runner/work/trust-relay/trust-relay/src/services/siwe/message.rs:
    1|       |//! Parsed EIP-4361 SIWE message (internal representation).
    2|       |
    3|       |use sha3::Digest;
    4|       |use time::OffsetDateTime;
    5|       |
    6|       |/// Parsed Sign-In with Ethereum message fields used by trust-relay.
    7|       |#[derive(Debug, Clone, PartialEq, Eq)]
    8|       |pub struct SiweMessage {
    9|       |    /// Optional scheme from the preamble (`https://example.com wants...`).
   10|       |    pub scheme: Option<String>,
   11|       |    /// RFC 3986 authority (host[:port], optional userinfo).
   12|       |    pub domain: String,
   13|       |    pub address: [u8; 20],
   14|       |    pub statement: Option<String>,
   15|       |    pub uri: String,
   16|       |    pub chain_id: u64,
   17|       |    pub nonce: String,
   18|       |    pub issued_at: OffsetDateTime,
   19|       |    pub expiration_time: Option<OffsetDateTime>,
   20|       |    pub not_before: Option<OffsetDateTime>,
   21|       |    pub request_id: Option<String>,
   22|       |    pub resources: Vec<String>,
   23|       |}
   24|       |
   25|       |/// EIP-55 checksummed address (for comparisons with reference vectors).
   26|    112|pub fn eip55(addr: &[u8; 20]) -> String {
   27|    112|    let addr_str = hex::encode(addr);
   28|    112|    let hash = sha3::Keccak256::digest(addr_str.as_bytes());
   29|    112|    "0x".chars()
   30|  4.48k|        .chain(addr_str.chars().enumerate().map(|(i, c)| {
                       ^112  ^112             ^112        ^112
   31|  4.48k|            match (c, hash[i >> 1] & if i % 2 == 0 { 128 } else { 8 } != 0) {
                                                                   ^2.24k       ^2.24k
   32|  1.14k|                ('a'..='f' | 'A'..='F', true) => c.to_ascii_uppercase(),
                                           ^0
   33|  3.33k|                _ => c.to_ascii_lowercase(),
   34|       |            }
   35|  4.48k|        }))
   36|    112|        .collect()
   37|    112|}
   38|       |
   39|       |pub(super) const PREAMBLE: &str = " wants you to sign in with your Ethereum account:";
   40|       |pub(super) const URI_TAG: &str = "URI: ";
   41|       |pub(super) const VERSION_TAG: &str = "Version: ";
   42|       |pub(super) const CHAIN_TAG: &str = "Chain ID: ";
   43|       |pub(super) const NONCE_TAG: &str = "Nonce: ";
   44|       |pub(super) const IAT_TAG: &str = "Issued At: ";
   45|       |pub(super) const EXP_TAG: &str = "Expiration Time: ";
   46|       |pub(super) const NBF_TAG: &str = "Not Before: ";
   47|       |pub(super) const RID_TAG: &str = "Request ID: ";
   48|       |pub(super) const RES_TAG: &str = "Resources:";

/home/runner/work/trust-relay/trust-relay/src/services/siwe/mod.rs:
    1|       |//! EIP-4361 SIWE verification (in-house parser + EOA ecrecover).
    2|       |
    3|       |mod eoa;
    4|       |mod message;
    5|       |mod parse;
    6|       |mod policy;
    7|       |
    8|       |use time::OffsetDateTime;
    9|       |
   10|       |pub use eoa::{decode_eoa_signature, verify_eip191};
   11|       |pub use message::{eip55, SiweMessage};
   12|       |pub use parse::parse_siwe_message;
   13|       |pub use policy::{valid_at, validate_against_config, validate_time};
   14|       |
   15|       |use crate::{config::AuthConfig, error::AppError};
   16|       |
   17|       |/// Wallet address (`0x` + lowercase hex) and nonce after successful SIWE verification.
   18|       |#[derive(Debug, Clone, PartialEq, Eq)]
   19|       |pub struct VerifiedSiwe {
   20|       |    pub wallet_address: String,
   21|       |    pub nonce: String,
   22|       |}
   23|       |
   24|       |/// Parse and verify a SIWE message + EOA signature against configured domain, URI, and chain.
   25|     17|pub async fn verify_siwe_session(
   26|     17|    auth: &AuthConfig,
   27|     17|    message_str: &str,
   28|     17|    signature_hex: &str,
   29|     17|) -> Result<VerifiedSiwe, AppError> {
   30|     17|    let message_str = message_str.trim();
   31|     17|    let signature = eoa::decode_eoa_signature(signature_hex)?;
                      ^15                                                 ^2
   32|     15|    let message = parse::parse_siwe_message(message_str)?;
                                                                      ^0
   33|       |
   34|     15|    policy::validate_against_config(auth, &message)?;
                                                                 ^1
   35|     14|    policy::validate_time(&message, OffsetDateTime::now_utc())?;
                                                                            ^0
   36|       |
   37|     14|    eoa::verify_eip191(message_str, &signature, &message.address)?;
                                                                               ^0
   38|       |
   39|     14|    Ok(VerifiedSiwe {
   40|     14|        wallet_address: format!("0x{}", hex::encode(message.address)),
   41|     14|        nonce: message.nonce,
   42|     14|    })
   43|     17|}
   44|       |
   45|       |#[cfg(test)]
   46|       |mod tests {
   47|       |    use super::*;
   48|       |    use k256::ecdsa::SigningKey;
   49|       |    use sha3::{Digest, Keccak256};
   50|       |
   51|       |    const TEST_KEY: &str = "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80";
   52|       |
   53|      3|    fn test_auth() -> AuthConfig {
   54|      3|        AuthConfig {
   55|      3|            nonce_ttl_secs: 120,
   56|      3|            domain: "localhost".into(),
   57|      3|            uri: "http://localhost:3001".into(),
   58|      3|            chain_id: 324,
   59|      3|            default_scopes: vec!["ai:invoke".into()],
   60|      3|            refresh_token_ttl_secs: 604_800,
   61|      3|            issue_refresh_tokens: true,
   62|      3|        }
   63|      3|    }
   64|       |
   65|      3|    fn build_message(domain: &str, uri: &str, chain_id: u64, nonce: &str) -> String {
   66|      3|        let now = OffsetDateTime::now_utc();
   67|      3|        let iat = now
   68|      3|            .format(&time::format_description::well_known::Rfc3339)
   69|      3|            .unwrap();
   70|      3|        format!(
   71|       |            "{domain} wants you to sign in with your Ethereum account:\n0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266\n\n\nURI: {uri}\nVersion: 1\nChain ID: {chain_id}\nNonce: {nonce}\nIssued At: {iat}"
   72|       |        )
   73|      3|    }
   74|       |
   75|      2|    fn sign_message(message: &str) -> String {
   76|      2|        let key_bytes = hex::decode(TEST_KEY.trim_start_matches("0x")).unwrap();
   77|      2|        let signing_key = SigningKey::from_bytes((&key_bytes[..]).into()).unwrap();
   78|      2|        let prehash = format!("\x19Ethereum Signed Message:\n{}{}", message.len(), message);
   79|      2|        let digest = Keccak256::digest(prehash.as_bytes());
   80|      2|        let (sig, recid) = signing_key
   81|      2|            .sign_prehash_recoverable(digest.as_ref())
   82|      2|            .unwrap();
   83|      2|        let mut bytes = [0u8; 65];
   84|      2|        bytes[..64].copy_from_slice(&sig.to_bytes());
   85|      2|        bytes[64] = recid.to_byte() + 27;
   86|      2|        format!("0x{}", hex::encode(bytes))
   87|      2|    }
   88|       |
   89|       |    #[tokio::test]
   90|      1|    async fn verify_accepts_valid_eoa_signature() {
   91|      1|        let auth = test_auth();
   92|      1|        let msg = build_message("localhost", "http://localhost:3001", 324, "testnonce01");
   93|      1|        let sig = sign_message(&msg);
   94|      1|        let verified = verify_siwe_session(&auth, &msg, &sig).await.unwrap();
   95|      1|        assert_eq!(
   96|       |            verified.wallet_address,
   97|       |            "0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266"
   98|       |        );
   99|      1|        assert_eq!(verified.nonce, "testnonce01");
  100|      1|    }
  101|       |
  102|       |    #[tokio::test]
  103|      1|    async fn verify_rejects_wrong_chain() {
  104|      1|        let auth = test_auth();
  105|      1|        let msg = build_message("localhost", "http://localhost:3001", 1, "testnonce01");
  106|      1|        let sig = sign_message(&msg);
  107|      1|        let err = verify_siwe_session(&auth, &msg, &sig).await.unwrap_err();
  108|      1|        assert!(matches!(err, AppError::InvalidRequest(_)));
                              ^0
  109|      1|    }
  110|       |
  111|       |    #[tokio::test]
  112|      1|    async fn verify_rejects_bad_signature() {
  113|      1|        let auth = test_auth();
  114|      1|        let msg = build_message("localhost", "http://localhost:3001", 324, "testnonce01");
  115|      1|        let err = verify_siwe_session(&auth, &msg, "0x00").await.unwrap_err();
  116|      1|        assert!(
  117|      1|            matches!(
                          ^0
  118|      1|                err,
  119|      1|                AppError::InvalidRequest(_) | AppError::InvalidSignature(_)
  120|      1|            ),
  121|      1|            "unexpected: {err:?}"
  122|      1|        );
  123|      1|    }
  124|       |}

/home/runner/work/trust-relay/trust-relay/src/services/siwe/parse.rs:
    1|       |//! EIP-4361 SIWE message parser (trust-relay policy).
    2|       |
    3|       |use hex::FromHex;
    4|       |use time::OffsetDateTime;
    5|       |use url::Url;
    6|       |
    7|       |use super::message::{
    8|       |    eip55, SiweMessage, CHAIN_TAG, EXP_TAG, IAT_TAG, NBF_TAG, NONCE_TAG, PREAMBLE, RES_TAG,
    9|       |    RID_TAG, URI_TAG, VERSION_TAG,
   10|       |};
   11|       |use crate::error::AppError;
   12|       |
   13|       |const MIN_NONCE_LEN: usize = 8;
   14|       |
   15|     61|fn validate_nonce(nonce: &str) -> Result<(), AppError> {
   16|     61|    if nonce.len() < MIN_NONCE_LEN {
   17|      1|        return Err(parse_err("nonce must be at least 8 characters"));
   18|     60|    }
   19|    858|    if !nonce.bytes().all(|b| b.is_ascii_alphanumeric()) {
                      ^60           ^60
   20|      2|        return Err(parse_err("nonce must be alphanumeric"));
   21|     58|    }
   22|     58|    Ok(())
   23|     61|}
   24|       |
   25|     84|pub fn parse_siwe_message(s: &str) -> Result<SiweMessage, AppError> {
   26|     84|    let s = s.trim();
   27|     84|    if s.is_empty() {
   28|      0|        return Err(AppError::InvalidRequest("message is required".into()));
   29|     84|    }
   30|       |
   31|     84|    let mut lines = s.split('\n');
   32|     84|    let preamble = lines
   33|     84|        .next()
   34|     84|        .ok_or_else(|| parse_err("missing preamble line"))?;
                                     ^0                                 ^0
   35|     84|    let (scheme, domain) = parse_preamble(preamble)?;
                       ^81     ^81                               ^3
   36|       |
   37|     81|    let address_line = lines
   38|     81|        .next()
   39|     81|        .ok_or_else(|| parse_err("missing address line"))?;
                                     ^0                                ^0
   40|     81|    let address = parse_address_line(address_line)?;
                      ^76                                       ^5
   41|       |
   42|     76|    lines.next(); // blank line after address
   43|       |
   44|     76|    let statement = match lines.next() {
   45|      0|        None => return Err(parse_err("unexpected end after address")),
   46|     76|        Some("") => None,
                                  ^24
   47|     52|        Some(stmt) => {
   48|  3.05k|            if stmt.contains('\n') || stmt.chars().any(|c| c.is_control()) {
                             ^52  ^52               ^52          ^52
   49|      0|                return Err(parse_err("statement must be printable single-line ASCII"));
   50|     52|            }
   51|     52|            lines.next(); // blank line after statement
   52|     52|            Some(stmt.to_string())
   53|       |        }
   54|       |    };
   55|       |
   56|     76|    let uri = parse_tagged_line(URI_TAG, lines.next())?;
                      ^72                                           ^4
   57|     72|    validate_uri(&uri)?;
                                    ^1
   58|       |
   59|     71|    let version = parse_tagged_line(VERSION_TAG, lines.next())?;
                      ^68                                                   ^3
   60|     68|    if version != "1" {
   61|      1|        return Err(parse_err("version must be 1"));
   62|     67|    }
   63|       |
   64|     67|    let chain_id: u64 = parse_tagged_line(CHAIN_TAG, lines.next())?
                      ^63       ^63                                             ^3
   65|     64|        .parse()
   66|     64|        .map_err(|_| parse_err("invalid chain ID"))?;
                                   ^1                            ^1
   67|       |
   68|     63|    let nonce = parse_tagged_line(NONCE_TAG, lines.next())?;
                      ^61                                               ^2
   69|     61|    validate_nonce(&nonce)?;
                                        ^3
   70|       |
   71|     58|    let issued_at = parse_timestamp_tag(IAT_TAG, lines.next())?;
                      ^55                                                   ^3
   72|       |
   73|     55|    let mut line = lines.next();
   74|     55|    let expiration_time = match tag_optional(EXP_TAG, line)? {
                      ^54                                                ^1
   75|     15|        Some(exp) => {
   76|     15|            line = lines.next();
   77|     15|            Some(exp)
   78|       |        }
   79|     39|        None => None,
   80|       |    };
   81|     54|    let not_before = match tag_optional(NBF_TAG, line)? {
                      ^53                                           ^1
   82|      8|        Some(nbf) => {
   83|      8|            line = lines.next();
   84|      8|            Some(nbf)
   85|       |        }
   86|     45|        None => None,
   87|       |    };
   88|     53|    let request_id = match tag_optional_str(RID_TAG, line)? {
                                                                        ^0
   89|      5|        Some(rid) => {
   90|      5|            line = lines.next();
   91|      5|            Some(rid)
   92|       |        }
   93|     48|        None => None,
   94|       |    };
   95|       |
   96|     53|    let resources = match line {
                      ^46
   97|      9|        Some(RES_TAG) => lines
                                       ^7
   98|     12|            .filter(|l| !l.is_empty())
                           ^7
   99|      7|            .map(parse_resource_line)
  100|      7|            .collect::<Result<Vec<_>, _>>()?,
                                                         ^5
  101|      2|        Some(_) => return Err(parse_err("unexpected line after request ID")),
  102|     44|        None => Vec::new(),
  103|       |    };
  104|       |
  105|     46|    Ok(SiweMessage {
  106|     46|        scheme,
  107|     46|        domain,
  108|     46|        address,
  109|     46|        statement,
  110|     46|        uri,
  111|     46|        chain_id,
  112|     46|        nonce,
  113|     46|        issued_at,
  114|     46|        expiration_time,
  115|     46|        not_before,
  116|     46|        request_id,
  117|     46|        resources,
  118|     46|    })
  119|     84|}
  120|       |
  121|     84|fn parse_preamble(line: &str) -> Result<(Option<String>, String), AppError> {
  122|     84|    let domain_part = line
                      ^83
  123|     84|        .strip_suffix(PREAMBLE)
  124|     84|        .ok_or_else(|| parse_err("invalid preamble"))?;
                                     ^1                            ^1
  125|       |
  126|     83|    if let Some(idx) = domain_part.find("://") {
                              ^3
  127|      3|        let scheme = &domain_part[..idx];
  128|      3|        if !scheme
  129|      3|            .chars()
  130|     11|            .all(|c| c.is_ascii_alphabetic() && !c.is_ascii_digit())
                           ^3                                 ^10
  131|      2|            || scheme.is_empty()
  132|       |        {
  133|      1|            return Err(parse_err("invalid domain scheme"));
  134|      2|        }
  135|      2|        let host = &domain_part[idx + 3..];
  136|      2|        if host.is_empty() || host.contains('/') {
  137|      0|            return Err(parse_err("invalid domain authority"));
  138|      2|        }
  139|      2|        validate_domain_authority(host)?;
                                                     ^0
  140|      2|        return Ok((Some(scheme.to_string()), host.to_string()));
  141|     80|    }
  142|       |
  143|     80|    validate_domain_authority(domain_part)?;
                                                        ^1
  144|     79|    Ok((None, domain_part.to_string()))
  145|     84|}
  146|       |
  147|     82|fn validate_domain_authority(domain: &str) -> Result<(), AppError> {
  148|     82|    if domain.is_empty() || domain.starts_with('#') {
  149|      1|        return Err(parse_err("domain must be a valid RFC 3986 authority"));
  150|     81|    }
  151|       |    // userinfo@host or host:port or ipv6 [::] forms used in test vectors
  152|     81|    if domain.contains(' ') {
  153|      0|        return Err(parse_err("invalid domain"));
  154|     81|    }
  155|     81|    Ok(())
  156|     82|}
  157|       |
  158|     81|fn parse_address_line(line: &str) -> Result<[u8; 20], AppError> {
  159|     81|    let addr = line.trim();
  160|     81|    if !addr.starts_with("0x") || addr.len() != 42 {
                                                ^80
  161|      3|        return Err(parse_err("address must be 0x-prefixed 20-byte hex"));
  162|     78|    }
  163|     78|    let hex_part = &addr[2..];
  164|  3.11k|    if !hex_part.chars().all(|c| c.is_ascii_hexdigit()) {
                      ^78              ^78
  165|      1|        return Err(parse_err("address must be hex"));
  166|     77|    }
  167|       |
  168|    684|    let is_all_lower = addr[2..].chars().all(|c| !c.is_ascii_uppercase());
                      ^77            ^77               ^77
  169|    181|    let is_all_upper = addr[2..].chars().all(|c| !c.is_ascii_lowercase());
                      ^77            ^77               ^77
  170|     77|    if !is_all_lower && !is_all_upper && !checksum_valid(addr) {
                                      ^64              ^64
  171|      1|        return Err(parse_err("address is not valid EIP-55 checksum"));
  172|     76|    }
  173|       |
  174|     76|    <[u8; 20]>::from_hex(hex_part).map_err(|_| parse_err("invalid address bytes"))
                                                             ^0
  175|     81|}
  176|       |
  177|     64|fn checksum_valid(address: &str) -> bool {
  178|     64|    let stripped = address.trim_start_matches("0x");
  179|     64|    let Ok(bytes) = <[u8; 20]>::from_hex(stripped) else {
  180|      0|        return false;
  181|       |    };
  182|     64|    let sum = eip55(&bytes);
  183|     64|    sum.trim_start_matches("0x") == stripped
  184|     64|}
  185|       |
  186|    277|fn parse_tagged_line(tag: &str, line: Option<&str>) -> Result<String, AppError> {
  187|    277|    let line = line.ok_or_else(|| parse_err(format!("missing {tag} line")))?;
                                                ^0        ^0                             ^0
  188|    277|    line.strip_prefix(tag)
  189|    277|        .map(str::trim)
  190|    277|        .filter(|s| !s.is_empty())
                                   ^265^265
  191|    277|        .map(str::to_string)
  192|    277|        .ok_or_else(|| parse_err(format!("expected line starting with {tag}")))
                                     ^12       ^12
  193|    277|}
  194|       |
  195|    109|fn tag_optional(tag: &str, line: Option<&str>) -> Result<Option<OffsetDateTime>, AppError> {
  196|     32|    match line {
  197|     32|        Some(l) if l.starts_with(tag) => {
                           ^25                    ^25
  198|     25|            let raw = l
  199|     25|                .strip_prefix(tag)
  200|     25|                .ok_or_else(|| parse_err(format!("bad {tag}")))?;
                                             ^0        ^0                    ^0
  201|     25|            Ok(Some(parse_rfc3339(raw)?))
                                                    ^2
  202|       |        }
  203|     84|        _ => Ok(None),
  204|       |    }
  205|    109|}
  206|       |
  207|     53|fn tag_optional_str(tag: &str, line: Option<&str>) -> Result<Option<String>, AppError> {
  208|      9|    match line {
  209|      9|        Some(l) if l.starts_with(tag) => Ok(Some(
                           ^5                     ^5
  210|      5|            l.strip_prefix(tag)
  211|      5|                .ok_or_else(|| parse_err(format!("bad {tag}")))?
                                             ^0        ^0                    ^0
  212|      5|                .to_string(),
  213|       |        )),
  214|     48|        _ => Ok(None),
  215|       |    }
  216|     53|}
  217|       |
  218|     58|fn parse_timestamp_tag(tag: &str, line: Option<&str>) -> Result<OffsetDateTime, AppError> {
  219|     58|    let line = line.ok_or_else(|| parse_err(format!("missing {tag}")))?;
                                                ^0        ^0                        ^0
  220|     58|    let raw = line
                      ^56
  221|     58|        .strip_prefix(tag)
  222|     58|        .ok_or_else(|| parse_err(format!("expected {tag}")))?;
                                     ^2        ^2                         ^2
  223|     56|    parse_rfc3339(raw)
  224|     58|}
  225|       |
  226|     81|fn parse_rfc3339(raw: &str) -> Result<OffsetDateTime, AppError> {
  227|     81|    OffsetDateTime::parse(raw.trim(), &time::format_description::well_known::Rfc3339)
  228|     81|        .map_err(|_| parse_err("timestamp must be RFC 3339"))
                                   ^3
  229|     81|}
  230|       |
  231|     12|fn parse_resource_line(line: &str) -> Result<String, AppError> {
  232|     12|    let uri = line
                      ^10
  233|     12|        .strip_prefix("- ")
  234|     12|        .ok_or_else(|| parse_err("resource must start with '- '"))?;
                                     ^2                                         ^2
  235|     10|    if uri.contains(' ') {
  236|      1|        return Err(parse_err(
  237|      1|            "each resource must be on its own line with a single URI",
  238|      1|        ));
  239|      9|    }
  240|      9|    validate_uri(uri)?;
                                   ^2
  241|      7|    Ok(uri.to_string())
  242|     12|}
  243|       |
  244|     81|fn validate_uri(uri: &str) -> Result<(), AppError> {
  245|     81|    Url::parse(uri).map_err(|_| parse_err("URI must be RFC 3986"))?;
                                              ^3                                ^3
  246|     78|    Ok(())
  247|     81|}
  248|       |
  249|     38|fn parse_err(msg: impl Into<String>) -> AppError {
  250|     38|    AppError::InvalidRequest(format!("invalid SIWE message: {}", msg.into()))
  251|     38|}
  252|       |
  253|       |#[cfg(test)]
  254|       |mod tests {
  255|       |    use super::*;
  256|       |
  257|       |    #[test]
  258|      1|    fn rejects_hyphenated_nonce() {
  259|      1|        let nonce = "550e8400-e29b-41d4-a716-446655440000";
  260|      1|        let msg = format!(
  261|       |            "localhost wants you to sign in with your Ethereum account:\n0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266\n\n\nURI: http://localhost:3001\nVersion: 1\nChain ID: 324\nNonce: {nonce}\nIssued At: 2021-09-30T16:25:24Z"
  262|       |        );
  263|      1|        assert!(parse_siwe_message(&msg).is_err());
  264|      1|    }
  265|       |
  266|       |    #[test]
  267|      1|    fn parses_simple_uuid_nonce() {
  268|      1|        let nonce = "550e8400e29b41d4a716446655440000";
  269|      1|        let msg = format!(
  270|       |            "localhost wants you to sign in with your Ethereum account:\n0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266\n\n\nURI: http://localhost:3001\nVersion: 1\nChain ID: 324\nNonce: {nonce}\nIssued At: 2021-09-30T16:25:24Z"
  271|       |        );
  272|      1|        let parsed = parse_siwe_message(&msg).unwrap();
  273|      1|        assert_eq!(parsed.nonce, nonce);
  274|      1|    }
  275|       |}

/home/runner/work/trust-relay/trust-relay/src/services/siwe/policy.rs:
    1|       |//! SIWE validation policy (time window and trust-relay config binding).
    2|       |
    3|       |use time::OffsetDateTime;
    4|       |
    5|       |use super::message::SiweMessage;
    6|       |use crate::{config::AuthConfig, error::AppError};
    7|       |
    8|       |/// Half-open interval `[not_before, expiration_time)` per EIP-4361 best practice.
    9|     24|pub fn valid_at(message: &SiweMessage, t: &OffsetDateTime) -> bool {
   10|     24|    let after_nbf = message.not_before.as_ref().is_none_or(|nbf| t >= nbf);
                                                                               ^2   ^2
   11|     24|    let before_exp = message.expiration_time.as_ref().is_none_or(|exp| t < exp);
                                                                                     ^7  ^7
   12|     24|    after_nbf && before_exp
                               ^23
   13|     24|}
   14|       |
   15|     15|pub fn validate_against_config(auth: &AuthConfig, message: &SiweMessage) -> Result<(), AppError> {
   16|     15|    if message.chain_id != auth.chain_id {
   17|      1|        return Err(AppError::InvalidRequest(format!(
   18|      1|            "chain ID must be {}",
   19|      1|            auth.chain_id
   20|      1|        )));
   21|     14|    }
   22|       |
   23|     14|    let expected_uri = auth.uri.trim();
   24|     14|    if message.uri != expected_uri {
   25|      0|        return Err(AppError::InvalidRequest(
   26|      0|            "SIWE URI does not match configured auth URI".into(),
   27|      0|        ));
   28|     14|    }
   29|       |
   30|     14|    let expected_domain = auth.domain.trim();
   31|     14|    if message.domain != expected_domain {
   32|      0|        return Err(AppError::InvalidRequest(
   33|      0|            "SIWE domain does not match configured auth domain".into(),
   34|      0|        ));
   35|     14|    }
   36|       |
   37|     14|    Ok(())
   38|     15|}
   39|       |
   40|     14|pub fn validate_time(message: &SiweMessage, now: OffsetDateTime) -> Result<(), AppError> {
   41|     14|    if valid_at(message, &now) {
   42|     14|        Ok(())
   43|       |    } else {
   44|      0|        Err(AppError::InvalidSignature(
   45|      0|            "SIWE message is outside its validity window".into(),
   46|      0|        ))
   47|       |    }
   48|     14|}

/home/runner/work/trust-relay/trust-relay/src/services/token.rs:
    1|       |//! Asymmetric JWT access-token minting and JWKS publication.
    2|       |
    3|       |use base64::Engine;
    4|       |use ed25519_dalek::{pkcs8::EncodePrivateKey, SigningKey, VerifyingKey};
    5|       |use jsonwebtoken::{encode, Algorithm, DecodingKey, EncodingKey, Header, Validation};
    6|       |use rand::rngs::OsRng;
    7|       |use serde_json::{json, Value};
    8|       |use time::OffsetDateTime;
    9|       |use uuid::Uuid;
   10|       |
   11|       |use crate::{config::SigningConfig, error::AppError, models::claims::AccessTokenClaims};
   12|       |
   13|       |pub struct TokenService {
   14|       |    verifying_key: VerifyingKey,
   15|       |    encoding_key: EncodingKey,
   16|       |    decoding_key: DecodingKey,
   17|       |    config: SigningConfig,
   18|       |}
   19|       |
   20|       |impl TokenService {
   21|     33|    pub fn new(config: SigningConfig) -> Result<Self, AppError> {
   22|     33|        let signing_key = load_signing_key(&config)?;
                                                                 ^0
   23|     33|        let verifying_key = signing_key.verifying_key();
   24|     33|        let encoding_key = encoding_key_from_signing(&signing_key)?;
                                                                                ^0
   25|     33|        let decoding_key = decoding_key_from_verifying(&verifying_key);
   26|     33|        Ok(Self {
   27|     33|            verifying_key,
   28|     33|            encoding_key,
   29|     33|            decoding_key,
   30|     33|            config,
   31|     33|        })
   32|     33|    }
   33|       |
   34|      1|    pub fn kid(&self) -> &str {
   35|      1|        &self.config.kid
   36|      1|    }
   37|       |
   38|       |    /// RFC 7517 JWKS document for resource-server verification.
   39|      3|    pub fn jwks(&self) -> Value {
   40|      3|        let x =
   41|      3|            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(self.verifying_key.to_bytes());
   42|      3|        json!({
   43|      3|            "keys": [{
   44|      3|                "kty": "OKP",
   45|      3|                "crv": "Ed25519",
   46|      3|                "kid": self.config.kid,
   47|      3|                "use": "sig",
   48|      3|                "alg": "EdDSA",
   49|      3|                "x": x,
   50|       |            }]
   51|       |        })
   52|      3|    }
   53|       |
   54|       |    /// Mint a wallet-tier access token (used by `POST /session` in M2b).
   55|     14|    pub fn mint_wallet_token(
   56|     14|        &self,
   57|     14|        wallet: &str,
   58|     14|        scopes: &[&str],
   59|     14|        chain_id: u64,
   60|     14|    ) -> Result<String, AppError> {
   61|     14|        let sub = normalize_wallet_sub(wallet)?;
                                                            ^0
   62|     14|        let now = OffsetDateTime::now_utc();
   63|     14|        let iat = now.unix_timestamp();
   64|     14|        let exp = iat + i64::from(self.config.access_token_ttl_secs);
   65|     14|        let claims = AccessTokenClaims {
   66|     14|            iss: self.config.issuer.clone(),
   67|     14|            sub,
   68|     14|            aud: self.config.audience.clone(),
   69|     14|            iat,
   70|     14|            nbf: iat,
   71|     14|            exp,
   72|     14|            jti: Uuid::new_v4().to_string(),
   73|     14|            scope: scopes.join(" "),
   74|     14|            chain_id: Some(chain_id),
   75|     14|            ver: Some(1),
   76|     14|        };
   77|     14|        self.encode_claims(&claims)
   78|     14|    }
   79|       |
   80|       |    /// Verify an access token and return claims (for tests and future session flows).
   81|     12|    pub fn verify(&self, token: &str) -> Result<AccessTokenClaims, AppError> {
   82|     12|        let mut validation = Validation::new(Algorithm::EdDSA);
   83|     12|        validation.set_issuer(&[&self.config.issuer]);
   84|     12|        validation.set_audience(&[&self.config.audience]);
   85|     12|        validation.validate_exp = true;
   86|     12|        validation.validate_nbf = true;
   87|     12|        validation.set_required_spec_claims(&["exp", "nbf", "iat"]);
   88|     11|        let token_data =
   89|     12|            jsonwebtoken::decode::<AccessTokenClaims>(token, &self.decoding_key, &validation)
   90|     12|                .map_err(|e| AppError::InvalidToken(format!("jwt verify failed: {e}")))?;
                                                                  ^1                                 ^1
   91|     11|        Ok(token_data.claims)
   92|     12|    }
   93|       |
   94|     14|    fn encode_claims(&self, claims: &AccessTokenClaims) -> Result<String, AppError> {
   95|     14|        let mut header = Header::new(Algorithm::EdDSA);
   96|     14|        header.typ = Some("at+jwt".to_string());
   97|     14|        header.kid = Some(self.config.kid.clone());
   98|     14|        encode(&header, claims, &self.encoding_key)
   99|     14|            .map_err(|e| AppError::Internal(format!("jwt encode failed: {e}")))
                                                          ^0
  100|     14|    }
  101|       |}
  102|       |
  103|     34|fn encoding_key_from_signing(signing_key: &SigningKey) -> Result<EncodingKey, AppError> {
  104|     34|    let der = signing_key
  105|     34|        .to_pkcs8_der()
  106|     34|        .map_err(|e| AppError::Internal(format!("pkcs8 encode failed: {e}")))?;
                                                      ^0                                   ^0
  107|     34|    Ok(EncodingKey::from_ed_der(der.as_bytes()))
  108|     34|}
  109|       |
  110|     33|fn decoding_key_from_verifying(verifying_key: &VerifyingKey) -> DecodingKey {
  111|     33|    let x = base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(verifying_key.to_bytes());
  112|     33|    DecodingKey::from_ed_components(&x).expect("valid ed25519 public key")
  113|     33|}
  114|       |
  115|     34|fn load_signing_key(config: &SigningConfig) -> Result<SigningKey, AppError> {
  116|     34|    if config.key_seed_b64.trim().is_empty() {
  117|     14|        tracing::warn!(
  118|       |            "generating ephemeral Ed25519 signing key; set APP_SIGNING__KEY_SEED_B64 for a stable kid/JWKS"
  119|       |        );
  120|     14|        return Ok(SigningKey::generate(&mut OsRng));
  121|     20|    }
  122|       |
  123|     20|    let seed_bytes = base64::engine::general_purpose::STANDARD
  124|     20|        .decode(config.key_seed_b64.trim())
  125|     20|        .map_err(|e| AppError::Internal(format!("signing key seed decode: {e}")))?;
                                                      ^0                                       ^0
  126|     20|    let seed: [u8; 32] = seed_bytes
  127|     20|        .as_slice()
  128|     20|        .try_into()
  129|     20|        .map_err(|_| AppError::Internal("signing key seed must be 32 bytes".into()))?;
                                                      ^0                                  ^0      ^0
  130|     20|    Ok(SigningKey::from_bytes(&seed))
  131|     34|}
  132|       |
  133|     15|fn normalize_wallet_sub(wallet: &str) -> Result<String, AppError> {
  134|     15|    let w = wallet.trim();
  135|     15|    if !w.starts_with("0x") || w.len() != 42 {
                                             ^14
  136|      1|        return Err(AppError::InvalidRequest(
  137|      1|            "wallet address must be 0x-prefixed 20-byte hex".into(),
  138|      1|        ));
  139|     14|    }
  140|    560|    if !w[2..].chars().all(|c| c.is_ascii_hexdigit()) {
                      ^14            ^14
  141|      0|        return Err(AppError::InvalidRequest(
  142|      0|            "wallet address must be hex".into(),
  143|      0|        ));
  144|     14|    }
  145|     14|    Ok(w.to_ascii_lowercase())
  146|     15|}
  147|       |
  148|       |#[cfg(test)]
  149|       |mod tests {
  150|       |    use super::*;
  151|       |    use base64::Engine;
  152|       |
  153|      3|    fn test_config() -> SigningConfig {
  154|      3|        let key = SigningKey::generate(&mut OsRng);
  155|      3|        let b64 = base64::engine::general_purpose::STANDARD.encode(key.to_bytes());
  156|      3|        SigningConfig {
  157|      3|            issuer: "http://localhost:3001".into(),
  158|      3|            audience: "nodle-backend".into(),
  159|      3|            kid: "test-key-1".into(),
  160|      3|            access_token_ttl_secs: 3600,
  161|      3|            key_seed_b64: b64,
  162|      3|        }
  163|      3|    }
  164|       |
  165|       |    #[test]
  166|      1|    fn jwks_contains_ed25519_okp_key() {
  167|      1|        let svc = TokenService::new(test_config()).unwrap();
  168|      1|        let jwks = svc.jwks();
  169|      1|        let key = &jwks["keys"][0];
  170|      1|        assert_eq!(key["kty"], "OKP");
  171|      1|        assert_eq!(key["crv"], "Ed25519");
  172|      1|        assert_eq!(key["kid"], "test-key-1");
  173|      1|        assert_eq!(key["alg"], "EdDSA");
  174|      1|        assert!(key["x"].as_str().is_some());
  175|      1|    }
  176|       |
  177|       |    #[test]
  178|      1|    fn mint_and_verify_wallet_token() {
  179|      1|        let svc = TokenService::new(test_config()).unwrap();
  180|      1|        let token = svc
  181|      1|            .mint_wallet_token(
  182|      1|                "0xF39Fd6e51aad88F6F4ce6aB8827279cffFb92266",
  183|      1|                &["ai:invoke", "mint:request"],
  184|       |                324,
  185|       |            )
  186|      1|            .unwrap();
  187|      1|        let claims = svc.verify(&token).unwrap();
  188|      1|        assert_eq!(claims.sub, "0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266");
  189|      1|        assert_eq!(claims.scope, "ai:invoke mint:request");
  190|      1|        assert_eq!(claims.chain_id, Some(324));
  191|      1|        assert_eq!(claims.ver, Some(1));
  192|      1|    }
  193|       |
  194|       |    #[test]
  195|      1|    fn normalize_wallet_rejects_invalid_address() {
  196|      1|        assert!(normalize_wallet_sub("not-a-wallet").is_err());
  197|      1|    }
  198|       |
  199|       |    #[test]
  200|      1|    fn verify_rejects_malformed_exp_claim_type() {
  201|       |        use serde::Serialize;
  202|       |
  203|       |        #[derive(Serialize)]
  204|       |        struct MalformedClaims {
  205|       |            iss: String,
  206|       |            sub: String,
  207|       |            aud: String,
  208|       |            iat: i64,
  209|       |            nbf: i64,
  210|       |            exp: String,
  211|       |            jti: String,
  212|       |        }
  213|       |
  214|      1|        let config = test_config();
  215|      1|        let svc = TokenService::new(config.clone()).unwrap();
  216|      1|        let signing_key = load_signing_key(&config).unwrap();
  217|      1|        let encoding_key = encoding_key_from_signing(&signing_key).unwrap();
  218|      1|        let now = OffsetDateTime::now_utc().unix_timestamp();
  219|      1|        let bad = MalformedClaims {
  220|      1|            iss: config.issuer,
  221|      1|            sub: "0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266".into(),
  222|      1|            aud: config.audience,
  223|      1|            iat: now,
  224|      1|            nbf: now,
  225|      1|            exp: "9999999999".into(),
  226|      1|            jti: Uuid::new_v4().to_string(),
  227|      1|        };
  228|      1|        let mut header = Header::new(Algorithm::EdDSA);
  229|      1|        header.kid = Some(config.kid);
  230|      1|        let token = encode(&header, &bad, &encoding_key).unwrap();
  231|      1|        let err = svc.verify(&token).unwrap_err();
  232|      1|        assert!(matches!(err, AppError::InvalidToken(_)));
                              ^0
  233|      1|    }
  234|       |}

/home/runner/work/trust-relay/trust-relay/src/state.rs:
    1|       |//! Shared application state passed to handlers via Axum `State`.
    2|       |
    3|       |use std::sync::Arc;
    4|       |
    5|       |use crate::{
    6|       |    bootstrap,
    7|       |    config::Config,
    8|       |    error::AppError,
    9|       |    middleware::rate_limit::RateLimiter,
   10|       |    services::{
   11|       |        heuristics::HeuristicsService, nonce::NonceService, quota::QuotaService,
   12|       |        refresh::RefreshService, revocation::RevocationService, token::TokenService,
   13|       |    },
   14|       |};
   15|       |
   16|       |/// Shared state for route handlers.
   17|       |#[derive(Clone)]
   18|       |pub struct AppState {
   19|       |    pub config: Arc<Config>,
   20|       |    pub nonce: Arc<NonceService>,
   21|       |    pub nonce_rate_limiter: Arc<RateLimiter>,
   22|       |    pub token: Arc<TokenService>,
   23|       |    pub revocation: Arc<RevocationService>,
   24|       |    pub refresh: Arc<RefreshService>,
   25|       |    pub heuristics: Arc<HeuristicsService>,
   26|       |    pub quota: Arc<QuotaService>,
   27|       |}
   28|       |
   29|       |impl AppState {
   30|     26|    pub async fn build(config: Config) -> Result<Self, AppError> {
   31|     26|        let store = bootstrap::build_nonce_store(&config).await?;
                                                                             ^0
   32|     26|        let nonce = bootstrap::build_nonce_service(&config, store);
   33|     26|        let nonce_rate_limiter = bootstrap::build_nonce_rate_limiter(&config);
   34|     26|        let token = bootstrap::build_token_service(&config)?;
                                                                         ^0
   35|     26|        let revocation_store = bootstrap::build_revocation_store(&config).await?;
                                                                                             ^0
   36|     26|        let revocation = bootstrap::build_revocation_service(revocation_store);
   37|     26|        let refresh_store = bootstrap::build_refresh_store(&config).await?;
                                                                                       ^0
   38|     26|        let refresh = bootstrap::build_refresh_service(&config, refresh_store);
   39|     26|        let heuristics_store = bootstrap::build_heuristics_store(&config).await?;
                                                                                             ^0
   40|     26|        let heuristics = bootstrap::build_heuristics_service(heuristics_store);
   41|     26|        let quota_store = bootstrap::build_quota_store(&config).await?;
                                                                                   ^0
   42|     26|        let quota = bootstrap::build_quota_service(&config, quota_store);
   43|     26|        Ok(Self {
   44|     26|            config: Arc::new(config),
   45|     26|            nonce,
   46|     26|            nonce_rate_limiter,
   47|     26|            token,
   48|     26|            revocation,
   49|     26|            refresh,
   50|     26|            heuristics,
   51|     26|            quota,
   52|     26|        })
   53|     26|    }
   54|       |}

/home/runner/work/trust-relay/trust-relay/src/store/heuristics.rs:
    1|       |//! Wallet heuristic persistence (phase-0: first-seen / established).
    2|       |
    3|       |mod memory;
    4|       |mod redis;
    5|       |
    6|       |pub use memory::InMemoryHeuristicsStore;
    7|       |pub use redis::RedisHeuristicsStore;
    8|       |
    9|       |use async_trait::async_trait;
   10|       |use thiserror::Error;
   11|       |
   12|       |use crate::error::AppError;
   13|       |
   14|       |#[derive(Debug, Error)]
   15|       |pub enum HeuristicsStoreError {
   16|       |    #[error("store unavailable")]
   17|       |    Unavailable(#[from] ::redis::RedisError),
   18|       |    #[error("{0}")]
   19|       |    Other(String),
   20|       |}
   21|       |
   22|       |impl From<HeuristicsStoreError> for AppError {
   23|      0|    fn from(err: HeuristicsStoreError) -> Self {
   24|      0|        Self::Internal(err.to_string())
   25|      0|    }
   26|       |}
   27|       |
   28|       |#[async_trait]
   29|       |pub trait HeuristicsStore: Send + Sync {
   30|       |    /// Whether the wallet has completed at least one prior session.
   31|       |    async fn is_established(&self, wallet: &str) -> Result<bool, HeuristicsStoreError>;
   32|       |
   33|       |    /// Record that the wallet completed a session (called after successful mint).
   34|       |    async fn mark_established(&self, wallet: &str) -> Result<(), HeuristicsStoreError>;
   35|       |}

/home/runner/work/trust-relay/trust-relay/src/store/heuristics/memory.rs:
    1|       |//! In-memory wallet heuristic store.
    2|       |
    3|       |use std::collections::HashSet;
    4|       |use std::sync::Mutex;
    5|       |
    6|       |use async_trait::async_trait;
    7|       |
    8|       |use super::{HeuristicsStore, HeuristicsStoreError};
    9|       |
   10|       |#[derive(Default)]
   11|       |pub struct InMemoryHeuristicsStore {
   12|       |    established: Mutex<HashSet<String>>,
   13|       |}
   14|       |
   15|       |#[async_trait]
   16|       |impl HeuristicsStore for InMemoryHeuristicsStore {
   17|      0|    async fn is_established(&self, wallet: &str) -> Result<bool, HeuristicsStoreError> {
   18|       |        let guard = self
   19|       |            .established
   20|       |            .lock()
   21|      0|            .map_err(|_| HeuristicsStoreError::Other("lock poisoned".into()))?;
   22|       |        Ok(guard.contains(wallet))
   23|      0|    }
   24|       |
   25|      0|    async fn mark_established(&self, wallet: &str) -> Result<(), HeuristicsStoreError> {
   26|       |        self.established
   27|       |            .lock()
   28|      0|            .map_err(|_| HeuristicsStoreError::Other("lock poisoned".into()))?
   29|       |            .insert(wallet.to_string());
   30|       |        Ok(())
   31|      0|    }
   32|       |}

/home/runner/work/trust-relay/trust-relay/src/store/heuristics/redis.rs:
    1|       |//! Redis-backed wallet heuristic store.
    2|       |
    3|       |use async_trait::async_trait;
    4|       |use redis::AsyncCommands;
    5|       |
    6|       |use super::{HeuristicsStore, HeuristicsStoreError};
    7|       |
    8|       |const SEEN_PREFIX: &str = "heuristic:seen:";
    9|       |
   10|       |#[derive(Clone)]
   11|       |pub struct RedisHeuristicsStore {
   12|       |    client: redis::aio::ConnectionManager,
   13|       |}
   14|       |
   15|       |impl RedisHeuristicsStore {
   16|     24|    pub async fn connect(url: &str) -> Result<Self, redis::RedisError> {
   17|     24|        let client = redis::Client::open(url)?;
                                                           ^0
   18|     24|        let conn = client.get_connection_manager().await?;
                                                                      ^0
   19|     24|        Ok(Self { client: conn })
   20|     24|    }
   21|       |
   22|     22|    fn key(wallet: &str) -> String {
   23|     22|        format!("{SEEN_PREFIX}{wallet}")
   24|     22|    }
   25|       |}
   26|       |
   27|       |#[async_trait]
   28|       |impl HeuristicsStore for RedisHeuristicsStore {
   29|     11|    async fn is_established(&self, wallet: &str) -> Result<bool, HeuristicsStoreError> {
   30|       |        let key = Self::key(wallet);
   31|       |        let mut conn = self.client.clone();
   32|       |        let exists: bool = conn.exists(key).await?;
   33|       |        Ok(exists)
   34|     11|    }
   35|       |
   36|     11|    async fn mark_established(&self, wallet: &str) -> Result<(), HeuristicsStoreError> {
   37|       |        let key = Self::key(wallet);
   38|       |        let mut conn = self.client.clone();
   39|       |        conn.set::<_, _, ()>(key, "1").await?;
   40|       |        Ok(())
   41|     11|    }
   42|       |}

/home/runner/work/trust-relay/trust-relay/src/store/nonce.rs:
    1|       |//! Nonce persistence — single-use, TTL-bound challenge values.
    2|       |
    3|       |mod memory;
    4|       |mod redis;
    5|       |
    6|       |pub use memory::InMemoryNonceStore;
    7|       |pub use redis::RedisNonceStore;
    8|       |
    9|       |use async_trait::async_trait;
   10|       |use thiserror::Error;
   11|       |use time::OffsetDateTime;
   12|       |
   13|       |use crate::error::AppError;
   14|       |
   15|       |#[derive(Debug, Clone)]
   16|       |pub struct NonceRecord {
   17|       |    pub issued_at: OffsetDateTime,
   18|       |    pub expires_at: OffsetDateTime,
   19|       |    pub client_ip: Option<String>,
   20|       |    pub used: bool,
   21|       |}
   22|       |
   23|       |#[derive(Debug, Error)]
   24|       |pub enum NonceStoreError {
   25|       |    #[error("store unavailable")]
   26|       |    Unavailable(#[from] ::redis::RedisError),
   27|       |    #[error("{0}")]
   28|       |    Other(String),
   29|       |}
   30|       |
   31|       |impl From<NonceStoreError> for AppError {
   32|      1|    fn from(err: NonceStoreError) -> Self {
   33|      1|        Self::Internal(err.to_string())
   34|      1|    }
   35|       |}
   36|       |
   37|       |#[async_trait]
   38|       |pub trait NonceStore: Send + Sync {
   39|       |    async fn put(&self, nonce: &str, record: &NonceRecord) -> Result<(), NonceStoreError>;
   40|       |    async fn get(&self, nonce: &str) -> Result<Option<NonceRecord>, NonceStoreError>;
   41|       |    async fn mark_used(&self, nonce: &str) -> Result<(), NonceStoreError>;
   42|       |}
   43|       |
   44|       |#[cfg(test)]
   45|       |mod tests {
   46|       |    use super::*;
   47|       |
   48|       |    #[test]
   49|      1|    fn nonce_store_error_maps_to_internal_app_error() {
   50|      1|        let err = NonceStoreError::Other("boom".into());
   51|      1|        let app: AppError = err.into();
   52|      1|        assert!(matches!(app, AppError::Internal(msg) if msg == "boom"));
   53|      1|    }
   54|       |}

/home/runner/work/trust-relay/trust-relay/src/store/nonce/memory.rs:
    1|       |//! In-memory nonce store for tests and development without Redis.
    2|       |
    3|       |use std::collections::HashMap;
    4|       |use std::sync::Mutex;
    5|       |
    6|       |use async_trait::async_trait;
    7|       |
    8|       |use super::{NonceRecord, NonceStore, NonceStoreError};
    9|       |
   10|       |#[derive(Default)]
   11|       |pub struct InMemoryNonceStore {
   12|       |    inner: Mutex<HashMap<String, NonceRecord>>,
   13|       |}
   14|       |
   15|       |#[async_trait]
   16|       |impl NonceStore for InMemoryNonceStore {
   17|      6|    async fn put(&self, nonce: &str, record: &NonceRecord) -> Result<(), NonceStoreError> {
   18|       |        self.inner
   19|       |            .lock()
   20|      0|            .map_err(|_| NonceStoreError::Other("lock poisoned".into()))?
   21|       |            .insert(nonce.to_string(), record.clone());
   22|       |        Ok(())
   23|      6|    }
   24|       |
   25|      7|    async fn get(&self, nonce: &str) -> Result<Option<NonceRecord>, NonceStoreError> {
   26|       |        Ok(self
   27|       |            .inner
   28|       |            .lock()
   29|      0|            .map_err(|_| NonceStoreError::Other("lock poisoned".into()))?
   30|       |            .get(nonce)
   31|       |            .cloned())
   32|      7|    }
   33|       |
   34|      2|    async fn mark_used(&self, nonce: &str) -> Result<(), NonceStoreError> {
   35|       |        let mut guard = self
   36|       |            .inner
   37|       |            .lock()
   38|      0|            .map_err(|_| NonceStoreError::Other("lock poisoned".into()))?;
   39|       |        if let Some(record) = guard.get_mut(nonce) {
   40|       |            record.used = true;
   41|       |        }
   42|       |        Ok(())
   43|      2|    }
   44|       |}
   45|       |
   46|       |#[cfg(test)]
   47|       |mod tests {
   48|       |    use super::*;
   49|       |    use time::OffsetDateTime;
   50|       |
   51|       |    #[tokio::test]
   52|      1|    async fn put_get_and_mark_used() {
   53|      1|        let store = InMemoryNonceStore::default();
   54|      1|        let now = OffsetDateTime::now_utc();
   55|      1|        let record = NonceRecord {
   56|      1|            issued_at: now,
   57|      1|            expires_at: now + time::Duration::minutes(2),
   58|      1|            client_ip: Some("127.0.0.1".into()),
   59|      1|            used: false,
   60|      1|        };
   61|      1|        store.put("abc", &record).await.unwrap();
   62|      1|        let fetched = store.get("abc").await.unwrap().unwrap();
   63|      1|        assert!(!fetched.used);
   64|      1|        store.mark_used("abc").await.unwrap();
   65|      1|        assert!(store.get("abc").await.unwrap().unwrap().used);
   66|      1|    }
   67|       |}

/home/runner/work/trust-relay/trust-relay/src/store/nonce/redis.rs:
    1|       |//! Redis-backed nonce store for production.
    2|       |
    3|       |use async_trait::async_trait;
    4|       |use redis::AsyncCommands;
    5|       |use serde::{Deserialize, Serialize};
    6|       |use time::OffsetDateTime;
    7|       |
    8|       |use super::{NonceRecord, NonceStore, NonceStoreError};
    9|       |
   10|       |const KEY_PREFIX: &str = "nonce:";
   11|       |
   12|       |#[derive(Clone)]
   13|       |pub struct RedisNonceStore {
   14|       |    client: redis::aio::ConnectionManager,
   15|       |}
   16|       |
   17|       |impl RedisNonceStore {
   18|     27|    pub async fn connect(url: &str) -> Result<Self, redis::RedisError> {
   19|     27|        let client = redis::Client::open(url)?;
                                                           ^0
   20|     27|        let conn = client.get_connection_manager().await?;
                                                                      ^0
   21|     27|        Ok(Self { client: conn })
   22|     27|    }
   23|       |}
   24|       |
   25|       |#[derive(Serialize, Deserialize)]
   26|       |struct StoredNonce {
   27|       |    issued_at: i64,
   28|       |    expires_at: i64,
   29|       |    client_ip: Option<String>,
   30|       |    used: bool,
   31|       |}
   32|       |
   33|       |impl From<&NonceRecord> for StoredNonce {
   34|     49|    fn from(record: &NonceRecord) -> Self {
   35|     49|        Self {
   36|     49|            issued_at: record.issued_at.unix_timestamp(),
   37|     49|            expires_at: record.expires_at.unix_timestamp(),
   38|     49|            client_ip: record.client_ip.clone(),
   39|     49|            used: record.used,
   40|     49|        }
   41|     49|    }
   42|       |}
   43|       |
   44|       |impl StoredNonce {
   45|     17|    fn into_record(self) -> NonceRecord {
   46|       |        NonceRecord {
   47|     17|            issued_at: OffsetDateTime::from_unix_timestamp(self.issued_at)
   48|     17|                .unwrap_or_else(|_| OffsetDateTime::now_utc()),
                                                  ^1
   49|     17|            expires_at: OffsetDateTime::from_unix_timestamp(self.expires_at)
   50|     17|                .unwrap_or_else(|_| OffsetDateTime::now_utc()),
                                                  ^1
   51|     17|            client_ip: self.client_ip,
   52|     17|            used: self.used,
   53|       |        }
   54|     17|    }
   55|       |}
   56|       |
   57|       |#[async_trait]
   58|       |impl NonceStore for RedisNonceStore {
   59|     48|    async fn put(&self, nonce: &str, record: &NonceRecord) -> Result<(), NonceStoreError> {
   60|       |        let key = format!("{KEY_PREFIX}{nonce}");
   61|       |        let ttl = (record.expires_at - record.issued_at)
   62|       |            .whole_seconds()
   63|       |            .max(1) as u64;
   64|       |        let payload = serde_json::to_string(&StoredNonce::from(record))
   65|      0|            .map_err(|e| NonceStoreError::Other(e.to_string()))?;
   66|       |        let mut conn = self.client.clone();
   67|       |        conn.set_ex::<_, _, ()>(key, payload, ttl).await?;
   68|       |        Ok(())
   69|     48|    }
   70|       |
   71|     17|    async fn get(&self, nonce: &str) -> Result<Option<NonceRecord>, NonceStoreError> {
   72|       |        let key = format!("{KEY_PREFIX}{nonce}");
   73|       |        let mut conn = self.client.clone();
   74|       |        let raw: Option<String> = conn.get(key).await?;
   75|       |        Ok(raw
   76|     16|            .map(|s| {
   77|     16|                serde_json::from_str::<StoredNonce>(&s)
   78|     16|                    .map(|stored| stored.into_record())
                                                ^15    ^15
   79|     16|                    .map_err(|e| NonceStoreError::Other(e.to_string()))
                                                                      ^1^1
   80|     16|            })
   81|       |            .transpose()?)
   82|     17|    }
   83|       |
   84|     12|    async fn mark_used(&self, nonce: &str) -> Result<(), NonceStoreError> {
   85|       |        let key = format!("{KEY_PREFIX}{nonce}");
   86|       |        let mut conn = self.client.clone();
   87|       |        let raw: Option<String> = conn.get(&key).await?;
   88|       |        if let Some(s) = raw {
   89|       |            let mut stored: StoredNonce =
   90|      0|                serde_json::from_str(&s).map_err(|e| NonceStoreError::Other(e.to_string()))?;
   91|       |            stored.used = true;
   92|       |            let ttl: i64 = conn.ttl(&key).await.unwrap_or(60);
   93|       |            let ttl = ttl.max(1) as u64;
   94|       |            let payload = serde_json::to_string(&stored)
   95|      0|                .map_err(|e| NonceStoreError::Other(e.to_string()))?;
   96|       |            conn.set_ex::<_, _, ()>(key, payload, ttl).await?;
   97|       |        }
   98|       |        Ok(())
   99|     12|    }
  100|       |}
  101|       |
  102|       |#[cfg(test)]
  103|       |mod tests {
  104|       |    use super::*;
  105|       |    use time::OffsetDateTime;
  106|       |
  107|       |    #[test]
  108|      1|    fn stored_nonce_roundtrip_from_record() {
  109|      1|        let now = OffsetDateTime::now_utc();
  110|      1|        let record = NonceRecord {
  111|      1|            issued_at: now,
  112|      1|            expires_at: now + time::Duration::minutes(2),
  113|      1|            client_ip: Some("127.0.0.1".into()),
  114|      1|            used: true,
  115|      1|        };
  116|      1|        let stored = StoredNonce::from(&record);
  117|      1|        let back = stored.into_record();
  118|      1|        assert_eq!(back.client_ip, record.client_ip);
  119|      1|        assert_eq!(back.used, record.used);
  120|      1|    }
  121|       |
  122|       |    #[test]
  123|      1|    fn stored_nonce_falls_back_on_invalid_timestamps() {
  124|      1|        let stored = StoredNonce {
  125|      1|            issued_at: i64::MAX,
  126|      1|            expires_at: i64::MAX,
  127|      1|            client_ip: None,
  128|      1|            used: false,
  129|      1|        };
  130|      1|        let _ = stored.into_record();
  131|      1|    }
  132|       |}

/home/runner/work/trust-relay/trust-relay/src/store/quota.rs:
    1|       |//! Per-wallet quota counters for paid scopes.
    2|       |
    3|       |mod memory;
    4|       |mod redis;
    5|       |
    6|       |pub use memory::InMemoryQuotaStore;
    7|       |pub use redis::RedisQuotaStore;
    8|       |
    9|       |use async_trait::async_trait;
   10|       |use thiserror::Error;
   11|       |
   12|       |use crate::error::AppError;
   13|       |
   14|       |#[derive(Debug, Clone, PartialEq, Eq)]
   15|       |pub struct QuotaBucket {
   16|       |    pub used: u64,
   17|       |    pub limit: u64,
   18|       |}
   19|       |
   20|       |#[derive(Debug, Error)]
   21|       |pub enum QuotaStoreError {
   22|       |    #[error("store unavailable")]
   23|       |    Unavailable(#[from] ::redis::RedisError),
   24|       |    #[error("quota bucket missing")]
   25|       |    NotFound,
   26|       |    #[error("quota exceeded")]
   27|       |    Exceeded,
   28|       |    #[error("{0}")]
   29|       |    Other(String),
   30|       |}
   31|       |
   32|       |impl From<QuotaStoreError> for AppError {
   33|      2|    fn from(err: QuotaStoreError) -> Self {
   34|      2|        match err {
   35|       |            QuotaStoreError::NotFound => {
   36|      0|                Self::InvalidRequest("quota bucket not initialized for scope".into())
   37|       |            }
   38|      2|            QuotaStoreError::Exceeded => Self::QuotaExceeded("quota exhausted for scope".into()),
   39|      0|            other => Self::Internal(other.to_string()),
   40|       |        }
   41|      2|    }
   42|       |}
   43|       |
   44|       |#[async_trait]
   45|       |pub trait QuotaStore: Send + Sync {
   46|       |    /// Create buckets for the current window when absent (`limit` per scope).
   47|       |    async fn init_scope(
   48|       |        &self,
   49|       |        wallet: &str,
   50|       |        scope: &str,
   51|       |        window_id: u64,
   52|       |        limit: u64,
   53|       |        ttl_secs: u64,
   54|       |    ) -> Result<(), QuotaStoreError>;
   55|       |
   56|       |    async fn get_bucket(
   57|       |        &self,
   58|       |        wallet: &str,
   59|       |        scope: &str,
   60|       |        window_id: u64,
   61|       |    ) -> Result<Option<QuotaBucket>, QuotaStoreError>;
   62|       |
   63|       |    /// Atomically consume `amount` units; returns updated bucket or `NotFound`.
   64|       |    async fn try_consume(
   65|       |        &self,
   66|       |        wallet: &str,
   67|       |        scope: &str,
   68|       |        window_id: u64,
   69|       |        amount: u64,
   70|       |    ) -> Result<QuotaBucket, QuotaStoreError>;
   71|       |}
   72|       |
   73|     24|pub fn encode_bucket(bucket: &QuotaBucket) -> String {
   74|     24|    format!("{},{}", bucket.used, bucket.limit)
   75|     24|}
   76|       |
   77|     24|pub fn decode_bucket(raw: &str) -> Result<QuotaBucket, QuotaStoreError> {
   78|     24|    let (used, limit) = raw
   79|     24|        .split_once(',')
   80|     24|        .ok_or_else(|| QuotaStoreError::Other("invalid quota bucket encoding".into()))?;
                                                            ^0                              ^0      ^0
   81|     24|    let used = used
   82|     24|        .parse()
   83|     24|        .map_err(|_| QuotaStoreError::Other("invalid used count".into()))?;
                                                          ^0                   ^0      ^0
   84|     24|    let limit = limit
   85|     24|        .parse()
   86|     24|        .map_err(|_| QuotaStoreError::Other("invalid limit".into()))?;
                                                          ^0              ^0      ^0
   87|     24|    Ok(QuotaBucket { used, limit })
   88|     24|}
   89|       |
   90|     26|pub fn current_window_id(now_unix: i64, window_secs: u64) -> u64 {
   91|     26|    (now_unix.max(0) as u64) / window_secs.max(1)
   92|     26|}
   93|       |
   94|       |#[cfg(test)]
   95|       |mod tests {
   96|       |    use super::*;
   97|       |
   98|       |    #[test]
   99|      1|    fn bucket_roundtrip() {
  100|      1|        let raw = encode_bucket(&QuotaBucket { used: 3, limit: 10 });
  101|      1|        let bucket = decode_bucket(&raw).unwrap();
  102|      1|        assert_eq!(bucket.used, 3);
  103|      1|        assert_eq!(bucket.limit, 10);
  104|      1|    }
  105|       |
  106|       |    #[test]
  107|      1|    fn window_id_buckets_time() {
  108|      1|        assert_eq!(current_window_id(0, 3600), 0);
  109|      1|        assert_eq!(current_window_id(3600, 3600), 1);
  110|      1|    }
  111|       |}

/home/runner/work/trust-relay/trust-relay/src/store/quota/memory.rs:
    1|       |//! In-memory quota store.
    2|       |
    3|       |use std::collections::HashMap;
    4|       |use std::sync::Mutex;
    5|       |
    6|       |use async_trait::async_trait;
    7|       |
    8|       |use super::{QuotaBucket, QuotaStore, QuotaStoreError};
    9|       |
   10|      4|fn bucket_key(wallet: &str, scope: &str, window_id: u64) -> String {
   11|      4|    format!("{wallet}:{scope}:{window_id}")
   12|      4|}
   13|       |
   14|       |#[derive(Default)]
   15|       |pub struct InMemoryQuotaStore {
   16|       |    buckets: Mutex<HashMap<String, QuotaBucket>>,
   17|       |}
   18|       |
   19|       |#[async_trait]
   20|       |impl QuotaStore for InMemoryQuotaStore {
   21|       |    async fn init_scope(
   22|       |        &self,
   23|       |        wallet: &str,
   24|       |        scope: &str,
   25|       |        window_id: u64,
   26|       |        limit: u64,
   27|       |        _ttl_secs: u64,
   28|      1|    ) -> Result<(), QuotaStoreError> {
   29|       |        let mut guard = self
   30|       |            .buckets
   31|       |            .lock()
   32|      0|            .map_err(|_| QuotaStoreError::Other("lock poisoned".into()))?;
   33|       |        let key = bucket_key(wallet, scope, window_id);
   34|       |        guard
   35|       |            .entry(key)
   36|      0|            .and_modify(|bucket| bucket.limit = limit)
   37|       |            .or_insert(QuotaBucket { used: 0, limit });
   38|       |        Ok(())
   39|      1|    }
   40|       |
   41|       |    async fn get_bucket(
   42|       |        &self,
   43|       |        wallet: &str,
   44|       |        scope: &str,
   45|       |        window_id: u64,
   46|      0|    ) -> Result<Option<QuotaBucket>, QuotaStoreError> {
   47|       |        let guard = self
   48|       |            .buckets
   49|       |            .lock()
   50|      0|            .map_err(|_| QuotaStoreError::Other("lock poisoned".into()))?;
   51|       |        Ok(guard.get(&bucket_key(wallet, scope, window_id)).cloned())
   52|      0|    }
   53|       |
   54|       |    async fn try_consume(
   55|       |        &self,
   56|       |        wallet: &str,
   57|       |        scope: &str,
   58|       |        window_id: u64,
   59|       |        amount: u64,
   60|      3|    ) -> Result<QuotaBucket, QuotaStoreError> {
   61|       |        let mut guard = self
   62|       |            .buckets
   63|       |            .lock()
   64|      0|            .map_err(|_| QuotaStoreError::Other("lock poisoned".into()))?;
   65|       |        let key = bucket_key(wallet, scope, window_id);
   66|       |        let bucket = guard.get_mut(&key).ok_or(QuotaStoreError::NotFound)?;
   67|       |        if bucket.used.saturating_add(amount) > bucket.limit {
   68|       |            return Err(QuotaStoreError::Exceeded);
   69|       |        }
   70|       |        bucket.used += amount;
   71|       |        Ok(bucket.clone())
   72|      3|    }
   73|       |}

/home/runner/work/trust-relay/trust-relay/src/store/quota/redis.rs:
    1|       |//! Redis-backed per-wallet quota counters.
    2|       |
    3|       |use async_trait::async_trait;
    4|       |use redis::AsyncCommands;
    5|       |
    6|       |use super::{decode_bucket, encode_bucket, QuotaBucket, QuotaStore, QuotaStoreError};
    7|       |
    8|       |const KEY_PREFIX: &str = "quota:";
    9|       |
   10|       |#[derive(Clone)]
   11|       |pub struct RedisQuotaStore {
   12|       |    client: redis::aio::ConnectionManager,
   13|       |}
   14|       |
   15|       |impl RedisQuotaStore {
   16|     25|    pub async fn connect(url: &str) -> Result<Self, redis::RedisError> {
   17|     25|        let client = redis::Client::open(url)?;
                                                           ^0
   18|     25|        let conn = client.get_connection_manager().await?;
                                                                      ^0
   19|     25|        Ok(Self { client: conn })
   20|     25|    }
   21|       |
   22|     34|    fn key(wallet: &str, scope: &str, window_id: u64) -> String {
   23|     34|        format!("{KEY_PREFIX}{wallet}:{scope}:{window_id}")
   24|     34|    }
   25|       |}
   26|       |
   27|       |#[async_trait]
   28|       |impl QuotaStore for RedisQuotaStore {
   29|       |    async fn init_scope(
   30|       |        &self,
   31|       |        wallet: &str,
   32|       |        scope: &str,
   33|       |        window_id: u64,
   34|       |        limit: u64,
   35|       |        ttl_secs: u64,
   36|     23|    ) -> Result<(), QuotaStoreError> {
   37|       |        let key = Self::key(wallet, scope, window_id);
   38|       |        let mut conn = self.client.clone();
   39|       |        if let Some(raw) = conn.get::<_, Option<String>>(&key).await? {
   40|       |            let mut bucket = decode_bucket(&raw)?;
   41|       |            bucket.limit = limit;
   42|       |            let payload = encode_bucket(&bucket);
   43|       |            let ttl: i64 = conn.ttl(&key).await.unwrap_or(ttl_secs as i64);
   44|       |            if ttl > 0 {
   45|       |                conn.set_ex::<_, _, ()>(&key, payload, ttl as u64).await?;
   46|       |            } else {
   47|       |                conn.set::<_, _, ()>(&key, payload).await?;
   48|       |            }
   49|       |        } else {
   50|       |            let payload = encode_bucket(&QuotaBucket { used: 0, limit });
   51|       |            conn.set_ex::<_, _, ()>(&key, payload, ttl_secs.max(1))
   52|       |                .await?;
   53|       |        }
   54|       |        Ok(())
   55|     23|    }
   56|       |
   57|       |    async fn get_bucket(
   58|       |        &self,
   59|       |        wallet: &str,
   60|       |        scope: &str,
   61|       |        window_id: u64,
   62|      6|    ) -> Result<Option<QuotaBucket>, QuotaStoreError> {
   63|       |        let key = Self::key(wallet, scope, window_id);
   64|       |        let mut conn = self.client.clone();
   65|       |        let raw: Option<String> = conn.get(key).await?;
   66|      6|        raw.map(|s| decode_bucket(&s)).transpose()
   67|      6|    }
   68|       |
   69|       |    async fn try_consume(
   70|       |        &self,
   71|       |        wallet: &str,
   72|       |        scope: &str,
   73|       |        window_id: u64,
   74|       |        amount: u64,
   75|      5|    ) -> Result<QuotaBucket, QuotaStoreError> {
   76|       |        let key = Self::key(wallet, scope, window_id);
   77|       |        let mut conn = self.client.clone();
   78|       |        let script = r#"
   79|       |            local raw = redis.call('GET', KEYS[1])
   80|       |            if not raw then return -1 end
   81|       |            local sep = string.find(raw, ',')
   82|       |            if not sep then return -2 end
   83|       |            local used = tonumber(string.sub(raw, 1, sep - 1))
   84|       |            local limit = tonumber(string.sub(raw, sep + 1))
   85|       |            local amount = tonumber(ARGV[1])
   86|       |            if used + amount > limit then return -3 end
   87|       |            used = used + amount
   88|       |            local updated = tostring(used) .. ',' .. tostring(limit)
   89|       |            local ttl = redis.call('TTL', KEYS[1])
   90|       |            if ttl > 0 then
   91|       |                redis.call('SET', KEYS[1], updated, 'EX', ttl)
   92|       |            else
   93|       |                redis.call('SET', KEYS[1], updated)
   94|       |            end
   95|       |            return limit - used
   96|       |        "#;
   97|       |        let remaining: i64 = redis::Script::new(script)
   98|       |            .key(key)
   99|       |            .arg(amount)
  100|       |            .invoke_async(&mut conn)
  101|       |            .await?;
  102|       |        match remaining {
  103|       |            -1 => Err(QuotaStoreError::NotFound),
  104|       |            -2 => Err(QuotaStoreError::Other("invalid bucket".into())),
  105|       |            -3 => Err(QuotaStoreError::Exceeded),
  106|       |            _ => self
  107|       |                .get_bucket(wallet, scope, window_id)
  108|       |                .await?
  109|       |                .ok_or(QuotaStoreError::NotFound),
  110|       |        }
  111|      5|    }
  112|       |}

/home/runner/work/trust-relay/trust-relay/src/store/refresh.rs:
    1|       |//! Opaque refresh-token persistence (rotation + replay tombstones).
    2|       |
    3|       |mod memory;
    4|       |mod redis;
    5|       |
    6|       |pub use memory::InMemoryRefreshStore;
    7|       |pub use redis::RedisRefreshStore;
    8|       |
    9|       |use async_trait::async_trait;
   10|       |use serde::{Deserialize, Serialize};
   11|       |use thiserror::Error;
   12|       |
   13|       |use crate::error::AppError;
   14|       |
   15|       |#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
   16|       |pub struct RefreshRecord {
   17|       |    pub family_id: String,
   18|       |    pub wallet: String,
   19|       |    pub rotation: u32,
   20|       |    pub scopes: Vec<String>,
   21|       |    pub chain_id: u64,
   22|       |    pub expires_at: i64,
   23|       |}
   24|       |
   25|       |#[derive(Debug, Error)]
   26|       |pub enum RefreshStoreError {
   27|       |    #[error("store unavailable")]
   28|       |    Unavailable(#[from] ::redis::RedisError),
   29|       |    #[error("{0}")]
   30|       |    Other(String),
   31|       |}
   32|       |
   33|       |impl From<RefreshStoreError> for AppError {
   34|      0|    fn from(err: RefreshStoreError) -> Self {
   35|      0|        Self::Internal(err.to_string())
   36|      0|    }
   37|       |}
   38|       |
   39|       |/// Result of looking up a presented refresh token.
   40|       |#[derive(Debug, Clone, PartialEq, Eq)]
   41|       |pub enum RefreshLookup {
   42|       |    Active(RefreshRecord),
   43|       |    /// Rotated-out token presented again — caller must revoke the family.
   44|       |    Reuse {
   45|       |        family_id: String,
   46|       |    },
   47|       |    Unknown,
   48|       |}
   49|       |
   50|       |#[async_trait]
   51|       |pub trait RefreshStore: Send + Sync {
   52|       |    /// Persist a new refresh token; `token_hash` is SHA-256 hex of the opaque secret.
   53|       |    async fn put_token(
   54|       |        &self,
   55|       |        token_hash: &str,
   56|       |        record: &RefreshRecord,
   57|       |        ttl_secs: u64,
   58|       |    ) -> Result<(), RefreshStoreError>;
   59|       |
   60|       |    async fn get_token(&self, token_hash: &str)
   61|       |        -> Result<Option<RefreshRecord>, RefreshStoreError>;
   62|       |
   63|       |    async fn delete_token(&self, token_hash: &str) -> Result<(), RefreshStoreError>;
   64|       |
   65|       |    /// Tombstone a rotated-out token so reuse can be detected.
   66|       |    async fn mark_replay(
   67|       |        &self,
   68|       |        token_hash: &str,
   69|       |        family_id: &str,
   70|       |        ttl_secs: u64,
   71|       |    ) -> Result<(), RefreshStoreError>;
   72|       |
   73|       |    async fn is_replay(&self, token_hash: &str) -> Result<Option<String>, RefreshStoreError>;
   74|       |
   75|       |    async fn revoke_family(&self, family_id: &str, ttl_secs: u64) -> Result<(), RefreshStoreError>;
   76|       |
   77|       |    async fn is_family_revoked(&self, family_id: &str) -> Result<bool, RefreshStoreError>;
   78|       |}
   79|       |
   80|       |/// SHA-256 hex digest of the opaque refresh secret (never store the raw token).
   81|     25|pub fn hash_refresh_token(token: &str) -> String {
   82|       |    use sha2::{Digest, Sha256};
   83|     25|    hex::encode(Sha256::digest(token.as_bytes()))
   84|     25|}
   85|       |
   86|       |#[cfg(test)]
   87|       |mod tests {
   88|       |    use super::*;
   89|       |
   90|       |    #[test]
   91|      1|    fn hash_refresh_token_is_stable_hex() {
   92|      1|        let h = hash_refresh_token("opaque-secret");
   93|      1|        assert_eq!(h.len(), 64);
   94|      1|        assert_eq!(h, hash_refresh_token("opaque-secret"));
   95|      1|    }
   96|       |}

/home/runner/work/trust-relay/trust-relay/src/store/refresh/memory.rs:
    1|       |//! In-memory refresh-token store for tests and dev without Redis.
    2|       |
    3|       |use std::collections::HashMap;
    4|       |use std::sync::Mutex;
    5|       |use std::time::{Duration, Instant};
    6|       |
    7|       |use async_trait::async_trait;
    8|       |
    9|       |use super::{RefreshRecord, RefreshStore, RefreshStoreError};
   10|       |
   11|       |struct Timed<T> {
   12|       |    value: T,
   13|       |    expires_at: Instant,
   14|       |}
   15|       |
   16|       |#[derive(Default)]
   17|       |pub struct InMemoryRefreshStore {
   18|       |    tokens: Mutex<HashMap<String, Timed<RefreshRecord>>>,
   19|       |    replays: Mutex<HashMap<String, Timed<String>>>,
   20|       |    families: Mutex<HashMap<String, Timed<()>>>,
   21|       |}
   22|       |
   23|       |impl InMemoryRefreshStore {
   24|      4|    fn retain_tokens(map: &mut HashMap<String, Timed<RefreshRecord>>) {
   25|      4|        map.retain(|_, e| e.expires_at > Instant::now());
                                        ^2             ^2
   26|      4|    }
   27|       |
   28|      4|    fn retain_replays(map: &mut HashMap<String, Timed<String>>) {
   29|      4|        map.retain(|_, e| e.expires_at > Instant::now());
                                        ^2             ^2
   30|      4|    }
   31|       |
   32|      3|    fn retain_families(map: &mut HashMap<String, Timed<()>>) {
   33|      3|        map.retain(|_, e| e.expires_at > Instant::now());
                                        ^1             ^1
   34|      3|    }
   35|       |}
   36|       |
   37|       |#[async_trait]
   38|       |impl RefreshStore for InMemoryRefreshStore {
   39|       |    async fn put_token(
   40|       |        &self,
   41|       |        token_hash: &str,
   42|       |        record: &RefreshRecord,
   43|       |        ttl_secs: u64,
   44|      2|    ) -> Result<(), RefreshStoreError> {
   45|       |        let mut guard = self
   46|       |            .tokens
   47|       |            .lock()
   48|      0|            .map_err(|_| RefreshStoreError::Other("lock poisoned".into()))?;
   49|       |        Self::retain_tokens(&mut guard);
   50|       |        guard.insert(
   51|       |            token_hash.to_string(),
   52|       |            Timed {
   53|       |                value: record.clone(),
   54|       |                expires_at: Instant::now() + Duration::from_secs(ttl_secs.max(1)),
   55|       |            },
   56|       |        );
   57|       |        Ok(())
   58|      2|    }
   59|       |
   60|       |    async fn get_token(
   61|       |        &self,
   62|       |        token_hash: &str,
   63|      2|    ) -> Result<Option<RefreshRecord>, RefreshStoreError> {
   64|       |        let mut guard = self
   65|       |            .tokens
   66|       |            .lock()
   67|      0|            .map_err(|_| RefreshStoreError::Other("lock poisoned".into()))?;
   68|       |        Self::retain_tokens(&mut guard);
   69|      2|        Ok(guard.get(token_hash).map(|e| e.value.clone()))
   70|      2|    }
   71|       |
   72|      1|    async fn delete_token(&self, token_hash: &str) -> Result<(), RefreshStoreError> {
   73|       |        let mut guard = self
   74|       |            .tokens
   75|       |            .lock()
   76|      0|            .map_err(|_| RefreshStoreError::Other("lock poisoned".into()))?;
   77|       |        guard.remove(token_hash);
   78|       |        Ok(())
   79|      1|    }
   80|       |
   81|       |    async fn mark_replay(
   82|       |        &self,
   83|       |        token_hash: &str,
   84|       |        family_id: &str,
   85|       |        ttl_secs: u64,
   86|      1|    ) -> Result<(), RefreshStoreError> {
   87|       |        let mut guard = self
   88|       |            .replays
   89|       |            .lock()
   90|      0|            .map_err(|_| RefreshStoreError::Other("lock poisoned".into()))?;
   91|       |        Self::retain_replays(&mut guard);
   92|       |        guard.insert(
   93|       |            token_hash.to_string(),
   94|       |            Timed {
   95|       |                value: family_id.to_string(),
   96|       |                expires_at: Instant::now() + Duration::from_secs(ttl_secs.max(1)),
   97|       |            },
   98|       |        );
   99|       |        Ok(())
  100|      1|    }
  101|       |
  102|      3|    async fn is_replay(&self, token_hash: &str) -> Result<Option<String>, RefreshStoreError> {
  103|       |        let mut guard = self
  104|       |            .replays
  105|       |            .lock()
  106|      0|            .map_err(|_| RefreshStoreError::Other("lock poisoned".into()))?;
  107|       |        Self::retain_replays(&mut guard);
  108|      1|        Ok(guard.get(token_hash).map(|e| e.value.clone()))
  109|      3|    }
  110|       |
  111|      1|    async fn revoke_family(&self, family_id: &str, ttl_secs: u64) -> Result<(), RefreshStoreError> {
  112|       |        let mut guard = self
  113|       |            .families
  114|       |            .lock()
  115|      0|            .map_err(|_| RefreshStoreError::Other("lock poisoned".into()))?;
  116|       |        Self::retain_families(&mut guard);
  117|       |        guard.insert(
  118|       |            family_id.to_string(),
  119|       |            Timed {
  120|       |                value: (),
  121|       |                expires_at: Instant::now() + Duration::from_secs(ttl_secs.max(1)),
  122|       |            },
  123|       |        );
  124|       |        Ok(())
  125|      1|    }
  126|       |
  127|      2|    async fn is_family_revoked(&self, family_id: &str) -> Result<bool, RefreshStoreError> {
  128|       |        let mut guard = self
  129|       |            .families
  130|       |            .lock()
  131|      0|            .map_err(|_| RefreshStoreError::Other("lock poisoned".into()))?;
  132|       |        Self::retain_families(&mut guard);
  133|       |        Ok(guard.contains_key(family_id))
  134|      2|    }
  135|       |}

/home/runner/work/trust-relay/trust-relay/src/store/refresh/redis.rs:
    1|       |//! Redis-backed opaque refresh tokens.
    2|       |
    3|       |use async_trait::async_trait;
    4|       |use redis::AsyncCommands;
    5|       |use serde_json;
    6|       |
    7|       |use super::{RefreshRecord, RefreshStore, RefreshStoreError};
    8|       |
    9|       |const TOKEN_PREFIX: &str = "refresh:tok:";
   10|       |const REPLAY_PREFIX: &str = "refresh:replay:";
   11|       |const FAMILY_PREFIX: &str = "refresh:family:";
   12|       |
   13|       |#[derive(Clone)]
   14|       |pub struct RedisRefreshStore {
   15|       |    client: redis::aio::ConnectionManager,
   16|       |}
   17|       |
   18|       |impl RedisRefreshStore {
   19|     25|    pub async fn connect(url: &str) -> Result<Self, redis::RedisError> {
   20|     25|        let client = redis::Client::open(url)?;
                                                           ^0
   21|     25|        let conn = client.get_connection_manager().await?;
                                                                      ^0
   22|     25|        Ok(Self { client: conn })
   23|     25|    }
   24|       |
   25|     22|    fn token_key(hash: &str) -> String {
   26|     22|        format!("{TOKEN_PREFIX}{hash}")
   27|     22|    }
   28|       |
   29|      8|    fn replay_key(hash: &str) -> String {
   30|      8|        format!("{REPLAY_PREFIX}{hash}")
   31|      8|    }
   32|       |
   33|      4|    fn family_key(family_id: &str) -> String {
   34|      4|        format!("{FAMILY_PREFIX}{family_id}")
   35|      4|    }
   36|       |}
   37|       |
   38|       |#[async_trait]
   39|       |impl RefreshStore for RedisRefreshStore {
   40|       |    async fn put_token(
   41|       |        &self,
   42|       |        token_hash: &str,
   43|       |        record: &RefreshRecord,
   44|       |        ttl_secs: u64,
   45|     14|    ) -> Result<(), RefreshStoreError> {
   46|       |        let payload =
   47|      0|            serde_json::to_string(record).map_err(|e| RefreshStoreError::Other(e.to_string()))?;
   48|       |        let key = Self::token_key(token_hash);
   49|       |        let mut conn = self.client.clone();
   50|       |        conn.set_ex::<_, _, ()>(key, payload, ttl_secs.max(1))
   51|       |            .await?;
   52|       |        Ok(())
   53|     14|    }
   54|       |
   55|       |    async fn get_token(
   56|       |        &self,
   57|       |        token_hash: &str,
   58|      5|    ) -> Result<Option<RefreshRecord>, RefreshStoreError> {
   59|       |        let key = Self::token_key(token_hash);
   60|       |        let mut conn = self.client.clone();
   61|       |        let raw: Option<String> = conn.get(key).await?;
   62|       |        Ok(raw
   63|      4|            .map(|s| serde_json::from_str(&s).map_err(|e| RefreshStoreError::Other(e.to_string())))
                                                                                                 ^0^0
   64|       |            .transpose()?)
   65|      5|    }
   66|       |
   67|      3|    async fn delete_token(&self, token_hash: &str) -> Result<(), RefreshStoreError> {
   68|       |        let key = Self::token_key(token_hash);
   69|       |        let mut conn = self.client.clone();
   70|       |        conn.del::<_, ()>(key).await?;
   71|       |        Ok(())
   72|      3|    }
   73|       |
   74|       |    async fn mark_replay(
   75|       |        &self,
   76|       |        token_hash: &str,
   77|       |        family_id: &str,
   78|       |        ttl_secs: u64,
   79|      3|    ) -> Result<(), RefreshStoreError> {
   80|       |        let key = Self::replay_key(token_hash);
   81|       |        let mut conn = self.client.clone();
   82|       |        conn.set_ex::<_, _, ()>(key, family_id, ttl_secs.max(1))
   83|       |            .await?;
   84|       |        Ok(())
   85|      3|    }
   86|       |
   87|      5|    async fn is_replay(&self, token_hash: &str) -> Result<Option<String>, RefreshStoreError> {
   88|       |        let key = Self::replay_key(token_hash);
   89|       |        let mut conn = self.client.clone();
   90|       |        let raw: Option<String> = conn.get(key).await?;
   91|       |        Ok(raw)
   92|      5|    }
   93|       |
   94|      1|    async fn revoke_family(&self, family_id: &str, ttl_secs: u64) -> Result<(), RefreshStoreError> {
   95|       |        let key = Self::family_key(family_id);
   96|       |        let mut conn = self.client.clone();
   97|       |        conn.set_ex::<_, _, ()>(key, "1", ttl_secs.max(1)).await?;
   98|       |        Ok(())
   99|      1|    }
  100|       |
  101|      3|    async fn is_family_revoked(&self, family_id: &str) -> Result<bool, RefreshStoreError> {
  102|       |        let key = Self::family_key(family_id);
  103|       |        let mut conn = self.client.clone();
  104|       |        let exists: bool = conn.exists(key).await?;
  105|       |        Ok(exists)
  106|      3|    }
  107|       |}

/home/runner/work/trust-relay/trust-relay/src/store/revocation.rs:
    1|       |//! `jti` denylist and wallet blocklist persistence.
    2|       |
    3|       |mod memory;
    4|       |mod redis;
    5|       |
    6|       |pub use memory::InMemoryRevocationStore;
    7|       |pub use redis::RedisRevocationStore;
    8|       |
    9|       |use async_trait::async_trait;
   10|       |use thiserror::Error;
   11|       |
   12|       |use crate::error::AppError;
   13|       |
   14|       |const MIN_TTL_SECS: u64 = 1;
   15|       |
   16|       |#[derive(Debug, Error)]
   17|       |pub enum RevocationStoreError {
   18|       |    #[error("store unavailable")]
   19|       |    Unavailable(#[from] ::redis::RedisError),
   20|       |    #[error("{0}")]
   21|       |    Other(String),
   22|       |}
   23|       |
   24|       |impl From<RevocationStoreError> for AppError {
   25|      0|    fn from(err: RevocationStoreError) -> Self {
   26|      0|        Self::Internal(err.to_string())
   27|      0|    }
   28|       |}
   29|       |
   30|       |#[async_trait]
   31|       |pub trait RevocationStore: Send + Sync {
   32|       |    /// Add `jti` to the denylist until `ttl_secs` elapses (token remaining lifetime).
   33|       |    async fn revoke_jti(&self, jti: &str, ttl_secs: u64) -> Result<(), RevocationStoreError>;
   34|       |
   35|       |    async fn is_jti_revoked(&self, jti: &str) -> Result<bool, RevocationStoreError>;
   36|       |
   37|       |    /// Block a wallet from obtaining new sessions. `ttl_secs == 0` means no expiry.
   38|       |    async fn block_wallet(&self, wallet: &str, ttl_secs: u64) -> Result<(), RevocationStoreError>;
   39|       |
   40|       |    async fn is_wallet_blocked(&self, wallet: &str) -> Result<bool, RevocationStoreError>;
   41|       |}
   42|       |
   43|      7|pub fn normalize_ttl_secs(ttl_secs: i64) -> u64 {
   44|      7|    ttl_secs.max(MIN_TTL_SECS as i64) as u64
   45|      7|}
   46|       |
   47|       |#[cfg(test)]
   48|       |mod tests {
   49|       |    use super::*;
   50|       |
   51|       |    #[test]
   52|      1|    fn normalize_ttl_secs_enforces_minimum() {
   53|      1|        assert_eq!(normalize_ttl_secs(0), MIN_TTL_SECS);
   54|      1|        assert_eq!(normalize_ttl_secs(-5), MIN_TTL_SECS);
   55|      1|        assert_eq!(normalize_ttl_secs(120), 120);
   56|      1|    }
   57|       |}

/home/runner/work/trust-relay/trust-relay/src/store/revocation/memory.rs:
    1|       |//! In-memory revocation store for tests and development without Redis.
    2|       |
    3|       |use std::collections::HashMap;
    4|       |use std::sync::Mutex;
    5|       |use std::time::{Duration, Instant};
    6|       |
    7|       |use async_trait::async_trait;
    8|       |
    9|       |use super::{normalize_ttl_secs, RevocationStore, RevocationStoreError};
   10|       |
   11|       |struct JtiEntry {
   12|       |    expires_at: Instant,
   13|       |}
   14|       |
   15|       |#[derive(Default)]
   16|       |pub struct InMemoryRevocationStore {
   17|       |    jtis: Mutex<HashMap<String, JtiEntry>>,
   18|       |    wallets: Mutex<HashMap<String, Option<Instant>>>,
   19|       |}
   20|       |
   21|       |#[async_trait]
   22|       |impl RevocationStore for InMemoryRevocationStore {
   23|      1|    async fn revoke_jti(&self, jti: &str, ttl_secs: u64) -> Result<(), RevocationStoreError> {
   24|       |        let ttl = normalize_ttl_secs(ttl_secs as i64);
   25|       |        let mut guard = self
   26|       |            .jtis
   27|       |            .lock()
   28|      0|            .map_err(|_| RevocationStoreError::Other("lock poisoned".into()))?;
   29|       |        guard.insert(
   30|       |            jti.to_string(),
   31|       |            JtiEntry {
   32|       |                expires_at: Instant::now() + Duration::from_secs(ttl),
   33|       |            },
   34|       |        );
   35|       |        Ok(())
   36|      1|    }
   37|       |
   38|      2|    async fn is_jti_revoked(&self, jti: &str) -> Result<bool, RevocationStoreError> {
   39|       |        let mut guard = self
   40|       |            .jtis
   41|       |            .lock()
   42|      0|            .map_err(|_| RevocationStoreError::Other("lock poisoned".into()))?;
   43|      2|        guard.retain(|_, entry| entry.expires_at > Instant::now());
   44|       |        Ok(guard.contains_key(jti))
   45|      2|    }
   46|       |
   47|      2|    async fn block_wallet(&self, wallet: &str, ttl_secs: u64) -> Result<(), RevocationStoreError> {
   48|       |        let expires = if ttl_secs == 0 {
   49|       |            None
   50|       |        } else {
   51|       |            Some(Instant::now() + Duration::from_secs(ttl_secs))
   52|       |        };
   53|       |        self.wallets
   54|       |            .lock()
   55|      0|            .map_err(|_| RevocationStoreError::Other("lock poisoned".into()))?
   56|       |            .insert(wallet.to_string(), expires);
   57|       |        Ok(())
   58|      2|    }
   59|       |
   60|      2|    async fn is_wallet_blocked(&self, wallet: &str) -> Result<bool, RevocationStoreError> {
   61|       |        let mut guard = self
   62|       |            .wallets
   63|       |            .lock()
   64|      0|            .map_err(|_| RevocationStoreError::Other("lock poisoned".into()))?;
   65|      2|        guard.retain(|_, expiry| expiry.is_none_or(|t| t > Instant::now()));
                                                                     ^0  ^0
   66|       |        Ok(guard.contains_key(wallet))
   67|      2|    }
   68|       |}
   69|       |
   70|       |#[cfg(test)]
   71|       |mod tests {
   72|       |    use super::*;
   73|       |
   74|       |    #[tokio::test]
   75|      1|    async fn jti_revocation_expires() {
   76|      1|        let store = InMemoryRevocationStore::default();
   77|      1|        store.revoke_jti("jti-1", 1).await.unwrap();
   78|      1|        assert!(store.is_jti_revoked("jti-1").await.unwrap());
   79|      1|        tokio::time::sleep(Duration::from_secs(2)).await;
   80|      1|        assert!(!store.is_jti_revoked("jti-1").await.unwrap());
   81|      1|    }
   82|       |
   83|       |    #[tokio::test]
   84|      1|    async fn wallet_block_without_ttl_persists() {
   85|      1|        let store = InMemoryRevocationStore::default();
   86|      1|        store.block_wallet("0xabc", 0).await.unwrap();
   87|      1|        assert!(store.is_wallet_blocked("0xabc").await.unwrap());
   88|      1|    }
   89|       |}

/home/runner/work/trust-relay/trust-relay/src/store/revocation/redis.rs:
    1|       |//! Redis-backed `jti` denylist and wallet blocklist.
    2|       |
    3|       |use async_trait::async_trait;
    4|       |use redis::AsyncCommands;
    5|       |
    6|       |use super::{normalize_ttl_secs, RevocationStore, RevocationStoreError};
    7|       |
    8|       |const JTI_PREFIX: &str = "revoke:jti:";
    9|       |const WALLET_PREFIX: &str = "blocklist:wallet:";
   10|       |
   11|       |#[derive(Clone)]
   12|       |pub struct RedisRevocationStore {
   13|       |    client: redis::aio::ConnectionManager,
   14|       |}
   15|       |
   16|       |impl RedisRevocationStore {
   17|     25|    pub async fn connect(url: &str) -> Result<Self, redis::RedisError> {
   18|     25|        let client = redis::Client::open(url)?;
                                                           ^0
   19|     25|        let conn = client.get_connection_manager().await?;
                                                                      ^0
   20|     25|        Ok(Self { client: conn })
   21|     25|    }
   22|       |
   23|      4|    fn jti_key(jti: &str) -> String {
   24|      4|        format!("{JTI_PREFIX}{jti}")
   25|      4|    }
   26|       |
   27|     18|    fn wallet_key(wallet: &str) -> String {
   28|     18|        format!("{WALLET_PREFIX}{wallet}")
   29|     18|    }
   30|       |}
   31|       |
   32|       |#[async_trait]
   33|       |impl RevocationStore for RedisRevocationStore {
   34|      2|    async fn revoke_jti(&self, jti: &str, ttl_secs: u64) -> Result<(), RevocationStoreError> {
   35|       |        let ttl = normalize_ttl_secs(ttl_secs as i64);
   36|       |        let key = Self::jti_key(jti);
   37|       |        let mut conn = self.client.clone();
   38|       |        conn.set_ex::<_, _, ()>(key, "1", ttl).await?;
   39|       |        Ok(())
   40|      2|    }
   41|       |
   42|      2|    async fn is_jti_revoked(&self, jti: &str) -> Result<bool, RevocationStoreError> {
   43|       |        let key = Self::jti_key(jti);
   44|       |        let mut conn = self.client.clone();
   45|       |        let exists: bool = conn.exists(key).await?;
   46|       |        Ok(exists)
   47|      2|    }
   48|       |
   49|      2|    async fn block_wallet(&self, wallet: &str, ttl_secs: u64) -> Result<(), RevocationStoreError> {
   50|       |        let key = Self::wallet_key(wallet);
   51|       |        let mut conn = self.client.clone();
   52|       |        if ttl_secs == 0 {
   53|       |            conn.set::<_, _, ()>(key, "1").await?;
   54|       |        } else {
   55|       |            conn.set_ex::<_, _, ()>(key, "1", ttl_secs).await?;
   56|       |        }
   57|       |        Ok(())
   58|      2|    }
   59|       |
   60|     16|    async fn is_wallet_blocked(&self, wallet: &str) -> Result<bool, RevocationStoreError> {
   61|       |        let key = Self::wallet_key(wallet);
   62|       |        let mut conn = self.client.clone();
   63|       |        let exists: bool = conn.exists(key).await?;
   64|       |        Ok(exists)
   65|     16|    }
   66|       |}

/home/runner/work/trust-relay/trust-relay/src/telemetry.rs:
    1|       |//! Tracing subscriber initialization.
    2|       |
    3|       |use crate::config::TelemetryConfig;
    4|       |use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilter};
    5|       |
    6|      4|pub fn init(cfg: &TelemetryConfig) {
    7|      4|    let filter = EnvFilter::try_new(&cfg.filter).unwrap_or_else(|_| EnvFilter::new("info"));
                                                                                  ^1
    8|      4|    let registry = tracing_subscriber::registry().with(filter);
    9|       |
   10|      4|    match cfg.format.as_str() {
   11|      4|        "json" => registry
                                ^1
   12|      1|            .with(tracing_subscriber::fmt::layer().json())
   13|      1|            .init(),
   14|      3|        _ => registry.with(tracing_subscriber::fmt::layer()).init(),
   15|       |    }
   16|      4|}

Run trust-relay and verify session JWTs through trust-auth in CI; issue hyphen-free alphanumeric nonces so EIP-4361 parsers (siwe npm) accept them.

Add trust-auth live E2E test and align SIWE nonce format.

216f1b8

Run trust-relay and verify session JWTs through trust-auth in CI; issue hyphen-free alphanumeric nonces so EIP-4361 parsers (siwe npm) accept them.

aliXsed mentioned this pull request Jun 5, 2026

Add Node.js polyglot E2E (SIWE + JWT/JWKS) #14

Merged

2 tasks

aliXsed merged commit f106151 into main Jun 5, 2026
4 checks passed

aliXsed deleted the feat/trust-auth-m3b branch June 5, 2026 07:21

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

M3b: trust-auth RS verification crate#13

M3b: trust-auth RS verification crate#13
aliXsed merged 2 commits into
mainfrom
feat/trust-auth-m3b

aliXsed commented Jun 5, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Jun 5, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

aliXsed commented Jun 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

What's in trust-auth

Workspace

Test plan

Follow-up

Uh oh!

github-actions Bot commented Jun 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Coverage report

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

aliXsed commented Jun 5, 2026 •

edited

Loading

What's in `trust-auth`

github-actions Bot commented Jun 5, 2026 •

edited

Loading