identity: delegated grant-verification cache with generation invalidation (Phase 3 complete, +9)

cache.sx — a process wrapping the token registry, memoising introspect. Revocation stays real via generation invalidation: any revoke/refresh bumps a generation counter, so every cached positive instantly becomes a miss and re-validates against the live registry. A revoked token never reads valid out of cache, not for a millisecond. stats() exposes hits/misses. New tests/cache.sx. 101/101. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 01:03:57 +00:00
parent dc00ed9786
commit 785faf2441
6 changed files with 151 additions and 6 deletions
--- a/lib/identity/conformance.sh
+++ b/lib/identity/conformance.sh
@@ -35,6 +35,7 @@ SUITES=(
  "oauth|id-oauth-test-pass|id-oauth-test-count"
  "sso|id-sso-test-pass|id-sso-test-count"
  "membership|id-membership-test-pass|id-membership-test-count"
+  "cache|id-cache-test-pass|id-cache-test-count"
 )

 cat > "$TMPFILE" << 'EPOCHS'
@@ -52,6 +53,7 @@ cat > "$TMPFILE" << 'EPOCHS'
 (load "lib/identity/api.sx")
 (load "lib/identity/oauth.sx")
 (load "lib/identity/membership.sx")
+(load "lib/identity/cache.sx")
 (load "lib/identity/tests/session.sx")
 (load "lib/identity/tests/token.sx")
 (load "lib/identity/tests/registry.sx")
@@ -59,6 +61,7 @@ cat > "$TMPFILE" << 'EPOCHS'
 (load "lib/identity/tests/oauth.sx")
 (load "lib/identity/tests/sso.sx")
 (load "lib/identity/tests/membership.sx")
+(load "lib/identity/tests/cache.sx")
 (epoch 100)
 (eval "(list id-session-test-pass id-session-test-count)")
 (epoch 101)
@@ -73,6 +76,8 @@ cat > "$TMPFILE" << 'EPOCHS'
 (eval "(list id-sso-test-pass id-sso-test-count)")
 (epoch 106)
 (eval "(list id-membership-test-pass id-membership-test-count)")
+(epoch 107)
+(eval "(list id-cache-test-pass id-cache-test-count)")
 EPOCHS

 timeout 600 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1