6 Commits

Author	SHA1	Message	Date
giles	baee67f561	identity: refresh-token rotation + cascading revocation (token.sx grant-centric, +9 tests) ... The grant {Subject,Client,Scope,Status} becomes the unit of authorization and cascade; access + refresh tokens reference it. issue_grant returns an access+refresh pair; refresh (RFC 6749 §6) supersedes the presented refresh token and mints a fresh pair; reusing a superseded refresh token is treated as theft (RFC 6819 §5.2.2.3) and revokes the whole family, killing the live descendant. revoke of any token cascades to the grant. All prior token behaviour preserved. token 18/18, 62/62. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 00:26:05 +00:00
giles	27f43dbf10	identity: OAuth2 authorization-code flow as message protocol + PKCE (14 tests) ... oauth.sx — RFC 6749 §4.1 as a state machine on one authz-server process: authorize → {consent_required} → consent(allow|deny) → {code} → exchange → {ok, Token}. Exchange enforces single-use codes (§10.5, replay → invalid_grant), client_id + redirect_uri binding (§4.1.3), and PKCE (RFC 7636 plain) verifier match. Issued tokens are grant-backed via token.sx so revocation stays real. 53/53. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 00:11:18 +00:00
giles	064bbf18b3	identity: service facade api.sx — login/verify/revoke/logout (10 tests, Phase 1 complete) ... identity:start() spawns one coordinator owning the token table + session registry and exposes the whole-domain ops. The coordinator is the owner sessions notify on idle timeout, so an expired session deregisters itself — timeout-driven, never swept. verify/2 answers identity only ({active, Subject, Client, Scope}); permission is delegated to acl. 39/39. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 00:00:05 +00:00
giles	938e90455d	identity: session registry — route by id and (subject, client) + SSO fan-out (9 tests) ... Directory process holding (SessionId, Subject, Client, Pid) rows. Answers the SSO probe lookup(Subject, Client) and the fan-out sessions_for(Subject) (one subject, many clients). Routes only — no grant state, decides nothing. Integration-tested: register a live session, route to it, confirm active. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-06 23:55:34 +00:00
giles	ac63501266	identity: opaque grant-backed tokens — issue/introspect/revoke (9 tests) ... Token table is a process; the token is an opaque make_ref carrying no information. introspect() is a live table lookup every time, so revocation is real (RFC 7009 §2): a revoked token reads {inactive} on the next introspection with no validity window. Reply shapes follow RFC 7662 §2.2 ({active, Subject, Client, Scope} / {inactive}). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-06 23:48:30 +00:00
giles	1c6b80404e	identity: session-as-process — create/lookup/expire/revoke + idle timeout (11 tests) ... Session is an Erlang process holding {subject, client, status}. lookup/ touch/expire/revoke are messages; expiry is the process's own `receive ... after Ttl` timeout (RFC-agnostic; no global sweep), which notifies the owner and tombstones. Tombstoned sessions answer lookups with an explicit {error, expired|revoked}, never a silent dead mailbox. Adds the conformance harness + scoreboard. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-06 23:45:50 +00:00