
Commit 47edb0b

Merge pull request #23 from litentry/fix/issue-10
fix(docs): #10 rename JWT terminology — phase 1 (3 wiki files)
2 parents 744bb2c + 1e30804 commit 47edb0b

8 files changed

Lines changed: 67 additions & 58 deletions


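--- a/crates/agentkeys-mock-server/src/handlers/auth_request.rs
+++ b/crates/agentkeys-mock-server/src/handlers/auth_request.rs
@@ -321,7 +321,7 @@ pub async fn approve_auth_request(
 let (child_session_json, child_wallet) = if request_type == "Pair" {
 let child_wallet = crate::auth::generate_wallet_address();
 let child_token = generate_token();
-let ttl = 3600u64;
+let ttl: u64 = 2_592_000; // 30 days per wiki/session-token.md policy
 
 // Parse scope from request_details (canonical CBOR contains it)
 // For mock: create a session with no scope restriction (full access to child wallet)
@@ -381,7 +381,7 @@ pub async fn approve_auth_request(
 
 if let Some(wallet) = recovered_wallet {
 let child_token = generate_token();
-let ttl = 3600u64;
+let ttl: u64 = 2_592_000; // 30 days per wiki/session-token.md policy
 
 // Preserve scope from the most recent session for this wallet
 let scope_json: Option<String> = db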
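Review bot: Both replaced `ttl` lines (new 324 and new 384) hard-code `2_592_000` while session.rs in this same commit introduces `DEFAULT_SESSION_TTL_SECONDS` for the identical value, and test_client.rs repeats the literal at its three `ttl_seconds:` sites and in `unwrap_or(2_592_000)`; one `pub(crate)` constant referenced from all three files would keep the policy in a single place, e.g. `let ttl: u64 = DEFAULT_SESSION_TTL_SECONDS;` with the constant made `pub(crate)` and imported from the session handler module (exact path assumed from the file layout). This matters beyond style: these two sites mint child/agent tokens, and the edit raises their validity from one hour to 30 days for a credential the spec table in this commit says lives on the sandbox filesystem, and the session.rs doc comment itself anticipates shortening agent TTLs later, which is only practical if there is one definition to change. `approve_auth_request` starts before and continues past both hunks.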

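--- a/crates/agentkeys-mock-server/src/handlers/session.rs
+++ b/crates/agentkeys-mock-server/src/handlers/session.rs
@@ -15,6 +15,15 @@ use crate::{
 use agentkeys_types::{AuthToken, Scope};
 use ed25519_dalek::SigningKey;
 
+/// Session token TTL in seconds — 30 days.
+///
+/// Canonical AgentKeys policy per `wiki/session-token.md`: the bearer token
+/// (master CLI or agent daemon) is a **30-day credential**. Agent/child
+/// sessions share the same TTL as master for v0. Shorter TTLs for agent
+/// sessions may be introduced later as a defense-in-depth tweak, but they
+/// MUST align with the policy doc before being applied here.
+const DEFAULT_SESSION_TTL_SECONDS: u64 = 30 * 24 * 60 * 60;
+
 #[derive(Deserialize)]
 pub struct CreateSessionRequest {
 pub auth_token: String,
@@ -57,7 +66,7 @@ pub async fn create_session(
 db.execute(
 "INSERT INTO sessions (token, wallet_address, parent_token, scope_json, created_at, ttl_seconds, revoked)
 VALUES (?1, ?2, NULL, NULL, ?3, ?4, 0)",
-params![session_token, wallet_address, now, 86400u64],
+params![session_token, wallet_address, now, DEFAULT_SESSION_TTL_SECONDS],
 )
 .map_err(|e| AppError::internal(e.to_string()))?;
 return Ok(Json(CreateSessionResponse { session: session_token, wallet: wallet_address }));
@@ -81,7 +90,7 @@ pub async fn create_session(
 db.execute(
 "INSERT INTO sessions (token, wallet_address, parent_token, scope_json, created_at, ttl_seconds, revoked)
 VALUES (?1, ?2, NULL, NULL, ?3, ?4, 0)",
-params![session_token, wallet_address, now, 86400u64],
+params![session_token, wallet_address, now, DEFAULT_SESSION_TTL_SECONDS],
 )
 .map_err(|e| AppError::internal(e.to_string()))?;
 
@@ -144,7 +153,7 @@ pub async fn create_child_session(
 db.execute(
 "INSERT INTO sessions (token, wallet_address, parent_token, scope_json, created_at, ttl_seconds, revoked)
 VALUES (?1, ?2, ?3, ?4, ?5, ?6, 0)",
-params![child_token, child_wallet, parent.token, scope_json, now, 3600u64],
+params![child_token, child_wallet, parent.token, scope_json, now, DEFAULT_SESSION_TTL_SECONDS],
 )
 .map_err(|e| AppError::internal(e.to_string()))?;
 
@@ -242,7 +251,7 @@ pub async fn recover_session(
 db.execute(
 "INSERT INTO sessions (token, wallet_address, parent_token, scope_json, created_at, ttl_seconds, revoked)
 VALUES (?1, ?2, NULL, ?3, ?4, ?5, 0)",
-params![session_token, wallet_address, scope_json, now, 86400u64],
+params![session_token, wallet_address, scope_json, now, DEFAULT_SESSION_TTL_SECONDS],
 )
 .map_err(|e| AppError::internal(e.to_string()))?;
 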
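Review bot: In the `create_child_session` hunk the child row is inserted with a fresh `DEFAULT_SESSION_TTL_SECONDS` that is independent of the parent's remaining lifetime, so a child minted near the end of a parent's 30-day window can outlive the parent unless expiry is re-checked through `parent_token` somewhere not visible here. If the parent row's `created_at`/`ttl_seconds` columns are available on `parent`, capping the child TTL at the parent's remaining seconds before the insert would keep the parent's expiry authoritative; if child sessions are intentionally unbounded by the parent, a sentence on the constant's doc comment saying so (e.g. `/// Child sessions get the full TTL regardless of the parent's remaining lifetime.`) would document that choice. `create_child_session` starts before and continues past the hunk.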

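--- a/crates/agentkeys-mock-server/src/test_client.rs
+++ b/crates/agentkeys-mock-server/src/test_client.rs
@@ -168,7 +168,7 @@ impl CredentialBackend for InProcessBackend {
 wallet: wallet.clone(),
 scope: None,
 created_at: 0,
-ttl_seconds: 86400,
+ttl_seconds: 2_592_000, // 30 days per wiki/session-token.md policy
 };
 Ok((session, wallet))
 }
@@ -197,7 +197,7 @@ impl CredentialBackend for InProcessBackend {
 wallet: wallet.clone(),
 scope: Some(scope),
 created_at: 0,
-ttl_seconds: 3600,
+ttl_seconds: 2_592_000, // 30 days per wiki/session-token.md policy
 };
 Ok((session, wallet))
 }
@@ -585,7 +585,7 @@ impl CredentialBackend for InProcessBackend {
 let session = body["session"].as_object().map(|_| {
 let token = body["session"]["token"].as_str().unwrap_or("").to_string();
 let wallet = body["session"]["wallet"].as_str().unwrap_or("").to_string();
-let ttl = body["session"]["ttl_seconds"].as_u64().unwrap_or(3600);
+let ttl = body["session"]["ttl_seconds"].as_u64().unwrap_or(2_592_000);
 let created = body["session"]["created_at"].as_u64().unwrap_or(0);
 Session {
 token,
@@ -650,7 +650,7 @@ impl CredentialBackend for InProcessBackend {
 wallet: wallet.clone(),
 scope: None,
 created_at: 0,
-ttl_seconds: 86400,
+ttl_seconds: 2_592_000, // 30 days per wiki/session-token.md policy
 };
 Ok((session, wallet))
 }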

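--- a/docs/spec/1-step-analysis.md
+++ b/docs/spec/1-step-analysis.md
@@ -121,7 +121,7 @@ AgentKeys' answer is structurally different from 1Password: **we don't hand user
 
 | Tier | Lifetime | Storage (original spec) | Storage (corrected, JWT model) | Usage |
 | --------------------- | ---------------------------------------------------------------- | ------------------------------------------------- | ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- |
-| **Master auth token** | Short (15 min – 24 h, configurable via `AuthOptions.expires_at`) | OS keychain | Plain file or env var (JWT string, not a private key) | Management commands: `agentkeys init`, `store`, `usage`, `teardown`, `approve`. Never used by running agents. |
+| **Master auth token** | 30 days (canonical AgentKeys policy per `wiki/session-token.md`; `AuthOptions.expires_at` can shorten per-session) | OS keychain | Plain file or env var (JWT string, not a private key) | Management commands: `agentkeys init`, `store`, `usage`, `teardown`, `approve`. Never used by running agents. |
 | **Agent auth token** | Long (hours to days) | Sandbox filesystem (`~/.agentkeys/session`, 0600) | Same (JWT string in file, 0600) | MCP Credential Server authentication. Scoped to specific credentials for a specific agent. |
 
 
@@ -781,10 +781,10 @@ This section explicitly reconciles any points where earlier rounds of this sub-i
 | **Canonical account name (Round 6)** | **x402 wallet address (EVM), minted in Heima TEE on account creation. Same primary key for master and each child.** |
 | **Billing model (Round 6)** | **Each account's wallet holds its own USDC. Master funds children. Empty wallet = agent stops. No on-chain spend-limit code needed — the balance IS the limit.** |
 | Master session storage | OS keychain (Keychain Services / Credential Manager / libsecret), biometric-gated |
-| Master session TTL | Short (15 min - 24 h idle, 1P/Enpass style) |
+| Master session TTL | 30 days (canonical AgentKeys policy per `wiki/session-token.md`) |
 | **Agent session storage** | **On stock sandbox: `/home/gem/.agentkeys/session`** (mode 0600, owner gem) + memfd_secret runtime pages + seccomp-bpf process restrictions + daemon with Unix socket (ssh-agent model). **On cloud LLM or custom sandbox: `$HOME/.agentkeys/session`** with the same hardening stack. *(Original Round 6 design specified `/var/lib/agentkeys/session` with dedicated UID + LSM + Landlock — see §3.3a for historical reference, §3.3c for what ships.)* |
 | **Storage stack order (Round 6)** | **S1 (this Round 6 hardening) → S2 (rolling ratchet) → S3 (provider attestation). S4 and S5 rejected.** |
-| Agent session TTL | Long (4 h default, up to 24 h for v0) |
+| Agent session TTL | 30 days (same policy as master CLI per `wiki/session-token.md`; may be shortened in a future defense-in-depth tweak) |
 | Scope | Each agent session bound to its specific service credentials only |
 | Revocation | Instant via master CLI (`agentkeys revoke 0x...`) |
 | Recovery | New sandbox runs `agentkeys pair` → master runs `agentkeys approve <pair-code>` (mints new session for same wallet address). *(Original design used `agentkeys attach agent-A` with direct HTTP push — superseded by rendezvous model.)* |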
