refactor: complete bootstrap of ARNES agent harness framework
- Add complete agent harness structure with 8 roles (leader, triager, architect, implementer, reviewer, security, qa, documenter) - Implement strict workflow with 9 stages and mandatory gates - Add comprehensive verification script and runtime status tracking - Create artifact-based evidence system with contracts and schemas - Add agent policy matrix with permissions and anti-cheat rules - Include test suite (44 tests passing) and CI-ready structure - Add documentation: README, HOWTO, CHECKPOINTS, templates - Configure model routing policies and token-aware task assignment - Add BDD/SDD specification guides and feature templates - Include starter pack for quick project onboarding All verification checks pass. Framework ready for production use.
This commit is contained in:
69
spec/sdd/components/token-service.md
Normal file
69
spec/sdd/components/token-service.md
Normal file
@@ -0,0 +1,69 @@
|
||||
# TokenService Component
|
||||
|
||||
## Purpose
|
||||
Generate, validate, and manage JWT tokens.
|
||||
|
||||
## Public API
|
||||
|
||||
### Methods
|
||||
|
||||
#### create_access_token(user: User) -> str
|
||||
Generate a new JWT access token.
|
||||
|
||||
**Parameters:**
|
||||
- `user`: User object with id, email, role
|
||||
|
||||
**Returns:** JWT token string
|
||||
|
||||
**Token claims:**
|
||||
```json
|
||||
{
|
||||
"sub": user.id,
|
||||
"email": user.email,
|
||||
"role": user.role,
|
||||
"iat": current_timestamp,
|
||||
"exp": current_timestamp + 900, # 15 min
|
||||
"jti": uuid4()
|
||||
}
|
||||
```
|
||||
|
||||
#### create_refresh_token(user: User) -> str
|
||||
Generate a new refresh token.
|
||||
|
||||
**Returns:** JWT refresh token (7 day expiration)
|
||||
|
||||
#### verify_token(token: str) -> TokenPayload
|
||||
Validate and decode a JWT token.
|
||||
|
||||
**Parameters:**
|
||||
- `token`: JWT token string
|
||||
|
||||
**Returns:** TokenPayload with claims
|
||||
|
||||
**Raises:**
|
||||
- `ExpiredSignatureError`: Token expired
|
||||
- `InvalidTokenError`: Token invalid/malformed
|
||||
|
||||
#### revoke_token(token_id: str, user_id: str) -> bool
|
||||
Mark a token as revoked in session store.
|
||||
|
||||
**Parameters:**
|
||||
- `token_id`: JWT jti claim
|
||||
- `user_id`: User ID
|
||||
|
||||
**Returns:** True if revoked
|
||||
|
||||
---
|
||||
|
||||
## Configuration
|
||||
```python
|
||||
ACCESS_TOKEN_EXPIRE = 900 # 15 minutes
|
||||
REFRESH_TOKEN_EXPIRE = 604800 # 7 days
|
||||
ALGORITHM = "HS256" # or RS256 with key pair
|
||||
SECRET_KEY = os.getenv("JWT_SECRET")
|
||||
```
|
||||
|
||||
## Security
|
||||
- Tokens include unique `jti` claim for revocation tracking
|
||||
- Short access token duration minimizes theft window
|
||||
- Refresh tokens stored in Redis for fast revocation
|
||||
Reference in New Issue
Block a user