feat: token handling

Author: evansims

AGENTS.md

@@ -244,7 +244,7 @@ impl TlsConfig {
 
 ## Code Quality
 
-**Linting:** `cargo +1.92 clippy --all-targets -- -D warnings`
+**Linting:** `cargo +1.92 clippy --workspace --all-targets -- -D warnings`
 
 **Formatting:** `cargo +nightly fmt` (nightly required)
 

Cargo.toml

@@ -53,7 +53,7 @@ aes-gcm = "0.10"
 aes-kw = "0.2"
 zeroize = { version = "1", features = ["derive"] }
 bcrypt = "0.17"
-ed25519-dalek = { version = "2", features = ["pkcs8", "pem", "rand_core"] }
+ed25519-dalek = { version = "2", features = ["pkcs8", "pem", "rand_core", "zeroize"] }
 # JWT: rust_crypto backend provides CryptoProvider auto-registration; ed25519-dalek for EdDSA
 jsonwebtoken = { version = "10", features = ["rust_crypto"] }
 

DESIGN.md

@@ -792,12 +792,12 @@ Each refresh token belongs to a **family** (random 16-byte ID assigned at initia
 
 Entity lifecycle changes trigger cascade token revocation through the Raft state machine:
 
-| Event                        | Revocation Scope                      | Mechanism                                           |
-| ---------------------------- | ------------------------------------- | --------------------------------------------------- |
-| App disabled                 | All tokens for app (all vaults)       | `RevokeAllSubjectTokens(App(slug))`                 |
-| App-vault connection removed | Tokens for app+vault pair             | `RevokeAppVaultTokens(app, vault)`                  |
-| Organization deleted         | All signing keys + all refresh tokens | `delete_org_signing_keys` + subject index scan      |
-| Password change              | All user sessions                     | `RevokeAllUserSessions` (increments `TokenVersion`) |
+| Event                        | Revocation Scope                      | Mechanism                                                  |
+| ---------------------------- | ------------------------------------- | ---------------------------------------------------------- |
+| App disabled                 | All tokens for app (all vaults)       | Inline cascade in `SetAppEnabled` apply handler            |
+| App-vault connection removed | Tokens for app+vault pair             | Inline cascade in `RemoveAppVault` apply handler           |
+| Organization deleted         | All signing keys + all refresh tokens | `delete_org_signing_keys` + subject index scan             |
+| Password change              | All user sessions                     | `RevokeAllUserSessions` (increments `TokenVersion`)        |
 
 **TokenVersion for immediate user invalidation**: Each user has an atomic `TokenVersion` counter. `RevokeAllUserSessions` increments it. `ValidateToken` compares the token's `version` claim against current state — stale versions are rejected without waiting for token expiry.
 

MANIFEST.md

@@ -36,8 +36,8 @@ use inferadb_ledger_types::{
     events::{EventAction, EventEmission, EventEntry, EventOutcome, EventScope},
     merkle::MerkleProof as InternalMerkleProof,
     token::{
-        TokenPair as DomainTokenPair, TokenType, UserSessionClaims as DomainUserSessionClaims,
-        ValidatedToken, VaultTokenClaims as DomainVaultTokenClaims,
+        TokenType, UserSessionClaims as DomainUserSessionClaims, ValidatedToken,
+        VaultTokenClaims as DomainVaultTokenClaims,
     },
 };
 use openraft::Vote;
@@ -971,25 +971,6 @@ pub fn user_role_from_i32(value: i32) -> Result<inferadb_ledger_types::UserRole,
     inferadb_ledger_types::UserRole::try_from(proto_role)
 }
 
-// =============================================================================
-// TokenPair conversions (domain::TokenPair <-> proto::TokenPair)
-// =============================================================================
-
-/// Converts a domain [`TokenPair`](DomainTokenPair) to its protobuf representation.
-///
-/// The domain `token_type` field is intentionally dropped — the proto response
-/// context already implies the token type (user session vs vault access).
-impl From<DomainTokenPair> for proto::TokenPair {
-    fn from(pair: DomainTokenPair) -> Self {
-        proto::TokenPair {
-            access_token: pair.access_token,
-            refresh_token: pair.refresh_token,
-            access_expires_at: Some(datetime_to_proto_timestamp(&pair.access_expires_at)),
-            refresh_expires_at: Some(datetime_to_proto_timestamp(&pair.refresh_expires_at)),
-        }
-    }
-}
-
 // =============================================================================
 // ValidatedToken conversions (domain::ValidatedToken -> proto::ValidateTokenResponse)
 // =============================================================================
@@ -2473,31 +2454,6 @@ mod tests {
         assert_eq!(result.expect("unspecified should map to User"), UserRole::User);
     }
 
-    // -------------------------------------------------------------------------
-    // TokenPair conversion tests
-    // -------------------------------------------------------------------------
-
-    #[test]
-    fn token_pair_domain_to_proto() {
-        use inferadb_ledger_types::token::{TokenPair as DomainTP, TokenType};
-
-        let dt = DateTime::from_timestamp(1700000000, 500_000_000).unwrap();
-        let pair = DomainTP {
-            access_token: "access.jwt".to_string(),
-            refresh_token: "ilrt_refresh".to_string(),
-            access_expires_at: dt,
-            refresh_expires_at: dt,
-            token_type: TokenType::UserSession,
-        };
-
-        let proto_pair: proto::TokenPair = pair.into();
-        assert_eq!(proto_pair.access_token, "access.jwt");
-        assert_eq!(proto_pair.refresh_token, "ilrt_refresh");
-        let ts = proto_pair.access_expires_at.unwrap();
-        assert_eq!(ts.seconds, 1700000000);
-        assert_eq!(ts.nanos, 500_000_000);
-    }
-
     // -------------------------------------------------------------------------
     // ValidatedToken conversion tests
     // -------------------------------------------------------------------------
@@ -2699,28 +2655,4 @@ mod tests {
         assert!(validate_signing_key_status("").is_err());
         assert!(validate_signing_key_status("Active").is_err()); // case-sensitive
     }
-
-    // -------------------------------------------------------------------------
-    // TokenPair roundtrip test
-    // -------------------------------------------------------------------------
-
-    #[test]
-    fn token_pair_roundtrip_timestamps_preserved() {
-        use inferadb_ledger_types::token::{TokenPair as DomainTP, TokenType};
-
-        let access_dt = DateTime::from_timestamp(1700001800, 0).unwrap();
-        let refresh_dt = DateTime::from_timestamp(1700086200, 0).unwrap();
-
-        let pair = DomainTP {
-            access_token: "a".to_string(),
-            refresh_token: "r".to_string(),
-            access_expires_at: access_dt,
-            refresh_expires_at: refresh_dt,
-            token_type: TokenType::UserSession,
-        };
-
-        let proto_pair: proto::TokenPair = pair.into();
-        assert_eq!(proto_pair.access_expires_at.unwrap().seconds, 1700001800);
-        assert_eq!(proto_pair.refresh_expires_at.unwrap().seconds, 1700086200);
-    }
 }

crates/proto/src/convert.rs

@@ -17,8 +17,8 @@ use inferadb_ledger_state::{
 };
 use inferadb_ledger_store::StorageBackend;
 use inferadb_ledger_types::{
-    AppId, AppSlug, Hash, LedgerErrorCode, Operation, OrganizationId, TeamId, TeamSlug,
-    TokenSubject, TokenType, VaultEntry, VaultId, compute_tx_merkle_root, decode, encode,
+    AppId, AppSlug, Hash, LedgerErrorCode, Operation, OrganizationId, SetCondition, TeamId,
+    TeamSlug, TokenSubject, TokenType, VaultEntry, VaultId, compute_tx_merkle_root, decode, encode,
     events::{EventAction, EventEntry, EventOutcome},
 };
 
@@ -58,33 +58,55 @@ fn try_encode<T: serde::Serialize>(value: &T, context: &str) -> Option<Vec<u8>>
 /// the record on its next poll cycle.
 ///
 /// This is a synchronous write through the state layer (not Raft) because
-/// the apply handler is already inside a Raft commit.
+/// the apply handler is already inside a Raft commit. The saga ID is derived
+/// deterministically from the scope to ensure all replicas produce identical
+/// state when applying the same log entry.
 fn write_signing_key_saga<B: StorageBackend>(
     state_layer: &Arc<StateLayer<B>>,
     scope: SigningKeyScope,
 ) {
-    let saga_id = uuid::Uuid::new_v4().to_string();
+    let saga_id = match &scope {
+        SigningKeyScope::Global => "create-signing-key-global".to_owned(),
+        SigningKeyScope::Organization(org_id) => {
+            format!("create-signing-key-org-{}", org_id.value())
+        },
+    };
     let saga = CreateSigningKeySaga::new(saga_id.clone(), CreateSigningKeyInput { scope });
     let wrapped = Saga::CreateSigningKey(saga);
 
     let key = format!("saga:{saga_id}");
     match serde_json::to_vec(&wrapped) {
         Ok(value) => {
-            let op =
-                Operation::SetEntity { key: key.clone(), value, condition: None, expires_at: None };
-            if let Err(e) = state_layer.apply_operations(SYSTEM_VAULT_ID, &[op], 0) {
-                tracing::error!(
-                    saga_id = %saga_id,
-                    scope = ?scope,
-                    error = %e,
-                    "Failed to write CreateSigningKeySaga record"
-                );
-            } else {
-                tracing::info!(
-                    saga_id = %saga_id,
-                    scope = ?scope,
-                    "Wrote CreateSigningKeySaga from apply handler"
-                );
+            let op = Operation::SetEntity {
+                key: key.clone(),
+                value,
+                condition: Some(SetCondition::MustNotExist),
+                expires_at: None,
+            };
+            match state_layer.apply_operations(SYSTEM_VAULT_ID, &[op], 0) {
+                Ok(_) => {
+                    tracing::info!(
+                        saga_id = %saga_id,
+                        scope = ?scope,
+                        "Wrote CreateSigningKeySaga from apply handler"
+                    );
+                },
+                Err(StateError::PreconditionFailed { .. }) => {
+                    // Expected on log replay — saga already exists from prior apply.
+                    tracing::info!(
+                        saga_id = %saga_id,
+                        scope = ?scope,
+                        "CreateSigningKeySaga already exists (idempotent replay)"
+                    );
+                },
+                Err(e) => {
+                    tracing::error!(
+                        saga_id = %saga_id,
+                        scope = ?scope,
+                        error = %e,
+                        "Failed to write CreateSigningKeySaga record"
+                    );
+                },
             }
         },
         Err(e) => {
@@ -4138,41 +4160,6 @@ impl<B: StorageBackend> RaftLogStore<B> {
                 }
             },
 
-            LedgerRequest::RevokeAllSubjectTokens { subject } => {
-                let Some(state_layer) = &self.state_layer else {
-                    return error_result(LedgerErrorCode::Internal, "State layer not available");
-                };
-                let sys = SystemOrganizationService::new(state_layer.clone());
-
-                match sys.revoke_all_subject_tokens(subject, block_timestamp) {
-                    Ok(result) => {
-                        (LedgerResponse::SubjectTokensRevoked { count: result.revoked_count }, None)
-                    },
-                    Err(e) => error_result(
-                        LedgerErrorCode::Internal,
-                        format!("Failed to revoke subject tokens: {e}"),
-                    ),
-                }
-            },
-
-            LedgerRequest::RevokeAppVaultTokens { app, vault } => {
-                let Some(state_layer) = &self.state_layer else {
-                    return error_result(LedgerErrorCode::Internal, "State layer not available");
-                };
-                let sys = SystemOrganizationService::new(state_layer.clone());
-
-                match sys.revoke_app_vault_tokens(*app, *vault, block_timestamp) {
-                    Ok(result) => (
-                        LedgerResponse::AppVaultTokensRevoked { count: result.revoked_count },
-                        None,
-                    ),
-                    Err(e) => error_result(
-                        LedgerErrorCode::Internal,
-                        format!("Failed to revoke app vault tokens: {e}"),
-                    ),
-                }
-            },
-
             LedgerRequest::RevokeAllUserSessions { user } => {
                 let Some(state_layer) = &self.state_layer else {
                     return error_result(LedgerErrorCode::Internal, "State layer not available");

crates/raft/src/log_storage/operations.rs

@@ -1247,6 +1247,19 @@ impl<B: StorageBackend + 'static> SagaOrchestrator<B> {
         &self,
         saga: &mut CreateSigningKeySaga,
     ) -> Result<(), SagaError> {
+        // Check timeout before each step (30s — signing key creation is fast)
+        let timeout = Duration::from_secs(30);
+        if saga.is_timed_out(timeout) {
+            warn!(
+                saga_id = %saga.id,
+                scope = ?saga.input.scope,
+                elapsed_secs = (chrono::Utc::now() - saga.created_at).num_seconds(),
+                "CreateSigningKey saga timed out"
+            );
+            saga.transition(CreateSigningKeySagaState::TimedOut);
+            return Ok(());
+        }
+
         match saga.state.clone() {
             CreateSigningKeySagaState::Pending => {
                 // Idempotency: check if an active key already exists for this scope

crates/raft/src/saga_orchestrator.rs

@@ -65,22 +65,6 @@ pub struct TokenMaintenanceJob<B: StorageBackend + 'static> {
 }
 
 impl<B: StorageBackend + 'static> TokenMaintenanceJob<B> {
-    /// Creates a maintenance job from a config interval in seconds.
-    pub fn from_interval_secs(
-        raft: Arc<Raft<LedgerTypeConfig>>,
-        node_id: LedgerNodeId,
-        state: Arc<StateLayer<B>>,
-        interval_secs: u64,
-    ) -> Self {
-        Self {
-            raft,
-            node_id,
-            state,
-            interval: Duration::from_secs(interval_secs),
-            watchdog_handle: None,
-        }
-    }
-
     /// Checks if this node is the current leader.
     fn is_leader(&self) -> bool {
         let metrics = self.raft.metrics().borrow().clone();
@@ -103,6 +87,7 @@ impl<B: StorageBackend + 'static> TokenMaintenanceJob<B> {
         debug!(trace_id = %trace_ctx.trace_id, "Starting token maintenance cycle");
 
         let mut result = MaintenanceResult::default();
+        let mut had_errors = false;
 
         // Phase 1: Delete expired refresh tokens (the apply handler does the actual work)
         match self
@@ -125,6 +110,7 @@ impl<B: StorageBackend + 'static> TokenMaintenanceJob<B> {
                 }
             },
             Err(e) => {
+                had_errors = true;
                 warn!(
                     trace_id = %trace_ctx.trace_id,
                     error = %e,
@@ -155,6 +141,7 @@ impl<B: StorageBackend + 'static> TokenMaintenanceJob<B> {
                             );
                         },
                         Err(e) => {
+                            had_errors = true;
                             warn!(
                                 trace_id = %trace_ctx.trace_id,
                                 kid = %kid,
@@ -166,6 +153,7 @@ impl<B: StorageBackend + 'static> TokenMaintenanceJob<B> {
                 }
             },
             Err(e) => {
+                had_errors = true;
                 warn!(
                     trace_id = %trace_ctx.trace_id,
                     error = %e,
@@ -176,7 +164,8 @@ impl<B: StorageBackend + 'static> TokenMaintenanceJob<B> {
 
         let duration = cycle_start.elapsed().as_secs_f64();
         record_background_job_duration("token_maintenance", duration);
-        record_background_job_run("token_maintenance", "success");
+        let status = if had_errors { "failure" } else { "success" };
+        record_background_job_run("token_maintenance", status);
         record_background_job_items(
             "token_maintenance",
             result.expired_tokens_deleted + result.signing_keys_revoked,