This repository was archived by the owner on Apr 16, 2026. It is now read-only.

Harden JWT tokens with jti, nbf, iss claims and revocation tracking #6

@haasonsaas


Summary

Session JWTs use only exp for expiry. Missing standard claims make tokens weaker against replay and misuse.

Current state

  • internal/crypto/sessionjwt/manager.go — tokens have session_id, tenant_id, agent_id, run_id, tool_context, workload_hash, exp
  • No jti (JWT ID) — same token can't be individually revoked or tracked
  • No nbf (not before) — no clock skew tolerance
  • No iss (issuer) — can't distinguish tokens from different broker instances
  • No token revocation list — revoking a session doesn't immediately invalidate outstanding tokens

Required work

  • Add jti claim with a unique ID per token
  • Add nbf claim (issued-at minus clock skew tolerance)
  • Add iss claim with the broker's identity
  • Implement a token revocation list in Redis (or in-memory for dev): on session revoke, add the jti to the revocation set
  • Check the revocation list on every token verification
  • Set revocation list entries to auto-expire when the token's exp would have passed (no unbounded growth)

Files

  • internal/crypto/sessionjwt/manager.go — add claims, check revocation
  • internal/store/redis/runtime.go — add revocation set operations
  • internal/app/service.go — on RevokeSession, add token jti to revocation list

Priority

Medium — important for security hardening, not blocking for initial deployment.

🤖 Generated with Claude Code
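A worked example of the required work listed in this issue, added here as an illustration; it is not code from the project or from the issue author. It is a stand-in for the sessionjwt manager that mints HS256 tokens carrying jti, iss, nbf and exp, verifies them against the broker's issuer and a revocation list, and on revoke blocks a token's jti only until that token's own exp. Everything in it is assumed: the names Manager, Claims, RevocationList and MemRevocationList, HS256 over a shared key, the Redis commands named in the comments, and the trimmed claim set (session_id stands in for the full session_id/tenant_id/agent_id/run_id/tool_context/workload_hash set). Standard library only; the clock is injected so the nbf and expiry behaviour can be exercised without waiting.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

type Claims struct { // session_id stands in for the existing fields; jti, iss and nbf are the additions
	SessionID string `json:"session_id"`
	JTI       string `json:"jti"`
	Iss       string `json:"iss"`
	Nbf       int64  `json:"nbf"`
	Exp       int64  `json:"exp"`
}

var ErrBadToken, ErrWrongIssuer = errors.New("malformed token, bad signature or missing jti"), errors.New("wrong issuer")
var ErrNotYetValid, ErrExpired, ErrRevoked = errors.New("not yet valid (nbf)"), errors.New("expired"), errors.New("revoked")

// RevocationList is the seam a Redis-backed store fills (SET <jti> 1 EXAT <until> / EXISTS <jti>; now is unused there).
type RevocationList interface {
	Revoke(jti string, until time.Time)
	IsRevoked(jti string, now time.Time) bool
}

// MemRevocationList is the in-memory dev variant: jti -> instant after which the entry lapses (the token's exp).
type MemRevocationList map[string]time.Time
func (m MemRevocationList) Revoke(jti string, until time.Time) { m[jti] = until }
func (m MemRevocationList) IsRevoked(jti string, now time.Time) bool {
	until, ok := m[jti] // a lapsed entry is ignored; Redis would already have evicted it via EXAT
	return ok && now.Before(until)
}

// Manager stands in for the sessionjwt manager: HS256 over a shared key, clock injected so tests can move time.
type Manager struct {
	Key     []byte
	Issuer  string
	Skew    time.Duration // nbf = issue time - Skew (the clock-skew tolerance)
	TTL     time.Duration // exp = issue time + TTL
	Now     func() time.Time
	Revoked RevocationList
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func (m *Manager) sign(input string) string {
	mac := hmac.New(sha256.New, m.Key)
	mac.Write([]byte(input))
	return b64(mac.Sum(nil))
}

// Mint fills jti (128 random bits), iss, nbf and exp, then signs header.payload.
func (m *Manager) Mint(c Claims) (string, error) {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	now := m.Now()
	c.JTI, c.Iss, c.Nbf, c.Exp = b64(id), m.Issuer, now.Add(-m.Skew).Unix(), now.Add(m.TTL).Unix()
	body, _ := json.Marshal(c)
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(body)
	return input + "." + m.sign(input), nil
}

// Verify recomputes the HMAC itself (the header's alg is never trusted), then checks iss, nbf, exp and revocation.
func (m *Manager) Verify(tok string) (*Claims, error) {
	var c Claims
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(m.sign(p[0]+"."+p[1])), []byte(p[2])) {
		return nil, ErrBadToken
	}
	if raw, err := base64.RawURLEncoding.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil || c.JTI == "" {
		return nil, ErrBadToken
	}
	now := m.Now()
	switch {
	case c.Iss != m.Issuer:
		return nil, ErrWrongIssuer
	case now.Unix() < c.Nbf:
		return nil, ErrNotYetValid
	case now.Unix() >= c.Exp:
		return nil, ErrExpired
	case m.Revoked.IsRevoked(c.JTI, now):
		return nil, ErrRevoked
	}
	return &c, nil
}

// RevokeToken is the per-token step RevokeSession would run; the entry lives only until the token's own exp.
func (m *Manager) RevokeToken(tok string) error {
	c, err := m.Verify(tok)
	if err == nil {
		m.Revoked.Revoke(c.JTI, time.Unix(c.Exp, 0))
	}
	return err // a token that already fails verification needs no entry
}
```

Two ordering choices matter here. The signature is checked before the payload is parsed, so untrusted JSON is never decoded and the header's alg field is never consulted, which closes the alg-confusion path. The exp check runs before the revocation lookup, so once a token is past exp the list entry for its jti is dead weight and can be expired at exactly that instant (Redis EXAT, or the lapse check in the in-memory map); that is what keeps the revocation set bounded by the number of live tokens. nbf is set to issue time minus Skew, as the issue specifies, so a verifier whose clock runs slightly behind the minting broker still accepts a fresh token, while a token presented far ahead of its issue time is refused.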
