test(security): add replay-cache expiry coverage for job token manager

Author: Oxy

src/phase2d.test.ts

@@ -2,6 +2,7 @@ import test from "node:test";
 import assert from "node:assert/strict";
 import { buildControlPlane } from "./control-plane.js";
 import { executeRealTask } from "./node-agent/executor.js";
+import { JobTokenManager } from "./security.js";
 import type { Task } from "./contracts.js";
 
 async function bootstrapNode(app: ReturnType<typeof buildControlPlane>, nodeId: string) {
@@ -175,6 +176,24 @@ test("observability endpoints expose queue depth/latency/success ratio", async (
   await app.close();
 });
 
+test("job token manager prunes replay cache after expiration", async () => {
+  const mgr = new JobTokenManager("test-secret");
+  const token = mgr.issue({ jobId: "job-ttl", exp: Date.now() + 30 });
+
+  const first = mgr.verify(token, { jobId: "job-ttl" });
+  assert.equal(first.ok, true);
+  assert.equal(mgr.replayCacheSize(), 1);
+
+  await new Promise((r) => setTimeout(r, 40));
+
+  // Cache entry should be pruned once expired.
+  assert.equal(mgr.replayCacheSize(), 0);
+
+  const second = mgr.verify(token, { jobId: "job-ttl" });
+  assert.equal(second.ok, false);
+  assert.equal(second.error, "token_expired");
+});
+
 test("failure drills: invalid payload + timeout + crash", async () => {
   const invalid = await executeRealTask({
     schemaVersion: "1.0",

src/security.ts

@@ -18,7 +18,7 @@ function fromB64(data: string) {
 
 export class JobTokenManager {
   private secret: string;
-  private usedJti = new Set<string>();
+  private usedJtiExp = new Map<string, number>();
 
   constructor(secret?: string) {
     this.secret = secret ?? process.env.EDGEMESH_JOB_TOKEN_SECRET ?? "dev-secret";
@@ -51,8 +51,10 @@ export class JobTokenManager {
       return { ok: false as const, error: "token_payload_invalid" };
     }
 
+    this.pruneReplayCache();
+
     if (Date.now() > payload.exp) return { ok: false as const, error: "token_expired" };
-    if (this.usedJti.has(payload.jti)) return { ok: false as const, error: "token_replay" };
+    if (this.usedJtiExp.has(payload.jti)) return { ok: false as const, error: "token_replay" };
     if (payload.jobId !== expected.jobId)
       return { ok: false as const, error: "token_job_mismatch" };
     if (
@@ -63,9 +65,20 @@ export class JobTokenManager {
       return { ok: false as const, error: "token_node_mismatch" };
     }
 
-    this.usedJti.add(payload.jti);
+    this.usedJtiExp.set(payload.jti, payload.exp);
     return { ok: true as const, payload };
   }
+
+  replayCacheSize() {
+    this.pruneReplayCache();
+    return this.usedJtiExp.size;
+  }
+
+  private pruneReplayCache(now = Date.now()) {
+    for (const [jti, exp] of this.usedJtiExp.entries()) {
+      if (exp <= now) this.usedJtiExp.delete(jti);
+    }
+  }
 }
 
 export class NodeTrustManager {