Persistence round-trip: rowToToken drops 8 optional token fields (follow-up to #168)

[pshkv]

Context

Follow-up from #168 (canonical signing payload fix) — the canonicalization fix alone is insufficient for full JSONB round-trip safety. packages/persistence/src/pg-token-store.ts rowToToken currently drops eight optional token fields on read, which means any token issued with those fields set will still fail signature validation after a Postgres round-trip even after #168 merges.

Fields dropped by rowToToken

• modelConstraints
• attestationRequirements
• verifiableComputeRequirements
• executionEnvelope
• revocationEndpoint
• behavioralConstraints
• passportId
• delegationDepth

Why it matters

The signing payload computed post-read will not match the signing payload computed pre-write when any of these fields were populated. The user flow: issue a token with behavioralConstraints, persist, re-read, try to verify → INVALID_SIGNATURE. This is the same failure class #168 solves for nested-key ordering, but at the field-presence level.

Scope

1. Update rowToToken in packages/persistence/src/pg-token-store.ts to preserve all eight optional fields on read
2. Add a persistence round-trip regression test that issues, persists, reads, and re-verifies a token with every optional field populated
3. Schema migration check — confirm the DB schema actually has columns for all eight fields; if not, add them in a migration

Blocks

• Closing Token roundtrip: POST /v1/tokens issues a token whose signature /v1/intercept rejects (INVALID_SIGNATURE) #166 on a partial fix — fix(capability-tokens): canonical signing payload survives JSONB round-trip #168 alone is not sufficient

References

• fix(capability-tokens): canonical signing payload survives JSONB round-trip #168 (upstream fix for canonical JSON serialization)
• Token roundtrip: POST /v1/tokens issues a token whose signature /v1/intercept rejects (INVALID_SIGNATURE) #166 (original INVALID_SIGNATURE issue after persistence round-trip)

[pshkv]

Picked this up as part of the same local hardening pass.

The working-tree patch now preserves the full signed token shape through Postgres store/load, including the optional fields that were being dropped on round-trip (modelConstraints, attestationRequirements, verifiableComputeRequirements, executionEnvelope, revocationEndpoint, behavioralConstraints, passportId, delegationDepth). I also added targeted persistence tests around store/read reconstruction.

Still local at the moment, so the repo state is not fixed until I push the patch and run it through CI. But this issue is now tied to a concrete implementation path rather than just a known gap.

[pshkv]

Update (2026-05-12): addressed in PR #183 (fix(core): harden token canonicalization + persistence round-trip).\n\nPatch scope for this issue:\n- now persists and reconstructs the full signed token shape, including optional fields\n- schema/bootstrap + migration updated for optional token columns\n- targeted tests added for round-trip reconstruction\n\nPending final closeout after PR #183 is green and merged.

[pshkv]

Correction/clarification: the implementation in PR #183 explicitly updates PgTokenStore persistence + reconstruction behavior and adds pg-token-store tests for full optional-field round-trip coverage. This supersedes any formatting artifacts from my previous comment.

[pshkv]

Closed by #183. PgTokenStore now persists and reconstructs the full signed token shape, including the optional fields that were previously dropped, with targeted round-trip coverage.