Implement the D22 tenant-aware signing SPI and secure `kid` resolver shape from PR #23.
Scope:
- Implement `SigningContext` parameter set: `AdcpUse use()`, nullable tenant identity, nullable principal reference.
- Ship `SigningProvider` without any `SigningProvider.forUse(AdcpUse)` short form.
- Implement inbound verification through `VerificationKeyResolver`: start from inbound `kid`, resolve key/tenant/principal, then verify signature and JWK `adcp_use`.
- Treat `kid` as an opaque lookup key into a pre-provisioned key set.
- Never dereference attacker-controlled URLs from an inbound signed object.
- Any resolver HTTP fetch for JWKS/key refresh must use the strict SSRF-safe HTTP client.
- If verification returns no tenant/principal, receivers must treat the request as untenanted and reject tenant-scoped operations; no fallback to unsigned body/header/query tenant.
- Add v0.2 release note warning `SigningContext.tenant()` may be null until v0.3 tenant resolver wiring lands.
References:
- `ROADMAP.md` D22 / Track 4
- `specs/signing-context.md`
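A sketch of the inbound flow in the scope list, added here as an illustration and not taken from PR #23 or the project's code. It assumes Java 16+ with Ed25519 keys; `KidResolverSketch`, `ProvisionedKey`, `Verified`, `requireTenant`, the `AdcpUse` enum values and the sample kids are hypothetical names, not the real SPI.

```java
import java.security.*;
import java.util.*;

// Added illustration: every type and method name here is hypothetical, not the project's SPI.
public class KidResolverSketch {
    enum AdcpUse { REQUEST_SIGNING, WEBHOOK_SIGNING }   // constructed values

    // One pre-provisioned entry: key plus the identity bound to it (tenant/principal may be null).
    record ProvisionedKey(PublicKey key, AdcpUse adcpUse, String tenant, String principal) {}
    record Verified(String tenant, String principal) {}

    private final Map<String, ProvisionedKey> keySet;   // keyed by opaque kid
    KidResolverSketch(Map<String, ProvisionedKey> keySet) { this.keySet = Map.copyOf(keySet); }

    // kid is only ever a map key: a URL-shaped kid is just an unknown kid, nothing is fetched.
    Optional<Verified> verify(String kid, AdcpUse expectedUse, byte[] payload, byte[] sig)
            throws GeneralSecurityException {
        ProvisionedKey entry = keySet.get(kid);
        if (entry == null || entry.adcpUse() != expectedUse) return Optional.empty();
        Signature v = Signature.getInstance("Ed25519");
        v.initVerify(entry.key());
        v.update(payload);
        return v.verify(sig) ? Optional.of(new Verified(entry.tenant(), entry.principal())) : Optional.empty();
    }

    // Tenant comes only from the verified key binding, never from the unsigned body, headers or query.
    static void requireTenant(Optional<Verified> result, String operationTenant) {
        String tenant = result.map(Verified::tenant).orElse(null);
        if (tenant == null || !tenant.equals(operationTenant))
            throw new SecurityException("untenanted or mismatched request: tenant-scoped operation rejected");
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();   // constructed test key
        var resolver = new KidResolverSketch(Map.of(
            "k-tenant-a", new ProvisionedKey(kp.getPublic(), AdcpUse.REQUEST_SIGNING, "tenant-a", "agent-1"),
            "k-shared", new ProvisionedKey(kp.getPublic(), AdcpUse.REQUEST_SIGNING, null, null)));
        byte[] body = "{\"tenant\":\"tenant-a\"}".getBytes();   // constructed payload
        Signature s = Signature.getInstance("Ed25519");
        s.initSign(kp.getPrivate()); s.update(body);
        byte[] sig = s.sign();

        requireTenant(resolver.verify("k-tenant-a", AdcpUse.REQUEST_SIGNING, body, sig), "tenant-a");
        System.out.println(resolver.verify("https://attacker.example/jwks", AdcpUse.REQUEST_SIGNING, body, sig));
        try { requireTenant(resolver.verify("k-shared", AdcpUse.REQUEST_SIGNING, body, sig), "tenant-a"); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }   // body's tenant claim is ignored
    }
}
```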