Consolidate signed-token key resolution into one rotation seam

[isuttell]

Summary

Each Worker re-implemented the same "env override → key ring → bare secret" cascade for every signed-token kind. The ring builders and verify*WithKeyRing helpers already lived in packages/rotation; the missing piece was the resolution policy as a seam. This adds that seam so key resolution lives in one tested place, migrates all four call surfaces onto it, and fixes a latent rotation bug along the way.

Changes

• New packages/rotation/src/signers.ts — resolveContentTokenSigner, resolveAgentViewTokenSigner, resolveUploadTokenSigner, resolveAccessLinkSigner. Each returns a typed sign/verify pair matched to the kind's natural payload shape; verify walks the rotation overlap window.
• Migrated api (content/bundle/agent-view URL minting, access-link mint + resolve), api/live-updates, content (verify), upload (mint + verify) onto the seam. No inlined cascade remains in any Worker.
• Bug fix: api previously minted content URLs with agentViewSigningSecret, which honored AGENT_VIEW_SIGNING_SECRET, while the content Worker verifies content tokens with the content ring only — setting that override would have made content URLs unverifiable. Content URLs now sign with content material; agent-view tokens keep the override symmetrically. Inert today (override unset), locked in by a new regression test.

Risk: MEDIUM

• Areas touched: signing-secret resolution for all four signed-token kinds (content-gateway, agent-view, upload PUT URL, access-link).
• Security: tightens behavior — content URLs no longer pick up an agent-view override the content Worker can't verify. No new secret surfaces; .signingSecret accessors stay inside trusted Workers.
• Performance: none (same ring construction, same verify walk).
• Breaking: none. Behavior-preserving for rotation; the one semantic change is the content/agent-view split, which is a fix.

Test plan

• packages/rotation unit tests incl. rotation-overlap + content-vs-agent-view regression (43 pass)
• api (149), content (29), upload (32) suites pass
• rg confirms no inlined ring/verify cascade remains in any Worker
• local workflow-code-review: READY FOR PR, CodeRabbit SKIP

Issue: AP-90

🤖 Generated with Claude Code

Summary by CodeRabbit

• Refactor

  • Centralized token signing and verification across content, upload, and access-link services using new signer resolver helpers.

• Tests

  • Added comprehensive test suite for token signer resolution and key rotation scenarios.

• Documentation

  • Updated quality and workflow documentation; removed references to agent skills verification step.

• Chores

  • Removed pnpm agent-skills:check script and associated validation logic.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 9b58542e-4b90-40b2-83b3-d671732ef8f9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• ✅ Review completed - (🔄 Check again to review again)

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/signing-key-resolution-seam

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

agent-paste PR preview is ready.

API: https://agent-paste-api-pr-141.isaac-a46.workers.dev
Upload: https://agent-paste-upload-pr-141.isaac-a46.workers.dev
Content: https://agent-paste-content-pr-141.isaac-a46.workers.dev
Jobs: https://agent-paste-jobs-pr-141.isaac-a46.workers.dev
Apex: https://agent-paste-apex-pr-141.isaac-a46.workers.dev
Web (login): https://pr-141.preview.agent-paste.sh (first deploy: allow a few minutes for the TLS cert)
Neon branch: https://console.neon.tech/app/projects/still-forest-91029005/branches/br-little-forest-apps86qh

[linear-code]

AP-90 Consolidate signed-token key resolution into one rotation seam

Outcome

Replace the per-Worker inlined "env override → key ring → bare secret" cascade with a single signing-key resolution seam in packages/rotation, so key resolution for every signed-token kind lives in one tested place.

Context

Surfaced by an architecture review (deepening opportunity #1). Each Worker re-implemented the same cascade per signed-token kind:

• mint: ring?.signingSecret() ?? bareSecret
• verify: ring ? verify*WithKeyRing(token, ring) : verify*(token, bareSecret)

This was inlined in apps/api, apps/content, apps/upload, and apps/api/live-updates.ts. The ring builders and verify*WithKeyRing helpers already lived in packages/rotation; what was missing was the resolution policy as a seam.

Scope

• New packages/rotation/src/signers.ts: resolveContentTokenSigner, resolveAgentViewTokenSigner, resolveUploadTokenSigner, resolveAccessLinkSigner. Each returns a typed sign/verify pair matched to the kind's natural payload shape; verify walks the rotation overlap window.
• Migrate api (content/bundle/agent-view URL minting, access-link mint + resolve), api/live-updates, content (verify), upload (mint + verify) onto the seam.
• Remove the duplicated cascade from all four Workers and the manual access-link env reconstruction in the resolve route.

Bug fixed

api previously minted content URLs with agentViewSigningSecret, which honored AGENT_VIEW_SIGNING_SECRET, while the content Worker verifies content tokens with the content ring only. Setting that override would have made content URLs unverifiable. Content URLs now sign with content material; agent-view tokens keep the override symmetrically on mint and verify. Inert today (override unset everywhere); covered by a new regression test.

Acceptance criteria

• One seam in packages/rotation owns key resolution for all four token kinds
• No inlined ring/verify cascade remains in any Worker (rg confirms)
• Behavior-preserving for rotation (overlap-window verify); content/agent-view split is the only semantic change and is a fix
• Regression test locks in the content-vs-agent-view secret split
• pnpm verify green

Out of scope

• mapRepositoryError deduplication (separate seam, review candidate feat: wire runCommand into mutation routes #4)
• The unreachable V2-only branch in key-ring.ts (pre-existing)

Related

Sibling change in the same PR: removed the obsolete local agent-skills:check guard (workflow skills now validated by central skills CI).

[github-actions]

agent-paste PR preview is ready.

API: https://agent-paste-api-pr-141.isaac-a46.workers.dev
Upload: https://agent-paste-upload-pr-141.isaac-a46.workers.dev
Content: https://agent-paste-content-pr-141.isaac-a46.workers.dev
Jobs: https://agent-paste-jobs-pr-141.isaac-a46.workers.dev
Apex: https://agent-paste-apex-pr-141.isaac-a46.workers.dev
Web (login): https://pr-141.preview.agent-paste.sh (first deploy: allow a few minutes for the TLS cert)
Neon branch: https://console.neon.tech/app/projects/still-forest-91029005/branches/br-little-forest-apps86qh

[github-actions]

agent-paste PR preview is ready.

API: https://agent-paste-api-pr-141.isaac-a46.workers.dev
Upload: https://agent-paste-upload-pr-141.isaac-a46.workers.dev
Content: https://agent-paste-content-pr-141.isaac-a46.workers.dev
Jobs: https://agent-paste-jobs-pr-141.isaac-a46.workers.dev
Apex: https://agent-paste-apex-pr-141.isaac-a46.workers.dev
Web (login): https://pr-141.preview.agent-paste.sh (first deploy: allow a few minutes for the TLS cert)
Neon branch: https://console.neon.tech/app/projects/still-forest-91029005/branches/br-little-forest-apps86qh

[github-actions]

agent-paste PR preview is ready.

API: https://agent-paste-api-pr-141.isaac-a46.workers.dev
Upload: https://agent-paste-upload-pr-141.isaac-a46.workers.dev
Content: https://agent-paste-content-pr-141.isaac-a46.workers.dev
Jobs: https://agent-paste-jobs-pr-141.isaac-a46.workers.dev
Apex: https://agent-paste-apex-pr-141.isaac-a46.workers.dev
Web (login): https://pr-141.preview.agent-paste.sh (first deploy: allow a few minutes for the TLS cert)
Neon branch: https://console.neon.tech/app/projects/still-forest-91029005/branches/br-little-forest-apps86qh

[github-actions]

agent-paste PR preview is ready.

API: https://agent-paste-api-pr-141.isaac-a46.workers.dev
Upload: https://agent-paste-upload-pr-141.isaac-a46.workers.dev
Content: https://agent-paste-content-pr-141.isaac-a46.workers.dev
Jobs: https://agent-paste-jobs-pr-141.isaac-a46.workers.dev
Apex: https://agent-paste-apex-pr-141.isaac-a46.workers.dev
Web (login): https://pr-141.preview.agent-paste.sh (first deploy: allow a few minutes for the TLS cert)
Neon branch: https://console.neon.tech/app/projects/still-forest-91029005/branches/br-little-forest-apps86qh

[github-actions]

agent-paste PR preview resources were cleaned up. The shared Preview GitHub Environment is retained for future preview deploys.