fix(security): rotation JWT compliance (#25, #26)

[moisesja]

Summary

Resolves two Low-severity audit findings on the from_prior rotation path (#25, #26). Both passed a PoC-backed adversarial red-team pass (AGENTS.md §2). Full suite: 625 tests green; warnings-as-errors clean.

Fixes

#	Change
#25	FromPriorBuilder.BuildAsync previously serialized only {iat, iss, sub}, silently discarding FromPriorClaims.Exp/Nbf — so every self-issued rotation JWT was non-expiring and the validator-side FR-ROT-05 freshness control could never fire. Claims are now built via an insertion-ordered JsonObject (exp, iat, iss, nbf, sub), emitting exp/nbf only when set (no-expiry payload byte-identical). New BuildAsync(claims, signerJwk, TimeSpan lifetime) overload sets exp = iat + lifetime so issuing a freshness-bounded token is one call.
#26	FromPriorValidator hand-parses the JWS header and previously read only alg/kid, silently ignoring crit — unlike JwsParser/JweParser, which fail closed (RFC 7515 §4.1.11). It now rejects any crit member with ProtocolException, before signature verification.

The validator/enforcement side already worked (ValidateFromPriorFreshness enforces exp/nbf with clock skew) — so these are narrow, sender-side and header-parse gaps.

Decision applied

The PRD's rotation cookbook (§N) and API matrix referenced a .WithDidRotation(...) helper that was never built (the real API is FromPriorBuilder.BuildAsync + MessageBuilder.WithFromPrior). Per the maintainer's call, the PRD example is realigned to the actual API; WithDidRotation is noted as possible future DX rather than built.

Adversarial red-team pass (AGENTS.md §2) — both hold

• FromPriorBuilder never emits exp/nbf, so self-issued rotation JWTs are non-expiring and the FR-ROT-05 freshness defense is dead on the sender side #25 — the lifetime overflow is unconstructible (TimeSpan.MaxValue.TotalSeconds ≈ 9.2e11 ≪ long overflow), and a forced wrap fails closed at the receiver (negative exp → always expired). No JSON injection (JsonObject escapes); round-trip type-correct; freshness boundary math clean (negative skew tightens, never loosens). Remediated the one footgun found: a sub-second lifetime floored to exp == iat (already-expired) — the overload now rejects < 1s.
• from_prior JWS validation ignores a 'crit' protected header, diverging from the fail-closed RFC 7515 §4.1.11 behavior enforced everywhere else #26 — crit rejection survives unicode-escaped / \u-partial / duplicate(→malformed) / empty / null / wrong-type variants; the only "accepted" inputs are non-normative member names (Crit, crit, nested) no JOSE peer honors as crit. Runs before signature verify; ProtocolException propagates uncaught.

Test plan

• FromPriorBuilder never emits exp/nbf, so self-issued rotation JWTs are non-expiring and the FR-ROT-05 freshness defense is dead on the sender side #25: exact-payload assertions pin the exp,iat,iss,nbf,sub order and the byte-identical no-exp path; the lifetime overload sets exp correctly and rejects ≤ 0 / sub-second; end-to-end a self-issued token with exp in the past is rejected on UnpackAsync (FR-ROT-05).
• from_prior JWS validation ignores a 'crit' protected header, diverging from the fail-closed RFC 7515 §4.1.11 behavior enforced everywhere else #26: a crit-bearing from_prior (spliced without re-signing) → ProtocolException.

Closes #25, closes #26

🤖 Generated with Claude Code

[moisesja]

Good catch — added in 765b91f: DidCommClient_RejectsNotYetValidFromPrior_FrRot05, the symmetric end-to-end test for a future nbf.

One subtlety worth flagging on the suggested Nbf = iat + 86400: with the fixture iat = 1700000000 (Nov 2023), iat + 86400 is still 2023 — i.e. in the past under the real wall clock, so the not-yet-valid check wouldn't fire (the token would be valid now). To make it both faithful to the intent and deterministic, the test pins the clock to iat via DidCommOptions.Clock, so nbf = iat + 1 day is genuinely in the future (well past any skew) regardless of when CI runs:

var pinnedNow = DateTimeOffset.FromUnixTimeSeconds(iat);
var claims = new FromPriorClaims(Sub: "did:example:alice", Iss: PriorDid, Iat: iat, Nbf: iat + 86400);
// … pack authcrypted …
var client = new DidCommClient(secrets, keyService, new DidCommOptions { Clock = () => pinnedNow });
await act.Should().ThrowAsync<ConsistencyException>().Where(e => e.Message.Contains("not yet valid"));

Both freshness directions are now covered end-to-end (expired exp and future nbf). Full suite 626 green.