// Package authz is the control-plane-authorization layer: it verifies
// operator-signed destructive ops before the agent executes them. It is what the
// reconcile loop (slice 4) calls to gate destructive desired-state deltas and
// signed one-shot jobs (03 §4, 04). The signing mechanism is proven (Phase 4,
// 14/14) — this package is its production form: a key-type-agnostic SSHSIG
// verifier, the full anti-replay/authorization pipeline, and a durable,
// crash-safe nonce store.
//
// # Mechanism (LOCKED — do not redesign)
//
// - SSHSIG via golang.org/x/crypto/ssh; no hand-rolled crypto, no raw-Ed25519
//   fallback. pub.Verify dispatches on the key's own algorithm, so the same path
//   accepts ed25519 / sk-ssh-ed25519 (FIDO2) / rsa / ecdsa — a hardware operator
//   key later is a box no-op (Phase 4 §5/§6, doc 04 §7).
// - Fixed namespace felhom-op-v1 (package constant, never caller-supplied).
// - The verifier verifies over the RAW received blob bytes and never
//   canonicalizes — the canonical form (sorted-key, whitespace-free JSON) is the
//   signer's contract, shared by the hub and the felhom-sign CLI.
//
// # Pipeline order (load-bearing — Verify)
//
//	parse armor → namespace → parse pubkey → allow-list (by key MATERIAL, not
//	key_id) → crypto verify → parse blob → target → time window → nonce LAST
//
// Each post-crypto stage rejects even with an otherwise-valid signature. The nonce
// is recorded last, so an invalid signature can never consume a nonce. key_id is
// advisory/audit only — authz is the key-material allow-list match.
//
// # Shared-contract dependency (flag for later, not built here)
//
// Signatures only verify if the op-generator (hub) and the felhom-sign CLI produce
// BYTE-IDENTICAL canonical JSON (keys sorted at every level, no insignificant
// whitespace, no trailing newline, UTF-8 — Phase 4 §2). The verifier deliberately
// does NOT re-canonicalize, so a divergence between those two producers surfaces as
// a crypto failure here. A shared canonicalizer that both import would be the right
// home for that contract; it is out of scope for this slice.
package authz
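The stage ordering and the raw-bytes rule above, as an added, self-contained example; it is not the authz package's code. It models the post-armor stages (allow-list by key material, crypto verify, parse blob, target, time window, nonce last) together with a signer-side canonicalizer, so that a producer divergence shows up as a signature failure and a bad signature never consumes a nonce. Because golang.org/x/crypto is not assumed to be available, the crypto stage is a stand-in using the standard library's crypto/ed25519 over the raw blob bytes; the real verifier parses SSHSIG armor, checks the felhom-op-v1 namespace and dispatches through ssh.PublicKey.Verify instead. The Op field names, the in-memory NonceStore, the fixed clock and the sample op are all assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// One sentinel per stage so an audit log can record where a blob was rejected.
var (
	ErrKeyNotAllowed = errors.New("key material not in allow-list")
	ErrBadSignature  = errors.New("signature does not verify over raw blob")
	ErrWrongTarget   = errors.New("op targets a different node")
	ErrExpired       = errors.New("op outside its time window")
	ErrReplay        = errors.New("nonce already consumed")
)

// Op is a hypothetical payload shape; the field names are assumptions for this example.
type Op struct {
	KeyID     string `json:"key_id"` // advisory/audit only, never used for authz
	Target    string `json:"target"`
	Nonce     string `json:"nonce"`
	NotBefore int64  `json:"not_before"`
	NotAfter  int64  `json:"not_after"`
}

// Canonicalize is a stand-in for the signer-side contract: keys sorted at every
// level, no insignificant whitespace, no trailing newline (encoding/json sorts map keys).
func Canonicalize(raw []byte) ([]byte, error) {
	var v any
	if err := json.Unmarshal(raw, &v); err != nil {
		return nil, err
	}
	return json.Marshal(v)
}

// SignOp canonicalizes then signs; the returned blob is exactly what the verifier must receive.
func SignOp(priv ed25519.PrivateKey, raw []byte) (blob, sig []byte, err error) {
	if blob, err = Canonicalize(raw); err != nil {
		return nil, nil, err
	}
	return blob, ed25519.Sign(priv, blob), nil
}

// NonceStore is an in-memory stand-in for the durable, crash-safe store.
type NonceStore map[string]bool

// Consume records n and reports whether it was fresh.
func (s NonceStore) Consume(n string) (fresh bool) {
	fresh = !s[n]
	s[n] = true
	return fresh
}

// Verifier's allow-list is keyed by raw key material (string(pub)), not by key_id.
type Verifier struct {
	Node    string
	Allowed map[string]bool
	Nonces  NonceStore
	Now     func() time.Time
}

// Verify runs the post-armor stages in the documented order; the nonce is consumed LAST.
func (v *Verifier) Verify(pub ed25519.PublicKey, blob, sig []byte) (*Op, error) {
	if !v.Allowed[string(pub)] { // allow-list by key material; op.key_id is never consulted
		return nil, ErrKeyNotAllowed
	}
	if !ed25519.Verify(pub, blob, sig) { // raw bytes as received, no re-canonicalization
		return nil, ErrBadSignature
	}
	var op Op
	if err := json.Unmarshal(blob, &op); err != nil {
		return nil, fmt.Errorf("parse blob: %w", err)
	}
	if op.Target != v.Node {
		return nil, ErrWrongTarget
	}
	if now := v.Now().Unix(); now < op.NotBefore || now > op.NotAfter {
		return nil, ErrExpired
	}
	if !v.Nonces.Consume(op.Nonce) { // last: an earlier rejection can never burn a nonce
		return nil, ErrReplay
	}
	return &op, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := &Verifier{Node: "node-a", Allowed: map[string]bool{string(pub): true}, Nonces: NonceStore{},
		Now: func() time.Time { return time.Unix(1700000050, 0) }}
	// Constructed op: keys deliberately unsorted and space-padded; the signer canonicalizes.
	raw := []byte(`{"target": "node-a", "nonce": "n1", "not_after": 1700000100, "not_before": 1700000000, "key_id": "ops"}`)
	blob, sig, _ := SignOp(priv, raw)
	_, first := v.Verify(pub, blob, sig)
	_, replay := v.Verify(pub, blob, sig)
	fmt.Println("first:", first, "| replay:", replay)
}
```

Two caveats on the stand-in canonicalizer: encoding/json HTML-escapes `<`, `>` and `&`, and round-trips numbers through float64, so it is not byte-identical to a canonicalizer that preserves literals; it is here only to show that two differently ordered inputs collapse to one byte string, and that any drift between two such producers fails at the signature stage rather than being papered over by the verifier.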