`ef73d0c`

actions/runnerjwt: add single-use job token foundation (S41c)

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 3 days ago

SHA: ef73d0c2b4950bd5f0c08f84e3585e71561cf699
Parents: 9ecd8ed
Tree: d7d146b

23 changed files

Status	File	+
A	`internal/actions/queries/runner_jwt_used.sql`	10
M	`internal/actions/sqlc/models.go`	10
M	`internal/actions/sqlc/querier.go`	3
A	`internal/actions/sqlc/runner_jwt_used.sql.go`	61
M	`internal/admin/sqlc/models.go`	10
M	`internal/auth/policy/sqlc/models.go`	10
A	`internal/auth/runnerjwt/jwt.go`	298
A	`internal/auth/runnerjwt/jwt_test.go`	164
A	`internal/auth/runnerjwt/replay.go`	40
A	`internal/auth/runnerjwt/replay_test.go`	118
M	`internal/checks/sqlc/models.go`	10
M	`internal/issues/sqlc/models.go`	10
M	`internal/meta/sqlc/models.go`	10
A	`internal/migrationsfs/migrations/0052_runner_jwt_used.sql`	35
M	`internal/notif/sqlc/models.go`	10
M	`internal/orgs/sqlc/models.go`	10
M	`internal/pulls/sqlc/models.go`	10
M	`internal/ratelimit/sqlc/models.go`	10
M	`internal/repos/sqlc/models.go`	10
M	`internal/social/sqlc/models.go`	10
M	`internal/users/sqlc/models.go`	10
M	`internal/webhook/sqlc/models.go`	10
M	`internal/worker/sqlc/models.go`	10

internal/actions/queries/runner_jwt_used.sqladded

 +-- SPDX-License-Identifier: AGPL-3.0-or-later
++
 +-- name: MarkRunnerJWTUsed :one
 +INSERT INTO runner_jwt_used (jti, runner_id, job_id, run_id, repo_id, expires_at)
 +VALUES ($1, $2, $3, $4, $5, $6)
 +ON CONFLICT (jti) DO NOTHING
 +RETURNING jti, runner_id, job_id, run_id, repo_id, expires_at, used_at;
++
 +-- name: DeleteExpiredRunnerJWTUses :exec
 +DELETE FROM runner_jwt_used WHERE expires_at < now();

internal/actions/sqlc/models.gomodified

  	Tsv    interface{}
+ }
 +type RunnerJwtUsed struct {
 +	Jti       string
 +	RunnerID  int64
 +	JobID     int64
 +	RunID     int64
 +	RepoID    int64
 +	ExpiresAt pgtype.Timestamptz
 +	UsedAt    pgtype.Timestamptz
 +}
++
  type RunnerToken struct {
  	ID        int64
  	RunnerID  int64

internal/actions/sqlc/querier.gomodified

  	// SPDX-License-Identifier: AGPL-3.0-or-later
  	AppendStepLogChunk(ctx context.Context, db DBTX, arg AppendStepLogChunkParams) (AppendStepLogChunkRow, error)
  	DeleteExpiredArtifacts(ctx context.Context, db DBTX) ([]DeleteExpiredArtifactsRow, error)
 +	DeleteExpiredRunnerJWTUses(ctx context.Context, db DBTX) error
  	DeleteOrgSecret(ctx context.Context, db DBTX, arg DeleteOrgSecretParams) error
  	DeleteOrgVariable(ctx context.Context, db DBTX, arg DeleteOrgVariableParams) error
  	DeleteRepoSecret(ctx context.Context, db DBTX, arg DeleteRepoSecretParams) error
  	// handler uses this to find the existing row so it can surface a
  	// stable RunID. Matches the partial-unique index from migration 0051.
  	LookupWorkflowRunByTriggerEvent(ctx context.Context, db DBTX, arg LookupWorkflowRunByTriggerEventParams) (WorkflowRun, error)
 +	// SPDX-License-Identifier: AGPL-3.0-or-later
 +	MarkRunnerJWTUsed(ctx context.Context, db DBTX, arg MarkRunnerJWTUsedParams) (RunnerJwtUsed, error)
  	// Atomic next-index emitter: take the max + 1 for this repo. Pairs
  	// with the (repo_id, run_index) UNIQUE so concurrent inserts that
  	// race here will catch a unique-violation and the caller retries.

internal/actions/sqlc/runner_jwt_used.sql.goadded

 +// Code generated by sqlc. DO NOT EDIT.
 +// versions:
 +//   sqlc v1.31.1
 +// source: runner_jwt_used.sql
++
 +package actionsdb
++
 +import (
 +	"context"
++
 +	"github.com/jackc/pgx/v5/pgtype"
 +)
++
 +const deleteExpiredRunnerJWTUses = `-- name: DeleteExpiredRunnerJWTUses :exec
 +DELETE FROM runner_jwt_used WHERE expires_at < now()
 +`
++
 +func (q *Queries) DeleteExpiredRunnerJWTUses(ctx context.Context, db DBTX) error {
 +	_, err := db.Exec(ctx, deleteExpiredRunnerJWTUses)
 +	return err
 +}
++
 +const markRunnerJWTUsed = `-- name: MarkRunnerJWTUsed :one
++
 +INSERT INTO runner_jwt_used (jti, runner_id, job_id, run_id, repo_id, expires_at)
 +VALUES ($1, $2, $3, $4, $5, $6)
 +ON CONFLICT (jti) DO NOTHING
 +RETURNING jti, runner_id, job_id, run_id, repo_id, expires_at, used_at
 +`
++
 +type MarkRunnerJWTUsedParams struct {
 +	Jti       string
 +	RunnerID  int64
 +	JobID     int64
 +	RunID     int64
 +	RepoID    int64
 +	ExpiresAt pgtype.Timestamptz
 +}
++
 +// SPDX-License-Identifier: AGPL-3.0-or-later
 +func (q *Queries) MarkRunnerJWTUsed(ctx context.Context, db DBTX, arg MarkRunnerJWTUsedParams) (RunnerJwtUsed, error) {
 +	row := db.QueryRow(ctx, markRunnerJWTUsed,
 +		arg.Jti,
 +		arg.RunnerID,
 +		arg.JobID,
 +		arg.RunID,
 +		arg.RepoID,
 +		arg.ExpiresAt,
 +	)
 +	var i RunnerJwtUsed
 +	err := row.Scan(
 +		&i.Jti,
 +		&i.RunnerID,
 +		&i.JobID,
 +		&i.RunID,
 +		&i.RepoID,
 +		&i.ExpiresAt,
 +		&i.UsedAt,
 +	)
 +	return i, err
 +}

internal/admin/sqlc/models.gomodified

  	Tsv    interface{}
+ }
 +type RunnerJwtUsed struct {
 +	Jti       string
 +	RunnerID  int64
 +	JobID     int64
 +	RunID     int64
 +	RepoID    int64
 +	ExpiresAt pgtype.Timestamptz
 +	UsedAt    pgtype.Timestamptz
 +}
++
  type RunnerToken struct {
  	ID        int64
  	RunnerID  int64

internal/auth/policy/sqlc/models.gomodified

  	Tsv    interface{}
+ }
 +type RunnerJwtUsed struct {
 +	Jti       string
 +	RunnerID  int64
 +	JobID     int64
 +	RunID     int64
 +	RepoID    int64
 +	ExpiresAt pgtype.Timestamptz
 +	UsedAt    pgtype.Timestamptz
 +}
++
  type RunnerToken struct {
  	ID        int64
  	RunnerID  int64

internal/auth/runnerjwt/jwt.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +// Package runnerjwt signs and verifies the short-lived job tokens used by
 +// shithub Actions runners.
 +//
 +// Registration tokens authenticate a runner to the heartbeat endpoint. A
 +// successful claim receives one JWT scoped to one workflow_jobs row; job
 +// endpoints verify the signature, expiry, path/job match, and then consume
 +// the jti through runner_jwt_used so the token is single-use.
 +package runnerjwt
++
 +import (
 +	"crypto/hkdf"
 +	"crypto/hmac"
 +	"crypto/rand"
 +	"crypto/sha256"
 +	"encoding/base64"
 +	"encoding/json"
 +	"errors"
 +	"fmt"
 +	"io"
 +	"strconv"
 +	"strings"
 +	"time"
 +)
++
 +const (
 +	// DefaultTTL is the runner job-token lifetime from the S41c contract.
 +	DefaultTTL = 15 * time.Minute
++
 +	signingKeySize = 32
 +	hkdfInfo       = "actions-runner-jwt-v1"
 +	jtiBytes       = 32
 +)
++
 +var (
 +	ErrEmptyKey          = errors.New("runnerjwt: empty key")
 +	ErrInvalidKey        = errors.New("runnerjwt: key must be 32 bytes")
 +	ErrMalformed         = errors.New("runnerjwt: malformed token")
 +	ErrInvalidSignature  = errors.New("runnerjwt: invalid signature")
 +	ErrExpired           = errors.New("runnerjwt: expired token")
 +	ErrInvalidClaims     = errors.New("runnerjwt: invalid claims")
 +	ErrUnsupportedHeader = errors.New("runnerjwt: unsupported header")
 +)
++
 +// Claims are the JWT payload fields accepted by runner job endpoints.
 +type Claims struct {
 +	Sub    string `json:"sub"`
 +	JobID  int64  `json:"job_id"`
 +	RunID  int64  `json:"run_id"`
 +	RepoID int64  `json:"repo_id"`
 +	Exp    int64  `json:"exp"`
 +	JTI    string `json:"jti"`
 +}
++
 +// RunnerID extracts the runner id encoded in sub="runner:<id>".
 +func (c Claims) RunnerID() (int64, error) {
 +	const prefix = "runner:"
 +	if !strings.HasPrefix(c.Sub, prefix) {
 +		return 0, ErrInvalidClaims
 +	}
 +	id, err := strconv.ParseInt(strings.TrimPrefix(c.Sub, prefix), 10, 64)
 +	if err != nil || id <= 0 {
 +		return 0, ErrInvalidClaims
 +	}
 +	return id, nil
 +}
++
 +// MintParams describes a job token to issue.
 +type MintParams struct {
 +	RunnerID int64
 +	JobID    int64
 +	RunID    int64
 +	RepoID   int64
 +	TTL      time.Duration
 +}
++
 +// Signer signs and verifies HS256 runner JWTs.
 +type Signer struct {
 +	key []byte
 +	now func() time.Time
 +	rng io.Reader
 +}
++
 +// Option customizes a Signer. Tests use these for deterministic time/randomness.
 +type Option func(*Signer)
++
 +// WithClock overrides the clock used for exp validation and issuance.
 +func WithClock(now func() time.Time) Option {
 +	return func(s *Signer) {
 +		if now != nil {
 +			s.now = now
 +		}
 +	}
 +}
++
 +// WithRand overrides the random source used for jti generation.
 +func WithRand(r io.Reader) Option {
 +	return func(s *Signer) {
 +		if r != nil {
 +			s.rng = r
 +		}
 +	}
 +}
++
 +// NewFromTOTPKeyB64 decodes cfg.Auth.TOTPKeyB64 and derives an isolated
 +// runner-JWT signing key via HKDF. The raw TOTP/secretbox key is never used
 +// directly for JWT signatures.
 +func NewFromTOTPKeyB64(totpKeyB64 string, opts ...Option) (*Signer, error) {
 +	key, err := DeriveKeyFromTOTPKeyB64(totpKeyB64)
 +	if err != nil {
 +		return nil, err
 +	}
 +	return NewFromKey(key, opts...)
 +}
++
 +// DeriveKeyFromTOTPKeyB64 returns the HS256 key derived from the configured
 +// 32-byte TOTP/secretbox key.
 +func DeriveKeyFromTOTPKeyB64(totpKeyB64 string) ([]byte, error) {
 +	if totpKeyB64 == "" {
 +		return nil, ErrEmptyKey
 +	}
 +	raw, err := decodeKey(totpKeyB64)
 +	if err != nil {
 +		return nil, fmt.Errorf("runnerjwt: decode key: %w", err)
 +	}
 +	if len(raw) != signingKeySize {
 +		return nil, ErrInvalidKey
 +	}
 +	key, err := hkdf.Key(sha256.New, raw, nil, hkdfInfo, signingKeySize)
 +	if err != nil {
 +		return nil, fmt.Errorf("runnerjwt: derive key: %w", err)
 +	}
 +	return key, nil
 +}
++
 +// NewFromKey constructs a Signer from an already-derived 32-byte HS256 key.
 +func NewFromKey(key []byte, opts ...Option) (*Signer, error) {
 +	if len(key) != signingKeySize {
 +		return nil, ErrInvalidKey
 +	}
 +	copied := make([]byte, len(key))
 +	copy(copied, key)
 +	s := &Signer{
 +		key: copied,
 +		now: time.Now,
 +		rng: rand.Reader,
 +	}
 +	for _, opt := range opts {
 +		opt(s)
 +	}
 +	return s, nil
 +}
++
 +// Mint signs a new job token and returns the token plus the exact claims.
 +func (s *Signer) Mint(p MintParams) (string, Claims, error) {
 +	ttl := p.TTL
 +	if ttl == 0 {
 +		ttl = DefaultTTL
 +	}
 +	if p.RunnerID <= 0 || p.JobID <= 0 || p.RunID <= 0 || p.RepoID <= 0 || ttl <= 0 {
 +		return "", Claims{}, ErrInvalidClaims
 +	}
 +	jti, err := newJTI(s.rng)
 +	if err != nil {
 +		return "", Claims{}, err
 +	}
 +	claims := Claims{
 +		Sub:    fmt.Sprintf("runner:%d", p.RunnerID),
 +		JobID:  p.JobID,
 +		RunID:  p.RunID,
 +		RepoID: p.RepoID,
 +		Exp:    s.now().Add(ttl).Unix(),
 +		JTI:    jti,
 +	}
 +	if err := validateClaims(claims); err != nil {
 +		return "", Claims{}, err
 +	}
 +	token, err := s.sign(claims)
 +	if err != nil {
 +		return "", Claims{}, err
 +	}
 +	return token, claims, nil
 +}
++
 +// Verify checks token shape, HS256 signature, registered claims, and expiry.
 +// It does not consume jti; callers perform that DB operation after verifying
 +// path/job ownership.
 +func (s *Signer) Verify(token string) (Claims, error) {
 +	parts := strings.Split(token, ".")
 +	if len(parts) != 3 || parts[0] == "" || parts[1] == "" || parts[2] == "" {
 +		return Claims{}, ErrMalformed
 +	}
 +	headerBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
 +	if err != nil {
 +		return Claims{}, ErrMalformed
 +	}
 +	var header struct {
 +		Alg string `json:"alg"`
 +		Typ string `json:"typ"`
 +	}
 +	if err := json.Unmarshal(headerBytes, &header); err != nil {
 +		return Claims{}, ErrMalformed
 +	}
 +	if header.Alg != "HS256" || header.Typ != "JWT" {
 +		return Claims{}, ErrUnsupportedHeader
 +	}
++
 +	signingInput := parts[0] + "." + parts[1]
 +	gotSig, err := base64.RawURLEncoding.DecodeString(parts[2])
 +	if err != nil {
 +		return Claims{}, ErrMalformed
 +	}
 +	wantSig := signHS256(s.key, signingInput)
 +	if !hmac.Equal(gotSig, wantSig) {
 +		return Claims{}, ErrInvalidSignature
 +	}
++
 +	payloadBytes, err := base64.RawURLEncoding.DecodeString(parts[1])
 +	if err != nil {
 +		return Claims{}, ErrMalformed
 +	}
 +	var claims Claims
 +	if err := json.Unmarshal(payloadBytes, &claims); err != nil {
 +		return Claims{}, ErrMalformed
 +	}
 +	if err := validateClaims(claims); err != nil {
 +		return Claims{}, err
 +	}
 +	if !s.now().Before(time.Unix(claims.Exp, 0)) {
 +		return Claims{}, ErrExpired
 +	}
 +	return claims, nil
 +}
++
 +func (s *Signer) sign(claims Claims) (string, error) {
 +	headerJSON, err := json.Marshal(struct {
 +		Alg string `json:"alg"`
 +		Typ string `json:"typ"`
 +	}{Alg: "HS256", Typ: "JWT"})
 +	if err != nil {
 +		return "", err
 +	}
 +	payloadJSON, err := json.Marshal(claims)
 +	if err != nil {
 +		return "", err
 +	}
 +	header := base64.RawURLEncoding.EncodeToString(headerJSON)
 +	payload := base64.RawURLEncoding.EncodeToString(payloadJSON)
 +	signingInput := header + "." + payload
 +	sig := base64.RawURLEncoding.EncodeToString(signHS256(s.key, signingInput))
 +	return signingInput + "." + sig, nil
 +}
++
 +func signHS256(key []byte, signingInput string) []byte {
 +	mac := hmac.New(sha256.New, key)
 +	_, _ = mac.Write([]byte(signingInput))
 +	return mac.Sum(nil)
 +}
++
 +func newJTI(r io.Reader) (string, error) {
 +	buf := make([]byte, jtiBytes)
 +	if _, err := io.ReadFull(r, buf); err != nil {
 +		return "", fmt.Errorf("runnerjwt: jti: %w", err)
 +	}
 +	return base64.RawURLEncoding.EncodeToString(buf), nil
 +}
++
 +func validateClaims(c Claims) error {
 +	if _, err := c.RunnerID(); err != nil {
 +		return err
 +	}
 +	if c.JobID <= 0 || c.RunID <= 0 || c.RepoID <= 0 || c.Exp <= 0 {
 +		return ErrInvalidClaims
 +	}
 +	if len(c.JTI) < 16 || len(c.JTI) > 128 {
 +		return ErrInvalidClaims
 +	}
 +	return nil
 +}
++
 +func decodeKey(s string) ([]byte, error) {
 +	encodings := []*base64.Encoding{
 +		base64.StdEncoding,
 +		base64.RawStdEncoding,
 +		base64.URLEncoding,
 +		base64.RawURLEncoding,
 +	}
 +	var lastErr error
 +	for _, enc := range encodings {
 +		raw, err := enc.DecodeString(s)
 +		if err == nil {
 +			return raw, nil
 +		}
 +		lastErr = err
 +	}
 +	return nil, lastErr
 +}

internal/auth/runnerjwt/jwt_test.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package runnerjwt_test
++
 +import (
 +	"encoding/base64"
 +	"errors"
 +	"strings"
 +	"testing"
 +	"time"
++
 +	"github.com/tenseleyFlow/shithub/internal/auth/runnerjwt"
 +)
++
 +func TestDeriveKeyFromTOTPKeyB64_UsesHKDFLabel(t *testing.T) {
 +	raw := bytesOf(0x42, 32)
 +	derived, err := runnerjwt.DeriveKeyFromTOTPKeyB64(base64.StdEncoding.EncodeToString(raw))
 +	if err != nil {
 +		t.Fatalf("DeriveKeyFromTOTPKeyB64: %v", err)
 +	}
 +	if len(derived) != 32 {
 +		t.Fatalf("derived length: got %d, want 32", len(derived))
 +	}
 +	if string(derived) == string(raw) {
 +		t.Fatal("derived key matched raw TOTP key; want HKDF isolation")
 +	}
 +}
++
 +func TestMintVerifyRoundTrip(t *testing.T) {
 +	now := time.Date(2026, 5, 10, 12, 0, 0, 0, time.UTC)
 +	signer := newTestSigner(t, now, bytesOf(0x11, 32))
++
 +	token, claims, err := signer.Mint(runnerjwt.MintParams{
 +		RunnerID: 7,
 +		JobID:    11,
 +		RunID:    13,
 +		RepoID:   17,
 +	})
 +	if err != nil {
 +		t.Fatalf("Mint: %v", err)
 +	}
 +	if got := len(strings.Split(token, ".")); got != 3 {
 +		t.Fatalf("token parts: got %d, want 3", got)
 +	}
 +	if claims.Exp != now.Add(runnerjwt.DefaultTTL).Unix() {
 +		t.Fatalf("exp: got %d, want %d", claims.Exp, now.Add(runnerjwt.DefaultTTL).Unix())
 +	}
 +	runnerID, err := claims.RunnerID()
 +	if err != nil {
 +		t.Fatalf("RunnerID: %v", err)
 +	}
 +	if runnerID != 7 {
 +		t.Fatalf("RunnerID: got %d, want 7", runnerID)
 +	}
++
 +	got, err := signer.Verify(token)
 +	if err != nil {
 +		t.Fatalf("Verify: %v", err)
 +	}
 +	if got != claims {
 +		t.Fatalf("claims mismatch:\n got %#v\nwant %#v", got, claims)
 +	}
 +}
++
 +func TestVerifyRejectsTamperedPayload(t *testing.T) {
 +	signer := newTestSigner(t, time.Unix(100, 0), bytesOf(0x22, 32))
 +	token, _, err := signer.Mint(runnerjwt.MintParams{RunnerID: 1, JobID: 2, RunID: 3, RepoID: 4})
 +	if err != nil {
 +		t.Fatalf("Mint: %v", err)
 +	}
 +	parts := strings.Split(token, ".")
 +	replacement := "A"
 +	if parts[1][len(parts[1])-1] == 'A' {
 +		replacement = "B"
 +	}
 +	parts[1] = parts[1][:len(parts[1])-1] + replacement
++
 +	if _, err := signer.Verify(strings.Join(parts, ".")); !errors.Is(err, runnerjwt.ErrInvalidSignature) {
 +		t.Fatalf("Verify tampered payload: got %v, want ErrInvalidSignature", err)
 +	}
 +}
++
 +func TestVerifyRejectsExpiredToken(t *testing.T) {
 +	issuedAt := time.Unix(100, 0)
 +	key, err := runnerjwt.DeriveKeyFromTOTPKeyB64(base64.StdEncoding.EncodeToString(bytesOf(0x99, 32)))
 +	if err != nil {
 +		t.Fatalf("derive: %v", err)
 +	}
 +	signer, err := runnerjwt.NewFromKey(
 +		key,
 +		runnerjwt.WithClock(func() time.Time { return issuedAt }),
 +		runnerjwt.WithRand(strings.NewReader(string(bytesOf(0x55, 32)))),
 +	)
 +	if err != nil {
 +		t.Fatalf("NewFromKey signer: %v", err)
 +	}
 +	token, _, err := signer.Mint(runnerjwt.MintParams{RunnerID: 1, JobID: 2, RunID: 3, RepoID: 4, TTL: time.Second})
 +	if err != nil {
 +		t.Fatalf("Mint: %v", err)
 +	}
 +	verifier, err := runnerjwt.NewFromKey(key, runnerjwt.WithClock(func() time.Time { return issuedAt.Add(time.Second) }))
 +	if err != nil {
 +		t.Fatalf("NewFromKey verifier: %v", err)
 +	}
 +	if _, err := verifier.Verify(token); !errors.Is(err, runnerjwt.ErrExpired) {
 +		t.Fatalf("Verify expired: got %v, want ErrExpired", err)
 +	}
 +}
++
 +func TestVerifyRejectsUnsupportedHeader(t *testing.T) {
 +	signer := newTestSigner(t, time.Unix(100, 0), bytesOf(0x44, 32))
 +	if _, err := signer.Verify("eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.e30.sig"); !errors.Is(err, runnerjwt.ErrUnsupportedHeader) {
 +		t.Fatalf("Verify unsupported header: got %v, want ErrUnsupportedHeader", err)
 +	}
 +}
++
 +func TestMintGeneratesDistinctJTI(t *testing.T) {
 +	now := time.Unix(100, 0)
 +	rng := strings.NewReader(string(append(bytesOf(0x01, 32), bytesOf(0x02, 32)...)))
 +	key, err := runnerjwt.DeriveKeyFromTOTPKeyB64(base64.StdEncoding.EncodeToString(bytesOf(0x77, 32)))
 +	if err != nil {
 +		t.Fatalf("derive: %v", err)
 +	}
 +	signer, err := runnerjwt.NewFromKey(key, runnerjwt.WithClock(func() time.Time { return now }), runnerjwt.WithRand(rng))
 +	if err != nil {
 +		t.Fatalf("NewFromKey: %v", err)
 +	}
 +	_, first, err := signer.Mint(runnerjwt.MintParams{RunnerID: 1, JobID: 2, RunID: 3, RepoID: 4})
 +	if err != nil {
 +		t.Fatalf("Mint first: %v", err)
 +	}
 +	_, second, err := signer.Mint(runnerjwt.MintParams{RunnerID: 1, JobID: 2, RunID: 3, RepoID: 4})
 +	if err != nil {
 +		t.Fatalf("Mint second: %v", err)
 +	}
 +	if first.JTI == second.JTI {
 +		t.Fatalf("JTI reused: %s", first.JTI)
 +	}
 +}
++
 +func newTestSigner(t *testing.T, now time.Time, jtiBytes []byte) *runnerjwt.Signer {
 +	t.Helper()
 +	key, err := runnerjwt.DeriveKeyFromTOTPKeyB64(base64.StdEncoding.EncodeToString(bytesOf(0x99, 32)))
 +	if err != nil {
 +		t.Fatalf("derive: %v", err)
 +	}
 +	signer, err := runnerjwt.NewFromKey(
 +		key,
 +		runnerjwt.WithClock(func() time.Time { return now }),
 +		runnerjwt.WithRand(strings.NewReader(string(jtiBytes))),
 +	)
 +	if err != nil {
 +		t.Fatalf("NewFromKey: %v", err)
 +	}
 +	return signer
 +}
++
 +func bytesOf(b byte, n int) []byte {
 +	out := make([]byte, n)
 +	for i := range out {
 +		out[i] = b
 +	}
 +	return out
 +}

internal/auth/runnerjwt/replay.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package runnerjwt
++
 +import (
 +	"context"
 +	"errors"
 +	"time"
++
 +	"github.com/jackc/pgx/v5"
 +	"github.com/jackc/pgx/v5/pgtype"
++
 +	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"
 +)
++
 +var ErrReplay = errors.New("runnerjwt: token replay")
++
 +// Consume records claims.JTI as used. It returns ErrReplay when the jti was
 +// already consumed, which callers translate to 401.
 +func Consume(ctx context.Context, db actionsdb.DBTX, claims Claims) error {
 +	runnerID, err := claims.RunnerID()
 +	if err != nil {
 +		return err
 +	}
 +	if err := validateClaims(claims); err != nil {
 +		return err
 +	}
 +	_, err = actionsdb.New().MarkRunnerJWTUsed(ctx, db, actionsdb.MarkRunnerJWTUsedParams{
 +		Jti:       claims.JTI,
 +		RunnerID:  runnerID,
 +		JobID:     claims.JobID,
 +		RunID:     claims.RunID,
 +		RepoID:    claims.RepoID,
 +		ExpiresAt: pgtype.Timestamptz{Time: time.Unix(claims.Exp, 0), Valid: true},
 +	})
 +	if errors.Is(err, pgx.ErrNoRows) {
 +		return ErrReplay
 +	}
 +	return err
 +}

internal/auth/runnerjwt/replay_test.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package runnerjwt_test
++
 +import (
 +	"context"
 +	"errors"
 +	"testing"
 +	"time"
++
 +	"github.com/jackc/pgx/v5"
 +	"github.com/jackc/pgx/v5/pgconn"
 +	"github.com/jackc/pgx/v5/pgtype"
++
 +	"github.com/tenseleyFlow/shithub/internal/auth/runnerjwt"
 +)
++
 +func TestConsumeRecordsClaims(t *testing.T) {
 +	claims := runnerjwt.Claims{
 +		Sub:    "runner:7",
 +		JobID:  11,
 +		RunID:  13,
 +		RepoID: 17,
 +		Exp:    time.Unix(1000, 0).Unix(),
 +		JTI:    "0123456789abcdef",
 +	}
 +	db := &fakeReplayDB{row: fakeReplayRow{}}
++
 +	if err := runnerjwt.Consume(context.Background(), db, claims); err != nil {
 +		t.Fatalf("Consume: %v", err)
 +	}
 +	if len(db.args) != 6 {
 +		t.Fatalf("args length: got %d, want 6", len(db.args))
 +	}
 +	if db.args[0] != claims.JTI || db.args[1] != int64(7) ||
 +		db.args[2] != claims.JobID || db.args[3] != claims.RunID || db.args[4] != claims.RepoID {
 +		t.Fatalf("unexpected args: %#v", db.args)
 +	}
 +	expiresAt, ok := db.args[5].(pgtype.Timestamptz)
 +	if !ok {
 +		t.Fatalf("expires_at arg type: got %T", db.args[5])
 +	}
 +	if !expiresAt.Valid || expiresAt.Time.Unix() != claims.Exp {
 +		t.Fatalf("expires_at: got %#v, want unix %d", expiresAt, claims.Exp)
 +	}
 +}
++
 +func TestConsumeMapsNoRowsToReplay(t *testing.T) {
 +	claims := runnerjwt.Claims{
 +		Sub:    "runner:7",
 +		JobID:  11,
 +		RunID:  13,
 +		RepoID: 17,
 +		Exp:    time.Unix(1000, 0).Unix(),
 +		JTI:    "0123456789abcdef",
 +	}
 +	db := &fakeReplayDB{row: fakeReplayRow{err: pgx.ErrNoRows}}
++
 +	if err := runnerjwt.Consume(context.Background(), db, claims); !errors.Is(err, runnerjwt.ErrReplay) {
 +		t.Fatalf("Consume replay: got %v, want ErrReplay", err)
 +	}
 +}
++
 +func TestConsumeRejectsInvalidClaimsBeforeDB(t *testing.T) {
 +	db := &fakeReplayDB{row: fakeReplayRow{}}
 +	err := runnerjwt.Consume(context.Background(), db, runnerjwt.Claims{
 +		Sub:    "user:7",
 +		JobID:  11,
 +		RunID:  13,
 +		RepoID: 17,
 +		Exp:    time.Unix(1000, 0).Unix(),
 +		JTI:    "0123456789abcdef",
 +	})
 +	if !errors.Is(err, runnerjwt.ErrInvalidClaims) {
 +		t.Fatalf("Consume invalid claims: got %v, want ErrInvalidClaims", err)
 +	}
 +	if db.calls != 0 {
 +		t.Fatalf("DB called for invalid claims: %d", db.calls)
 +	}
 +}
++
 +type fakeReplayDB struct {
 +	row   pgx.Row
 +	args  []any
 +	calls int
 +}
++
 +func (f *fakeReplayDB) Exec(context.Context, string, ...any) (pgconn.CommandTag, error) {
 +	return pgconn.CommandTag{}, nil
 +}
++
 +func (f *fakeReplayDB) Query(context.Context, string, ...any) (pgx.Rows, error) {
 +	return nil, nil
 +}
++
 +func (f *fakeReplayDB) QueryRow(_ context.Context, _ string, args ...any) pgx.Row {
 +	f.calls++
 +	f.args = args
 +	return f.row
 +}
++
 +type fakeReplayRow struct {
 +	err error
 +}
++
 +func (r fakeReplayRow) Scan(dest ...any) error {
 +	if r.err != nil {
 +		return r.err
 +	}
 +	*(dest[0].(*string)) = "0123456789abcdef"
 +	*(dest[1].(*int64)) = 7
 +	*(dest[2].(*int64)) = 11
 +	*(dest[3].(*int64)) = 13
 +	*(dest[4].(*int64)) = 17
 +	*(dest[5].(*pgtype.Timestamptz)) = pgtype.Timestamptz{Time: time.Unix(1000, 0), Valid: true}
 +	*(dest[6].(*pgtype.Timestamptz)) = pgtype.Timestamptz{Time: time.Unix(900, 0), Valid: true}
 +	return nil
 +}

internal/checks/sqlc/models.gomodified

  	Tsv    interface{}
+ }
 +type RunnerJwtUsed struct {
 +	Jti       string
 +	RunnerID  int64
 +	JobID     int64
 +	RunID     int64
 +	RepoID    int64
 +	ExpiresAt pgtype.Timestamptz
 +	UsedAt    pgtype.Timestamptz
 +}
++
  type RunnerToken struct {
  	ID        int64
  	RunnerID  int64

internal/issues/sqlc/models.gomodified

  	Tsv    interface{}
+ }
 +type RunnerJwtUsed struct {
 +	Jti       string
 +	RunnerID  int64
 +	JobID     int64
 +	RunID     int64
 +	RepoID    int64
 +	ExpiresAt pgtype.Timestamptz
 +	UsedAt    pgtype.Timestamptz
 +}
++
  type RunnerToken struct {
  	ID        int64
  	RunnerID  int64

internal/meta/sqlc/models.gomodified

  	Tsv    interface{}
+ }
 +type RunnerJwtUsed struct {
 +	Jti       string
 +	RunnerID  int64
 +	JobID     int64
 +	RunID     int64
 +	RepoID    int64
 +	ExpiresAt pgtype.Timestamptz
 +	UsedAt    pgtype.Timestamptz
 +}
++
  type RunnerToken struct {
  	ID        int64
  	RunnerID  int64

internal/migrationsfs/migrations/0052_runner_jwt_used.sqladded

 +-- SPDX-License-Identifier: AGPL-3.0-or-later
 +--
 +-- S41c runner JWT replay protection.
 +--
 +-- The runner heartbeat endpoint mints short-lived, per-job JWTs after a
 +-- registration-token-authenticated runner claims a workflow_jobs row. Job
 +-- endpoints require that JWT and consume its jti exactly once. INSERT ...
 +-- ON CONFLICT DO NOTHING against this table is the replay gate: one affected
 +-- row means "first use"; zero rows means "replay" and the API returns 401.
 +--
 +-- We keep the workflow references here for auditability and cleanup. jti is
 +-- the hot lookup path and is enforced by the PRIMARY KEY.
++
 +-- +goose Up
++
 +CREATE TABLE runner_jwt_used (
 +    jti         text         PRIMARY KEY,
 +    runner_id   bigint       NOT NULL REFERENCES workflow_runners(id) ON DELETE CASCADE,
 +    job_id      bigint       NOT NULL REFERENCES workflow_jobs(id) ON DELETE CASCADE,
 +    run_id      bigint       NOT NULL REFERENCES workflow_runs(id) ON DELETE CASCADE,
 +    repo_id     bigint       NOT NULL REFERENCES repos(id) ON DELETE CASCADE,
 +    expires_at  timestamptz  NOT NULL,
 +    used_at     timestamptz  NOT NULL DEFAULT now(),
++
 +    CONSTRAINT runner_jwt_used_jti_length CHECK (char_length(jti) BETWEEN 16 AND 128)
 +);
++
 +CREATE INDEX runner_jwt_used_expires_idx
 +    ON runner_jwt_used (expires_at);
 +CREATE INDEX runner_jwt_used_runner_used_idx
 +    ON runner_jwt_used (runner_id, used_at DESC);
++
++
 +-- +goose Down
 +DROP TABLE IF EXISTS runner_jwt_used;

internal/notif/sqlc/models.gomodified

  	Tsv    interface{}
+ }
 +type RunnerJwtUsed struct {
 +	Jti       string
 +	RunnerID  int64
 +	JobID     int64
 +	RunID     int64
 +	RepoID    int64
 +	ExpiresAt pgtype.Timestamptz
 +	UsedAt    pgtype.Timestamptz
 +}
++
  type RunnerToken struct {
  	ID        int64
  	RunnerID  int64

internal/orgs/sqlc/models.gomodified

  	Tsv    interface{}
+ }
 +type RunnerJwtUsed struct {
 +	Jti       string
 +	RunnerID  int64
 +	JobID     int64
 +	RunID     int64
 +	RepoID    int64
 +	ExpiresAt pgtype.Timestamptz
 +	UsedAt    pgtype.Timestamptz
 +}
++
  type RunnerToken struct {
  	ID        int64
  	RunnerID  int64

internal/pulls/sqlc/models.gomodified

  	Tsv    interface{}
+ }
 +type RunnerJwtUsed struct {
 +	Jti       string
 +	RunnerID  int64
 +	JobID     int64
 +	RunID     int64
 +	RepoID    int64
 +	ExpiresAt pgtype.Timestamptz
 +	UsedAt    pgtype.Timestamptz
 +}
++
  type RunnerToken struct {
  	ID        int64
  	RunnerID  int64

internal/ratelimit/sqlc/models.gomodified

  	Tsv    interface{}
+ }
 +type RunnerJwtUsed struct {
 +	Jti       string
 +	RunnerID  int64
 +	JobID     int64
 +	RunID     int64
 +	RepoID    int64
 +	ExpiresAt pgtype.Timestamptz
 +	UsedAt    pgtype.Timestamptz
 +}
++
  type RunnerToken struct {
  	ID        int64
  	RunnerID  int64

internal/repos/sqlc/models.gomodified

  	Tsv    interface{}
+ }
 +type RunnerJwtUsed struct {
 +	Jti       string
 +	RunnerID  int64
 +	JobID     int64
 +	RunID     int64
 +	RepoID    int64
 +	ExpiresAt pgtype.Timestamptz
 +	UsedAt    pgtype.Timestamptz
 +}
++
  type RunnerToken struct {
  	ID        int64
  	RunnerID  int64

internal/users/sqlc/models.gomodified

  	Tsv    interface{}
+ }
 +type RunnerJwtUsed struct {
 +	Jti       string
 +	RunnerID  int64
 +	JobID     int64
 +	RunID     int64
 +	RepoID    int64
 +	ExpiresAt pgtype.Timestamptz
 +	UsedAt    pgtype.Timestamptz
 +}
++
  type RunnerToken struct {
  	ID        int64
  	RunnerID  int64

internal/webhook/sqlc/models.gomodified

  	Tsv    interface{}
+ }
 +type RunnerJwtUsed struct {
 +	Jti       string
 +	RunnerID  int64
 +	JobID     int64
 +	RunID     int64
 +	RepoID    int64
 +	ExpiresAt pgtype.Timestamptz
 +	UsedAt    pgtype.Timestamptz
 +}
++
  type RunnerToken struct {
  	ID        int64
  	RunnerID  int64

internal/worker/sqlc/models.gomodified

  	Tsv    interface{}
+ }
 +type RunnerJwtUsed struct {
 +	Jti       string
 +	RunnerID  int64
 +	JobID     int64
 +	RunID     int64
 +	RepoID    int64
 +	ExpiresAt pgtype.Timestamptz
 +	UsedAt    pgtype.Timestamptz
 +}
++
  type RunnerToken struct {
  	ID        int64
  	RunnerID  int64