@openparachute/hub 0.5.2 → 0.5.9-rc.6

package/src/admin-login-ui.ts

@@ -0,0 +1,256 @@
+/**
+ * Branded HTML for the hub's pre-auth surfaces: the `/login` form and the
+ * generic admin error page surfaced when CSRF or rate-limit gates fire on
+ * `/login` and `/logout`. Same privacy posture as `oauth-ui.ts` (no third-
+ * party fonts, inline CSS, no JS) — these pages are pre-auth and have to
+ * stand alone without the SPA shell.
+ *
+ * History: this file was `admin-config-ui.ts` and held the server-rendered
+ * `/admin/config` module-config portal (hub#46). #240 retired the portal
+ * post-SPA-rework; the file shed everything except the two renderers below.
+ * Renamed to `admin-login-ui.ts` in #241 so the filename matches the content.
+ *
+ * Pure functions — DB, sessions live in `admin-handlers.ts`.
+ */
+import { renderCsrfHiddenInput } from "./csrf.ts";
+import { escapeHtml } from "./oauth-ui.ts";
+
+// --- shared chrome ---------------------------------------------------------
+
+const PALETTE = {
+  bg: "#faf8f4",
+  bgSoft: "#f3f0ea",
+  fg: "#2c2a26",
+  fgMuted: "#6b6860",
+  fgDim: "#9a9690",
+  accent: "#4a7c59",
+  accentHover: "#3d6849",
+  accentSoft: "rgba(74, 124, 89, 0.08)",
+  border: "#e4e0d8",
+  borderLight: "#ece9e2",
+  cardBg: "#ffffff",
+  danger: "#a3392b",
+  dangerSoft: "rgba(163, 57, 43, 0.08)",
+  success: "#3d6849",
+  successSoft: "rgba(61, 104, 73, 0.08)",
+} as const;
+
+const FONT_SERIF = `Georgia, "Times New Roman", serif`;
+const FONT_SANS = `-apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif`;
+const FONT_MONO = `ui-monospace, "SF Mono", Menlo, Monaco, "Cascadia Mono", monospace`;
+
+function escapeAttr(s: string): string {
+  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
+}
+
+function baseDocument(title: string, body: string): string {
+  return `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <title>${escapeHtml(title)}</title>
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <meta name="referrer" content="no-referrer" />
+  <style>${STYLES}</style>
+</head>
+<body>
+  <main>
+${body}
+  </main>
+</body>
+</html>`;
+}
+
+function header(): string {
+  return `
+        <div class="brand">
+          <span class="brand-mark">⌬</span>
+          <span class="brand-name">Parachute</span>
+          <span class="brand-tag">admin</span>
+        </div>`;
+}
+
+// --- /login ---------------------------------------------------------------
+
+export interface AdminLoginProps {
+  /** Continuation path after successful login — submitted as a hidden field. */
+  next: string;
+  csrfToken: string;
+  errorMessage?: string;
+}
+
+export function renderAdminLogin(props: AdminLoginProps): string {
+  const { next, csrfToken, errorMessage } = props;
+  const error = errorMessage ? `<p class="error-banner">${escapeHtml(errorMessage)}</p>` : "";
+  const body = `
+    <div class="card">
+      <div class="card-header">
+        ${header()}
+        <h1>Sign in</h1>
+        <p class="subtitle">to administer this hub</p>
+      </div>
+      ${error}
+      <form method="POST" action="/login" class="auth-form">
+        ${renderCsrfHiddenInput(csrfToken)}
+        <input type="hidden" name="next" value="${escapeAttr(next)}" />
+        <label class="field">
+          <span class="field-label">Username</span>
+          <input type="text" name="username" autocomplete="username" autofocus required />
+        </label>
+        <label class="field">
+          <span class="field-label">Password</span>
+          <input type="password" name="password" autocomplete="current-password" required />
+        </label>
+        <button type="submit" class="btn btn-primary">Sign in</button>
+      </form>
+    </div>`;
+  return baseDocument("Sign in to Parachute Hub admin", body);
+}
+
+// --- error page ------------------------------------------------------------
+
+export function renderAdminError(props: { title: string; message: string }): string {
+  const body = `
+    <div class="card">
+      ${header()}
+      <h1 class="error-title">${escapeHtml(props.title)}</h1>
+      <p class="subtitle">${escapeHtml(props.message)}</p>
+    </div>`;
+  return baseDocument(props.title, body);
+}
+
+// --- styles ----------------------------------------------------------------
+
+const STYLES = `
+  *, *::before, *::after { box-sizing: border-box; }
+  html, body { margin: 0; padding: 0; }
+  body {
+    font-family: ${FONT_SANS};
+    background: ${PALETTE.bg};
+    color: ${PALETTE.fg};
+    line-height: 1.55;
+    min-height: 100vh;
+    -webkit-font-smoothing: antialiased;
+    -moz-osx-font-smoothing: grayscale;
+  }
+  main {
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    min-height: 100vh;
+    padding: 1.5rem;
+  }
+  .card {
+    width: 100%;
+    max-width: 30rem;
+    background: ${PALETTE.cardBg};
+    border: 1px solid ${PALETTE.border};
+    border-radius: 12px;
+    padding: 2rem 1.75rem;
+    box-shadow: 0 1px 2px rgba(44, 42, 38, 0.04), 0 8px 24px rgba(44, 42, 38, 0.06);
+  }
+  .card-header { margin-bottom: 1.5rem; }
+  .brand {
+    display: flex;
+    align-items: center;
+    gap: 0.5rem;
+    color: ${PALETTE.accent};
+    font-weight: 500;
+    font-size: 0.95rem;
+    margin-bottom: 1.25rem;
+  }
+  .brand-mark { font-size: 1.1rem; line-height: 1; }
+  .brand-name { letter-spacing: 0.01em; }
+  .brand-tag {
+    text-transform: uppercase;
+    letter-spacing: 0.06em;
+    font-size: 0.7rem;
+    color: ${PALETTE.fgMuted};
+    border: 1px solid ${PALETTE.borderLight};
+    padding: 0.05rem 0.4rem;
+    border-radius: 999px;
+  }
+  h1 {
+    font-family: ${FONT_SERIF};
+    font-weight: 400;
+    font-size: 1.75rem;
+    line-height: 1.2;
+    margin: 0 0 0.4rem;
+    color: ${PALETTE.fg};
+  }
+  .subtitle { margin: 0; color: ${PALETTE.fgMuted}; font-size: 0.95rem; }
+
+  .auth-form { display: flex; flex-direction: column; gap: 0.9rem; }
+  .field { display: flex; flex-direction: column; gap: 0.35rem; }
+  .field-label {
+    font-size: 0.85rem;
+    font-weight: 500;
+    color: ${PALETTE.fgMuted};
+    letter-spacing: 0.01em;
+    font-family: ${FONT_MONO};
+  }
+  input[type=text], input[type=password] {
+    font: inherit;
+    width: 100%;
+    padding: 0.6rem 0.75rem;
+    border: 1px solid ${PALETTE.border};
+    border-radius: 6px;
+    background: ${PALETTE.bg};
+    color: ${PALETTE.fg};
+    transition: border-color 0.15s ease, background 0.15s ease;
+  }
+  input[type=text]:focus, input[type=password]:focus {
+    outline: none;
+    border-color: ${PALETTE.accent};
+    background: ${PALETTE.cardBg};
+    box-shadow: 0 0 0 3px ${PALETTE.accentSoft};
+  }
+
+  .btn {
+    font: inherit;
+    font-weight: 500;
+    padding: 0.65rem 1.25rem;
+    border-radius: 6px;
+    border: 1px solid transparent;
+    cursor: pointer;
+    transition: background 0.15s ease, color 0.15s ease, border-color 0.15s ease;
+    min-height: 2.5rem;
+  }
+  .btn-primary {
+    background: ${PALETTE.accent};
+    color: ${PALETTE.cardBg};
+    margin-top: 0.4rem;
+  }
+  .btn-primary:hover { background: ${PALETTE.accentHover}; }
+
+  .error-banner {
+    background: ${PALETTE.dangerSoft};
+    border: 1px solid ${PALETTE.danger};
+    border-radius: 6px;
+    color: ${PALETTE.danger};
+    padding: 0.6rem 0.8rem;
+    margin: 0 0 1rem;
+    font-size: 0.9rem;
+  }
+  .error-title { color: ${PALETTE.danger}; }
+
+  @media (max-width: 480px) {
+    main { padding: 0.75rem; }
+    .card { padding: 1.5rem 1.25rem; border-radius: 10px; }
+    h1 { font-size: 1.5rem; }
+  }
+
+  @media (prefers-color-scheme: dark) {
+    body { background: #1a1815; color: #e8e4dc; }
+    .card { background: #25221d; border-color: #3a362f; box-shadow: 0 8px 24px rgba(0, 0, 0, 0.3); }
+    h1 { color: #f0ece4; }
+    .subtitle, .field-label { color: #a8a29a; }
+    input[type=text], input[type=password] {
+      background: #1f1c18; border-color: #3a362f; color: #e8e4dc;
+    }
+    input[type=text]:focus, input[type=password]:focus {
+      background: #25221d;
+    }
+    .brand-tag { border-color: #3a362f; color: #a8a29a; }
+  }
+`;

package/src/admin-vault-admin-token.ts

@@ -55,7 +55,7 @@ export async function handleVaultAdminToken(
   const sid = parseSessionCookie(req.headers.get("cookie"));
   const session = sid ? findSession(deps.db, sid) : null;
   if (!session) {
-    return jsonError(401, "unauthenticated", "no admin session — sign in at /admin/login first");
+    return jsonError(401, "unauthenticated", "no admin session — sign in at /login first");
   }
   const scope = `vault:${vaultName}:admin`;
   // Per-vault audience: vault validates the JWT's `aud` claim against

package/src/api-me.ts

@@ -0,0 +1,124 @@
+/**
+ * `GET /api/me` — public who-am-I endpoint for hub-served surfaces.
+ *
+ * Reads the `parachute_hub_session` cookie. If present and active, returns
+ * the user identity AND a CSRF token bound to the existing CSRF cookie (or
+ * a freshly-minted one). Otherwise returns the minimal `{ hasSession: false }`
+ * payload.
+ *
+ * Public — no auth required (returns "not signed in" rather than 401 when
+ * no session, so the SPA / discovery page can render a consistent affordance
+ * regardless of auth state). No CORS — same-origin only; hub-served UIs
+ * are same-origin.
+ *
+ * Response shape:
+ *
+ *   { hasSession: false }
+ *   { hasSession: true, user: { id, displayName }, csrf: "<token>" }
+ *
+ * `displayName` is the user's `username` today — there's no separate
+ * display-name field on the User shape. Surfaced under a different key
+ * here so a future profile-name migration can land without breaking
+ * SPA / discovery consumers.
+ *
+ * Why include the CSRF token only when signed in: there's nothing to
+ * sign-out (or otherwise mutate) without a session. Minting a token in
+ * the unsigned-in case would just bloat the response and prime a cookie
+ * the consumer has no use for.
+ *
+ * Why a dedicated endpoint rather than probing a session-gated SPA page:
+ * those redirect to /login when unauthenticated, which is exactly the
+ * wrong UX for an unconditionally-fetched "show sign-in affordance" call.
+ * `/api/me` cleanly returns either state without a bounce.
+ *
+ * The CSRF token returned here is the same token any same-session
+ * `<form>` would carry — the consumer (SPA fetch POST or
+ * server-rendered discovery form) submits it back as `__csrf` against
+ * the existing logout / mutation handlers.
+ */
+import type { Database } from "bun:sqlite";
+import { ensureCsrfToken } from "./csrf.ts";
+import { findActiveSession } from "./sessions.ts";
+import { getUserById } from "./users.ts";
+
+export interface ApiMeDeps {
+  db: Database;
+}
+
+interface SignedInUser {
+  id: string;
+  displayName: string;
+}
+
+/**
+ * Discriminated union mirroring the client-side `MeResponse` shape in
+ * `web/ui/src/lib/api.ts`. The two early returns below (no-session,
+ * deleted-user) construct the `false` arm; the success path constructs
+ * the `true` arm. Typing it as a union (rather than an interface with
+ * optional fields) means the compiler refuses any future construction
+ * that mixes states — e.g. `{ hasSession: false, user: staleUser }`
+ * fails at the type-check, not just at code-review.
+ */
+type ApiMeResponse = { hasSession: false } | { hasSession: true; user: SignedInUser; csrf: string };
+
+export function handleApiMe(req: Request, deps: ApiMeDeps): Response {
+  if (req.method !== "GET") {
+    return jsonError(405, "method_not_allowed", "use GET");
+  }
+
+  const session = findActiveSession(deps.db, req);
+  if (!session) {
+    return ok({ hasSession: false });
+  }
+
+  const user = getUserById(deps.db, session.userId);
+  if (!user) {
+    // Session row points at a deleted user — treat as not signed in.
+    // The session row should be cleaned up by some future sweep, but
+    // surfacing a stale identity to the UI would be worse than a
+    // momentary "signed out" affordance.
+    return ok({ hasSession: false });
+  }
+
+  // Mint a CSRF token (or reuse the existing cookie's). When this is the
+  // first request to set the cookie, attach Set-Cookie so the browser
+  // stores it for future logout submission.
+  const csrf = ensureCsrfToken(req);
+  const headers: Record<string, string> = {
+    "content-type": "application/json",
+    // Don't cache — session can change at any time (login, logout,
+    // expiry). The endpoint is cheap; revalidate on every request.
+    "cache-control": "no-store",
+  };
+  if (csrf.setCookie) headers["set-cookie"] = csrf.setCookie;
+
+  const body: ApiMeResponse = {
+    hasSession: true,
+    user: {
+      id: user.id,
+      displayName: user.username,
+    },
+    csrf: csrf.token,
+  };
+  return new Response(JSON.stringify(body), { status: 200, headers });
+}
+
+function ok(body: ApiMeResponse): Response {
+  return new Response(JSON.stringify(body), {
+    status: 200,
+    headers: {
+      "content-type": "application/json",
+      "cache-control": "no-store",
+    },
+  });
+}
+
+function jsonError(status: number, error: string, description: string): Response {
+  return new Response(JSON.stringify({ error, error_description: description }), {
+    status,
+    headers: {
+      "content-type": "application/json",
+      "cache-control": "no-store",
+    },
+  });
+}

package/src/api-mint-token.ts

@@ -0,0 +1,239 @@
+/**
+ * `POST /api/auth/mint-token` — HTTP companion to `parachute auth mint-token`.
+ *
+ * Same arg/return shape as the CLI; just the network path. Used by:
+ *
+ *   - automation that doesn't have CLI access (CI runners, cloud agents)
+ *     but does hold an operator-bearer with `parachute:host:auth` scope;
+ *   - the future admin SPA when the operator wants to mint a one-shot
+ *     scope-narrow token without dropping to a terminal.
+ *
+ * Auth: `Authorization: Bearer <token>` where `token`'s `scope` claim
+ * contains `parachute:host:auth`. The operator's local operator.token
+ * (admin scope-set) covers this; a narrow `--scope-set=auth` operator
+ * token also covers this.
+ *
+ * Why a separate endpoint instead of extending /admin/host-admin-token:
+ * that endpoint is session-cookie-gated for the SPA's needs and only
+ * mints `parachute:host:admin`. This endpoint is bearer-gated for
+ * automation and mints arbitrary scope/permissions tuples per request.
+ *
+ * Every successful mint writes a row to the `tokens` registry
+ * (`created_via='cli_mint'` — same provenance as the CLI path, since
+ * HTTP mint is just CLI-by-network). Powers the
+ * `/.well-known/parachute-revocation.json` endpoint.
+ */
+import type { Database } from "bun:sqlite";
+import { inferAudience } from "./jwt-audience.ts";
+import { recordTokenMint, signAccessToken, validateAccessToken } from "./jwt-sign.ts";
+import { isNonRequestableScope } from "./scope-explanations.ts";
+
+/** Default lifetime when --expires-in / `expires_in` is omitted. Matches the CLI. */
+export const API_MINT_TOKEN_DEFAULT_TTL_SECONDS = 90 * 24 * 60 * 60;
+/** Hard cap. Matches the CLI's --expires-in upper bound. */
+export const API_MINT_TOKEN_MAX_TTL_SECONDS = 365 * 24 * 60 * 60;
+/** Scope required on the bearer token to call this endpoint. */
+export const API_MINT_TOKEN_REQUIRED_SCOPE = "parachute:host:auth";
+/** client_id stamped on minted tokens. Matches the CLI flow's value. */
+export const API_MINT_TOKEN_CLIENT_ID = "parachute-hub";
+
+export interface ApiMintTokenDeps {
+  db: Database;
+  /** Hub origin — written into the JWT `iss` of minted tokens AND used to validate the bearer. */
+  issuer: string;
+  /** Test seam for time. */
+  now?: () => Date;
+}
+
+interface MintTokenRequest {
+  scope?: unknown;
+  audience?: unknown;
+  expires_in?: unknown;
+  subject?: unknown;
+  permissions?: unknown;
+}
+
+export async function handleApiMintToken(req: Request, deps: ApiMintTokenDeps): Promise<Response> {
+  if (req.method !== "POST") {
+    return jsonError(405, "method_not_allowed", "use POST");
+  }
+
+  // 1. Bearer presence + parsing.
+  const auth = req.headers.get("authorization");
+  if (!auth || !auth.startsWith("Bearer ")) {
+    return jsonError(401, "unauthenticated", "Authorization: Bearer <token> required");
+  }
+  const bearer = auth.slice("Bearer ".length).trim();
+  if (!bearer) {
+    return jsonError(401, "unauthenticated", "empty bearer token");
+  }
+
+  // 2. Bearer validation (signature, issuer, expiry, revocation).
+  let bearerSub: string;
+  let bearerScopes: string[];
+  try {
+    const validated = await validateAccessToken(deps.db, bearer, deps.issuer);
+    const sub = validated.payload.sub;
+    if (typeof sub !== "string" || sub.length === 0) {
+      return jsonError(401, "unauthenticated", "bearer token has no sub claim");
+    }
+    bearerSub = sub;
+    bearerScopes =
+      typeof validated.payload.scope === "string"
+        ? validated.payload.scope.split(/\s+/).filter((s) => s.length > 0)
+        : [];
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return jsonError(401, "unauthenticated", `bearer token invalid — ${msg}`);
+  }
+
+  // 3. Scope gate.
+  if (!bearerScopes.includes(API_MINT_TOKEN_REQUIRED_SCOPE)) {
+    return jsonError(
+      403,
+      "insufficient_scope",
+      `bearer token lacks ${API_MINT_TOKEN_REQUIRED_SCOPE}`,
+    );
+  }
+
+  // 4. Body parsing.
+  let body: MintTokenRequest;
+  try {
+    body = (await req.json()) as MintTokenRequest;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return jsonError(400, "invalid_request", `body must be valid JSON — ${msg}`);
+  }
+  if (typeof body !== "object" || body === null) {
+    return jsonError(400, "invalid_request", "body must be a JSON object");
+  }
+
+  // 5. Required + typed field extraction.
+  if (typeof body.scope !== "string" || body.scope.trim().length === 0) {
+    return jsonError(400, "invalid_request", "scope is required and must be a non-empty string");
+  }
+  const scopes = body.scope.split(/\s+/).filter((s) => s.length > 0);
+  if (scopes.length === 0) {
+    return jsonError(400, "invalid_request", "scope must contain at least one scope");
+  }
+
+  // Privilege-diffusion guard: mint paths cannot themselves mint tokens
+  // carrying non-requestable scopes (parachute:host:admin, the host:*
+  // narrow scopes, vault:<name>:admin). Holder of `parachute:host:auth`
+  // can mint vault/scribe/agent verb scopes for downstream services, but
+  // cannot mint another `:auth` (or any other non-requestable) without
+  // forced re-auth via the operator.token rotation path. Same set the
+  // public OAuth flow already rejects.
+  const blocked = scopes.filter((s) => isNonRequestableScope(s));
+  if (blocked.length > 0) {
+    return jsonError(
+      400,
+      "invalid_scope",
+      `scope ${blocked.join(", ")} is not requestable via mint-token; use OAuth flow or operator rotation`,
+    );
+  }
+
+  let audience: string;
+  if (body.audience === undefined) {
+    audience = inferAudience(scopes);
+  } else if (typeof body.audience === "string" && body.audience.length > 0) {
+    audience = body.audience;
+  } else {
+    return jsonError(400, "invalid_request", "audience must be a non-empty string when present");
+  }
+
+  let ttlSeconds = API_MINT_TOKEN_DEFAULT_TTL_SECONDS;
+  if (body.expires_in !== undefined) {
+    if (typeof body.expires_in !== "number" || !Number.isFinite(body.expires_in)) {
+      return jsonError(400, "invalid_request", "expires_in must be a positive integer (seconds)");
+    }
+    if (!Number.isInteger(body.expires_in) || body.expires_in <= 0) {
+      return jsonError(400, "invalid_request", "expires_in must be a positive integer (seconds)");
+    }
+    if (body.expires_in > API_MINT_TOKEN_MAX_TTL_SECONDS) {
+      return jsonError(
+        400,
+        "invalid_request",
+        `expires_in exceeds 365d cap (${API_MINT_TOKEN_MAX_TTL_SECONDS} seconds)`,
+      );
+    }
+    ttlSeconds = body.expires_in;
+  }
+
+  let subject: string;
+  if (body.subject === undefined) {
+    subject = bearerSub;
+  } else if (typeof body.subject === "string" && body.subject.length > 0) {
+    subject = body.subject;
+  } else {
+    return jsonError(400, "invalid_request", "subject must be a non-empty string when present");
+  }
+
+  let permissionsClaim: Record<string, unknown> | undefined;
+  let permissionsCanonical: string | undefined;
+  if (body.permissions !== undefined) {
+    if (
+      typeof body.permissions !== "object" ||
+      body.permissions === null ||
+      Array.isArray(body.permissions)
+    ) {
+      return jsonError(400, "invalid_request", "permissions must be a JSON object");
+    }
+    permissionsClaim = body.permissions as Record<string, unknown>;
+    permissionsCanonical = JSON.stringify(permissionsClaim);
+  }
+
+  // 6. Mint + register.
+  const minted = await signAccessToken(deps.db, {
+    sub: subject,
+    scopes,
+    audience,
+    clientId: API_MINT_TOKEN_CLIENT_ID,
+    issuer: deps.issuer,
+    ttlSeconds,
+    ...(permissionsClaim !== undefined ? { extraClaims: { permissions: permissionsClaim } } : {}),
+    ...(deps.now !== undefined ? { now: deps.now } : {}),
+  });
+
+  recordTokenMint(deps.db, {
+    jti: minted.jti,
+    createdVia: "cli_mint",
+    subject,
+    // user_id intentionally omitted — CLI-mint rows store subject only,
+    // matching the CLI path's shape (so HTTP and CLI mints look identical
+    // in the registry). The bearer's user identity is implicit via the
+    // bearer's own user_id (which is in its own tokens row).
+    clientId: API_MINT_TOKEN_CLIENT_ID,
+    scopes,
+    expiresAt: minted.expiresAt,
+    ...(permissionsCanonical !== undefined ? { permissions: permissionsCanonical } : {}),
+    ...(deps.now !== undefined ? { now: deps.now } : {}),
+  });
+
+  return new Response(
+    JSON.stringify({
+      jti: minted.jti,
+      token: minted.token,
+      expires_at: minted.expiresAt,
+      scope: scopes.join(" "),
+      ...(permissionsClaim !== undefined ? { permissions: permissionsClaim } : {}),
+    }),
+    {
+      status: 200,
+      headers: {
+        "content-type": "application/json",
+        "cache-control": "no-store",
+      },
+    },
+  );
+}
+
+function jsonError(status: number, error: string, description: string): Response {
+  return new Response(JSON.stringify({ error, error_description: description }), {
+    status,
+    headers: {
+      "content-type": "application/json",
+      "cache-control": "no-store",
+    },
+  });
+}

package/src/api-revocation-list.ts

@@ -0,0 +1,59 @@
+/**
+ * `GET /.well-known/parachute-revocation.json` — public list of revoked,
+ * not-yet-expired token jtis. Resource servers (vault, scribe, agent)
+ * fetch this on a 60s TTL and reject any presented JWT whose jti appears.
+ *
+ * Public endpoint (no auth). The list itself is harmless to expose: it's
+ * a list of opaque IDs whose only utility is "this token shouldn't be
+ * accepted." A leaked list doesn't enable any new attack — at worst, an
+ * attacker learns which compromise the operator already cleaned up.
+ *
+ * Already-expired jtis are filtered out: every consumer checks `exp`
+ * itself, so listing expired tokens just bloats the response. The
+ * revocation list exists for *unexpired* tokens whose validity got cut
+ * short. Once `exp` passes, a row falls off the list naturally.
+ *
+ * Caching: 60s `Cache-Control: max-age=60` matches the consumer's
+ * polling cadence (Phase 4 wires the 60s TTL on the resource-server
+ * side). Shorter cache = revocation propagates faster but burns more
+ * CPU on this endpoint; 60s is the published convergence target.
+ */
+import type { Database } from "bun:sqlite";
+import { listActiveRevocations } from "./jwt-sign.ts";
+
+export const REVOCATION_LIST_MOUNT = "/.well-known/parachute-revocation.json";
+/** Consumer cache TTL in seconds. Resource servers should poll on this cadence. */
+export const REVOCATION_LIST_CACHE_SECONDS = 60;
+
+export interface RevocationListDeps {
+  db: Database;
+  /** Test seam for time. */
+  now?: () => Date;
+}
+
+interface RevocationListBody {
+  generated_at: string;
+  jtis: string[];
+}
+
+export function handleRevocationList(req: Request, deps: RevocationListDeps): Response {
+  if (req.method !== "GET") {
+    return new Response(JSON.stringify({ error: "method_not_allowed" }), {
+      status: 405,
+      headers: { "content-type": "application/json" },
+    });
+  }
+  const now = deps.now?.() ?? new Date();
+  const jtis = listActiveRevocations(deps.db, now);
+  const body: RevocationListBody = {
+    generated_at: now.toISOString(),
+    jtis,
+  };
+  return new Response(JSON.stringify(body), {
+    status: 200,
+    headers: {
+      "content-type": "application/json",
+      "cache-control": `public, max-age=${REVOCATION_LIST_CACHE_SECONDS}`,
+    },
+  });
+}