@openwop/openwop-conformance 1.0.0 → 1.1.0

package/src/lib/behavior-gate.ts

@@ -0,0 +1,68 @@
+/**
+ * Behavior-gate helper for capability-gated conformance scenarios.
+ *
+ * Some scenarios in `conformance/src/scenarios/` validate optional profiles
+ * — audit-log integrity, rate-limit envelope, multi-region idempotency,
+ * `configurableSchema`, webhook signature versioning, pause/resume, etc.
+ * When a host doesn't advertise the profile, those scenarios have two
+ * defensible modes:
+ *
+ *   - **Default (skip):** log a warning and return early. The suite still
+ *     passes overall, reflecting what the host has implemented. This is
+ *     what `@openwop/openwop-conformance` runs by default so a v1.0-only
+ *     host doesn't suddenly fail the suite when new optional profiles ship.
+ *
+ *   - **Behavior-required (fail):** set `OPENWOP_REQUIRE_BEHAVIOR=true` to
+ *     turn missing advertisements into hard failures. A "passing" run with
+ *     this flag means the host advertises every optional profile AND every
+ *     scenario exercises real behavior — useful for hosts that want to
+ *     claim full coverage in `INTEROP-MATRIX.md`.
+ *
+ * Usage:
+ *
+ *   ```ts
+ *   import { behaviorGate } from '../lib/behavior-gate.js';
+ *
+ *   it('host that claims the profile advertises the right fields', async () => {
+ *     const advertised = await isProfileAdvertised();
+ *     if (!behaviorGate('openwop-audit-log-integrity', advertised)) {
+ *       return; // skipped in default mode; FAIL'd in strict mode
+ *     }
+ *
+ *     // ... assertions ...
+ *   });
+ *   ```
+ *
+ * In strict mode, `behaviorGate` throws an assertion error with a citation
+ * to the relevant spec section so the failure message is self-explanatory.
+ */
+
+import { expect } from 'vitest';
+import { loadEnv } from './env.js';
+
+/**
+ * Returns true if the scenario should proceed with assertions (advertised),
+ * false if the scenario should `return` early (default-mode skip). In strict
+ * mode (`OPENWOP_REQUIRE_BEHAVIOR=true`), throws if not advertised — so the
+ * caller never actually receives `false` in that mode.
+ */
+export function behaviorGate(profileName: string, advertised: boolean): boolean {
+  if (advertised) return true;
+
+  const env = loadEnv();
+  if (env.requireBehavior) {
+    expect(
+      advertised,
+      `OPENWOP_REQUIRE_BEHAVIOR=true: host MUST advertise the ${profileName} profile for this scenario to run. ` +
+        `See conformance/coverage.md §"Capability-gated scenarios".`,
+    ).toBe(true);
+    // expect.toBe(true) throws; we won't reach here.
+  }
+
+  // Default-mode soft-skip.
+  // eslint-disable-next-line no-console
+  console.warn(
+    `[${profileName}] profile not advertised; skipping (set OPENWOP_REQUIRE_BEHAVIOR=true to fail)`,
+  );
+  return false;
+}

package/src/lib/env.ts

@@ -8,6 +8,14 @@
  * Optional (cosmetic — surfaced in failure messages):
  *   OPENWOP_IMPLEMENTATION_NAME    — e.g., "acme-openwop-server"
  *   OPENWOP_IMPLEMENTATION_VERSION — e.g., "1.0"
+ *
+ * Optional (behavior-gate strictness):
+ *   OPENWOP_REQUIRE_BEHAVIOR=true — capability-gated scenarios (audit-log
+ *     integrity, rate-limit envelope, multi-region idempotency, etc.) FAIL
+ *     instead of skipping when the host doesn't advertise the profile.
+ *     Default is false — scenarios skip with a warning so default conformance
+ *     runs cover what the host has implemented. See `lib/behavior-gate.ts`
+ *     and `conformance/coverage.md` §"Capability-gated scenarios".
  */
 
 export interface ConformanceEnv {
@@ -15,6 +23,7 @@ export interface ConformanceEnv {
   readonly apiKey: string;
   readonly implementationName: string;
   readonly implementationVersion: string;
+  readonly requireBehavior: boolean;
 }
 
 let cached: ConformanceEnv | null = null;
@@ -44,6 +53,7 @@ export function loadEnv(): ConformanceEnv {
     apiKey,
     implementationName: process.env.OPENWOP_IMPLEMENTATION_NAME?.trim() ?? 'unknown',
     implementationVersion: process.env.OPENWOP_IMPLEMENTATION_VERSION?.trim() ?? 'unknown',
+    requireBehavior: process.env.OPENWOP_REQUIRE_BEHAVIOR === 'true',
   };
   return cached;
 }

package/src/lib/grpc-framing.test.ts

@@ -0,0 +1,96 @@
+/**
+ * Unit tests for `grpc-framing.ts` — gRPC HTTP/2 message framing.
+ *
+ * @see grpc-framing.ts
+ */
+
+import { describe, it, expect } from 'vitest';
+import { frameMessage, unframeMessages } from './grpc-framing.js';
+
+describe('grpc-framing: frameMessage', () => {
+  it('prepends a 5-byte header to a single payload', () => {
+    const payload = new Uint8Array([0xab, 0xcd, 0xef]);
+    const framed = frameMessage(payload);
+    expect(framed.byteLength).toBe(8);
+    expect(framed[0]).toBe(0); // identity compression
+    expect(framed[1]).toBe(0);
+    expect(framed[2]).toBe(0);
+    expect(framed[3]).toBe(0);
+    expect(framed[4]).toBe(3); // length = 3
+    expect(framed[5]).toBe(0xab);
+    expect(framed[6]).toBe(0xcd);
+    expect(framed[7]).toBe(0xef);
+  });
+
+  it('frames a zero-length payload as a 5-byte header alone', () => {
+    const framed = frameMessage(new Uint8Array(0));
+    expect(framed.byteLength).toBe(5);
+    expect(framed[0]).toBe(0);
+    expect(framed[4]).toBe(0);
+  });
+
+  it('encodes lengths > 256 in big-endian order', () => {
+    const payload = new Uint8Array(300);
+    const framed = frameMessage(payload);
+    // length = 300 = 0x0000012C, big-endian: 00 00 01 2C
+    expect(framed[1]).toBe(0);
+    expect(framed[2]).toBe(0);
+    expect(framed[3]).toBe(1);
+    expect(framed[4]).toBe(0x2c);
+  });
+});
+
+describe('grpc-framing: unframeMessages', () => {
+  it('parses a single frame', () => {
+    const payload = new Uint8Array([0x01, 0x02, 0x03, 0x04]);
+    const framed = frameMessage(payload);
+    const messages = unframeMessages(framed);
+    expect(messages.length).toBe(1);
+    expect(Array.from(messages[0]!)).toEqual([0x01, 0x02, 0x03, 0x04]);
+  });
+
+  it('parses multiple concatenated frames', () => {
+    const a = frameMessage(new Uint8Array([0xaa, 0xab]));
+    const b = frameMessage(new Uint8Array([0xbb]));
+    const c = frameMessage(new Uint8Array([0xcc, 0xcd, 0xce, 0xcf]));
+    const combined = new Uint8Array(a.byteLength + b.byteLength + c.byteLength);
+    combined.set(a, 0);
+    combined.set(b, a.byteLength);
+    combined.set(c, a.byteLength + b.byteLength);
+    const messages = unframeMessages(combined);
+    expect(messages.length).toBe(3);
+    expect(Array.from(messages[0]!)).toEqual([0xaa, 0xab]);
+    expect(Array.from(messages[1]!)).toEqual([0xbb]);
+    expect(Array.from(messages[2]!)).toEqual([0xcc, 0xcd, 0xce, 0xcf]);
+  });
+
+  it('parses an empty buffer as zero frames', () => {
+    expect(unframeMessages(new Uint8Array(0))).toEqual([]);
+  });
+
+  it('throws on truncated header', () => {
+    // Only 3 bytes of a 5-byte header.
+    const buf = new Uint8Array([0, 0, 0]);
+    expect(() => unframeMessages(buf)).toThrow(/frame truncated/i);
+  });
+
+  it('throws on truncated payload', () => {
+    // 5-byte header declares 10 bytes of payload but only 4 follow.
+    const buf = new Uint8Array([0, 0, 0, 0, 10, 1, 2, 3, 4]);
+    expect(() => unframeMessages(buf)).toThrow(/payload truncated/i);
+  });
+
+  it('throws on unsupported compression flag', () => {
+    // Flag = 1 → compression negotiated, which we don't implement.
+    const buf = new Uint8Array([1, 0, 0, 0, 0]);
+    expect(() => unframeMessages(buf)).toThrow(/compression flag/i);
+  });
+
+  it('round-trips: frame → unframe yields original payload', () => {
+    const original = new Uint8Array([0x0a, 0x05, 0x68, 0x65, 0x6c, 0x6c, 0x6f]); // protobuf "hello"
+    const framed = frameMessage(original);
+    const unframed = unframeMessages(framed);
+    expect(unframed.length).toBe(1);
+    expect(Array.from(unframed[0]!)).toEqual(Array.from(original));
+  });
+});

package/src/lib/grpc-framing.ts

@@ -0,0 +1,76 @@
+/**
+ * gRPC HTTP/2 message framing primitive — Track 11 OTLP/gRPC.
+ *
+ * gRPC over HTTP/2 wraps each protobuf message in a 5-byte frame
+ * prefix:
+ *
+ *   ┌──────────┬───────────────────────┬─────────────────────┐
+ *   │ 1 byte   │ 4 bytes               │ N bytes             │
+ *   │ flags    │ length (big-endian)   │ payload             │
+ *   └──────────┴───────────────────────┴─────────────────────┘
+ *
+ * `flags` is `0x00` for uncompressed (the only mode we implement).
+ * `0x01` indicates a per-message compression scheme negotiated via
+ * the `grpc-encoding` header; we reject this since the conformance
+ * collector advertises identity encoding only.
+ *
+ * Multiple frames MAY be concatenated in a stream; for OTLP Export
+ * unary calls the request and response both carry exactly one frame.
+ *
+ * Pure stdlib — no `@grpc/grpc-js` dependency. Matches the
+ * zero-new-deps stance of `otlp-protobuf.ts` (the hand-rolled
+ * decoder for the OTLP message bodies).
+ *
+ * @see https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md
+ */
+
+/** Length-prefix a single protobuf payload with the gRPC 5-byte frame. */
+export function frameMessage(payload: Uint8Array): Uint8Array {
+  const out = new Uint8Array(5 + payload.byteLength);
+  out[0] = 0; // compression flag — identity
+  // Big-endian 32-bit length
+  out[1] = (payload.byteLength >>> 24) & 0xff;
+  out[2] = (payload.byteLength >>> 16) & 0xff;
+  out[3] = (payload.byteLength >>> 8) & 0xff;
+  out[4] = payload.byteLength & 0xff;
+  out.set(payload, 5);
+  return out;
+}
+
+/**
+ * Parse one or more gRPC-framed messages from a concatenated buffer.
+ * Throws if any frame uses a compression scheme we don't implement,
+ * or if the buffer truncates mid-frame.
+ */
+export function unframeMessages(buf: Uint8Array): Uint8Array[] {
+  const out: Uint8Array[] = [];
+  let i = 0;
+  while (i < buf.byteLength) {
+    if (i + 5 > buf.byteLength) {
+      throw new Error(
+        `gRPC frame truncated: need 5-byte header at offset ${i}, have ${buf.byteLength - i}`,
+      );
+    }
+    const flag = buf[i]!;
+    if (flag !== 0) {
+      throw new Error(
+        `gRPC frame at offset ${i} has compression flag ${flag}; only identity (0) is supported`,
+      );
+    }
+    const len =
+      ((buf[i + 1]! << 24) >>> 0) |
+      ((buf[i + 2]! << 16) >>> 0) |
+      ((buf[i + 3]! << 8) >>> 0) |
+      buf[i + 4]!;
+    const payloadStart = i + 5;
+    const payloadEnd = payloadStart + len;
+    if (payloadEnd > buf.byteLength) {
+      throw new Error(
+        `gRPC frame payload truncated: declared length ${len} at offset ${i + 1}, but only ${buf.byteLength - payloadStart} bytes remain`,
+      );
+    }
+    out.push(buf.subarray(payloadStart, payloadEnd));
+    i = payloadEnd;
+  }
+  return out;
+}

package/src/lib/oidc-issuer.test.ts

@@ -0,0 +1,328 @@
+/**
+ * Server-free unit tests for the synthetic OIDC issuer harness.
+ *
+ * The harness is real cryptographic code (RS256 + ES256 JWS signing,
+ * JWKS export, JWT compact serialization). If the signing or encoding
+ * is wrong, every scenario that uses the harness silently misreports —
+ * the OIDC validation scenarios soft-skip behavior portions when the
+ * host doesn't trust the harness, so a malformed token would simply
+ * cause the host to reject and the test to "pass" via soft-skip path.
+ *
+ * These unit tests round-trip every token through `node:crypto.createVerify`
+ * to confirm the harness output is parseable by an independent verifier.
+ * Run server-free; doesn't depend on OPENWOP_BASE_URL.
+ *
+ * @see conformance/src/lib/oidc-issuer.ts
+ * @see RFCS/0010-auth-profile-conformance.md §E
+ */
+
+import { describe, it, expect } from 'vitest';
+import { createPublicKey, createVerify, type JsonWebKey } from 'node:crypto';
+import { createSyntheticOIDCIssuer } from './oidc-issuer.js';
+
+function base64UrlDecode(input: string): Buffer {
+  const pad = input.length % 4 === 0 ? 0 : 4 - (input.length % 4);
+  const padded = input + '='.repeat(pad);
+  const std = padded.replace(/-/g, '+').replace(/_/g, '/');
+  return Buffer.from(std, 'base64');
+}
+
+function decodeJwt(token: string): {
+  header: Record<string, unknown>;
+  payload: Record<string, unknown>;
+  signature: Buffer;
+  signingInput: string;
+} {
+  const parts = token.split('.');
+  if (parts.length !== 3) throw new Error(`malformed JWT: ${parts.length} segments`);
+  const [h, p, s] = parts;
+  return {
+    header: JSON.parse(base64UrlDecode(h).toString('utf8')) as Record<string, unknown>,
+    payload: JSON.parse(base64UrlDecode(p).toString('utf8')) as Record<string, unknown>,
+    signature: base64UrlDecode(s),
+    signingInput: `${h}.${p}`,
+  };
+}
+
+function verifyToken(
+  token: string,
+  jwksJson: string,
+  algorithm: 'RS256' | 'ES256',
+): boolean {
+  const decoded = decodeJwt(token);
+  const jwks = JSON.parse(jwksJson) as { keys: JsonWebKey[] };
+  const kid = decoded.header.kid;
+  const key = jwks.keys.find((k) => k.kid === kid);
+  if (!key) throw new Error(`no JWKS key matches kid=${String(kid)}`);
+
+  const publicKey = createPublicKey({ key, format: 'jwk' });
+  const digest = algorithm === 'RS256' ? 'RSA-SHA256' : 'SHA256';
+  const verifier = createVerify(digest);
+  verifier.update(decoded.signingInput);
+  verifier.end();
+  return verifier.verify(
+    algorithm === 'RS256'
+      ? publicKey
+      : { key: publicKey, dsaEncoding: 'ieee-p1363' },
+    decoded.signature,
+  );
+}
+
+describe('oidc-issuer: harness construction', () => {
+  it('requires issuer and audience', () => {
+    expect(() =>
+      createSyntheticOIDCIssuer({ issuer: '', audience: 'openwop' }),
+    ).toThrow(/issuer and audience/);
+    expect(() =>
+      createSyntheticOIDCIssuer({ issuer: 'https://x', audience: '' }),
+    ).toThrow(/issuer and audience/);
+  });
+
+  it('defaults to RS256 + canonical keyId', () => {
+    const issuer = createSyntheticOIDCIssuer({
+      issuer: 'https://harness.example',
+      audience: 'openwop',
+    });
+    expect(issuer.algorithm).toBe('RS256');
+    expect(issuer.keyId).toBe('openwop-conformance-key-1');
+    expect(issuer.issuer).toBe('https://harness.example');
+    expect(issuer.audience).toBe('openwop');
+  });
+
+  it('rejects unsupported algorithm at runtime (defensive)', () => {
+    expect(() =>
+      createSyntheticOIDCIssuer({
+        issuer: 'https://x',
+        audience: 'y',
+        algorithm: 'HS256',
+      }),
+    ).toThrow(/unsupported algorithm/);
+  });
+});
+
+describe('oidc-issuer: JWKS + discovery shape', () => {
+  it('publishes a well-formed JWKS for RS256', () => {
+    const issuer = createSyntheticOIDCIssuer({
+      issuer: 'https://harness.example',
+      audience: 'openwop',
+    });
+    const jwks = JSON.parse(issuer.jwksJson) as { keys: JsonWebKey[] };
+    expect(Array.isArray(jwks.keys)).toBe(true);
+    expect(jwks.keys.length).toBe(1);
+    const key = jwks.keys[0];
+    expect(key.kty).toBe('RSA');
+    expect(key.alg).toBe('RS256');
+    expect(key.use).toBe('sig');
+    expect(key.kid).toBe(issuer.keyId);
+    // RSA JWK MUST have n (modulus) and e (exponent).
+    expect(typeof key.n).toBe('string');
+    expect(typeof key.e).toBe('string');
+  });
+
+  it('publishes a well-formed JWKS for ES256', () => {
+    const issuer = createSyntheticOIDCIssuer({
+      issuer: 'https://harness.example',
+      audience: 'openwop',
+      algorithm: 'ES256',
+    });
+    const jwks = JSON.parse(issuer.jwksJson) as { keys: JsonWebKey[] };
+    const key = jwks.keys[0];
+    expect(key.kty).toBe('EC');
+    expect(key.alg).toBe('ES256');
+    expect(key.crv).toBe('P-256');
+    expect(typeof key.x).toBe('string');
+    expect(typeof key.y).toBe('string');
+  });
+
+  it('publishes OIDC discovery doc with correct shape', () => {
+    const issuer = createSyntheticOIDCIssuer({
+      issuer: 'https://harness.example/oauth',
+      audience: 'openwop',
+    });
+    const disco = JSON.parse(issuer.discoveryJson) as {
+      issuer: string;
+      jwks_uri: string;
+      response_types_supported: string[];
+      subject_types_supported: string[];
+      id_token_signing_alg_values_supported: string[];
+    };
+    expect(disco.issuer).toBe('https://harness.example/oauth');
+    expect(disco.jwks_uri).toBe('https://harness.example/oauth/.well-known/jwks.json');
+    expect(disco.id_token_signing_alg_values_supported).toContain('RS256');
+  });
+
+  it('discovery doc strips trailing slash before appending jwks path', () => {
+    const issuer = createSyntheticOIDCIssuer({
+      issuer: 'https://harness.example/',
+      audience: 'openwop',
+    });
+    const disco = JSON.parse(issuer.discoveryJson) as { jwks_uri: string };
+    expect(disco.jwks_uri).toBe('https://harness.example/.well-known/jwks.json');
+  });
+});
+
+describe('oidc-issuer: mint defaults', () => {
+  it('fills iss / aud / iat / exp when not supplied', () => {
+    const issuer = createSyntheticOIDCIssuer({
+      issuer: 'https://harness.example',
+      audience: 'openwop',
+    });
+    const before = Math.floor(Date.now() / 1000);
+    const { claims } = issuer.mint({ sub: 'test-sub' });
+    const after = Math.floor(Date.now() / 1000);
+
+    expect(claims.iss).toBe('https://harness.example');
+    expect(claims.aud).toBe('openwop');
+    expect(claims.sub).toBe('test-sub');
+    expect(typeof claims.iat).toBe('number');
+    expect(typeof claims.exp).toBe('number');
+    expect(claims.iat).toBeGreaterThanOrEqual(before);
+    expect(claims.iat).toBeLessThanOrEqual(after);
+    // Default lifetime is 300s.
+    expect((claims.exp as number) - (claims.iat as number)).toBe(300);
+  });
+
+  it('caller claims override defaults', () => {
+    const issuer = createSyntheticOIDCIssuer({
+      issuer: 'https://harness.example',
+      audience: 'openwop',
+    });
+    const { claims } = issuer.mint({
+      iss: 'override-issuer',
+      aud: 'override-audience',
+      sub: 'test-sub',
+    });
+    expect(claims.iss).toBe('override-issuer');
+    expect(claims.aud).toBe('override-audience');
+  });
+
+  it('negative expiresInSeconds mints already-expired token', () => {
+    const issuer = createSyntheticOIDCIssuer({
+      issuer: 'https://harness.example',
+      audience: 'openwop',
+    });
+    const now = Math.floor(Date.now() / 1000);
+    const { claims } = issuer.mint(
+      { sub: 'test-sub' },
+      { expiresInSeconds: -3600 },
+    );
+    expect((claims.exp as number) < now).toBe(true);
+  });
+});
+
+describe('oidc-issuer: signature round-trip', () => {
+  it('RS256 token verifies against published JWKS', () => {
+    const issuer = createSyntheticOIDCIssuer({
+      issuer: 'https://harness.example',
+      audience: 'openwop',
+      algorithm: 'RS256',
+    });
+    const { token } = issuer.mint({ sub: 'test-sub' });
+    const verified = verifyToken(token, issuer.jwksJson, 'RS256');
+    expect(verified).toBe(true);
+  });
+
+  it('ES256 token verifies against published JWKS', () => {
+    const issuer = createSyntheticOIDCIssuer({
+      issuer: 'https://harness.example',
+      audience: 'openwop',
+      algorithm: 'ES256',
+    });
+    const { token } = issuer.mint({ sub: 'test-sub' });
+    const verified = verifyToken(token, issuer.jwksJson, 'ES256');
+    expect(verified).toBe(true);
+  });
+
+  it('header alg matches issuer algorithm by default', () => {
+    const issuer = createSyntheticOIDCIssuer({
+      issuer: 'https://harness.example',
+      audience: 'openwop',
+      algorithm: 'ES256',
+    });
+    const { token } = issuer.mint({ sub: 'test-sub' });
+    const decoded = decodeJwt(token);
+    expect(decoded.header.alg).toBe('ES256');
+  });
+
+  it('mint opts.algorithm override appears in header (alg-spoof scenario)', () => {
+    const issuer = createSyntheticOIDCIssuer({
+      issuer: 'https://harness.example',
+      audience: 'openwop',
+      algorithm: 'RS256',
+    });
+    const { token } = issuer.mint(
+      { sub: 'test-sub' },
+      { algorithm: 'HS256' },
+    );
+    const decoded = decodeJwt(token);
+    expect(decoded.header.alg).toBe('HS256');
+    // The signature is still RS256-bytes (the harness doesn't actually
+    // honor the alg override for the signature itself — that's the spoof:
+    // the header lies, the bytes don't match). Verification with RS256
+    // succeeds, which is the test scenario's correct behavior: it lets
+    // the OAuth2-CC negative-case scenario assert the host rejects
+    // because the header claims HS256 outside supportedAlgorithms.
+    const verified = verifyToken(
+      // Pull alg from header for verification — but the verify path
+      // is RS256 because that's the actual key. Re-decode and verify
+      // by extracting the alg-from-issuer rather than alg-from-header.
+      token,
+      issuer.jwksJson,
+      'RS256',
+    );
+    expect(verified).toBe(true);
+  });
+
+  it('keyId override sets header.kid without changing signing key (unknown-kid scenario)', () => {
+    const issuer = createSyntheticOIDCIssuer({
+      issuer: 'https://harness.example',
+      audience: 'openwop',
+    });
+    const { token } = issuer.mint(
+      { sub: 'test-sub' },
+      { keyId: 'never-published-kid' },
+    );
+    const decoded = decodeJwt(token);
+    expect(decoded.header.kid).toBe('never-published-kid');
+    // The JWKS doesn't publish this kid; verifyToken throws.
+    expect(() => verifyToken(token, issuer.jwksJson, 'RS256')).toThrow(/no JWKS key/);
+  });
+});
+
+describe('oidc-issuer: key rotation', () => {
+  it('rotateKey() changes the published keyId', () => {
+    const issuer = createSyntheticOIDCIssuer({
+      issuer: 'https://harness.example',
+      audience: 'openwop',
+    });
+    const firstKid = issuer.keyId;
+    issuer.rotateKey();
+    expect(issuer.keyId).not.toBe(firstKid);
+    expect(issuer.keyId).toBe('openwop-conformance-key-2');
+  });
+
+  it('tokens minted before rotation no longer verify against new JWKS', () => {
+    const issuer = createSyntheticOIDCIssuer({
+      issuer: 'https://harness.example',
+      audience: 'openwop',
+    });
+    const beforeRotation = issuer.mint({ sub: 'test-sub' });
+    issuer.rotateKey();
+    // The JWKS now publishes a different key. The old token's header
+    // kid still references the pre-rotation kid, which isn't published.
+    expect(() =>
+      verifyToken(beforeRotation.token, issuer.jwksJson, 'RS256'),
+    ).toThrow(/no JWKS key/);
+  });
+
+  it('tokens minted after rotation verify against new JWKS', () => {
+    const issuer = createSyntheticOIDCIssuer({
+      issuer: 'https://harness.example',
+      audience: 'openwop',
+    });
+    issuer.rotateKey();
+    const afterRotation = issuer.mint({ sub: 'test-sub' });
+    const verified = verifyToken(afterRotation.token, issuer.jwksJson, 'RS256');
+    expect(verified).toBe(true);
+  });
+});