Fix session JWT expiration validation

Author: cursoragent

internal/crypto/sessionjwt/manager.go

@@ -82,7 +82,7 @@ func (m *Manager) Verify(raw string) (*core.SessionClaims, error) {
 	}, nil
 }
 
-func (c *claims) Valid() error {
+func (c *claims) Validate() error {
 	if c.ExpiresAt == nil {
 		return fmt.Errorf("%w: missing exp", core.ErrUnauthorized)
 	}

internal/crypto/sessionjwt/manager_test.go

@@ -0,0 +1,48 @@
+package sessionjwt
+
+import (
+	"crypto/ed25519"
+	"errors"
+	"strings"
+	"testing"
+
+	"github.com/evalops/asb/internal/core"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+func TestManager_VerifyRejectsTokenWithoutExpiration(t *testing.T) {
+	t.Parallel()
+
+	_, privateKey, err := ed25519.GenerateKey(nil)
+	if err != nil {
+		t.Fatalf("GenerateKey() error = %v", err)
+	}
+
+	manager, err := NewManager(privateKey)
+	if err != nil {
+		t.Fatalf("NewManager() error = %v", err)
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, jwt.MapClaims{
+		"sid":       "sess_123",
+		"tenant_id": "t_acme",
+		"agent_id":  "agent_123",
+		"run_id":    "run_123",
+		"tool_context": []string{
+			"github",
+		},
+		"workload_hash": "sha256:test",
+	})
+	raw, err := token.SignedString(privateKey)
+	if err != nil {
+		t.Fatalf("SignedString() error = %v", err)
+	}
+
+	if _, err := manager.Verify(raw); err == nil {
+		t.Fatal("Verify() error = nil, want non-nil")
+	} else if !errors.Is(err, core.ErrUnauthorized) {
+		t.Fatalf("Verify() error = %v, want unauthorized", err)
+	} else if !strings.Contains(err.Error(), "missing exp") {
+		t.Fatalf("Verify() error = %v, want missing exp", err)
+	}
+}