Docs: Document token lifecycle, capping mechanisms, and default TTLs #377
Merged
Adds comprehensive token lifecycle documentation covering the dual token loop between muster and Dex, access token capping via capTokenExpiry, refresh token alignment with Dex's absoluteLifetime, and default TTL values. Updates security operations guide, configuration reference, and CLI auth reference with cross-references.

Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
- docs/operations/security.md from a stub into a comprehensive token lifecycle guide covering the dual token loop (agent-muster and muster-Dex), access token capping via capTokenExpiry, refresh token alignment with Dex's absoluteLifetime, and all default TTL values
- Access Token TTL section to docs/reference/configuration.md explaining the capping mechanism and clarifies the rolling-vs-absolute distinction in the session duration warning
- Token Expired troubleshooting section in docs/reference/cli/auth.md with explanations of what "Expires" and "Session" mean, and cross-references to the new security guide
Context
Analysis of the token lifecycle (see token TTL analysis plan) identified that while the code correctly aligns muster's default TTLs with Dex (30m access tokens, 30d session duration), the documentation didn't explain the capping mechanism, the dual token loop, or the default values. The existing docs warned about the rolling-vs-absolute mismatch but treated it purely as a configuration concern without explaining the underlying architecture.
Test plan
Made with Cursor