SignedXhtmlStateTransferCodec
Tamper-evident, optionally replay-protected {@see StateTransferCodecInterface}: wraps an inner unsigned codec (typically {@see \Milpa\Live\Transport\XhtmlStateTransferCodec}), signing its output with a {@see StateSignerInterface} and, on decode, verifying the signature before delegating back to the inner codec. This is the codec {@see \Milpa\Live\Http\LiveEndpoint} trusts to prove a client-echoed `<milpa-state>` envelope hasn't been altered since this server last signed it — see the endpoint's trust-model docblock.
SignedXhtmlStateTransferCodec::__construct()
public function __construct(Milpa\Live\Contracts\Transport\StateTransferCodecInterface $inner, Milpa\Live\Contracts\Security\StateSignerInterface $signer, ?Milpa\Live\Contracts\Security\NonceStoreInterface $nonces = null):Parameters
| Name | Type | Description |
|---|---|---|
| $inner | Milpa\Live\Contracts\Transport\StateTransferCodecInterface | |
| $signer | Milpa\Live\Contracts\Security\StateSignerInterface | |
| $nonces | (NonceStoreInterface | null) | When given, every successfully signature-verified envelope has its `sig-nonce` consumed against this store before decoding proceeds — a second decode of the exact same signed envelope (a captured, replayed request) throws {@see ReplayedNonceException} instead of succeeding a second time. `null` preserves the original tamper-evidence-only behavior (no replay protection), e.g. for isolated codec unit tests. |
SignedXhtmlStateTransferCodec::encodeState()
public function encodeState(Milpa\Live\ValueObjects\StateSnapshot $snapshot): stringEncodes `$snapshot` via the inner codec, then signs the resulting envelope with `kind`/`componentId`/`componentName` claims bound in.
Parameters
| Name | Type | Description |
|---|---|---|
| $snapshot | Milpa\Live\ValueObjects\StateSnapshot |
SignedXhtmlStateTransferCodec::decodeState()
public function decodeState(string $encoded): Milpa\Live\ValueObjects\StateSnapshotVerifies the envelope's signature (and, when a {@see NonceStoreInterface} is configured, consumes its nonce — a second decode of the exact same envelope throws {@see ReplayedNonceException}), then delegates to the inner codec. Throws `RuntimeException` on an invalid signature or a component id/name claim mismatch against the decoded snapshot.
Parameters
| Name | Type | Description |
|---|---|---|
| $encoded | string |
SignedXhtmlStateTransferCodec::encodeInteraction()
public function encodeInteraction(Milpa\Live\ValueObjects\InteractionRequest $request): stringEncodes `$request` via the inner codec, then signs the resulting envelope with `kind`/`componentId`/`componentName`/`action` claims bound in.
Parameters
| Name | Type | Description |
|---|---|---|
| $request | Milpa\Live\ValueObjects\InteractionRequest |
SignedXhtmlStateTransferCodec::decodeInteraction()
public function decodeInteraction(string $encoded): Milpa\Live\ValueObjects\InteractionRequestVerifies the envelope's signature (and consumes its nonce when replay protection is configured, as in {@see decodeState()}), then delegates to the inner codec. Throws `RuntimeException` on an invalid signature or a component id/name/action claim mismatch against the decoded request.
Parameters
| Name | Type | Description |
|---|---|---|
| $encoded | string |