createConnectReceiver (from @phosra/gatekeeper/next, v0.6.0+) collapses the OCSS connect
receiver to one route file and one allowlist. It verifies every delivery to the pinned
OCSS root — the same root your gatekeeper already pins to fetch enforcement profiles — so
the provider’s signature is the authentication. There is no shared HMAC secret to mint,
store, sync, or rotate.
This is purely additive. The low-level
createGatekeeper() and every existing gatekeeper
export are unchanged — see the Platform Quickstart (gatekeeper)
for the enforce/confirm loop. This page covers the connect leg the receiver handles.The entire receiver
/api/ocss/connect route. The provider’s Ed25519 signature, verified to
the root, is the auth; the allowlist is the authorization. Revoke a provider by removing its
DID from authorize — no key exchange, no rotation.
Config
| Field | Required | Meaning |
|---|---|---|
env | yes | "sandbox" | "production" — selects the bundled census URL and the pinned trust root (no trust-on-first-use). |
did | yes | Your platform DID. Also the RFC 8707 audience_did deliveries must bind to (replay to a different receiver fails). |
seed | yes | Your platform Ed25519 seed, base64url-raw (32 bytes) — the OCSS_SENDER_SEED_B64URL you registered. |
authorize | yes | The provider-DID allowlist. Required by construction so “signed with no allowlist” is unrepresentable — role-gating alone (any accredited enforcement-agent) is never the ship state. |
store | yes | Your ConnectSessionStore — the §3.6 state machine over your own child/session table. |
onBound | yes | (label, childRef, provision?) => void | Promise<void> — fires after each 2xx per bound label; materialize the enforcement caps here. |
onError | no | (err, ctx) => void — surfaces a throwing onBound without failing the delivery. |
legacyHmacSecret | no | Opt-in HMAC lane → posture "both". Absent = signed-only (the default). Only for a migration drain window — see Migration. |
censusUrl / trustRootXB64Url | no | Advanced overrides for the env preset (pass together). |
keyId | no | Writer key-id fragment; defaults to the current YYYY-MM. |
createdSkewSec | no | Signed-delivery freshness window in seconds (default 300). |
How a delivery is verified — nothing you write
createConnectReceiver reads the raw request body once and dispatches by shape:
- Signed provision delivery (
isSignedProvisionDelivery(body)) →verifyProvisionDelivery→ create-or-adopt N age-banded profiles, thenonBoundper profile. This is the create-and-link fan-out from the provider. - Signed connect envelope /
{ endpoint_id_label, state }→handleConnect→ bind the single label, thenonBound(label, childRef). - Legacy
ocss-ext01/provision.v1HMAC batch → the HMAC lane — only whenlegacyHmacSecretis set.
did),
created-freshness (within createdSkewSec), and the authorize gate from the
verified envelope — all before your onBound runs. You verify nothing by hand.
onBound fires post-2xx, per bound label. On the batch path each call carries a
ProvisionContext so you know the age band and whether to auto-set an adult PIN; on the
single-bind path provision is undefined. A throwing onBound is routed to onError and
does not fail the delivery (the binding already landed).
After the connect leg — enforce
Receiving the connection is only the connect leg. The boundendpoint_id_label is your
profile-poll target: fetch and verify the signed enforcement profile, decide locally, and
confirm — all with the low-level @phosra/gatekeeper:
isAllowed → confirm loop (including the two-endpoint_id_label gotcha
and the fail-closed rules) is documented in the
gatekeeper Platform Quickstart.
Trust-list liveness
Signed verification role-gates the signer to an active accredited enforcement-agent and verifies to root, so the connect leg now depends on Trust-List availability and accreditation freshness (the 7-day attestation TTL) — a coupling the old HMAC path never had. This is a deliberate trade, not a surprise: cache the last-known-good Trust List so a transient census blip doesn’t reject a legitimate, still-accredited provider. Name it in your ops runbook. See Migration → Liveness.Branding is an assessed conformance item
Two parts, both checked at accreditation: (1) co-brand your OAuth leg — the authorize page the parent hits during the ceremony MUST readPhosra Link · <Platform>, never a bare
auth form; (2) provenance — once a profile is bound, surface a persistent “Managed via
Phosra” label on the managed account. See the
Phosra Link Branding Requirement.
What the provider (your partner) must do
Almost nothing new lands on the provider — the signed model is symmetric with what they already sign:- Add your platform DID to their
createLinkconnect target (they calllink.connect.finish/link.provisionwithplatformDid: "did:ocss:<you>"). - Deliver with their own writer key — no secret from you. If their delivery
401s, the fix is you adding their DID toauthorize, not a secret exchange. - That’s it. See Provider Quickstart.
Next
- Provider Quickstart · createLink — the sending side
- Migrating HMAC → Signed — retire your connect secret safely
- gatekeeper Platform Quickstart — the enforce/confirm loop