Retire legacy mock-server endpoints + /v1/mint-aws-creds + /v1/auth/exchange (closes #77, #72, #78)

crates/agentkeys-broker-server/src/auth.rs

@@ -1,55 +1,3 @@
-use crate::error::{BrokerError, BrokerResult};
-
-#[derive(Debug, Clone)]
-pub struct ValidatedSession {
-    pub wallet: String,
-}
-
 pub fn extract_bearer_token(header: &str) -> Option<&str> {
     header.strip_prefix("Bearer ")
 }
-
-pub async fn validate_bearer_token(
-    http: &reqwest::Client,
-    backend_url: &str,
-    token: &str,
-) -> BrokerResult<ValidatedSession> {
-    let url = format!("{}/session/validate", backend_url.trim_end_matches('/'));
-    let response = http
-        .get(&url)
-        .header("Authorization", format!("Bearer {}", token))
-        .send()
-        .await
-        .map_err(|e| BrokerError::BackendUnreachable(e.to_string()))?;
-
-    let status = response.status();
-    if status == reqwest::StatusCode::UNAUTHORIZED {
-        let body: serde_json::Value = response.json().await.unwrap_or(serde_json::Value::Null);
-        let msg = body
-            .get("message")
-            .and_then(|v| v.as_str())
-            .unwrap_or("session not valid")
-            .to_string();
-        return Err(BrokerError::Unauthorized(msg));
-    }
-    if !status.is_success() {
-        return Err(BrokerError::BackendUnreachable(format!(
-            "backend returned {}",
-            status
-        )));
-    }
-
-    let body: serde_json::Value = response
-        .json()
-        .await
-        .map_err(|e| BrokerError::BackendUnreachable(format!("parse validate response: {}", e)))?;
-    let wallet = body
-        .get("wallet")
-        .and_then(|v| v.as_str())
-        .ok_or_else(|| {
-            BrokerError::BackendUnreachable("validate response missing wallet field".into())
-        })?
-        .to_string();
-
-    Ok(ValidatedSession { wallet })
-}

crates/agentkeys-broker-server/src/boot.rs

@@ -260,11 +260,10 @@ pub struct Tier2Profile {
     pub strict: bool,
     pub email_link_enabled: bool,
     pub audit_evm_enabled: bool,
-    pub backend_url: String,
 }
 
 impl Tier2Profile {
-    pub fn from_config(config: &BrokerConfig) -> Self {
+    pub fn from_config(_config: &BrokerConfig) -> Self {
         let strict = std::env::var(env::BROKER_REFUSE_TO_BOOT_STRICT)
             .map(|v| v == "true")
             .unwrap_or(false);
@@ -276,7 +275,6 @@ impl Tier2Profile {
             strict,
             email_link_enabled: methods.split(',').any(|m| m.trim() == "email_link"),
             audit_evm_enabled: anchors.split(',').any(|a| a.trim() == "evm_testnet"),
-            backend_url: config.backend_url.clone(),
         }
     }
 }
@@ -755,11 +753,9 @@ mod tests {
     fn config_with(audit_db: PathBuf, oidc_issuer: &str, oidc_kp_path: PathBuf) -> BrokerConfig {
         BrokerConfig {
             data_role_arn: "arn:aws:iam::000:role/test".into(),
-            backend_url: "http://localhost:8080".into(),
             audit_db_path: audit_db,
             aws_region: "us-east-1".into(),
             session_duration_seconds: 3600,
-            backend_request_timeout_seconds: 10,
             shutdown_grace_seconds: 30,
             oidc_issuer: oidc_issuer.to_string(),
             oidc_keypair_path: oidc_kp_path,

crates/agentkeys-broker-server/src/config.rs

@@ -5,12 +5,9 @@ use crate::env;
 #[derive(Debug, Clone)]
 pub struct BrokerConfig {
     pub data_role_arn: String,
-    pub backend_url: String,
     pub audit_db_path: PathBuf,
     pub aws_region: String,
     pub session_duration_seconds: i32,
-    /// Timeout for HTTP calls to the backend's /session/validate.
-    pub backend_request_timeout_seconds: u64,
     /// Hard cap on graceful-shutdown drain time.
     pub shutdown_grace_seconds: u64,
     /// Public URL the broker advertises as the OIDC issuer.
@@ -45,8 +42,6 @@ impl BrokerConfig {
                 env::ACCOUNT_ID,
             ))?;
 
-        let backend_url = required_env(env::BROKER_BACKEND_URL)?;
-
         let audit_db_path = std::env::var(env::BROKER_AUDIT_DB_PATH)
             .ok()
             .map(PathBuf::from)
@@ -68,11 +63,6 @@ impl BrokerConfig {
             );
         }
 
-        let backend_request_timeout_seconds = parse_int_env_with_default(
-            env::BROKER_BACKEND_TIMEOUT_SECONDS,
-            10u64,
-        )?;
-
         let shutdown_grace_seconds = parse_int_env_with_default(
             env::BROKER_SHUTDOWN_GRACE_SECONDS,
             30u64,
@@ -98,11 +88,9 @@ impl BrokerConfig {
 
         Ok(Self {
             data_role_arn,
-            backend_url,
             audit_db_path,
             aws_region,
             session_duration_seconds,
-            backend_request_timeout_seconds,
             shutdown_grace_seconds,
             oidc_issuer,
             oidc_keypair_path,

crates/agentkeys-broker-server/src/env.rs

@@ -43,8 +43,6 @@ pub enum Group {
 // Core
 // ---------------------------------------------------------------------------
 
-/// Required. Base URL for the legacy backend session/validate endpoint.
-pub const BROKER_BACKEND_URL: &str = "BROKER_BACKEND_URL";
 /// Required (or derive from `ACCOUNT_ID`). The role the broker assumes via STS for users.
 pub const BROKER_DATA_ROLE_ARN: &str = "BROKER_DATA_ROLE_ARN";
 /// Optional. Path to the audit-log SQLite DB. Defaults to `~/.agentkeys/broker/audit.sqlite`.
@@ -53,8 +51,6 @@ pub const BROKER_AUDIT_DB_PATH: &str = "BROKER_AUDIT_DB_PATH";
 pub const BROKER_AWS_REGION: &str = "BROKER_AWS_REGION";
 /// Optional. Lifetime in seconds of minted AWS sessions. Range \[900, 43200\]. Default 3600.
 pub const BROKER_SESSION_DURATION_SECONDS: &str = "BROKER_SESSION_DURATION_SECONDS";
-/// Optional. HTTP timeout in seconds for backend `/session/validate` calls. Default 10.
-pub const BROKER_BACKEND_TIMEOUT_SECONDS: &str = "BROKER_BACKEND_TIMEOUT_SECONDS";
 /// Optional. SIGTERM-to-exit grace window in seconds. Default 30.
 pub const BROKER_SHUTDOWN_GRACE_SECONDS: &str = "BROKER_SHUTDOWN_GRACE_SECONDS";
 /// Optional. When `true`, relaxes the HTTPS-only OIDC-issuer rule. Logged loudly. Default `false`.
@@ -215,12 +211,10 @@ pub const REGION: &str = "REGION";
 pub const fn all() -> &'static [(&'static str, &'static str, Group)] {
     &[
         // Core
-        (BROKER_BACKEND_URL, "Base URL for legacy backend session validation.", Group::Core),
         (BROKER_DATA_ROLE_ARN, "Role the broker assumes via STS for users.", Group::Core),
         (BROKER_AUDIT_DB_PATH, "Path to audit-log SQLite DB.", Group::Core),
         (BROKER_AWS_REGION, "AWS region for STS calls.", Group::Core),
         (BROKER_SESSION_DURATION_SECONDS, "Lifetime in seconds of minted AWS sessions [900, 43200].", Group::Core),
-        (BROKER_BACKEND_TIMEOUT_SECONDS, "HTTP timeout for backend /session/validate.", Group::Core),
         (BROKER_SHUTDOWN_GRACE_SECONDS, "SIGTERM-to-exit grace window seconds.", Group::Core),
         (BROKER_DEV_MODE, "Relaxes HTTPS-only OIDC-issuer rule (logged loudly).", Group::Core),
         (BROKER_REFUSE_TO_BOOT_STRICT, "Promotes Tier-2 reachability to Tier-1 refuse-to-boot.", Group::Core),
@@ -315,7 +309,6 @@ mod tests {
     fn all_includes_required_phase0_vars() {
         let names: Vec<&str> = all().iter().map(|(n, _, _)| *n).collect();
         for required in [
-            BROKER_BACKEND_URL,
             BROKER_DATA_ROLE_ARN,
             BROKER_OIDC_ISSUER,
             BROKER_OIDC_KEYPAIR_PATH,

crates/agentkeys-broker-server/src/handlers/auth/mod.rs

@@ -2,10 +2,7 @@
 //!
 //! - `POST /v1/auth/wallet/start` — SIWE challenge.
 //! - `POST /v1/auth/wallet/verify` — SIWE verify → session JWT.
-//! - `POST /v1/auth/exchange` — backward-compat shim that exchanges a
-//!   legacy backend-validated bearer for a new session JWT.
 
-pub mod exchange;
 #[cfg(feature = "auth-email-link")]
 pub mod email_landing;
 #[cfg(feature = "auth-email-link")]

crates/agentkeys-broker-server/src/handlers/broker_status.rs

@@ -39,7 +39,6 @@ pub async fn readyz(State(state): State<SharedState>) -> impl IntoResponse {
     let (overall_plugin_state, plugin_checks) = state.registry.aggregate_readiness();
 
     // Tier-2 reachability flags (set by spawn_tier2_probes in main.rs).
-    let backend_reachable = state.tier2.backend_reachable.load(Ordering::Relaxed);
     let ses_verified = state.tier2.ses_verified.load(Ordering::Relaxed);
     let evm_rpc_reachable = state.tier2.evm_rpc_reachable.load(Ordering::Relaxed);
     let evm_fee_payer_funded = state.tier2.evm_fee_payer_funded.load(Ordering::Relaxed);
@@ -69,20 +68,6 @@ pub async fn readyz(State(state): State<SharedState>) -> impl IntoResponse {
         }
     }
 
-    // Tier-2 backend probe (always relevant — the broker calls
-    // BROKER_BACKEND_URL/session/validate during legacy auth).
-    if backend_reachable {
-        ready_names.push("tier2/backend".into());
-    } else {
-        unready = true;
-        checks.push(json!({
-            "name": "tier2/backend",
-            "status": "unready",
-            "reason": "BROKER_BACKEND_URL/healthz not yet reachable since boot",
-            "docs": runbook_anchor("backend-reachability"),
-        }));
-    }
-
     // Tier-2 SES probe — only reported when email-link auth is enabled.
     if state.registry.auth.contains_key("email_link") {
         if ses_verified {