pub fn check(
    policy: &ReplayDefensePolicy,
    state: &ReplayDefenseState,
    input: &ReplayDefenseCheckInput,
) -> ReplayDefenseDecision
Evaluate policy + state against input and return a
deterministic ReplayDefenseDecision.
Precedence:
- Domain mismatch is checked first (cheap, structural).
- Signature drift is checked next so a rotated signature never silently slips through on an unexpired session.
- Nonce rotation (state nonce != observed nonce) is checked before the nonce age so a nonce that was explicitly rotated is reported distinctly from a nonce that simply aged out.
- Nonce age (nonce_age >= nonce_validity_window).
- Rotation age (elapsed >= rotation_interval).
The decision is fully determined by (policy, state, input) —
no I/O, no clock reads.
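The precedence above as an added sketch, not the crate's own code: the struct fields, the `Decision` variant names and the use of seconds are assumptions, and only the order of the checks and the two `>=` comparisons come from this page.

```rust
// Stand-in types for illustration; field and variant names are assumptions,
// not the definitions of ReplayDefensePolicy / State / CheckInput / Decision.
#[derive(Debug, PartialEq)]
pub enum Decision { Accept, DomainMismatch, SignatureDrift, NonceRotated, NonceExpired, RotationDue }

pub struct Policy { pub nonce_validity_window: u64, pub rotation_interval: u64 }
pub struct State<'a> { pub domain: &'a str, pub signature: &'a [u8], pub nonce: &'a [u8] }
pub struct Input<'a> {
    pub domain: &'a str,
    pub signature: &'a [u8],
    pub nonce: &'a [u8],
    pub nonce_age: u64, // seconds, measured by the caller (no clock read here)
    pub elapsed: u64,   // seconds since last rotation, measured by the caller
}

/// Pure function: the first matching rule wins, in the documented order.
pub fn check_sketch(p: &Policy, s: &State, i: &Input) -> Decision {
    if s.domain != i.domain { return Decision::DomainMismatch; }
    if s.signature != i.signature { return Decision::SignatureDrift; }
    // Rotation is tested before age so a rotated nonce is reported as such.
    if s.nonce != i.nonce { return Decision::NonceRotated; }
    if i.nonce_age >= p.nonce_validity_window { return Decision::NonceExpired; }
    if i.elapsed >= p.rotation_interval { return Decision::RotationDue; }
    Decision::Accept
}

fn main() {
    let p = Policy { nonce_validity_window: 300, rotation_interval: 3600 };
    let s = State { domain: "app.example", signature: b"sig-v1", nonce: b"n-1" };
    // Constructed input: rotated signature AND an aged-out nonce at once.
    let i = Input { domain: "app.example", signature: b"sig-v2", nonce: b"n-1",
                    nonce_age: 900, elapsed: 10 };
    // Signature drift outranks nonce age, so the drift is what gets reported.
    println!("{:?}", check_sketch(&p, &s, &i));
}
```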