Hardens the factory credential lifecycle (§12):
- Token expiry: tokens now carry an absolute expiresAt (FLEET_TOKEN_TTL_DAYS,
default 90; 0 disables). verifyToken rejects an expired token regardless of
status, bounding the blast radius of a leak.
- Enforcement default: factoryTokenEnforcementEnabled now defaults ON in
production and OFF in development/test (an explicit FLEET_REQUIRE_FACTORY_TOKEN
still wins) — real deployments are secure by default while the local prototype
and the test suite keep working without enrollment.
- Token GC: pruneInvalidatedTokens deletes revoked, expired, and rotating-past-
grace tokens; wired into the hourly fleet GC sweep (SweepResult.tokensDeleted)
so the credential store stays bounded.
Covered by new enrollment.test.ts cases (expiry, TTL=0, enforcement default
matrix, prune) and the reaper/sweep accounting.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
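
The three rules in the commit message above, as an added TypeScript sketch that is not code from this commit or from the project. Only the identifiers named in the message come from the page; the token shape, status names, rotation grace window, use of NODE_ENV, and the "true"/"1" flag parsing are assumptions.

```typescript
// Added sketch, not the project's code. Token shape, status names, grace window,
// NODE_ENV and the "true"/"1" flag parsing are assumptions made for illustration.
type Status = "active" | "rotating" | "revoked";
interface Token { id: string; status: Status; expiresAt: number | null; rotatedAt?: number }
type Env = Record<string, string | undefined>;

const DAY_MS = 24 * 60 * 60 * 1000;
const ROTATION_GRACE_MS = 60 * 60 * 1000; // assumed; the page gives no value

// FLEET_TOKEN_TTL_DAYS: default 90, 0 disables expiry (null means "never expires").
function computeExpiresAt(env: Env, now: number): number | null {
  const raw = env.FLEET_TOKEN_TTL_DAYS;
  const days = raw === undefined || raw === "" ? 90 : Number(raw);
  if (!isFinite(days) || days < 0) throw new Error("invalid FLEET_TOKEN_TTL_DAYS");
  return days === 0 ? null : now + days * DAY_MS;
}

function isExpired(t: Token, now: number): boolean {
  return t.expiresAt !== null && now >= t.expiresAt;
}

function pastGrace(t: Token, now: number): boolean {
  return t.status === "rotating" && t.rotatedAt !== undefined
    && now - t.rotatedAt > ROTATION_GRACE_MS;
}

// Expiry is checked before status, so an expired token fails whatever its status says.
function verifyToken(t: Token, now: number): boolean {
  if (isExpired(t, now)) return false;
  if (t.status === "revoked") return false;
  return !pastGrace(t, now);
}

// An explicit FLEET_REQUIRE_FACTORY_TOKEN wins; otherwise ON only in production.
function factoryTokenEnforcementEnabled(env: Env): boolean {
  const explicit = env.FLEET_REQUIRE_FACTORY_TOKEN;
  if (explicit !== undefined && explicit !== "") return explicit === "true" || explicit === "1";
  return env.NODE_ENV === "production";
}

// Drops tokens that can never verify again and reports the count for the sweep result.
function pruneInvalidatedTokens(tokens: Token[], now: number): { kept: Token[]; tokensDeleted: number } {
  const kept = tokens.filter(
    (t) => !(t.status === "revoked" || isExpired(t, now) || pastGrace(t, now)));
  return { kept, tokensDeleted: tokens.length - kept.length };
}
```

Checking expiry ahead of status is what keeps a leaked token bounded even if its status is never updated.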