
PROP-220: add repl_created_at to GovalReplIdentity + CertificateClaim#48

Draft
pellicceama wants to merge 2 commits into main from zerg/prop-220-add-repl-created-at-field

Conversation

@pellicceama

Why

PROP-220: the OpenInt-side proto change (replit/goval#19555) added a repl_created_at field to GovalReplIdentity. Consumers using this external module to verify identities — most notably goval's own cmd/vault-plugin-goval/path_identity.go, which re-issues short-lived identities from a long-lived renewal token — currently strip the field on reissue because their publicapi.GovalReplIdentity type doesn't know about it.

Mirroring the proto changes here unblocks the Vault renewal handler fix and any other external consumer that wants to preserve the value.

What changed

Three proto additions, all optional and additive:

  • GovalReplIdentity.repl_created_at = 15 (google.protobuf.Timestamp) — when the upstream chain stamped a creation timestamp on the identity, this lets downstream Go consumers see it.
  • CertificateClaim.repl_created_at = 9 (google.protobuf.Timestamp) — the chain-bound version. Verifiers compare the body's repl_created_at to this and reject the token if they disagree.
  • FlagClaim.ANY_REPL_CREATED_AT = 13 — parent-cert wildcard. Conman's identity authority cert is signed once and reused for every repl; it can't pre-enumerate each repl's timestamp. This wildcard lets the parent say "any value is fine here" the same way ANY_REPLID/ANY_USER do for their fields.

protos/external/goval/api/signing.pb.go is regenerated via the existing make target.

Test plan

  • make regenerates the bindings deterministically.
  • go test ./... — clean.
  • go vet ./... — the one pre-existing warning in verify.go:183 is unrelated to this change.

Rollout

Additive proto change. Old consumers ignore the new fields; new consumers tolerate absence (legacy tokens). No protocol break.

Sequence:

  1. Land + tag a release of go-replidentity carrying this change.
  2. Goval bumps the go-replidentity dep and updates cmd/vault-plugin-goval/path_identity.go to preserve repl_created_at across renewals (separate goval PR, stacked).
  3. OpenInt (already open as replit/openint#1661) starts enforcing the cutoff once the rollout signal in Datadog is steady.

Related

~ written by Zerg 👾 (savage-probe-7551)

Mirror the goval#19555 proto changes so consumers of this external
module (notably goval's own vault-plugin-goval) can preserve the new
field when re-issuing identities.

- GovalReplIdentity.repl_created_at (field 15, optional Timestamp)
- CertificateClaim.repl_created_at (field 9, chain-bound)
- FlagClaim.ANY_REPL_CREATED_AT (value 13, parent wildcard)

Proto bindings regenerated via `make` (which delegates to protoc).
Tests pass; pre-existing vet warning in verify.go unrelated.

Once published, goval can bump its go-replidentity dep and the
Vault renewal handler can preserve repl_created_at when reissuing
short-lived identities (see goval follow-up PR).

~ written by Zerg 👾 ([savage-probe-7551](https://zerg.zergrush.dev/chat?id=savage-probe-7551))
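The verifier behaviour the PR description spells out (compare the body's repl_created_at to the chain-bound CertificateClaim value and reject on disagreement, let a reused authority cert delegate with the ANY_REPL_CREATED_AT wildcard, and tolerate legacy tokens that carry no timestamp), as an added Go example that is not part of go-replidentity or this PR. The types, flag values, error values and `verifyReplCreatedAt` are constructed stand-ins for the generated signing.pb.go bindings, with `*time.Time` in place of google.protobuf.Timestamp; the sample chain and timestamps are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Flag is a constructed stand-in for the FlagClaim enum; the numeric values
// here are illustrative, not the upstream proto numbers.
type Flag int

const (
	FlagAnyReplID        Flag = iota + 1 // stand-in for FlagClaim.ANY_REPLID
	FlagAnyReplCreatedAt                 // stand-in for FlagClaim.ANY_REPL_CREATED_AT
)

// ReplIdentity is a stand-in for the identity body (GovalReplIdentity).
// ReplCreatedAt is nil on legacy tokens minted before the field existed.
type ReplIdentity struct {
	ReplID        string
	ReplCreatedAt *time.Time
}

// CertificateClaim is a stand-in for one claim in the signing chain. A leaf
// claim pins a concrete timestamp; an authority (parent) claim that is reused
// across repls carries the ANY_REPL_CREATED_AT wildcard instead.
type CertificateClaim struct {
	ReplID        string
	ReplCreatedAt *time.Time
	Flags         []Flag
}

func (c CertificateClaim) hasFlag(want Flag) bool {
	for _, f := range c.Flags {
		if f == want {
			return true
		}
	}
	return false
}

var (
	ErrCreatedAtMismatch      = errors.New("repl_created_at in body disagrees with leaf claim")
	ErrCreatedAtNotAuthorized = errors.New("repl_created_at claim not authorized by parent")
)

// sameTime treats two absent timestamps as equal (legacy tokens) and otherwise
// requires an exact instant match, independent of time zone representation.
func sameTime(a, b *time.Time) bool {
	if a == nil || b == nil {
		return a == nil && b == nil
	}
	return a.Equal(*b)
}

// verifyReplCreatedAt checks the field through a chain ordered leaf first
// (chain[0]) up to the root authority. The caller is assumed to have already
// verified every signature in the chain; this is only the claim comparison.
func verifyReplCreatedAt(body ReplIdentity, chain []CertificateClaim) error {
	if len(chain) == 0 {
		return errors.New("empty certificate chain")
	}
	// The body must agree with the chain-bound value on the leaf claim. A
	// token that presents a timestamp the signer never bound is rejected, as
	// is one that drops a timestamp the signer did bind.
	if !sameTime(body.ReplCreatedAt, chain[0].ReplCreatedAt) {
		return ErrCreatedAtMismatch
	}
	// Each claim must be authorized by its parent: either the parent pinned
	// the same instant or it delegated with the ANY_REPL_CREATED_AT wildcard.
	for i := 1; i < len(chain); i++ {
		child, parent := chain[i-1], chain[i]
		if parent.hasFlag(FlagAnyReplCreatedAt) {
			continue
		}
		if !sameTime(child.ReplCreatedAt, parent.ReplCreatedAt) {
			return fmt.Errorf("%w: claim %d vs claim %d", ErrCreatedAtNotAuthorized, i-1, i)
		}
	}
	return nil
}

func main() {
	// Constructed sample data: one repl, one authority cert reused for all repls.
	created := time.Date(2026, 5, 16, 18, 28, 0, 0, time.UTC)
	altered := created.Add(time.Hour)
	authority := CertificateClaim{Flags: []Flag{FlagAnyReplID, FlagAnyReplCreatedAt}}
	leaf := CertificateClaim{ReplID: "repl-constructed", ReplCreatedAt: &created}
	chain := []CertificateClaim{leaf, authority}

	fmt.Println("matching body:", verifyReplCreatedAt(ReplIdentity{ReplID: "repl-constructed", ReplCreatedAt: &created}, chain))
	fmt.Println("altered body: ", verifyReplCreatedAt(ReplIdentity{ReplID: "repl-constructed", ReplCreatedAt: &altered}, chain))
	legacy := []CertificateClaim{{ReplID: "repl-constructed"}, authority}
	fmt.Println("legacy token: ", verifyReplCreatedAt(ReplIdentity{ReplID: "repl-constructed"}, legacy))
}
```

The leaf comparison is deliberately strict in both directions: dropping a timestamp the signer bound is treated the same as presenting one the signer never bound, so a renewal handler that strips the field (the bug the PR is unblocking) would fail verification once the cutoff is enforced rather than silently pass as a legacy token.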
@pellicceama pellicceama requested a review from MH15 May 16, 2026 18:28
@pellicceama pellicceama added the zergling-authored PR authored by a Zerg agent label May 16, 2026
@codecov

codecov Bot commented May 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 50.36%. Comparing base (2966ea2) to head (0a687f0).

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #48   +/-   ##
=======================================
  Coverage   50.36%   50.36%           
=======================================
  Files           7        7           
  Lines         691      691           
=======================================
  Hits          348      348           
  Misses        293      293           
  Partials       50       50           


Match the upstream proto's tightened comments.
