Context
Upstream auths (branch dev-security) is remediating red-team findings RT-002 and A.4:
- RT-002 — the stateless/embedded verifier replayed a KEL by structure only and never checked that each event carried a valid signature from the controlling key-state. A forged/unsigned KEL handed to a verifier (e.g. a CI
--identity-bundle) could verify. The fix authenticates KEL events via their CESR signatures.
- A.4 — identity bundles are now evidence-only: a bundle's root must be present in an independent trust pin (
.auths/roots / self-trust), never self-pinned.
These change the IdentityBundle wire format and the verifier's behavior, so this widget (a downstream consumer of the auths-verifier WASM + *.auths.json identity bundles) needs review.
What changed upstream that touches this repo
IdentityBundle gained kel_attachments: string[] — one hex-encoded CESR signature attachment per KEL event (serde-optional). The CLI/embedded verifier now authenticates the bundle's KEL using these and fails closed if they are missing, length-mismatched, or forged. Bundles must be re-exported with the updated auths id export-bundle.
- Verifier is evidence-only (A.4) — a bundle no longer establishes its own trust root; the root must be independently pinned.
- WASM KEL-replay exports (
validateKelJson, verifyDeviceLink) are being changed to require CESR signature attachments (fail-closed on unsigned). NOTE: this widget currently uses verifyChainJson / verifyAttestationWithResult (attestation-chain verification, not KEL replay) and only extracts public_key_hex from bundles, so it is likely unaffected — but this must be confirmed against the new WASM build.
Action items
Related
The auths-dev/verify GitHub Action wraps the auths CLI directly and inherits the new behavior (pre-RT-002 bundles without kel_attachments now fail closed; bundles are evidence-only). It likely needs its own migration note — consider a companion issue there.
Upstream reference: red-team findings RT-002 / A.4 (docs/prompts/red_team_2026_06_10.md in the auths repo).
Context
Upstream auths (branch
dev-security) is remediating red-team findings RT-002 and A.4:--identity-bundle) could verify. The fix authenticates KEL events via their CESR signatures..auths/roots/ self-trust), never self-pinned.These change the
IdentityBundlewire format and the verifier's behavior, so this widget (a downstream consumer of theauths-verifierWASM +*.auths.jsonidentity bundles) needs review.What changed upstream that touches this repo
IdentityBundlegainedkel_attachments: string[]— one hex-encoded CESR signature attachment per KEL event (serde-optional). The CLI/embedded verifier now authenticates the bundle's KEL using these and fails closed if they are missing, length-mismatched, or forged. Bundles must be re-exported with the updatedauths id export-bundle.validateKelJson,verifyDeviceLink) are being changed to require CESR signature attachments (fail-closed on unsigned). NOTE: this widget currently usesverifyChainJson/verifyAttestationWithResult(attestation-chain verification, not KEL replay) and only extractspublic_key_hexfrom bundles, so it is likely unaffected — but this must be confirmed against the new WASM build.Action items
auths-verifierWASM and run the e2e/vitest suites — confirmverifyChainJson/verifyAttestationWithResultare unchanged and still pass.src/resolvers/github.ts,gitlab.ts) tolerate the new additivekel_attachmentsfield (they should, since they readpublic_key_hex— verify there's no strict-schema rejection).kel_attachmentsto the WASM; track thevalidateKelJson→ signed variant.*.auths.jsonbundle must be re-exported with the post-RT-002authsCLI, or it will fail closed.Related
The
auths-dev/verifyGitHub Action wraps theauthsCLI directly and inherits the new behavior (pre-RT-002 bundles withoutkel_attachmentsnow fail closed; bundles are evidence-only). It likely needs its own migration note — consider a companion issue there.Upstream reference: red-team findings RT-002 / A.4 (
docs/prompts/red_team_2026_06_10.mdin theauthsrepo).