Skip to content

RT-002 / A.4: align widget with auths verifier KEL-signature authentication + bundle wire change #4

Description

@bordumb

Context

Upstream auths (branch dev-security) is remediating red-team findings RT-002 and A.4:

  • RT-002 — the stateless/embedded verifier replayed a KEL by structure only and never checked that each event carried a valid signature from the controlling key-state. A forged/unsigned KEL handed to a verifier (e.g. a CI --identity-bundle) could verify. The fix authenticates KEL events via their CESR signatures.
  • A.4 — identity bundles are now evidence-only: a bundle's root must be present in an independent trust pin (.auths/roots / self-trust), never self-pinned.

These change the IdentityBundle wire format and the verifier's behavior, so this widget (a downstream consumer of the auths-verifier WASM + *.auths.json identity bundles) needs review.

What changed upstream that touches this repo

  1. IdentityBundle gained kel_attachments: string[] — one hex-encoded CESR signature attachment per KEL event (serde-optional). The CLI/embedded verifier now authenticates the bundle's KEL using these and fails closed if they are missing, length-mismatched, or forged. Bundles must be re-exported with the updated auths id export-bundle.
  2. Verifier is evidence-only (A.4) — a bundle no longer establishes its own trust root; the root must be independently pinned.
  3. WASM KEL-replay exports (validateKelJson, verifyDeviceLink) are being changed to require CESR signature attachments (fail-closed on unsigned). NOTE: this widget currently uses verifyChainJson / verifyAttestationWithResult (attestation-chain verification, not KEL replay) and only extracts public_key_hex from bundles, so it is likely unaffected — but this must be confirmed against the new WASM build.

Action items

  • Rebuild against the updated auths-verifier WASM and run the e2e/vitest suites — confirm verifyChainJson / verifyAttestationWithResult are unchanged and still pass.
  • Confirm the bundle resolvers (src/resolvers/github.ts, gitlab.ts) tolerate the new additive kel_attachments field (they should, since they read public_key_hex — verify there's no strict-schema rejection).
  • If/when the widget ever performs KEL-replay verification (not just attestation chains), it MUST pass kel_attachments to the WASM; track the validateKelJson → signed variant.
  • Docs/user note: any embedded or fetched *.auths.json bundle must be re-exported with the post-RT-002 auths CLI, or it will fail closed.

Related

The auths-dev/verify GitHub Action wraps the auths CLI directly and inherits the new behavior (pre-RT-002 bundles without kel_attachments now fail closed; bundles are evidence-only). It likely needs its own migration note — consider a companion issue there.

Upstream reference: red-team findings RT-002 / A.4 (docs/prompts/red_team_2026_06_10.md in the auths repo).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions