Skip to content

Stream C — auths-verify-widget GTM: resolver-doc truth + embed/SRI/playground (fn-1)#3

Merged
bordumb merged 7 commits into
mainfrom
fn-152-c1
Jun 9, 2026
Merged

Stream C — auths-verify-widget GTM: resolver-doc truth + embed/SRI/playground (fn-1)#3
bordumb merged 7 commits into
mainfrom
fn-152-c1

Conversation

@bordumb

@bordumb bordumb commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

Stream C — auths-verify-widget GTM

Makes the widget's surface tell the truth about the substance, standardizes the embed, and adds the SRI / version-pinning + interactive-playground polish. From roadmap/go_to_market/go_to_market.md → Stream C (G0.5/G4.1 · G4.4 · G4.5), planned and executed as Flow epic fn-1.

Scope discipline: zero new product features — drift-elimination, packaging, and UX polish only. One repo. example-verify-badge (Stream D) is intentionally untouched.

What's in here

  • P-256 key extraction (b83d528, fn-1.6) — the in-flight did-utils change landed as the foundational commit: did:key (0x80 0x24) + CESR (1AAJ/1AAI) decode to 33-byte compressed SEC1, dispatched on the in-band curve tag. Mirrors Rust KeriPublicKey::parse.
  • Resolver-doc reconciliation — the P0 credibility fix (ca8553e, fn-1.1, D-5) — the GitHub resolver fetches *.auths.json from GitHub Releases, not git refs. Corrected README Quick Start + "How It Works" (now forge-split), CHANGELOG ([0.3.0] pivot entry), auto-resolve.html, the adapter.ts comment, and the executable drift in tests/e2e/live-resolve.test.ts (it asserted listAuthsRefs() git-refs behavior that can't pass). Gitea/GitLab refs wording left intact — they're legitimately refs-based.
  • repo= normalization (01bbb61, fn-1.2) — detectForge now reduces full URLs (.git, trailing /, /tree/main, ?query#hash), protocol-less hosts, and owner/repo[.git] shorthand to one {owner, repo}. Standardized docs on the full-URL form.
  • SRI + pinned-version CDN guidance (78c3761, fn-1.3) — version-pinned @0.3.0 snippet with integrity + crossorigin for unpkg & jsDelivr, plus scripts/sri.mjs (npm run sri) to keep the hash reproducible. Investigated and documented the slim build honestly: it inlines WASM too (byte-identical to full), so one hash covers the whole runtime — no separate .wasm fetch.
  • Embed Builder (43a01a9, fn-1.4) — paste a repo URL → copy a canonical, pinned, SRI-protected <auths-verify> snippet. Logic in examples/embed-snippet.ts reuses detectForge (no duplicated parser); accessible copy button (real <button>, aria-label, aria-live "Copied", secure-context fallback). Deep-linkable via ?repo=.
  • Live preview + Pages deploy (f8f3f83, fn-1.5) — sandboxed iframe srcdoc renders the real badge from the pinned CDN bundle (debounced + deduped to respect GitHub's 60/hr unauthenticated limit). vite.pages.config.ts + npm run build:pages + .github/workflows/pages.yml ship it to GitHub Pages; README links it.

Verification

npm run typecheck clean · 93/93 unit tests · npm run build (full+slim) + npm run build:pages succeed · npm run sri reproduces the documented hash · drift grep (refs/auths/identity|refs/auths/devices/nodes) clean across README/CHANGELOG/examples.

Manual follow-ups (cannot be done from this PR)

  • Enable GitHub Pages: Settings → Pages → Source = "GitHub Actions". The deploy step fails until then (noted in pages.yml).
  • D-6 / Stream D: the live "Verified" demo needs example-verify-badge to publish a real *.auths.json Release asset (different repo).
  • SRI hash at release: the documented hash is from a local build of this source — re-run npm run sri against the published bytes when cutting the release and confirm it matches.

🤖 Generated with Claude Code

bordumb added 7 commits June 8, 2026 23:38
Dispatch curve on the in-band tag (multicodec varint for did:key, derivation
code for CESR), never on byte length. Ed25519 (0xED01 / D,B) stays 32 bytes;
P-256 (0x8024 / 1AAJ,1AAI) returns 33-byte compressed SEC1. Adds base64url +
multicodec helpers and explicit unsupported-tag errors. Mirrors Rust
KeriPublicKey::parse.
…eality

The GitHub adapter resolves attestations from GitHub Release assets
(*.auths.json), not Git refs. Correct the stale git-refs claims:
- README Quick Start, How It Works (now forge-split: GitHub=Release assets,
  Gitea=refs, GitLab=unsupported), prerequisite, supported-forges, and the
  manual-mode public-key row (Ed25519 or P-256).
- CHANGELOG: add [0.3.0] documenting the refs->Releases pivot + P-256;
  mark the 0.1.1 GitHub-adapter line superseded.
- examples/auto-resolve.html: forge-accurate wording.
- adapter.ts: forge-neutral interface doc.
- e2e live-resolve test: GitHub listAuthsRefs is a [] stub; resolve asserts a
  well-formed bundle OR well-formed 'no asset' error (asset pending D-6).

Gitea/GitLab refs wording left intact (legitimately refs-based).
detectForge now reduces the messy forms users paste to one {owner, repo}:
full URLs (+ .git, trailing slash, /tree/main, ?query#hash), protocol-less
hosts (github.com/org/repo), and owner/repo[.git] shorthand. Strips the .git
clone suffix on the shorthand path (was producing repo='repo.git'). Documents
full URL as canonical and the GitLab-subgroup limitation. Adds 8 normalization
unit tests (10 -> 18).
- README: replace the unpinned unpkg snippet with a version-pinned (@0.3.0),
  integrity + crossorigin one for both unpkg and jsDelivr; explain why pinning
  is mandatory with SRI and why crossorigin is required.
- Document the slim-vs-full SRI truth: both builds inline the WASM into a single
  .mjs (verified: byte-identical, same hash), so one integrity hash covers the
  whole runtime — there is no separate .wasm fetch. Corrects the stale 'slim
  loads .wasm separately' claim.
- Add scripts/sri.mjs + 'npm run sri' to generate the sha384 from the built
  bundle so the documented hash stays reproducible per release.
Paste a repo URL (full or owner/repo) -> copy a canonical, version-pinned,
SRI-protected <auths-verify> embed. Logic extracted to examples/embed-snippet.ts
(buildEmbed) which reuses detectForge for normalization (no duplicated parser);
the page is DOM + clipboard wiring only. Accessible copy button: real <button>,
aria-label, aria-live 'Copied' status, secure-context guard with a transient-
textarea execCommand fallback. Config is reflected in the URL query for deep
linking. Adds 9 unit tests; linked from examples/index.html.
- Add a sandboxed-iframe live preview (iframe srcdoc, sandbox=allow-scripts)
  that renders the real badge from the pinned CDN bundle. previewDocument()
  lives in embed-snippet.ts and reuses buildEmbed's forgeAttr so snippet and
  preview agree; integrity is omitted in the preview so it always loads the
  published bytes.
- Rate-limit hygiene: preview is debounced (800ms) and deduped by canonical
  repo URL so it doesn't fire a GitHub API call per keystroke; page notes the
  ~60/hr unauthenticated limit. Defaults to the example repo on load.
- Add vite.pages.config.ts + 'npm run build:pages' (bundles only the
  detect/snippet logic — no WASM) and .github/workflows/pages.yml to deploy to
  GitHub Pages. Enabling Pages (Settings -> Pages -> Source: GitHub Actions) is
  a one-time manual step, noted in the workflow.
- README links to the hosted Embed Builder. Adds 4 previewDocument tests.
@bordumb bordumb merged commit 330e39f into main Jun 9, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant