Context
When auths-auth-server was open-sourced (#317) and realigned to current crate APIs, the verifier's chain-level capability function verify_chain_with_capability no longer existed — capability scoping moved to commit/agent verification (commit_kel.rs: OutsideAgentScope, agent scope), and Attestation no longer carries role/capabilities.
As a result, domain/verification.rs::verify_keri_receipt currently authorizes any valid KERI chain rooted at the supplied key for RFC 7591 client registration. The granular oidc:client:register capability gate is dropped (flagged in code).
Task
Re-introduce a granular registration-authorization check using the current capability model. Determine how a registering identity proves the oidc:client:register capability now (commit/agent scope, role-based authorization at member-authorization time, or a registration-specific attestation) and enforce it.
Acceptance
- Registration authorizes only identities granted
oidc:client:register (per the current model), failing closed otherwise (per meta_prompt §III).
- Adversarial test: a valid chain without the capability is rejected (per meta_prompt §V).
REGISTRATION_CAPABILITY enforcement is restored or the constant removed.
See crates/auths-auth-server/src/domain/verification.rs.
Context
When
auths-auth-serverwas open-sourced (#317) and realigned to current crate APIs, the verifier's chain-level capability functionverify_chain_with_capabilityno longer existed — capability scoping moved to commit/agent verification (commit_kel.rs:OutsideAgentScope, agent scope), andAttestationno longer carriesrole/capabilities.As a result,
domain/verification.rs::verify_keri_receiptcurrently authorizes any valid KERI chain rooted at the supplied key for RFC 7591 client registration. The granularoidc:client:registercapability gate is dropped (flagged in code).Task
Re-introduce a granular registration-authorization check using the current capability model. Determine how a registering identity proves the
oidc:client:registercapability now (commit/agent scope, role-based authorization at member-authorization time, or a registration-specific attestation) and enforce it.Acceptance
oidc:client:register(per the current model), failing closed otherwise (per meta_prompt §III).REGISTRATION_CAPABILITYenforcement is restored or the constant removed.See
crates/auths-auth-server/src/domain/verification.rs.