Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
102 commits
Select commit Hold shift + click to select a range
adea55f
feat(keri): KERI wire-format spec compliance — Epic A (A.1,2,4,6,8,9,…
bordumb Jun 1, 2026
45e96b3
fix(keri): restore std::fmt import + InvalidBackerDelta variant
bordumb Jun 1, 2026
79ffea0
feat(core): use OsRng.fill_bytes for salt/nonce (replace rand::random)
bordumb Jun 1, 2026
16cce1f
build: exact-pin p256/blake3/argon2 to lock versions (E.3)
bordumb Jun 1, 2026
ec75012
feat(git): disable gc.auto + gc.pruneExpire on repo init (F.2)
bordumb Jun 1, 2026
0f9c011
feat(keri): reject silent RB<->NRB backer role flips in rotation (F-23)
bordumb Jun 1, 2026
3d0a0fd
docs(keri): add SPEC.md conformance spec + per-event-type field-set v…
bordumb Jun 1, 2026
224af93
docs(keri): sync identity-model + cryptography docs to post-hardening…
bordumb Jun 1, 2026
5ac8a43
fix(keri): honor weighted backer threshold in KAWA agreement (F-31)
bordumb Jun 1, 2026
6857684
docs: dormant/deferred crate dependency audit (H.2, no deletion)
bordumb Jun 1, 2026
aa471f0
docs: launch-readiness critical-path unblock list (B-H)
bordumb Jun 1, 2026
54a1bc2
refactor: deviceDid to CanonicalDid
bordumb Jun 1, 2026
5b44f0e
feat(verifier): enforce delegation scope on standalone attestations (…
bordumb Jun 1, 2026
ad4ae53
test(keri): witness-flow integration tests — quorum, recovery, conver…
bordumb Jun 1, 2026
508524e
docs: rewrite launch-readiness into a self-contained build plan
bordumb Jun 1, 2026
f985f6e
docs: add §1.5 validation strategy to the build plan
bordumb Jun 1, 2026
9354fba
test(keri): pin cesride CESR encoding against keripy 1.3.4 reference
bordumb Jun 1, 2026
3dc28a6
docs: add Wave 0 (CESR encoding alignment / Option A) to the build plan
bordumb Jun 1, 2026
74dcf5b
feat(keri): add always-on cesride encoding helpers + KeriPublicKey::t…
bordumb Jun 1, 2026
6efef5b
refactor(keri): type the next-key in compute_next_commitment/verify_c…
bordumb Jun 1, 2026
2ad5cd0
feat(keri): SAID + commitment digests are now keripy-byte-identical (…
bordumb Jun 1, 2026
8fe1d2a
docs: update Wave 0 §1.6 with Part 1+2a done, Part 2b resume steps
bordumb Jun 1, 2026
d29862c
feat(keri): verkeys are keripy-byte-identical CESR qb64 (Wave 0, part…
bordumb Jun 2, 2026
fe658ea
chore(test-utils): stop re-exporting curve-specific seeded_p256_keypair
bordumb Jun 2, 2026
405d47f
feat(keri): require a non-empty SAID d on the wire (A.3)
bordumb Jun 2, 2026
8a01f87
refactor(keri): remove unused DelegateIsDelegator config trait (A.13)
bordumb Jun 2, 2026
f2d0f7b
docs: mark Wave 1 (A.3, A.13) complete in launch-readiness plan
bordumb Jun 2, 2026
b52659a
test(keri): commit keripy 1.3.4 dual-index removal-rotation fixtures …
bordumb Jun 2, 2026
9b07f82
feat(keri): add optional prior_index to IndexedSignature (B.1, F-19)
bordumb Jun 2, 2026
a55301b
feat(keri): code-directed attachment parser; populate prior_index (B.…
bordumb Jun 2, 2026
ad91961
feat(keri): dual-index CESR emission (B.2, F-19)
bordumb Jun 2, 2026
432dc69
feat(keri): dual-index rotation validator + drop non-conformant rot/d…
bordumb Jun 2, 2026
723a232
style(keri): rustfmt the B.1/B.4 attachment + validator edits
bordumb Jun 2, 2026
3f38ddc
test(verifier): update rot field-order pin after dropping c (B.4 foll…
bordumb Jun 2, 2026
b5f83e0
fix(keri): bind-check before the asymmetric-rotation guard (B.5 prep)
bordumb Jun 2, 2026
eecbb45
feat(id): true-remove a controller via a dual-index shrink rotation (…
bordumb Jun 2, 2026
f2ccc68
docs(architecture): record the device-model decision (attestations vs…
bordumb Jun 2, 2026
a960d31
docs(architecture): add the "what KERI-only actually costs" roadmap
bordumb Jun 2, 2026
9e6acdf
docs(architecture): rewrite roadmap goal-down (device-bound supply-ch…
bordumb Jun 2, 2026
69f3133
feat(id): append a provided (paired-device) controller in a growth ro…
bordumb Jun 2, 2026
a1d0352
docs(architecture): re-ground multi-device on KERI delegation (Model D)
bordumb Jun 3, 2026
03852ba
revert: drop superseded shared-k[] add_controllers (Epic A → delegation)
bordumb Jun 3, 2026
bb3797c
feat(id): incept a device as a KERI delegated identifier anchored by …
bordumb Jun 3, 2026
ddb50f9
feat(sdk): add_device workflow — incept a delegated device, anchored …
bordumb Jun 3, 2026
170002d
feat(sdk): remove_device — root anchors a delegation revocation
bordumb Jun 3, 2026
389de25
feat(cli): wire `device remove` to delegation revocation; retire Remo…
bordumb Jun 3, 2026
39d2df3
feat(sdk): read the delegation set (live devices) + make load_identit…
bordumb Jun 3, 2026
549f09e
docs(architecture): add Epic A2 (device add + delegation pairing); re…
bordumb Jun 3, 2026
6050c6c
feat(cli): auths device add — delegate a local device (resolve add/Li…
bordumb Jun 3, 2026
8418587
feat(id): delegated device key rotation (drt) — device rotates its ow…
bordumb Jun 3, 2026
1f462ab
refactor(id): split delegated-device inception into joiner + initiato…
bordumb Jun 3, 2026
a5c85a5
feat(pairing): wire device pairing onto KERI delegation
bordumb Jun 3, 2026
83718e5
feat(cli): device list + status read from the delegation set
bordumb Jun 3, 2026
fa26168
feat(pairing): device recovery — pair replacement + revoke old (deleg…
bordumb Jun 3, 2026
2b77ad7
chore(keri): Epic A2 close-out — fmt + drop a task-id comment
bordumb Jun 3, 2026
4958712
feat(sdk): resolve_local_signer — local signer identity on root + del…
bordumb Jun 3, 2026
fb1a25b
feat(cli): write Auths-Id / Auths-Device trailers on signed commits (B1)
bordumb Jun 3, 2026
e7ae53b
feat(sdk): trusted-root pin (.auths/roots) — the trust anchor for KEL…
bordumb Jun 3, 2026
c028218
feat(id): resolve_kel_events for the verifier + fix Ed25519-hardcoded…
bordumb Jun 3, 2026
1625921
feat(verifier): KEL-native commit verdict (verify_commit_against_kel)…
bordumb Jun 3, 2026
d9e9eec
feat(verify): KEL-native commit verification replaces ssh-keygen + al…
bordumb Jun 3, 2026
1715c4b
refactor(verify): drop allowed_signers entirely — KEL replay is the o…
bordumb Jun 3, 2026
3ac81ee
fix(verify): KEL-native verify works end-to-end for the default curve
bordumb Jun 3, 2026
0aee643
test(verify): migrate CLI suite to KEL-native + reconcile docs (Epic B)
bordumb Jun 3, 2026
30ace9f
test: epic B KEL-native signing
bordumb Jun 3, 2026
f0fa137
remove test file
bordumb Jun 3, 2026
a123298
feat(verify): Epic C1+C2 — native KEL distribution (git-remote + OOBI)
bordumb Jun 3, 2026
59dc5b6
feat(keri): Epic C3 — Key-State Notice (signed key-state snapshot)
bordumb Jun 3, 2026
6073acb
feat(witness): Epic D.1 — witness identity as a pinned AID
bordumb Jun 3, 2026
54dff17
feat(witness): Epic D.5 — sync WitnessReceiptLookup trait in auths-keri
bordumb Jun 3, 2026
8ae752f
test(witness): Epic D.3 — icp witness designation + replay round-trip
bordumb Jun 3, 2026
b03ebcb
feat(witness): Epic D.4 — rot witness-set deltas (br/ba)
bordumb Jun 3, 2026
3035a4a
feat(witness): Epic D.2 — receipt signing, provenance & collection-ti…
bordumb Jun 3, 2026
5b120ca
feat(witness): Epic D.6 — receipt-gated KEL replay (M-of-N -> KeyState)
bordumb Jun 4, 2026
2a76639
feat(witness): Epic D.7 — wire receipt gate into verify with verifier…
bordumb Jun 4, 2026
d9ab31a
feat(witness): Epic D.8 — cross-source & witnessed duplicity in the r…
bordumb Jun 4, 2026
c064546
feat(witness): Epic D.9 — surface witness quorum + fork status in ver…
bordumb Jun 4, 2026
3de69cd
feat(witness): Epic D.13 — KSN witness-hardening (KsnTrust::Witnessed)
bordumb Jun 4, 2026
5348612
docs(witness): Epic D.11 — ADR, accepted-risk, roadmap & fn-138 recon…
bordumb Jun 4, 2026
49ecf39
test(witness): Epic D.12 — end-to-end witness convergence through the…
bordumb Jun 4, 2026
ef45e13
feat(witness): Epic D.10 (part 1) — CESR -L/-K receipt couplets, keri…
bordumb Jun 4, 2026
2765258
feat(witness): Epic D.10 (part 2) — OOBI receipts round-trip (receipt…
bordumb Jun 4, 2026
d85f28d
fix(witness): D.10 — curve-agnostic signature encoder (check-curve-ag…
bordumb Jun 4, 2026
162a220
feat(keri): agent & org identity via KERI delegation (Epic E) + bindi…
bordumb Jun 4, 2026
cd81d75
fix(python): curve-aware in-memory keypair (P-256) + xfail broken pai…
bordumb Jun 5, 2026
9e7ff8e
test(keri): F.9 — Epic-D witness pre-flight for Epic-F revocation
bordumb Jun 5, 2026
f8c4cf0
feat(keri): F.1 — ACDC credential type + parameterized SAID + schema …
bordumb Jun 5, 2026
2a6ec1a
feat(keri): F.2 — backerless TEL events (vcp/iss/rev) + SAID + chain …
bordumb Jun 5, 2026
5accc2f
feat(credentials): Epic F.3 — TEL registry storage + KEL anchoring (l…
bordumb Jun 5, 2026
d7caaca
feat(credentials): Epic F.5 — pure WASM-safe ACDC verification + life…
bordumb Jun 5, 2026
6ea1f3a
feat(credentials): Epic F.4 — SDK credentials issue/revoke/list/verif…
bordumb Jun 5, 2026
47e3d48
feat(credentials): Epic F.8 — holder-binding + presentation signature…
bordumb Jun 5, 2026
71777e2
feat(credentials): Epic F.6 — context_from_credential holder-proof po…
bordumb Jun 5, 2026
4d6e41a
feat(credentials): Epic F.10 — migrate caps/role authority readers of…
bordumb Jun 5, 2026
71f6d26
refactor: update sdks
bordumb Jun 6, 2026
f23ab54
refactor: update sdks
bordumb Jun 6, 2026
e5e80fc
fix(ci): resync schemas, patch rustls-webpki, approve esbuild build
bordumb Jun 6, 2026
d6378ad
fix(node-sdk): move esbuild build approval to pnpm-workspace.yaml
bordumb Jun 6, 2026
4e4892b
docs: fix links
bordumb Jun 6, 2026
6b08764
ci(verify-commits): pass KEL-native identity bundle to verify action
bordumb Jun 6, 2026
732380e
chore(auths): pin trusted root in .auths/roots, retire allowed_signers
bordumb Jun 6, 2026
bd3f43e
chore(audit): ignore RUSTSEC-2026-0104 (rustls-webpki 0.101.7, AWS SD…
bordumb Jun 6, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
4 changes: 0 additions & 4 deletions .auths/allowed_signers

This file was deleted.

1 change: 1 addition & 0 deletions .auths/roots
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
did:keri:ECHoDk6bcHtZm3rngCXNpANJNh-U-3Bd5bSO1YVx6Fac
8 changes: 8 additions & 0 deletions .cargo/audit.toml
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,14 @@ ignore = [
# Waiting for AWS SDK to ship with rustls 0.23+.
"RUSTSEC-2026-0098",
"RUSTSEC-2026-0099",

# rustls-webpki 0.101.7 reachable panic parsing a CRL with an empty
# onlySomeReasons BIT STRING — same aws-smithy-http-client -> rustls 0.21 ->
# rustls-webpki 0.101.7 legacy AWS SDK path. Not exploitable: auths doesn't
# use CRLs and the AWS SDK's TLS path doesn't parse them. The 0.103.x copy is
# already patched to 0.103.13; this 0.101.7 copy is pinned until the AWS SDK
# ships rustls 0.23+.
"RUSTSEC-2026-0104",
]

[yanked]
Expand Down
7 changes: 7 additions & 0 deletions .github/workflows/verify-commits.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,13 @@ jobs:

- uses: auths-dev/verify@v1
with:
# Stateless KEL-native verification: the committed identity bundle
# carries the identity + authorization chain so the runner can verify
# commit signatures without ~/.auths. Regenerate when keys rotate or
# the bundle's TTL lapses:
# auths id export-bundle --alias main \
# --output .auths/ci-bundle.json --max-age-secs 31536000
token: .auths/ci-bundle.json
fail-on-unsigned: true
post-pr-comment: 'true'
github-token: ${{ secrets.GITHUB_TOKEN }}
6 changes: 6 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,12 @@ my-artifact.txt.auths.json
tests/e2e/.auths-ci/
.capsec-cache

# === Auths trust anchors ===
# .auths/roots (pinned trusted roots) and .auths/ci-bundle.json are committed.
# .auths/allowed_signers is an auths-managed local file from the legacy
# ssh-keygen verification model — unused by KEL-native commit verification.
.auths/allowed_signers

# jnkn
.jnkn/
jnkn.db
Expand Down
3 changes: 3 additions & 0 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,10 @@ repos:
rev: v5.0.0
hooks:
- id: trailing-whitespace
# Byte-exact keripy oracle fixtures must not be reformatted.
exclude: '^crates/auths-keri/tests/fixtures/keripy/'
- id: end-of-file-fixer
exclude: '^crates/auths-keri/tests/fixtures/keripy/'
- id: check-yaml
args: [--unsafe]
- id: check-toml
Expand Down
49 changes: 7 additions & 42 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,6 @@ schemars = "0.8"
# version and the `rand::thread_rng` / `rand::random` clippy bans cannot be
# bypassed by version skew.
rand = "0.8"

# -------------------------------------------------------------------------
# fn-128.T9: EXACT-PINNED crypto crates.
#
Expand Down
Loading
Loading