Skip to content

Dev recursive improvements#267

Merged
bordumb merged 32 commits into
mainfrom
dev-recursiveImprovements
Jun 13, 2026
Merged

Dev recursive improvements#267
bordumb merged 32 commits into
mainfrom
dev-recursiveImprovements

Conversation

@bordumb

@bordumb bordumb commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

Platform hardening: verification, transparency, identity, supply-chain signing

Batch of platform changes hardening the verification, transparency, and
identity surfaces. Every change is gated by the demos' behavioral harnesses
plus the full AST/clippy/test suite.

Highlights

  • Verification everywhere — offline org-bundle + evidence-pack verification moved down into auths-verifier and exported to WASM; stateless commit-bundle verify (verifyCommitJson) in the browser; signature-only ephemeral verify for scrubbed CI runners.
  • Transparency log — RFC 6962 log writer (append + inclusion proofs), pinned log-operator-key checkpoint attestation, and artifact verify --log-evidence for offline transparency anchoring.
  • Agent & org identity — KEL-anchored OIDC-subject policy, delegation attestations on agent add, SOC 2 / ISO 27001 control predicates, offline authenticated org key-state.
  • Device / mobile — read-only KEL verify in the mobile FFI, delegated device-link verification, offline "prove-alive" auth-challenge verifier, host-applied phone-driven shared-KEL rotation (new POST /v1/pairing/sessions/{id}/shared-kel-rot), cross-machine registry propagation over git.
  • Supply-chain signing — SLSA-shaped CI provenance, --curve flag on ephemeral signing, signing success now actually verified (no more false "✔ Signed"), trailer-replace on re-sign.
  • Tooling / CI — xtask AST checks no longer recurse into nested git worktrees (phantom curve-agnostic violations); api-spec + cargo-deny + error-docs brought current.

Notes

  • Per-cycle commits are unsigned in this branch — squash/re-sign at merge.
  • Verified green end-to-end: demo behavioral harnesses + cargo xtask AST checks + clippy + tests, no regressions.

🤖 Generated with Claude Code

@vercel

vercel Bot commented Jun 12, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
auths Ready Ready Preview, Comment Jun 13, 2026 4:23pm

@github-actions

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
b012d7a0 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
4e4c73cf ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).

Result: ❌ 0/2 commits verified


How to fix

Commit b012d7a0 has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

@github-actions

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
f0a69dbf ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
dadacd4b ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
286d1e74 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
ea9f6b2f ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
d94c327f ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
b012d7a0 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
4e4c73cf ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).

Result: ❌ 0/7 commits verified


How to fix

Commit f0a69dbf has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

@github-actions

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
1697a512 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
df8998e6 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
8b76a2a7 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
f49c6471 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
bf9c2b61 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
15a2f3ee ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
bc68d277 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
8e7ed0fc ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
5d5fd81a ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
874dbd65 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
a747b469 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
9470f334 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
60be98ab ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
1ef2ccc0 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
c174812e ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
a497aa13 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
505c4723 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
3d28d911 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
36a5d6d6 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
2829578e ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
ed6dbf3a ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
2f646085 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
f0a69dbf ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
dadacd4b ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
286d1e74 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
ea9f6b2f ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
d94c327f ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
b012d7a0 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
4e4c73cf ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).

Result: ❌ 0/29 commits verified


How to fix

Commit 1697a512 has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

bordumb and others added 23 commits June 13, 2026 17:07
…-of-band delivery

The auths://pair?... URI existed only inside the rendered QR (offline mode
printed it unconditionally; LAN and online not at all). One flag-gated helper
(print_token_uri in pair/common.rs) now serves all three initiate paths:

- lan: printed after the tokened endpoint is set, before the wait loop
- online: printed inside the SessionCreated status callback
- offline: the previously unconditional URI line is now gated by the flag

Composable with --no-qr. Closes demo gap LTL-4 (lost-the-laptop): scripts can
capture the URI and deliver it via simctl openurl instead of scraping
endpoint+code and re-synthesizing the URI in the app.

Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…, PWNTS-1, V-WASM, AITFC-6

Platform sculpts from seven recursive-improvement cycles, each gated on
probe GREEN + fleet matrix + demo behavioral harness:

- AITFC-1/AITFC-6 (auditor-in-the-faraday-cage): compliance anchored
  releases — attest_release anchors a kind-tagged ReleaseAttestation in
  the org KEL with content-addressed blob storage; discover_releases
  derives signed_at from the anchoring position; CLI compliance
  attest / report --discover
- DOTAK-1 (death-of-the-api-key): OIDC artifact policy join —
  oidc_policy verifier, artifact oidc CLI, infra-http OIDC platforms
- LTL-6b/LTL-R1 (lost-the-laptop): delegated inception FFI context and
  phone-driven shared-KEL rotation (pairing daemon + mobile FFI)
- PWNTS-1 (pipeline-with-nothing-to-steal): signed-artifact machine
  identity in CI workflows
- V-WASM (verify-the-world): closed as free win (fix already upstream)

525/525 sdk+cli tests, workspace clippy clean at cycle 7 gate.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
AttestationInput gained an oidc_binding field and all in-tree call sites were updated, but the two binding-package initializers were missed, leaving the tree uncompilable under the pre-commit hook (E0063). Add oidc_binding: None to match the in-tree default.

Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…apability codec

issue/list/verify carried two divergent grammars for the a.capability claim (comma-joined on issuance, comma-split on list, single-wrapped on verify), so a credential with more than one capability verified as schema_invalid. Add Capability::join_claim/parse_claim — an exact encode/decode inverse pair, the one source of truth — and route all three consumers through it; delete the inline join/split and the verifier's single-wrap. A malformed claim now fails closed to SchemaInvalid rather than fail-wrong. Round-trip and edge-case tests added.

Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…nance

The signing CiEnvironment struct gains repository, sha, and a
fully-qualified workflow_ref, populated at the CLI boundary in
detect_ci_environment from GITHUB_REPOSITORY / GITHUB_WORKFLOW_REF
(canonical, falling back to GITHUB_WORKFLOW) / GITHUB_SHA, with the
GitLab and CircleCI equivalents. All fields are signature-covered in the
ephemeral attestation payload, so provenance is SLSA-shaped: source
identity (repository + sha) plus builder identity (workflow_ref) plus
run, rather than a bare commit_sha the verifier must trust the runner
for.

Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…olution

Expose the org's authenticated key state derived from a bundled org KEL as a
single public call: AirGappedOrgBundle::authenticated_org_state(). It
authenticates the embedded org KEL (RT-002) and returns the resolved KeyState
— the only trust-rooted source of the org's current verkey available offline.

authenticate_bundled_kel is widened to pub and re-exported from domains::org
so callers holding a bare BundledKel share the same primitive instead of
reconstructing SignedEvents and replaying validate_signed_kel. The offline
DSSE compliance-verify path routes through the new method (one source of
truth). Adds a regression test covering resolve-and-fail-closed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Add ComplianceFramework::Soc2 and ::Iso27001 with build_soc2 / build_iso27001,
each mapping the already-classified evidence rows to its framework's control
IDs (SOC 2 CC6.1/6.2/6.3, CC7.2; ISO 27001:2022 A.5.16/A.5.18/A.8.4/A.8.28)
through one shared ControlMapping shape and the existing DSSE in-toto statement
path. Wired through CliFramework and the compliance report --framework selector;
help and tests cover both. Mirrors the existing CRA->SSDF mapping.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…hs-verifier, exported to WASM

Move the pure offline-verification core down into auths-verifier so every
surface (native CLI, FFI, browser) shares one implementation:
- tlog: RFC 6962 Merkle proof math, checkpoint/proof wire types, and
  TransparencyError, moved from auths-transparency (which now re-exports).
- org_bundle: AirGappedOrgBundle/BundledKel wire types, off-boarding record
  verification, RT-002 bundled-KEL authentication, authority-by-KEL-position
  classification, and verify_org_bundle, moved from auths-sdk (which keeps
  the registry-bound builder and re-exports the rest).
- evidence_pack: pack wire types, per-row authority re-derivation, Merkle
  transparency checks, and verify_evidence_pack_offline, likewise.
- wasm: new verifyOrgBundle / verifyEvidencePackOffline exports — sync,
  panic-free, tagged-union verdicts with 16 MiB input ceilings.

Focused fail-closed error types OrgBundleError (AUTHS-E2201..6) and
EvidencePackError (AUTHS-E2301..3) replace OrgError::Bundle* (E5619-21
retired in registry.lock); error docs regenerated via xtask.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…ow verification

The transparency log grows its write half: LogWriter appends leaf hashes
into C2SP level-0 tiles through the TileStore port (filesystem or S3),
signs a fresh checkpoint over the C2SP note body with an Ed25519
LogSigningKey, and mints inclusion evidence directly against that
checkpoint. State is re-derived from tiles and re-verified against the
stored root on every operation, so a corrupted store fails closed.

- prove_inclusion (RFC 6962 PATH) joins compute_root in the one shared
  Merkle implementation in auths_verifier::tlog; generation and
  verification can never drift.
- Evidence-pack row verification now BINDS each transparency proof to its
  row: leaf_hash must re-derive from the row's own artifact digest, so a
  valid proof minted for a different artifact no longer counts.
- CLI: auths log append/prove operate a local log dir (signing key
  created on first append, 0600), emitting TransparencyInclusion JSON
  ready to embed in release rows.

Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…dence-pack verification

verify_evidence_pack_offline (native/WASM/CLI) now takes a pinned log-operator
key: every row's SignedCheckpoint signature is verified against it, upgrading
'in the log' from bare Merkle membership to operator-attested non-repudiation.
SignedCheckpoint::verify_log_signature is the one shared implementation (the
transparency bundle verifier's Ed25519 arm now delegates to it), the CLI gains
'compliance verify --log-key <file>', and RowVerdict reports the new
checkpoint_attested axis honestly (None when no key is pinned).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…attachment-pairing core

- auths-keri: pair_kel_attachments — the single fail-closed definition pairing
  a KEL with its per-event CESR signature groups (count mismatch = the KEL is
  unauthenticated = refused; never a structural-only fallback), plus the
  AttachmentError::CountMismatch variant.
- auths-verifier (wasm): validateKelJson now hex-decodes its wire and routes
  through pair_kel_attachments; the inline mismatch/zip copy is deleted.
- auths-mobile-ffi: new kel_verification module — validate_kel_json
  authenticates a registry KEL (validate_signed_kel; dip/drt fail closed) and
  returns a typed VerifiedKeyState record; new KelVerificationFailed error;
  six unit tests (P-256 happy paths + unauthenticated/forged/tampered/
  malformed rejections); one-line fix of the deprecated GenericArray::as_slice
  so the crate is clippy-clean under -D warnings.

Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…e registry's in-force key

Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
- auths-sdk identity::shared_rot::apply_shared_kel_rot: decode the held
  envelope, replay the registry KEL to prior key state, validate SAID/
  sequence/chain + signing threshold + prior next-commitment reveals,
  then append — the host contributes only its registry, never authorship
- auths-sdk pairing::lan::wait_for_shared_kel_rot: race-free await/take
  of the daemon-held rotation (notify interest registered before take)
- auths id rotate --from-device: ephemeral LAN session (QR/short code/
  --print-uri), receives the co-signed rotation, applies it against
  prior state, refreshes commit trailers; conflicts with all local-
  authoring flags — no local key material is read or written
- cli lan-pairing feature now enables auths-sdk/lan-pairing (one facade,
  no daemon re-wrap); sdk lan-pairing pulls tokio for the waiter

Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…licy writer + verify --oidc-policy-did resolver

The OIDC-subject policy's source of truth moves from a verifier-pinned file
to the org's witnessed log: `auths org anchor-oidc-policy` parses the policy
(never anchors an invalid one), stores the source as a content-addressed blob,
and seals its SHA-256 digest on the org KEL (an oidcpolicy: digest seal,
distinct from every existing marker). `auths artifact verify
--oidc-policy-did <org-did>` resolves the latest anchored policy from the
local registry, refuses digest mismatches (tampered blob = verdict, exit 1),
and JOINs it against the attestation's signed OIDC binding. Rotation is an
auditable KEL event — the latest anchored policy wins.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…n WASM export over a parsed BundleTrust anchor; P-256 SSH verify through the provider port

Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
agents::add_scoped now issues a signed attestation for every delegated
agent (issuer = delegating root, subject = the agent, co-signed by the
agent's key) and persists + anchors it through the same
anchor_and_persist_via_backend path device links use. Programmatically
minted identity bundles now carry a walkable attestation chain instead
of only KEL events, so stateless chain verifiers (verifyChainJson) get a
second, independent provenance leg.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…poll loop, git fetch adapter for refs/auths/*

A relying party verifies against its own registry replica; revocation
freshness is the pull cadence. auths-rp now owns that cadence: the
RegistrySync port (one pull, typed SyncOutcome), the RegistryWatcher
background loop, and GitRegistrySync (feature git-sync) — a non-forced
fetch of refs/auths/* that fails loud on a rewound remote instead of
rolling the replica back below a revocation.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…ush/pull with validated KEL merge

push publishes refs/auths/registry fast-forward-only (append-only registry;
divergence refused, never forced). pull fetches the remote registry into a
throwaway snapshot and merges every KEL into the local trusted floor under
four guards: prefix binding, authenticated replay (validate_signed_kel with
delegator seal lookup), rollback floor, and same-sequence fork refusal —
nothing from a remote persists unvalidated, and signature attachments travel
with the events. One capped untrusted-read primitive (collect_kel_capped)
now serves both the remote KEL fetch and the merge.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…log-evidence under a pinned log key

artifact verify now consumes the offline Merkle inclusion evidence that
'auths log prove --out' mints and decides the verdict's anchored field by
proof: Anchored only when the evidence binds to THIS artifact's canonical
digest, the inclusion/consistency proof verifies, and the checkpoint is
attested by the operator key the verifier pinned out of band. Bad evidence
is a verdict (exit 1), never a skip; --log-evidence/--log-key are enforced
as a pair at the clap boundary.

The verdict logic lives in auths-verifier (verify_artifact_log_inclusion),
composed from the same binding+inclusion helper the evidence-pack row
verdicts now share — one source of truth for 'this proof is FOR this
artifact'.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Add validate_delegated_kel_json — the delegated/device-link counterpart of
validate_kel_json. It carries the delegator (root) KEL alongside the device
KEL, authenticates the delegator first, seeds a KelSealIndex from its proven
anchoring seals, then replays the device's dip against it. The -G source-seal
couple now travels in the device attachment and is rehydrated onto dip/drt
events, so the bilateral delegation binding survives the JSON wire. Pairing is
delegation-aware and shared with validate_kel_json (one source of truth). A
forged delegator, unanchored dip, or back-reference mismatch all fail closed;
the single-KEL entrypoint still refuses a dip by design.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
The ephemeral CI signer minted its one-time key on a hard-coded P-256
curve. Add a --curve <p256|ed25519> option to `artifact sign --ci`,
parsed into a typed CurveType and threaded through EphemeralSignRequest
into sign_artifact_ephemeral, which now mints the key on the requested
curve. P-256 remains the default.

- CurveType gains a single FromStr (the one source of truth for parsing
  a curve name) plus a ParseCurveError; clap derives the value parser
  from it.
- TypedSeed::from_curve builds (curve, bytes) -> TypedSeed in one place;
  sign_artifact_ephemeral and sign_artifact_raw both route through it.
- EphemeralSignRequest carries a parsed curve field so the signer never
  branches on a string.

Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
An ephemeral (did:key) CI signature trust-chains to a maintainer through
its commit_sha; resolving that leg needs the maintainer's repo and pinned
roots. The scrubbed runner that produced the signature has neither, so it
could not confirm what it just emitted (verify forced the commit-anchor
leg and returned valid=false).

Add a typed EphemeralAnchor (Required | SignatureOnly) and an
`artifact verify --signature-only` flag (conflicts with --verify-commit).
SignatureOnly confines the verdict to digest-match + signature and defers
the commit-anchor leg — the signer's self-check. It is not fail-open: a
tampered payload still fails on the digest. The default (full chain) is
unchanged.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
The org create/add-member/revoke-member/policy/compliance commands each
reconstructed the org's keychain alias from a slug, but create derived it
from the org NAME while the others derived it from the org DID — so the
documented happy path failed with 'Key not found' for any org whose name
differs from its DID.

Add resolve_org_signing_alias() in the org domain as the one source of
truth: the org's Primary key is stored keyed by its controller DID, so the
keychain itself reports which alias holds it. Route every org-signing CLI
command and compliance::resolve_org_signing through it; collapse the three
divergent org_slug_alias copies to one fallback. An explicit --key still
overrides, and a wrong alias still fails closed.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
bordumb and others added 8 commits June 13, 2026 17:09
The reference MCP tool executors pinned their sandbox root to a /tmp const,
so a relying party could not root tool execution at its own workspace.

Make the root a parsed config value: McpServerConfig gains sandbox_root
(default /tmp, builder with_sandbox_root, env AUTHS_MCP_SANDBOX_ROOT). The
file-touching executors now take a tools::Sandbox — a once-canonicalized
root parsed at the boundary so every resolve() can trust it (the traversal
guard moves onto Sandbox::resolve). The route handler opens the Sandbox
from config and passes it to the executors. Deletes the /tmp const.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Challenge nonces are base64url and can begin with '-', but the clap
args for the nonce flags lacked allow_hyphen_values, so the natural
space form (--nonce -Pabc...) was parsed as an unknown short flag.
Set allow_hyphen_values on every challenge-nonce flag: credential
present --nonce, auth challenge --nonce, and auth verify --nonce.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
`auths sign <ref>` ran `git commit --amend` to embed the signer trailers and
asked git to sign, but git only attaches a signature when a signing program is
configured. With none configured the amend rewrote the commit unsigned, yet the
CLI still printed "✔ Signed" — which `auths verify` then contradicted with
"No signature found".

After the amend, read each rewritten commit object and confirm a gpgsig SSH
block actually landed (auths_verifier::commit_object_is_signed, the same
detection the verdict path uses to call a commit unsigned). When none did,
return an actionable error pointing at `auths doctor --fix` instead of claiming
success, so the CLI's success line can never disagree with the verifier.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…solver

Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…f appending

git commit --amend --trailer defaults to addIfDifferentNeighbor, which appended a
fresh Auths-Id/Auths-Device (and Auths-Anchor-Seq/Auths-Scope) pair on every
re-sign rather than replacing — a twice-signed commit accreted duplicate trailers.
Amend now runs with -c trailer.ifexists=replace on both the single-commit and the
git rebase --exec range paths, so an existing Auths-* trailer is replaced in place
and a re-signed commit keeps exactly one trailer per token (the latest value).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…-walks

Six checks (curve-agnostic, anchor-discipline, verify-path-completeness,
rfc6979, constant-time ×2) walked the repo root and recursed into nested
git worktrees under .worktrees/, false-positiving on that checkout's
legitimately curve-specific crypto-provider code (123 phantom violations).
The directory filter now skips all hidden dirs — matching the existing
"skip hidden dirs" comment that the code never actually honored — while
keeping target/ and node_modules. Scans drop from 1740 → ~730 files
(current tree only); all six report 0 violations.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
- docs/api-spec.yaml: add POST /v1/pairing/sessions/{id}/shared-kel-rot
  (device-authored shared-KEL rotation submission) + SubmitSharedKelRotRequest
  schema — resolves the spec-drift gate (ADR 004) for the daemon API change.
- deny.toml: add auths-rp to the git2 wrapper allowlist — its git2 use is the
  optional, feature-gated (git-sync) registry-fetch adapter, confined to the
  adapter layer exactly as the ban's reason permits.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
@bordumb bordumb force-pushed the dev-recursiveImprovements branch from 1697a51 to 578f5a9 Compare June 13, 2026 16:20
@github-actions

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
578f5a9d ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
79d1890d ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
0ca88ec7 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
eee627c0 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
3f747a79 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
768c36df ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
fa42f1f0 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
ac415e84 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
eb638af3 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
1bef4d0b ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
4afcffab ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
fa241976 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
cea89bf0 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
d6c7b352 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
4747df21 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
ee32fa28 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
96de9d52 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
9c7108af ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
ef5fb569 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
8b68749b ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
df69939e ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
7832a2e2 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
a65c40d3 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
eafdb9d0 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
48b9765e ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
3791a750 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
922fee78 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
e1162f18 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
8dabb79a ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
051cd23c ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
0f040bac ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG

Result: ❌ 0/31 commits verified


How to fix

Commit 578f5a9d is signed, but its signer could not be verified against the trusted identity.
Make sure the CI identity bundle is present and current, then pass it via the identity-bundle input:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

@github-actions

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
0b7e80e3 ❌ Failed Commit carries no Auths-Id/Auths-Device trailer. The prepare-commit-msg hook installed by auths init adds these on every commit — if this repo sets its own core.hooksPath (e.g. husky), the hook is bypassed; run auths doctor to check. Backfill existing commits with auths sign <ref> (rewrites the commit).
578f5a9d ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
79d1890d ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
0ca88ec7 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
eee627c0 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
3f747a79 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
768c36df ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
fa42f1f0 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
ac415e84 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
eb638af3 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
1bef4d0b ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
4afcffab ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
fa241976 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
cea89bf0 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
d6c7b352 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
4747df21 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
ee32fa28 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
96de9d52 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
9c7108af ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
ef5fb569 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
8b68749b ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
df69939e ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
7832a2e2 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
a65c40d3 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
eafdb9d0 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
48b9765e ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
3791a750 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
922fee78 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
e1162f18 ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
8dabb79a ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
051cd23c ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
0f040bac ❌ Failed Device KEL for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG could not be resolved: KEL not found for did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG

Result: ❌ 0/32 commits verified


How to fix

Commit 0b7e80e3 is signed, but its signer could not be verified against the trusted identity.
Make sure the CI identity bundle is present and current, then pass it via the identity-bundle input:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

@bordumb bordumb merged commit 2197d51 into main Jun 13, 2026
23 of 24 checks passed
@bordumb bordumb deleted the dev-recursiveImprovements branch June 13, 2026 16:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant