Dev recursive improvements#267
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Auths Commit Verification
Result: ❌ 0/2 commits verified How to fixCommit 1. Install auths macOS: 2. One-time setup (creates your identity and configures Git) auths init3. Sign this branch and push auths sign origin/main..HEAD
git push --force-with-leaseFor CI to verify the signer, commit an identity bundle: auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000 |
Auths Commit Verification
Result: ❌ 0/7 commits verified How to fixCommit 1. Install auths macOS: 2. One-time setup (creates your identity and configures Git) auths init3. Sign this branch and push auths sign origin/main..HEAD
git push --force-with-leaseFor CI to verify the signer, commit an identity bundle: auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000 |
Auths Commit Verification
Result: ❌ 0/29 commits verified How to fixCommit 1. Install auths macOS: 2. One-time setup (creates your identity and configures Git) auths init3. Sign this branch and push auths sign origin/main..HEAD
git push --force-with-leaseFor CI to verify the signer, commit an identity bundle: auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000 |
…-of-band delivery The auths://pair?... URI existed only inside the rendered QR (offline mode printed it unconditionally; LAN and online not at all). One flag-gated helper (print_token_uri in pair/common.rs) now serves all three initiate paths: - lan: printed after the tokened endpoint is set, before the wait loop - online: printed inside the SessionCreated status callback - offline: the previously unconditional URI line is now gated by the flag Composable with --no-qr. Closes demo gap LTL-4 (lost-the-laptop): scripts can capture the URI and deliver it via simctl openurl instead of scraping endpoint+code and re-synthesizing the URI in the app. Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…, PWNTS-1, V-WASM, AITFC-6 Platform sculpts from seven recursive-improvement cycles, each gated on probe GREEN + fleet matrix + demo behavioral harness: - AITFC-1/AITFC-6 (auditor-in-the-faraday-cage): compliance anchored releases — attest_release anchors a kind-tagged ReleaseAttestation in the org KEL with content-addressed blob storage; discover_releases derives signed_at from the anchoring position; CLI compliance attest / report --discover - DOTAK-1 (death-of-the-api-key): OIDC artifact policy join — oidc_policy verifier, artifact oidc CLI, infra-http OIDC platforms - LTL-6b/LTL-R1 (lost-the-laptop): delegated inception FFI context and phone-driven shared-KEL rotation (pairing daemon + mobile FFI) - PWNTS-1 (pipeline-with-nothing-to-steal): signed-artifact machine identity in CI workflows - V-WASM (verify-the-world): closed as free win (fix already upstream) 525/525 sdk+cli tests, workspace clippy clean at cycle 7 gate. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
AttestationInput gained an oidc_binding field and all in-tree call sites were updated, but the two binding-package initializers were missed, leaving the tree uncompilable under the pre-commit hook (E0063). Add oidc_binding: None to match the in-tree default. Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…apability codec issue/list/verify carried two divergent grammars for the a.capability claim (comma-joined on issuance, comma-split on list, single-wrapped on verify), so a credential with more than one capability verified as schema_invalid. Add Capability::join_claim/parse_claim — an exact encode/decode inverse pair, the one source of truth — and route all three consumers through it; delete the inline join/split and the verifier's single-wrap. A malformed claim now fails closed to SchemaInvalid rather than fail-wrong. Round-trip and edge-case tests added. Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…nance The signing CiEnvironment struct gains repository, sha, and a fully-qualified workflow_ref, populated at the CLI boundary in detect_ci_environment from GITHUB_REPOSITORY / GITHUB_WORKFLOW_REF (canonical, falling back to GITHUB_WORKFLOW) / GITHUB_SHA, with the GitLab and CircleCI equivalents. All fields are signature-covered in the ephemeral attestation payload, so provenance is SLSA-shaped: source identity (repository + sha) plus builder identity (workflow_ref) plus run, rather than a bare commit_sha the verifier must trust the runner for. Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…olution Expose the org's authenticated key state derived from a bundled org KEL as a single public call: AirGappedOrgBundle::authenticated_org_state(). It authenticates the embedded org KEL (RT-002) and returns the resolved KeyState — the only trust-rooted source of the org's current verkey available offline. authenticate_bundled_kel is widened to pub and re-exported from domains::org so callers holding a bare BundledKel share the same primitive instead of reconstructing SignedEvents and replaying validate_signed_kel. The offline DSSE compliance-verify path routes through the new method (one source of truth). Adds a regression test covering resolve-and-fail-closed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Add ComplianceFramework::Soc2 and ::Iso27001 with build_soc2 / build_iso27001, each mapping the already-classified evidence rows to its framework's control IDs (SOC 2 CC6.1/6.2/6.3, CC7.2; ISO 27001:2022 A.5.16/A.5.18/A.8.4/A.8.28) through one shared ControlMapping shape and the existing DSSE in-toto statement path. Wired through CliFramework and the compliance report --framework selector; help and tests cover both. Mirrors the existing CRA->SSDF mapping. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…hs-verifier, exported to WASM Move the pure offline-verification core down into auths-verifier so every surface (native CLI, FFI, browser) shares one implementation: - tlog: RFC 6962 Merkle proof math, checkpoint/proof wire types, and TransparencyError, moved from auths-transparency (which now re-exports). - org_bundle: AirGappedOrgBundle/BundledKel wire types, off-boarding record verification, RT-002 bundled-KEL authentication, authority-by-KEL-position classification, and verify_org_bundle, moved from auths-sdk (which keeps the registry-bound builder and re-exports the rest). - evidence_pack: pack wire types, per-row authority re-derivation, Merkle transparency checks, and verify_evidence_pack_offline, likewise. - wasm: new verifyOrgBundle / verifyEvidencePackOffline exports — sync, panic-free, tagged-union verdicts with 16 MiB input ceilings. Focused fail-closed error types OrgBundleError (AUTHS-E2201..6) and EvidencePackError (AUTHS-E2301..3) replace OrgError::Bundle* (E5619-21 retired in registry.lock); error docs regenerated via xtask. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…ow verification The transparency log grows its write half: LogWriter appends leaf hashes into C2SP level-0 tiles through the TileStore port (filesystem or S3), signs a fresh checkpoint over the C2SP note body with an Ed25519 LogSigningKey, and mints inclusion evidence directly against that checkpoint. State is re-derived from tiles and re-verified against the stored root on every operation, so a corrupted store fails closed. - prove_inclusion (RFC 6962 PATH) joins compute_root in the one shared Merkle implementation in auths_verifier::tlog; generation and verification can never drift. - Evidence-pack row verification now BINDS each transparency proof to its row: leaf_hash must re-derive from the row's own artifact digest, so a valid proof minted for a different artifact no longer counts. - CLI: auths log append/prove operate a local log dir (signing key created on first append, 0600), emitting TransparencyInclusion JSON ready to embed in release rows. Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…dence-pack verification verify_evidence_pack_offline (native/WASM/CLI) now takes a pinned log-operator key: every row's SignedCheckpoint signature is verified against it, upgrading 'in the log' from bare Merkle membership to operator-attested non-repudiation. SignedCheckpoint::verify_log_signature is the one shared implementation (the transparency bundle verifier's Ed25519 arm now delegates to it), the CLI gains 'compliance verify --log-key <file>', and RowVerdict reports the new checkpoint_attested axis honestly (None when no key is pinned). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…attachment-pairing core - auths-keri: pair_kel_attachments — the single fail-closed definition pairing a KEL with its per-event CESR signature groups (count mismatch = the KEL is unauthenticated = refused; never a structural-only fallback), plus the AttachmentError::CountMismatch variant. - auths-verifier (wasm): validateKelJson now hex-decodes its wire and routes through pair_kel_attachments; the inline mismatch/zip copy is deleted. - auths-mobile-ffi: new kel_verification module — validate_kel_json authenticates a registry KEL (validate_signed_kel; dip/drt fail closed) and returns a typed VerifiedKeyState record; new KelVerificationFailed error; six unit tests (P-256 happy paths + unauthenticated/forged/tampered/ malformed rejections); one-line fix of the deprecated GenericArray::as_slice so the crate is clippy-clean under -D warnings. Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…e registry's in-force key Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
- auths-sdk identity::shared_rot::apply_shared_kel_rot: decode the held envelope, replay the registry KEL to prior key state, validate SAID/ sequence/chain + signing threshold + prior next-commitment reveals, then append — the host contributes only its registry, never authorship - auths-sdk pairing::lan::wait_for_shared_kel_rot: race-free await/take of the daemon-held rotation (notify interest registered before take) - auths id rotate --from-device: ephemeral LAN session (QR/short code/ --print-uri), receives the co-signed rotation, applies it against prior state, refreshes commit trailers; conflicts with all local- authoring flags — no local key material is read or written - cli lan-pairing feature now enables auths-sdk/lan-pairing (one facade, no daemon re-wrap); sdk lan-pairing pulls tokio for the waiter Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…licy writer + verify --oidc-policy-did resolver The OIDC-subject policy's source of truth moves from a verifier-pinned file to the org's witnessed log: `auths org anchor-oidc-policy` parses the policy (never anchors an invalid one), stores the source as a content-addressed blob, and seals its SHA-256 digest on the org KEL (an oidcpolicy: digest seal, distinct from every existing marker). `auths artifact verify --oidc-policy-did <org-did>` resolves the latest anchored policy from the local registry, refuses digest mismatches (tampered blob = verdict, exit 1), and JOINs it against the attestation's signed OIDC binding. Rotation is an auditable KEL event — the latest anchored policy wins. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…n WASM export over a parsed BundleTrust anchor; P-256 SSH verify through the provider port Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
agents::add_scoped now issues a signed attestation for every delegated agent (issuer = delegating root, subject = the agent, co-signed by the agent's key) and persists + anchors it through the same anchor_and_persist_via_backend path device links use. Programmatically minted identity bundles now carry a walkable attestation chain instead of only KEL events, so stateless chain verifiers (verifyChainJson) get a second, independent provenance leg. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…poll loop, git fetch adapter for refs/auths/* A relying party verifies against its own registry replica; revocation freshness is the pull cadence. auths-rp now owns that cadence: the RegistrySync port (one pull, typed SyncOutcome), the RegistryWatcher background loop, and GitRegistrySync (feature git-sync) — a non-forced fetch of refs/auths/* that fails loud on a rewound remote instead of rolling the replica back below a revocation. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…ush/pull with validated KEL merge push publishes refs/auths/registry fast-forward-only (append-only registry; divergence refused, never forced). pull fetches the remote registry into a throwaway snapshot and merges every KEL into the local trusted floor under four guards: prefix binding, authenticated replay (validate_signed_kel with delegator seal lookup), rollback floor, and same-sequence fork refusal — nothing from a remote persists unvalidated, and signature attachments travel with the events. One capped untrusted-read primitive (collect_kel_capped) now serves both the remote KEL fetch and the merge. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…log-evidence under a pinned log key artifact verify now consumes the offline Merkle inclusion evidence that 'auths log prove --out' mints and decides the verdict's anchored field by proof: Anchored only when the evidence binds to THIS artifact's canonical digest, the inclusion/consistency proof verifies, and the checkpoint is attested by the operator key the verifier pinned out of band. Bad evidence is a verdict (exit 1), never a skip; --log-evidence/--log-key are enforced as a pair at the clap boundary. The verdict logic lives in auths-verifier (verify_artifact_log_inclusion), composed from the same binding+inclusion helper the evidence-pack row verdicts now share — one source of truth for 'this proof is FOR this artifact'. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Add validate_delegated_kel_json — the delegated/device-link counterpart of validate_kel_json. It carries the delegator (root) KEL alongside the device KEL, authenticates the delegator first, seeds a KelSealIndex from its proven anchoring seals, then replays the device's dip against it. The -G source-seal couple now travels in the device attachment and is rehydrated onto dip/drt events, so the bilateral delegation binding survives the JSON wire. Pairing is delegation-aware and shared with validate_kel_json (one source of truth). A forged delegator, unanchored dip, or back-reference mismatch all fail closed; the single-KEL entrypoint still refuses a dip by design. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
The ephemeral CI signer minted its one-time key on a hard-coded P-256 curve. Add a --curve <p256|ed25519> option to `artifact sign --ci`, parsed into a typed CurveType and threaded through EphemeralSignRequest into sign_artifact_ephemeral, which now mints the key on the requested curve. P-256 remains the default. - CurveType gains a single FromStr (the one source of truth for parsing a curve name) plus a ParseCurveError; clap derives the value parser from it. - TypedSeed::from_curve builds (curve, bytes) -> TypedSeed in one place; sign_artifact_ephemeral and sign_artifact_raw both route through it. - EphemeralSignRequest carries a parsed curve field so the signer never branches on a string. Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
An ephemeral (did:key) CI signature trust-chains to a maintainer through its commit_sha; resolving that leg needs the maintainer's repo and pinned roots. The scrubbed runner that produced the signature has neither, so it could not confirm what it just emitted (verify forced the commit-anchor leg and returned valid=false). Add a typed EphemeralAnchor (Required | SignatureOnly) and an `artifact verify --signature-only` flag (conflicts with --verify-commit). SignatureOnly confines the verdict to digest-match + signature and defers the commit-anchor leg — the signer's self-check. It is not fail-open: a tampered payload still fails on the digest. The default (full chain) is unchanged. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
The org create/add-member/revoke-member/policy/compliance commands each reconstructed the org's keychain alias from a slug, but create derived it from the org NAME while the others derived it from the org DID — so the documented happy path failed with 'Key not found' for any org whose name differs from its DID. Add resolve_org_signing_alias() in the org domain as the one source of truth: the org's Primary key is stored keyed by its controller DID, so the keychain itself reports which alias holds it. Route every org-signing CLI command and compliance::resolve_org_signing through it; collapse the three divergent org_slug_alias copies to one fallback. An explicit --key still overrides, and a wrong alias still fails closed. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
The reference MCP tool executors pinned their sandbox root to a /tmp const, so a relying party could not root tool execution at its own workspace. Make the root a parsed config value: McpServerConfig gains sandbox_root (default /tmp, builder with_sandbox_root, env AUTHS_MCP_SANDBOX_ROOT). The file-touching executors now take a tools::Sandbox — a once-canonicalized root parsed at the boundary so every resolve() can trust it (the traversal guard moves onto Sandbox::resolve). The route handler opens the Sandbox from config and passes it to the executors. Deletes the /tmp const. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Challenge nonces are base64url and can begin with '-', but the clap args for the nonce flags lacked allow_hyphen_values, so the natural space form (--nonce -Pabc...) was parsed as an unknown short flag. Set allow_hyphen_values on every challenge-nonce flag: credential present --nonce, auth challenge --nonce, and auth verify --nonce. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
`auths sign <ref>` ran `git commit --amend` to embed the signer trailers and asked git to sign, but git only attaches a signature when a signing program is configured. With none configured the amend rewrote the commit unsigned, yet the CLI still printed "✔ Signed" — which `auths verify` then contradicted with "No signature found". After the amend, read each rewritten commit object and confirm a gpgsig SSH block actually landed (auths_verifier::commit_object_is_signed, the same detection the verdict path uses to call a commit unsigned). When none did, return an actionable error pointing at `auths doctor --fix` instead of claiming success, so the CLI's success line can never disagree with the verifier. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…solver Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…f appending git commit --amend --trailer defaults to addIfDifferentNeighbor, which appended a fresh Auths-Id/Auths-Device (and Auths-Anchor-Seq/Auths-Scope) pair on every re-sign rather than replacing — a twice-signed commit accreted duplicate trailers. Amend now runs with -c trailer.ifexists=replace on both the single-commit and the git rebase --exec range paths, so an existing Auths-* trailer is replaced in place and a re-signed commit keeps exactly one trailer per token (the latest value). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
…-walks Six checks (curve-agnostic, anchor-discipline, verify-path-completeness, rfc6979, constant-time ×2) walked the repo root and recursed into nested git worktrees under .worktrees/, false-positiving on that checkout's legitimately curve-specific crypto-provider code (123 phantom violations). The directory filter now skips all hidden dirs — matching the existing "skip hidden dirs" comment that the code never actually honored — while keeping target/ and node_modules. Scans drop from 1740 → ~730 files (current tree only); all six report 0 violations. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
- docs/api-spec.yaml: add POST /v1/pairing/sessions/{id}/shared-kel-rot
(device-authored shared-KEL rotation submission) + SubmitSharedKelRotRequest
schema — resolves the spec-drift gate (ADR 004) for the daemon API change.
- deny.toml: add auths-rp to the git2 wrapper allowlist — its git2 use is the
optional, feature-gated (git-sync) registry-fetch adapter, confined to the
adapter layer exactly as the ban's reason permits.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
Auths-Id: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG Auths-Device: did:keri:ELv6uW2irGkclnFq8lAsAexmoLwZ-3k-ocwjpFBZsIEG
1697a51 to
578f5a9
Compare
Auths Commit Verification
Result: ❌ 0/31 commits verified How to fixCommit auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000 |
Auths Commit Verification
Result: ❌ 0/32 commits verified How to fixCommit auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000 |
Platform hardening: verification, transparency, identity, supply-chain signing
Batch of platform changes hardening the verification, transparency, and
identity surfaces. Every change is gated by the demos' behavioral harnesses
plus the full AST/clippy/test suite.
Highlights
auths-verifierand exported to WASM; stateless commit-bundle verify (verifyCommitJson) in the browser; signature-only ephemeral verify for scrubbed CI runners.artifact verify --log-evidencefor offline transparency anchoring.POST /v1/pairing/sessions/{id}/shared-kel-rot), cross-machine registry propagation over git.--curveflag on ephemeral signing, signing success now actually verified (no more false "✔ Signed"), trailer-replace on re-sign.Notes
cargo xtaskAST checks + clippy + tests, no regressions.🤖 Generated with Claude Code