From 287f0919e76711c92f5203522c443fed49daf1fb Mon Sep 17 00:00:00 2001 
From: bordumb Date: Sun, 5 Apr 2026 19:27:22 -0700 Subject: [PATCH 1/2] refactor: move all auths-* imports from cli to sdk --- .pre-commit-config.yaml | 7 +++ Cargo.lock | 3 -- crates/auths-cli/Cargo.toml | 5 +- crates/auths-cli/src/adapters/agent.rs | 4 +- crates/auths-cli/src/adapters/config_store.rs | 2 +- crates/auths-cli/src/adapters/doctor_fixes.rs | 2 +- crates/auths-cli/src/adapters/ssh_agent.rs | 2 +- crates/auths-cli/src/bin/sign.rs | 26 ++++----- crates/auths-cli/src/commands/agent/mod.rs | 18 +++---- .../src/commands/artifact/batch_sign.rs | 6 +-- crates/auths-cli/src/commands/artifact/mod.rs | 4 +- .../auths-cli/src/commands/artifact/sign.rs | 8 +-- crates/auths-cli/src/commands/auth.rs | 16 +++--- crates/auths-cli/src/commands/cache.rs | 6 +-- crates/auths-cli/src/commands/ci/mod.rs | 4 +- crates/auths-cli/src/commands/ci/rotate.rs | 14 ++--- crates/auths-cli/src/commands/ci/setup.rs | 24 ++++----- crates/auths-cli/src/commands/config.rs | 4 +- .../src/commands/device/authorization.rs | 29 +++++----- .../src/commands/device/pair/common.rs | 23 ++++---- .../src/commands/device/pair/join.rs | 14 ++--- .../auths-cli/src/commands/device/pair/lan.rs | 16 +++--- .../src/commands/device/pair/lan_server.rs | 6 +-- .../auths-cli/src/commands/device/pair/mod.rs | 4 +- .../src/commands/device/pair/offline.rs | 6 +-- .../src/commands/device/pair/online.rs | 10 ++-- .../src/commands/device/verify_attestation.rs | 2 +- crates/auths-cli/src/commands/doctor.rs | 12 ++--- crates/auths-cli/src/commands/emergency.rs | 44 +++++++-------- crates/auths-cli/src/commands/git.rs | 2 +- crates/auths-cli/src/commands/id/claim.rs | 6 +-- crates/auths-cli/src/commands/id/identity.rs | 54 +++++++++---------- crates/auths-cli/src/commands/id/migrate.rs | 24 ++++----- crates/auths-cli/src/commands/id/register.rs | 8 +-- crates/auths-cli/src/commands/index.rs | 2 +- crates/auths-cli/src/commands/init/display.rs | 6 +-- crates/auths-cli/src/commands/init/gather.rs | 10 ++-- 
crates/auths-cli/src/commands/init/helpers.rs | 4 +- crates/auths-cli/src/commands/init/mod.rs | 6 +-- crates/auths-cli/src/commands/init/prompts.rs | 18 +++---- crates/auths-cli/src/commands/key.rs | 10 ++-- crates/auths-cli/src/commands/key_detect.rs | 14 ++--- crates/auths-cli/src/commands/log.rs | 2 +- crates/auths-cli/src/commands/namespace.rs | 14 ++--- crates/auths-cli/src/commands/org.rs | 44 +++++++-------- crates/auths-cli/src/commands/provision.rs | 12 ++--- crates/auths-cli/src/commands/sign.rs | 4 +- crates/auths-cli/src/commands/sign_commit.rs | 2 +- crates/auths-cli/src/commands/signers.rs | 2 +- crates/auths-cli/src/commands/status.rs | 33 ++++++------ crates/auths-cli/src/commands/trust.rs | 2 +- crates/auths-cli/src/commands/utils.rs | 2 +- crates/auths-cli/src/commands/whoami.rs | 6 +-- crates/auths-cli/src/commands/witness.rs | 10 ++-- crates/auths-cli/src/config.rs | 4 +- crates/auths-cli/src/core/provider.rs | 4 +- crates/auths-cli/src/core/pubkey_cache.rs | 2 +- crates/auths-cli/src/errors/renderer.rs | 14 ++--- crates/auths-cli/src/factories/mod.rs | 8 +-- crates/auths-cli/src/factories/storage.rs | 20 +++---- crates/auths-cli/tests/cases/key_rotation.rs | 4 +- crates/auths-cli/tests/cases/preset.rs | 9 ++-- crates/auths-sdk/Cargo.toml | 9 +++- crates/auths-sdk/src/agent_core.rs | 7 +++ crates/auths-sdk/src/attestation.rs | 7 +++ crates/auths-sdk/src/core_config.rs | 5 ++ crates/auths-sdk/src/crypto.rs | 8 +++ crates/auths-sdk/src/error.rs | 13 ++++- crates/auths-sdk/src/ffi.rs | 3 ++ crates/auths-sdk/src/freeze.rs | 5 ++ crates/auths-sdk/src/identity.rs | 14 +++++ crates/auths-sdk/src/keri.rs | 4 ++ crates/auths-sdk/src/keychain.rs | 12 +++++ crates/auths-sdk/src/lib.rs | 35 ++++++++++++ crates/auths-sdk/src/pairing/mod.rs | 11 +++- crates/auths-sdk/src/paths.rs | 3 ++ crates/auths-sdk/src/ports/mod.rs | 15 ++++++ crates/auths-sdk/src/signing.rs | 7 +++ crates/auths-sdk/src/storage.rs | 9 ++++ crates/auths-sdk/src/storage_layout.rs | 7 +++ 
crates/auths-sdk/src/trust.rs | 5 ++ crates/auths-sdk/src/witness.rs | 6 +++ scripts/check_sdk_boundary.sh | 21 ++++++++ 83 files changed, 533 insertions(+), 356 deletions(-) create mode 100644 crates/auths-sdk/src/agent_core.rs create mode 100644 crates/auths-sdk/src/attestation.rs create mode 100644 crates/auths-sdk/src/core_config.rs create mode 100644 crates/auths-sdk/src/crypto.rs create mode 100644 crates/auths-sdk/src/ffi.rs create mode 100644 crates/auths-sdk/src/freeze.rs create mode 100644 crates/auths-sdk/src/identity.rs create mode 100644 crates/auths-sdk/src/keri.rs create mode 100644 crates/auths-sdk/src/keychain.rs create mode 100644 crates/auths-sdk/src/paths.rs create mode 100644 crates/auths-sdk/src/storage.rs create mode 100644 crates/auths-sdk/src/storage_layout.rs create mode 100644 crates/auths-sdk/src/trust.rs create mode 100644 crates/auths-sdk/src/witness.rs create mode 100755 scripts/check_sdk_boundary.sh
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 72c1f9a9..b82e2740 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -21,6 +21,13 @@ repos:
 # ── Fast gates (commit) ──────────────────────────────────────────────
 # These run on every `git commit`. They should take < 3 seconds incrementally.
+ - id: check-sdk-boundary
+ name: SDK boundary check (CLI must not import core/id/storage)
+ entry: bash scripts/check_sdk_boundary.sh
+ language: system
+ files: crates/auths-cli/src/.*\.rs$
+ pass_filenames: false
+
 - id: cargo-fmt
 name: cargo fmt
 entry: cargo fmt --all
diff --git a/Cargo.lock b/Cargo.lock
index 3ff86853..5d7180f4 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -339,9 +339,7 @@ version = "0.1.0"
 dependencies = [
 "anyhow",
 "assert_cmd",
- "auths-core",
 "auths-crypto",
- "auths-id",
 "auths-index",
 "auths-infra-git",
 "auths-infra-http",
@@ -349,7 +347,6 @@ dependencies = [
 "auths-pairing-protocol",
 "auths-policy",
 "auths-sdk",
- "auths-storage",
 "auths-telemetry",
 "auths-transparency",
 "auths-utils",
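Review bot: The new `check-sdk-boundary` hook only fires when a staged file matches `crates/auths-cli/src/.*\.rs$`, so re-adding `auths-core`, `auths-id` or `auths-storage` to `crates/auths-cli/Cargo.toml` (the dependencies this commit removes in the next file) would commit without the boundary check running at all. `scripts/check_sdk_boundary.sh` is in the diffstat but not in this chunk, so whether it also inspects Cargo.toml is not visible here; if it does, widening the trigger to `files: ^crates/auths-cli/(src/.*\.rs|Cargo\.toml)$` closes the gap at no extra cost, since `pass_filenames: false` already makes each run a whole-tree scan. A pre-commit hook is also advisory (a committer can skip it), so the same script should run as a CI gate if it does not already; that is not visible in this chunk either.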
diff --git a/crates/auths-cli/Cargo.toml b/crates/auths-cli/Cargo.toml
index 796efb8d..e549e62c 100644
--- a/crates/auths-cli/Cargo.toml
+++ b/crates/auths-cli/Cargo.toml
@@ -33,13 +33,10 @@ anyhow = "1"
 hex = "0.4.3"
 gethostname = "1.1.0"
 glob.workspace = true
-auths-core = { workspace = true, features = ["witness-server"] }
-auths-id = { workspace = true, features = ["witness-client", "indexed-storage"] }
-auths-storage = { workspace = true, features = ["backend-git"] }
 auths-policy.workspace = true
 auths-index.workspace = true
 auths-crypto.workspace = true
-auths-sdk.workspace = true
+auths-sdk = { workspace = true, features = ["backend-git", "witness-server", "witness-client", "indexed-storage"] }
 auths-transparency = { workspace = true, features = ["native"] }
 auths-pairing-protocol.workspace = true
 auths-telemetry = { workspace = true, features = ["sink-http"] }
diff --git a/crates/auths-cli/src/adapters/agent.rs b/crates/auths-cli/src/adapters/agent.rs
index b728ff37..083f08c1 100644
--- a/crates/auths-cli/src/adapters/agent.rs
+++ b/crates/auths-cli/src/adapters/agent.rs
@@ -5,9 +5,9 @@
 //! with `sign_with_seed()`.
 #[cfg(unix)]
-use auths_core::agent::{AgentStatus, add_identity, agent_sign, check_agent_status};
+use auths_sdk::agent_core::{AgentStatus, add_identity, agent_sign, check_agent_status};
 #[cfg(unix)]
-use auths_core::crypto::ssh::{construct_sshsig_pem, construct_sshsig_signed_data};
+use auths_sdk::crypto::{construct_sshsig_pem, construct_sshsig_signed_data};
 use auths_sdk::ports::agent::{AgentSigningError, AgentSigningPort};
 #[cfg(unix)]
diff --git a/crates/auths-cli/src/adapters/config_store.rs b/crates/auths-cli/src/adapters/config_store.rs
index 789c52c2..22c94309 100644
--- a/crates/auths-cli/src/adapters/config_store.rs
+++ b/crates/auths-cli/src/adapters/config_store.rs
@@ -2,7 +2,7 @@
 use std::path::Path;
-use auths_core::ports::config_store::{ConfigStore, ConfigStoreError};
+use auths_sdk::ports::{ConfigStore, ConfigStoreError};
 /// Reads and writes config files from the local filesystem.
 pub struct FileConfigStore;
diff --git a/crates/auths-cli/src/adapters/doctor_fixes.rs b/crates/auths-cli/src/adapters/doctor_fixes.rs
index 4cbfa429..c73df58a 100644
--- a/crates/auths-cli/src/adapters/doctor_fixes.rs
+++ b/crates/auths-cli/src/adapters/doctor_fixes.rs
@@ -3,8 +3,8 @@
 use std::path::PathBuf;
 use auths_sdk::ports::diagnostics::{CheckResult, DiagnosticError, DiagnosticFix};
+use auths_sdk::storage::RegistryAttestationStorage;
 use auths_sdk::workflows::allowed_signers::AllowedSigners;
-use auths_storage::git::RegistryAttestationStorage;
 /// Regenerates the allowed_signers file from attestation storage.
 ///
diff --git a/crates/auths-cli/src/adapters/ssh_agent.rs b/crates/auths-cli/src/adapters/ssh_agent.rs
index fb5cba42..ce020c6c 100644
--- a/crates/auths-cli/src/adapters/ssh_agent.rs
+++ b/crates/auths-cli/src/adapters/ssh_agent.rs
@@ -1,6 +1,6 @@
 //! CLI adapter for system SSH agent key registration via `ssh-add`.
-use auths_core::ports::ssh_agent::{SshAgentError, SshAgentPort};
+use auths_sdk::ports::{SshAgentError, SshAgentPort};
 use std::path::Path;
 use std::process::Command;
diff --git a/crates/auths-cli/src/bin/sign.rs b/crates/auths-cli/src/bin/sign.rs
index 0c784597..b5db8959 100644
--- a/crates/auths-cli/src/bin/sign.rs
+++ b/crates/auths-cli/src/bin/sign.rs
@@ -32,10 +32,10 @@ use clap::Parser; use auths_cli::adapters::config_store::FileConfigStore; use auths_cli::core::pubkey_cache::get_cached_pubkey; use auths_cli::factories::build_agent_provider; -use auths_core::config::{EnvironmentConfig, load_config}; -use auths_core::signing::{KeychainPassphraseProvider, PassphraseProvider}; -use auths_core::storage::keychain::get_platform_keychain; -use auths_core::storage::passphrase_cache::{get_passphrase_cache, parse_duration_str}; +use auths_sdk::core_config::{EnvironmentConfig, load_config}; +use auths_sdk::keychain::get_platform_keychain; +use auths_sdk::keychain::{get_passphrase_cache, parse_duration_str}; +use auths_sdk::signing::{KeychainPassphraseProvider, PassphraseProvider}; use auths_sdk::workflows::signing::{ CommitSigningContext, CommitSigningParams, CommitSigningWorkflow, }; @@ -133,7 +133,9 @@ fn build_signing_context(alias: &str) -> Result { let passphrase_provider: Arc = if let Some(passphrase) = env_config.keychain.passphrase.clone() { - Arc::new(auths_core::PrefilledPassphraseProvider::new(&passphrase)) + Arc::new(auths_sdk::signing::PrefilledPassphraseProvider::new( + &passphrase, + )) } else { let config = load_config(&FileConfigStore); let cache = get_passphrase_cache(config.passphrase.biometric); @@ -277,7 +279,7 @@ fn run_sign(args: &Args) -> Result<()> { let pubkey = get_cached_pubkey(&alias).ok().flatten().unwrap_or_default(); - let repo_path = auths_id::storage::layout::resolve_repo_path(None).ok(); + let repo_path = auths_sdk::storage_layout::resolve_repo_path(None).ok(); let ctx = build_signing_context(&alias)?; let mut params = CommitSigningParams::new(&alias, namespace, data).with_pubkey(pubkey); @@ -300,8 +302,8 @@ fn run_sign(args: &Args) -> Result<()> { #[cfg(test)] mod tests { use super::*; - use auths_core::crypto::ssh::construct_sshsig_signed_data; use auths_crypto::Pkcs8Der; + use auths_sdk::crypto::construct_sshsig_signed_data; #[test] fn test_args_accepts_o_flag() { 
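Review bot: The first hunk of `bin/sign.rs` imports `auths_sdk::keychain` on two consecutive `use` lines (`get_platform_keychain` on one, `{get_passphrase_cache, parse_duration_str}` on the next); rustfmt sorts these but never merges them, so they should be one line: `use auths_sdk::keychain::{get_passphrase_cache, get_platform_keychain, parse_duration_str};`. The same split appears in `commands/auth.rs` (three `use auths_sdk::crypto::…` lines), `commands/ci/setup.rs` (`auths_sdk::keychain` and `auths_sdk::ports` twice each), `commands/device/pair/join.rs` (`auths_sdk::pairing` three times) and `commands/device/pair/lan.rs` (`auths_sdk::pairing` twice). If the project formats with nightly rustfmt, `imports_granularity = "Module"` in rustfmt.toml would enforce this mechanically; otherwise it is a one-off cleanup before the new facade paths spread further.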
@@ -411,7 +413,7 @@ mod tests { #[test] fn test_sshsig_format() { - use auths_core::crypto::ssh::SecureSeed; + use auths_sdk::crypto::SecureSeed; let seed = SecureSeed::new([ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, @@ -420,7 +422,7 @@ mod tests { ]); let data = b"test data to sign"; - let result = auths_core::crypto::ssh::create_sshsig(&seed, data, "git"); + let result = auths_sdk::crypto::create_sshsig(&seed, data, "git"); assert!(result.is_ok(), "SSHSIG creation failed: {:?}", result.err()); @@ -431,7 +433,7 @@ mod tests { #[test] fn test_encode_ssh_pubkey() { - use auths_core::crypto::ssh::encode_ssh_pubkey; + use auths_sdk::crypto::encode_ssh_pubkey; let pubkey = [0x42u8; 32]; let blob = encode_ssh_pubkey(&pubkey); @@ -471,7 +473,7 @@ mod tests { #[test] fn test_extract_seed_from_pkcs8_ring_generated_key() { - use auths_core::crypto::ssh::extract_seed_from_pkcs8; + use auths_sdk::crypto::extract_seed_from_pkcs8; use ring::rand::SystemRandom; use ring::signature::{Ed25519KeyPair, KeyPair}; @@ -502,7 +504,7 @@ mod tests { #[test] fn test_extract_seed_from_pkcs8_rejects_invalid_input() { - use auths_core::crypto::ssh::extract_seed_from_pkcs8; + use auths_sdk::crypto::extract_seed_from_pkcs8; let bad_input = Pkcs8Der::new(vec![0u8; 50]); let result = extract_seed_from_pkcs8(&bad_input); diff --git a/crates/auths-cli/src/commands/agent/mod.rs b/crates/auths-cli/src/commands/agent/mod.rs index d6515ab2..842e9b15 100644 --- a/crates/auths-cli/src/commands/agent/mod.rs +++ b/crates/auths-cli/src/commands/agent/mod.rs @@ -216,7 +216,7 @@ fn parse_timeout(s: &str) -> Result { } fn get_auths_dir() -> Result { - auths_core::paths::auths_home().map_err(|e| anyhow!(e)) + auths_sdk::paths::auths_home().map_err(|e| anyhow!(e)) } /// Get the default socket path. 
@@ -286,7 +286,7 @@ fn run_agent_foreground( env_path: &std::path::Path, timeout: std::time::Duration, ) -> Result<()> { - use auths_core::AgentHandle; + use auths_sdk::agent_core::AgentHandle; use std::sync::Arc; let pid = std::process::id(); @@ -323,7 +323,7 @@ fn run_agent_foreground( let rt = tokio::runtime::Runtime::new().context("Failed to create tokio runtime")?; let result = rt.block_on(async { - auths_core::api::start_agent_listener_with_handle(handle.clone()).await + auths_sdk::agent_core::start_agent_listener_with_handle(handle.clone()).await }); cleanup_stale_files(&[pid_path, env_path, socket]); @@ -511,7 +511,7 @@ fn lock_agent() -> Result<()> { } let socket_path = get_default_socket_path()?; - auths_core::agent::remove_all_identities(&socket_path) + auths_sdk::agent_core::remove_all_identities(&socket_path) .map_err(|e| anyhow!("Failed to lock agent: {}", e))?; eprintln!("Agent locked — all keys removed from memory."); 
@@ -539,21 +539,19 @@ fn unlock_agent(key_alias: &str) -> Result<()> { let socket_path = get_default_socket_path()?; - let keychain = auths_core::storage::keychain::get_platform_keychain() + let keychain = auths_sdk::keychain::get_platform_keychain() .map_err(|e| anyhow!("Failed to get platform keychain: {}", e))?; let (_identity_did, _role, encrypted_data) = keychain - .load_key(&auths_core::storage::keychain::KeyAlias::new_unchecked( - key_alias, - )) + .load_key(&auths_sdk::keychain::KeyAlias::new_unchecked(key_alias)) .map_err(|e| anyhow!("Failed to load key '{}': {}", key_alias, e))?; let passphrase = rpassword::prompt_password(format!("Passphrase for '{}': ", key_alias)) .context("Failed to read passphrase")?; - let key_bytes = auths_core::crypto::signer::decrypt_keypair(&encrypted_data, &passphrase) + let key_bytes = auths_sdk::crypto::decrypt_keypair(&encrypted_data, &passphrase) .map_err(|e| anyhow!("Failed to decrypt key '{}': {}", key_alias, e))?; - auths_core::agent::add_identity(&socket_path, &key_bytes) + auths_sdk::agent_core::add_identity(&socket_path, &key_bytes) .map_err(|e| anyhow!("Failed to add key to agent: {}", e))?; eprintln!("Agent unlocked — key '{}' loaded.", key_alias); diff --git a/crates/auths-cli/src/commands/artifact/batch_sign.rs b/crates/auths-cli/src/commands/artifact/batch_sign.rs index e4b99fea..f4759648 100644 --- a/crates/auths-cli/src/commands/artifact/batch_sign.rs +++ b/crates/auths-cli/src/commands/artifact/batch_sign.rs @@ -4,8 +4,8 @@ use anyhow::{Context, Result}; use std::path::PathBuf; use std::sync::Arc; -use auths_core::config::EnvironmentConfig; -use auths_core::signing::PassphraseProvider; +use auths_sdk::core_config::EnvironmentConfig; +use auths_sdk::signing::PassphraseProvider; use auths_sdk::workflows::ci::batch_attest::{ BatchEntry, BatchEntryResult, BatchSignConfig, batch_sign_artifacts, default_attestation_path, }; 
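Review bot: The rewritten `load_key` call in `unlock_agent` still builds the alias with `KeyAlias::new_unchecked(key_alias)`, skipping whatever validation `KeyAlias::new` performs, while `handle_auth_challenge` in `commands/auth.rs` in this same commit goes through `KeyAlias::new(&key_alias_str).map_err(|e| anyhow!("Invalid key alias: {e}"))?`. Where `key_alias` originates is outside the hunk (the function takes `&str`; presumably it is the CLI argument), and elsewhere the project pairs `new_unchecked` with `#[allow(clippy::disallowed_methods)]` and an `INVARIANT:` comment (`ci/setup.rs`, `device/pair/common.rs`), neither of which is visible here. Suggest `let alias = auths_sdk::keychain::KeyAlias::new(key_alias).map_err(|e| anyhow!("Invalid key alias '{}': {}", key_alias, e))?;` before the keychain call and `.load_key(&alias)` in place of the `new_unchecked` line, keeping the `&str` for the later `format!`/`eprintln!` uses. `unlock_agent` starts before the hunk and its end is not shown.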
@@ -43,7 +43,7 @@ pub fn handle_batch_sign( passphrase_provider: Arc, env_config: &EnvironmentConfig, ) -> Result<()> { - let repo_path = auths_id::storage::layout::resolve_repo_path(repo_opt)?; + let repo_path = auths_sdk::storage_layout::resolve_repo_path(repo_opt)?; let ctx = build_auths_context(&repo_path, env_config, Some(passphrase_provider))?; let paths = expand_glob(pattern)?; diff --git a/crates/auths-cli/src/commands/artifact/mod.rs b/crates/auths-cli/src/commands/artifact/mod.rs index 89aa8a48..296c135a 100644 --- a/crates/auths-cli/src/commands/artifact/mod.rs +++ b/crates/auths-cli/src/commands/artifact/mod.rs @@ -10,8 +10,8 @@ use std::path::{Path, PathBuf}; use std::sync::Arc; use anyhow::{Result, bail}; -use auths_core::config::EnvironmentConfig; -use auths_core::signing::PassphraseProvider; +use auths_sdk::core_config::EnvironmentConfig; +use auths_sdk::signing::PassphraseProvider; use auths_sdk::signing::validate_commit_sha; #[derive(Args, Debug, Clone)] diff --git a/crates/auths-cli/src/commands/artifact/sign.rs b/crates/auths-cli/src/commands/artifact/sign.rs index 7cc631c9..8d8b2507 100644 --- a/crates/auths-cli/src/commands/artifact/sign.rs +++ b/crates/auths-cli/src/commands/artifact/sign.rs @@ -2,12 +2,12 @@ use anyhow::{Context, Result}; use std::path::{Path, PathBuf}; use std::sync::Arc; -use auths_core::config::EnvironmentConfig; -use auths_core::signing::PassphraseProvider; -use auths_core::storage::keychain::KeyAlias; +use auths_sdk::core_config::EnvironmentConfig; use auths_sdk::domains::signing::service::{ ArtifactSigningParams, SigningKeyMaterial, sign_artifact, }; +use auths_sdk::keychain::KeyAlias; +use auths_sdk::signing::PassphraseProvider; use super::file::FileArtifact; use crate::factories::storage::build_auths_context; 
@@ -26,7 +26,7 @@ pub fn handle_sign( passphrase_provider: Arc, env_config: &EnvironmentConfig, ) -> Result<()> { - let repo_path = auths_id::storage::layout::resolve_repo_path(repo_opt)?; + let repo_path = auths_sdk::storage_layout::resolve_repo_path(repo_opt)?; let ctx = build_auths_context(&repo_path, env_config, Some(passphrase_provider))?; diff --git a/crates/auths-cli/src/commands/auth.rs b/crates/auths-cli/src/commands/auth.rs index 611fc498..a74635a1 100644 --- a/crates/auths-cli/src/commands/auth.rs +++ b/crates/auths-cli/src/commands/auth.rs @@ -1,15 +1,15 @@ use anyhow::{Context, Result, anyhow}; use clap::{Parser, Subcommand}; -use auths_core::crypto::provider_bridge; -use auths_core::crypto::signer::decrypt_keypair; -use auths_core::crypto::ssh::extract_seed_from_pkcs8; -use auths_core::storage::keychain::{KeyStorage, get_platform_keychain_with_config}; use auths_crypto::Pkcs8Der; -use auths_id::storage::identity::IdentityStorage; -use auths_id::storage::layout; +use auths_sdk::crypto::decrypt_keypair; +use auths_sdk::crypto::extract_seed_from_pkcs8; +use auths_sdk::crypto::provider_bridge; +use auths_sdk::keychain::{KeyStorage, get_platform_keychain_with_config}; +use auths_sdk::ports::IdentityStorage; +use auths_sdk::storage::RegistryIdentityStorage; +use auths_sdk::storage_layout::layout; use auths_sdk::workflows::auth::sign_auth_challenge; -use auths_storage::git::RegistryIdentityStorage; use crate::commands::executable::ExecutableCommand; use crate::config::CliConfig; @@ -68,7 +68,7 @@ fn handle_auth_challenge(nonce: &str, domain: &str, ctx: &CliConfig) -> Result<( let key_alias_str = super::key_detect::auto_detect_device_key(ctx.repo_path.as_deref(), &ctx.env_config)?; - let key_alias = auths_core::storage::keychain::KeyAlias::new(&key_alias_str) + let key_alias = auths_sdk::keychain::KeyAlias::new(&key_alias_str) .map_err(|e| anyhow!("Invalid key alias: {e}"))?; let keychain = get_platform_keychain_with_config(&ctx.env_config)?; 
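Review bot: This hunk imports `auths_sdk::storage_layout::layout` as a module, while `bin/sign.rs`, `artifact/batch_sign.rs` and `artifact/sign.rs` in the same commit call `auths_sdk::storage_layout::resolve_repo_path` directly, so the new facade presumably exposes the same items both flat and under a nested `layout` module (`commands/ci/mod.rs` and `device/authorization.rs` use the nested form too). The `ports` facade has the same shape: flat `auths_sdk::ports::{ConfigStore, IdentityStorage, SystemClock}` alongside nested `ports::agent::…`, `ports::pairing::…` and `ports::diagnostics::…`. `crates/auths-sdk/src/storage_layout.rs` and `ports/mod.rs` are in the diffstat but not in this chunk; one of the two spellings should be named as canonical in their `//!` module docs so the boundary script and future callers converge on it, with the other dropped or marked as a compatibility re-export.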
diff --git a/crates/auths-cli/src/commands/cache.rs b/crates/auths-cli/src/commands/cache.rs
index 641f8d0b..251372a9 100644
--- a/crates/auths-cli/src/commands/cache.rs
+++ b/crates/auths-cli/src/commands/cache.rs
@@ -5,8 +5,8 @@
 use anyhow::{Context, Result};
 use clap::{Parser, Subcommand};
-use auths_core::config::EnvironmentConfig;
-use auths_id::keri::cache;
+use auths_sdk::core_config::EnvironmentConfig;
+use auths_sdk::keri::cache;
 #[derive(Parser, Debug, Clone)]
 #[command(about = "Manage local identity history cache")]
@@ -34,7 +34,7 @@ enum CacheSubcommand {
 }
 pub fn handle_cache(cmd: CacheCommand, env_config: &EnvironmentConfig) -> Result<()> {
- let auths_home = auths_core::paths::auths_home_with_config(env_config)
+ let auths_home = auths_sdk::paths::auths_home_with_config(env_config)
 .context("Failed to resolve auths home directory")?;
 match cmd.command {
 CacheSubcommand::List => handle_list(&auths_home),
diff --git a/crates/auths-cli/src/commands/ci/mod.rs b/crates/auths-cli/src/commands/ci/mod.rs
index ee2fe3f0..a10af439 100644
--- a/crates/auths-cli/src/commands/ci/mod.rs
+++ b/crates/auths-cli/src/commands/ci/mod.rs
@@ -8,8 +8,8 @@ use anyhow::Result;
 use clap::{Args, Subcommand};
 use std::sync::Arc;
-use auths_core::signing::PassphraseProvider;
-use auths_id::storage::layout;
+use auths_sdk::signing::PassphraseProvider;
+use auths_sdk::storage_layout::layout;
 use crate::commands::executable::ExecutableCommand;
 use crate::config::CliConfig;
diff --git a/crates/auths-cli/src/commands/ci/rotate.rs b/crates/auths-cli/src/commands/ci/rotate.rs
index 4c52d0e6..dbafcf2f 100644
--- a/crates/auths-cli/src/commands/ci/rotate.rs
+++ b/crates/auths-cli/src/commands/ci/rotate.rs
@@ -4,13 +4,13 @@ use anyhow::{Context, Result, anyhow}; use std::path::Path; use std::sync::Arc; -use auths_core::config::EnvironmentConfig; -use auths_core::signing::PassphraseProvider; -use auths_core::storage::keychain::{KeyAlias, get_platform_keychain}; use auths_crypto::did_key::ed25519_pubkey_to_did_key; +use auths_sdk::core_config::EnvironmentConfig; use auths_sdk::domains::ci::bundle::build_identity_bundle; use auths_sdk::domains::ci::forge::Forge; use auths_sdk::domains::ci::token::CiToken; +use auths_sdk::keychain::{KeyAlias, get_platform_keychain}; +use auths_sdk::signing::PassphraseProvider; use ring::signature::KeyPair; use zeroize::Zeroizing; @@ -99,9 +99,9 @@ pub fn run_rotate( let (_, _, encrypted_key) = keychain .load_key(&key_alias) .context("Failed to load CI device key")?; - let pkcs8 = auths_core::crypto::signer::decrypt_keypair(&encrypted_key, &ci_pass) + let pkcs8 = auths_sdk::crypto::decrypt_keypair(&encrypted_key, &ci_pass) .context("Failed to decrypt CI device key")?; - let kp = auths_id::identity::helpers::load_keypair_from_der_or_seed(&pkcs8)?; + let kp = auths_sdk::identity::load_keypair_from_der_or_seed(&pkcs8)?; let pub_bytes: [u8; 32] = kp .public_key() .as_ref() @@ -117,8 +117,8 @@ pub fn run_rotate( // Re-export verify bundle let identity_storage = - auths_storage::git::RegistryIdentityStorage::new(repo_path.to_path_buf()); - let identity = auths_id::storage::identity::IdentityStorage::load_identity(&identity_storage) + auths_sdk::storage::RegistryIdentityStorage::new(repo_path.to_path_buf()); + let identity = auths_sdk::ports::IdentityStorage::load_identity(&identity_storage) .context("Failed to load identity")?; let identity_did_str = identity.controller_did.to_string(); diff --git a/crates/auths-cli/src/commands/ci/setup.rs b/crates/auths-cli/src/commands/ci/setup.rs index a5dfecd3..ec51f7fa 100644 --- a/crates/auths-cli/src/commands/ci/setup.rs +++ b/crates/auths-cli/src/commands/ci/setup.rs 
@@ -4,19 +4,17 @@ use anyhow::{Context, Result, anyhow}; use std::path::Path; use std::sync::Arc; -use auths_core::config::EnvironmentConfig; -use auths_core::signing::PassphraseProvider; -use auths_core::storage::encrypted_file::EncryptedFileStorage; -use auths_core::storage::keychain::{ - IdentityDID, KeyAlias, KeyRole, KeyStorage, get_platform_keychain, -}; use auths_crypto::did_key::ed25519_pubkey_to_did_key; -use auths_id::storage::attestation::AttestationSource; -use auths_id::storage::identity::IdentityStorage; +use auths_sdk::core_config::EnvironmentConfig; use auths_sdk::domains::ci::bundle::{build_identity_bundle, generate_ci_passphrase}; use auths_sdk::domains::ci::forge::Forge; use auths_sdk::domains::ci::token::CiToken; -use auths_storage::git::{RegistryAttestationStorage, RegistryIdentityStorage}; +use auths_sdk::keychain::EncryptedFileStorage; +use auths_sdk::keychain::{IdentityDID, KeyAlias, KeyRole, KeyStorage, get_platform_keychain}; +use auths_sdk::ports::AttestationSource; +use auths_sdk::ports::IdentityStorage; +use auths_sdk::signing::PassphraseProvider; +use auths_sdk::storage::{RegistryAttestationStorage, RegistryIdentityStorage}; use auths_verifier::IdentityBundle; use ring::signature::KeyPair; use zeroize::Zeroizing; @@ -150,9 +148,9 @@ pub fn run_setup( let (_, _, encrypted_key) = keychain .load_key(&key_alias) .context("Failed to load CI device key")?; - let pkcs8 = auths_core::crypto::signer::decrypt_keypair(&encrypted_key, &ci_pass) + let pkcs8 = auths_sdk::crypto::decrypt_keypair(&encrypted_key, &ci_pass) .context("Failed to decrypt CI device key")?; - let kp = auths_id::identity::helpers::load_keypair_from_der_or_seed(&pkcs8)?; + let kp = auths_sdk::identity::load_keypair_from_der_or_seed(&pkcs8)?; let pub_bytes: [u8; 32] = kp .public_key() .as_ref() 
@@ -313,7 +311,7 @@ fn link_ci_device( auths_sdk::domains::device::service::link_device( link_config, &ctx, - &auths_core::ports::clock::SystemClock, + &auths_sdk::ports::SystemClock, ) .map_err(|e| anyhow!("Failed to link CI device: {e}"))?; @@ -337,7 +335,7 @@ pub(super) fn build_verify_bundle( let now = chrono::Utc::now(); #[allow(clippy::disallowed_methods)] - let identity_did = auths_core::storage::keychain::IdentityDID::new_unchecked(identity_did_str); + let identity_did = auths_sdk::keychain::IdentityDID::new_unchecked(identity_did_str); #[allow(clippy::disallowed_methods)] let public_key_hex = auths_verifier::PublicKeyHex::new_unchecked(hex::encode(public_key_bytes)); diff --git a/crates/auths-cli/src/commands/config.rs b/crates/auths-cli/src/commands/config.rs index 209fc032..4ac0e23c 100644 --- a/crates/auths-cli/src/commands/config.rs +++ b/crates/auths-cli/src/commands/config.rs @@ -3,7 +3,7 @@ use crate::commands::executable::ExecutableCommand; use crate::config::CliConfig; use anyhow::{Result, bail}; -use auths_core::config::{AuthsConfig, PassphraseCachePolicy, load_config, save_config}; +use auths_sdk::core_config::{AuthsConfig, PassphraseCachePolicy, load_config, save_config}; use crate::adapters::config_store::FileConfigStore; use clap::{Parser, Subcommand}; @@ -71,7 +71,7 @@ fn execute_set(key: &str, value: &str) -> Result<()> { config.passphrase.cache = parse_cache_policy(value)?; } "passphrase.duration" => { - auths_core::storage::passphrase_cache::parse_duration_str(value).ok_or_else(|| { + auths_sdk::keychain::parse_duration_str(value).ok_or_else(|| { anyhow::anyhow!( "Invalid duration '{}'. Use formats like '7d', '24h', '30m', '3600s'.", value diff --git a/crates/auths-cli/src/commands/device/authorization.rs b/crates/auths-cli/src/commands/device/authorization.rs index 922a4bc5..da84cc37 100644 --- a/crates/auths-cli/src/commands/device/authorization.rs +++ b/crates/auths-cli/src/commands/device/authorization.rs 
@@ -7,17 +7,16 @@ use std::fs; use std::path::{Path, PathBuf}; use std::sync::Arc; -use auths_core::config::EnvironmentConfig; -use auths_core::signing::{PassphraseProvider, UnifiedPassphraseProvider}; -use auths_core::storage::keychain::KeyAlias; -use auths_id::attestation::group::AttestationGroup; -use auths_id::identity::helpers::ManagedIdentity; -use auths_id::storage::attestation::AttestationSource; -use auths_id::storage::identity::IdentityStorage; -use auths_id::storage::layout::{self, StorageLayoutConfig}; -use auths_storage::git::{ +use auths_sdk::attestation::AttestationGroup; +use auths_sdk::core_config::EnvironmentConfig; +use auths_sdk::identity::ManagedIdentity; +use auths_sdk::keychain::KeyAlias; +use auths_sdk::ports::{AttestationSource, IdentityStorage}; +use auths_sdk::signing::{PassphraseProvider, UnifiedPassphraseProvider}; +use auths_sdk::storage::{ GitRegistryBackend, RegistryAttestationStorage, RegistryConfig, RegistryIdentityStorage, }; +use auths_sdk::storage_layout::{StorageLayoutConfig, layout}; use chrono::Utc; use crate::commands::registry_overrides::RegistryOverrides; @@ -276,7 +275,7 @@ pub fn handle_device( let result = auths_sdk::domains::device::service::link_device( link_config, &ctx, - &auths_core::ports::clock::SystemClock, + &auths_sdk::ports::SystemClock, ) .map_err(anyhow::Error::new)?; @@ -305,7 +304,7 @@ pub fn handle_device( &identity_key_alias, &ctx, note, - &auths_core::ports::clock::SystemClock, + &auths_sdk::ports::SystemClock, ) .map_err(anyhow::Error::new)?; @@ -452,7 +451,7 @@ fn handle_extend( let result = auths_sdk::domains::device::service::extend_device( config, &ctx, - &auths_core::ports::clock::SystemClock, + &auths_sdk::ports::SystemClock, ) .with_context(|| format!("Failed to extend device authorization for '{}'", device_did))?; 
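Review bot: `handle_device` and `handle_extend` spell `&auths_sdk::ports::SystemClock` in full at three call sites although this file's import block, rewritten in the first hunk, already has `use auths_sdk::ports::{AttestationSource, IdentityStorage};`; adding the clock there (`use auths_sdk::ports::{AttestationSource, IdentityStorage, SystemClock};`) and passing `&SystemClock` at the three sites matches how the other `ports` items are used in this file. The same fully-qualified form appears in `commands/ci/setup.rs` and `device/pair/common.rs`. The three call sites sit inside functions that start and end outside their hunks.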
@@ -490,8 +489,8 @@ fn list_devices( let attestation_storage = RegistryAttestationStorage::new(repo_path.to_path_buf()); let backend = Arc::new(GitRegistryBackend::from_config_unchecked( RegistryConfig::single_tenant(repo_path), - )) as Arc; - let resolver = auths_id::identity::resolve::RegistryDidResolver::new(backend); + )) as Arc; + let resolver = auths_sdk::identity::RegistryDidResolver::new(backend); let identity: ManagedIdentity = identity_storage .load_identity() @@ -511,7 +510,7 @@ fn list_devices( .expect("Grouped attestations should not be empty"); let verification_result = - auths_id::attestation::verify::verify_with_resolver(now, &resolver, latest, None); + auths_sdk::attestation::verify_with_resolver(now, &resolver, latest, None); let status_string = match verification_result { Ok(()) => { diff --git a/crates/auths-cli/src/commands/device/pair/common.rs b/crates/auths-cli/src/commands/device/pair/common.rs index 06350dc1..a0e7937c 100644 --- a/crates/auths-cli/src/commands/device/pair/common.rs +++ b/crates/auths-cli/src/commands/device/pair/common.rs @@ -8,10 +8,10 @@ use anyhow::{Context, Result, anyhow}; use console::{Emoji, style}; use indicatif::{ProgressBar, ProgressStyle}; -use auths_core::config::EnvironmentConfig; -use auths_core::pairing::PairingSession; -use auths_core::pairing::types::SubmitResponseRequest; -use auths_core::signing::PassphraseProvider; +use auths_sdk::core_config::EnvironmentConfig; +use auths_sdk::pairing::PairingSession; +use auths_sdk::pairing::SubmitResponseRequest; +use auths_sdk::signing::PassphraseProvider; use crate::core::fs::{create_restricted_dir, write_sensitive_file}; 
@@ -134,7 +134,7 @@ pub(crate) fn handle_pairing_response( capabilities: &[String], env_config: &EnvironmentConfig, ) -> Result<()> { - use auths_core::storage::keychain::get_platform_keychain_with_config; + use auths_sdk::keychain::get_platform_keychain_with_config; use auths_sdk::pairing::{self, DecryptedPairingResponse, PairingCompletionResult}; println!(); @@ -235,9 +235,9 @@ pub(crate) fn handle_pairing_response( } // Resolve identity key alias and collect passphrase before spinner - use auths_id::attestation::export::AttestationSink; - use auths_id::storage::identity::IdentityStorage; - use auths_storage::git::{RegistryAttestationStorage, RegistryIdentityStorage}; + use auths_sdk::attestation::AttestationSink; + use auths_sdk::ports::IdentityStorage; + use auths_sdk::storage::{RegistryAttestationStorage, RegistryIdentityStorage}; let identity_store = Arc::new(RegistryIdentityStorage::new(auths_dir.to_path_buf())); let controller_did = pairing::load_controller_did(identity_store.as_ref()) .map_err(anyhow::Error::from) @@ -252,7 +252,7 @@ pub(crate) fn handle_pairing_response( let keychain = get_platform_keychain_with_config(env_config)?; #[allow(clippy::disallowed_methods)] // INVARIANT: controller_did from managed identity let controller_identity_did = - auths_core::storage::keychain::IdentityDID::new_unchecked(controller_did.clone()); + auths_sdk::keychain::IdentityDID::new_unchecked(controller_did.clone()); let aliases = keychain .list_aliases_for_identity(&controller_identity_did) .context("Failed to list key aliases")?; @@ -270,8 +270,7 @@ pub(crate) fn handle_pairing_response( .context("Failed to get passphrase")?; let passphrase_provider: Arc = Arc::new(PrefilledPassphraseProvider::new(passphrase)); - let key_storage: Arc = - Arc::from(keychain); + let key_storage: Arc = Arc::from(keychain); let attest_spinner = create_wait_spinner(&format!("{GEAR}Creating device attestation...")); 
@@ -296,7 +295,7 @@ pub(crate) fn handle_pairing_response(
 attestation_sink, key_storage, passphrase_provider,
- &auths_core::ports::clock::SystemClock,
+ &auths_sdk::ports::SystemClock,
 ) .map_err(anyhow::Error::from) .context("Pairing completion failed")?
diff --git a/crates/auths-cli/src/commands/device/pair/join.rs b/crates/auths-cli/src/commands/device/pair/join.rs
index 8071df6b..926111e5 100644
--- a/crates/auths-cli/src/commands/device/pair/join.rs
+++ b/crates/auths-cli/src/commands/device/pair/join.rs
@@ -1,13 +1,13 @@
 //! Join mode — join an existing pairing session via short code.
 use anyhow::{Context, Result};
-use auths_core::config::EnvironmentConfig;
-use auths_core::pairing::types::Base64UrlEncoded;
-use auths_core::pairing::{PairingResponse, PairingToken};
-use auths_core::ports::pairing::PairingRelayClient;
 use auths_infra_http::HttpPairingRelayClient;
 use auths_pairing_protocol::sas;
+use auths_sdk::core_config::EnvironmentConfig;
+use auths_sdk::pairing::Base64UrlEncoded;
+use auths_sdk::pairing::{PairingResponse, PairingToken};
 use auths_sdk::pairing::{load_device_signing_material, validate_short_code};
+use auths_sdk::ports::pairing::PairingRelayClient;
 use console::style;
 use crate::core::provider::CliPassphraseProvider;
@@ -42,7 +42,7 @@ pub(crate) async fn handle_join(
 let relay = HttpPairingRelayClient::new();
- let auths_dir = auths_core::paths::auths_home_with_config(env_config)
+ let auths_dir = auths_sdk::paths::auths_home_with_config(env_config)
 .context("Could not determine Auths home directory. Check $AUTHS_HOME or $HOME.")?;
 if !auths_dir.exists() {
@@ -50,7 +50,7 @@ pub(crate) async fn handle_join(
 }
 let passphrase_provider: std::sync::Arc<
- dyn auths_core::signing::PassphraseProvider + Send + Sync,
+ dyn auths_sdk::signing::PassphraseProvider + Send + Sync,
 > = std::sync::Arc::new(CliPassphraseProvider::new());
 let key_spinner = create_wait_spinner(&format!("{GEAR}Loading local device key..."));
@@ -129,7 +129,7 @@ pub(crate) async fn handle_join(
 );
 // Submit the response to the relay
- let submit_req = auths_core::pairing::types::SubmitResponseRequest {
+ let submit_req = auths_sdk::pairing::SubmitResponseRequest {
 device_x25519_pubkey: Base64UrlEncoded::from_raw( pairing_response.device_x25519_pubkey.clone(), ),
diff --git a/crates/auths-cli/src/commands/device/pair/lan.rs b/crates/auths-cli/src/commands/device/pair/lan.rs
index 7b5702f7..4d741914 100644
--- a/crates/auths-cli/src/commands/device/pair/lan.rs
+++ b/crates/auths-cli/src/commands/device/pair/lan.rs
@@ -8,9 +8,9 @@ use std::time::Duration;
 use anyhow::{Context, Result};
 use console::style;
-use auths_core::config::EnvironmentConfig;
-use auths_core::pairing::types::CreateSessionRequest;
-use auths_core::pairing::{PairingToken, QrOptions, render_qr};
+use auths_sdk::core_config::EnvironmentConfig;
+use auths_sdk::pairing::CreateSessionRequest;
+use auths_sdk::pairing::{PairingToken, QrOptions, render_qr};
 use super::common::*;
 use super::lan_server::{LanPairingServer, detect_lan_ip};
@@ -32,10 +32,10 @@ pub async fn handle_initiate_lan(
 capabilities: &[String], env_config: &EnvironmentConfig, ) -> Result<()> {
- let auths_dir = auths_core::paths::auths_home_with_config(env_config)
+ let auths_dir = auths_sdk::paths::auths_home_with_config(env_config)
 .context("Could not determine Auths home directory. Check $AUTHS_HOME or $HOME.")?;
- let identity_storage = auths_storage::git::RegistryIdentityStorage::new(auths_dir.clone());
+ let identity_storage = auths_sdk::storage::RegistryIdentityStorage::new(auths_dir.clone());
 let controller_did = auths_sdk::pairing::load_controller_did(&identity_storage).map_err(anyhow::Error::from)?;
@@ -62,7 +62,7 @@ pub async fn handle_initiate_lan(
 let request = CreateSessionRequest { session_id: session_id.clone(), controller_did: session.token.controller_did.clone(),
- ephemeral_pubkey: auths_core::pairing::types::Base64UrlEncoded::from_raw(
+ ephemeral_pubkey: auths_sdk::pairing::Base64UrlEncoded::from_raw(
 session.token.ephemeral_pubkey.clone(), ), short_code: session.token.short_code.clone(),
@@ -196,7 +196,7 @@ pub async fn handle_initiate_lan(
 env_config, )?; }
- Err(auths_core::pairing::PairingError::LanTimeout) => {
+ Err(auths_sdk::error::PairingError::LanTimeout) => {
 wait_spinner.finish_with_message(format!("{}", style("Session expired.").yellow()));
 if let Some(adv) = _advertiser {
 adv.shutdown();
@@ -220,7 +220,7 @@ pub async fn handle_join_lan(
 code: &str, env_config: &EnvironmentConfig, ) -> Result<()> {
- use auths_core::pairing::normalize_short_code;
+ use auths_sdk::pairing::normalize_short_code;
 let normalized = normalize_short_code(code);
 if normalized.len() != 6 {
diff --git a/crates/auths-cli/src/commands/device/pair/lan_server.rs b/crates/auths-cli/src/commands/device/pair/lan_server.rs
index 0967f9f9..e962b02c 100644
--- a/crates/auths-cli/src/commands/device/pair/lan_server.rs
+++ b/crates/auths-cli/src/commands/device/pair/lan_server.rs
@@ -5,8 +5,8 @@ use std::time::Duration;
 use tokio_util::sync::CancellationToken;
-use auths_core::pairing::types::{CreateSessionRequest, SubmitResponseRequest};
 use auths_pairing_daemon::{PairingDaemonBuilder, PairingDaemonHandle};
+use auths_sdk::pairing::{CreateSessionRequest, SubmitResponseRequest};
 /// Detect the LAN IP address of this machine.
 pub fn detect_lan_ip() -> std::io::Result {
@@ -98,7 +98,7 @@ impl LanPairingServer {
 pub async fn wait_for_response( self, timeout: Duration,
- ) -> Result {
+ ) -> Result {
 self.cancel.cancel();
 self.handle
@@ -106,7 +106,7 @@ impl LanPairingServer {
 .await .map_err(|e| match e { auths_pairing_daemon::DaemonError::Pairing(pe) => pe,
- other => auths_core::pairing::PairingError::LocalServerError(other.to_string()),
+ other => auths_sdk::error::PairingError::LocalServerError(other.to_string()),
 }) } }
diff --git a/crates/auths-cli/src/commands/device/pair/mod.rs b/crates/auths-cli/src/commands/device/pair/mod.rs
index 0a218467..a253dca4 100644
--- a/crates/auths-cli/src/commands/device/pair/mod.rs
+++ b/crates/auths-cli/src/commands/device/pair/mod.rs
@@ -13,7 +13,7 @@ mod offline;
 mod online;
 use anyhow::Result;
-use auths_core::config::EnvironmentConfig;
+use auths_sdk::core_config::EnvironmentConfig;
 use chrono::Utc;
 use clap::Parser;
@@ -164,7 +164,7 @@ pub fn handle_pair(cmd: PairCommand, env_config: &EnvironmentConfig) -> Result<(
 #[cfg(test)]
 mod tests {
- use auths_core::pairing::normalize_short_code;
+ use auths_sdk::pairing::normalize_short_code;
 #[test]
 fn test_code_normalization() {
diff --git a/crates/auths-cli/src/commands/device/pair/offline.rs b/crates/auths-cli/src/commands/device/pair/offline.rs
index 4f46bb60..5af19025 100644
--- a/crates/auths-cli/src/commands/device/pair/offline.rs
+++ b/crates/auths-cli/src/commands/device/pair/offline.rs
@@ -5,7 +5,7 @@ use std::time::Duration;
 use anyhow::{Context, Result};
 use console::style;
-use auths_core::pairing::{PairingToken, QrOptions, render_qr};
+use auths_sdk::pairing::{PairingToken, QrOptions, render_qr};
 use super::common::*;
@@ -17,11 +17,11 @@ pub(crate) fn handle_initiate_offline(
 capabilities: &[String], ) -> Result<()> {
 // Try to load controller DID, fall back to placeholder
- let auths_dir = auths_core::paths::auths_home()
+ let auths_dir = auths_sdk::paths::auths_home()
 .context("Could not determine Auths home directory. Check $AUTHS_HOME or $HOME.")?;
 let controller_did = if auths_dir.exists() {
- let storage = auths_storage::git::RegistryIdentityStorage::new(auths_dir.clone());
+ let storage = auths_sdk::storage::RegistryIdentityStorage::new(auths_dir.clone());
 auths_sdk::pairing::load_controller_did(&storage) .unwrap_or_else(|_| "did:keri:offline-test".to_string()) } else {
diff --git a/crates/auths-cli/src/commands/device/pair/online.rs b/crates/auths-cli/src/commands/device/pair/online.rs
index c99e7180..b32bad83 100644
--- a/crates/auths-cli/src/commands/device/pair/online.rs
+++ b/crates/auths-cli/src/commands/device/pair/online.rs
@@ -1,9 +1,9 @@
 //! Online pairing mode — uses a registry relay server.
 use anyhow::{Context, Result};
-use auths_core::config::EnvironmentConfig;
-use auths_core::pairing::{QrOptions, render_qr};
+use auths_sdk::core_config::EnvironmentConfig;
 use auths_sdk::pairing::{PairingSessionParams, PairingStatus, initiate_online_pairing};
+use auths_sdk::pairing::{QrOptions, render_qr};
 use console::style;
 use indicatif::ProgressBar;
@@ -23,17 +23,17 @@ pub(crate) async fn handle_initiate_online(
 capabilities: &[String], env_config: &EnvironmentConfig, ) -> Result<()> {
- let auths_dir = auths_core::paths::auths_home_with_config(env_config)
+ let auths_dir = auths_sdk::paths::auths_home_with_config(env_config)
 .context("Could not determine Auths home directory. Check $AUTHS_HOME or $HOME.")?;
- let identity_storage = auths_storage::git::RegistryIdentityStorage::new(auths_dir.clone());
+ let identity_storage = auths_sdk::storage::RegistryIdentityStorage::new(auths_dir.clone());
 let controller_did = auths_sdk::pairing::load_controller_did(&identity_storage).map_err(anyhow::Error::from)?;
 print_pairing_header("ONLINE", registry, &controller_did);
 let passphrase_provider: std::sync::Arc<
- dyn auths_core::signing::PassphraseProvider + Send + Sync,
+ dyn auths_sdk::signing::PassphraseProvider + Send + Sync,
 > = std::sync::Arc::new(CliPassphraseProvider::new());
 let ctx = build_auths_context(&auths_dir, env_config, Some(passphrase_provider))
diff --git a/crates/auths-cli/src/commands/device/verify_attestation.rs b/crates/auths-cli/src/commands/device/verify_attestation.rs
index b270b27a..7c99d23a 100644
--- a/crates/auths-cli/src/commands/device/verify_attestation.rs
+++ b/crates/auths-cli/src/commands/device/verify_attestation.rs
@@ -1,6 +1,6 @@
 use crate::ux::format::is_json_mode;
 use anyhow::{Context, Result, anyhow};
-use auths_core::trust::{PinnedIdentity, PinnedIdentityStore, RootsFile, TrustLevel, TrustPolicy};
+use auths_sdk::trust::{PinnedIdentity, PinnedIdentityStore, RootsFile, TrustLevel, TrustPolicy};
 use auths_verifier::Capability;
 use auths_verifier::core::Attestation;
 use auths_verifier::verify::{
diff --git a/crates/auths-cli/src/commands/doctor.rs b/crates/auths-cli/src/commands/doctor.rs
index 50ca256e..e39fe991 100644
--- a/crates/auths-cli/src/commands/doctor.rs
+++ b/crates/auths-cli/src/commands/doctor.rs
@@ -4,7 +4,7 @@ use crate::adapters::doctor_fixes::{AllowedSignersFix, GitSigningConfigFix};
 use crate::adapters::system_diagnostic::PosixDiagnosticAdapter;
 use crate::ux::format::{JsonResponse, Output, is_json_mode};
 use anyhow::Result;
-use auths_core::storage::keychain;
+use auths_sdk::keychain;
 use auths_sdk::ports::diagnostics::{ CheckCategory, CheckResult, ConfigIssue, DiagnosticFix, FixApplied, };
@@ -256,7 +256,7 @@ fn apply_fixes(checks: &[Check], out: Option<&Output>) -> Vec {
 fn build_available_fixes() -> Vec> {
 let mut fixes: Vec> = Vec::new();
- if let Ok(repo_path) = auths_core::paths::auths_home() {
+ if let Ok(repo_path) = auths_sdk::paths::auths_home() {
 fixes.push(Box::new(AllowedSignersFix::new(repo_path)));
 }
@@ -355,7 +355,7 @@ fn check_keychain_accessible() -> Check {
 }
 fn check_auths_repo() -> Check {
- let (passed, detail, suggestion) = match auths_core::paths::auths_home() {
+ let (passed, detail, suggestion) = match auths_sdk::paths::auths_home() {
 Ok(path) => {
 if !path.exists() { (
@@ -447,10 +447,10 @@ enum ExpiryStatus {
 }
 fn check_attestation_expiry(now: DateTime) -> ExpiryStatus {
- use auths_id::storage::attestation::AttestationSource;
- use auths_storage::git::RegistryAttestationStorage;
+ use auths_sdk::ports::AttestationSource;
+ use auths_sdk::storage::RegistryAttestationStorage;
- let repo_path = match auths_core::paths::auths_home() {
+ let repo_path = match auths_sdk::paths::auths_home() {
 Ok(p) if p.exists() => p, _ => return ExpiryStatus::NoAttestations, };
diff --git a/crates/auths-cli/src/commands/emergency.rs b/crates/auths-cli/src/commands/emergency.rs
index b61edcb6..1152a0ac 100644
--- a/crates/auths-cli/src/commands/emergency.rs
+++ b/crates/auths-cli/src/commands/emergency.rs
@@ -292,15 +292,15 @@ fn handle_revoke_device(
 now: chrono::DateTime, ctx: &crate::config::CliConfig, ) -> Result<()> {
- use auths_core::signing::StorageSigner;
- use auths_core::storage::keychain::{KeyAlias, get_platform_keychain};
- use auths_id::attestation::export::AttestationSink;
- use auths_id::attestation::revoke::create_signed_revocation;
- use auths_id::identity::helpers::ManagedIdentity;
- use auths_id::storage::attestation::AttestationSource;
- use auths_id::storage::identity::IdentityStorage;
- use auths_id::storage::layout;
- use auths_storage::git::{RegistryAttestationStorage, RegistryIdentityStorage};
+ use auths_sdk::attestation::AttestationSink;
+ use auths_sdk::attestation::create_signed_revocation;
+ use auths_sdk::identity::ManagedIdentity;
+ use auths_sdk::keychain::{KeyAlias, get_platform_keychain};
+ use auths_sdk::ports::AttestationSource;
+ use auths_sdk::ports::IdentityStorage;
+ use auths_sdk::signing::StorageSigner;
+ use auths_sdk::storage::{RegistryAttestationStorage, RegistryIdentityStorage};
+ use auths_sdk::storage_layout::layout;
 use auths_verifier::Ed25519PublicKey;
 use auths_verifier::types::DeviceDID;
@@ -427,9 +427,9 @@ fn handle_rotate_now(
 now: chrono::DateTime, ctx: &crate::config::CliConfig, ) -> Result<()> {
- use auths_core::storage::keychain::{KeyAlias, get_platform_keychain};
- use auths_id::identity::rotate::rotate_keri_identity;
- use auths_id::storage::layout::{self, StorageLayoutConfig};
+ use auths_sdk::identity::rotate_keri_identity;
+ use auths_sdk::keychain::{KeyAlias, get_platform_keychain};
+ use auths_sdk::storage_layout::{StorageLayoutConfig, layout};
 let out = Output::new();
@@ -527,8 +527,8 @@ fn handle_rotate_now(
 /// Handle freeze operation — temporarily disables all signing.
 fn handle_freeze(cmd: FreezeCommand, now: chrono::DateTime) -> Result<()> {
- use auths_id::freeze::{FreezeState, load_active_freeze, parse_duration, store_freeze};
- use auths_id::storage::layout;
+ use auths_sdk::freeze::{FreezeState, load_active_freeze, parse_duration, store_freeze};
+ use auths_sdk::storage_layout::layout;
 let out = Output::new();
@@ -625,8 +625,8 @@ fn handle_freeze(cmd: FreezeCommand, now: chrono::DateTime) -> Resu
 /// Handle unfreeze — cancel an active freeze early.
 fn handle_unfreeze(cmd: UnfreezeCommand, now: chrono::DateTime) -> Result<()> {
- use auths_id::freeze::{load_active_freeze, remove_freeze};
- use auths_id::storage::layout;
+ use auths_sdk::freeze::{load_active_freeze, remove_freeze};
+ use auths_sdk::storage_layout::layout;
 let out = Output::new();
@@ -665,11 +665,11 @@ fn handle_unfreeze(cmd: UnfreezeCommand, now: chrono::DateTime) ->
 /// Handle incident report generation.
 fn handle_report(cmd: ReportCommand, now: chrono::DateTime) -> Result<()> {
- use auths_id::identity::helpers::ManagedIdentity;
- use auths_id::storage::attestation::AttestationSource;
- use auths_id::storage::identity::IdentityStorage;
- use auths_id::storage::layout;
- use auths_storage::git::{RegistryAttestationStorage, RegistryIdentityStorage};
+ use auths_sdk::identity::ManagedIdentity;
+ use auths_sdk::ports::AttestationSource;
+ use auths_sdk::ports::IdentityStorage;
+ use auths_sdk::storage::{RegistryAttestationStorage, RegistryIdentityStorage};
+ use auths_sdk::storage_layout::layout;
 let out = Output::new();
@@ -909,7 +909,7 @@ mod tests {
 assert!(dir.path().join("freeze.json").exists());
 // Verify the freeze is active
- let state = auths_id::freeze::load_active_freeze(dir.path(), chrono::Utc::now()).unwrap();
+ let state = auths_sdk::freeze::load_active_freeze(dir.path(), chrono::Utc::now()).unwrap();
 assert!(state.is_some());
 }
diff --git a/crates/auths-cli/src/commands/git.rs b/crates/auths-cli/src/commands/git.rs
index 03d60ebe..23fa2c19 100644
--- a/crates/auths-cli/src/commands/git.rs
+++ b/crates/auths-cli/src/commands/git.rs
@@ -1,8 +1,8 @@
 //! Git integration commands for Auths.
 use anyhow::{Context, Result, bail};
+use auths_sdk::storage::RegistryAttestationStorage;
 use auths_sdk::workflows::allowed_signers::AllowedSigners;
-use auths_storage::git::RegistryAttestationStorage;
 use auths_utils::path::expand_tilde;
 use clap::{Parser, Subcommand};
 #[cfg(unix)]
diff --git a/crates/auths-cli/src/commands/id/claim.rs b/crates/auths-cli/src/commands/id/claim.rs
index b2c9ea0f..20a310ed 100644
--- a/crates/auths-cli/src/commands/id/claim.rs
+++ b/crates/auths-cli/src/commands/id/claim.rs
@@ -2,11 +2,11 @@ use std::path::Path;
 use std::sync::Arc;
 use anyhow::{Context, Result};
-use auths_core::config::EnvironmentConfig;
-use auths_core::signing::PassphraseProvider;
 use auths_infra_http::{ HttpGistPublisher, HttpGitHubOAuthProvider, HttpNpmAuthProvider, HttpRegistryClaimClient, };
+use auths_sdk::core_config::EnvironmentConfig;
+use auths_sdk::signing::PassphraseProvider;
 use auths_sdk::workflows::platform::{ GitHubClaimConfig, NpmClaimConfig, PypiClaimConfig, claim_github_identity, claim_npm_identity, claim_pypi_identity,
@@ -84,7 +84,7 @@ pub fn handle_claim(
 scopes: "read:user gist".to_string(), };
- let on_device_code = |code: &auths_core::ports::platform::DeviceCodeResponse| {
+ let on_device_code = |code: &auths_sdk::ports::platform::DeviceCodeResponse| {
 println!();
 println!(" Copy this code: {}", style(&code.user_code).bold().cyan());
 println!(" At: {}", style(&code.verification_uri).cyan());
diff --git a/crates/auths-cli/src/commands/id/identity.rs b/crates/auths-cli/src/commands/id/identity.rs
index ee82316b..a6ee5492 100644
--- a/crates/auths-cli/src/commands/id/identity.rs
+++ b/crates/auths-cli/src/commands/id/identity.rs
@@ -7,10 +7,10 @@ use std::fs;
 use std::path::PathBuf;
 use std::sync::Arc;
-use auths_core::{
- config::EnvironmentConfig,
+use auths_sdk::{
+ core_config::EnvironmentConfig,
+ keychain::{KeyAlias, get_platform_keychain},
 signing::PassphraseProvider,
- storage::keychain::{KeyAlias, get_platform_keychain},
 };
 use auths_verifier::{IdentityBundle, IdentityDID, Prefix};
 use clap::ValueEnum;
@@ -27,18 +27,14 @@ struct IdShowResponse {
 metadata: Option, }
-use auths_id::{
- identity::initialize::initialize_registry_identity,
- ports::registry::RegistryBackend,
- storage::{
- attestation::AttestationSource,
- identity::IdentityStorage,
- layout::{self, StorageLayoutConfig},
- },
-};
-use auths_storage::git::{
+use auths_sdk::storage::{
 GitRegistryBackend, RegistryAttestationStorage, RegistryConfig, RegistryIdentityStorage,
 };
+use auths_sdk::{
+ identity::initialize_registry_identity,
+ ports::{AttestationSource, IdentityStorage, RegistryBackend},
+ storage_layout::{StorageLayoutConfig, layout},
+};
 /// Storage layout presets for different ecosystems.
 #[derive(Debug, Clone, Copy, ValueEnum, Default)]
@@ -538,16 +534,15 @@ pub fn handle_id(
 next_key_alias: next_key_alias.map(KeyAlias::new_unchecked), };
 let rotation_ctx = {
- use auths_core::storage::keychain::get_platform_keychain_with_config;
- use auths_id::attestation::export::AttestationSink;
- use auths_id::storage::attestation::AttestationSource;
- use auths_id::storage::identity::IdentityStorage;
+ use auths_sdk::attestation::AttestationSink;
 use auths_sdk::context::AuthsContext;
- use auths_storage::git::{
+ use auths_sdk::keychain::get_platform_keychain_with_config;
+ use auths_sdk::ports::{AttestationSource, IdentityStorage};
+ use auths_sdk::storage::{
 GitRegistryBackend, RegistryAttestationStorage, RegistryConfig, RegistryIdentityStorage,
 };
- let backend: Arc =
+ let backend: Arc =
 Arc::new(GitRegistryBackend::from_config_unchecked( RegistryConfig::single_tenant(&repo_path), ));
@@ -558,15 +553,14 @@ pub fn handle_id(
 Arc::clone(&attestation_store) as Arc;
 let attestation_source: Arc = attestation_store as Arc;
- let key_storage: Arc =
- Arc::from(
- get_platform_keychain_with_config(env_config)
- .context("Failed to access keychain")?,
- );
+ let key_storage: Arc = Arc::from(
+ get_platform_keychain_with_config(env_config)
+ .context("Failed to access keychain")?,
+ );
 AuthsContext::builder() .registry(backend) .key_storage(key_storage)
- .clock(Arc::new(auths_core::ports::clock::SystemClock))
+ .clock(Arc::new(auths_sdk::ports::SystemClock))
 .identity_storage(identity_storage) .attestation_sink(attestation_sink) .attestation_source(attestation_source)
@@ -576,7 +570,7 @@ pub fn handle_id(
 let result = auths_sdk::workflows::rotation::rotate_identity( rotation_config, &rotation_ctx,
- &auths_core::ports::clock::SystemClock,
+ &auths_sdk::ports::SystemClock,
 ) .with_context(|| "Failed to rotate KERI identity keys")?;
@@ -633,9 +627,9 @@ pub fn handle_id(
 // Decrypt to get public key
 let pass = passphrase_provider .get_passphrase(&format!("Enter passphrase for key '{}':", alias))?;
- let pkcs8_bytes = auths_core::crypto::signer::decrypt_keypair(&encrypted_key, &pass)
+ let pkcs8_bytes = auths_sdk::crypto::decrypt_keypair(&encrypted_key, &pass)
 .context("Failed to decrypt key")?;
- let keypair = auths_id::identity::helpers::load_keypair_from_der_or_seed(&pkcs8_bytes)?;
+ let keypair = auths_sdk::identity::load_keypair_from_der_or_seed(&pkcs8_bytes)?;
 #[allow(clippy::disallowed_methods)] // INVARIANT: hex::encode of Ed25519 pubkey always produces valid hex
 let public_key_hex = auths_verifier::PublicKeyHex::new_unchecked(hex::encode(
@@ -691,9 +685,9 @@ pub fn handle_id(
 }
 use crate::constants::GITHUB_SSH_UPLOAD_SCOPES;
- use auths_core::ports::platform::OAuthDeviceFlowProvider;
- use auths_core::storage::keychain::extract_public_key_bytes;
 use auths_infra_http::{HttpGitHubOAuthProvider, HttpGitHubSshKeyUploader};
+ use auths_sdk::keychain::extract_public_key_bytes;
+ use auths_sdk::ports::platform::OAuthDeviceFlowProvider;
 use std::time::Duration;
 const GITHUB_CLIENT_ID: &str = "Ov23lio2CiTHBjM2uIL4";
diff --git a/crates/auths-cli/src/commands/id/migrate.rs b/crates/auths-cli/src/commands/id/migrate.rs
index 9b55b35a..f35ffd76 100644
--- a/crates/auths-cli/src/commands/id/migrate.rs
+++ b/crates/auths-cli/src/commands/id/migrate.rs
@@ -351,11 +351,11 @@ fn perform_gpg_migration(
 out: &Output, now: chrono::DateTime, ) -> Result<()> {
- use auths_core::error::AgentError;
- use auths_core::storage::keychain::{KeyAlias, get_platform_keychain};
- use auths_id::identity::initialize::initialize_registry_identity;
- use auths_id::ports::registry::RegistryBackend;
- use auths_storage::git::{GitRegistryBackend, RegistryConfig};
+ use auths_sdk::error::AgentError;
+ use auths_sdk::identity::initialize_registry_identity;
+ use auths_sdk::keychain::{KeyAlias, get_platform_keychain};
+ use auths_sdk::ports::RegistryBackend;
+ use auths_sdk::storage::{GitRegistryBackend, RegistryConfig};
 use std::fs;
 use std::sync::Arc;
 use zeroize::Zeroizing;
@@ -415,7 +415,7 @@ fn perform_gpg_migration(
 // Create a simple passphrase provider that prompts if needed
 struct MigrationPassphraseProvider;
- impl auths_core::signing::PassphraseProvider for MigrationPassphraseProvider {
+ impl auths_sdk::signing::PassphraseProvider for MigrationPassphraseProvider {
 fn get_passphrase(&self, prompt: &str) -> Result, AgentError> {
 // For migration, we create unencrypted keys by default
 // Return empty passphrase
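Review bot: The comment `// Create a simple passphrase provider that prompts if needed` above `MigrationPassphraseProvider` in `perform_gpg_migration` no longer matches what the implementation does: the visible body of `get_passphrase` says it returns an empty passphrase and never prompts, so the migrated key is written without passphrase protection. Since this `impl` line is being touched anyway, reword the comment to state the actual contract, e.g. `// Passphrase provider for migration: always returns an empty passphrase, so the migrated key is stored unencrypted and the prompt argument is ignored.`, and consider a `///` doc comment on the struct saying the same so callers see it in rustdoc. The `perform_ssh_migration` hunk declares an identical local struct; hoisting one `MigrationPassphraseProvider` to module level would keep the two in step. The remainder of `get_passphrase` in the GPG variant lies outside the hunk, so this is inferred from the two comment lines shown.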
@@ -754,11 +754,11 @@ fn perform_ssh_migration(
 out: &Output, now: chrono::DateTime, ) -> Result<()> {
- use auths_core::error::AgentError;
- use auths_core::storage::keychain::{KeyAlias, get_platform_keychain};
- use auths_id::identity::initialize::initialize_registry_identity;
- use auths_id::ports::registry::RegistryBackend;
- use auths_storage::git::{GitRegistryBackend, RegistryConfig};
+ use auths_sdk::error::AgentError;
+ use auths_sdk::identity::initialize_registry_identity;
+ use auths_sdk::keychain::{KeyAlias, get_platform_keychain};
+ use auths_sdk::ports::RegistryBackend;
+ use auths_sdk::storage::{GitRegistryBackend, RegistryConfig};
 use std::sync::Arc;
 use zeroize::Zeroizing;
@@ -813,7 +813,7 @@ fn perform_ssh_migration(
 // Create a simple passphrase provider
 struct MigrationPassphraseProvider;
- impl auths_core::signing::PassphraseProvider for MigrationPassphraseProvider {
+ impl auths_sdk::signing::PassphraseProvider for MigrationPassphraseProvider {
 fn get_passphrase(&self, prompt: &str) -> Result, AgentError> {
 let _ = prompt;
 Ok(Zeroizing::new(String::new()))
diff --git a/crates/auths-cli/src/commands/id/register.rs b/crates/auths-cli/src/commands/id/register.rs
index 28fa88a8..8545596c 100644
--- a/crates/auths-cli/src/commands/id/register.rs
+++ b/crates/auths-cli/src/commands/id/register.rs
@@ -5,14 +5,14 @@ use anyhow::{Result, bail};
 use auths_verifier::IdentityDID;
 use serde::Serialize;
-use auths_id::ports::registry::RegistryBackend;
-use auths_id::storage::attestation::AttestationSource;
-use auths_id::storage::identity::IdentityStorage;
 use auths_infra_http::HttpRegistryClient;
 use auths_sdk::domains::identity::error::RegistrationError;
 pub use auths_sdk::domains::identity::registration::DEFAULT_REGISTRY_URL;
 use auths_sdk::domains::identity::types::RegistrationOutcome;
-use auths_storage::git::{
+use auths_sdk::ports::AttestationSource;
+use auths_sdk::ports::IdentityStorage;
+use auths_sdk::ports::RegistryBackend;
+use auths_sdk::storage::{
 GitRegistryBackend, RegistryAttestationStorage, RegistryConfig, RegistryIdentityStorage,
 };
diff --git a/crates/auths-cli/src/commands/index.rs b/crates/auths-cli/src/commands/index.rs
index ad7b2b3f..4fb6b76a 100644
--- a/crates/auths-cli/src/commands/index.rs
+++ b/crates/auths-cli/src/commands/index.rs
@@ -2,8 +2,8 @@ use anyhow::{Context, Result};
 use clap::{Args, Subcommand};
 use std::path::PathBuf;
-use auths_id::storage::layout::{self, StorageLayoutConfig};
 use auths_index::{AttestationIndex, rebuild_attestations_from_git};
+use auths_sdk::storage_layout::{self as layout, StorageLayoutConfig};
 #[derive(Args, Debug, Clone)]
 #[command(about = "Manage the device authorization index for fast lookups.")]
diff --git a/crates/auths-cli/src/commands/init/display.rs b/crates/auths-cli/src/commands/init/display.rs
index c3a9cf09..0c8595f3 100644
--- a/crates/auths-cli/src/commands/init/display.rs
+++ b/crates/auths-cli/src/commands/init/display.rs
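Review bot: index.rs spells the layout alias as `use auths_sdk::storage_layout::{self as layout, StorageLayoutConfig};`, while the `handle_rotate_now` block in emergency.rs, identity.rs and namespace.rs in this same commit write `auths_sdk::storage_layout::layout` for what was the identical `auths_id::storage::layout` import before. If `auths_sdk::storage_layout` re-exports both a `layout` module and that module's items, both spellings compile, but readers now meet two names for one thing; the line here could become `use auths_sdk::storage_layout::{StorageLayoutConfig, layout};` to match the others. Whether `storage_layout::layout` is the same module as `storage_layout` itself is not visible in this diff, so confirm against the SDK facade before changing it.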
@@ -87,14 +87,14 @@ pub(crate) fn display_agent_dry_run(
 }
 out.newline();
 out.print_info("TOML config that would be generated:");
- let provisioning_config = auths_id::agent_identity::AgentProvisioningConfig {
+ let provisioning_config = auths_sdk::identity::AgentProvisioningConfig {
 agent_name: config.alias.to_string(), capabilities: config.capabilities.iter().map(|c| c.to_string()).collect(), expires_in: config.expires_in, delegated_by: None,
- storage_mode: auths_id::agent_identity::AgentStorageMode::Persistent { repo_path: None },
+ storage_mode: auths_sdk::identity::AgentStorageMode::Persistent { repo_path: None },
 };
- out.println(&auths_id::agent_identity::format_agent_toml(
+ out.println(&auths_sdk::identity::format_agent_toml(
 "did:keri:E", "agent-key", &provisioning_config,
diff --git a/crates/auths-cli/src/commands/init/gather.rs b/crates/auths-cli/src/commands/init/gather.rs
index 9801b80d..b8ebe49c 100644
--- a/crates/auths-cli/src/commands/init/gather.rs
+++ b/crates/auths-cli/src/commands/init/gather.rs
@@ -4,14 +4,14 @@ use anyhow::{Context, Result, anyhow};
 use std::path::Path;
 use std::sync::Arc;
-use auths_core::storage::keychain::{KeyAlias, KeyStorage, get_platform_keychain};
-use auths_id::storage::attestation::AttestationSource;
-use auths_id::storage::identity::IdentityStorage;
 use auths_infra_http::HttpRegistryClient;
-use auths_sdk::types::{CiEnvironment, CiIdentityConfig, CreateDeveloperIdentityConfig};
-use auths_storage::git::{
+use auths_sdk::keychain::{KeyAlias, KeyStorage, get_platform_keychain};
+use auths_sdk::ports::AttestationSource;
+use auths_sdk::ports::IdentityStorage;
+use auths_sdk::storage::{
 GitRegistryBackend, RegistryAttestationStorage, RegistryConfig, RegistryIdentityStorage,
 };
+use auths_sdk::types::{CiEnvironment, CiIdentityConfig, CreateDeveloperIdentityConfig};
 use super::InitCommand;
 use super::helpers::{
diff --git a/crates/auths-cli/src/commands/init/helpers.rs b/crates/auths-cli/src/commands/init/helpers.rs
index d22706b7..3421ee27 100644
--- a/crates/auths-cli/src/commands/init/helpers.rs
+++ b/crates/auths-cli/src/commands/init/helpers.rs
@@ -7,15 +7,15 @@ use std::io::Write;
 use std::path::{Path, PathBuf};
 use std::process::Command;
+use auths_sdk::storage::RegistryAttestationStorage;
 use auths_sdk::workflows::allowed_signers::AllowedSigners;
 use auths_sdk::workflows::diagnostics::{MIN_GIT_VERSION, parse_git_version};
-use auths_storage::git::RegistryAttestationStorage;
 use crate::subprocess::git_command;
 use crate::ux::format::Output;
 pub(crate) fn get_auths_repo_path() -> Result {
- auths_core::paths::auths_home().map_err(|e| anyhow!(e))
+ auths_sdk::paths::auths_home().map_err(|e| anyhow!(e))
 }
 pub(crate) fn check_git_version(out: &Output) -> Result<()> {
diff --git a/crates/auths-cli/src/commands/init/mod.rs b/crates/auths-cli/src/commands/init/mod.rs
index 314b8c85..9561a466 100644
--- a/crates/auths-cli/src/commands/init/mod.rs
+++ b/crates/auths-cli/src/commands/init/mod.rs
@@ -15,15 +15,15 @@ use std::io::IsTerminal;
 use std::path::PathBuf;
 use std::sync::Arc;
-use auths_core::PrefilledPassphraseProvider;
-use auths_core::signing::StorageSigner;
-use auths_core::storage::keychain::KeyStorage;
 use auths_sdk::domains::identity::registration::DEFAULT_REGISTRY_URL;
 use auths_sdk::domains::identity::service::initialize;
 use auths_sdk::domains::identity::types::IdentityConfig;
 use auths_sdk::domains::identity::types::InitializeResult;
 use auths_sdk::domains::signing::types::GitSigningScope;
+use auths_sdk::keychain::KeyStorage;
 use auths_sdk::ports::git_config::GitConfigProvider;
+use auths_sdk::signing::PrefilledPassphraseProvider;
+use auths_sdk::signing::StorageSigner;
 use crate::adapters::git_config::SystemGitConfigProvider;
 use crate::config::CliConfig;
diff --git a/crates/auths-cli/src/commands/init/prompts.rs b/crates/auths-cli/src/commands/init/prompts.rs
index 1824e0e9..8c776925 100644
--- a/crates/auths-cli/src/commands/init/prompts.rs
+++ b/crates/auths-cli/src/commands/init/prompts.rs
@@ -5,11 +5,11 @@ use dialoguer::{Confirm, Input, Select};
 use std::path::Path;
 use std::sync::Arc;
-use auths_core::signing::PassphraseProvider;
-use auths_core::storage::keychain::IdentityDID;
-use auths_id::storage::identity::IdentityStorage;
+use auths_sdk::keychain::IdentityDID;
+use auths_sdk::ports::IdentityStorage;
+use auths_sdk::signing::PassphraseProvider;
+use auths_sdk::storage::RegistryIdentityStorage;
 use auths_sdk::types::{GitSigningScope, IdentityConflictPolicy};
-use auths_storage::git::RegistryIdentityStorage;
 use super::InitCommand;
 use super::InitProfile;
@@ -118,7 +118,7 @@ pub(crate) fn prompt_for_git_scope(interactive: bool) -> Result
 pub(crate) fn prompt_platform_verification(
 out: &Output, passphrase_provider: Arc,
- env_config: &auths_core::config::EnvironmentConfig,
+ env_config: &auths_sdk::core_config::EnvironmentConfig,
 now: chrono::DateTime, ) -> Result> {
 let items = [
@@ -146,16 +146,16 @@ pub(crate) fn prompt_platform_verification(
 fn run_github_verification(
 out: &Output, passphrase_provider: Arc,
- env_config: &auths_core::config::EnvironmentConfig,
+ env_config: &auths_sdk::core_config::EnvironmentConfig,
 now: chrono::DateTime, ) -> Result> {
 use std::time::Duration;
 use crate::constants::GITHUB_SSH_UPLOAD_SCOPES;
- use auths_core::ports::platform::OAuthDeviceFlowProvider;
- use auths_core::ports::platform::PlatformProofPublisher;
- use auths_core::storage::keychain::extract_public_key_bytes;
 use auths_infra_http::{HttpGistPublisher, HttpGitHubOAuthProvider, HttpGitHubSshKeyUploader};
+ use auths_sdk::keychain::extract_public_key_bytes;
+ use auths_sdk::ports::platform::OAuthDeviceFlowProvider;
+ use auths_sdk::ports::platform::PlatformProofPublisher;
 use auths_sdk::workflows::platform::create_signed_platform_claim;
 const GITHUB_CLIENT_ID: &str = "Ov23lio2CiTHBjM2uIL4";
diff --git a/crates/auths-cli/src/commands/key.rs b/crates/auths-cli/src/commands/key.rs
index 0ccee49d..a235289e 100644
--- a/crates/auths-cli/src/commands/key.rs
+++ b/crates/auths-cli/src/commands/key.rs
@@ -5,12 +5,10 @@ use std::ffi::CString;
 use std::fs;
 use std::path::PathBuf;
-use auths_core::api::ffi;
-use auths_core::error::AgentError;
-use auths_core::storage::encrypted_file::EncryptedFileStorage;
-use auths_core::storage::keychain::{
- IdentityDID, KeyAlias, KeyRole, KeyStorage, get_platform_keychain,
-};
+use auths_sdk::error::AgentError;
+use auths_sdk::ffi::ffi;
+use auths_sdk::keychain::EncryptedFileStorage;
+use auths_sdk::keychain::{IdentityDID, KeyAlias, KeyRole, KeyStorage, get_platform_keychain};
 use zeroize::{Zeroize, Zeroizing};
 use crate::core::types::ExportFormat;
diff --git a/crates/auths-cli/src/commands/key_detect.rs b/crates/auths-cli/src/commands/key_detect.rs
index 35b79b29..db70c029 100644
--- a/crates/auths-cli/src/commands/key_detect.rs
+++ b/crates/auths-cli/src/commands/key_detect.rs
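Review bot: `use auths_sdk::ffi::ffi;` in key.rs stutters — the facade module and the item it exposes carry the same name, which reads oddly next to the `auths_sdk::<area>::<Item>` shape every other import in this commit follows. If `auths_sdk::ffi` exists only to surface the former `auths_core::api::ffi` module, re-exporting it so the call site reads `use auths_sdk::ffi;` would match how `keychain`, `signing` and `paths` are surfaced here; that is an SDK-side change not visible in this diff, so the module shape is inferred from the path alone. Separately, the two `use auths_sdk::keychain::…` lines directly below can collapse into one, `use auths_sdk::keychain::{EncryptedFileStorage, IdentityDID, KeyAlias, KeyRole, KeyStorage, get_platform_keychain};`.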
@@ -3,10 +3,10 @@ use std::path::Path; use anyhow::{Context, Result, anyhow}; -use auths_core::config::EnvironmentConfig; -use auths_core::storage::keychain::{KeyAlias, KeyStorage}; -use auths_id::storage::identity::IdentityStorage; -use auths_storage::git::RegistryIdentityStorage; +use auths_sdk::core_config::EnvironmentConfig; +use auths_sdk::keychain::{KeyAlias, KeyStorage}; +use auths_sdk::ports::IdentityStorage; +use auths_sdk::storage::RegistryIdentityStorage; use dialoguer::Select; use std::io::IsTerminal; @@ -51,13 +51,13 @@ pub fn auto_detect_device_key( env_config: &EnvironmentConfig, ) -> Result { let repo_path = - auths_id::storage::layout::resolve_repo_path(repo_opt.map(|p| p.to_path_buf()))?; + auths_sdk::storage_layout::resolve_repo_path(repo_opt.map(|p| p.to_path_buf()))?; let identity_storage = RegistryIdentityStorage::new(repo_path.clone()); let identity = identity_storage .load_identity() .map_err(|_| anyhow!("No identity found. Run `auths init` to get started."))?; - let keychain = auths_core::storage::keychain::get_platform_keychain_with_config(env_config) + let keychain = auths_sdk::keychain::get_platform_keychain_with_config(env_config) .context("Failed to access keychain")?; let aliases = keychain .list_aliases_for_identity(&identity.controller_did) @@ -91,7 +91,7 @@ pub fn auto_detect_device_key( #[cfg(test)] mod tests { use super::*; - use auths_core::storage::keychain::KeyAlias; + use auths_sdk::keychain::KeyAlias; #[test] fn filter_removes_next_aliases() { diff --git a/crates/auths-cli/src/commands/log.rs b/crates/auths-cli/src/commands/log.rs index affa7d24..aa11b743 100644 --- a/crates/auths-cli/src/commands/log.rs +++ b/crates/auths-cli/src/commands/log.rs 
@@ -1,8 +1,8 @@ use std::time::Duration; use anyhow::{Context, Result, bail}; -use auths_core::ports::network::RegistryClient; use auths_infra_http::HttpRegistryClient; +use auths_sdk::ports::RegistryClient; use auths_transparency::SignedCheckpoint; use clap::{Args, Subcommand}; use serde::Serialize; diff --git a/crates/auths-cli/src/commands/namespace.rs b/crates/auths-cli/src/commands/namespace.rs index 3ace22d4..baeba648 100644 --- a/crates/auths-cli/src/commands/namespace.rs +++ b/crates/auths-cli/src/commands/namespace.rs @@ -5,20 +5,20 @@ use clap::{Parser, Subcommand}; use crate::commands::executable::ExecutableCommand; use crate::config::CliConfig; -use auths_core::ports::namespace::{Ecosystem, PackageName}; -use auths_core::signing::StorageSigner; -use auths_core::storage::keychain::{KeyAlias, get_platform_keychain}; use auths_crypto::AuthsErrorInfo; -use auths_id::storage::identity::IdentityStorage; -use auths_id::storage::layout; use auths_infra_http::resolve_verified_platform_context; use auths_sdk::domains::identity::registration::DEFAULT_REGISTRY_URL; +use auths_sdk::keychain::{KeyAlias, get_platform_keychain}; use auths_sdk::namespace_registry::NamespaceVerifierRegistry; +use auths_sdk::ports::IdentityStorage; +use auths_sdk::ports::{Ecosystem, PackageName}; +use auths_sdk::signing::StorageSigner; +use auths_sdk::storage::RegistryIdentityStorage; +use auths_sdk::storage_layout::layout; use auths_sdk::workflows::namespace::{ DelegateNamespaceCommand, TransferNamespaceCommand, initiate_namespace_claim, parse_claim_response, parse_lookup_response, sign_namespace_delegate, sign_namespace_transfer, }; -use auths_storage::git::RegistryIdentityStorage; use auths_verifier::CanonicalDid; /// Manage namespace claims in package ecosystems. 
@@ -276,7 +276,7 @@ pub fn handle_namespace(cmd: NamespaceCommand, ctx: &CliConfig) -> Result<()> { Err(auths_sdk::workflows::namespace::NamespaceError::VerificationFailed( ref verify_err, )) => { - use auths_core::ports::namespace::NamespaceVerifyError; + use auths_sdk::ports::NamespaceVerifyError; match verify_err { NamespaceVerifyError::OwnershipNotConfirmed { ecosystem, .. } if attempt + 1 < max_retries => diff --git a/crates/auths-cli/src/commands/org.rs b/crates/auths-cli/src/commands/org.rs index 540cd6d9..af73fc74 100644 --- a/crates/auths-cli/src/commands/org.rs +++ b/crates/auths-cli/src/commands/org.rs 
@@ -1,35 +1,29 @@ use anyhow::{Context, Result, anyhow}; -use auths_core::crypto::signer::decrypt_keypair; -use auths_id::attestation::create::create_signed_attestation; -use auths_id::attestation::revoke::create_signed_revocation; -use auths_id::identity::initialize::initialize_registry_identity; -use auths_id::identity::resolve::DidResolver; +use auths_sdk::attestation::create_signed_attestation; +use auths_sdk::attestation::create_signed_revocation; +use auths_sdk::crypto::decrypt_keypair; +use auths_sdk::identity::DidResolver; +use auths_sdk::identity::initialize_registry_identity; use chrono::{DateTime, Utc}; use clap::{ArgAction, Parser, Subcommand}; use serde_json; use std::fs; use std::path::PathBuf; -use auths_core::signing::StorageSigner; -use auths_core::storage::keychain::{KeyAlias, get_platform_keychain}; -use auths_id::{ - attestation::{export::AttestationSink, group::AttestationGroup, verify::verify_with_resolver}, - identity::resolve::DefaultDidResolver, - storage::git_refs::AttestationMetadata, - storage::{ - attestation::AttestationSource, - identity::IdentityStorage, - layout::{self, StorageLayoutConfig}, - }, -}; +use auths_sdk::attestation::{AttestationGroup, AttestationSink, verify_with_resolver}; +use auths_sdk::identity::DefaultDidResolver; +use auths_sdk::keychain::{KeyAlias, get_platform_keychain}; +use auths_sdk::ports::{AttestationMetadata, AttestationSource, IdentityStorage}; +use auths_sdk::signing::StorageSigner; +use auths_sdk::storage_layout::{StorageLayoutConfig, layout}; +use auths_sdk::storage::{ + GitRegistryBackend, RegistryAttestationStorage, RegistryConfig, RegistryIdentityStorage, +}; use auths_sdk::workflows::org::{ AddMemberCommand, OrgContext, RevokeMemberCommand, Role, add_organization_member, member_role_order, revoke_organization_member, }; -use auths_storage::git::{ - GitRegistryBackend, RegistryAttestationStorage, RegistryConfig, RegistryIdentityStorage, -}; use auths_verifier::types::DeviceDID; use 
auths_verifier::{Capability, Ed25519PublicKey, Prefix, PublicKeyHex}; @@ -719,13 +713,13 @@ pub fn handle_org( let org_prefix = org.strip_prefix("did:keri:").unwrap_or(&org).to_string(); let signer = StorageSigner::new(key_storage); - let uuid_provider = auths_core::ports::id::SystemUuidProvider; + let uuid_provider = auths_sdk::ports::SystemUuidProvider; let org_ctx = OrgContext { registry: &*std::sync::Arc::new(GitRegistryBackend::from_config_unchecked( RegistryConfig::single_tenant(&repo_path), )), - clock: &auths_core::ports::clock::SystemClock, + clock: &auths_sdk::ports::SystemClock, uuid_provider: &uuid_provider, signer: &signer, passphrase_provider: passphrase_provider.as_ref(), @@ -826,13 +820,13 @@ pub fn handle_org( let org_prefix = org.strip_prefix("did:keri:").unwrap_or(&org).to_string(); let signer = StorageSigner::new(key_storage); - let uuid_provider = auths_core::ports::id::SystemUuidProvider; + let uuid_provider = auths_sdk::ports::SystemUuidProvider; let org_ctx = OrgContext { registry: &*std::sync::Arc::new(GitRegistryBackend::from_config_unchecked( RegistryConfig::single_tenant(&repo_path), )), - clock: &auths_core::ports::clock::SystemClock, + clock: &auths_sdk::ports::SystemClock, uuid_provider: &uuid_provider, signer: &signer, passphrase_provider: passphrase_provider.as_ref(), @@ -1040,7 +1034,7 @@ fn handle_join(code: &str, registry: &str) -> Result<()> { let pkcs8_bytes = decrypt_keypair(&encrypted_key, &passphrase).context("wrong passphrase")?; let pkcs8 = auths_crypto::Pkcs8Der::new(&pkcs8_bytes[..]); - let seed = auths_core::crypto::ssh::extract_seed_from_pkcs8(&pkcs8) + let seed = auths_sdk::crypto::extract_seed_from_pkcs8(&pkcs8) .context("failed to extract seed from key material")?; // Create a signed bearer payload: { did, timestamp, signature } diff --git a/crates/auths-cli/src/commands/provision.rs b/crates/auths-cli/src/commands/provision.rs index 725ba84b..50f1fd4b 100644 --- a/crates/auths-cli/src/commands/provision.rs 
+++ b/crates/auths-cli/src/commands/provision.rs @@ -6,13 +6,13 @@ use crate::ux::format::Output; use anyhow::{Context, Result, anyhow}; -use auths_core::signing::PassphraseProvider; -use auths_core::storage::keychain::get_platform_keychain; -use auths_id::ports::registry::RegistryBackend; -use auths_id::storage::identity::IdentityStorage; -use auths_id::storage::registry::install_linearity_hook; +use auths_sdk::keychain::get_platform_keychain; +use auths_sdk::ports::IdentityStorage; +use auths_sdk::ports::RegistryBackend; +use auths_sdk::signing::PassphraseProvider; +use auths_sdk::storage::{GitRegistryBackend, RegistryConfig, RegistryIdentityStorage}; +use auths_sdk::storage_layout::install_linearity_hook; use auths_sdk::workflows::provision::{IdentityConfig, NodeConfig, enforce_identity_state}; -use auths_storage::git::{GitRegistryBackend, RegistryConfig, RegistryIdentityStorage}; use clap::Parser; use config::{Config, Environment, File}; use std::path::{Path, PathBuf}; diff --git a/crates/auths-cli/src/commands/sign.rs b/crates/auths-cli/src/commands/sign.rs index 107a4e03..f6c59cde 100644 --- a/crates/auths-cli/src/commands/sign.rs +++ b/crates/auths-cli/src/commands/sign.rs @@ -5,8 +5,8 @@ use clap::Parser; use std::path::{Path, PathBuf}; use std::sync::Arc; -use auths_core::config::EnvironmentConfig; -use auths_core::signing::PassphraseProvider; +use auths_sdk::core_config::EnvironmentConfig; +use auths_sdk::signing::PassphraseProvider; use super::artifact::sign::handle_sign as handle_artifact_sign; diff --git a/crates/auths-cli/src/commands/sign_commit.rs b/crates/auths-cli/src/commands/sign_commit.rs index 84b73c63..6e4c1cc8 100644 --- a/crates/auths-cli/src/commands/sign_commit.rs +++ b/crates/auths-cli/src/commands/sign_commit.rs 
@@ -1,7 +1,7 @@ //! Sign a Git commit with machine identity and OIDC binding. use anyhow::{Result, anyhow}; -use auths_core::paths::auths_home_with_config; +use auths_sdk::paths::auths_home_with_config; use clap::Parser; use serde::Serialize; diff --git a/crates/auths-cli/src/commands/signers.rs b/crates/auths-cli/src/commands/signers.rs index f1d1db2c..acf2d603 100644 --- a/crates/auths-cli/src/commands/signers.rs +++ b/crates/auths-cli/src/commands/signers.rs @@ -1,10 +1,10 @@ //! Signer management commands for Auths. use anyhow::{Context, Result}; +use auths_sdk::storage::RegistryAttestationStorage; use auths_sdk::workflows::allowed_signers::{ AllowedSigners, AllowedSignersError, EmailAddress, SignerPrincipal, SignerSource, SyncReport, }; -use auths_storage::git::RegistryAttestationStorage; use auths_verifier::core::Ed25519PublicKey; use clap::{Parser, Subcommand}; use ssh_key::PublicKey as SshPublicKey; diff --git a/crates/auths-cli/src/commands/status.rs b/crates/auths-cli/src/commands/status.rs index 55d72bc2..5e832ab6 100644 --- a/crates/auths-cli/src/commands/status.rs +++ b/crates/auths-cli/src/commands/status.rs @@ -2,12 +2,12 @@ use crate::ux::format::{JsonResponse, Output, is_json_mode}; use anyhow::{Result, anyhow}; -use auths_core::config::EnvironmentConfig; -use auths_core::storage::keychain::KeyStorage; -use auths_id::storage::attestation::AttestationSource; -use auths_id::storage::identity::IdentityStorage; -use auths_id::storage::layout; -use auths_storage::git::{RegistryAttestationStorage, RegistryIdentityStorage}; +use auths_sdk::core_config::EnvironmentConfig; +use auths_sdk::keychain::KeyStorage; +use auths_sdk::ports::AttestationSource; +use auths_sdk::ports::IdentityStorage; +use auths_sdk::storage::{RegistryAttestationStorage, RegistryIdentityStorage}; +use auths_sdk::storage_layout::layout; use chrono::{DateTime, Duration, Utc}; use clap::Parser; use serde::Serialize; 
@@ -292,16 +292,15 @@ fn load_identity_status( let storage = RegistryIdentityStorage::new(repo_path); match storage.load_identity() { Ok(identity) => { - let key_aliases = - auths_core::storage::keychain::get_platform_keychain_with_config(env_config) - .ok() - .and_then(|keychain| { - keychain - .list_aliases_for_identity(&identity.controller_did) - .ok() - }) - .map(|aliases| aliases.iter().map(|a| a.as_str().to_string()).collect()) - .unwrap_or_default(); + let key_aliases = auths_sdk::keychain::get_platform_keychain_with_config(env_config) + .ok() + .and_then(|keychain| { + keychain + .list_aliases_for_identity(&identity.controller_did) + .ok() + }) + .map(|aliases| aliases.iter().map(|a| a.as_str().to_string()).collect()) + .unwrap_or_default(); Some(IdentityStatus { controller_did: identity.controller_did.to_string(), @@ -454,7 +453,7 @@ fn compute_device_status( /// Get the auths directory path (~/.auths), respecting AUTHS_HOME. fn get_auths_dir() -> Result { - auths_core::paths::auths_home().map_err(|e| anyhow!(e)) + auths_sdk::paths::auths_home().map_err(|e| anyhow!(e)) } /// Resolve the repository path from optional argument or default (~/.auths). diff --git a/crates/auths-cli/src/commands/trust.rs b/crates/auths-cli/src/commands/trust.rs index 3018d5d9..ca1302a5 100644 --- a/crates/auths-cli/src/commands/trust.rs +++ b/crates/auths-cli/src/commands/trust.rs @@ -4,7 +4,7 @@ use crate::ux::format::{JsonResponse, Output, is_json_mode}; use anyhow::{Context, Result, anyhow}; -use auths_core::trust::{PinnedIdentity, PinnedIdentityStore, TrustLevel}; +use auths_sdk::trust::{PinnedIdentity, PinnedIdentityStore, TrustLevel}; use auths_verifier::PublicKeyHex; use chrono::{DateTime, Utc}; use clap::{Parser, Subcommand}; diff --git a/crates/auths-cli/src/commands/utils.rs b/crates/auths-cli/src/commands/utils.rs index 0ddfc4a4..05fef142 100644 --- a/crates/auths-cli/src/commands/utils.rs +++ b/crates/auths-cli/src/commands/utils.rs 
@@ -5,7 +5,7 @@ use std::convert::TryInto; use std::path::PathBuf; use auths_crypto::{ed25519_pubkey_to_did_key, openssh_pub_to_raw_ed25519}; -use auths_id::identity::helpers::{encode_seed_as_pkcs8, load_keypair_from_der_or_seed}; +use auths_sdk::identity::{encode_seed_as_pkcs8, load_keypair_from_der_or_seed}; use crate::commands::device::verify_attestation::handle_verify_attestation; diff --git a/crates/auths-cli/src/commands/whoami.rs b/crates/auths-cli/src/commands/whoami.rs index af106435..c5b882db 100644 --- a/crates/auths-cli/src/commands/whoami.rs +++ b/crates/auths-cli/src/commands/whoami.rs @@ -1,7 +1,7 @@ use anyhow::{Result, anyhow}; -use auths_id::storage::identity::IdentityStorage; -use auths_id::storage::layout; -use auths_storage::git::RegistryIdentityStorage; +use auths_sdk::ports::IdentityStorage; +use auths_sdk::storage::RegistryIdentityStorage; +use auths_sdk::storage_layout as layout; use clap::Parser; use serde::Serialize; diff --git a/crates/auths-cli/src/commands/witness.rs b/crates/auths-cli/src/commands/witness.rs index 057e4a27..6fb32655 100644 --- a/crates/auths-cli/src/commands/witness.rs +++ b/crates/auths-cli/src/commands/witness.rs @@ -7,10 +7,10 @@ use anyhow::{Result, anyhow}; use auths_utils::path::expand_tilde; use clap::{Parser, Subcommand}; -use auths_core::witness::{WitnessServerConfig, WitnessServerState, run_server}; -use auths_id::storage::identity::IdentityStorage; -use auths_id::witness_config::WitnessConfig; -use auths_storage::git::RegistryIdentityStorage; +use auths_sdk::ports::IdentityStorage; +use auths_sdk::storage::RegistryIdentityStorage; +use auths_sdk::witness::WitnessConfig; +use auths_sdk::witness::{WitnessServerConfig, WitnessServerState, run_server}; /// Manage the KERI witness server. #[derive(Parser, Debug, Clone)] 
@@ -68,7 +68,7 @@ pub fn handle_witness(cmd: WitnessCommand, repo_opt: Option) -> Result< rt.block_on(async { let state = { let (seed, pubkey) = - auths_core::crypto::provider_bridge::generate_ed25519_keypair_sync() + auths_sdk::crypto::provider_bridge::generate_ed25519_keypair_sync() .map_err(|e| anyhow::anyhow!("Failed to generate keypair: {}", e))?; let witness_did = if let Some(did) = witness_did { diff --git a/crates/auths-cli/src/config.rs b/crates/auths-cli/src/config.rs index 3477f24d..2518e5c1 100644 --- a/crates/auths-cli/src/config.rs +++ b/crates/auths-cli/src/config.rs @@ -1,8 +1,8 @@ use std::path::PathBuf; use std::sync::Arc; -use auths_core::config::EnvironmentConfig; -use auths_core::signing::PassphraseProvider; +use auths_sdk::core_config::EnvironmentConfig; +use auths_sdk::signing::PassphraseProvider; #[derive(Debug, Clone, Copy, Default, clap::ValueEnum)] pub enum OutputFormat { diff --git a/crates/auths-cli/src/core/provider.rs b/crates/auths-cli/src/core/provider.rs index 2f5e76bd..5dd57077 100644 --- a/crates/auths-cli/src/core/provider.rs +++ b/crates/auths-cli/src/core/provider.rs @@ -1,6 +1,6 @@ use anyhow::Context; -use auths_core::error::AgentError; -use auths_core::signing::PassphraseProvider; +use auths_sdk::error::AgentError; +use auths_sdk::signing::PassphraseProvider; use zeroize::Zeroizing; /// A PassphraseProvider implementation that prompts the user on the command line. diff --git a/crates/auths-cli/src/core/pubkey_cache.rs b/crates/auths-cli/src/core/pubkey_cache.rs index 38dc42da..a03560f8 100644 --- a/crates/auths-cli/src/core/pubkey_cache.rs +++ b/crates/auths-cli/src/core/pubkey_cache.rs @@ -13,7 +13,7 @@ use super::fs::{create_restricted_dir, write_sensitive_file}; /// Get the pubkey cache directory path (~/.auths/pubkeys), respecting AUTHS_HOME. fn get_pubkey_cache_dir() -> Result { - Ok(auths_core::paths::auths_home() + Ok(auths_sdk::paths::auths_home() .map_err(|e| anyhow!(e))? .join("pubkeys")) } 
diff --git a/crates/auths-cli/src/errors/renderer.rs b/crates/auths-cli/src/errors/renderer.rs index f1db597b..8d8525e3 100644 --- a/crates/auths-cli/src/errors/renderer.rs +++ b/crates/auths-cli/src/errors/renderer.rs @@ -1,15 +1,15 @@ use anyhow::Error; -use auths_core::error::TrustError as CoreTrustError; -use auths_core::error::{AgentError, AuthsErrorInfo}; -use auths_core::pairing::PairingError; -use auths_id::error::StorageError as IdStorageError; -use auths_id::error::{FreezeError, InitError}; -use auths_id::storage::StorageError as IdDriverStorageError; use auths_sdk::domains::signing::service::{ArtifactSigningError, SigningError}; +use auths_sdk::error::CoreTrustError; +use auths_sdk::error::IdDriverStorageError; +use auths_sdk::error::IdStorageError; +use auths_sdk::error::PairingError; +use auths_sdk::error::{AgentError, AuthsErrorInfo}; use auths_sdk::error::{ ApprovalError, DeviceError, DeviceExtensionError, McpAuthError, OrgError, RegistrationError, RotationError, SdkStorageError, SetupError, TrustError, }; +use auths_sdk::error::{FreezeError, InitError}; use auths_sdk::workflows::allowed_signers::AllowedSignersError; use auths_sdk::workflows::auth::AuthChallengeError; use auths_verifier::{AttestationError, CommitVerificationError}; @@ -290,7 +290,7 @@ mod tests { #[test] fn setup_error_storage_delegates_to_inner_code() { - let inner = auths_id::error::StorageError::NotFound("test".into()); + let inner = IdStorageError::NotFound("test".into()); let sdk_err = auths_sdk::error::SdkStorageError::Identity(inner); let setup_err = SetupError::StorageError(sdk_err); let err = Error::new(setup_err); diff --git a/crates/auths-cli/src/factories/mod.rs b/crates/auths-cli/src/factories/mod.rs index 0cba425f..aac4b19d 100644 --- a/crates/auths-cli/src/factories/mod.rs +++ b/crates/auths-cli/src/factories/mod.rs 
@@ -5,11 +5,11 @@ use std::sync::Arc; use anyhow::Result; -use auths_core::config::{EnvironmentConfig, load_config}; -use auths_core::paths::auths_home; -use auths_core::signing::{KeychainPassphraseProvider, PassphraseProvider}; -use auths_core::storage::passphrase_cache::{get_passphrase_cache, parse_duration_str}; +use auths_sdk::core_config::{EnvironmentConfig, load_config}; +use auths_sdk::keychain::{get_passphrase_cache, parse_duration_str}; +use auths_sdk::paths::auths_home; use auths_sdk::ports::agent::AgentSigningPort; +use auths_sdk::signing::{KeychainPassphraseProvider, PassphraseProvider}; use auths_telemetry::TelemetryShutdown; use auths_telemetry::config::{build_sinks_from_config, load_audit_config}; use auths_telemetry::sinks::composite::CompositeSink; diff --git a/crates/auths-cli/src/factories/storage.rs b/crates/auths-cli/src/factories/storage.rs index 9efeaabc..a82cafc1 100644 --- a/crates/auths-cli/src/factories/storage.rs +++ b/crates/auths-cli/src/factories/storage.rs 
@@ -2,18 +2,18 @@ use std::path::Path; use std::sync::Arc; use anyhow::Result; -use auths_core::config::EnvironmentConfig; -use auths_core::ports::clock::SystemClock; -use auths_core::ports::storage::StorageError; -use auths_core::signing::PassphraseProvider; -use auths_core::storage::keychain::get_platform_keychain_with_config; -use auths_id::attestation::export::AttestationSink; -use auths_id::ports::registry::RegistryBackend; -use auths_id::storage::attestation::AttestationSource; -use auths_id::storage::identity::IdentityStorage; use auths_infra_git::GitRepo; +use auths_sdk::attestation::AttestationSink; use auths_sdk::context::AuthsContext; -use auths_storage::git::{ +use auths_sdk::core_config::EnvironmentConfig; +use auths_sdk::keychain::get_platform_keychain_with_config; +use auths_sdk::ports::AttestationSource; +use auths_sdk::ports::CoreStorageError as StorageError; +use auths_sdk::ports::IdentityStorage; +use auths_sdk::ports::RegistryBackend; +use auths_sdk::ports::SystemClock; +use auths_sdk::signing::PassphraseProvider; +use auths_sdk::storage::{ GitRegistryBackend, RegistryAttestationStorage, RegistryConfig, RegistryIdentityStorage, }; diff --git a/crates/auths-cli/tests/cases/key_rotation.rs b/crates/auths-cli/tests/cases/key_rotation.rs index 778b40ee..7d9b5f63 100644 --- a/crates/auths-cli/tests/cases/key_rotation.rs +++ b/crates/auths-cli/tests/cases/key_rotation.rs @@ -1,7 +1,7 @@ use tempfile::tempdir; -use auths_id::identity::events::KeyRotationEvent; -use auths_id::storage::keri::KeriGitStorage; +use auths_sdk::identity::KeyRotationEvent; +use auths_sdk::keri::KeriGitStorage; use auths_verifier::keri::Prefix; use chrono::Utc; diff --git a/crates/auths-cli/tests/cases/preset.rs b/crates/auths-cli/tests/cases/preset.rs index bbaf1e39..492211a1 100644 --- a/crates/auths-cli/tests/cases/preset.rs +++ b/crates/auths-cli/tests/cases/preset.rs 
@@ -1,8 +1,7 @@
-use auths_id::storage::attestation::AttestationSource;
-use auths_id::storage::identity::IdentityStorage;
-use auths_id::storage::layout::StorageLayoutConfig;
-use auths_id::storage::layout::{attestation_ref_for_device, identity_ref};
-use auths_storage::git::{GitAttestationStorage, GitIdentityStorage};
+use auths_sdk::ports::AttestationSource;
+use auths_sdk::ports::IdentityStorage;
+use auths_sdk::storage::{GitAttestationStorage, GitIdentityStorage};
+use auths_sdk::storage_layout::{StorageLayoutConfig, attestation_ref_for_device, identity_ref};
 use auths_verifier::types::DeviceDID;
 use tempfile::tempdir;
diff --git a/crates/auths-sdk/Cargo.toml b/crates/auths-sdk/Cargo.toml
index 8019c8d3..38db320a 100644
--- a/crates/auths-sdk/Cargo.toml
+++ b/crates/auths-sdk/Cargo.toml
@@ -12,8 +12,9 @@ categories = ["cryptography", "authentication"]
 [dependencies]
 async-trait = "0.1"
-auths-core.workspace = true
-auths-id.workspace = true
+auths-core = { workspace = true, public = true }
+auths-id = { workspace = true, public = true }
+auths-storage = { workspace = true, optional = true, public = true }
 auths-infra-http.workspace = true
 auths-oidc-port = { path = "../auths-oidc-port", version = "0.1.0" }
 auths-telemetry.workspace = true
@@ -49,6 +50,10 @@ auths-pairing-daemon = { workspace = true, optional = true }
 test-utils = ["auths-id/test-utils"]
 mcp = ["dep:reqwest"]
 lan-pairing = ["dep:auths-pairing-daemon"]
+backend-git = ["dep:auths-storage", "auths-storage/backend-git"]
+witness-server = ["auths-core/witness-server"]
+witness-client = ["auths-id/witness-client"]
+indexed-storage = ["auths-id/indexed-storage"]
 [dev-dependencies]
 auths-sdk = { path = ".", features = ["test-utils"] }
diff --git a/crates/auths-sdk/src/agent_core.rs b/crates/auths-sdk/src/agent_core.rs
new file mode 100644
index 00000000..1c4af521
--- /dev/null
+++ b/crates/auths-sdk/src/agent_core.rs
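Review bot: The `public = true` key on `auths-core`, `auths-id` and `auths-storage` in the `[dependencies]` hunk is, as far as I know, only honored by cargo's unstable public-dependency support; on a stable toolchain it is ignored with a warning rather than enforced, so it does not by itself stop a consumer from being handed a type it cannot name. If the intent is to record which crates' types appear in the SDK's API, a comment above those three lines, `# public = true: these crates' types are re-exported from auths-sdk's API surface`, makes that explicit regardless of toolchain; the `scripts/check_sdk_boundary.sh` added at the end of this patch is presumably the real enforcement. Separately, `backend-git` is a new optional feature while the CLI now imports `auths_sdk::storage::*` unconditionally, so `crates/auths-cli/Cargo.toml` (changed in this patch but outside this view) must enable it or the CLI build breaks.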
@@ -0,0 +1,7 @@
+//! Re-exports of agent types from `auths-core`.
+
+pub use auths_core::AgentHandle;
+pub use auths_core::agent::{
+    AgentStatus, add_identity, agent_sign, check_agent_status, remove_all_identities,
+};
+pub use auths_core::api::start_agent_listener_with_handle;
diff --git a/crates/auths-sdk/src/attestation.rs b/crates/auths-sdk/src/attestation.rs
new file mode 100644
index 00000000..d801b132
--- /dev/null
+++ b/crates/auths-sdk/src/attestation.rs
@@ -0,0 +1,7 @@
+//! Re-exports of attestation types and operations from `auths-id`.
+
+pub use auths_id::attestation::create::create_signed_attestation;
+pub use auths_id::attestation::export::AttestationSink;
+pub use auths_id::attestation::group::AttestationGroup;
+pub use auths_id::attestation::revoke::create_signed_revocation;
+pub use auths_id::attestation::verify::verify_with_resolver;
diff --git a/crates/auths-sdk/src/core_config.rs b/crates/auths-sdk/src/core_config.rs
new file mode 100644
index 00000000..a23049b0
--- /dev/null
+++ b/crates/auths-sdk/src/core_config.rs
@@ -0,0 +1,5 @@
+//! Re-exports of configuration types from `auths-core`.
+
+pub use auths_core::config::{
+    AuthsConfig, EnvironmentConfig, PassphraseCachePolicy, load_config, save_config,
+};
diff --git a/crates/auths-sdk/src/crypto.rs b/crates/auths-sdk/src/crypto.rs
new file mode 100644
index 00000000..16f88a39
--- /dev/null
+++ b/crates/auths-sdk/src/crypto.rs
@@ -0,0 +1,8 @@
+//! Re-exports of cryptographic utilities from `auths-core`.
+
+pub use auths_core::crypto::provider_bridge;
+pub use auths_core::crypto::signer::decrypt_keypair;
+pub use auths_core::crypto::ssh::{
+    SecureSeed, construct_sshsig_pem, construct_sshsig_signed_data, create_sshsig,
+    encode_ssh_pubkey, extract_seed_from_pkcs8,
+};
diff --git a/crates/auths-sdk/src/error.rs b/crates/auths-sdk/src/error.rs
index 1911f13d..215eaa69 100644
--- a/crates/auths-sdk/src/error.rs
+++ b/crates/auths-sdk/src/error.rs
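Review bot: `crypto.rs` re-exports `decrypt_keypair`, `extract_seed_from_pkcs8` and `SecureSeed` with only a one-line module doc, which makes raw private-key material part of the SDK's public surface without saying who is responsible for wiping it; the CLI caller in `commands/org.rs` (`handle_join`) feeds the decrypted PKCS#8 bytes straight into `extract_seed_from_pkcs8`, and `commands/key.rs` pulls in `zeroize::{Zeroize, Zeroizing}` for exactly this kind of buffer. I would add a module-level note such as `//! The key-material helpers here (`decrypt_keypair`, `extract_seed_from_pkcs8`) return raw secrets; keep them in `Zeroizing` buffers and never log or persist them.` Whether `SecureSeed` already zeroizes on drop cannot be confirmed from this diff, so that wording should be checked against `auths_core::crypto::ssh` before it is relied on.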
@@ -1,4 +1,4 @@
-use auths_core::error::AuthsErrorInfo;
+pub use auths_core::error::AuthsErrorInfo;
 use thiserror::Error;
 /// Typed storage errors originating from the `auths-id` layer.
@@ -72,3 +72,14 @@ pub use crate::domains::compliance::error::ApprovalError;
 /// Re-export from `auths-core` — defined there to avoid a circular dependency with
 /// `auths-infra-http` (which implements the platform port traits).
 pub use auths_core::ports::platform::PlatformError;
+
+// Re-exported error types from auths-core for CLI error rendering
+pub use auths_core::error::AgentError;
+pub use auths_core::error::TrustError as CoreTrustError;
+pub use auths_core::pairing::PairingError;
+
+// Re-exported error types from auths-id for CLI error rendering
+pub use auths_id::error::FreezeError;
+pub use auths_id::error::InitError;
+pub use auths_id::error::StorageError as IdStorageError;
+pub use auths_id::storage::StorageError as IdDriverStorageError;
diff --git a/crates/auths-sdk/src/ffi.rs b/crates/auths-sdk/src/ffi.rs
new file mode 100644
index 00000000..7bef2401
--- /dev/null
+++ b/crates/auths-sdk/src/ffi.rs
@@ -0,0 +1,3 @@
+//! Re-exports of FFI types from `auths-core`.
+
+pub use auths_core::api::ffi;
diff --git a/crates/auths-sdk/src/freeze.rs b/crates/auths-sdk/src/freeze.rs
new file mode 100644
index 00000000..a3e46e9e
--- /dev/null
+++ b/crates/auths-sdk/src/freeze.rs
@@ -0,0 +1,5 @@
+//! Re-exports of freeze types from `auths-id`.
+
+pub use auths_id::freeze::{
+    FreezeState, load_active_freeze, parse_duration, remove_freeze, store_freeze,
+};
diff --git a/crates/auths-sdk/src/identity.rs b/crates/auths-sdk/src/identity.rs
new file mode 100644
index 00000000..f10ee1ee
--- /dev/null
+++ b/crates/auths-sdk/src/identity.rs
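Review bot: The error module now exposes three near-identically named storage errors — `IdStorageError` (`auths_id::error::StorageError`), `IdDriverStorageError` (`auths_id::storage::StorageError`) and the pre-existing `SdkStorageError` — with only a one-line `//` comment, so a consumer matching on variants has no way to tell which one a given SDK call returns. The `renderer.rs` test in this patch shows the relationship (`SdkStorageError::Identity(inner)` wraps an `IdStorageError`); a `///` doc on each re-export stating its origin and wrapper, e.g. `/// Identity-layer storage error, carried by [`SdkStorageError::Identity`].`, would settle that. The first-hunk change from `use` to `pub use` for `AuthsErrorInfo` also silently makes that trait part of the SDK's public API; a one-line doc saying it is re-exported for CLI error rendering would match the comments on the other re-exports.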
@@ -0,0 +1,14 @@
+//! Re-exports of identity types and operations from `auths-id`.
+
+pub use auths_id::identity::helpers::{
+    ManagedIdentity, encode_seed_as_pkcs8, load_keypair_from_der_or_seed,
+};
+pub use auths_id::identity::initialize::initialize_registry_identity;
+pub use auths_id::identity::resolve::{DefaultDidResolver, DidResolver, RegistryDidResolver};
+pub use auths_id::identity::rotate::rotate_keri_identity;
+
+// Agent identity types
+pub use auths_id::agent_identity::{AgentProvisioningConfig, AgentStorageMode, format_agent_toml};
+
+// Identity events (used in tests)
+pub use auths_id::identity::events::KeyRotationEvent;
diff --git a/crates/auths-sdk/src/keri.rs b/crates/auths-sdk/src/keri.rs
new file mode 100644
index 00000000..f4544089
--- /dev/null
+++ b/crates/auths-sdk/src/keri.rs
@@ -0,0 +1,4 @@
+//! Re-exports of KERI cache module from `auths-id`.
+
+pub use auths_id::keri::cache;
+pub use auths_id::storage::keri::KeriGitStorage;
diff --git a/crates/auths-sdk/src/keychain.rs b/crates/auths-sdk/src/keychain.rs
new file mode 100644
index 00000000..950db621
--- /dev/null
+++ b/crates/auths-sdk/src/keychain.rs
@@ -0,0 +1,12 @@
+//! Re-exports of keychain, encrypted file storage, and passphrase cache types from `auths-core`.
+
+pub use auths_core::storage::encrypted_file::EncryptedFileStorage;
+pub use auths_core::storage::keychain;
+pub use auths_core::storage::keychain::{
+    KeyAlias, KeyRole, KeyStorage, extract_public_key_bytes, get_platform_keychain,
+    get_platform_keychain_with_config,
+};
+pub use auths_core::storage::passphrase_cache::{get_passphrase_cache, parse_duration_str};
+
+// IdentityDID is re-exported from keychain
+pub use auths_core::storage::keychain::IdentityDID;
diff --git a/crates/auths-sdk/src/lib.rs b/crates/auths-sdk/src/lib.rs
index bcbc9d89..16c249e5 100644
--- a/crates/auths-sdk/src/lib.rs
+++ b/crates/auths-sdk/src/lib.rs
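Review bot: In `identity.rs` the re-export of `KeyRotationEvent` is annotated `// Identity events (used in tests)`, yet it is a `pub use` on a published crate, so it is public API regardless of who consumes it today; either drop the qualifier or, if it is really test-only, gate it with `#[cfg(feature = "test-utils")]` behind the feature this crate already declares. The module doc on `keri.rs` says it re-exports the KERI *cache* module, but its second line also re-exports `KeriGitStorage` from `auths_id::storage::keri`; `//! Re-exports of the KERI event cache and Git-backed KERI storage from `auths-id`.` covers both (the matching `///` line in `lib.rs` has the same gap). These are doc-only points, but the re-export modules are the SDK's new public surface and their one-line docs are all a consumer will see.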
@@ -18,6 +18,41 @@
 //! SDK functions accept typed configs and return structured `Result` types.
 //! They never prompt for input, print to stdout, or call `process::exit()`.
+
+// ── Re-export modules: types from auths-core, auths-id, auths-storage ──
+// These allow CLI and API consumers to import through auths-sdk instead of
+// depending on lower-layer crates directly.
+
+/// Re-exports of agent process types from `auths-core`.
+pub mod agent_core;
+/// Re-exports of attestation operations from `auths-id`.
+pub mod attestation;
+/// Re-exports of configuration types from `auths-core`.
+pub mod core_config;
+/// Re-exports of cryptographic utilities from `auths-core`.
+pub mod crypto;
+/// Re-exports of FFI types from `auths-core`.
+pub mod ffi;
+/// Re-exports of freeze types from `auths-id`.
+pub mod freeze;
+/// Re-exports of identity types and operations from `auths-id`.
+pub mod identity;
+/// Re-exports of KERI cache module from `auths-id`.
+pub mod keri;
+/// Re-exports of keychain and key storage types from `auths-core`.
+pub mod keychain;
+/// Re-exports of path utilities from `auths-core`.
+pub mod paths;
+/// Re-exports of Git storage backend types from `auths-storage`.
+pub mod storage;
+/// Re-exports of storage layout types from `auths-id`.
+pub mod storage_layout;
+/// Re-exports of trust and pinned identity types from `auths-core`.
+pub mod trust;
+/// Re-exports of witness server and config types.
+pub mod witness;
+
+// ── SDK modules ──
+
 /// Audit event emission convenience for SDK operations.
 pub mod audit;
 /// Runtime dependency container (`AuthsContext`) for injecting infrastructure adapters.
diff --git a/crates/auths-sdk/src/pairing/mod.rs b/crates/auths-sdk/src/pairing/mod.rs
index a78fd1bf..198e28fe 100644
--- a/crates/auths-sdk/src/pairing/mod.rs
+++ b/crates/auths-sdk/src/pairing/mod.rs
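Review bot: `pub mod storage;` and `pub mod witness;` are declared unconditionally here while their bodies are feature-gated (`backend-git` and `witness-server`, per the new `storage.rs` and `witness.rs` later in this patch), so with the feature off a consumer gets an empty `auths_sdk::storage` module and an unresolved-import error that never mentions the feature. The cheapest fix is in the doc lines: `/// Re-exports of Git storage backend types from `auths-storage`; empty unless the `backend-git` feature is enabled.` and the equivalent sentence on `witness` (only `WitnessConfig` is available without `witness-server`). Gating the declaration itself, `#[cfg(feature = "backend-git")] pub mod storage;`, would make the missing feature the compile error instead, which is the friendlier failure; whether `auths-cli` enables these features is decided in its `Cargo.toml`, outside this hunk.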
@@ -7,8 +7,15 @@
 #[cfg(feature = "lan-pairing")]
 pub mod lan;
-use auths_core::pairing::types::{Base64UrlEncoded, SubmitResponseRequest};
-use auths_core::pairing::{PairingResponse, PairingToken, SessionStatus, normalize_short_code};
+// Re-exports of pairing types from auths-core for CLI consumption
+pub use auths_core::pairing::types::{
+    Base64UrlEncoded, CreateSessionRequest, SubmitResponseRequest,
+};
+pub use auths_core::pairing::{
+    PairingResponse, PairingSession, PairingToken, QrOptions, normalize_short_code, render_qr,
+};
+
+use auths_core::pairing::SessionStatus;
 use auths_core::ports::clock::ClockProvider;
 use auths_core::ports::pairing::PairingRelayClient;
 use auths_core::signing::PassphraseProvider;
diff --git a/crates/auths-sdk/src/paths.rs b/crates/auths-sdk/src/paths.rs
new file mode 100644
index 00000000..0e9bf18a
--- /dev/null
+++ b/crates/auths-sdk/src/paths.rs
@@ -0,0 +1,3 @@
+//! Re-exports of path utilities from `auths-core`.
+
+pub use auths_core::paths::{auths_home, auths_home_with_config};
diff --git a/crates/auths-sdk/src/ports/mod.rs b/crates/auths-sdk/src/ports/mod.rs
index cc04b2ca..21fcfc9b 100644
--- a/crates/auths-sdk/src/ports/mod.rs
+++ b/crates/auths-sdk/src/ports/mod.rs
@@ -14,3 +14,18 @@ pub mod git_config;
 pub mod pairing;
 /// Platform claim port traits for OAuth device flow, proof publishing, and registry submission.
 pub mod platform;
+
+// Re-exports from auths-core ports
+pub use auths_core::ports::clock::SystemClock;
+pub use auths_core::ports::config_store::{ConfigStore, ConfigStoreError};
+pub use auths_core::ports::id::{SystemUuidProvider, UuidProvider};
+pub use auths_core::ports::namespace::{Ecosystem, NamespaceVerifyError, PackageName};
+pub use auths_core::ports::network::RegistryClient;
+pub use auths_core::ports::ssh_agent::{SshAgentError, SshAgentPort};
+pub use auths_core::ports::storage::StorageError as CoreStorageError;
+
+// Re-exports from auths-id ports
+pub use auths_id::ports::registry::RegistryBackend;
+pub use auths_id::storage::attestation::AttestationSource;
+pub use auths_id::storage::git_refs::AttestationMetadata;
+pub use auths_id::storage::identity::IdentityStorage;
diff --git a/crates/auths-sdk/src/signing.rs b/crates/auths-sdk/src/signing.rs
index 102befc2..ab98783d 100644
--- a/crates/auths-sdk/src/signing.rs
+++ b/crates/auths-sdk/src/signing.rs
@@ -5,3 +5,10 @@ pub use crate::domains::signing::service::{
 SigningError, SigningKeyMaterial, construct_signature_payload, sign_artifact, sign_artifact_raw, sign_with_seed, validate_commit_sha, validate_freeze_state,
 };
+
+// Signing primitives from auths-core
+pub use auths_core::PrefilledPassphraseProvider;
+pub use auths_core::signing::{
+ KeychainPassphraseProvider, PassphraseProvider, SecureSigner, StorageSigner,
+ UnifiedPassphraseProvider,
+};
diff --git a/crates/auths-sdk/src/storage.rs b/crates/auths-sdk/src/storage.rs
new file mode 100644
index 00000000..0a213f92
--- /dev/null
+++ b/crates/auths-sdk/src/storage.rs
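Review bot: `SystemClock` is re-exported here but the trait it implements is not in this list — pairing/mod.rs in this same patch still names it as `auths_core::ports::clock::ClockProvider` — so unless it is exported earlier in `ports/mod.rs` (outside the hunk) a CLI consumer can pass the real clock but cannot implement a fixed-time clock through the SDK, which the emergency handlers in patch 2 would need to make their revocation and rotation timestamps testable. I would add `pub use auths_core::ports::clock::ClockProvider;` next to `SystemClock`. The `StorageError as CoreStorageError` rename is also uncommented; a short note on why the `Core` prefix is needed (presumably to avoid clashing with an SDK-level `StorageError`) saves the next reader a search.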
@@ -0,0 +1,9 @@
+//! Re-exports of Git storage backend types from `auths-storage`.
+//!
+//! Gated behind the `backend-git` feature.
+
+#[cfg(feature = "backend-git")]
+pub use auths_storage::git::{
+ GitAttestationStorage, GitIdentityStorage, GitRegistryBackend, RegistryAttestationStorage,
+ RegistryConfig, RegistryIdentityStorage,
+};
diff --git a/crates/auths-sdk/src/storage_layout.rs b/crates/auths-sdk/src/storage_layout.rs
new file mode 100644
index 00000000..eb653f23
--- /dev/null
+++ b/crates/auths-sdk/src/storage_layout.rs
@@ -0,0 +1,7 @@
+//! Re-exports of storage layout types from `auths-id`.
+
+pub use auths_id::storage::layout;
+pub use auths_id::storage::layout::{
+ StorageLayoutConfig, attestation_ref_for_device, identity_ref, resolve_repo_path,
+};
+pub use auths_id::storage::registry::install_linearity_hook;
diff --git a/crates/auths-sdk/src/trust.rs b/crates/auths-sdk/src/trust.rs
new file mode 100644
index 00000000..6a5b257b
--- /dev/null
+++ b/crates/auths-sdk/src/trust.rs
@@ -0,0 +1,5 @@
+//! Re-exports of trust and pinned identity types from `auths-core`.
+
+pub use auths_core::trust::{
+ PinnedIdentity, PinnedIdentityStore, RootsFile, TrustLevel, TrustPolicy,
+};
diff --git a/crates/auths-sdk/src/witness.rs b/crates/auths-sdk/src/witness.rs
new file mode 100644
index 00000000..0da1a556
--- /dev/null
+++ b/crates/auths-sdk/src/witness.rs
@@ -0,0 +1,6 @@
+//! Re-exports of witness server and config types.
+
+pub use auths_id::witness_config::WitnessConfig;
+
+#[cfg(feature = "witness-server")]
+pub use auths_core::witness::{WitnessServerConfig, WitnessServerState, run_server};
diff --git a/scripts/check_sdk_boundary.sh b/scripts/check_sdk_boundary.sh
new file mode 100755
index 00000000..2529e8cf
--- /dev/null
+++ b/scripts/check_sdk_boundary.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -euo pipefail
+
+# Hard ban: CLI must not reference core/id/storage directly.
+# Zero exceptions. Pre-launch, zero users, no reason to bypass.
+# Covers ALL of auths-cli/src/, including test code.
+
+# Check both `use` imports AND inline qualified paths
+VIOLATIONS=$(grep -rn "auths_core::\|auths_id::\|auths_storage::" \
+ crates/auths-cli/src/ \
+ --include='*.rs' || true)
+
+if [ -n "$VIOLATIONS" ]; then
+ echo "BLOCKED: CLI referencing core/id/storage directly."
+ echo "Route all imports through auths-sdk modules."
+ echo ""
+ echo "$VIOLATIONS"
+ exit 1
+fi
+
+echo "OK: No direct core/id/storage references in CLI."
From 4d501ccc8cb94b7f5f8914a2bf6fc8d89e0cccd3 Mon Sep 17 00:00:00 2001
From: bordumb
Date: Sun, 5 Apr 2026 19:47:34 -0700
Subject: [PATCH 2/2] refactor: route all CLI imports through SDK and replace manual storage wiring with build_auths_context
---
 crates/auths-cli/src/commands/auth.rs | 19 ++--
 crates/auths-cli/src/commands/emergency.rs | 115 +++++++--------------
 crates/auths-cli/src/commands/namespace.rs | 34 +++---
 crates/auths-cli/src/commands/provision.rs | 23 ++---
 4 files changed, 78 insertions(+), 113 deletions(-)
diff --git a/crates/auths-cli/src/commands/auth.rs b/crates/auths-cli/src/commands/auth.rs
index a74635a1..e4873340 100644
--- a/crates/auths-cli/src/commands/auth.rs
+++ b/crates/auths-cli/src/commands/auth.rs
@@ -5,10 +5,10 @@ use auths_crypto::Pkcs8Der;
 use auths_sdk::crypto::decrypt_keypair;
 use auths_sdk::crypto::extract_seed_from_pkcs8;
 use auths_sdk::crypto::provider_bridge;
-use auths_sdk::keychain::{KeyStorage, get_platform_keychain_with_config};
-use auths_sdk::ports::IdentityStorage;
-use auths_sdk::storage::RegistryIdentityStorage;
+use auths_sdk::keychain::KeyStorage;
 use auths_sdk::storage_layout::layout;
+
+use crate::factories::storage::build_auths_context;
 use auths_sdk::workflows::auth::sign_auth_challenge;
 use crate::commands::executable::ExecutableCommand;
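Review bot: The `|| true` after `grep -rn` in the `VIOLATIONS=$(...)` assignment also swallows grep's error exit (status 2), so when the script runs from a directory where `crates/auths-cli/src/` does not exist — from `scripts/` itself, or a pre-commit hook with a different working directory — it prints `OK` and exits 0 instead of failing, which is the opposite of what a hard ban should do. The pattern `auths_core::\|auths_id::\|auths_storage::` also misses `use auths_core;`, `extern crate auths_core` and `use auths_core as …`, each of which still creates the direct dependency the ban is meant to exclude. I would anchor the script to the repository root, fail when the directory is missing, and match the crate names as whole words. The `Cargo.toml` dependency removal listed in the diffstat (not visible here) remains the stronger guarantee, so the header comment should say this grep is a complement to it, not the enforcement.
```shell
# Run from the repository root regardless of the caller's cwd.
cd "$(dirname "$0")/.."
[ -d crates/auths-cli/src ] || { echo "BLOCKED: crates/auths-cli/src not found (wrong working directory?)"; exit 1; }

# Check `use` imports, inline qualified paths, and bare/aliased crate names.
VIOLATIONS=$(grep -rnwE 'auths_(core|id|storage)' \
  crates/auths-cli/src/ \
  --include='*.rs' || true)
# … unchanged: BLOCKED / OK reporting …
```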
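Review bot: The new `use crate::factories::storage::build_auths_context;` is inserted between two `auths_sdk` imports rather than in the `crate::` group that already holds `use crate::commands::executable::ExecutableCommand;`, so the file now has the crate-local import split across two places; `rustfmt` does not reorder across the blank line, so this stays as written. I would move the line down next to the other `crate::` import. The import list continues past this hunk.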
@@ -59,8 +59,13 @@ fn handle_auth_challenge(nonce: &str, domain: &str, ctx: &CliConfig) -> Result<( let repo_path = layout::resolve_repo_path(ctx.repo_path.clone())?; let passphrase_provider = ctx.passphrase_provider.clone(); - let identity_storage = RegistryIdentityStorage::new(repo_path.clone()); - let managed = identity_storage + let auths_ctx = build_auths_context( + &repo_path, + &ctx.env_config, + Some(ctx.passphrase_provider.clone()), + )?; + let managed = auths_ctx + .identity_storage .load_identity() .context("No identity found. Run `auths init` first.")?; @@ -71,8 +76,8 @@ fn handle_auth_challenge(nonce: &str, domain: &str, ctx: &CliConfig) -> Result<( let key_alias = auths_sdk::keychain::KeyAlias::new(&key_alias_str) .map_err(|e| anyhow!("Invalid key alias: {e}"))?; - let keychain = get_platform_keychain_with_config(&ctx.env_config)?; - let (_stored_did, _role, encrypted_key) = keychain + let (_stored_did, _role, encrypted_key) = auths_ctx + .key_storage .load_key(&key_alias) .with_context(|| format!("Failed to load key '{}'", key_alias_str))?; diff --git a/crates/auths-cli/src/commands/emergency.rs b/crates/auths-cli/src/commands/emergency.rs index 1152a0ac..7fe7095f 100644 --- a/crates/auths-cli/src/commands/emergency.rs +++ b/crates/auths-cli/src/commands/emergency.rs @@ -14,6 +14,7 @@ use dialoguer::{Confirm, Input, Select}; use serde::{Deserialize, Serialize}; use std::io::IsTerminal; use std::path::PathBuf; +use std::sync::Arc; /// Emergency incident response commands. #[derive(Parser, Debug, Clone)] 
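Review bot: `ctx.passphrase_provider` is cloned twice in `handle_auth_challenge` — once into the pre-existing local `passphrase_provider` and again inside the `build_auths_context` call; the emergency handlers in this same patch wrap the same field as `Arc::clone(&ctx.passphrase_provider)`, so it appears to be an `Arc` and the second clone could be `Some(Arc::clone(&passphrase_provider))`, or the local could go if only the context needs it (its later use is outside the hunk). Separately, `build_auths_context` now appears to wire up the registry and identity storage as well as the keychain (provision.rs in this patch pulls `registry` and `identity_storage` from it); if that performs repository I/O or hook installation, an `auths auth` invocation that previously only opened one identity and one key now has wider side effects, which is worth confirming and noting in a comment at the call. The function's tail is outside the hunk.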
@@ -289,20 +290,11 @@ fn handle_interactive_flow(ctx: &crate::config::CliConfig) -> Result<()> { /// Handle device revocation using the real revocation code path. fn handle_revoke_device( cmd: RevokeDeviceCommand, - now: chrono::DateTime, + _now: chrono::DateTime, ctx: &crate::config::CliConfig, ) -> Result<()> { - use auths_sdk::attestation::AttestationSink; - use auths_sdk::attestation::create_signed_revocation; - use auths_sdk::identity::ManagedIdentity; - use auths_sdk::keychain::{KeyAlias, get_platform_keychain}; - use auths_sdk::ports::AttestationSource; - use auths_sdk::ports::IdentityStorage; - use auths_sdk::signing::StorageSigner; - use auths_sdk::storage::{RegistryAttestationStorage, RegistryIdentityStorage}; + use auths_sdk::keychain::KeyAlias; use auths_sdk::storage_layout::layout; - use auths_verifier::Ed25519PublicKey; - use auths_verifier::types::DeviceDID; let out = Output::new(); 
@@ -360,59 +352,24 @@ fn handle_revoke_device( } } - // Resolve repository and load identity let repo_path = layout::resolve_repo_path(cmd.repo)?; - - let identity_storage = RegistryIdentityStorage::new(repo_path.clone()); - let managed_identity: ManagedIdentity = identity_storage - .load_identity() - .with_context(|| format!("Failed to load identity from repo {:?}", repo_path))?; - - let controller_did = managed_identity.controller_did; - let rid = managed_identity.storage_id; - - #[allow(clippy::disallowed_methods)] // INVARIANT: device_did from managed identity storage - let device_did_obj = DeviceDID::new_unchecked(device_did.clone()); - - // Look up the device's public key from existing attestations - let attestation_storage = RegistryAttestationStorage::new(repo_path.clone()); - let existing_attestations = attestation_storage - .load_attestations_for_device(&device_did_obj) - .with_context(|| format!("Failed to load attestations for device {}", device_did_obj))?; - let device_public_key = existing_attestations - .iter() - .find(|a| !a.device_public_key.is_zero()) - .map(|a| a.device_public_key) - .unwrap_or_else(|| Ed25519PublicKey::from_bytes([0u8; 32])); - - let secure_signer = StorageSigner::new(get_platform_keychain()?); - - let revocation_timestamp = now; + let auths_ctx = crate::factories::storage::build_auths_context( + &repo_path, + &ctx.env_config, + Some(Arc::clone(&ctx.passphrase_provider)), + )?; + let identity_key_alias = KeyAlias::new_unchecked(identity_key_alias); out.print_info("Creating signed revocation attestation..."); - let identity_key_alias = KeyAlias::new_unchecked(identity_key_alias); - let revocation_attestation = create_signed_revocation( - &rid, - &controller_did, - &device_did_obj, - device_public_key.as_bytes(), - cmd.note, - None, - revocation_timestamp, - &secure_signer, - ctx.passphrase_provider.as_ref(), + auths_sdk::domains::device::service::revoke_device( + &device_did, &identity_key_alias, + &auths_ctx, + cmd.note, + 
&auths_sdk::ports::SystemClock, ) - .map_err(anyhow::Error::from) - .context("Failed to create revocation attestation")?; - - out.print_info("Saving revocation to Git repository..."); - let attestation_storage = RegistryAttestationStorage::new(repo_path); - attestation_storage - .export( - &auths_verifier::VerifiedAttestation::dangerous_from_unchecked(revocation_attestation), - ) - .context("Failed to save revocation attestation to Git repository")?; + .map_err(anyhow::Error::new) + .context("Failed to revoke device")?; out.print_success(&format!("Device {} has been revoked", device_did)); out.newline(); @@ -424,12 +381,12 @@ fn handle_revoke_device( /// Handle emergency key rotation using the real rotation code path. fn handle_rotate_now( cmd: RotateNowCommand, - now: chrono::DateTime, + _now: chrono::DateTime, ctx: &crate::config::CliConfig, ) -> Result<()> { - use auths_sdk::identity::rotate_keri_identity; - use auths_sdk::keychain::{KeyAlias, get_platform_keychain}; - use auths_sdk::storage_layout::{StorageLayoutConfig, layout}; + use auths_sdk::domains::identity::types::IdentityRotationConfig; + use auths_sdk::keychain::KeyAlias; + use auths_sdk::storage_layout::layout; let out = Output::new(); 
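Review bot: The caller-supplied timestamp is no longer used in `handle_revoke_device`: `now` became `_now` in the signature (previous hunk) and `revoke_device` is handed `&auths_sdk::ports::SystemClock`, so the revocation attestation is stamped with wall-clock time at the call rather than the value the caller computed, and the injection point that would let a test pin the timestamp is gone. Either drop the parameter from the signature and the call site (outside the hunk), or keep injection by passing a clock built from `now` — if the SDK exposes no fixed clock, a CLI-side `struct FixedClock(chrono::DateTime<…>)` implementing the SDK's clock trait would do. Removing the old fallback `Ed25519PublicKey::from_bytes([0u8; 32])`, which produced a revocation carrying an all-zero device key when no attestation was found, is an improvement, but what the new path does when no attestation exists for `device_did` is not visible here and deserves a comment on the call (e.g. `// revoke_device fails if no attestation is known for the device — TODO confirm`). `KeyAlias::new_unchecked(identity_key_alias)` is also kept even though auth.rs in this patch validates aliases with `KeyAlias::new`.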
@@ -491,30 +448,30 @@ fn handle_rotate_now( } } - // Resolve repository let repo_path = layout::resolve_repo_path(cmd.repo)?; - let config = StorageLayoutConfig::default(); - - let keychain = get_platform_keychain()?; + let rotation_config = IdentityRotationConfig { + repo_path: repo_path.clone(), + identity_key_alias: Some(KeyAlias::new_unchecked(current_alias)), + next_key_alias: Some(KeyAlias::new_unchecked(next_alias)), + }; + let auths_ctx = crate::factories::storage::build_auths_context( + &repo_path, + &ctx.env_config, + Some(Arc::clone(&ctx.passphrase_provider)), + )?; out.print_info("Rotating key..."); - let current_alias = KeyAlias::new_unchecked(current_alias); - let next_alias = KeyAlias::new_unchecked(next_alias); - let rotation_info = rotate_keri_identity( - &repo_path, - ¤t_alias, - &next_alias, - ctx.passphrase_provider.as_ref(), - &config, - keychain.as_ref(), - None, - now, + let rotation_result = auths_sdk::domains::identity::rotation::rotate_identity( + rotation_config, + &auths_ctx, + &auths_sdk::ports::SystemClock, ) + .map_err(anyhow::Error::new) .context("Key rotation failed")?; out.print_success(&format!( "Key rotation complete (new sequence: {})", - rotation_info.sequence + rotation_result.sequence )); out.newline(); out.println("Next steps:"); diff --git a/crates/auths-cli/src/commands/namespace.rs b/crates/auths-cli/src/commands/namespace.rs index baeba648..e6fce844 100644 --- a/crates/auths-cli/src/commands/namespace.rs +++ b/crates/auths-cli/src/commands/namespace.rs 
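Review bot: `current_alias` and `next_alias` are wrapped with `KeyAlias::new_unchecked` before any validation, while `handle_auth_challenge` in this same patch goes through `KeyAlias::new(&key_alias_str).map_err(|e| anyhow!("Invalid key alias: {e}"))?`. Where these aliases are user input — the code that produces them is above the hunk, and in an interactive emergency flow that seems likely — the unchecked constructor turns an invalid alias into a keychain-lookup failure (or worse, a lookup of an unintended alias) instead of a clear validation error; I would write `identity_key_alias: Some(KeyAlias::new(&current_alias).map_err(|e| anyhow::anyhow!("Invalid key alias: {e}"))?),` and the same for `next_key_alias`. The ignored `_now` here has the same consequence as in `handle_revoke_device`: the rotation event is timestamped by `SystemClock` instead of the injected value.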
@@ -5,15 +5,14 @@ use clap::{Parser, Subcommand}; use crate::commands::executable::ExecutableCommand; use crate::config::CliConfig; +use crate::factories::storage::build_auths_context; use auths_crypto::AuthsErrorInfo; use auths_infra_http::resolve_verified_platform_context; use auths_sdk::domains::identity::registration::DEFAULT_REGISTRY_URL; -use auths_sdk::keychain::{KeyAlias, get_platform_keychain}; +use auths_sdk::keychain::KeyAlias; use auths_sdk::namespace_registry::NamespaceVerifierRegistry; -use auths_sdk::ports::IdentityStorage; use auths_sdk::ports::{Ecosystem, PackageName}; use auths_sdk::signing::StorageSigner; -use auths_sdk::storage::RegistryIdentityStorage; use auths_sdk::storage_layout::layout; use auths_sdk::workflows::namespace::{ DelegateNamespaceCommand, TransferNamespaceCommand, initiate_namespace_claim, @@ -147,10 +146,19 @@ fn resolve_registry_url(registry_url: Option) -> String { fn load_identity_and_alias( ctx: &CliConfig, key: Option, -) -> Result<(auths_verifier::types::IdentityDID, KeyAlias)> { +) -> Result<( + auths_verifier::types::IdentityDID, + KeyAlias, + auths_sdk::context::AuthsContext, +)> { let repo_path = layout::resolve_repo_path(ctx.repo_path.clone())?; - let identity_storage = RegistryIdentityStorage::new(repo_path); - let managed_identity = identity_storage + let auths_ctx = build_auths_context( + &repo_path, + &ctx.env_config, + Some(ctx.passphrase_provider.clone()), + )?; + let managed_identity = auths_ctx + .identity_storage .load_identity() .context("Failed to load identity. Run `auths init` first.")?; @@ -173,7 +181,7 @@ fn load_identity_and_alias( }); let key_alias = KeyAlias::new_unchecked(alias_str); - Ok((controller_did, key_alias)) + Ok((controller_did, key_alias, auths_ctx)) } fn post_signed_entry(registry_url: &str, body: serde_json::Value) -> Result { 
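Review bot: `load_identity_and_alias` now builds and returns the whole `AuthsContext` alongside the DID and alias, but neither its name nor a doc comment says that every namespace subcommand now constructs the full storage context (registry, identity storage, keychain) in order to obtain a signer, and the three-tuple forces call sites to destructure positionally. I would add a doc comment along the lines of `/// Resolves the repo, builds the AuthsContext and loads the controller DID plus the signing-key alias; the context is returned so callers sign through the same key storage the identity was loaded from.` and consider a small named struct in place of the tuple. Also, `key: Option<String>` is a user-supplied value and ends in `KeyAlias::new_unchecked(alias_str)` (the fallback branch is visible just above, the `key` handling is not), which skips the validation that `KeyAlias::new` performs in auth.rs in this same patch.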
@@ -213,8 +221,8 @@ pub fn handle_namespace(cmd: NamespaceCommand, ctx: &CliConfig) -> Result<()> { key, } => { let registry_url = resolve_registry_url(registry_url); - let (controller_did, key_alias) = load_identity_and_alias(ctx, key)?; - let signer = StorageSigner::new(get_platform_keychain()?); + let (controller_did, key_alias, auths_ctx) = load_identity_and_alias(ctx, key)?; + let signer = StorageSigner::new(std::sync::Arc::clone(&auths_ctx.key_storage)); let passphrase_provider = ctx.passphrase_provider.clone(); let eco = Ecosystem::parse(&ecosystem).context("Failed to parse ecosystem")?; @@ -369,8 +377,8 @@ pub fn handle_namespace(cmd: NamespaceCommand, ctx: &CliConfig) -> Result<()> { key, } => { let registry_url = resolve_registry_url(registry_url); - let (controller_did, key_alias) = load_identity_and_alias(ctx, key)?; - let signer = StorageSigner::new(get_platform_keychain()?); + let (controller_did, key_alias, auths_ctx) = load_identity_and_alias(ctx, key)?; + let signer = StorageSigner::new(std::sync::Arc::clone(&auths_ctx.key_storage)); let passphrase_provider = ctx.passphrase_provider.clone(); println!( @@ -412,8 +420,8 @@ pub fn handle_namespace(cmd: NamespaceCommand, ctx: &CliConfig) -> Result<()> { key, } => { let registry_url = resolve_registry_url(registry_url); - let (controller_did, key_alias) = load_identity_and_alias(ctx, key)?; - let signer = StorageSigner::new(get_platform_keychain()?); + let (controller_did, key_alias, auths_ctx) = load_identity_and_alias(ctx, key)?; + let signer = StorageSigner::new(std::sync::Arc::clone(&auths_ctx.key_storage)); let passphrase_provider = ctx.passphrase_provider.clone(); println!( diff --git a/crates/auths-cli/src/commands/provision.rs b/crates/auths-cli/src/commands/provision.rs index 50f1fd4b..6fa0aa47 100644 --- a/crates/auths-cli/src/commands/provision.rs +++ b/crates/auths-cli/src/commands/provision.rs 
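Review bot: The same two lines — `let signer = StorageSigner::new(std::sync::Arc::clone(&auths_ctx.key_storage));` and `let passphrase_provider = ctx.passphrase_provider.clone();` — now appear in three subcommand arms, and the passphrase provider is re-cloned from `ctx` even though `auths_ctx` was built with that same provider. Since `load_identity_and_alias` already owns the context, it could hand back the `StorageSigner` itself, or a helper such as `fn signer_for(ctx: &AuthsContext) -> StorageSigner` could build it once, which removes the duplication and keeps it obvious that signing uses the key storage the identity was loaded from. Importing `Arc` at the top of the file would also avoid spelling `std::sync::Arc` inline three times.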
@@ -4,13 +4,10 @@ //! to match. Secrets are handled via environment variable overrides layered //! automatically by the `config` crate, never passed as CLI arguments. +use crate::factories::storage::build_auths_context; use crate::ux::format::Output; use anyhow::{Context, Result, anyhow}; -use auths_sdk::keychain::get_platform_keychain; -use auths_sdk::ports::IdentityStorage; -use auths_sdk::ports::RegistryBackend; use auths_sdk::signing::PassphraseProvider; -use auths_sdk::storage::{GitRegistryBackend, RegistryConfig, RegistryIdentityStorage}; use auths_sdk::storage_layout::install_linearity_hook; use auths_sdk::workflows::provision::{IdentityConfig, NodeConfig, enforce_identity_state}; use clap::Parser; @@ -78,21 +75,19 @@ pub fn handle_provision( out.print_info("Initializing identity..."); let repo_path = Path::new(&config.identity.repo_path); - let registry: Arc = Arc::new( - GitRegistryBackend::from_config_unchecked(RegistryConfig::single_tenant(repo_path)), - ); - let identity_storage: Arc = - Arc::new(RegistryIdentityStorage::new(repo_path.to_path_buf())); - let keychain = - get_platform_keychain().map_err(|e| anyhow!("Failed to access keychain: {}", e))?; + let auths_ctx = build_auths_context( + repo_path, + &Default::default(), + Some(passphrase_provider.clone()), + )?; match enforce_identity_state( &config, cmd.force, passphrase_provider.as_ref(), - keychain.as_ref(), - registry, - identity_storage, + auths_ctx.key_storage.as_ref(), + Arc::clone(&auths_ctx.registry), + Arc::clone(&auths_ctx.identity_storage), ) .map_err(anyhow::Error::from)? {
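Review bot: `build_auths_context(repo_path, &Default::default(), …)` hides which configuration type is being defaulted and why, while every other call site in this patch passes the CLI's `&ctx.env_config`; provisioning is the headless path where the module header says secrets arrive as environment overrides layered by the `config` crate, so a defaulted env config may silently select a different keychain backend than the interactive commands do. I would bind it to a named local with the reason, e.g. `let env_config = Default::default(); // no CliConfig in provisioning; env overrides are layered by the config crate, not read here`, or thread the real config through `handle_provision`. The old code also built the registry explicitly as `RegistryConfig::single_tenant(repo_path)`; whether `build_auths_context` preserves that single-tenant layout is not visible here and deserves a test or a comment on the call. With `get_platform_keychain` gone, the `anyhow!` import kept in the first hunk may now be unused; `handle_provision` starts before this hunk.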