auths-dev · bordumb · Apr 6, 2026 · Apr 6, 2026 · Apr 6, 2026
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -21,6 +21,13 @@ repos:
       # ── Fast gates (commit) ──────────────────────────────────────────────
       # These run on every `git commit`. They should take < 3 seconds incrementally.
 
+      - id: check-sdk-boundary
+        name: SDK boundary check (CLI must not import core/id/storage)
+        entry: bash scripts/check_sdk_boundary.sh
+        language: system
+        files: crates/auths-cli/src/.*\.rs$
+        pass_filenames: false
+
       - id: cargo-fmt
         name: cargo fmt
         entry: cargo fmt --all

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/auths-cli/Cargo.toml b/crates/auths-cli/Cargo.toml
@@ -33,13 +33,10 @@ anyhow = "1"
 hex = "0.4.3"
 gethostname = "1.1.0"
 glob.workspace = true
-auths-core = { workspace = true, features = ["witness-server"] }
-auths-id = { workspace = true, features = ["witness-client", "indexed-storage"] }
-auths-storage = { workspace = true, features = ["backend-git"] }
 auths-policy.workspace = true
 auths-index.workspace = true
 auths-crypto.workspace = true
-auths-sdk.workspace = true
+auths-sdk = { workspace = true, features = ["backend-git", "witness-server", "witness-client", "indexed-storage"] }
 auths-transparency = { workspace = true, features = ["native"] }
 auths-pairing-protocol.workspace = true
 auths-telemetry = { workspace = true, features = ["sink-http"] }

diff --git a/crates/auths-cli/src/adapters/agent.rs b/crates/auths-cli/src/adapters/agent.rs
@@ -5,9 +5,9 @@
 //! with `sign_with_seed()`.
 
 #[cfg(unix)]
-use auths_core::agent::{AgentStatus, add_identity, agent_sign, check_agent_status};
+use auths_sdk::agent_core::{AgentStatus, add_identity, agent_sign, check_agent_status};
 #[cfg(unix)]
-use auths_core::crypto::ssh::{construct_sshsig_pem, construct_sshsig_signed_data};
+use auths_sdk::crypto::{construct_sshsig_pem, construct_sshsig_signed_data};
 use auths_sdk::ports::agent::{AgentSigningError, AgentSigningPort};
 
 #[cfg(unix)]

diff --git a/crates/auths-cli/src/adapters/config_store.rs b/crates/auths-cli/src/adapters/config_store.rs
@@ -2,7 +2,7 @@
 
 use std::path::Path;
 
-use auths_core::ports::config_store::{ConfigStore, ConfigStoreError};
+use auths_sdk::ports::{ConfigStore, ConfigStoreError};
 
 /// Reads and writes config files from the local filesystem.
 pub struct FileConfigStore;

diff --git a/crates/auths-cli/src/adapters/doctor_fixes.rs b/crates/auths-cli/src/adapters/doctor_fixes.rs
@@ -3,8 +3,8 @@
 use std::path::PathBuf;
 
 use auths_sdk::ports::diagnostics::{CheckResult, DiagnosticError, DiagnosticFix};
+use auths_sdk::storage::RegistryAttestationStorage;
 use auths_sdk::workflows::allowed_signers::AllowedSigners;
-use auths_storage::git::RegistryAttestationStorage;
 
 /// Regenerates the allowed_signers file from attestation storage.
 ///

diff --git a/crates/auths-cli/src/adapters/ssh_agent.rs b/crates/auths-cli/src/adapters/ssh_agent.rs
@@ -1,6 +1,6 @@
 //! CLI adapter for system SSH agent key registration via `ssh-add`.
 
-use auths_core::ports::ssh_agent::{SshAgentError, SshAgentPort};
+use auths_sdk::ports::{SshAgentError, SshAgentPort};
 use std::path::Path;
 use std::process::Command;
 

diff --git a/crates/auths-cli/src/bin/sign.rs b/crates/auths-cli/src/bin/sign.rs
@@ -32,10 +32,10 @@ use clap::Parser;
 use auths_cli::adapters::config_store::FileConfigStore;
 use auths_cli::core::pubkey_cache::get_cached_pubkey;
 use auths_cli::factories::build_agent_provider;
-use auths_core::config::{EnvironmentConfig, load_config};
-use auths_core::signing::{KeychainPassphraseProvider, PassphraseProvider};
-use auths_core::storage::keychain::get_platform_keychain;
-use auths_core::storage::passphrase_cache::{get_passphrase_cache, parse_duration_str};
+use auths_sdk::core_config::{EnvironmentConfig, load_config};
+use auths_sdk::keychain::get_platform_keychain;
+use auths_sdk::keychain::{get_passphrase_cache, parse_duration_str};
+use auths_sdk::signing::{KeychainPassphraseProvider, PassphraseProvider};
 use auths_sdk::workflows::signing::{
     CommitSigningContext, CommitSigningParams, CommitSigningWorkflow,
 };
@@ -133,7 +133,9 @@ fn build_signing_context(alias: &str) -> Result<CommitSigningContext> {
 
     let passphrase_provider: Arc<dyn PassphraseProvider + Send + Sync> =
         if let Some(passphrase) = env_config.keychain.passphrase.clone() {
-            Arc::new(auths_core::PrefilledPassphraseProvider::new(&passphrase))
+            Arc::new(auths_sdk::signing::PrefilledPassphraseProvider::new(
+                &passphrase,
+            ))
         } else {
             let config = load_config(&FileConfigStore);
             let cache = get_passphrase_cache(config.passphrase.biometric);
@@ -277,7 +279,7 @@ fn run_sign(args: &Args) -> Result<()> {
 
     let pubkey = get_cached_pubkey(&alias).ok().flatten().unwrap_or_default();
 
-    let repo_path = auths_id::storage::layout::resolve_repo_path(None).ok();
+    let repo_path = auths_sdk::storage_layout::resolve_repo_path(None).ok();
 
     let ctx = build_signing_context(&alias)?;
     let mut params = CommitSigningParams::new(&alias, namespace, data).with_pubkey(pubkey);
@@ -300,8 +302,8 @@ fn run_sign(args: &Args) -> Result<()> {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use auths_core::crypto::ssh::construct_sshsig_signed_data;
     use auths_crypto::Pkcs8Der;
+    use auths_sdk::crypto::construct_sshsig_signed_data;
 
     #[test]
     fn test_args_accepts_o_flag() {
@@ -411,7 +413,7 @@ mod tests {
 
     #[test]
     fn test_sshsig_format() {
-        use auths_core::crypto::ssh::SecureSeed;
+        use auths_sdk::crypto::SecureSeed;
 
         let seed = SecureSeed::new([
             0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e,
@@ -420,7 +422,7 @@ mod tests {
         ]);
 
         let data = b"test data to sign";
-        let result = auths_core::crypto::ssh::create_sshsig(&seed, data, "git");
+        let result = auths_sdk::crypto::create_sshsig(&seed, data, "git");
 
         assert!(result.is_ok(), "SSHSIG creation failed: {:?}", result.err());
 
@@ -431,7 +433,7 @@ mod tests {
 
     #[test]
     fn test_encode_ssh_pubkey() {
-        use auths_core::crypto::ssh::encode_ssh_pubkey;
+        use auths_sdk::crypto::encode_ssh_pubkey;
 
         let pubkey = [0x42u8; 32];
         let blob = encode_ssh_pubkey(&pubkey);
@@ -471,7 +473,7 @@ mod tests {
 
     #[test]
     fn test_extract_seed_from_pkcs8_ring_generated_key() {
-        use auths_core::crypto::ssh::extract_seed_from_pkcs8;
+        use auths_sdk::crypto::extract_seed_from_pkcs8;
         use ring::rand::SystemRandom;
         use ring::signature::{Ed25519KeyPair, KeyPair};
 
@@ -502,7 +504,7 @@ mod tests {
 
     #[test]
     fn test_extract_seed_from_pkcs8_rejects_invalid_input() {
-        use auths_core::crypto::ssh::extract_seed_from_pkcs8;
+        use auths_sdk::crypto::extract_seed_from_pkcs8;
 
         let bad_input = Pkcs8Der::new(vec![0u8; 50]);
         let result = extract_seed_from_pkcs8(&bad_input);

diff --git a/crates/auths-cli/src/commands/agent/mod.rs b/crates/auths-cli/src/commands/agent/mod.rs
@@ -216,7 +216,7 @@ fn parse_timeout(s: &str) -> Result<std::time::Duration> {
 }
 
 fn get_auths_dir() -> Result<PathBuf> {
-    auths_core::paths::auths_home().map_err(|e| anyhow!(e))
+    auths_sdk::paths::auths_home().map_err(|e| anyhow!(e))
 }
 
 /// Get the default socket path.
@@ -286,7 +286,7 @@ fn run_agent_foreground(
     env_path: &std::path::Path,
     timeout: std::time::Duration,
 ) -> Result<()> {
-    use auths_core::AgentHandle;
+    use auths_sdk::agent_core::AgentHandle;
     use std::sync::Arc;
 
     let pid = std::process::id();
@@ -323,7 +323,7 @@ fn run_agent_foreground(
 
     let rt = tokio::runtime::Runtime::new().context("Failed to create tokio runtime")?;
     let result = rt.block_on(async {
-        auths_core::api::start_agent_listener_with_handle(handle.clone()).await
+        auths_sdk::agent_core::start_agent_listener_with_handle(handle.clone()).await
     });
 
     cleanup_stale_files(&[pid_path, env_path, socket]);
@@ -511,7 +511,7 @@ fn lock_agent() -> Result<()> {
     }
 
     let socket_path = get_default_socket_path()?;
-    auths_core::agent::remove_all_identities(&socket_path)
+    auths_sdk::agent_core::remove_all_identities(&socket_path)
         .map_err(|e| anyhow!("Failed to lock agent: {}", e))?;
 
     eprintln!("Agent locked — all keys removed from memory.");
@@ -539,21 +539,19 @@ fn unlock_agent(key_alias: &str) -> Result<()> {
 
     let socket_path = get_default_socket_path()?;
 
-    let keychain = auths_core::storage::keychain::get_platform_keychain()
+    let keychain = auths_sdk::keychain::get_platform_keychain()
         .map_err(|e| anyhow!("Failed to get platform keychain: {}", e))?;
     let (_identity_did, _role, encrypted_data) = keychain
-        .load_key(&auths_core::storage::keychain::KeyAlias::new_unchecked(
-            key_alias,
-        ))
+        .load_key(&auths_sdk::keychain::KeyAlias::new_unchecked(key_alias))
         .map_err(|e| anyhow!("Failed to load key '{}': {}", key_alias, e))?;
 
     let passphrase = rpassword::prompt_password(format!("Passphrase for '{}': ", key_alias))
         .context("Failed to read passphrase")?;
 
-    let key_bytes = auths_core::crypto::signer::decrypt_keypair(&encrypted_data, &passphrase)
+    let key_bytes = auths_sdk::crypto::decrypt_keypair(&encrypted_data, &passphrase)
         .map_err(|e| anyhow!("Failed to decrypt key '{}': {}", key_alias, e))?;
 
-    auths_core::agent::add_identity(&socket_path, &key_bytes)
+    auths_sdk::agent_core::add_identity(&socket_path, &key_bytes)
         .map_err(|e| anyhow!("Failed to add key to agent: {}", e))?;
 
     eprintln!("Agent unlocked — key '{}' loaded.", key_alias);

diff --git a/crates/auths-cli/src/commands/artifact/batch_sign.rs b/crates/auths-cli/src/commands/artifact/batch_sign.rs
@@ -4,8 +4,8 @@ use anyhow::{Context, Result};
 use std::path::PathBuf;
 use std::sync::Arc;
 
-use auths_core::config::EnvironmentConfig;
-use auths_core::signing::PassphraseProvider;
+use auths_sdk::core_config::EnvironmentConfig;
+use auths_sdk::signing::PassphraseProvider;
 use auths_sdk::workflows::ci::batch_attest::{
     BatchEntry, BatchEntryResult, BatchSignConfig, batch_sign_artifacts, default_attestation_path,
 };
@@ -43,7 +43,7 @@ pub fn handle_batch_sign(
     passphrase_provider: Arc<dyn PassphraseProvider + Send + Sync>,
     env_config: &EnvironmentConfig,
 ) -> Result<()> {
-    let repo_path = auths_id::storage::layout::resolve_repo_path(repo_opt)?;
+    let repo_path = auths_sdk::storage_layout::resolve_repo_path(repo_opt)?;
     let ctx = build_auths_context(&repo_path, env_config, Some(passphrase_provider))?;
 
     let paths = expand_glob(pattern)?;

diff --git a/crates/auths-cli/src/commands/artifact/mod.rs b/crates/auths-cli/src/commands/artifact/mod.rs
@@ -10,8 +10,8 @@ use std::path::{Path, PathBuf};
 use std::sync::Arc;
 
 use anyhow::{Result, bail};
-use auths_core::config::EnvironmentConfig;
-use auths_core::signing::PassphraseProvider;
+use auths_sdk::core_config::EnvironmentConfig;
+use auths_sdk::signing::PassphraseProvider;
 use auths_sdk::signing::validate_commit_sha;
 
 #[derive(Args, Debug, Clone)]

diff --git a/crates/auths-cli/src/commands/artifact/sign.rs b/crates/auths-cli/src/commands/artifact/sign.rs
@@ -2,12 +2,12 @@ use anyhow::{Context, Result};
 use std::path::{Path, PathBuf};
 use std::sync::Arc;
 
-use auths_core::config::EnvironmentConfig;
-use auths_core::signing::PassphraseProvider;
-use auths_core::storage::keychain::KeyAlias;
+use auths_sdk::core_config::EnvironmentConfig;
 use auths_sdk::domains::signing::service::{
     ArtifactSigningParams, SigningKeyMaterial, sign_artifact,
 };
+use auths_sdk::keychain::KeyAlias;
+use auths_sdk::signing::PassphraseProvider;
 
 use super::file::FileArtifact;
 use crate::factories::storage::build_auths_context;
@@ -26,7 +26,7 @@ pub fn handle_sign(
     passphrase_provider: Arc<dyn PassphraseProvider + Send + Sync>,
     env_config: &EnvironmentConfig,
 ) -> Result<()> {
-    let repo_path = auths_id::storage::layout::resolve_repo_path(repo_opt)?;
+    let repo_path = auths_sdk::storage_layout::resolve_repo_path(repo_opt)?;
 
     let ctx = build_auths_context(&repo_path, env_config, Some(passphrase_provider))?;
 

diff --git a/crates/auths-cli/src/commands/auth.rs b/crates/auths-cli/src/commands/auth.rs
@@ -1,15 +1,15 @@
 use anyhow::{Context, Result, anyhow};
 use clap::{Parser, Subcommand};
 
-use auths_core::crypto::provider_bridge;
-use auths_core::crypto::signer::decrypt_keypair;
-use auths_core::crypto::ssh::extract_seed_from_pkcs8;
-use auths_core::storage::keychain::{KeyStorage, get_platform_keychain_with_config};
 use auths_crypto::Pkcs8Der;
-use auths_id::storage::identity::IdentityStorage;
-use auths_id::storage::layout;
+use auths_sdk::crypto::decrypt_keypair;
+use auths_sdk::crypto::extract_seed_from_pkcs8;
+use auths_sdk::crypto::provider_bridge;
+use auths_sdk::keychain::KeyStorage;
+use auths_sdk::storage_layout::layout;
+
+use crate::factories::storage::build_auths_context;
 use auths_sdk::workflows::auth::sign_auth_challenge;
-use auths_storage::git::RegistryIdentityStorage;
 
 use crate::commands::executable::ExecutableCommand;
 use crate::config::CliConfig;
@@ -59,20 +59,25 @@ fn handle_auth_challenge(nonce: &str, domain: &str, ctx: &CliConfig) -> Result<(
     let repo_path = layout::resolve_repo_path(ctx.repo_path.clone())?;
     let passphrase_provider = ctx.passphrase_provider.clone();
 
-    let identity_storage = RegistryIdentityStorage::new(repo_path.clone());
-    let managed = identity_storage
+    let auths_ctx = build_auths_context(
+        &repo_path,
+        &ctx.env_config,
+        Some(ctx.passphrase_provider.clone()),
+    )?;
+    let managed = auths_ctx
+        .identity_storage
         .load_identity()
         .context("No identity found. Run `auths init` first.")?;
 
     let controller_did = &managed.controller_did;
 
     let key_alias_str =
         super::key_detect::auto_detect_device_key(ctx.repo_path.as_deref(), &ctx.env_config)?;
-    let key_alias = auths_core::storage::keychain::KeyAlias::new(&key_alias_str)
+    let key_alias = auths_sdk::keychain::KeyAlias::new(&key_alias_str)
         .map_err(|e| anyhow!("Invalid key alias: {e}"))?;
 
-    let keychain = get_platform_keychain_with_config(&ctx.env_config)?;
-    let (_stored_did, _role, encrypted_key) = keychain
+    let (_stored_did, _role, encrypted_key) = auths_ctx
+        .key_storage
         .load_key(&key_alias)
         .with_context(|| format!("Failed to load key '{}'", key_alias_str))?;
 

diff --git a/crates/auths-cli/src/commands/cache.rs b/crates/auths-cli/src/commands/cache.rs
@@ -5,8 +5,8 @@
 use anyhow::{Context, Result};
 use clap::{Parser, Subcommand};
 
-use auths_core::config::EnvironmentConfig;
-use auths_id::keri::cache;
+use auths_sdk::core_config::EnvironmentConfig;
+use auths_sdk::keri::cache;
 
 #[derive(Parser, Debug, Clone)]
 #[command(about = "Manage local identity history cache")]
@@ -34,7 +34,7 @@ enum CacheSubcommand {
 }
 
 pub fn handle_cache(cmd: CacheCommand, env_config: &EnvironmentConfig) -> Result<()> {
-    let auths_home = auths_core::paths::auths_home_with_config(env_config)
+    let auths_home = auths_sdk::paths::auths_home_with_config(env_config)
         .context("Failed to resolve auths home directory")?;
     match cmd.command {
         CacheSubcommand::List => handle_list(&auths_home),

diff --git a/crates/auths-cli/src/commands/ci/mod.rs b/crates/auths-cli/src/commands/ci/mod.rs
@@ -8,8 +8,8 @@ use anyhow::Result;
 use clap::{Args, Subcommand};
 use std::sync::Arc;
 
-use auths_core::signing::PassphraseProvider;
-use auths_id::storage::layout;
+use auths_sdk::signing::PassphraseProvider;
+use auths_sdk::storage_layout::layout;
 
 use crate::commands::executable::ExecutableCommand;
 use crate::config::CliConfig;