diff --git a/crates/auths-cli/src/commands/artifact/mod.rs b/crates/auths-cli/src/commands/artifact/mod.rs index 296c135a..c13a556c 100644 --- a/crates/auths-cli/src/commands/artifact/mod.rs +++ b/crates/auths-cli/src/commands/artifact/mod.rs @@ -181,16 +181,16 @@ pub enum ArtifactSubcommand { #[arg(long, value_parser)] identity_bundle: Option, - /// Path to witness receipts JSON file. - #[arg(long)] + /// Path to witness signatures JSON file. + #[arg(long = "witness-signatures")] witness_receipts: Option, /// Witness public keys as DID:hex pairs (e.g., "did:key:z6Mk...:abcd1234..."). #[arg(long, num_args = 1..)] witness_keys: Vec, - /// Witness quorum threshold (default: 1). - #[arg(long, default_value = "1")] + /// Number of witnesses required (default: 1). + #[arg(long = "witnesses-required", default_value = "1")] witness_threshold: usize, /// Also verify the source commit's signing attestation. diff --git a/crates/auths-cli/src/commands/cache.rs b/crates/auths-cli/src/commands/cache.rs index 251372a9..c93e3899 100644 --- a/crates/auths-cli/src/commands/cache.rs +++ b/crates/auths-cli/src/commands/cache.rs @@ -9,7 +9,7 @@ use auths_sdk::core_config::EnvironmentConfig; use auths_sdk::keri::cache; #[derive(Parser, Debug, Clone)] -#[command(about = "Manage local identity history cache")] +#[command(about = "Manage cached identity snapshots")] pub struct CacheCommand { #[command(subcommand)] command: CacheSubcommand, 
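Review bot: In `ArtifactSubcommand` the renamed flags `--witness-signatures` and `--witnesses-required` keep no alias for the old spellings, so any script or CI job that still passes `--witness-receipts` or `--witness-threshold` is rejected by the argument parser after upgrading. Other renames in this commit (`--signer`, `--subject`, `--member`) keep the old name as a `visible_alias`. Doing the same here, e.g. `#[arg(long = "witness-signatures", alias = "witness-receipts")]` and `#[arg(long = "witnesses-required", alias = "witness-threshold", default_value = "1")]`, keeps existing verification pipelines working instead of pushing operators to drop the witness options to get builds passing. The same applies to the matching hunks in `verify_attestation.rs`, `unified_verify.rs` and `verify_commit.rs`. The enum body continues outside the hunk.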
@@ -47,15 +47,15 @@ fn handle_list(auths_home: &std::path::Path) -> Result<()> { let entries = cache::list_cached_entries(auths_home)?; if entries.is_empty() { - println!("No cached identity states found."); + println!("No cached snapshots found."); return Ok(()); } - println!("Cached identity states:\n"); + println!("Cached identity snapshots:\n"); for entry in entries { println!(" Identity ID: {}", entry.did); println!(" Sequence: {}", entry.sequence); - println!(" Validated against: {}", entry.validated_against_tip_said); + println!(" Verified against: {}", entry.validated_against_tip_said); println!(" Commit OID: {}", entry.last_commit_oid); println!(" Cached at: {}", entry.cached_at); println!(" File: {}", entry.path.display()); @@ -73,15 +73,17 @@ fn handle_inspect(auths_home: &std::path::Path, did: &str) -> Result<()> { println!("Identity ID: {}", cached.did); println!("Sequence: {}", cached.sequence); println!( - "Validated against tip: {}", + "Verified against log entry: {}", cached.validated_against_tip_said ); println!("Last commit OID: {}", cached.last_commit_oid); println!("Cached at: {}", cached.cached_at); println!("\nKey State:"); - println!(" Prefix: {}", cached.state.prefix); println!(" Current keys: {:?}", cached.state.current_keys); - println!(" Next commitment: {:?}", cached.state.next_commitment); + println!( + " Pre-committed rotation key: {:?}", + cached.state.next_commitment + ); println!(" Is abandoned: {}", cached.state.is_abandoned); println!( "\nCache file: {}", diff --git a/crates/auths-cli/src/commands/ci/rotate.rs b/crates/auths-cli/src/commands/ci/rotate.rs index 1a996c93..80ae4f11 100644 --- a/crates/auths-cli/src/commands/ci/rotate.rs +++ b/crates/auths-cli/src/commands/ci/rotate.rs @@ -189,7 +189,7 @@ pub fn run_rotate( super::setup::humanize_duration(max_age_secs) ); println!( - "To revoke: auths device revoke --device-did {} --key {}", + "To revoke: auths device revoke --device {} --key {}", device_did, identity_key_alias ); 
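Review bot: In `handle_inspect` the new label `Pre-committed rotation key` is printed for `cached.state.next_commitment`, which by its name looks like a commitment to the next key (presumably a digest) rather than the key itself. Calling it a key invites a reader to compare it against a public key or treat it as one. A label such as `"  Next-key commitment: {:?}",` stays readable without misstating what the value is. The hunk also drops the `Prefix` line, so inspect output no longer shows `cached.state.prefix`; if that is intentional, the commit description should say so. The function body starts and ends outside the hunk.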
diff --git a/crates/auths-cli/src/commands/ci/setup.rs b/crates/auths-cli/src/commands/ci/setup.rs index 4f312776..9011c618 100644 --- a/crates/auths-cli/src/commands/ci/setup.rs +++ b/crates/auths-cli/src/commands/ci/setup.rs @@ -252,7 +252,7 @@ pub fn run_setup( ); println!("To rotate: auths ci rotate"); println!( - "To revoke: auths device revoke --device-did {} --key {}", + "To revoke: auths device revoke --device {} --key {}", device_did, identity_key_alias ); diff --git a/crates/auths-cli/src/commands/device/authorization.rs b/crates/auths-cli/src/commands/device/authorization.rs index da84cc37..c8d04508 100644 --- a/crates/auths-cli/src/commands/device/authorization.rs +++ b/crates/auths-cli/src/commands/device/authorization.rs @@ -38,18 +38,17 @@ struct DeviceEntry { #[derive(Args, Debug, Clone)] #[command( - about = "Manage device authorizations within an identity repository.", + about = "Manage which devices can sign with your identity.", after_help = "Examples: - auths device list # List all linked devices - auths device link --key identity-key --device-key device-key --device-did did:key:... - # Link a new device to your identity - auths device revoke # Revoke a device authorization + auths device list # List authorized devices + auths device link --key identity-key --device-key device-key --device did:key:... + # Authorize a new device + auths device revoke # Revoke a device auths device extend # Extend device expiry Related: - auths pair — Pair a new device with your identity auths status — Show device status and expiry - auths init — Set up identity and linking" + auths init — Set up identity and signing" )] pub struct DeviceCommand { #[command(subcommand)] 
@@ -74,19 +73,19 @@ pub enum DeviceSubcommand { /// Authorize a new device to act on behalf of the identity. #[command(visible_alias = "add")] Link { - #[arg(long, help = "Local alias of the *identity's* key (used for signing).")] + #[arg(long, help = "Your identity's key name.")] key: String, #[arg( long, - help = "Local alias of the *new device's* key (must be imported first)." + help = "The new device's key name (import first with: auths key import)." )] device_key: String, #[arg( long, visible_alias = "device", - help = "Identity ID of the new device being authorized (must match --device-key)." + help = "The device's ID (must match --device-key)." )] device_did: String, @@ -128,17 +127,10 @@ pub enum DeviceSubcommand { /// Revoke an existing device authorization using the identity key. Revoke { - #[arg( - long, - visible_alias = "device", - help = "Identity ID of the device authorization to revoke." - )] + #[arg(long, visible_alias = "device", help = "The device's ID to revoke.")] device_did: String, - #[arg( - long, - help = "Local alias of the *identity's* key (required to authorize revocation)." - )] + #[arg(long, help = "Your identity's key name.")] key: String, #[arg(long, help = "Optional note explaining the revocation.")] @@ -148,12 +140,12 @@ pub enum DeviceSubcommand { dry_run: bool, }, - /// Resolve a device DID to its controller identity DID. + /// Resolve a device to its owner identity. Resolve { #[arg( long, visible_alias = "device", - help = "The device DID to resolve (e.g. did:key:z6Mk...)." + help = "The device ID to resolve (e.g. did:key:z6Mk...)." )] device_did: String, }, 
@@ -167,11 +159,7 @@ pub enum DeviceSubcommand { /// Extend the expiration date of an existing device authorization. Extend { - #[arg( - long, - visible_alias = "device", - help = "Identity ID of the device authorization to extend." - )] + #[arg(long, visible_alias = "device", help = "The device's ID to extend.")] device_did: String, /// Duration in seconds until expiration (per RFC 6749). @@ -182,16 +170,10 @@ pub enum DeviceSubcommand { )] expires_in: u64, - #[arg( - long, - help = "Local alias of the *identity's* key (required for re-signing)." - )] + #[arg(long, help = "Your identity's key name.")] key: String, - #[arg( - long, - help = "Local alias of the *device's* key (required for re-signing)." - )] + #[arg(long, help = "The device's key name.")] device_key: String, }, } @@ -331,11 +313,11 @@ pub fn handle_device( fn display_link_result( result: &auths_sdk::result::DeviceLinkResult, - device_did: &str, + _device_did: &str, ) -> Result<()> { println!( - "\n✅ Successfully linked device {} (attestation: {})", - device_did, result.attestation_id + "\n✅ Device authorized. (Attestation: {})", + result.attestation_id ); Ok(()) } @@ -577,7 +559,7 @@ fn list_devices( .map_err(anyhow::Error::from); } - println!("Devices for identity: {}", identity.controller_did); + println!("Authorized devices for: {}", identity.controller_did); if entries.is_empty() { if include_revoked { println!(" No authorized devices found."); diff --git a/crates/auths-cli/src/commands/device/pair/common.rs b/crates/auths-cli/src/commands/device/pair/common.rs index a0e7937c..ae0d83b6 100644 --- a/crates/auths-cli/src/commands/device/pair/common.rs +++ b/crates/auths-cli/src/commands/device/pair/common.rs 
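Review bot: `display_link_result` no longer reports which device was authorized: the parameter becomes `_device_did` and the success line prints only the attestation id. For an action that grants signing authority, echoing the device ID lets the operator confirm that the intended device was linked and leaves a usable record in terminal logs. Consider keeping the parameter name and printing `"\n✅ Device authorized: {} (attestation: {})", device_did, result.attestation_id`.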
@@ -323,7 +323,7 @@ pub(crate) fn handle_pairing_response( println!(" You can manually link this device using:"); println!( " {}", - style(format!("auths device link --device-did {} ...", device_did)).dim() + style(format!("auths device link --device {} ...", device_did)).dim() ); save_device_info(now, auths_dir, &response)?; } diff --git a/crates/auths-cli/src/commands/device/pair/online.rs b/crates/auths-cli/src/commands/device/pair/online.rs index b32bad83..75d87a16 100644 --- a/crates/auths-cli/src/commands/device/pair/online.rs +++ b/crates/auths-cli/src/commands/device/pair/online.rs @@ -142,7 +142,7 @@ pub(crate) async fn handle_initiate_online( println!(" You can manually link this device using:"); println!( " {}", - style(format!("auths device link --device-did {} ...", device_did)).dim() + style(format!("auths device link --device {} ...", device_did)).dim() ); } } diff --git a/crates/auths-cli/src/commands/device/verify_attestation.rs b/crates/auths-cli/src/commands/device/verify_attestation.rs index 7c99d23a..abbef960 100644 --- a/crates/auths-cli/src/commands/device/verify_attestation.rs +++ b/crates/auths-cli/src/commands/device/verify_attestation.rs 
@@ -32,18 +32,18 @@ pub struct VerifyCommand { #[arg(long, value_parser, required = true)] pub attestation: String, - /// Issuer public key in hex format (64 hex chars = 32 bytes). + /// Signer public key in hex format (64 hex chars = 32 bytes). /// /// If provided, bypasses trust resolution and uses this key directly. - /// Takes precedence over --issuer-did and trust policy. - #[arg(long = "issuer-pk", value_parser)] + /// Takes precedence over --signer and trust policy. + #[arg(long = "signer-key", value_parser)] pub issuer_pk: Option, - /// Issuer identity ID for trust-based key resolution. + /// Signer identity ID for trust-based key resolution. /// /// Looks up the public key from pinned identity store or roots.json. /// Uses --trust policy to determine behavior for unknown identities. - #[arg(long = "issuer-did", visible_alias = "issuer", value_parser)] + #[arg(long = "signer", visible_alias = "issuer-did", value_parser)] pub issuer_did: Option, /// Trust policy for unknown identities. @@ -68,12 +68,12 @@ pub struct VerifyCommand { #[arg(long = "require-capability")] pub require_capability: Option, - /// Path to witness receipts JSON file. - #[arg(long)] + /// Path to witness signatures JSON file. + #[arg(long = "witness-signatures")] pub witness_receipts: Option, - /// Witness quorum threshold (default: 1). - #[arg(long, default_value = "1")] + /// Number of witnesses required (default: 1). + #[arg(long = "witnesses-required", default_value = "1")] pub witness_threshold: usize, /// Witness public keys as DID:hex pairs (e.g., "did:key:z6Mk...:abcd1234..."). @@ -243,7 +243,7 @@ fn resolve_issuer_key( // The attestation itself doesn't contain the issuer's public key directly, // so we need it from --issuer-pk or the user needs to provide it anyhow::bail!( - "Unknown identity '{}'. Provide --issuer-pk to trust on first use, \ + "Unknown identity '{}'. Provide --signer-key to trust on first use, \ or add to .auths/roots.json for explicit trust.", did ); 
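Review bot: In `VerifyCommand`, `--issuer-pk` becomes `--signer-key` with no alias, and the former `--issuer` alias of `--issuer-did` is dropped (only `issuer-did` survives as a `visible_alias` of `--signer`), so existing invocations using `--issuer-pk` or `--issuer` stop parsing. Hidden aliases would keep them working: `#[arg(long = "signer-key", alias = "issuer-pk", value_parser)]` and an added `alias = "issuer"` on `issuer_did`. Because the new flag name reads as routine, the first doc line of `issuer_pk` should also state that no trust policy is applied when it is given; today that is only in the second paragraph. `unified_verify.rs` carries the same rename.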
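Review bot: The context comment directly above the changed `bail!` in `resolve_issuer_key` still names `--issuer-pk`, while the message now tells the user to pass `--signer-key`; update it to `// so we need it from --signer-key or the user needs to provide it`. The message also says the flag will "trust on first use", whereas the flag's own help says it bypasses trust resolution. Whether the supplied key is pinned for later runs is not visible from this hunk, so the wording should be checked against what the code does. The function continues outside the hunk, and the second message in the following hunk uses the same flag name.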
@@ -254,7 +254,7 @@ fn resolve_issuer_key( Options:\n \ 1. Add to .auths/roots.json in the repository\n \ 2. Pin manually: auths trust pin --did {} --key \n \ - 3. Provide --issuer-pk to bypass trust resolution", + 3. Provide --signer-key to bypass trust resolution", did, did ); diff --git a/crates/auths-cli/src/commands/emergency.rs b/crates/auths-cli/src/commands/emergency.rs index 7fe7095f..4d347149 100644 --- a/crates/auths-cli/src/commands/emergency.rs +++ b/crates/auths-cli/src/commands/emergency.rs @@ -47,7 +47,7 @@ pub enum EmergencySubcommand { /// Revoke a compromised device. #[derive(Parser, Debug, Clone)] pub struct RevokeDeviceCommand { - /// Device DID to revoke. + /// Device ID to revoke. #[arg(long)] pub device: Option, @@ -306,7 +306,7 @@ fn handle_revoke_device( did } else if std::io::stdin().is_terminal() { Input::new() - .with_prompt("Enter device DID to revoke") + .with_prompt("Enter device ID to revoke") .interact_text()? } else { return Err(anyhow!("--device is required in non-interactive mode")); @@ -426,7 +426,7 @@ fn handle_rotate_now( out.print_info("Dry run mode - no changes will be made"); out.newline(); out.println("Would perform the following actions:"); - out.println(" 1. Generate new Ed25519 keypair"); + out.println(" 1. Generate new signing key"); out.println(" 2. Create rotation event in identity log"); out.println(" 3. Update key alias mappings"); return Ok(()); diff --git a/crates/auths-cli/src/commands/id/identity.rs b/crates/auths-cli/src/commands/id/identity.rs index a6ee5492..4e8d094a 100644 --- a/crates/auths-cli/src/commands/id/identity.rs +++ b/crates/auths-cli/src/commands/id/identity.rs @@ -12,7 +12,7 @@ use auths_sdk::{ keychain::{KeyAlias, get_platform_keychain}, signing::PassphraseProvider, }; -use auths_verifier::{IdentityBundle, IdentityDID, Prefix}; +use auths_verifier::{IdentityBundle, IdentityDID}; use clap::ValueEnum; use crate::commands::registry_overrides::RegistryOverrides; 
@@ -61,7 +61,7 @@ impl LayoutPreset { #[derive(Parser, Debug, Clone)] #[command( - about = "Manage identities stored in Git repositories.", + about = "Manage your signing identity.", after_help = "Examples: auths id show # Show current identity details auths id list # List identities (same as show) @@ -83,7 +83,7 @@ pub struct IdCommand { #[derive(Subcommand, Debug, Clone)] pub enum IdSubcommand { - /// Create a new cryptographic identity with secure key storage. + /// Create a new signing identity. #[command(name = "create")] Create { /// Path to JSON file with arbitrary identity metadata. @@ -94,11 +94,8 @@ pub enum IdSubcommand { )] metadata_file: PathBuf, - /// Alias for storing the NEWLY generated private key in the secure keychain. - #[arg( - long, - help = "Alias for storing the NEWLY generated private key in the secure keychain." - )] + /// Name for the new signing key in secure storage. + #[arg(long, help = "Name for the new signing key in secure storage.")] local_key_alias: String, /// Storage layout preset for ecosystem compatibility. 
@@ -121,42 +118,42 @@ pub enum IdSubcommand { /// Rotate identity keys. Stores the new key under a new alias. Rotate { - /// Alias of the identity key to rotate. If provided alone, next-key-alias defaults to -rotated-. - #[arg(long, help = "Alias of the identity key to rotate.")] + /// Name of the key to rotate. Defaults to the next rotation key automatically. + #[arg(long, help = "Name of the key to rotate.")] alias: Option, - /// Alias of the CURRENT private key controlling the identity (alternative to --alias). + /// Current signing key name (alternative to --alias). #[arg( long, - help = "Alias of the CURRENT private key controlling the identity.", + help = "Current signing key name (alternative to --alias).", conflicts_with = "alias" )] current_key_alias: Option, - /// Alias to store the NEWLY generated private key under. - #[arg(long, help = "Alias to store the NEWLY generated private key under.")] + /// Name for the new signing key after rotation. + #[arg(long, help = "Name for the new signing key after rotation.")] next_key_alias: Option, - /// Verification server prefix to add (e.g., B...). Can be specified multiple times. + /// Add a witness server address (repeatable). #[arg( long, action = ArgAction::Append, - help = "Verification server prefix to add (e.g., B...). Can be specified multiple times." + help = "Add a witness server address (repeatable)." )] add_witness: Vec, - /// Verification server prefix to remove (e.g., B...). Can be specified multiple times. + /// Remove a witness server address (repeatable). #[arg( long, action = ArgAction::Append, - help = "Verification server prefix to remove (e.g., B...). Can be specified multiple times." + help = "Remove a witness server address (repeatable)." )] remove_witness: Vec, - /// New simple verification threshold count (e.g., 1 for 1-of-N). If omitted, the existing simple count is reused if possible. + /// Number of witnesses required to accept this rotation (e.g., 1). 
#[arg( long, - help = "New simple verification threshold count (e.g., 1 for 1-of-N)." + help = "Number of witnesses required to accept this rotation (e.g., 1)." )] witness_threshold: Option, @@ -233,9 +230,9 @@ fn display_dry_run_rotate( "current_key_alias": current_alias, "next_key_alias": next_alias, "actions": [ - "Generate new Ed25519 keypair", - "Create rotation event in KERI event log", - "Update key alias mappings", + "Generate new signing key", + "Record rotation in identity log", + "Update key name mappings", "All devices will need to re-authorize" ] }), @@ -248,16 +245,16 @@ fn display_dry_run_rotate( out.newline(); out.println(&format!(" Repository: {:?}", repo_path)); if let Some(alias) = current_alias { - out.println(&format!(" Current Key Alias: {}", alias)); + out.println(&format!(" Current key name: {}", alias)); } if let Some(alias) = next_alias { - out.println(&format!(" New Key Alias: {}", alias)); + out.println(&format!(" New key name: {}", alias)); } out.newline(); out.println("Would perform the following actions:"); - out.println(" 1. Generate new Ed25519 keypair"); - out.println(" 2. Create rotation event in KERI event log"); - out.println(" 3. Update key alias mappings"); + out.println(" 1. Generate new signing key"); + out.println(" 2. Record rotation in identity log"); + out.println(" 3. Update key name mappings"); out.println(" 4. All devices will need to re-authorize"); Ok(()) } 
@@ -321,12 +318,10 @@ pub fn handle_id( let metadata_file_path = metadata_file; // --- Common Setup: Repo Init Check & Metadata Loading --- - println!("🔐 Creating new cryptographic identity..."); + println!("🔐 Creating identity..."); println!(" Repository path: {:?}", repo_path); - println!(" Local Key Alias: {}", local_key_alias); + println!(" Key name: {}", local_key_alias); println!(" Metadata File: {:?}", metadata_file_path); - println!(" Using Identity Ref: '{}'", config.identity_ref); - println!(" Using Identity Blob: '{}'", config.identity_blob_name); // Ensure Git Repository Exists and is Initialized use crate::factories::storage::{ensure_git_repo, open_git_repo}; @@ -393,7 +388,6 @@ pub fn handle_id( println!(" Metadata loaded successfully from file."); // --- Always Use KERI Initialization Logic --- - println!(" Initializing using did:keri method (default)..."); // Call the initialize_registry_identity function from auths_id let _metadata_value = metadata_value; // metadata stored separately if needed 
@@ -410,38 +404,23 @@ pub fn handle_id( None, ) { Ok((controller_did_keri, alias)) => { - println!("\n✅ Identity (did:keri) initialized successfully!"); + println!("\n✅ Identity created."); println!( " Repository: {:?}", repo_path .canonicalize() .unwrap_or_else(|_| repo_path.clone()) ); - println!(" Controller DID: {}", controller_did_keri); + println!(" Identity: {}", controller_did_keri); println!( - " Local Key Alias: {} (Use this for local signing/rotations)", + " Key name: {} (use this for signing and rotations)", alias ); - let did_prefix = controller_did_keri - .as_str() - .strip_prefix("did:keri:") - .unwrap_or(""); - if !did_prefix.is_empty() { - println!( - " KEL Ref Used: '{}'", - layout::keri_kel_ref(&Prefix::new_unchecked(did_prefix.to_string())) - ); - } - println!(" Identity Ref Used: '{}'", config.identity_ref); - println!( - " Identity Blob Used: '{}'", - layout::identity_blob_name(&config) - ); println!(" Metadata stored from: {:?}", metadata_file_path); println!("🔑 Keep your passphrase secure!"); Ok(()) } - Err(e) => Err(e).context("Failed to initialize KERI identity"), + Err(e) => Err(e).context("Failed to create identity"), } } @@ -468,14 +447,9 @@ pub fn handle_id( ); response.print()?; } else { - println!("Showing identity details..."); - println!(" Using Repository: {:?}", repo_path); - println!(" Using Identity Ref: '{}'", config.identity_ref); - println!(" Using Identity Blob: '{}'", config.identity_blob_name); - - println!("Controller DID: {}", identity.controller_did); - println!("Storage ID (RID): {}", identity.storage_id); - println!("Metadata (raw JSON, interpretation depends on convention):"); + println!("Identity: {}", identity.controller_did); + println!("Storage ID: {}", identity.storage_id); + println!("Metadata:"); if let Some(meta) = &identity.metadata { println!( "{}", 
@@ -510,22 +484,22 @@ pub fn handle_id( ); } - println!("🔄 Rotating KERI identity keys..."); + println!("🔄 Rotating keys..."); println!(" Using Repository: {:?}", repo_path); if let Some(ref a) = identity_key_alias { - println!(" Current Key Alias: {}", a); + println!(" Current key name: {}", a); } if let Some(ref a) = next_key_alias { - println!(" New Key Alias: {}", a); + println!(" New key name: {}", a); } if !add_witness.is_empty() { - println!(" Witnesses to Add: {:?}", add_witness); + println!(" Adding witnesses: {:?}", add_witness); } if !remove_witness.is_empty() { - println!(" Witnesses to Remove: {:?}", remove_witness); + println!(" Removing witnesses: {:?}", remove_witness); } if let Some(thresh) = witness_threshold { - println!(" New Witness Threshold: {}", thresh); + println!(" Witnesses required: {}", thresh); } let rotation_config = auths_sdk::types::IdentityRotationConfig { @@ -572,17 +546,17 @@ pub fn handle_id( &rotation_ctx, &auths_sdk::ports::SystemClock, ) - .with_context(|| "Failed to rotate KERI identity keys")?; + .with_context(|| "Failed to rotate keys")?; - println!("\n✅ KERI identity keys rotated successfully!"); - println!(" Identity DID: {}", result.controller_did); + println!("\n✅ Keys rotated."); + println!(" Identity: {}", result.controller_did); println!( " Old key fingerprint: {}...", result.previous_key_fingerprint ); println!(" New key fingerprint: {}...", result.new_key_fingerprint); println!( - "⚠️ The previous key alias is no longer the active signing key for this identity." + "⚠️ Your old key name is no longer active. Update any scripts that reference it." ); log::info!( @@ -601,7 +575,7 @@ pub fn handle_id( } => { println!("📦 Exporting identity bundle..."); println!(" Using Repository: {:?}", repo_path); - println!(" Key Alias: {}", alias); + println!(" Key name: {}", alias); println!(" Output File: {:?}", output_file); // Load identity 
diff --git a/crates/auths-cli/src/commands/init/display.rs b/crates/auths-cli/src/commands/init/display.rs index 09090578..ee7017e4 100644 --- a/crates/auths-cli/src/commands/init/display.rs +++ b/crates/auths-cli/src/commands/init/display.rs @@ -15,7 +15,7 @@ pub(crate) fn display_developer_result( } out.newline(); out.println(&format!(" Identity: {}", out.info(&result.identity_did))); - out.println(&format!(" Key alias: {}", out.info(&result.key_alias))); + out.println(&format!(" Key name: {}", out.info(&result.key_alias))); if let Some(registry) = registered { out.println(&format!(" Registry: {}", out.info(registry))); let did_prefix = result diff --git a/crates/auths-cli/src/commands/init/mod.rs b/crates/auths-cli/src/commands/init/mod.rs index 9561a466..3f4e7b83 100644 --- a/crates/auths-cli/src/commands/init/mod.rs +++ b/crates/auths-cli/src/commands/init/mod.rs @@ -49,9 +49,9 @@ const DEFAULT_KEY_ALIAS: &str = "main"; pub enum InitProfile { /// Full local development setup with keychain, identity, device linking, and git signing Developer, - /// Ephemeral identity for CI/CD pipelines + /// Temporary signing identity for CI/CD pipelines Ci, - /// Scoped identity for AI agents with capability restrictions + /// Restricted signing identity for AI agents Agent, } 
@@ -80,16 +80,16 @@ impl std::fmt::Display for InitProfile { #[derive(Args, Debug, Clone)] #[command( name = "init", - about = "Set up your cryptographic identity and Git signing", + about = "Create your signing identity and configure Git", after_help = "Examples: auths init # Interactive setup wizard auths init --profile developer # Developer profile with prompts auths init --profile ci --non-interactive # Automated CI setup Profiles: - developer — Full development environment: local keys, device linking, Git signing - ci — Ephemeral identity for CI/CD pipelines with environment variables - agent — Scoped identity for AI agents with capability restrictions + developer — Local setup: keychain, Git signing, platform identity + ci — Temporary signing identity for CI/CD runners + agent — Restricted signing identity for AI agents Related: auths status — Check setup completion @@ -237,13 +237,16 @@ fn run_developer_setup( _ => unreachable!(), }; - out.print_success(&format!("Identity ready: {}", &result.identity_did)); - out.print_success(&format!("Device linked: {}", result.device_did.as_str())); + out.print_success(&format!("Identity created: {}", &result.identity_did)); + out.print_success(&format!( + "This device authorized: {}", + result.device_did.as_str() + )); // PLATFORM VERIFICATION guide.section("Platform Verification"); let proof_url = if interactive && cmd.register { - out.print_info("Claim your Developer Passport"); + out.print_info("Link your GitHub account"); out.newline(); match prompt_platform_verification( out, @@ -252,7 +255,7 @@ fn run_developer_setup( now, )? { Some((url, _username)) => { - out.print_success(&format!("Proof anchored: {}", url)); + out.print_success(&format!("GitHub identity linked: {}", url)); Some(url) } None => { diff --git a/crates/auths-cli/src/commands/init/prompts.rs b/crates/auths-cli/src/commands/init/prompts.rs index 8c776925..58a51cb0 100644 --- a/crates/auths-cli/src/commands/init/prompts.rs 
+++ b/crates/auths-cli/src/commands/init/prompts.rs @@ -22,9 +22,9 @@ pub(crate) fn prompt_profile(out: &Output) -> Result { out.newline(); let items = [ - "Developer - Full local setup with keychain and git signing", - "CI - Ephemeral identity for CI/CD pipelines", - "Agent - Scoped identity for AI agents", + "Developer — Local setup: keychain, Git signing, platform identity", + "CI — Temporary signing identity for CI/CD runners", + "Agent — Restricted signing identity for AI agents", ]; let selection = Select::new() @@ -43,7 +43,7 @@ pub(crate) fn prompt_profile(out: &Output) -> Result { pub(crate) fn prompt_for_alias(interactive: bool, cmd: &InitCommand) -> Result { if interactive { Ok(Input::new() - .with_prompt("Key alias") + .with_prompt("Key name") .default(cmd.key_alias.clone()) .interact_text()?) } else { @@ -122,13 +122,13 @@ pub(crate) fn prompt_platform_verification( now: chrono::DateTime, ) -> Result> { let items = [ - "GitHub — link your GitHub identity (recommended)", + "GitHub — link your GitHub account (recommended)", "GitLab — coming soon", "Anonymous — skip platform verification", ]; let selection = Select::new() - .with_prompt("Claim your Developer Passport") + .with_prompt("Link your GitHub account") .items(items) .default(0) .interact()?; @@ -232,7 +232,10 @@ fn run_github_verification( .block_on(publisher.publish_proof(&access_token, &claim_json)) .map_err(|e| anyhow::anyhow!("{e}"))?; - out.print_success(&format!("Published proof Gist: {}", out.info(&proof_url))); + out.print_success(&format!( + "GitHub identity verified: {}", + out.info(&proof_url) + )); // Try to upload SSH signing key to GitHub (non-fatal if it fails) #[allow(clippy::disallowed_methods)] diff --git a/crates/auths-cli/src/commands/key.rs b/crates/auths-cli/src/commands/key.rs index a235289e..eb6af641 100644 --- a/crates/auths-cli/src/commands/key.rs +++ b/crates/auths-cli/src/commands/key.rs 
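Review bot: In `prompt_platform_verification` the select prompt now reads `Link your GitHub account`, but the items still offer GitLab and an Anonymous skip, so the prompt no longer matches the choices. A neutral prompt such as `.with_prompt("Link a platform account (optional)")` fits all three items. `run_developer_setup` in `init/mod.rs` prints the same GitHub-specific line before this prompt is shown.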
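Review bot: In `run_github_verification` the success line changes from `Published proof Gist` to `GitHub identity verified`, which no longer tells the user that a Gist was created on their account. This step writes to a third-party account with the user's access token, so the message should still say what was published, e.g. `"GitHub identity verified (proof Gist published): {}",`. `run_developer_setup` then prints `GitHub identity linked:` with what appears to be the same URL, so the user sees two near-identical lines. The function continues outside the hunk.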
@@ -17,7 +17,7 @@ use crate::ux::format::{JsonResponse, is_json_mode}; #[derive(Parser, Debug, Clone)] #[command( name = "key", - about = "Manage local cryptographic keys in secure storage (list, import, export, delete).", + about = "Manage signing keys stored on this device.", after_help = "Examples: auths key list # List all stored key aliases auths key import --key-alias mykey --seed seed.bin @@ -96,10 +96,10 @@ pub enum KeySubcommand { )] seed_file: PathBuf, - /// Controller DID (e.g., did:key:...) to associate with the imported key. + /// Your identity to associate with this key (e.g., did:keri:E...). #[arg( long, - help = "Controller DID (e.g., did:key:...) to associate with the imported key." + help = "Your identity to associate with this key (e.g., did:keri:E...)." )] controller_did: String, }, diff --git a/crates/auths-cli/src/commands/learn.rs b/crates/auths-cli/src/commands/learn.rs index 952b71ac..d80013b4 100644 --- a/crates/auths-cli/src/commands/learn.rs +++ b/crates/auths-cli/src/commands/learn.rs @@ -520,7 +520,10 @@ fn section_revoking_access() -> Result<()> { println!(); println!(" To revoke a device:"); println!(); - println!(" {}", "$ auths device revoke ".cyan()); + println!( + " {}", + "$ auths device revoke --device ".cyan() + ); println!(); println!(" This creates a revocation record that:"); println!(); diff --git a/crates/auths-cli/src/commands/org.rs b/crates/auths-cli/src/commands/org.rs index af73fc74..ac59f559 100644 --- a/crates/auths-cli/src/commands/org.rs +++ b/crates/auths-cli/src/commands/org.rs @@ -93,7 +93,7 @@ pub enum OrgSubcommand { metadata_file: Option, }, Attest { - #[arg(long = "subject-did", visible_alias = "subject")] + #[arg(long = "subject", visible_alias = "subject-did")] subject_did: String, #[arg(long)] payload_file: PathBuf, 
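Review bot: In `section_revoking_access` (`learn.rs`) the tutorial command shows only `--device`, but the `Revoke` variant in `device/authorization.rs` declares `key: String` with no default, so the command as printed would be rejected for a missing `--key`. The revoke hints in `ci/rotate.rs` and `ci/setup.rs` print both flags. Showing `$ auths device revoke --device <device-id> --key <key-name>` here (placeholder names are illustrative) keeps the revocation walkthrough runnable at the moment a user most needs it to work.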
@@ -105,7 +105,7 @@ pub enum OrgSubcommand { key: Option, }, Revoke { - #[arg(long = "subject-did", visible_alias = "subject")] + #[arg(long = "subject", visible_alias = "subject-did")] subject_did: String, #[arg(long)] note: Option, @@ -113,7 +113,7 @@ pub enum OrgSubcommand { key: Option, }, Show { - #[arg(long = "subject-did", visible_alias = "subject")] + #[arg(long = "subject", visible_alias = "subject-did")] subject_did: String, #[arg(long, action = ArgAction::SetTrue)] include_revoked: bool, @@ -129,7 +129,7 @@ pub enum OrgSubcommand { org: String, /// Member identity ID to add - #[arg(long = "member-did", visible_alias = "member")] + #[arg(long = "member", visible_alias = "member-did")] member_did: String, /// Role to assign (admin, member, readonly) @@ -156,7 +156,7 @@ pub enum OrgSubcommand { org: String, /// Member identity ID to revoke - #[arg(long = "member-did", visible_alias = "member")] + #[arg(long = "member", visible_alias = "member-did")] member_did: String, /// Reason for revocation diff --git a/crates/auths-cli/src/commands/provision.rs b/crates/auths-cli/src/commands/provision.rs index 6fa0aa47..0a94dbda 100644 --- a/crates/auths-cli/src/commands/provision.rs +++ b/crates/auths-cli/src/commands/provision.rs @@ -99,11 +99,11 @@ pub fn handle_provision( out.print_success("Identity provisioned successfully."); out.println(&format!( " {}", - out.key_value("Controller DID", &result.controller_did) + out.key_value("Identity", &result.controller_did) )); out.println(&format!( " {}", - out.key_value("Key alias", &result.key_alias) + out.key_value("Key name", &result.key_alias) )); } } diff --git a/crates/auths-cli/src/commands/trust.rs b/crates/auths-cli/src/commands/trust.rs index ca1302a5..fa691c50 100644 --- a/crates/auths-cli/src/commands/trust.rs +++ b/crates/auths-cli/src/commands/trust.rs 
@@ -14,7 +14,7 @@ use serde::Serialize; #[derive(Parser, Debug, Clone)] #[command( name = "trust", - about = "Manage trusted identity roots", + about = "Pin identities you trust for verification", after_help = "Examples: auths trust list # Show all pinned trusted identities auths trust pin --did did:keri:EExample --key 7f8c9d0e1a2b3c4d... @@ -64,7 +64,7 @@ pub struct TrustPinCommand { #[clap(long, required = true)] pub key: String, - /// Optional KEL tip SAID for rotation tracking. + /// Identity log checkpoint for tracking key changes (optional, advanced). #[clap(long)] pub kel_tip: Option, @@ -295,10 +295,10 @@ fn handle_show(cmd: TrustShowCommand) -> Result<()> { )); out.println(&format!("Origin: {}", pin.origin)); if let Some(ref tip) = pin.kel_tip_said { - out.println(&format!("KEL Tip: {}", tip)); + out.println(&format!("Log checkpoint: {}", tip)); } if let Some(seq) = pin.kel_sequence { - out.println(&format!("KEL Sequence: {}", seq)); + out.println(&format!("Log sequence: {}", seq)); } } diff --git a/crates/auths-cli/src/commands/unified_verify.rs b/crates/auths-cli/src/commands/unified_verify.rs index b5641a47..ee6cbb3d 100644 --- a/crates/auths-cli/src/commands/unified_verify.rs +++ b/crates/auths-cli/src/commands/unified_verify.rs 
@@ -104,20 +104,20 @@ pub struct UnifiedVerifyCommand {
 #[arg(long, value_parser)]
 pub identity_bundle: Option,
- /// Issuer public key in hex format (attestation verification).
- #[arg(long = "issuer-pk")]
+ /// Signer public key in hex format (attestation verification).
+ #[arg(long = "signer-key")]
 pub issuer_pk: Option,
- /// Issuer identity ID for attestation trust-based key resolution.
- #[arg(long = "issuer-did", visible_alias = "issuer")]
+ /// Signer identity ID for attestation trust-based key resolution.
+ #[arg(long = "signer", visible_alias = "issuer-did")]
 pub issuer_did: Option,
- /// Path to witness receipts JSON file.
- #[arg(long)]
+ /// Path to witness signatures JSON file.
+ #[arg(long = "witness-signatures")]
 pub witness_receipts: Option,
- /// Witness quorum threshold.
- #[arg(long, default_value = "1")]
+ /// Number of witnesses required.
+ #[arg(long = "witnesses-required", default_value = "1")]
 pub witness_threshold: usize,
 /// Witness public keys as DID:hex pairs.
diff --git a/crates/auths-cli/src/commands/verify_commit.rs b/crates/auths-cli/src/commands/verify_commit.rs
index 764a15b3..56276d9d 100644
--- a/crates/auths-cli/src/commands/verify_commit.rs
+++ b/crates/auths-cli/src/commands/verify_commit.rs
@@ -37,12 +37,12 @@ pub struct VerifyCommitCommand {
 #[arg(long, value_parser, help = "Path to identity bundle JSON (for CI)")]
 pub identity_bundle: Option,
- /// Path to witness receipts JSON file.
- #[arg(long)]
+ /// Path to witness signatures JSON file.
+ #[arg(long = "witness-signatures")]
 pub witness_receipts: Option,
- /// Witness quorum threshold (default: 1).
- #[arg(long, default_value = "1")]
+ /// Number of witnesses required (default: 1).
+ #[arg(long = "witnesses-required", default_value = "1")]
 pub witness_threshold: usize,
 /// Witness public keys as DID:hex pairs (e.g., "did:key:z6Mk...:abcd1234...").
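Review bot: Most of the renamed verification flags lose their old spelling with no fallback. In `UnifiedVerifyCommand`, `--issuer-pk`, `--witness-receipts`, `--witness-threshold` and the former `--issuer` alias no longer parse, and only `--issuer-did` survives as a visible alias; the `VerifyCommitCommand` hunk that follows drops the two witness flags the same way. Existing CI verification steps that still pass the old names will presumably end in a usage error rather than a verification verdict, so pipelines that only treat the "invalid" exit status as a failure should be re-checked. Hidden aliases for a deprecation period would avoid this, e.g. `#[arg(long = "signer-key", alias = "issuer-pk")]` and `#[arg(long = "witnesses-required", alias = "witness-threshold", default_value = "1")]`. Both struct bodies continue outside the hunks.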
diff --git a/crates/auths-cli/src/commands/witness.rs b/crates/auths-cli/src/commands/witness.rs
index 6fb32655..90be35a0 100644
--- a/crates/auths-cli/src/commands/witness.rs
+++ b/crates/auths-cli/src/commands/witness.rs
@@ -12,7 +12,7 @@ use auths_sdk::storage::RegistryIdentityStorage;
 use auths_sdk::witness::WitnessConfig;
 use auths_sdk::witness::{WitnessServerConfig, WitnessServerState, run_server};
-/// Manage the KERI witness server.
+/// Manage identity witness servers.
 #[derive(Parser, Debug, Clone)]
 pub struct WitnessCommand {
 #[command(subcommand)]
@@ -33,7 +33,7 @@ pub enum WitnessSubcommand {
 #[clap(long, default_value = "witness.db")]
 db_path: PathBuf,
- /// Witness DID (auto-generated if not provided).
+ /// Witness server identity (auto-generated if not provided).
 #[clap(long, visible_alias = "witness")]
 witness_did: Option,
 },
@@ -90,7 +90,7 @@ pub fn handle_witness(cmd: WitnessCommand, repo_opt: Option) -> Result<
 };
 println!(
- "Witness server starting on {} (DID: {})",
+ "Witness server started at {} (identity: {})",
 bind,
 state.witness_did()
 );
@@ -120,7 +120,7 @@ pub fn handle_witness(cmd: WitnessCommand, repo_opt: Option) -> Result<
 save_witness_config(&repo_path, &config)?;
 println!("Added witness: {}", url);
 println!(
- " Total witnesses: {}, threshold: {}",
+ " Witnesses: {}, required: {}",
 config.witness_urls.len(),
 config.threshold
 );
@@ -146,7 +146,7 @@ pub fn handle_witness(cmd: WitnessCommand, repo_opt: Option) -> Result<
 save_witness_config(&repo_path, &config)?;
 println!("Removed witness: {}", url);
 println!(
- " Remaining witnesses: {}, threshold: {}",
+ " Remaining witnesses: {}, required: {}",
 config.witness_urls.len(),
 config.threshold
 );
@@ -165,7 +165,7 @@ pub fn handle_witness(cmd: WitnessCommand, repo_opt: Option) -> Result<
 println!(" {}. {}", i + 1, url);
 }
 println!(
- "\nThreshold: {}/{} (policy: {:?})",
+ "\nRequired: {}/{} (policy: {:?})",
 config.threshold,
 config.witness_urls.len(),
 config.policy
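Review bot: The new message `Witness server started at {} (identity: {})` in the `@@ -90,7` hunk reports the server as already running, but the hunk ends at this `println!` and does not show the call that binds and serves. If that call still comes after this line, as the old "starting on" wording suggests, a failed bind would leave a "started" line in the operator's output. Either keep the tentative form, `"Witness server starting on {} (identity: {})"`, or move the message to after the listener is up. `handle_witness` continues outside the hunk, so the ordering needs confirming there.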
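Review bot: In the `@@ -146,7` hunk the removal summary now prints `Remaining witnesses: {}, required: {}`, and nothing in the visible lines reacts when `config.threshold` is larger than `config.witness_urls.len()`. In that state the required number of witnesses presumably can never be met. A guard may already exist above the hunk, which begins at `save_witness_config`; if it does not, warn before saving, e.g. `if config.threshold > config.witness_urls.len() { eprintln!("warning: required witnesses exceed configured witnesses"); }`. The `Required: {}/{}` listing in the last hunk would benefit from the same check.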
diff --git a/crates/auths-cli/src/errors/registry.rs b/crates/auths-cli/src/errors/registry.rs
index c923e727..e653ff85 100644
--- a/crates/auths-cli/src/errors/registry.rs
+++ b/crates/auths-cli/src/errors/registry.rs
@@ -837,7 +837,7 @@ pub fn explain(code: &str) -> Option<&'static str> {
 "# AUTHS-E5103\n\n**Crate:** `auths-sdk` \n**Type:** `DeviceError::AttestationError`\n\n## Message\n\nattestation error: {0}\n",
 ),
 "AUTHS-E5105" => Some(
- "# AUTHS-E5105\n\n**Crate:** `auths-sdk` \n**Type:** `DeviceError::DeviceDidMismatch`\n\n## Message\n\ndevice DID mismatch: expected {expected}, got {actual}\n\n## Suggestion\n\nCheck that --device-did matches the key alias\n",
+ "# AUTHS-E5105\n\n**Crate:** `auths-sdk` \n**Type:** `DeviceError::DeviceDidMismatch`\n\n## Message\n\ndevice DID mismatch: expected {expected}, got {actual}\n\n## Suggestion\n\nCheck that --device matches the key name\n",
 ),
 // --- auths-sdk (DeviceExtensionError) ---
diff --git a/crates/auths-cli/tests/cases/revocation.rs b/crates/auths-cli/tests/cases/revocation.rs
index c59a2fe2..ba29ae6c 100644
--- a/crates/auths-cli/tests/cases/revocation.rs
+++ b/crates/auths-cli/tests/cases/revocation.rs
@@ -3,7 +3,9 @@ use super::helpers::TestEnv;
 fn extract_device_did(init_output: &[u8]) -> Option {
 let stdout = String::from_utf8_lossy(init_output);
 for line in stdout.lines() {
- if (line.contains("Device linked:") || line.contains("Device:"))
+ if (line.contains("Device linked:")
+ || line.contains("Device:")
+ || line.contains("This device authorized:"))
 && let Some(did) = line.split_whitespace().find(|w| w.starts_with("did:key:"))
 {
 return Some(did.to_string());
diff --git a/crates/auths-cli/tests/cases/verify.rs b/crates/auths-cli/tests/cases/verify.rs
index 0385c718..1d342ac2 100644
--- a/crates/auths-cli/tests/cases/verify.rs
+++ b/crates/auths-cli/tests/cases/verify.rs
@@ -63,7 +63,7 @@ fn test_verify_valid_attestation_returns_exit_code_0() {
 let mut cmd = Command::cargo_bin("auths").unwrap();
 cmd.arg("verify")
 .arg(file.path())
- .arg("--issuer-pk")
+ .arg("--signer-key")
 .arg(&pk_hex);
 cmd.assert().success();
@@ -82,7 +82,7 @@ fn test_verify_invalid_attestation_returns_exit_code_1() {
 let mut cmd = Command::cargo_bin("auths").unwrap();
 cmd.arg("verify")
 .arg(file.path())
- .arg("--issuer-pk")
+ .arg("--signer-key")
 .arg(&wrong_pk_hex);
 cmd.assert().code(1);
@@ -98,7 +98,7 @@ fn test_verify_invalid_json_returns_exit_code_2() {
 let mut cmd = Command::cargo_bin("auths").unwrap();
 cmd.arg("verify")
 .arg(file.path())
- .arg("--issuer-pk")
+ .arg("--signer-key")
 .arg("a".repeat(64));
 cmd.assert().code(2);
@@ -115,7 +115,7 @@ fn test_verify_json_output_valid() {
 let mut cmd = Command::cargo_bin("auths").unwrap();
 cmd.arg("verify")
 .arg(file.path())
- .arg("--issuer-pk")
+ .arg("--signer-key")
 .arg(&pk_hex)
 .arg("--json");
@@ -141,7 +141,7 @@ fn test_verify_json_output_invalid() {
 let mut cmd = Command::cargo_bin("auths").unwrap();
 cmd.arg("verify")
 .arg(file.path())
- .arg("--issuer-pk")
+ .arg("--signer-key")
 .arg(&wrong_pk_hex)
 .arg("--json");
@@ -166,7 +166,7 @@ fn test_verify_stdin_input() {
 let mut cmd = Command::cargo_bin("auths").unwrap();
 cmd.arg("verify")
 .arg("-")
- .arg("--issuer-pk")
+ .arg("--signer-key")
 .arg(&pk_hex)
 .write_stdin(json);
@@ -181,7 +181,7 @@ fn test_verify_help_shows_usage() {
 cmd.assert()
 .success()
 .stdout(predicates::str::contains("attestation"))
- .stdout(predicates::str::contains("issuer-pk"));
+ .stdout(predicates::str::contains("signer-key"));
 }
 #[test]
@@ -285,7 +285,7 @@ fn test_verify_issuer_did_with_pinned_store() {
 let mut cmd = Command::cargo_bin("auths").unwrap();
 cmd.arg("verify")
 .arg(att_file.path())
- .arg("--issuer-pk")
+ .arg("--signer-key")
 .arg(&pk_hex);
 cmd.assert().success();
@@ -300,7 +300,7 @@ fn test_verify_help_shows_unified_options() {
 cmd.assert()
 .success()
- .stdout(predicates::str::contains("--issuer-did"))
- .stdout(predicates::str::contains("--issuer-pk"))
+ .stdout(predicates::str::contains("--signer"))
+ .stdout(predicates::str::contains("--signer-key"))
 .stdout(predicates::str::contains("--allowed-signers"));
 }
diff --git a/crates/auths-core/src/trust/resolve.rs b/crates/auths-core/src/trust/resolve.rs
index 07a48fac..2e07ae0d 100644
--- a/crates/auths-core/src/trust/resolve.rs
+++ b/crates/auths-core/src/trust/resolve.rs
@@ -180,7 +180,7 @@ pub fn resolve_trust(
 Options:\n \
 1. Add to .auths/roots.json in the repository\n \
 2. Pin manually: auths trust pin {} --key {}\n \
- 3. Provide --issuer-pk {} to bypass trust resolution",
+ 3. Provide --signer-key {} to bypass trust resolution",
 did, did, pk_hex, pk_hex
 )))
 }
diff --git a/crates/auths-sdk/src/domains/device/error.rs b/crates/auths-sdk/src/domains/device/error.rs
index 1268d1ad..465e0666 100644
--- a/crates/auths-sdk/src/domains/device/error.rs
+++ b/crates/auths-sdk/src/domains/device/error.rs
@@ -116,7 +116,7 @@ impl AuthsErrorInfo for DeviceError {
 Self::AttestationError(_) => Some(
 "The attestation operation failed; run `auths device list` to check device status",
 ),
- Self::DeviceDidMismatch { .. } => Some("Check that --device-did matches the key alias"),
+ Self::DeviceDidMismatch { .. } => Some("Check that --device matches the key name"),
 Self::CryptoError(e) => e.suggestion(),
 Self::StorageError(e) => e.suggestion(),
 }
diff --git a/docs/contributing/glossary.md b/docs/contributing/glossary.md
index 65807e40..f753c1ed 100644
--- a/docs/contributing/glossary.md
+++ b/docs/contributing/glossary.md
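Review bot: The new assertion `contains("--signer")` in `test_verify_help_shows_unified_options` cannot fail on its own, because the `--signer-key` text checked on the next line already contains that substring. The help test therefore no longer proves that the `--signer` option is listed. Match something only that option renders, for example `contains("--signer <")`, after confirming how the clap version in use prints it. An assertion for the retained `issuer-did` alias would also pin the backward-compatible spelling.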
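Review bot: Option 3 of the `resolve_trust` hint appears to hand the reader the unpinned key itself (`pk_hex`) as a ready-made `--signer-key` argument, so following it verifies against a key that trust resolution has just declined to vouch for. Since the line is being reworded anyway, state the precondition, e.g. `3. Provide --signer-key {} to bypass trust resolution (only after confirming the key out-of-band)`. Option 2 prints `auths trust pin {} --key {}` while the `trust` help example elsewhere in this diff uses `--did`, so one of the two may be stale. The message begins above the hunk, so its earlier wording is not visible here.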
@@ -13,7 +13,7 @@ | **Inception event** | The first event in a KERI Key Event Log. Creates the identity, commits to the initial public key, and pre-commits to the first rotation key via a hash. The inception event's content hash becomes the permanent identity prefix (AID). | | **KEL** | Key Event Log. A hash-linked, append-only sequence of KERI events (inception, rotation, interaction). Stored in Auths as a Git commit chain at `refs/did/keri//kel`. | | **KERI** | Key Event Receipt Infrastructure. A protocol for decentralized key management with pre-rotation, enabling key rotation without changing the identifier. | -| **Key alias** | A human-readable name for a key stored in the platform keychain (e.g., `my-key`, `laptop-key`). Maps to a `SecureSeed` in the OS-native credential store. | +| **Key name** | A human-readable name for a key stored in the platform keychain (e.g., `my-key`, `laptop-key`). Maps to a `SecureSeed` in the OS-native credential store. Also referred to as "key alias" in internal API types. | | **Pre-rotation** | A KERI mechanism where the hash of the next rotation key is committed in the current event. An attacker who compromises the current key cannot rotate the identity because they lack the pre-image of the next-key commitment. | | **Rotation** | Replacing the active signing key while preserving the identity DID. Recorded as a rotation event in the KEL. The new key must match the previously committed next-key hash. | | **SAID** | Self-Addressing Identifier. A content-addressed hash that uniquely identifies a KERI event. Computed over the canonicalized event data. | diff --git a/docs/errors/AUTHS-E5105.md b/docs/errors/AUTHS-E5105.md index a14efa3c..8f64e066 100644 --- a/docs/errors/AUTHS-E5105.md +++ b/docs/errors/AUTHS-E5105.md @@ -9,4 +9,4 @@ device DID mismatch: expected {expected}, got {actual} ## Suggestion -Check that --device-did matches the key alias +Check that --device matches the key name 
diff --git a/docs/getting-started/delegation.md b/docs/getting-started/delegation.md index 0e9dbc50..6bb8ae5a 100644 --- a/docs/getting-started/delegation.md +++ b/docs/getting-started/delegation.md @@ -48,7 +48,7 @@ The human creates a scoped, time-limited attestation granting specific capabilit ```bash auths device link \ - --device-did did:key:z6MkAgentDevice... \ + --device did:key:z6MkAgentDevice... \ --key my-key \ --capabilities "sign:commit,deploy:staging" \ --expires-in 24h diff --git a/docs/getting-started/identity-lifecycle.md b/docs/getting-started/identity-lifecycle.md index 3624540e..5494145f 100644 --- a/docs/getting-started/identity-lifecycle.md +++ b/docs/getting-started/identity-lifecycle.md @@ -121,7 +121,7 @@ After rotation: When a device is compromised or decommissioned, its attestation is revoked. Revocation is a signed event: the identity key signs a new attestation with the `revoked_at` field set. ``` -auths device revoke --device-did --key +auths device revoke --device --key ``` The revoked attestation replaces the original at the same Git ref path. The revocation is anchored in the KEL via an interaction event. After revocation, signatures from that device will fail verification (the verifier checks the `revoked_at` field). diff --git a/docs/getting-started/sharing-your-identity.md b/docs/getting-started/sharing-your-identity.md index 1da26128..ccbe0578 100644 --- a/docs/getting-started/sharing-your-identity.md +++ b/docs/getting-started/sharing-your-identity.md @@ -100,7 +100,7 @@ A human operator issues an attestation granting the CI agent specific capabiliti ```bash auths device link \ - --device-did did:key:z6MkCIRunner... \ + --device did:key:z6MkCIRunner... \ --key my-key \ --capabilities "sign:commit,sign:release" \ --expires-in 7d diff --git a/docs/getting-started/your-first-identity.md b/docs/getting-started/your-first-identity.md index 34b5bfec..4f38290e 100644 --- a/docs/getting-started/your-first-identity.md 
+++ b/docs/getting-started/your-first-identity.md @@ -69,7 +69,7 @@ auths id show ``` ``` -Controller DID: did:keri:EAbcd1234... +Identity: did:keri:EAbcd1234... Storage ID (RID): EAbcd1234 ``` diff --git a/docs/guides/git/verifying-commits.md b/docs/guides/git/verifying-commits.md index 66f2a9af..c7e4d7a2 100644 --- a/docs/guides/git/verifying-commits.md +++ b/docs/guides/git/verifying-commits.md @@ -12,7 +12,7 @@ For commit verification, `auths verify`: 2. Looks up the signer's principal against the `--allowed-signers` file 3. Verifies the signature cryptographically using `ssh-keygen` 4. Optionally verifies the attestation chain (when `--identity-bundle` is provided) -5. Optionally verifies witness receipts (when `--witness-receipts` is provided) +5. Optionally verifies witness signatures (when `--witness-signatures` is provided) ## Verifying a Single Commit @@ -128,12 +128,12 @@ Witnesses provide additional assurance by countersigning attestations. To verify ```bash auths verify HEAD \ --identity-bundle bundle.json \ - --witness-receipts receipts.json \ - --witness-threshold 2 \ + --witness-signatures receipts.json \ + --witnesses-required 2 \ --witness-keys "did:key:z6Mk...:abcd1234..." ``` -The `--witness-threshold` specifies how many witness signatures must be valid. If the quorum is not met, verification fails. +The `--witnesses-required` specifies how many witness signatures must be valid. If the quorum is not met, verification fails. ## CI Integration @@ -229,10 +229,10 @@ The `auths verify` command also verifies attestation JSON files: ```bash # Verify an attestation file -auths verify attestation.json --issuer-pk abcdef1234... +auths verify attestation.json --signer-key abcdef1234... # Verify from stdin -cat attestation.json | auths verify - --issuer-did did:keri:E... +cat attestation.json | auths verify - --signer did:keri:E... ``` ## Verification Library (auths-verifier) 
diff --git a/docs/guides/identity/backup-and-recovery.md b/docs/guides/identity/backup-and-recovery.md index b68f7691..510a45c1 100644 --- a/docs/guides/identity/backup-and-recovery.md +++ b/docs/guides/identity/backup-and-recovery.md @@ -96,7 +96,7 @@ If you have another device linked to the same identity: ```bash auths device revoke \ - --device-did "did:key:z6Mk..." \ + --device "did:key:z6Mk..." \ --key my-key \ --note "Device lost" ``` @@ -129,7 +129,7 @@ If the lost device was your only device but you have a backup of the keychain an auths key import \ --alias my-key \ --seed-file /path/to/backup/seed \ - --controller-did "did:keri:E..." + --identity "did:keri:E..." ``` Or, if you used `copy-backend` to create a file-based keychain backup, set the environment to use it: diff --git a/docs/guides/identity/key-rotation.md b/docs/guides/identity/key-rotation.md index 066e8f63..bf927f01 100644 --- a/docs/guides/identity/key-rotation.md +++ b/docs/guides/identity/key-rotation.md @@ -75,14 +75,14 @@ The `--current-key-alias` flag is equivalent to `--alias` and cannot be combined ```bash auths id rotate --alias my-key \ --add-witness "B" \ - --witness-threshold 1 + --witnesses-required 1 ``` | Flag | Description | |------|-------------| | `--add-witness ` | Add a witness prefix (repeatable) | | `--remove-witness ` | Remove a witness prefix (repeatable) | -| `--witness-threshold ` | New threshold count for witness receipts | +| `--witnesses-required ` | Number of witnesses required to accept this rotation | ## Emergency rotation diff --git a/docs/guides/identity/multi-device.md b/docs/guides/identity/multi-device.md index 797fab20..81d7ad87 100644 --- a/docs/guides/identity/multi-device.md +++ b/docs/guides/identity/multi-device.md 
@@ -117,12 +117,12 @@ Use manual linking when you need full control over key material or cannot run a ### 1. Import the device key on the new device ```bash -CONTROLLER_DID=$(auths id show | grep 'Controller DID:' | awk -F': ' '{print $2}') +IDENTITY=$(auths id show | grep 'Identity:' | awk '{print $NF}') auths key import \ --alias laptop-key \ --seed-file ~/device_key.seed \ - --controller-did "$CONTROLLER_DID" + --identity "$IDENTITY" ``` The seed file must contain exactly 32 bytes of raw Ed25519 key material. You will be prompted for a passphrase to encrypt the key before storing it in the platform keychain. @@ -133,7 +133,7 @@ The seed file must contain exactly 32 bytes of raw Ed25519 key material. You wil auths device link \ --key my-key \ --device-key laptop-key \ - --device-did "$DEVICE_DID" \ + --device "$DEVICE_DID" \ --note "Work Laptop" \ --expires-in 7776000 ``` @@ -187,7 +187,7 @@ auths device list --include-revoked ```bash auths device extend \ - --device-did "$DEVICE_DID" \ + --device "$DEVICE_DID" \ --expires-in 7776000 \ --key my-key \ --device-key laptop-key @@ -197,7 +197,7 @@ auths device extend \ ```bash auths device revoke \ - --device-did "$DEVICE_DID" \ + --device "$DEVICE_DID" \ --key my-key \ --note "Laptop retired" ``` @@ -214,7 +214,7 @@ auths key delete --alias laptop-key auths device verify --attestation path/to/attestation.json ``` -The `--attestation` flag accepts a path to a device authorization JSON file, or `-` to read from stdin. You can optionally pass `--issuer-did` or `--issuer-pk` to specify the expected issuer. +The `--attestation` flag accepts a path to a device authorization JSON file, or `-` to read from stdin. You can optionally pass `--signer` or `--signer-key` to specify the expected signer. ## Troubleshooting diff --git a/docs/guides/identity/profiles.md b/docs/guides/identity/profiles.md index 7f0e87ee..16d0fc83 100644 --- a/docs/guides/identity/profiles.md +++ b/docs/guides/identity/profiles.md 
@@ -26,16 +26,16 @@ What it does: 1. Verifies keychain access (macOS Keychain, Linux Secret Service, Windows Credential Manager, or encrypted file fallback) 2. Checks Git version compatibility -3. Prompts for a key alias (default: `main`) +3. Prompts for a key name (default: `main`) 4. Generates an Ed25519 keypair with KERI pre-rotation 5. Links the current device to the identity 6. Configures Git signing (`gpg.format`, `gpg.ssh.program`, `user.signingKey`, `commit.gpgSign`) -7. Optionally claims a Developer Passport by linking a GitHub identity +7. Optionally links your GitHub account for identity verification 8. Optionally registers the identity on the public Auths Registry Interactive prompts include: -- **Key alias** -- the local name for your signing key +- **Key name** -- the local name for your signing key - **Conflict policy** -- reuse an existing identity or create a new one - **Git scope** -- configure signing for this repository only (`--local`) or all repositories (`--global`) - **Platform verification** -- link your GitHub account for identity discovery diff --git a/docs/guides/platforms/ci-cd.md b/docs/guides/platforms/ci-cd.md index b7f5e461..f37976b8 100644 --- a/docs/guides/platforms/ci-cd.md +++ b/docs/guides/platforms/ci-cd.md 
@@ -136,20 +136,20 @@ Exit codes: `0` for valid, `1` for invalid/unsigned, `2` for errors. Verify a signed artifact by passing the artifact file directly — `auths` finds the `.auths.json` sidecar automatically: ```bash -auths verify myproject.tar.gz --issuer-pk +auths verify myproject.tar.gz --signer-key ``` Or using the issuer's DID: ```bash -auths verify myproject.tar.gz --issuer-did did:keri:EaBcDeFg... +auths verify myproject.tar.gz --signer did:keri:EaBcDeFg... ``` You can also pass the attestation file directly, or override the sidecar path: ```bash -auths verify myproject.tar.gz.auths.json --issuer-pk -auths verify myproject.tar.gz --signature /path/to/custom.auths.json --issuer-pk +auths verify myproject.tar.gz.auths.json --signer-key +auths verify myproject.tar.gz --signature /path/to/custom.auths.json --signer-key ``` ### JSON output for CI parsing @@ -211,7 +211,7 @@ To revoke a CI device at any time: ```bash auths device revoke \ - --device-did \ + --device \ --key ``` diff --git a/docs/guides/platforms/radicle.md b/docs/guides/platforms/radicle.md index a02074c5..7bfcb5e0 100644 --- a/docs/guides/platforms/radicle.md +++ b/docs/guides/platforms/radicle.md @@ -65,13 +65,13 @@ auths id show --repo "$RAD_REPO_PATH" Import a device key and link it to your identity: ```bash -CONTROLLER_DID=$(auths id show --repo "$RAD_REPO_PATH" \ - | grep 'Controller DID:' | awk -F': ' '{print $2}') +IDENTITY=$(auths id show --repo "$RAD_REPO_PATH" \ + | grep 'Identity:' | awk '{print $NF}') auths key import \ --alias rad_device_key \ --seed-file ~/rad_device.seed \ - --controller-did "$CONTROLLER_DID" + --identity "$IDENTITY" ``` Then link the device: @@ -81,7 +81,7 @@ auths device link \ --repo "$RAD_REPO_PATH" \ --key radicle_id_key \ --device-key rad_device_key \ - --device-did "$DEVICE_DID" \ + --device "$DEVICE_DID" \ --note "Radicle Laptop Key" ``` diff --git a/docs/sdk/rust/quickstart.md b/docs/sdk/rust/quickstart.md index 45347d08..815adf9b 100644 
--- a/docs/sdk/rust/quickstart.md +++ b/docs/sdk/rust/quickstart.md @@ -64,7 +64,7 @@ fn main() -> Result<(), Box> { println!("Identity DID: {}", result.identity_did); println!("Device DID: {}", result.device_did); - println!("Key alias: {}", result.key_alias); + println!("Key name: {}", result.key_alias); Ok(()) }