auths-dev
diff --git a/‎e2e/widget.spec.ts‎
Lines changed: 34 additions & 42 deletions b/‎e2e/widget.spec.ts‎
Lines changed: 34 additions & 42 deletions
diff --git a/‎src/resolvers/did-utils.ts‎
Lines changed: 22 additions & 0 deletions b/‎src/resolvers/did-utils.ts‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎src/resolvers/gitea.ts‎
Lines changed: 42 additions & 56 deletions b/‎src/resolvers/gitea.ts‎
Lines changed: 42 additions & 56 deletions
@@ -1,30 +1,40 @@
 import { test, expect, type Page } from '@playwright/test';
 
 // ---------------------------------------------------------------------------
-// Mock data — matches the structure the GitHub adapter expects
+// Mock data — matches the registry format (refs/auths/registry)
 // ---------------------------------------------------------------------------
 
-const TEST_DID = 'did:key:z6MkiTBz1ymuepAQ4HEHYSF1H8quG5GLVVQR3djdX3mDooWp';
+const TEST_KERI_PREFIX = 'EXrBYxo2ovC9iZIKgXZhbiDvD21eAVwoLnlziitHeTiM';
+const TEST_CESR_KEY = 'DQIS37c2Ar3CzozrmU9KpbUWBYWMJhBWPV-wN50i-RGI';
+
+const STATE_JSON = JSON.stringify({
+  version: 1,
+  state: {
+    prefix: TEST_KERI_PREFIX,
+    current_keys: [TEST_CESR_KEY],
+    sequence: 0,
+  },
+});
 
-const IDENTITY_JSON = JSON.stringify({ controller_did: TEST_DID });
 const ATTESTATION_JSON = JSON.stringify({
   version: 1,
-  rid: 'test-rid',
-  issuer: TEST_DID,
+  rid: '.auths',
+  issuer: `did:keri:${TEST_KERI_PREFIX}`,
   subject: 'did:key:z6MkDev1Device',
-  iat: '2025-01-01T00:00:00Z',
-  signature: 'deadbeef',
+  device_public_key: 'abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234',
+  identity_signature: 'deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef',
+  device_signature: 'deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef',
+  timestamp: '2025-01-01T00:00:00Z',
 });
 
-const IDENTITY_B64 = btoa(IDENTITY_JSON);
+const STATE_B64 = btoa(STATE_JSON);
 const ATTESTATION_B64 = btoa(ATTESTATION_JSON);
 
 // ---------------------------------------------------------------------------
-// Route handler: mocks the GitHub REST API for forge adapter
+// Route handler: mocks the GitHub REST API for forge adapter (registry format)
 // ---------------------------------------------------------------------------
 
 async function mockGitHubAPI(page: Page) {
-  // Intercept all requests to api.github.com
   await page.route('https://api.github.com/**', async (route) => {
     const url = route.request().url();
 
@@ -34,8 +44,7 @@ async function mockGitHubAPI(page: Page) {
         status: 200,
         contentType: 'application/json',
         body: JSON.stringify([
-          { ref: 'refs/auths/identity', object: { sha: 'commit-id-1' } },
-          { ref: 'refs/auths/keys/dev1/signatures', object: { sha: 'commit-att-1' } },
+          { ref: 'refs/auths/registry', object: { sha: 'commit-registry' } },
         ]),
       });
     }
@@ -50,49 +59,35 @@ async function mockGitHubAPI(page: Page) {
     }
 
     // 2. Get commit → tree SHA
-    if (url.includes('git/commits/commit-id-1')) {
-      return route.fulfill({
-        status: 200,
-        contentType: 'application/json',
-        body: JSON.stringify({ tree: { sha: 'tree-identity' } }),
-      });
-    }
-
-    if (url.includes('git/commits/commit-att-1')) {
+    if (url.includes('git/commits/commit-registry')) {
       return route.fulfill({
         status: 200,
         contentType: 'application/json',
-        body: JSON.stringify({ tree: { sha: 'tree-attestation' } }),
+        body: JSON.stringify({ tree: { sha: 'tree-registry' } }),
       });
     }
 
-    // 3. Get tree → blob entries
-    if (url.includes('git/trees/tree-identity')) {
+    // 3. Get recursive tree → all blobs in registry
+    if (url.includes('git/trees/tree-registry')) {
       return route.fulfill({
         status: 200,
         contentType: 'application/json',
         body: JSON.stringify({
-          tree: [{ path: 'identity.json', sha: 'blob-identity' }],
-        }),
-      });
-    }
-
-    if (url.includes('git/trees/tree-attestation')) {
-      return route.fulfill({
-        status: 200,
-        contentType: 'application/json',
-        body: JSON.stringify({
-          tree: [{ path: 'attestation.json', sha: 'blob-attestation' }],
+          tree: [
+            { path: `v1/identities/EX/rB/${TEST_KERI_PREFIX}/state.json`, sha: 'blob-state', type: 'blob' },
+            { path: `v1/devices/z6/Mk/did_key_z6MkDev1Device/attestation.json`, sha: 'blob-attestation', type: 'blob' },
+            { path: 'v1/metadata.json', sha: 'blob-meta', type: 'blob' },
+          ],
         }),
       });
     }
 
     // 4. Read blobs
-    if (url.includes('git/blobs/blob-identity')) {
+    if (url.includes('git/blobs/blob-state')) {
       return route.fulfill({
         status: 200,
         contentType: 'application/json',
-        body: JSON.stringify({ content: IDENTITY_B64, encoding: 'base64' }),
+        body: JSON.stringify({ content: STATE_B64, encoding: 'base64' }),
       });
     }
 
@@ -136,11 +131,11 @@ test.describe('auths-verify widget E2E', () => {
     await page.goto('/e2e/fixture.html');
   });
 
-  test('badge mode: resolves identity from mocked GitHub API and reaches terminal state', async ({ page }) => {
+  test('badge mode: resolves identity from mocked registry and reaches terminal state', async ({ page }) => {
     await waitForState(page, '#badge-repo');
 
     const state = await page.getAttribute('#badge-repo', 'data-state');
-    // The widget fetched refs, read identity.json, attempted WASM verification.
+    // The widget fetched registry, read state.json, attempted WASM verification.
     // With fake crypto data the result is either 'verified', 'invalid', or 'error'
     // — any of these proves the pipeline ran end-to-end.
     expect(['verified', 'invalid', 'error']).toContain(state);
@@ -197,7 +192,6 @@ test.describe('auths-verify widget E2E', () => {
   });
 
   test('events: widget emits auths-verified or auths-error', async ({ page }) => {
-    // Collect events from the badge-repo widget
     const events = await page.evaluate(() => {
       return new Promise<{ type: string; detail: unknown }[]>((resolve) => {
         const collected: { type: string; detail: unknown }[] = [];
@@ -211,7 +205,6 @@ test.describe('auths-verify widget E2E', () => {
           collected.push({ type: 'auths-error', detail: (e as CustomEvent).detail });
         });
 
-        // Wait for event (widget auto-verifies on connect)
         setTimeout(() => resolve(collected), 10_000);
       });
     });
@@ -245,5 +238,4 @@ test.describe('auths-verify widget E2E', () => {
     });
     expect(expanded).toBe('false');
   });
-
 });
@@ -65,6 +65,28 @@ export function didKeyToPublicKeyHex(didKey: string): string {
   return bytesToHex(decoded.slice(2, 34));
 }
 
+/**
+ * Decode a CESR-encoded Ed25519 public key to hex.
+ *
+ * CESR uses a 1-char type code prefix that replaces base64 padding.
+ * For Ed25519 keys: prefix 'D', total 44 chars.
+ * To decode: replace prefix with 'A' (zero byte), base64url-decode → 33 bytes,
+ * skip first byte, remaining 32 bytes are the raw key.
+ */
+export function cesrToPublicKeyHex(cesr: string): string {
+  if (cesr.length !== 44 || cesr[0] !== 'D') {
+    throw new Error(`Expected 44-char CESR Ed25519 key (D prefix), got: ${cesr}`);
+  }
+  const b64url = 'A' + cesr.slice(1);
+  const b64 = b64url.replace(/-/g, '+').replace(/_/g, '/');
+  const binary = atob(b64);
+  const bytes = new Uint8Array(32);
+  for (let i = 0; i < 32; i++) {
+    bytes[i] = binary.charCodeAt(i + 1);
+  }
+  return bytesToHex(bytes);
+}
+
 /**
  * Sanitize a DID for use in Git ref paths.
  * Matches Rust: layout.rs:247-251 — replace non-alphanumeric with '_'
 
@@ -1,21 +1,18 @@
 /**
  * Gitea adapter — resolves auths identity data via Gitea REST API.
  *
- * Mirrors the GitHub adapter with Gitea-specific API paths:
- *   /api/v1/repos/{owner}/{repo}/git/...
+ * Reads from refs/auths/registry — structured tree with:
+ *   v1/identities/XX/YY/<prefix>/state.json  (KERI identity state)
+ *   v1/devices/XX/YY/<did>/attestation.json   (device attestations)
  *
  * Base URL is configurable for self-hosted instances.
  */
 
 import type { ForgeAdapter } from './adapter';
 import type { ForgeConfig, RefEntry, ResolveResult } from './types';
-import { didKeyToPublicKeyHex } from './did-utils';
+import { cesrToPublicKeyHex } from './did-utils';
 
-// Git ref constants — mirrors auths-id/src/storage/layout.rs
-const IDENTITY_REF = 'refs/auths/identity';
-const DEVICE_PREFIX = 'refs/auths/keys';
-const IDENTITY_BLOB = 'identity.json';
-const ATTESTATION_BLOB = 'attestation.json';
+const REGISTRY_REF = 'refs/auths/registry';
 
 async function giteaFetch(url: string): Promise<Response> {
   const res = await fetch(url, {
@@ -29,11 +26,9 @@ async function giteaFetch(url: string): Promise<Response> {
 
 export const giteaAdapter: ForgeAdapter = {
   async listAuthsRefs(config: ForgeConfig): Promise<RefEntry[]> {
-    // Gitea API: GET /api/v1/repos/{owner}/{repo}/git/refs/auths
     const url = `${config.baseUrl}/api/v1/repos/${config.owner}/${config.repo}/git/refs/auths`;
     const res = await giteaFetch(url);
     const data: Array<{ ref: string; object: { sha: string } }> = await res.json();
-    // Gitea may return a single object or array depending on version
     const entries = Array.isArray(data) ? data : [data];
     return entries.map((entry) => ({ ref: entry.ref, sha: entry.object.sha }));
   },
@@ -55,55 +50,65 @@ export const giteaAdapter: ForgeAdapter = {
         return { bundle: null, error: 'No auths refs found in this repository' };
       }
 
-      // Find and read identity ref
-      const identityRef = refs.find((r) => r.ref === IDENTITY_REF);
-      if (!identityRef) {
-        return { bundle: null, error: 'No identity ref found (refs/auths/identity)' };
+      const registryRef = refs.find((r) => r.ref === REGISTRY_REF);
+      if (!registryRef) {
+        return { bundle: null, error: 'No registry ref found (refs/auths/registry)' };
       }
 
-      // Follow commit → tree → identity.json blob
-      const identityBlob = await resolveTreeBlob(config, identityRef.sha, IDENTITY_BLOB);
-      if (!identityBlob) {
-        return { bundle: null, error: 'Could not read identity.json from identity ref' };
-      }
+      const commitUrl = `${config.baseUrl}/api/v1/repos/${config.owner}/${config.repo}/git/commits/${registryRef.sha}`;
+      const commitRes = await giteaFetch(commitUrl);
+      const commit: { tree: { sha: string } } = await commitRes.json();
 
-      const identity = JSON.parse(identityBlob);
-      const controllerDid: string = identity.controller_did ?? identity.identity_did;
+      const treeUrl = `${config.baseUrl}/api/v1/repos/${config.owner}/${config.repo}/git/trees/${commit.tree.sha}?recursive=1`;
+      const treeRes = await giteaFetch(treeUrl);
+      const tree: { tree: Array<{ path: string; sha: string; type: string }> } = await treeRes.json();
 
-      if (!controllerDid) {
-        return { bundle: null, error: 'No controller_did found in identity.json' };
+      const stateEntry = tree.tree.find(
+        (e) => e.type === 'blob' && /^v1\/identities\/[^/]{2}\/[^/]{2}\/[^/]+\/state\.json$/.test(e.path),
+      );
+      if (!stateEntry) {
+        return { bundle: null, error: 'No identity state found in registry' };
       }
 
+      const keriPrefix = stateEntry.path.split('/')[4];
+      const controllerDid = `did:keri:${keriPrefix}`;
+
       if (identityFilter && controllerDid !== identityFilter) {
         return {
           bundle: null,
           error: `Identity ${controllerDid} does not match filter ${identityFilter}`,
         };
       }
 
-      // Extract public key from DID
+      const stateBlob = await this.readBlob(config, stateEntry.sha);
+      const state = JSON.parse(stateBlob);
+      const currentKeyCesr: string | undefined = state.state?.current_keys?.[0];
+
+      if (!currentKeyCesr) {
+        return { bundle: null, error: 'No current key found in identity state' };
+      }
+
       let publicKeyHex: string;
-      if (controllerDid.startsWith('did:key:z')) {
-        publicKeyHex = didKeyToPublicKeyHex(controllerDid);
-      } else {
+      try {
+        publicKeyHex = cesrToPublicKeyHex(currentKeyCesr);
+      } catch (err) {
         return {
           bundle: null,
-          error: `Cannot extract public key from ${controllerDid}. Only did:key is supported for auto-resolve.`,
+          error: `Failed to decode CESR key: ${err instanceof Error ? err.message : String(err)}`,
         };
       }
 
-      // Discover device attestation refs
-      const deviceRefs = refs.filter((r) => r.ref.startsWith(DEVICE_PREFIX + '/'));
-      const attestationChain: object[] = [];
+      const attestationEntries = tree.tree.filter(
+        (e) => e.type === 'blob' && /^v1\/devices\/[^/]{2}\/[^/]{2}\/[^/]+\/attestation\.json$/.test(e.path),
+      );
 
-      for (const deviceRef of deviceRefs) {
+      const attestationChain: object[] = [];
+      for (const entry of attestationEntries) {
         try {
-          const attestBlob = await resolveTreeBlob(config, deviceRef.sha, ATTESTATION_BLOB);
-          if (attestBlob) {
-            attestationChain.push(JSON.parse(attestBlob));
-          }
+          const blob = await this.readBlob(config, entry.sha);
+          attestationChain.push(JSON.parse(blob));
         } catch {
-          // Skip unreadable device refs
+          // Skip unreadable attestations
         }
       }
 
@@ -122,22 +127,3 @@ export const giteaAdapter: ForgeAdapter = {
     }
   },
 };
-
-async function resolveTreeBlob(
-  config: ForgeConfig,
-  commitSha: string,
-  blobName: string,
-): Promise<string | null> {
-  const commitUrl = `${config.baseUrl}/api/v1/repos/${config.owner}/${config.repo}/git/commits/${commitSha}`;
-  const commitRes = await giteaFetch(commitUrl);
-  const commit: { tree: { sha: string } } = await commitRes.json();
-
-  const treeUrl = `${config.baseUrl}/api/v1/repos/${config.owner}/${config.repo}/git/trees/${commit.tree.sha}`;
-  const treeRes = await giteaFetch(treeUrl);
-  const tree: { tree: Array<{ path: string; sha: string }> } = await treeRes.json();
-
-  const blobEntry = tree.tree.find((t) => t.path === blobName);
-  if (!blobEntry) return null;
-
-  return giteaAdapter.readBlob(config, blobEntry.sha);
-}