feat: add automated resolver

Author: Test User

CHANGELOG.md

@@ -0,0 +1,47 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+
+- **resolver:** Auto-resolve identity and attestation data from a repository URL via new `repo` attribute. No more manual JSON — `<auths-verify repo="https://github.com/user/repo">` just works.
+- **resolver:** `forge` attribute to override auto-detection of forge type (`github`, `gitea`, `gitlab`).
+- **resolver:** `identity` attribute to filter to a specific DID when a repository has multiple identities.
+- **resolver:** GitHub adapter — resolves `refs/auths/identity` and `refs/auths/devices/nodes/*/` via GitHub REST API, extracts public key from `did:key:z...`, reads attestation chain.
+- **resolver:** Gitea adapter — mirrors GitHub adapter with `/api/v1/` prefix and configurable base URL for self-hosted instances.
+- **resolver:** GitLab stub — returns descriptive error explaining GitLab does not expose custom Git refs via its REST API.
+- **resolver:** Pure TypeScript `did:key:z...` to Ed25519 public key hex extraction (inline base58btc decoder, multicodec prefix stripping). Runs before WASM loads.
+- **resolver:** URL parser with auto-detection: `github.com` → GitHub, `gitlab.com` → GitLab, unknown hosts → Gitea.
+- **resolver:** In-memory cache with 5-minute TTL prevents redundant API calls when multiple widgets point to the same repo.
+- **resolver:** Dynamic import (`import('./resolvers/index')`) — zero bundle size impact when `repo` attribute is not used.
+- **resolver:** DID sanitization helper matching Rust `layout.rs` (`replace(/[^a-zA-Z0-9]/g, '_')`).
+- **tests:** 29 new resolver tests — `detect.test.ts` (10), `did-utils.test.ts` (7), `github.test.ts` (7), `gitea.test.ts` (5).
+- **examples:** `auto-resolve.html` demonstrating the `repo` attribute with GitHub, Gitea, forge hints, and identity filters.
+
+### Changed
+
+- **widget:** `#hasInput()` now returns `true` when `repo` is set, even without manual `attestation`/`public-key` data.
+- **widget:** `verify()` resolves from forge before loading WASM when `repo` is set but attestation data is missing.
+- **README:** Updated quick start to recommend `repo` attribute. Added new attributes to the attribute table.
+
+## [0.1.0] - 2026-02-16
+
+### Added
+
+- Initial release of `<auths-verify>` web component.
+- Three display modes: `badge` (default), `detail` (expandable chain table), `tooltip` (hover summary).
+- Three badge sizes: `sm`, `md`, `lg`.
+- WASM-powered Ed25519 attestation chain verification via `@auths/verifier`.
+- Dual build outputs: full bundle (WASM base64-inlined) and slim bundle (separate WASM file).
+- Singleton WASM initialization with coalesced loading.
+- CSS custom property theming for all states and typography.
+- Accessibility: `role="status"`, `aria-live="polite"`, `aria-expanded`, focus-visible outlines, forced-colors support.
+- Custom events: `auths-verified`, `auths-error`.
+- JavaScript API: `verify()`, `getReport()`.
+- Auto-verify on connect and attribute change (debounced).
+- SVG icons for all 7 component states.

README.md

@@ -7,17 +7,25 @@ A drop-in web component for decentralized commit verification — the decentrali
 
 ## Quick Start
 
+### Auto-resolve from a repository (recommended)
+
 ```html
 <script type="module" src="https://unpkg.com/auths-verify/dist/auths-verify.mjs"></script>
 
+<auths-verify repo="https://github.com/user/repo"></auths-verify>
+```
+
+The widget fetches identity and attestation data from the forge's Git refs automatically, loads WASM, and verifies.
+
+### Manual data (advanced)
+
+```html
 <auths-verify
   attestation='{"version":1,"rid":"...","issuer":"did:keri:...","subject":"did:key:z...","device_public_key":"...","identity_signature":"...","device_signature":"...","revoked":false}'
   public-key="aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899"
 ></auths-verify>
 ```
 
-The widget loads WASM and verifies the attestation automatically on mount.
-
 ## Display Modes
 
 ### Badge (default)
@@ -48,14 +56,19 @@ Badge with a hover tooltip summarizing verification status.
 
 | Attribute | Type | Default | Description |
 |---|---|---|---|
-| `attestation` | JSON string | `""` | Single attestation to verify |
-| `attestations` | JSON array string | `""` | Chain of attestations to verify |
-| `public-key` | hex string | `""` | Root/issuer Ed25519 public key |
+| `repo` | URL string | `""` | Repository URL — auto-resolves identity and attestations from forge |
+| `forge` | `github\|gitea\|gitlab` | auto | Override forge type auto-detection |
+| `identity` | DID string | `""` | Filter to a specific identity DID when repo has multiple |
+| `attestation` | JSON string | `""` | Single attestation to verify (manual mode) |
+| `attestations` | JSON array string | `""` | Chain of attestations to verify (manual mode) |
+| `public-key` | hex string | `""` | Root/issuer Ed25519 public key (manual mode) |
 | `mode` | `badge\|detail\|tooltip` | `badge` | Display mode |
 | `size` | `sm\|md\|lg` | `md` | Badge size |
 | `wasm-url` | string | `""` | Optional WASM URL override |
 | `auto-verify` | boolean | `true` | Verify on connect/attribute change |
 
+When `repo` is set, the widget auto-resolves `attestations` and `public-key` from the forge before running WASM verification. GitHub and Gitea are supported. GitLab does not expose custom Git refs — use manual attributes for GitLab repos.
+
 ## JavaScript API
 
 ```js

examples/auto-resolve.html

@@ -0,0 +1,79 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>auths-verify — Auto-Resolve Example</title>
+  <style>
+    body { font-family: system-ui, sans-serif; max-width: 600px; margin: 60px auto; padding: 0 20px; }
+    h1 { font-size: 20px; }
+    h2 { font-size: 16px; margin-top: 32px; color: #6b7280; }
+    code { background: #f3f4f6; padding: 2px 6px; border-radius: 4px; font-size: 13px; }
+    .demo { display: flex; gap: 12px; flex-wrap: wrap; align-items: center; margin-top: 12px; }
+    p { font-size: 14px; color: #4b5563; }
+    pre { background: #f9fafb; border: 1px solid #e5e7eb; border-radius: 6px; padding: 12px; overflow-x: auto; font-size: 13px; }
+    .log { font-size: 12px; color: #6b7280; margin-top: 4px; }
+  </style>
+</head>
+<body>
+  <h1>Auto-Resolve from Repository</h1>
+  <p>
+    Instead of supplying raw attestation JSON and a public key hex string,
+    just point the widget at a repository URL. The widget automatically
+    fetches identity and attestation data from the forge's Git refs.
+  </p>
+
+  <h2>GitHub Repository</h2>
+  <p>Uses the <code>repo</code> attribute to auto-resolve from GitHub:</p>
+  <pre>&lt;auths-verify repo="https://github.com/bordumb/auths"&gt;&lt;/auths-verify&gt;</pre>
+  <div class="demo">
+    <auths-verify
+      id="github-demo"
+      repo="https://github.com/bordumb/auths"
+    ></auths-verify>
+  </div>
+  <p class="log" id="github-log">Waiting...</p>
+
+  <h2>With Tooltip Mode</h2>
+  <p>Combine <code>repo</code> with display modes:</p>
+  <pre>&lt;auths-verify repo="https://github.com/bordumb/auths" mode="tooltip"&gt;&lt;/auths-verify&gt;</pre>
+  <div class="demo">
+    <auths-verify
+      repo="https://github.com/bordumb/auths"
+      mode="tooltip"
+    ></auths-verify>
+  </div>
+
+  <h2>Gitea Instance (Self-Hosted)</h2>
+  <p>For Gitea or other self-hosted forges, auto-detection picks the right adapter:</p>
+  <pre>&lt;auths-verify repo="https://git.example.com/user/repo"&gt;&lt;/auths-verify&gt;</pre>
+  <div class="demo">
+    <auths-verify
+      repo="https://git.example.com/user/repo"
+      auto-verify="false"
+      data-state="idle"
+    ></auths-verify>
+    <span style="font-size:13px;color:#9ca3af;">(auto-verify off — no live server)</span>
+  </div>
+
+  <h2>Forge Hint Override</h2>
+  <p>Use <code>forge</code> to override auto-detection:</p>
+  <pre>&lt;auths-verify repo="https://git.custom.io/org/repo" forge="gitea"&gt;&lt;/auths-verify&gt;</pre>
+
+  <h2>Identity Filter</h2>
+  <p>Use <code>identity</code> to resolve a specific identity when a repo has multiple:</p>
+  <pre>&lt;auths-verify repo="https://github.com/bordumb/auths" identity="did:key:z6Mk..."&gt;&lt;/auths-verify&gt;</pre>
+
+  <script type="module" src="../src/auths-verify.ts"></script>
+  <script>
+    const demo = document.getElementById('github-demo');
+    const log = document.getElementById('github-log');
+    demo.addEventListener('auths-verified', (e) => {
+      log.textContent = `Verified! Status: ${e.detail.status.type}, Chain: ${e.detail.chain.length} link(s)`;
+    });
+    demo.addEventListener('auths-error', (e) => {
+      log.textContent = `Error: ${e.detail.error}`;
+    });
+  </script>
+</body>
+</html>

src/auths-verify.ts

@@ -15,7 +15,7 @@ const DEBOUNCE_MS = 50;
 
 class AuthsVerify extends HTMLElement {
   static get observedAttributes(): string[] {
-    return ['attestation', 'attestations', 'public-key', 'mode', 'size', 'wasm-url', 'auto-verify'];
+    return ['attestation', 'attestations', 'public-key', 'mode', 'size', 'wasm-url', 'auto-verify', 'repo', 'forge', 'identity'];
   }
 
   // --- Private state ---
@@ -112,6 +112,27 @@ class AuthsVerify extends HTMLElement {
     }
   }
 
+  get repo(): string {
+    return this.getAttribute('repo') ?? '';
+  }
+  set repo(v: string) {
+    this.setAttribute('repo', v);
+  }
+
+  get forge(): string {
+    return this.getAttribute('forge') ?? '';
+  }
+  set forge(v: string) {
+    this.setAttribute('forge', v);
+  }
+
+  get identity(): string {
+    return this.getAttribute('identity') ?? '';
+  }
+  set identity(v: string) {
+    this.setAttribute('identity', v);
+  }
+
   // --- Public API ---
 
   /** Trigger verification manually. */
@@ -124,6 +145,21 @@ class AuthsVerify extends HTMLElement {
     this.#setState('loading');
 
     try {
+      // If repo is set but attestation data is missing, resolve from forge
+      if (this.repo && !this.attestation && !this.attestations) {
+        const { resolveFromRepo } = await import('./resolvers/index');
+        const result = await resolveFromRepo(
+          this.repo,
+          this.forge || undefined,
+          this.identity || undefined,
+        );
+        if (!result.bundle) {
+          throw new Error(result.error ?? 'Could not resolve identity from repository');
+        }
+        this.publicKey = result.bundle.public_key_hex;
+        this.attestations = JSON.stringify(result.bundle.attestation_chain);
+      }
+
       await ensureInit(this.wasmUrl || undefined);
 
       const pk = this.publicKey;
@@ -177,7 +213,7 @@ class AuthsVerify extends HTMLElement {
   // --- Internals ---
 
   #hasInput(): boolean {
-    return !!(this.publicKey && (this.attestation || this.attestations));
+    return !!(this.repo || (this.publicKey && (this.attestation || this.attestations)));
   }
 
   #setState(state: ComponentState): void {

src/resolvers/adapter.ts

@@ -0,0 +1,8 @@
+import type { ForgeConfig, ResolveResult, RefEntry } from './types';
+
+/** Forge-specific adapter for resolving auths identity data via Git refs */
+export interface ForgeAdapter {
+  resolve(config: ForgeConfig, identityFilter?: string): Promise<ResolveResult>;
+  listAuthsRefs(config: ForgeConfig): Promise<RefEntry[]>;
+  readBlob(config: ForgeConfig, sha: string): Promise<string>;
+}

src/resolvers/cache.ts

@@ -0,0 +1,28 @@
+import type { ResolveResult } from './types';
+
+const TTL_MS = 5 * 60 * 1000; // 5 minutes
+
+interface CacheEntry {
+  data: ResolveResult;
+  expires: number;
+}
+
+const store = new Map<string, CacheEntry>();
+
+export function cacheGet(key: string): ResolveResult | null {
+  const entry = store.get(key);
+  if (!entry) return null;
+  if (Date.now() > entry.expires) {
+    store.delete(key);
+    return null;
+  }
+  return entry.data;
+}
+
+export function cacheSet(key: string, data: ResolveResult): void {
+  store.set(key, { data, expires: Date.now() + TTL_MS });
+}
+
+export function cacheClear(): void {
+  store.clear();
+}

src/resolvers/detect.ts

@@ -0,0 +1,59 @@
+import type { ForgeConfig, ForgeType } from './types';
+
+/**
+ * Parse a repository URL and detect the forge type.
+ *
+ * - github.com → github
+ * - gitlab.com → gitlab
+ * - Unknown host → defaults to gitea (self-hosted)
+ * - forgeHint overrides auto-detection
+ */
+export function detectForge(repoUrl: string, forgeHint?: string): ForgeConfig | null {
+  let url: URL;
+  try {
+    url = new URL(repoUrl);
+  } catch {
+    return null;
+  }
+
+  // Strip .git suffix and trailing slash from pathname
+  const path = url.pathname.replace(/\.git$/, '').replace(/\/$/, '');
+  const segments = path.split('/').filter(Boolean);
+
+  if (segments.length < 2) return null;
+
+  const owner = segments[0];
+  const repo = segments[1];
+
+  let type: ForgeType;
+  let baseUrl: string;
+
+  if (forgeHint) {
+    type = forgeHint as ForgeType;
+  } else {
+    const host = url.hostname.toLowerCase();
+    if (host === 'github.com') {
+      type = 'github';
+    } else if (host === 'gitlab.com') {
+      type = 'gitlab';
+    } else {
+      type = 'gitea';
+    }
+  }
+
+  switch (type) {
+    case 'github':
+      baseUrl = 'https://api.github.com';
+      break;
+    case 'gitlab':
+      baseUrl = `${url.protocol}//${url.host}`;
+      break;
+    case 'gitea':
+      baseUrl = `${url.protocol}//${url.host}`;
+      break;
+    default:
+      return null;
+  }
+
+  return { type, baseUrl, owner, repo };
+}