fix: correct e2e tests

Author: bordumb

.auths/allowed_signers

@@ -1,4 +1,8 @@
 # auths:managed — do not edit manually
 # auths:attestation
+<<<<<<< Updated upstream
 zDnaeTDAGwQd8YFykWwyeQEQC8hrHHWbeb9AsoJanKqheTQ9g@auths.local namespaces="git" ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBClLNRlBdgjEEPozFdM4rZh556aLyLCJLj77b+Ru5ACTaqMmXLuRlUWkonba8LKP2NKBWNme+4+tRLYngOaDDxo=
+=======
+zDnaeQaiejhv26gSRpcw2GuXyFwnBsg5d4LnEYmwswkL6xqNq@auths.local namespaces="git" ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAI983sl/v/wrXA3Eh6z1pbEUrSISl90Ydt6pagriWA6af/KRqhnahp5ZfUFLDxBNRRLHj8y/aWvWO9NqCQWRXI=
+>>>>>>> Stashed changes
 # auths:manual

.pre-commit-config.yaml

@@ -51,14 +51,14 @@ repos:
 
       - id: cargo-clippy
         name: cargo clippy
-        entry: cargo clippy --all-targets --all-features -- -D warnings
+        entry: cargo clippy --all-targets --all-features --keep-going -- -D warnings
         language: system
         types: [rust]
         pass_filenames: false
 
       - id: cargo-clippy-packages
         name: cargo clippy (packages/)
-        entry: bash -c 'for d in packages/auths-node packages/auths-python packages/auths-verifier-swift; do [ -f "$d/Cargo.toml" ] && CARGO_TARGET_DIR=../../target cargo clippy --manifest-path "$d/Cargo.toml" --all-targets -- -D warnings || exit 1; done'
+        entry: bash -c 'failed=0; for d in packages/auths-node packages/auths-python packages/auths-verifier-swift; do [ -f "$d/Cargo.toml" ] || continue; CARGO_TARGET_DIR=../../target cargo clippy --manifest-path "$d/Cargo.toml" --all-targets --keep-going -- -D warnings || failed=1; done; exit $failed'
         language: system
         types: [rust]
         pass_filenames: false

crates/auths-cli/src/commands/artifact/verify.rs

@@ -310,20 +310,26 @@ pub async fn handle_verify(
 fn resolve_identity_key(
     identity_bundle: &Option<PathBuf>,
     attestation: &Attestation,
-) -> Result<(Vec<u8>, CanonicalDid)> {
+) -> Result<(auths_verifier::DevicePublicKey, CanonicalDid)> {
     if let Some(bundle_path) = identity_bundle {
         let bundle_content = fs::read_to_string(bundle_path)
             .with_context(|| format!("Failed to read identity bundle: {:?}", bundle_path))?;
         let bundle: IdentityBundle = serde_json::from_str(&bundle_content)
             .with_context(|| format!("Failed to parse identity bundle: {:?}", bundle_path))?;
-        let pk = hex::decode(bundle.public_key_hex.as_str())
+        let pk_bytes = hex::decode(bundle.public_key_hex.as_str())
             .context("Invalid public key hex in bundle")?;
+        let curve = auths_crypto::CurveType::from_public_key_len(pk_bytes.len())
+            .ok_or_else(|| anyhow!("Invalid bundle public key length: {}", pk_bytes.len()))?;
+        let pk = auths_verifier::DevicePublicKey::try_new(curve, &pk_bytes)
+            .map_err(|e| anyhow!("Invalid bundle public key: {e}"))?;
         Ok((pk, bundle.identity_did.into()))
     } else {
         // Resolve public key from the issuer DID
         let issuer = &attestation.issuer;
-        let (pk, _curve) = resolve_pk_from_did(issuer)
+        let (pk_bytes, curve) = resolve_pk_from_did(issuer)
             .with_context(|| format!("Failed to resolve public key from issuer DID '{}'. Use --identity-bundle for stateless verification.", issuer))?;
+        let pk = auths_verifier::DevicePublicKey::try_new(curve, &pk_bytes)
+            .map_err(|e| anyhow!("Invalid issuer public key resolved from DID: {e}"))?;
         Ok((pk, issuer.clone()))
     }
 }
@@ -357,7 +363,7 @@ fn resolve_pk_from_did(did: &str) -> Result<(Vec<u8>, auths_crypto::CurveType)>
 /// Verify witness receipts if provided.
 async fn verify_witnesses(
     chain: &[Attestation],
-    root_pk: &[u8],
+    root_pk: &auths_verifier::DevicePublicKey,
     receipts_path: &Option<PathBuf>,
     witness_keys_raw: &[String],
     threshold: usize,

crates/auths-cli/src/commands/device/verify_attestation.rs

@@ -165,36 +165,38 @@ fn effective_trust_policy(cmd: &VerifyCommand) -> TrustPolicy {
     }
 }
 
+/// Wrap raw pubkey bytes from a trust store (pin or roots.json) into a curve-tagged
+/// `DevicePublicKey`. Infers the curve from length via `CurveType::from_public_key_len`.
+fn bytes_to_device_public_key(
+    bytes: &[u8],
+    source: &str,
+) -> Result<auths_verifier::DevicePublicKey> {
+    let curve = auths_crypto::CurveType::from_public_key_len(bytes.len())
+        .ok_or_else(|| anyhow!("Invalid {} public key length: {}", source, bytes.len()))?;
+    auths_verifier::DevicePublicKey::try_new(curve, bytes)
+        .map_err(|e| anyhow!("Invalid {} public key: {e}", source))
+}
+
 /// Resolve the issuer public key from various sources.
 ///
 /// Resolution precedence:
-/// 1. --issuer-pk (direct key, bypasses trust)
+/// 1. `--issuer-pk` (direct key, bypasses trust)
 /// 2. Pinned identity store
-/// 3. roots.json file
+/// 3. `roots.json` file
 /// 4. Trust policy (TOFU prompt or explicit rejection)
 fn resolve_issuer_key(
     now: chrono::DateTime<Utc>,
     cmd: &VerifyCommand,
     att: &Attestation,
-) -> Result<Vec<u8>> {
+) -> Result<auths_verifier::DevicePublicKey> {
     // 1. Direct key takes precedence
     if let Some(ref pk_hex) = cmd.issuer_pk {
         let pk_bytes =
             hex::decode(pk_hex).context("Invalid hex string provided for issuer public key")?;
-        let curve = match pk_bytes.len() {
-            32 => auths_crypto::CurveType::Ed25519,
-            33 | 65 => auths_crypto::CurveType::P256,
-            _ => {
-                return Err(anyhow!(
-                    "Invalid issuer public key length: {}",
-                    pk_bytes.len()
-                ));
-            }
-        };
-        // Validate via DevicePublicKey type system
-        auths_verifier::DevicePublicKey::try_new(curve, &pk_bytes)
-            .map_err(|e| anyhow!("Invalid issuer public key: {e}"))?;
-        return Ok(pk_bytes);
+        let curve = auths_crypto::CurveType::from_public_key_len(pk_bytes.len())
+            .ok_or_else(|| anyhow!("Invalid issuer public key length: {}", pk_bytes.len()))?;
+        return auths_verifier::DevicePublicKey::try_new(curve, &pk_bytes)
+            .map_err(|e| anyhow!("Invalid issuer public key: {e}"));
     }
 
     // Determine the DID to look up
@@ -209,7 +211,7 @@ fn resolve_issuer_key(
         if !is_json_mode() {
             println!("Using pinned identity: {}", did);
         }
-        return Ok(pin.public_key_bytes()?);
+        return bytes_to_device_public_key(&pin.public_key_bytes()?, "pinned identity");
     }
 
     // 3. Check roots.json file
@@ -240,7 +242,7 @@ fn resolve_issuer_key(
                 trust_level: TrustLevel::OrgPolicy,
             };
             store.pin(pin)?;
-            return Ok(root.public_key_bytes()?);
+            return bytes_to_device_public_key(&root.public_key_bytes()?, "roots.json");
         }
     }
 
@@ -297,7 +299,7 @@ async fn run_verify(now: chrono::DateTime<Utc>, cmd: &VerifyCommand) -> Result<V
     }
 
     // 3. Resolve issuer public key
-    let issuer_pk_bytes = resolve_issuer_key(now, cmd, &att)?;
+    let issuer_pk = resolve_issuer_key(now, cmd, &att)?;
 
     let required_capability: Option<Capability> = cmd.require_capability.as_ref().map(|cap| {
         cap.parse::<Capability>().unwrap_or_else(|e| {
@@ -308,9 +310,9 @@ async fn run_verify(now: chrono::DateTime<Utc>, cmd: &VerifyCommand) -> Result<V
 
     // 5. Verify the attestation (with or without capability check)
     let verify_result = if let Some(ref cap) = required_capability {
-        verify_with_capability(&att, cap, &issuer_pk_bytes).await
+        verify_with_capability(&att, cap, &issuer_pk).await
     } else {
-        verify_with_keys(&att, &issuer_pk_bytes).await
+        verify_with_keys(&att, &issuer_pk).await
     };
 
     match verify_result {
@@ -330,13 +332,10 @@ async fn run_verify(now: chrono::DateTime<Utc>, cmd: &VerifyCommand) -> Result<V
                     threshold: cmd.witness_threshold,
                 };
 
-                let report = verify_chain_with_witnesses(
-                    std::slice::from_ref(&att),
-                    &issuer_pk_bytes,
-                    &config,
-                )
-                .await
-                .context("Witness chain verification failed")?;
+                let report =
+                    verify_chain_with_witnesses(std::slice::from_ref(&att), &issuer_pk, &config)
+                        .await
+                        .context("Witness chain verification failed")?;
 
                 if !report.is_valid() {
                     if !is_json_mode()
@@ -447,21 +446,9 @@ pub async fn handle_verify_attestation(
 
     let issuer_pk_bytes = hex::decode(issuer_pubkey_hex)
         .context("Invalid hex string provided for issuer public key")?;
+    let issuer_pk = bytes_to_device_public_key(&issuer_pk_bytes, "issuer")?;
 
-    let curve = match issuer_pk_bytes.len() {
-        32 => auths_crypto::CurveType::Ed25519,
-        33 | 65 => auths_crypto::CurveType::P256,
-        _ => {
-            return Err(anyhow!(
-                "Invalid issuer public key length: {}",
-                issuer_pk_bytes.len()
-            ));
-        }
-    };
-    auths_verifier::DevicePublicKey::try_new(curve, &issuer_pk_bytes)
-        .map_err(|e| anyhow!("Invalid issuer public key: {e}"))?;
-
-    match verify_with_keys(&att, &issuer_pk_bytes).await {
+    match verify_with_keys(&att, &issuer_pk).await {
         Ok(_) => {
             println!("Attestation verified successfully.");
             Ok(())

crates/auths-cli/src/commands/verify_commit.rs

@@ -455,7 +455,7 @@ async fn verify_bundle_chain(
         );
     }
 
-    let root_pk = match hex::decode(bundle.public_key_hex.as_str()) {
+    let root_pk_bytes = match hex::decode(bundle.public_key_hex.as_str()) {
         Ok(pk) => pk,
         Err(e) => {
             return (
@@ -465,6 +465,15 @@ async fn verify_bundle_chain(
             );
         }
     };
+    let root_pk = match auths_crypto::CurveType::from_public_key_len(root_pk_bytes.len())
+        .ok_or_else(|| format!("Invalid bundle public key length: {}", root_pk_bytes.len()))
+        .and_then(|curve| {
+            auths_verifier::DevicePublicKey::try_new(curve, &root_pk_bytes)
+                .map_err(|e| format!("Invalid bundle public key: {e}"))
+        }) {
+        Ok(pk) => pk,
+        Err(msg) => return (Some(false), None, vec![msg]),
+    };
 
     match verify_chain(&bundle.attestation_chain, &root_pk).await {
         Ok(report) => {
@@ -525,8 +534,12 @@ async fn verify_witnesses(
     if let Some(bundle) = bundle
         && !bundle.attestation_chain.is_empty()
     {
-        let root_pk = hex::decode(bundle.public_key_hex.as_str())
+        let root_pk_bytes = hex::decode(bundle.public_key_hex.as_str())
             .context("Invalid public key hex in bundle")?;
+        let curve = auths_crypto::CurveType::from_public_key_len(root_pk_bytes.len())
+            .ok_or_else(|| anyhow!("Invalid bundle public key length: {}", root_pk_bytes.len()))?;
+        let root_pk = auths_verifier::DevicePublicKey::try_new(curve, &root_pk_bytes)
+            .map_err(|e| anyhow!("Invalid bundle public key: {e}"))?;
 
         let report = verify_chain_with_witnesses(&bundle.attestation_chain, &root_pk, &config)
             .await

crates/auths-crypto/src/provider.rs

@@ -267,4 +267,22 @@ impl CurveType {
             Self::P256 => P256_SIGNATURE_LEN,
         }
     }
+
+    /// Infer the curve from a raw public key's byte length.
+    ///
+    /// Used only at external ingestion boundaries (FFI, WASM, CLI flags) where
+    /// the caller supplies raw bytes and no typed curve signal is available.
+    /// Returns `None` for lengths that do not match any supported curve.
+    ///
+    /// Accepts:
+    /// - 32 bytes → Ed25519
+    /// - 33 bytes → P-256 (compressed SEC1)
+    /// - 65 bytes → P-256 (uncompressed SEC1)
+    pub fn from_public_key_len(len: usize) -> Option<Self> {
+        match len {
+            ED25519_PUBLIC_KEY_LEN => Some(Self::Ed25519),
+            P256_PUBLIC_KEY_LEN | 65 => Some(Self::P256),
+            _ => None,
+        }
+    }
 }

crates/auths-id/tests/cases/lifecycle.rs

@@ -9,7 +9,14 @@ use auths_id::storage::git_refs::AttestationMetadata;
 use auths_id::storage::layout::StorageLayoutConfig;
 use auths_id::testing::fakes::FakeIdentityStorage;
 use auths_verifier::verify::{verify_at_time, verify_with_keys};
-use auths_verifier::{DeviceDID, VerificationStatus, verify_chain, verify_device_authorization};
+use auths_verifier::{
+    DeviceDID, DevicePublicKey, VerificationStatus, verify_chain, verify_device_authorization,
+};
+
+/// Wrap a raw Ed25519 public key (32 bytes) into a `DevicePublicKey` for tests.
+fn ed(pk: &[u8]) -> DevicePublicKey {
+    DevicePublicKey::try_new(auths_crypto::CurveType::Ed25519, pk).unwrap()
+}
 
 use chrono::Utc;
 use git2::Repository;
@@ -211,7 +218,7 @@ async fn test_full_identity_lifecycle() {
     );
 
     // 4. Verify the attestation with the identity's public key
-    verify_with_keys(&attestation, &identity_pk)
+    verify_with_keys(&attestation, &ed(&identity_pk))
         .await
         .expect("Attestation should verify");
 
@@ -221,7 +228,7 @@ async fn test_full_identity_lifecycle() {
     // 6. Verify OLD attestation still passes with historical key (sequence 0)
     let old_pk = resolve_identity_public_key_at_sequence(&repo_path, &identity_did, 0);
     assert_eq!(old_pk, identity_pk, "Historical key should match original");
-    verify_at_time(&attestation, &old_pk, attestation.timestamp.unwrap())
+    verify_at_time(&attestation, &ed(&old_pk), attestation.timestamp.unwrap())
         .await
         .expect("Old attestation should verify with historical key");
 
@@ -246,7 +253,7 @@ async fn test_full_identity_lifecycle() {
     );
 
     // 8. Verify new attestation with new public key
-    verify_with_keys(&new_attestation, &new_identity_pk)
+    verify_with_keys(&new_attestation, &ed(&new_identity_pk))
         .await
         .expect("New attestation should verify with rotated key");
 }
@@ -294,7 +301,7 @@ async fn test_attestation_chain_after_rotation() {
     );
 
     // Verify 2-link chain
-    let report = verify_chain(&[att1.clone(), att2], &identity_pk)
+    let report = verify_chain(&[att1.clone(), att2], &ed(&identity_pk))
         .await
         .expect("Chain verify failed");
     assert!(report.is_valid(), "Chain should be valid");
@@ -305,7 +312,7 @@ async fn test_attestation_chain_after_rotation() {
 
     // Verify the first link still works with historical key
     let old_pk = resolve_identity_public_key_at_sequence(&repo_path, &identity_did, 0);
-    verify_at_time(&att1, &old_pk, att1.timestamp.unwrap())
+    verify_at_time(&att1, &ed(&old_pk), att1.timestamp.unwrap())
         .await
         .expect("First chain link should still verify with historical key");
 }
@@ -341,7 +348,7 @@ async fn test_verify_device_authorization_lifecycle() {
         &identity_did,
         &device_did,
         std::slice::from_ref(&attestation),
-        &identity_pk,
+        &ed(&identity_pk),
     )
     .await
     .expect("verify_device_authorization failed");
@@ -351,10 +358,14 @@ async fn test_verify_device_authorization_lifecycle() {
     let mut revoked_att = attestation;
     revoked_att.revoked_at = Some(Utc::now());
 
-    let report =
-        verify_device_authorization(&identity_did, &device_did, &[revoked_att], &identity_pk)
-            .await
-            .expect("verify_device_authorization failed");
+    let report = verify_device_authorization(
+        &identity_did,
+        &device_did,
+        &[revoked_att],
+        &ed(&identity_pk),
+    )
+    .await
+    .expect("verify_device_authorization failed");
     assert!(
         !report.is_valid(),
         "Revoked device should not be authorized"
@@ -393,7 +404,7 @@ async fn test_multiple_rotations_maintain_verification() {
     );
 
     // Verify initial attestation
-    verify_with_keys(&original_attestation, &original_pk)
+    verify_with_keys(&original_attestation, &ed(&original_pk))
         .await
         .expect("Original attestation should verify");
 
@@ -407,7 +418,7 @@ async fn test_multiple_rotations_maintain_verification() {
     assert_eq!(historical_pk, original_pk);
     verify_at_time(
         &original_attestation,
-        &historical_pk,
+        &ed(&historical_pk),
         original_attestation.timestamp.unwrap(),
     )
     .await
@@ -434,7 +445,7 @@ async fn test_multiple_rotations_maintain_verification() {
     );
 
     // Verify new attestation with current key
-    verify_with_keys(&new_attestation, &current_pk)
+    verify_with_keys(&new_attestation, &ed(&current_pk))
         .await
         .expect("New attestation should verify with current key");
 }

crates/auths-sdk/tests/cases/ephemeral_signing.rs

@@ -175,10 +175,15 @@ fn tamper_commit_sha_breaks_signature() {
 
     // Extract the pubkey from the issuer DID for verification
     let issuer_did = att.issuer.as_str();
-    let pk = match auths_crypto::did_key_decode(issuer_did).expect("should resolve did:key") {
-        auths_crypto::DecodedDidKey::Ed25519(k) => k.to_vec(),
-        auths_crypto::DecodedDidKey::P256(k) => k,
-    };
+    let (pk_bytes, curve): (Vec<u8>, auths_crypto::CurveType) =
+        match auths_crypto::did_key_decode(issuer_did).expect("should resolve did:key") {
+            auths_crypto::DecodedDidKey::Ed25519(k) => {
+                (k.to_vec(), auths_crypto::CurveType::Ed25519)
+            }
+            auths_crypto::DecodedDidKey::P256(k) => (k, auths_crypto::CurveType::P256),
+        };
+    let pk =
+        auths_verifier::DevicePublicKey::try_new(curve, &pk_bytes).expect("valid device pubkey");
 
     // Verify the tampered attestation — should fail because signature covers commit_sha
     let rt = tokio::runtime::Runtime::new().unwrap();