Merge pull request #174 from auths-dev/dev-curveAgnosticism114

Dev curve agnosticism114

Author: bordumb

Cargo.lock

@@ -10,6 +10,19 @@ disallowed-methods = [
   { path = "auths_verifier::types::CanonicalDid::new_unchecked", reason = "Use CanonicalDid::parse() for external input. Use #[allow(clippy::disallowed_methods)] with INVARIANT comment for proven-safe paths.", allow-invalid = true },
   { path = "auths_verifier::core::CommitOid::new_unchecked", reason = "Use CommitOid::parse() for external input. Use #[allow(clippy::disallowed_methods)] with INVARIANT comment for proven-safe paths.", allow-invalid = true },
   { path = "auths_verifier::core::PublicKeyHex::new_unchecked", reason = "Use PublicKeyHex::parse() for external input. Use #[allow(clippy::disallowed_methods)] with INVARIANT comment for proven-safe paths.", allow-invalid = true },
+
+  # === Curve-agnostic refactor (fn-114) — ban Ed25519-hardcoded APIs ===
+  # Removed in fn-114.40 cleanup after all sweeps complete.
+  { path = "ring::signature::Ed25519KeyPair::from_pkcs8", reason = "use TypedSignerKey::from_pkcs8 — dispatches on curve.", allow-invalid = true },
+  { path = "ring::signature::Ed25519KeyPair::from_seed_unchecked", reason = "use auths_crypto::sign(&TypedSeed, msg).", allow-invalid = true },
+  { path = "ring::signature::Ed25519KeyPair::generate_pkcs8", reason = "use inception::generate_keypair_for_init(curve).", allow-invalid = true },
+  { path = "ring::signature::UnparsedPublicKey::new", reason = "use DevicePublicKey::verify — dispatches on curve.", allow-invalid = true },
+  { path = "auths_crypto::parse_ed25519_seed", reason = "use parse_key_material — returns TypedSeed.", allow-invalid = true },
+  { path = "auths_crypto::parse_ed25519_key_material", reason = "use parse_key_material — returns TypedSeed.", allow-invalid = true },
+  { path = "auths_core::crypto::provider_bridge::sign_ed25519_sync", reason = "use auths_crypto::sign(&TypedSeed, msg).", allow-invalid = true },
+  { path = "auths_core::crypto::provider_bridge::ed25519_public_key_from_seed_sync", reason = "use auths_crypto::public_key(&TypedSeed) or TypedSignerKey::public_key().", allow-invalid = true },
+  { path = "auths_crypto::did_key_to_ed25519", reason = "use did_key_decode — returns DecodedDidKey.", allow-invalid = true },
+  { path = "auths_id::identity::resolve::ed25519_to_did_key", reason = "use did_key_decode + DecodedDidKey::P256/Ed25519.", allow-invalid = true },
 ]
 allow-unwrap-in-tests = true
 allow-expect-in-tests = true

clippy.toml

@@ -18,4 +18,17 @@ disallowed-methods = [
   { path = "auths_verifier::types::CanonicalDid::new_unchecked", reason = "Use CanonicalDid::parse() for external input. Use #[allow(clippy::disallowed_methods)] with INVARIANT comment for proven-safe paths.", allow-invalid = true },
   { path = "auths_verifier::core::CommitOid::new_unchecked", reason = "Use CommitOid::parse() for external input. Use #[allow(clippy::disallowed_methods)] with INVARIANT comment for proven-safe paths.", allow-invalid = true },
   { path = "auths_verifier::core::PublicKeyHex::new_unchecked", reason = "Use PublicKeyHex::parse() for external input. Use #[allow(clippy::disallowed_methods)] with INVARIANT comment for proven-safe paths.", allow-invalid = true },
+
+  # === Curve-agnostic refactor (fn-114) — ban Ed25519-hardcoded APIs ===
+  # Removed in fn-114.40 cleanup after all sweeps complete.
+  { path = "ring::signature::Ed25519KeyPair::from_pkcs8", reason = "use TypedSignerKey::from_pkcs8 — dispatches on curve.", allow-invalid = true },
+  { path = "ring::signature::Ed25519KeyPair::from_seed_unchecked", reason = "use auths_crypto::sign(&TypedSeed, msg).", allow-invalid = true },
+  { path = "ring::signature::Ed25519KeyPair::generate_pkcs8", reason = "use inception::generate_keypair_for_init(curve).", allow-invalid = true },
+  { path = "ring::signature::UnparsedPublicKey::new", reason = "use DevicePublicKey::verify — dispatches on curve.", allow-invalid = true },
+  { path = "auths_crypto::parse_ed25519_seed", reason = "use parse_key_material — returns TypedSeed.", allow-invalid = true },
+  { path = "auths_crypto::parse_ed25519_key_material", reason = "use parse_key_material — returns TypedSeed.", allow-invalid = true },
+  { path = "auths_core::crypto::provider_bridge::sign_ed25519_sync", reason = "use auths_crypto::sign(&TypedSeed, msg).", allow-invalid = true },
+  { path = "auths_core::crypto::provider_bridge::ed25519_public_key_from_seed_sync", reason = "use auths_crypto::public_key(&TypedSeed) or TypedSignerKey::public_key().", allow-invalid = true },
+  { path = "auths_crypto::did_key_to_ed25519", reason = "use did_key_decode — returns DecodedDidKey.", allow-invalid = true },
+  { path = "auths_id::identity::resolve::ed25519_to_did_key", reason = "use did_key_decode + DecodedDidKey::P256/Ed25519.", allow-invalid = true },
 ]

crates/auths-cli/clippy.toml

@@ -1,4 +1,6 @@
 #![allow(clippy::print_stdout, clippy::print_stderr, clippy::exit)]
+// allow during curve-agnostic refactor
+#![allow(clippy::disallowed_methods)]
 //! auths-sign: Git SSH signing program compatible with `gpg.ssh.program`
 //!
 //! Git calls this binary with ssh-keygen compatible arguments:

crates/auths-cli/src/bin/sign.rs

@@ -1,3 +1,5 @@
+// allow during curve-agnostic refactor
+#![allow(clippy::disallowed_methods)]
 #![allow(clippy::print_stdout, clippy::print_stderr, clippy::exit)]
 //! auths-verify: SSH signature verification for Auths identities
 //!

crates/auths-cli/src/bin/verify.rs

@@ -345,23 +345,25 @@ pub fn handle_artifact(
                     None => bail!("--ci requires --commit <sha>. Pass the commit SHA explicitly."),
                 };
 
-                let ci_env = match detect_ci_environment() {
-                    Some(env) => env,
-                    None => match ci_platform.as_deref() {
-                        Some("local") => CiEnvironment {
-                            platform: CiPlatform::Local,
-                            workflow_ref: None,
-                            run_id: None,
-                            actor: None,
-                            runner_os: None,
-                        },
-                        Some(name) => CiEnvironment {
-                            platform: CiPlatform::Generic,
-                            workflow_ref: None,
-                            run_id: None,
-                            actor: None,
-                            runner_os: Some(name.to_string()),
-                        },
+                // Explicit --ci-platform takes precedence over auto-detection so
+                // tests can opt out of the CI runner's auto-detected platform.
+                let ci_env = match ci_platform.as_deref() {
+                    Some("local") => CiEnvironment {
+                        platform: CiPlatform::Local,
+                        workflow_ref: None,
+                        run_id: None,
+                        actor: None,
+                        runner_os: None,
+                    },
+                    Some(name) => CiEnvironment {
+                        platform: CiPlatform::Generic,
+                        workflow_ref: None,
+                        run_id: None,
+                        actor: None,
+                        runner_os: Some(name.to_string()),
+                    },
+                    None => match detect_ci_environment() {
+                        Some(env) => env,
                         None => bail!(
                             "No CI environment detected. If this is intentional (e.g., testing), \
                              pass --ci-platform local. Otherwise run inside GitHub Actions, \

crates/auths-cli/src/commands/artifact/mod.rs

@@ -491,8 +491,35 @@ fn list_devices(
             .last()
             .expect("Grouped attestations should not be empty");
 
-        let verification_result =
-            auths_sdk::attestation::verify_with_resolver(now, &resolver, latest, None);
+        // single verifier path via auths_verifier::verify_with_keys.
+        // Callers resolve the DID and pass the typed key directly.
+        let verification_result: Result<(), auths_verifier::AttestationError> = {
+            use auths_sdk::identity::DidResolver;
+            use auths_verifier::AttestationError;
+            match resolver.resolve(latest.issuer.as_str()) {
+                Ok(resolved) => {
+                    let pk_bytes: Vec<u8> = resolved.public_key_bytes().to_vec();
+                    match auths_verifier::decode_public_key_bytes(&pk_bytes) {
+                        Ok(issuer_pk) => {
+                            #[allow(clippy::expect_used)]
+                            let rt = tokio::runtime::Builder::new_current_thread()
+                                .enable_all()
+                                .build()
+                                .expect("tokio runtime");
+                            rt.block_on(auths_verifier::verify_with_keys(latest, &issuer_pk))
+                                .map(|_| ())
+                        }
+                        Err(e) => Err(AttestationError::DidResolutionError(format!(
+                            "invalid issuer key: {e}"
+                        ))),
+                    }
+                }
+                Err(e) => Err(AttestationError::DidResolutionError(format!(
+                    "Resolver error for {}: {}",
+                    latest.issuer, e
+                ))),
+            }
+        };
 
         let status_string = match verification_result {
             Ok(()) => {

crates/auths-cli/src/commands/device/authorization.rs

@@ -235,6 +235,7 @@ fn resolve_issuer_key(
             let pin = PinnedIdentity {
                 did: did.to_string(),
                 public_key_hex: root.public_key_hex.clone(),
+                curve: root.curve,
                 kel_tip_said: root.kel_tip_said.clone(),
                 kel_sequence: None,
                 first_seen: now,

crates/auths-cli/src/commands/device/verify_attestation.rs

@@ -9,7 +9,7 @@ use serde_json;
 use std::fs;
 use std::path::PathBuf;
 
-use auths_sdk::attestation::{AttestationGroup, AttestationSink, verify_with_resolver};
+use auths_sdk::attestation::{AttestationGroup, AttestationSink};
 use auths_sdk::identity::DefaultDidResolver;
 use auths_sdk::keychain::{KeyAlias, get_platform_keychain};
 use auths_sdk::ports::{AttestationMetadata, AttestationSource, IdentityStorage};
@@ -194,6 +194,36 @@ pub enum OrgSubcommand {
     },
 }
 
+/// single-verifier helper. Resolves the issuer DID,
+/// constructs a typed `DevicePublicKey`, and calls `auths_verifier::verify_with_keys`.
+/// Returns one of: "✅ valid", "🛑 revoked", "⌛ expired", "❌ invalid".
+fn verify_attestation_via_resolver(
+    att: &auths_verifier::Attestation,
+    resolver: &auths_sdk::identity::DefaultDidResolver,
+) -> &'static str {
+    use auths_sdk::identity::DidResolver;
+    let resolved = match resolver.resolve(att.issuer.as_str()) {
+        Ok(r) => r,
+        Err(_) => return "❌ invalid",
+    };
+    let pk_bytes: Vec<u8> = resolved.public_key_bytes().to_vec();
+    let issuer_pk = match auths_verifier::decode_public_key_bytes(&pk_bytes) {
+        Ok(pk) => pk,
+        Err(_) => return "❌ invalid",
+    };
+    #[allow(clippy::expect_used)]
+    let rt = tokio::runtime::Builder::new_current_thread()
+        .enable_all()
+        .build()
+        .expect("tokio runtime");
+    match rt.block_on(auths_verifier::verify_with_keys(att, &issuer_pk)) {
+        Ok(_) => "✅ valid",
+        Err(e) if e.to_string().contains("revoked") => "🛑 revoked",
+        Err(e) if e.to_string().contains("expired") => "⌛ expired",
+        Err(_) => "❌ invalid",
+    }
+}
+
 /// Handles `org` commands for issuing or revoking member authorizations.
 pub fn handle_org(
     cmd: OrgCommand,
@@ -589,12 +619,7 @@ pub fn handle_org(
                         continue;
                     }
 
-                    let status = match verify_with_resolver(now, &resolver, att, None) {
-                        Ok(_) => "✅ valid",
-                        Err(e) if e.to_string().contains("revoked") => "🛑 revoked",
-                        Err(e) if e.to_string().contains("expired") => "⌛ expired",
-                        Err(_) => "❌ invalid",
-                    };
+                    let status = verify_attestation_via_resolver(att, &resolver);
 
                     println!("{i}. [{}] @ {}", status, att.timestamp.unwrap_or(now));
                     if let Some(note) = &att.note {
@@ -626,12 +651,7 @@ pub fn handle_org(
                     continue;
                 }
 
-                let status = match verify_with_resolver(now, &resolver, latest, None) {
-                    Ok(_) => "✅ valid",
-                    Err(e) if e.to_string().contains("revoked") => "🛑 revoked",
-                    Err(e) if e.to_string().contains("expired") => "⌛ expired",
-                    Err(_) => "❌ invalid",
-                };
+                let status = verify_attestation_via_resolver(latest, &resolver);
 
                 println!("- {} [{}]", subject, status);
             }

crates/auths-cli/src/commands/org.rs

@@ -195,7 +195,13 @@ fn handle_pin(cmd: TrustPinCommand, now: DateTime<Utc>) -> Result<()> {
 
     let pin = PinnedIdentity {
         did: cmd.did.clone(),
-        public_key_hex,
+        public_key_hex: public_key_hex.clone(),
+        curve: auths_crypto::CurveType::from_public_key_len(
+            hex::decode(public_key_hex.as_str())
+                .map(|b| b.len())
+                .unwrap_or(0),
+        )
+        .unwrap_or(auths_crypto::CurveType::Ed25519),
         kel_tip_said: cmd.kel_tip,
         kel_sequence: None,
         first_seen: now,