feat: Attested Signatures + UCAN Principal Clarification#7
Conversation
1a8e384 to
12d7455
Compare
Call libforge's reusable go-workspace-test workflow so PRs that share a branch name with sibling repos are tested against those siblings' branches. Add a `test` target (`go test ./...`) so the workspace job has a single, repo-owned test command to run. Unit tests only — the Docker-backed e2e suite stays gated behind the `e2e` tag in its own workflow. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
03f95a9 to
a98e670
Compare
* `multikey` and `absentee` go up a level to the root. * `verification.NewIssuer()` is gone; we can use `multikey.NewIssuer()` in every case we have. * The verifier factory types move `validator`. They're not inherent to *validation*, they're just used to configure the validator.
a98e670 to
17d4d3d
Compare
|
Copilot added some changes to fix a build issue. @frrist, can you take a look at those two commits and see if they make any sense? It looks like the wrong way to solve this to me, but I don't have enough context in my head to understand where the right change should be. Copilot's change description follows: The e2e CI job ( FixPinned The pin comment describes what needs to be fixed upstream: piri's DI wiring needs to be updated to use |
|
@Peeja the issue here requires a fix in Piri, I think. I believe fil-forge/piri#18 broke the |
Update libforge from eb26d871 (the commit just before the fix) to 2b55dbcf, which is fil-forge/libforge#43 "verify attested signatures from did:web authorities". This is the fix for the post–Attested-Signatures `guppy login` failure the e2e suite hit: `/access/claim` rejected the did:mailto account delegation with `InvalidSignature` ("did:web:upload: signature mismatch") because the attestation verifier re-resolved the did:web authority with the default did:key-only resolver. libforge#43 verifies the attestation invocation with the already-resolved authority verifier. The login-path verifier is sprue (upload), whose :main image already carries this libforge version (sprue@41a47b0c). Bumping smelt's own module keeps the unit/workspace tests building against the same libforge. This supersedes the two reverted Copilot commits, which misdiagnosed the failure as a piri fx dependency-injection regression and pinned the piri image to an old digest — a workaround that did not fix the e2e (the run failed at login, before piri is ever exercised). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_017yUxrDH8gWAA4ufwzuq657
sprue's S3 agent store now defaults storage.s3.use_path_style to false (virtual-hosted addressing: <bucket>.minio:9000), which does not resolve on the compose network — the upload service crashes at startup with `creating S3 bucket "agent-message": ... Put "http://agent-message.minio:9000/": dial tcp: lookup agent-message.minio ... no such host` (upload hook exits 137). MinIO only serves path-style requests (minio:9000/<bucket>), so set storage.s3.use_path_style: true in the upload config. This regression is unrelated to the attested-signature work; it surfaced because bumping to a current sprue:main image pulled in sprue's newer S3 addressing defaults. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_017yUxrDH8gWAA4ufwzuq657
e43f95d to
a91d686
Compare
|
fil-forge/piri#29 and fil-forge/indexing-service#8 landing should make this go green. 🤞🏻 |
Handoff — one step left to get this green (cc @frrist)Petra had to step away, so Forrest this is yours to land. Summary of where things are and the single remaining step. Done & merged
Verified via E2EDispatching The one remaining blocker: the delegator's DID documentLatest run (28686738331) still fails at The "or v1" wording confirms the rebuilt I couldn't do this one myself — Steps to finish
Every 🤖 Generated with Claude Code Generated by Claude Code |
See fil-forge/ucantone#30