From 567ee199c486db5b6a358ed67fa56294a2699592 Mon Sep 17 00:00:00 2001 From: bordumb Date: Fri, 27 Mar 2026 03:10:44 -0700 Subject: [PATCH] refactor: rename key aliases --- .github/workflows/release.yml | 2 +- crates/auths-cli/src/commands/artifact/mod.rs | 38 ++++++------- .../auths-cli/src/commands/artifact/sign.rs | 9 ++- .../src/commands/device/authorization.rs | 55 ++++++++----------- crates/auths-cli/src/commands/emergency.rs | 10 ++-- crates/auths-cli/src/commands/key_detect.rs | 2 +- crates/auths-cli/src/commands/namespace.rs | 22 ++++---- crates/auths-cli/src/commands/org.rs | 34 ++++++------ crates/auths-cli/src/commands/sign.rs | 8 +-- crates/auths-cli/tests/cases/revocation.rs | 2 +- crates/xtask/src/ci_setup.rs | 6 +- docs/cli/commands/advanced.md | 24 ++++---- docs/cli/commands/primary.md | 4 +- docs/guides/git/team-workflows.md | 2 +- docs/guides/identity/backup-and-recovery.md | 2 +- docs/guides/identity/multi-device.md | 10 ++-- docs/guides/identity/profiles.md | 2 +- docs/guides/platforms/ci-cd.md | 4 +- docs/guides/platforms/radicle.md | 6 +- docs/smoketests/end_to_end.py | 6 +- scripts/.github/workflows/release.yml | 2 +- scripts/auths_workflows/artifact_signing.py | 8 +-- scripts/radicle-e2e.sh | 12 ++-- tests/e2e/test_device_attestation.py | 6 +- tests/e2e/test_key_rotation.py | 4 +- 25 files changed, 134 insertions(+), 146 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 040cd029..132c3c06 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -129,7 +129,7 @@ jobs: fi auths artifact sign ${{ matrix.asset_name }}${{ matrix.ext }} \ - --device-key-alias ci-release-device \ + --device-key ci-release-device \ --note "GitHub Actions release — ${{ github.ref_name }}" \ --repo /tmp/auths-identity diff --git a/crates/auths-cli/src/commands/artifact/mod.rs b/crates/auths-cli/src/commands/artifact/mod.rs index 0303c104..c6e27a84 100644 
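Review bot: The `--note` argument of this signing step expands `${{ github.ref_name }}` directly inside the `run:` script, so the ref name is pasted into the shell text before the shell parses it. A ref name can contain characters the shell interprets, and this step runs with the CI signing identity at `/tmp/auths-identity` in reach. Pass the value through the step environment instead: `env: REF_NAME: ${{ github.ref_name }}` and `--note "GitHub Actions release — $REF_NAME"`. The same line appears in the `scripts/.github/workflows/release.yml` hunk, and the step itself starts outside this hunk.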
--- a/crates/auths-cli/src/commands/artifact/mod.rs +++ b/crates/auths-cli/src/commands/artifact/mod.rs @@ -34,19 +34,17 @@ pub enum ArtifactSubcommand { /// Local alias of the identity key (used for signing). Omit for CI device-only signing. #[arg( long, - visible_alias = "ika", help = "Local alias of the identity key. Omit for device-only CI signing." )] - identity_key_alias: Option, + key: Option, /// Local alias of the device key (used for dual-signing). /// Auto-detected when only one key exists for the identity. #[arg( long, - visible_alias = "dka", help = "Local alias of the device key. Auto-detected when only one key exists." )] - device_key_alias: Option, + device_key: Option, /// Duration in seconds until expiration (per RFC 6749). #[arg(long = "expires-in", value_name = "N")] @@ -78,12 +76,12 @@ pub enum ArtifactSubcommand { registry: String, /// Local alias of the identity key. Omit for device-only CI signing. - #[arg(long, visible_alias = "ika")] - identity_key_alias: Option, + #[arg(long)] + key: Option, /// Local alias of the device key. Auto-detected when only one key exists. - #[arg(long, visible_alias = "dka")] - device_key_alias: Option, + #[arg(long)] + device_key: Option, /// Duration in seconds until expiration. #[arg(long = "expires-in", value_name = "N")] @@ -133,12 +131,12 @@ pub fn handle_artifact( ArtifactSubcommand::Sign { file, sig_output, - identity_key_alias, - device_key_alias, + key, + device_key, expires_in, note, } => { - let resolved_alias = match device_key_alias { + let resolved_alias = match device_key { Some(alias) => alias, None => crate::commands::key_detect::auto_detect_device_key( repo_opt.as_deref(), @@ -148,7 +146,7 @@ pub fn handle_artifact( sign::handle_sign( &file, sig_output, - identity_key_alias.as_deref(), + key.as_deref(), &resolved_alias, expires_in, note, 
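Review bot: The `Sign` and `Publish` arguments drop `--identity-key-alias`/`--device-key-alias` and the `--ika`/`--dka` short forms without leaving a compatibility alias, so any pinned workflow or runbook that still passes the old spelling will be rejected at argument parsing. A hidden alias keeps them working through a deprecation window: `#[arg(long, alias = "identity-key-alias")]` on `key` and `#[arg(long, alias = "device-key-alias")]` on `device_key`. The same applies to the renamed flags in `device/authorization.rs`, `namespace.rs`, `org.rs` and `sign.rs`, and above all in `emergency.rs`, where `revoke-device` is the command someone reaches for during a key compromise. The enum and `handle_artifact` both continue outside these hunks.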
@@ -162,8 +160,8 @@ pub fn handle_artifact( signature, package, registry, - identity_key_alias, - device_key_alias, + key, + device_key, expires_in, note, } => { @@ -174,7 +172,7 @@ pub fn handle_artifact( if default_sig.exists() { default_sig } else { - let resolved_alias = match device_key_alias { + let resolved_alias = match device_key { Some(alias) => alias, None => crate::commands::key_detect::auto_detect_device_key( repo_opt.as_deref(), @@ -184,7 +182,7 @@ pub fn handle_artifact( sign::handle_sign( artifact, None, - identity_key_alias.as_deref(), + key.as_deref(), &resolved_alias, expires_in, note, @@ -348,14 +346,14 @@ mod tests { .unwrap(); match cli.command { ArtifactSubcommand::Publish { - identity_key_alias, - device_key_alias, + key, + device_key, expires_in, note, .. } => { - assert_eq!(identity_key_alias.as_deref(), Some("main")); - assert_eq!(device_key_alias.as_deref(), Some("device-1")); + assert_eq!(key.as_deref(), Some("main")); + assert_eq!(device_key.as_deref(), Some("device-1")); assert_eq!(expires_in, Some(3600)); assert_eq!(note.as_deref(), Some("release build")); } diff --git a/crates/auths-cli/src/commands/artifact/sign.rs b/crates/auths-cli/src/commands/artifact/sign.rs index 2e1a07b7..6d164b02 100644 --- a/crates/auths-cli/src/commands/artifact/sign.rs +++ b/crates/auths-cli/src/commands/artifact/sign.rs @@ -15,8 +15,8 @@ use crate::factories::storage::build_auths_context; pub fn handle_sign( file: &Path, output: Option, - identity_key_alias: Option<&str>, - device_key_alias: &str, + key: Option<&str>, + device_key: &str, expires_in: Option, note: Option, repo_opt: Option, 
@@ -29,9 +29,8 @@ pub fn handle_sign( let params = ArtifactSigningParams { artifact: Arc::new(FileArtifact::new(file)), - identity_key: identity_key_alias - .map(|a| SigningKeyMaterial::Alias(KeyAlias::new_unchecked(a))), - device_key: SigningKeyMaterial::Alias(KeyAlias::new_unchecked(device_key_alias)), + identity_key: key.map(|a| SigningKeyMaterial::Alias(KeyAlias::new_unchecked(a))), + device_key: SigningKeyMaterial::Alias(KeyAlias::new_unchecked(device_key)), expires_in, note, }; diff --git a/crates/auths-cli/src/commands/device/authorization.rs b/crates/auths-cli/src/commands/device/authorization.rs index 75bb15e4..ddc5b894 100644 --- a/crates/auths-cli/src/commands/device/authorization.rs +++ b/crates/auths-cli/src/commands/device/authorization.rs @@ -62,24 +62,19 @@ pub enum DeviceSubcommand { /// Authorize a new device to act on behalf of the identity. #[command(visible_alias = "add")] Link { - #[arg( - long, - visible_alias = "ika", - help = "Local alias of the *identity's* key (used for signing)." - )] - identity_key_alias: String, + #[arg(long, help = "Local alias of the *identity's* key (used for signing).")] + key: String, #[arg( long, - visible_alias = "dka", help = "Local alias of the *new device's* key (must be imported first)." )] - device_key_alias: String, + device_key: String, #[arg( long, visible_alias = "device", - help = "Identity ID of the new device being authorized (must match device-key-alias)." + help = "Identity ID of the new device being authorized (must match --device-key)." )] device_did: String, @@ -132,7 +127,7 @@ pub enum DeviceSubcommand { long, help = "Local alias of the *identity's* key (required to authorize revocation)." )] - identity_key_alias: String, + key: String, #[arg(long, help = "Optional note explaining the revocation.")] note: Option, 
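Review bot: In `handle_sign` the raw `--key` and `--device-key` strings go straight into `KeyAlias::new_unchecked`, with no visible validation and no justification comment. Elsewhere in this patch, `handle_extend` in `device/authorization.rs` marks its unchecked device-DID construction with `#[allow(clippy::disallowed_methods)]` and an `// INVARIANT:` comment, so the project appears to expect each unchecked construction to be justified. If `KeyAlias` offers a validating constructor, prefer it for CLI input; otherwise add a comment such as `// INVARIANT: alias comes from a CLI flag; the keychain lookup rejects unknown aliases` once that is confirmed. The same pattern recurs for `key`/`device_key` in the `Link`, `Revoke` and `Extend` handlers.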
@@ -176,18 +171,16 @@ pub enum DeviceSubcommand { expires_in: u64, #[arg( - long = "identity-key-alias", - visible_alias = "ika", + long, help = "Local alias of the *identity's* key (required for re-signing)." )] - identity_key_alias: String, + key: String, #[arg( - long = "device-key-alias", - visible_alias = "dka", + long, help = "Local alias of the *device's* key (required for re-signing)." )] - device_key_alias: String, + device_key: String, }, } @@ -231,8 +224,8 @@ pub fn handle_device( rt.block_on(super::verify_attestation::handle_verify(verify_cmd)) } DeviceSubcommand::Link { - identity_key_alias, - device_key_alias, + key, + device_key, device_did, payload: payload_path_opt, schema: schema_path_opt, @@ -250,8 +243,8 @@ pub fn handle_device( .collect(); let link_config = auths_sdk::types::DeviceLinkConfig { - identity_key_alias: KeyAlias::new_unchecked(identity_key_alias), - device_key_alias: Some(KeyAlias::new_unchecked(device_key_alias)), + identity_key_alias: KeyAlias::new_unchecked(key), + device_key_alias: Some(KeyAlias::new_unchecked(device_key)), device_did: Some(device_did.clone()), capabilities: caps, expires_in, @@ -279,12 +272,12 @@ pub fn handle_device( DeviceSubcommand::Revoke { device_did, - identity_key_alias, + key, note, dry_run, } => { if dry_run { - return display_dry_run_revoke(&device_did, &identity_key_alias); + return display_dry_run_revoke(&device_did, &key); } let ctx = build_auths_context( @@ -293,7 +286,7 @@ pub fn handle_device( Some(Arc::clone(&passphrase_provider)), )?; - let identity_key_alias = KeyAlias::new_unchecked(identity_key_alias); + let identity_key_alias = KeyAlias::new_unchecked(key); auths_sdk::device::revoke_device( &device_did, &identity_key_alias, 
@@ -309,15 +302,15 @@ pub fn handle_device( DeviceSubcommand::Extend { device_did, expires_in, - identity_key_alias, - device_key_alias, + key, + device_key, } => handle_extend( &repo_path, &config, &device_did, expires_in, - &identity_key_alias, - &device_key_alias, + &key, + &device_key, passphrase_provider, env_config, ), @@ -428,8 +421,8 @@ fn handle_extend( _config: &StorageLayoutConfig, device_did: &str, expires_in: u64, - identity_key_alias: &str, - device_key_alias: &str, + key: &str, + device_key: &str, passphrase_provider: Arc, env_config: &EnvironmentConfig, ) -> Result<()> { @@ -438,8 +431,8 @@ fn handle_extend( #[allow(clippy::disallowed_methods)] // INVARIANT: device_did from CLI arg validated upstream device_did: auths_verifier::types::DeviceDID::new_unchecked(device_did), expires_in, - identity_key_alias: KeyAlias::new_unchecked(identity_key_alias), - device_key_alias: Some(KeyAlias::new_unchecked(device_key_alias)), + identity_key_alias: KeyAlias::new_unchecked(key), + device_key_alias: Some(KeyAlias::new_unchecked(device_key)), }; let ctx = build_auths_context(repo_path, env_config, Some(passphrase_provider))?; diff --git a/crates/auths-cli/src/commands/emergency.rs b/crates/auths-cli/src/commands/emergency.rs index 227d8150..b61edcb6 100644 --- a/crates/auths-cli/src/commands/emergency.rs +++ b/crates/auths-cli/src/commands/emergency.rs @@ -52,7 +52,7 @@ pub struct RevokeDeviceCommand { /// Local alias of the identity's key (used for signing the revocation). #[arg(long)] - pub identity_key_alias: Option, + pub key: Option, /// Optional note explaining the revocation. #[arg(long)] @@ -229,7 +229,7 @@ fn handle_interactive_flow(ctx: &crate::config::CliConfig) -> Result<()> { handle_revoke_device( RevokeDeviceCommand { device: None, - identity_key_alias: None, + key: None, note: None, yes: false, dry_run: false, 
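Review bot: `handle_extend` now takes `key: &str` and `device_key: &str` side by side, and inside the function `key` is what fills `identity_key_alias`; the bare name no longer says which key role it is. Because both are `&str`, transposing them at the call site still compiles and would hand the SDK the two aliases with their roles reversed. Keeping the internal parameter as `identity_key` (the flag can stay `--key`), or adding `/// key: alias of the identity key; device_key: alias of the device key` above the function, makes the roles explicit. The same naming applies to `handle_sign` in `artifact/sign.rs`, and the function body runs past the end of this hunk.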
@@ -321,16 +321,14 @@ fn handle_revoke_device( }; // Get identity key alias - let identity_key_alias = if let Some(alias) = cmd.identity_key_alias { + let identity_key_alias = if let Some(alias) = cmd.key { alias } else if std::io::stdin().is_terminal() { Input::new() .with_prompt("Enter identity key alias") .interact_text()? } else { - return Err(anyhow!( - "--identity-key-alias is required in non-interactive mode" - )); + return Err(anyhow!("--key is required in non-interactive mode")); }; out.println(&format!("Device to revoke: {}", out.info(&device_did))); diff --git a/crates/auths-cli/src/commands/key_detect.rs b/crates/auths-cli/src/commands/key_detect.rs index 0f204341..35b79b29 100644 --- a/crates/auths-cli/src/commands/key_detect.rs +++ b/crates/auths-cli/src/commands/key_detect.rs @@ -79,7 +79,7 @@ pub fn auto_detect_device_key( } else { let alias_list: Vec<&str> = signing_aliases.iter().map(|a| a.as_str()).collect(); Err(anyhow!( - "Multiple device keys found. Specify with --device-key-alias.\n\n\ + "Multiple device keys found. Specify with --device-key.\n\n\ Available aliases: {}", alias_list.join(", ") )) diff --git a/crates/auths-cli/src/commands/namespace.rs b/crates/auths-cli/src/commands/namespace.rs index 4e66846f..7eed177a 100644 --- a/crates/auths-cli/src/commands/namespace.rs +++ b/crates/auths-cli/src/commands/namespace.rs @@ -51,7 +51,7 @@ pub enum NamespaceSubcommand { /// Alias of the signing key in keychain #[arg(long)] - signer_alias: Option, + key: Option, }, /// Delegate namespace authority to another identity @@ -74,7 +74,7 @@ pub enum NamespaceSubcommand { /// Alias of the signing key in keychain #[arg(long)] - signer_alias: Option, + key: Option, }, /// Transfer namespace ownership to another identity @@ -97,7 +97,7 @@ pub enum NamespaceSubcommand { /// Alias of the signing key in keychain #[arg(long)] - signer_alias: Option, + key: Option, }, /// Look up namespace information 
@@ -129,7 +129,7 @@ fn resolve_registry_url(registry_url: Option) -> String { fn load_identity_and_alias( ctx: &CliConfig, - signer_alias: Option, + key: Option, ) -> Result<(auths_verifier::types::IdentityDID, KeyAlias)> { let repo_path = layout::resolve_repo_path(ctx.repo_path.clone())?; let identity_storage = RegistryIdentityStorage::new(repo_path); @@ -139,7 +139,7 @@ fn load_identity_and_alias( let controller_did = managed_identity.controller_did; - let alias_str = signer_alias.unwrap_or_else(|| { + let alias_str = key.unwrap_or_else(|| { let prefix = controller_did .as_str() .strip_prefix("did:keri:") @@ -193,10 +193,10 @@ pub fn handle_namespace(cmd: NamespaceCommand, ctx: &CliConfig) -> Result<()> { ecosystem, package_name, registry_url, - signer_alias, + key, } => { let registry_url = resolve_registry_url(registry_url); - let (controller_did, key_alias) = load_identity_and_alias(ctx, signer_alias)?; + let (controller_did, key_alias) = load_identity_and_alias(ctx, key)?; let signer = StorageSigner::new(get_platform_keychain()?); let passphrase_provider = ctx.passphrase_provider.clone(); @@ -349,10 +349,10 @@ pub fn handle_namespace(cmd: NamespaceCommand, ctx: &CliConfig) -> Result<()> { package_name, delegate_did, registry_url, - signer_alias, + key, } => { let registry_url = resolve_registry_url(registry_url); - let (controller_did, key_alias) = load_identity_and_alias(ctx, signer_alias)?; + let (controller_did, key_alias) = load_identity_and_alias(ctx, key)?; let signer = StorageSigner::new(get_platform_keychain()?); let passphrase_provider = ctx.passphrase_provider.clone(); 
@@ -392,10 +392,10 @@ pub fn handle_namespace(cmd: NamespaceCommand, ctx: &CliConfig) -> Result<()> { package_name, new_owner_did, registry_url, - signer_alias, + key, } => { let registry_url = resolve_registry_url(registry_url); - let (controller_did, key_alias) = load_identity_and_alias(ctx, signer_alias)?; + let (controller_did, key_alias) = load_identity_and_alias(ctx, key)?; let signer = StorageSigner::new(get_platform_keychain()?); let passphrase_provider = ctx.passphrase_provider.clone(); diff --git a/crates/auths-cli/src/commands/org.rs b/crates/auths-cli/src/commands/org.rs index 8749750f..f64e7d85 100644 --- a/crates/auths-cli/src/commands/org.rs +++ b/crates/auths-cli/src/commands/org.rs @@ -77,7 +77,7 @@ pub enum OrgSubcommand { /// Alias for the local signing key (auto-generated if not provided) #[arg(long)] - local_key_alias: Option, + key: Option, /// Optional metadata file (if provided, merged with org metadata) #[arg(long)] @@ -93,7 +93,7 @@ pub enum OrgSubcommand { #[arg(long)] expires_at: Option, #[arg(long)] - signer_alias: Option, + key: Option, }, Revoke { #[arg(long = "subject-did", visible_alias = "subject")] @@ -101,7 +101,7 @@ pub enum OrgSubcommand { #[arg(long)] note: Option, #[arg(long)] - signer_alias: Option, + key: Option, }, Show { #[arg(long = "subject-did", visible_alias = "subject")] @@ -133,7 +133,7 @@ pub enum OrgSubcommand { /// Alias of the signing key in keychain #[arg(long)] - signer_alias: Option, + key: Option, /// Optional note for the authorization #[arg(long)] @@ -156,7 +156,7 @@ pub enum OrgSubcommand { /// Alias of the signing key in keychain #[arg(long)] - signer_alias: Option, + key: Option, /// Preview actions without making changes. #[arg(long)] 
@@ -215,11 +215,11 @@ pub fn handle_org( match cmd.subcommand { OrgSubcommand::Create { name, - local_key_alias, + key, metadata_file, } => { // Generate a key alias if not provided - let key_alias = local_key_alias.unwrap_or_else(|| { + let key_alias = key.unwrap_or_else(|| { format!( "org-{}", name.chars() @@ -408,10 +408,10 @@ pub fn handle_org( payload_file, // Path to the JSON payload note, // Optional note (String) expires_at, // Optional RFC3339 expiration string - signer_alias, // Alias of the org's signing key in keychain + key, // Alias of the org's signing key in keychain } => { - let signer_alias = signer_alias - .ok_or_else(|| anyhow!("Signer key alias must be provided with --signer-alias"))?; + let signer_alias = + key.ok_or_else(|| anyhow!("Signer key alias must be provided with --key"))?; let signer_alias = KeyAlias::new_unchecked(signer_alias); let identity_storage = RegistryIdentityStorage::new(repo_path.clone()); @@ -503,7 +503,7 @@ pub fn handle_org( OrgSubcommand::Revoke { subject_did, note, - signer_alias, + key, } => { println!("🛑 Revoking org authorization for subject: {subject_did}"); println!(" Using Repository: {:?}", repo_path); @@ -513,8 +513,8 @@ pub fn handle_org( config.device_attestation_prefix ); - let signer_alias = signer_alias - .ok_or_else(|| anyhow!("Signer key alias must be provided for revocation"))?; + let signer_alias = + key.ok_or_else(|| anyhow!("Signer key alias must be provided for revocation"))?; let signer_alias = KeyAlias::new_unchecked(signer_alias); let identity_storage = RegistryIdentityStorage::new(repo_path.clone()); @@ -649,7 +649,7 @@ pub fn handle_org( member_did: member, role: cli_role, capabilities, - signer_alias, + key, note, } => { let role = Role::from(cli_role); 
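Review bot: The `Revoke` arm's error, `"Signer key alias must be provided for revocation"`, does not name the flag, while the arm that takes `payload_file` now says `... with --key`. In both arms `--key` is declared optional but required at run time, so the message is the only place the user learns which flag is missing. Make the revoke message match: `anyhow!("Signer key alias must be provided with --key")`. `handle_org` continues outside these hunks.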
@@ -658,7 +658,7 @@ pub fn handle_org( println!(" Member: {}", member); println!(" Role: {}", role); - let signer_alias = KeyAlias::new_unchecked(signer_alias.unwrap_or_else(|| { + let signer_alias = KeyAlias::new_unchecked(key.unwrap_or_else(|| { format!( "org-{}", org.chars() @@ -757,14 +757,14 @@ pub fn handle_org( org, member_did: member, note, - signer_alias, + key, dry_run, } => { println!("🛑 Revoking member from organization..."); println!(" Org: {}", org); println!(" Member: {}", member); - let signer_alias = KeyAlias::new_unchecked(signer_alias.unwrap_or_else(|| { + let signer_alias = KeyAlias::new_unchecked(key.unwrap_or_else(|| { format!( "org-{}", org.chars() diff --git a/crates/auths-cli/src/commands/sign.rs b/crates/auths-cli/src/commands/sign.rs index a0cfa7ab..84724381 100644 --- a/crates/auths-cli/src/commands/sign.rs +++ b/crates/auths-cli/src/commands/sign.rs @@ -101,11 +101,11 @@ pub struct SignCommand { /// Local alias of the identity key (for artifact signing). #[arg(long)] - pub identity_key_alias: Option, + pub key: Option, /// Local alias of the device key (for artifact signing, required for files). #[arg(long)] - pub device_key_alias: Option, + pub device_key: Option, /// Duration in seconds until expiration (per RFC 6749). #[arg(long = "expires-in", value_name = "N")] @@ -130,14 +130,14 @@ pub fn handle_sign_unified( ) -> Result<()> { match parse_sign_target(&cmd.target) { SignTarget::Artifact(path) => { - let device_key_alias = match cmd.device_key_alias.as_deref() { + let device_key_alias = match cmd.device_key.as_deref() { Some(alias) => alias.to_string(), None => super::key_detect::auto_detect_device_key(repo_opt.as_deref(), env_config)?, }; handle_artifact_sign( &path, cmd.sig_output, - cmd.identity_key_alias.as_deref(), + cmd.key.as_deref(), &device_key_alias, cmd.expires_in, cmd.note, diff --git a/crates/auths-cli/tests/cases/revocation.rs b/crates/auths-cli/tests/cases/revocation.rs index f9793b77..b70f8fef 100644 
--- a/crates/auths-cli/tests/cases/revocation.rs +++ b/crates/auths-cli/tests/cases/revocation.rs @@ -73,7 +73,7 @@ fn test_emergency_revoke_device() { "revoke-device", "--device", &device_did, - "--identity-key-alias", + "--key", "main", "--yes", ]) diff --git a/crates/xtask/src/ci_setup.rs b/crates/xtask/src/ci_setup.rs index 08847adc..783904d2 100644 --- a/crates/xtask/src/ci_setup.rs +++ b/crates/xtask/src/ci_setup.rs @@ -189,9 +189,9 @@ pub fn run() -> Result<()> { &[ "device", "link", - "--identity-key-alias", + "--key", &identity_key_alias, - "--device-key-alias", + "--device-key", "ci-release-device", "--device-did", &device_did, @@ -252,7 +252,7 @@ pub fn run() -> Result<()> { println!(); println!("\x1b[1mTo revoke CI access at any time:\x1b[0m"); - println!(" \x1b[0;36mauths device revoke --device-did {device_did} --identity-key-alias {identity_key_alias}\x1b[0m"); + println!(" \x1b[0;36mauths device revoke --device-did {device_did} --key {identity_key_alias}\x1b[0m"); println!(); Ok(()) diff --git a/docs/cli/commands/advanced.md b/docs/cli/commands/advanced.md index 205b1882..be9e75b1 100644 --- a/docs/cli/commands/advanced.md +++ b/docs/cli/commands/advanced.md 
@@ -13,9 +13,9 @@ Authorize a new device to act on behalf of the identity | Flag | Default | Description | |------|---------|-------------| -| `--identity-key-alias ` | — | Local alias of the *identity's* key (used for signing). [aliases: --ika] | -| `--device-key-alias ` | — | Local alias of the *new device's* key (must be imported first). [aliases: --dka] | -| `--device-did ` | — | Identity ID of the new device being authorized (must match device-key-alias). [aliases: --device] | +| `--key ` | — | Local alias of the *identity's* key (used for signing). | +| `--device-key ` | — | Local alias of the *new device's* key (must be imported first). | +| `--device-did ` | — | Identity ID of the new device being authorized (must match device-key). [aliases: --device] | | `--payload ` | — | Optional path to a JSON file containing arbitrary payload data for the authorization. | | `--schema ` | — | Optional path to a JSON schema for validating the payload (experimental). | | `--expires-in ` | — | Optional number of seconds until this device authorization expires. | @@ -40,7 +40,7 @@ Revoke an existing device authorization using the identity key | Flag | Default | Description | |------|---------|-------------| | `--device-did ` | — | Identity ID of the device authorization to revoke. [aliases: --device] | -| `--identity-key-alias ` | — | Local alias of the *identity's* key (required to authorize revocation). | +| `--key ` | — | Local alias of the *identity's* key (required to authorize revocation). | | `--note ` | — | Optional note explaining the revocation. | | `--dry-run` | — | Preview actions without making changes. | | `--json` | — | Emit machine-readable JSON | 
@@ -63,8 +63,8 @@ Extend the expiration date of an existing device authorization |------|---------|-------------| | `--device-did ` | — | Identity ID of the device authorization to extend. [aliases: --device] | | `--expires-in ` | — | Number of seconds to extend the expiration by (from now). | -| `--identity-key-alias ` | — | Local alias of the *identity's* key (required for re-signing). [aliases: --ika] | -| `--device-key-alias ` | — | Local alias of the *device's* key (required for re-signing). [aliases: --dka] | +| `--key ` | — | Local alias of the *identity's* key (required for re-signing). | +| `--device-key ` | — | Local alias of the *device's* key (required for re-signing). | | `--json` | — | Emit machine-readable JSON | | `-q, --quiet` | — | Suppress non-essential output | | `--repo ` | — | Override the local storage directory (default: ~/.auths) | @@ -252,7 +252,7 @@ Revoke a compromised device immediately | Flag | Default | Description | |------|---------|-------------| | `--device ` | — | Device DID to revoke | -| `--identity-key-alias ` | — | Local alias of the identity's key (used for signing the revocation) | +| `--key ` | — | Local alias of the identity's key (used for signing the revocation) | | `--note ` | — | Optional note explaining the revocation | | `-y, --yes` | — | Skip confirmation prompt | | `--dry-run` | — | Preview actions without making changes | @@ -463,7 +463,7 @@ Create a new organization identity | Flag | Default | Description | |------|---------|-------------| | `--name ` | — | Organization name | -| `--local-key-alias ` | — | Alias for the local signing key (auto-generated if not provided) | +| `--key ` | — | Alias for the local signing key (auto-generated if not provided) | | `--metadata-file ` | — | Optional metadata file (if provided, merged with org metadata) | | `--json` | — | Emit machine-readable JSON | | `-q, --quiet` | — | Suppress non-essential output | 
@@ -487,7 +487,7 @@ Add a member to an organization | `--member-did ` | — | Member identity ID to add [aliases: --member] | | `--role ` | — | Role to assign (admin, member, readonly) | | `--capabilities ` | — | Override default capabilities (comma-separated) | -| `--signer-alias ` | — | Alias of the signing key in keychain | +| `--key ` | — | Alias of the signing key in keychain | | `--note ` | — | Optional note for the authorization | | `--json` | — | Emit machine-readable JSON | | `-q, --quiet` | — | Suppress non-essential output | @@ -510,7 +510,7 @@ Revoke a member from an organization | `--org ` | — | Organization identity ID | | `--member-did ` | — | Member identity ID to revoke [aliases: --member] | | `--note ` | — | Reason for revocation | -| `--signer-alias ` | — | Alias of the signing key in keychain | +| `--key ` | — | Alias of the signing key in keychain | | `--dry-run` | — | Preview actions without making changes | | `--json` | — | Emit machine-readable JSON | | `-q, --quiet` | — | Suppress non-essential output | @@ -1059,8 +1059,8 @@ Sign an artifact file with your Auths identity |------|---------|-------------| | `` | — | Path to the artifact file to sign. | | `--sig-output ` | — | Output path for the signature file. Defaults to .auths.json | -| `--identity-key-alias ` | — | Local alias of the identity key. Omit for device-only CI signing. [aliases: --ika] | -| `--device-key-alias ` | — | Local alias of the device key. Auto-detected when only one key exists. [aliases: --dka] | +| `--key ` | — | Local alias of the identity key. Omit for device-only CI signing. | +| `--device-key ` | — | Local alias of the device key. Auto-detected when only one key exists. | | `--expires-in ` | — | Duration in seconds until expiration (per RFC 6749) | | `--note ` | — | Optional note to embed in the attestation | | `--json` | — | Emit machine-readable JSON | diff --git a/docs/cli/commands/primary.md b/docs/cli/commands/primary.md index 5bfa4b3d..1a6589a8 100644 
--- a/docs/cli/commands/primary.md +++ b/docs/cli/commands/primary.md @@ -39,8 +39,8 @@ Sign a Git commit or artifact file. |------|---------|-------------| | `` | — | Commit ref, range, or artifact file path | | `--sig-output ` | — | Output path for the signature file. Defaults to .auths.json | -| `--identity-key-alias ` | — | Local alias of the identity key (for artifact signing) | -| `--device-key-alias ` | — | Local alias of the device key (for artifact signing, required for files) | +| `--key ` | — | Local alias of the identity key (for artifact signing) | +| `--device-key ` | — | Local alias of the device key (for artifact signing, required for files) | | `--expires-in ` | — | Duration in seconds until expiration (per RFC 6749) | | `--note ` | — | Optional note to embed in the attestation (for artifact signing) | | `--json` | — | Emit machine-readable JSON | diff --git a/docs/guides/git/team-workflows.md b/docs/guides/git/team-workflows.md index a01a2cf3..f5eec1b7 100644 --- a/docs/guides/git/team-workflows.md +++ b/docs/guides/git/team-workflows.md @@ -121,7 +121,7 @@ Options: ```bash # Custom key alias -auths org init --name "my-org" --local-key-alias org-myorg +auths org init --name "my-org" --key org-myorg # With additional metadata auths org init --name "my-org" --metadata-file org-metadata.json diff --git a/docs/guides/identity/backup-and-recovery.md b/docs/guides/identity/backup-and-recovery.md index f31751f1..b68f7691 100644 --- a/docs/guides/identity/backup-and-recovery.md +++ b/docs/guides/identity/backup-and-recovery.md @@ -97,7 +97,7 @@ If you have another device linked to the same identity: ```bash auths device revoke \ --device-did "did:key:z6Mk..." \ - --identity-key-alias my-key \ + --key my-key \ --note "Device lost" ``` diff --git a/docs/guides/identity/multi-device.md b/docs/guides/identity/multi-device.md index 0a9281b3..f933e2a8 100644 --- a/docs/guides/identity/multi-device.md +++ b/docs/guides/identity/multi-device.md 
@@ -131,8 +131,8 @@ The seed file must contain exactly 32 bytes of raw Ed25519 key material. You wil ```bash auths device link \ - --identity-key-alias my-key \ - --device-key-alias laptop-key \ + --key my-key \ + --device-key laptop-key \ --device-did "$DEVICE_DID" \ --note "Work Laptop" \ --expires-in 7776000 @@ -189,8 +189,8 @@ auths device list --include-revoked auths device extend \ --device-did "$DEVICE_DID" \ --days 90 \ - --identity-key-alias my-key \ - --device-key-alias laptop-key + --key my-key \ + --device-key laptop-key ``` ### Revoke a device @@ -198,7 +198,7 @@ auths device extend \ ```bash auths device revoke \ --device-did "$DEVICE_DID" \ - --identity-key-alias my-key \ + --key my-key \ --note "Laptop retired" ``` diff --git a/docs/guides/identity/profiles.md b/docs/guides/identity/profiles.md index 033b8244..12eaf415 100644 --- a/docs/guides/identity/profiles.md +++ b/docs/guides/identity/profiles.md @@ -126,7 +126,7 @@ Optionally provide a custom key alias or additional metadata: ```bash auths org init \ --name "my-org" \ - --local-key-alias org-myorg \ + --key org-myorg \ --metadata-file org-metadata.json ``` diff --git a/docs/guides/platforms/ci-cd.md b/docs/guides/platforms/ci-cd.md index cbb13faa..9c7d0217 100644 --- a/docs/guides/platforms/ci-cd.md +++ b/docs/guides/platforms/ci-cd.md @@ -87,7 +87,7 @@ jobs: - name: Sign release artifact run: | auths sign myproject.tar.gz \ - --device-key-alias ci-release-device + --device-key ci-release-device - name: Upload release uses: softprops/action-gh-release@v2 @@ -224,7 +224,7 @@ To revoke a CI device at any time: ```bash auths device revoke \ --device-did \ - --identity-key-alias + --key ``` The device DID and identity key alias are printed by `cargo xt ci-setup` when the device is created. After revocation, the CI device key can no longer produce valid attestations, even if the secrets remain in GitHub. 
diff --git a/docs/guides/platforms/radicle.md b/docs/guides/platforms/radicle.md index ee7c9600..a02074c5 100644 --- a/docs/guides/platforms/radicle.md +++ b/docs/guides/platforms/radicle.md @@ -51,7 +51,7 @@ Then initialize your identity: ```bash auths id create \ --metadata-file ~/radicle_meta.json \ - --local-key-alias radicle_id_key + --key radicle_id_key ``` ### 2. View identity details @@ -79,8 +79,8 @@ Then link the device: ```bash auths device link \ --repo "$RAD_REPO_PATH" \ - --identity-key-alias radicle_id_key \ - --device-key-alias rad_device_key \ + --key radicle_id_key \ + --device-key rad_device_key \ --device-did "$DEVICE_DID" \ --note "Radicle Laptop Key" ``` diff --git a/docs/smoketests/end_to_end.py b/docs/smoketests/end_to_end.py index 302ab840..921e323c 100755 --- a/docs/smoketests/end_to_end.py +++ b/docs/smoketests/end_to_end.py @@ -463,7 +463,7 @@ def phase_2_create_identity(ws: Workspace, bins: dict[str, Path]) -> None: [ auths, "--repo", str(ws.auths_home), "id", "create", "--metadata-file", str(ws.metadata_file), - "--local-key-alias", "identity-key", + "--key", "identity-key", ], env=ws.auths_env(), check=False, @@ -527,8 +527,8 @@ def phase_3_link_devices(ws: Workspace, bins: dict[str, Path]) -> None: run( [ auths, "--repo", str(ws.auths_home), "device", "link", - "--identity-key-alias", "identity-key", - "--device-key-alias", alias, + "--key", "identity-key", + "--device-key", alias, "--device-did", did, "--note", note, ], diff --git a/scripts/.github/workflows/release.yml b/scripts/.github/workflows/release.yml index 6ffc7804..e871d62b 100644 --- a/scripts/.github/workflows/release.yml +++ b/scripts/.github/workflows/release.yml @@ -143,7 +143,7 @@ jobs: fi auths artifact sign ${{ matrix.asset_name }}${{ matrix.ext }} \ - --device-key-alias ci-release-device \ + --device-key ci-release-device \ --note "GitHub Actions release — ${{ github.ref_name }}" \ --repo /tmp/auths-identity 
diff --git a/scripts/auths_workflows/artifact_signing.py b/scripts/auths_workflows/artifact_signing.py index 7be57af5..dde2d977 100644 --- a/scripts/auths_workflows/artifact_signing.py +++ b/scripts/auths_workflows/artifact_signing.py @@ -126,14 +126,14 @@ def main() -> None: # Ask user which device key alias to use print() - device_alias = input(f" {BOLD}Enter device-key-alias to use for signing:{RESET} ").strip() + device_alias = input(f" {BOLD}Enter device-key to use for signing:{RESET} ").strip() if not device_alias: fail("No alias provided.") sys.exit(1) # Optionally ask for identity key alias identity_alias = input( - f" {BOLD}Enter identity-key-alias (leave blank for device-only):{RESET} " + f" {BOLD}Enter key (leave blank for device-only):{RESET} " ).strip() # ── Step 2: Build ── @@ -195,11 +195,11 @@ def main() -> None: step(5, "Signing artifact with auths") sign_cmd = [ "auths", "artifact", "sign", str(tarball), - "--device-key-alias", device_alias, + "--device-key", device_alias, "--note", "Local signing test", ] if identity_alias: - sign_cmd.extend(["--identity-key-alias", identity_alias]) + sign_cmd.extend(["--key", identity_alias]) result = run(sign_cmd, cwd=REPO_ROOT) if result.returncode != 0: diff --git a/scripts/radicle-e2e.sh b/scripts/radicle-e2e.sh index a9789fa2..ef99756e 100755 --- a/scripts/radicle-e2e.sh +++ b/scripts/radicle-e2e.sh @@ -222,7 +222,7 @@ METAJSON info "Creating identity (RIP-X layout is the default)..." CREATE_OUTPUT=$("$AUTHS_BIN" --repo "$AUTHS_HOME" id create \ --metadata-file "$DEMO_DIR/metadata.json" \ - --local-key-alias identity-key \ + --key identity-key \ 2>&1) || true echo "$CREATE_OUTPUT" | sed 's/^/ /' 
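Review bot: The second prompt now reads `Enter key (leave blank for device-only):`, which no longer says that an alias is wanted. `input()` echoes what is typed and the value is then passed as a `--key` argument, so a user who pastes key material instead of an alias would expose it on screen and in the process arguments. Keep the wording explicit, e.g. `Enter identity key alias, passed as --key (leave blank for device-only):` and `Enter device key alias, passed as --device-key:` for the first prompt. `main()` starts and ends outside these hunks.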
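Review bot: This `id create` call switches to `--key`, but the diffstat lists no source change for the `id` command, so unless that flag was renamed elsewhere the CLI will reject it. The call ends in `2>&1) || true`, so the script would not stop here and the failure would only surface in later phases. Confirm the flag name for `id create`, and consider the handling the `device link` calls use, `|| { echo "$CREATE_OUTPUT" | sed 's/^/ /'; phase_fail "id create"; exit 1; }`, unless `|| true` is there on purpose to tolerate an existing identity. `docs/smoketests/end_to_end.py` makes the same `id create` change with `check=False`.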
@@ -253,8 +253,8 @@ echo "$IMPORT1_OUTPUT" | sed 's/^/ /' info "Linking node 1 as a device..." LINK1_OUTPUT=$("$AUTHS_BIN" --repo "$AUTHS_HOME" device link \ - --identity-key-alias identity-key \ - --device-key-alias node1-key \ + --key identity-key \ + --device-key node1-key \ --device-did "$NODE1_DID" \ --note "Radicle Node 1" \ 2>&1) || { echo "$LINK1_OUTPUT" | sed 's/^/ /'; phase_fail "device link node1"; exit 1; } @@ -281,8 +281,8 @@ echo "$IMPORT2_OUTPUT" | sed 's/^/ /' info "Linking node 2 as a device..." LINK2_OUTPUT=$("$AUTHS_BIN" --repo "$AUTHS_HOME" device link \ - --identity-key-alias identity-key \ - --device-key-alias node2-key \ + --key identity-key \ + --device-key node2-key \ --device-did "$NODE2_DID" \ --note "Radicle Node 2" \ --capabilities sign_commit \ @@ -729,7 +729,7 @@ phase_start "Phase 8: Revoke device 2" info "Revoking node 2..." REVOKE_OUTPUT=$("$AUTHS_BIN" --repo "$AUTHS_HOME" device revoke \ --device-did "$NODE2_DID" \ - --identity-key-alias identity-key \ + --key identity-key \ --note "E2E revocation test" \ 2>&1) || { echo "$REVOKE_OUTPUT" | sed 's/^/ /'; phase_fail "device revoke node2"; exit 1; } echo "$REVOKE_OUTPUT" | sed 's/^/ /' diff --git a/tests/e2e/test_device_attestation.py b/tests/e2e/test_device_attestation.py index a4cb8606..8a010f1b 100644 --- a/tests/e2e/test_device_attestation.py +++ b/tests/e2e/test_device_attestation.py @@ -11,9 +11,9 @@ def _link_device(auths_bin, env, *, capabilities=None, expires_in=None): args = [ "device", "link", - "--identity-key-alias", + "--key", "main", - "--device-key-alias", + "--device-key", "main", "--device-did", did, @@ -55,7 +55,7 @@ def test_device_revoke(self, auths_bin, init_identity): "revoke", "--device-did", did, - "--identity-key-alias", + "--key", "main", ], env=init_identity, diff --git a/tests/e2e/test_key_rotation.py b/tests/e2e/test_key_rotation.py index 51ccfc31..73410465 100644 --- a/tests/e2e/test_key_rotation.py +++ b/tests/e2e/test_key_rotation.py 
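Review bot: In `_link_device` in test_device_attestation.py, both renamed flags receive the same value (`--key`, `main` and `--device-key`, `main`). The test therefore cannot detect the CLI wiring the two renamed arguments to the wrong parameters. The `_link_device` hunk in test_key_rotation.py has the same shape. Presumably the fixture creates a single key named `main`; if it can create a second one, passing a distinct alias to `--device-key` would make a swap fail visibly. The helper's body continues outside the hunk.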
@@ -34,9 +34,9 @@ def _link_device(auths_bin, env, *, capabilities=None):
 args = [
 "device",
 "link",
- "--identity-key-alias",
+ "--key",
 "main",
- "--device-key-alias",
+ "--device-key",
 "main",
 "--device-did",
 did,