d0db6f00f1
KEZ is a portable, decentralized identity graph: a person signs claims
linking their many accounts, publishes those claims in places only the
claimed account can publish to, and anyone can verify the connections
without trusting a central server.
Layout
------
- SPEC.md Language-agnostic protocol spec (v0.2)
- rust/ Rust implementation: kez-core, kez-channels, kez-cli
- nodejs/ TypeScript port at full parity
- rust-sig-server/ Optional axum + SQLite storage server for sigchains
- crosstest.sh Cross-implementation interop harness
Capabilities (both implementations, byte-compatible)
----------------------------------------------------
- Two primary-key algorithms: nostr/secp256k1 Schnorr (BIP-340) and
Ed25519 (RFC 8032). Identifiers: nostr:npub1... and ed25519:<hex>.
- JCS (RFC 8785) canonicalization for everything signed.
- Four proof encodings: JSON envelope, compact (kez:z1:<base64url(zstd(json))>),
Markdown fence, DNS TXT.
- Five channel plugins (no API keys, no auth needed for any of them):
dns: system resolver, _kez.<domain> TXT records
github: public gist scan + <user>/<user> profile README fallback
nostr: kind-30078 events from default relays
bluesky: public AppView author feed
ap: WebFinger + actor JSON (alias mastodon:)
- Identical CLI surface:
kez identity new [--key-type nostr|ed25519]
kez claim create <subject> (--nsec | --ed25519-seed) [--format ...] [--out ...]
kez claim dns <domain> (--nsec | --ed25519-seed)
kez verify file <path>
kez verify id <identifier>
kez sigchain add|revoke|show|export|publish
- Sigchains: append-only signed log per primary, hash-chained per spec §6,
stored locally at ~/.kez/sigchains/, exportable as JSONL or kez:zc1: bundle.
- Sigchain publish destinations: chain server, web (file dump), DNS (zone
record print), nostr (kind-30078 wrapping event).
kez-sig-server
--------------
Optional storage tier. Axum + SQLite, single binary, no external deps.
- No auth — the cryptography is the access control. The server validates
every signature, every seq, every prev hash before storing.
- REST API: POST /v1/sigchains/{scheme}/{id}/events (append signed event,
201 with new head hash or 4xx); GET /{scheme}/{id} (full chain as JSONL);
GET /head; GET /healthz.
- Designed for one central instance for now; the design doesn't preclude
running more later (clients gain a configurable list, verifiers
reconcile per spec §6.2).
- Channel-based publishing remains the always-available fallback if the
server is unavailable.
Tests
-----
- rust/ 99 tests
- rust-sig-server/ 10 integration tests (real HTTP, real SQLite)
- nodejs/ 91 tests (vitest)
- crosstest.sh 19 cross-impl scenarios — proves JCS bytes,
Schnorr + Ed25519 sigs, all four claim encodings,
and the sigchain JSONL bundle are byte-compatible
between Rust and Node in both directions.
What's not done yet
-------------------
- verify id consulting the sigchain for revocations (data path exists,
just not wired into the verifier output).
- rotate and add_device sigchain ops (types reserved).
- expires_at enforcement during claim verification.
- Typed VerificationStatus.status reflecting the five failure modes.
- Auth-required publishers (GitHub gist, Bluesky, ActivityPub).
131 lines
4.3 KiB
TypeScript
131 lines
4.3 KiB
TypeScript
// GitHub channel: scans the user's public gists, falls back to `<user>/<user>`
|
|
// profile README. No auth needed.
|
|
|
|
import type { Identity } from "@kez/core";
|
|
import { ChannelError, type Channel, type ChannelHit, parseAndVerifyFor } from "./index.js";
|
|
|
|
const DEFAULT_API_BASE = "https://api.github.com";
|
|
const DEFAULT_RAW_BASE = "https://raw.githubusercontent.com";
|
|
const USER_AGENT = "kez-channels-node/0.1 (+https://example.invalid/kez)";
|
|
|
|
export interface GithubChannelOptions {
|
|
apiBase?: string;
|
|
rawBase?: string;
|
|
fetch?: typeof fetch;
|
|
}
|
|
|
|
export class GithubChannel implements Channel {
|
|
readonly system = "github";
|
|
private readonly apiBase: string;
|
|
private readonly rawBase: string;
|
|
private readonly fetch: typeof fetch;
|
|
|
|
constructor(opts: GithubChannelOptions = {}) {
|
|
this.apiBase = opts.apiBase ?? DEFAULT_API_BASE;
|
|
this.rawBase = opts.rawBase ?? DEFAULT_RAW_BASE;
|
|
this.fetch = opts.fetch ?? globalThis.fetch;
|
|
}
|
|
|
|
async fetchAndVerify(identity: Identity): Promise<ChannelHit> {
|
|
const user = identity.id;
|
|
if (!user) throw ChannelError.other("github identity has empty user");
|
|
|
|
let lastError: ChannelError | undefined;
|
|
|
|
// 1. gists
|
|
try {
|
|
const candidates = await this.fetchGistCandidates(user);
|
|
for (const url of candidates) {
|
|
try {
|
|
const body = await this.fetchText(url);
|
|
return parseAndVerifyFor(body, identity);
|
|
} catch (e) {
|
|
lastError = e instanceof ChannelError ? e : ChannelError.other((e as Error).message, e);
|
|
}
|
|
}
|
|
} catch (e) {
|
|
lastError = e instanceof ChannelError ? e : ChannelError.other((e as Error).message, e);
|
|
}
|
|
|
|
// 2. profile README fallback (main, then master)
|
|
for (const branch of ["main", "master"]) {
|
|
const url = `${this.rawBase}/${user}/${user}/${branch}/README.md`;
|
|
try {
|
|
const body = await this.fetchText(url);
|
|
return parseAndVerifyFor(body, identity);
|
|
} catch (e) {
|
|
if (e instanceof ChannelError && e.kind === "Unreachable") continue;
|
|
lastError = e instanceof ChannelError ? e : ChannelError.other((e as Error).message, e);
|
|
}
|
|
}
|
|
|
|
throw lastError ?? ChannelError.notFound(identity);
|
|
}
|
|
|
|
private async fetchText(url: string): Promise<string> {
|
|
let resp: Response;
|
|
try {
|
|
resp = await this.fetch(url, { headers: { "User-Agent": USER_AGENT } });
|
|
} catch (e) {
|
|
throw ChannelError.unreachable(`GET ${url}: ${(e as Error).message}`, e);
|
|
}
|
|
if (!resp.ok) throw ChannelError.unreachable(`GET ${url}: ${resp.status}`);
|
|
return resp.text();
|
|
}
|
|
|
|
private async fetchGistCandidates(user: string): Promise<string[]> {
|
|
const url = gistsUrl(this.apiBase, user);
|
|
let resp: Response;
|
|
try {
|
|
resp = await this.fetch(url, {
|
|
headers: {
|
|
"User-Agent": USER_AGENT,
|
|
Accept: "application/vnd.github+json",
|
|
},
|
|
});
|
|
} catch (e) {
|
|
throw ChannelError.unreachable(`GET ${url}: ${(e as Error).message}`, e);
|
|
}
|
|
if (!resp.ok) throw ChannelError.unreachable(`GET ${url}: ${resp.status}`);
|
|
const body = (await resp.json()) as unknown;
|
|
return parseGistCandidates(body);
|
|
}
|
|
}
|
|
|
|
export function looksLikeKezFilename(name: string): boolean {
|
|
const lower = name.toLowerCase();
|
|
return (
|
|
lower.endsWith(".kez") ||
|
|
lower.endsWith(".kez.md") ||
|
|
lower.endsWith(".kez.json") ||
|
|
lower.includes("kez")
|
|
);
|
|
}
|
|
|
|
export function gistsUrl(apiBase: string, user: string): string {
|
|
return `${apiBase}/users/${user}/gists?per_page=100`;
|
|
}
|
|
|
|
export function profileReadmeUrls(rawBase: string, user: string): string[] {
|
|
return [
|
|
`${rawBase}/${user}/${user}/main/README.md`,
|
|
`${rawBase}/${user}/${user}/master/README.md`,
|
|
];
|
|
}
|
|
|
|
export function parseGistCandidates(body: unknown): string[] {
|
|
if (!Array.isArray(body)) return [];
|
|
const out: string[] = [];
|
|
for (const gist of body) {
|
|
if (typeof gist !== "object" || gist === null) continue;
|
|
const files = (gist as Record<string, unknown>).files;
|
|
if (typeof files !== "object" || files === null) continue;
|
|
for (const [name, file] of Object.entries(files)) {
|
|
if (!looksLikeKezFilename(name)) continue;
|
|
const rawUrl = (file as Record<string, unknown>)?.raw_url;
|
|
if (typeof rawUrl === "string") out.push(rawUrl);
|
|
}
|
|
}
|
|
return out;
|
|
}
|