Problem
There is no read-only auths command to validate/replay the local identity's KEL under the current encoder. The only ways to discover that a local KEL is invalid are:
- run auths verify against a trailer-bearing commit and read a cryptic Root KEL failed to replay, or
- write a throwaway Rust test calling verify_said / validate_kel (what I had to do).
Concrete motivation
After the Wave 0 CESR-encoding alignment (SAIDs + commitment digests made keripy-byte-identical — commits 2ad5cd0, d29862c), any identity created before that work has a KEL whose stored SAIDs no longer match the current computation. A real on-disk identity, checked event-by-event:
| event | stored SAID | recomputed by current encoder |
| --- | --- | --- |
| icp (= prefix) | Eonuem1eQ6H6CZI1S-CzUJgeC8FG-YNd8Hb6gV6xIdbo | EKJ7nptXkOh-gmSNUvgs1CYHgvBRvmDXfB2-oFesSHW6 |
| ixn (seq 1) | EZKBtFf4p0KKeyLZDhrHtjNn-dnvY9SdfvmlD1QSoWnQ | EGSgbRX-KdCinsi2Q4ax7YzZ_nZ72PUnX75pQ9UEqFp0 |
Both SaidMismatch. The KEL is dead under the current validator, but nothing tells the user that directly — they have to infer it from a downstream verify failure. (The verkey even carried the modern 1AAI P-256 code, so eyeballing the event didn't reveal it.)
Proposed
- auths id verify (or auths id check): replay the local identity's KEL via validate_kel and report valid / the first failing event + reason. Read-only, no keychain needed (SAID checks don't touch the signing key).
- and/or make auths doctor / auths status replay the local KEL and, on SaidMismatch, surface a clear "your identity was created under an older encoding — re-initialize with auths init" hint (matches the documented rm -rf ~/.auths && auths init migration).
This turns a silent/cryptic failure into a one-command diagnosis.
Context
Surfaced while validating an existing identity against Epic B (#200) KEL-native verification.
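A sketch of the read-only replay proposed in the issue above, reporting the first failing event and reason. It is an added example, not auths code. Assumptions: the two-event KEL is constructed and simplified (no version string), SHA2-256 with CESR code I is used because it is in the Python standard library, and every function name plus the OutOfOrder and BrokenChain reason names are hypothetical (only SaidMismatch comes from the issue).

```python
import base64
import hashlib
import json

PLACEHOLDER = "#" * 44  # a SAID field is blanked to its final length before hashing


def said(event, code="I", algo=hashlib.sha256):
    """Recompute an event's SAID; CESR code 'I' marks a SHA2-256 digest."""
    blanked = dict(event, d=PLACEHOLDER)
    if event["t"] == "icp" and event["i"] == event["d"]:
        blanked["i"] = PLACEHOLDER  # self-addressing prefix: 'i' equals 'd'
    raw = json.dumps(blanked, separators=(",", ":")).encode()
    digest = algo(raw).digest()
    # One zero lead byte pads 32 -> 33 bytes; the code replaces the leading 'A'.
    return code + base64.urlsafe_b64encode(b"\x00" + digest).decode()[1:]


def replay(kel):
    """Return None when the KEL replays, else (seq, type, reason) of the first failure."""
    prior = None
    for seq, ev in enumerate(kel):
        if int(ev["s"], 16) != seq:
            return (seq, ev["t"], "OutOfOrder")    # hypothetical reason name
        if prior is not None and ev.get("p") != prior:
            return (seq, ev["t"], "BrokenChain")   # hypothetical reason name
        if said(ev) != ev["d"]:
            return (seq, ev["t"], "SaidMismatch")  # reason name from the issue
        prior = ev["d"]
    return None


def build_kel(encode=said):
    """Constructed two-event KEL (icp + ixn) sealed with the given SAID encoder."""
    icp = {"t": "icp", "d": PLACEHOLDER, "i": PLACEHOLDER, "s": "0", "k": ["constructed-key"]}
    icp["d"] = icp["i"] = encode(icp)
    ixn = {"t": "ixn", "d": PLACEHOLDER, "i": icp["i"], "s": "1", "p": icp["d"], "a": []}
    ixn["d"] = encode(ixn)
    return [icp, ixn]


def older_encoder(event):
    """Constructed stand-in for a pre-alignment encoder (SHA3-256, CESR code 'H')."""
    return said(event, code="H", algo=hashlib.sha3_256)


if __name__ == "__main__":
    print(replay(build_kel()))               # KEL sealed by the current encoder
    print(replay(build_kel(older_encoder)))  # KEL whose stored SAIDs predate it
```

The check only reads the event list and recomputes digests, so it needs no signing key, which is the property the issue relies on for a keychain-free command.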