From 7d4ffdb13f7ae5e6e8366f9efaee26a6e1d9d05f Mon Sep 17 00:00:00 2001 From: Divine Date: Thu, 23 Apr 2026 11:31:03 -0400 Subject: [PATCH 1/7] chore: add justfile for dev task runner Build, test, stack, CLI, and utility recipes for common development workflows. Mirrors existing scripts/gates.sh patterns with convenient shortcuts. --- justfile | 121 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 justfile diff --git a/justfile b/justfile new file mode 100644 index 0000000..ef62572 --- /dev/null +++ b/justfile @@ -0,0 +1,121 @@ +# AgentAuth Core — Task Runner +# Install: brew install just + +# --- Variables (override via env or `just --set key value`) --- + +admin_secret := env_var_or_default("AA_ADMIN_SECRET", "") +broker_url := env_var_or_default("BROKER_URL", "http://localhost:8080") +host_port := env_var_or_default("AA_HOST_PORT", "8080") + +# --- Build --- + +# Build both binaries to ./bin/ +build: + go build -o bin/broker ./cmd/broker + go build -o bin/awrit ./cmd/awrit + +# Build only the broker binary +build-broker: + go build -o bin/broker ./cmd/broker + +# Build only the CLI tool +build-awrit: + go build -o bin/awrit ./cmd/awrit + +# Build the Docker image locally (dev mode) +image: + docker compose build --no-cache broker + +# --- Test --- + +# Unit tests (short mode) +test: + go test -short -count=1 ./... + +# Unit tests with race detector +test-race: + go test -race -count=1 ./... + +# Fast dev-loop gates (build/vet/lint/format/tests/security) +gate-task: + ./scripts/gates.sh task + +# Full CI-mirror gates (task + race + docker + smoke + sbom) +gate-full: + ./scripts/gates.sh full + +# L4 regression — runs all tests/*/regression.sh +gate-regression: + ./scripts/gates.sh regression + +# L2.5 smoke test (broker must be running) +smoke: + ./scripts/smoke/core-contract.sh + +# --- Stack (Docker) --- + +# Build image and bring up the broker +up: + ./scripts/stack_up.sh + +# Tear down the broker stack +down: + ./scripts/stack_down.sh + +# Follow broker logs +logs: + docker compose logs -f broker + +# --- Stack (VPS mode — bare binary) --- + +# Build and run broker directly (requires AA_ADMIN_SECRET) +run: build-broker + ./bin/broker --admin-secret "{{admin_secret}}" + +# --- Operator CLI (awrit) --- + +# Initialize config and generate admin secret +init mode="dev": + ./bin/awrit init --mode {{mode}} + +# Register an app (prints client_id + client_secret) +app-register name scopes: + ./bin/awrit app register --name {{name}} --scopes {{scopes}} + +# List registered apps +app-list: + ./bin/awrit app list + +# Query audit trail (optional filters) +audit *args: + ./bin/awrit audit {{args}} + +# Release (self-revoke) a token +token-release token: + ./bin/awrit token release --token {{token}} + +# --- Utilities --- + +# Check broker health +health: + curl -sf {{broker_url}}/v1/health | jq . + +# Format all Go code +fmt: + gofmt -w . + +# Run go vet +vet: + go vet ./... + +# Run linter +lint: + golangci-lint run ./... + +# Generate a random admin secret +secret: + openssl rand -base64 32 + +# Show gate list (for CI parity checks) +gates: + ./scripts/gates.sh --list-gates From 022a3e27b8b98cbdf6475f8cb8c856e992564be8 Mon Sep 17 00:00:00 2001 From: Divine Date: Thu, 23 Apr 2026 11:37:16 -0400 Subject: [PATCH 2/7] Revert "chore: add justfile for dev task runner" --- justfile | 121 ------------------------------------------------------- 1 file changed, 121 deletions(-) delete mode 100644 justfile diff --git a/justfile b/justfile deleted file mode 100644 index ef62572..0000000 --- a/justfile +++ /dev/null @@ -1,121 +0,0 @@ -# AgentAuth Core — Task Runner -# Install: brew install just - -# --- Variables (override via env or `just --set key value`) --- - -admin_secret := env_var_or_default("AA_ADMIN_SECRET", "") -broker_url := env_var_or_default("BROKER_URL", "http://localhost:8080") -host_port := env_var_or_default("AA_HOST_PORT", "8080") - -# --- Build --- - -# Build both binaries to ./bin/ -build: - go build -o bin/broker ./cmd/broker - go build -o bin/awrit ./cmd/awrit - -# Build only the broker binary -build-broker: - go build -o bin/broker ./cmd/broker - -# Build only the CLI tool -build-awrit: - go build -o bin/awrit ./cmd/awrit - -# Build the Docker image locally (dev mode) -image: - docker compose build --no-cache broker - -# --- Test --- - -# Unit tests (short mode) -test: - go test -short -count=1 ./... - -# Unit tests with race detector -test-race: - go test -race -count=1 ./... - -# Fast dev-loop gates (build/vet/lint/format/tests/security) -gate-task: - ./scripts/gates.sh task - -# Full CI-mirror gates (task + race + docker + smoke + sbom) -gate-full: - ./scripts/gates.sh full - -# L4 regression — runs all tests/*/regression.sh -gate-regression: - ./scripts/gates.sh regression - -# L2.5 smoke test (broker must be running) -smoke: - ./scripts/smoke/core-contract.sh - -# --- Stack (Docker) --- - -# Build image and bring up the broker -up: - ./scripts/stack_up.sh - -# Tear down the broker stack -down: - ./scripts/stack_down.sh - -# Follow broker logs -logs: - docker compose logs -f broker - -# --- Stack (VPS mode — bare binary) --- - -# Build and run broker directly (requires AA_ADMIN_SECRET) -run: build-broker - ./bin/broker --admin-secret "{{admin_secret}}" - -# --- Operator CLI (awrit) --- - -# Initialize config and generate admin secret -init mode="dev": - ./bin/awrit init --mode {{mode}} - -# Register an app (prints client_id + client_secret) -app-register name scopes: - ./bin/awrit app register --name {{name}} --scopes {{scopes}} - -# List registered apps -app-list: - ./bin/awrit app list - -# Query audit trail (optional filters) -audit *args: - ./bin/awrit audit {{args}} - -# Release (self-revoke) a token -token-release token: - ./bin/awrit token release --token {{token}} - -# --- Utilities --- - -# Check broker health -health: - curl -sf {{broker_url}}/v1/health | jq . - -# Format all Go code -fmt: - gofmt -w . - -# Run go vet -vet: - go vet ./... - -# Run linter -lint: - golangci-lint run ./... - -# Generate a random admin secret -secret: - openssl rand -base64 32 - -# Show gate list (for CI parity checks) -gates: - ./scripts/gates.sh --list-gates From 34a94747de7ef112ac2355b2757b26e87570ca7b Mon Sep 17 00:00:00 2001 From: Divine Date: Wed, 13 May 2026 15:54:37 -0400 Subject: [PATCH 3/7] fix(brand): rename current AgentAuth text surfaces to AgentWrit Refs #78 --- .github/workflows/contribution-policy.yml | 4 ++-- .gitignore | 2 +- .golangci.yml | 2 +- README.md | 6 +++--- cmd/awrit/main.go | 2 +- cmd/awrit/root.go | 4 ++-- cmd/broker/main.go | 4 ++-- docs/python-sdk.md | 6 +++--- internal/authz/scope.go | 2 +- internal/cfg/configfile_test.go | 2 +- internal/identity/spiffe.go | 4 ++-- internal/mutauth/mut_auth_hdl.go | 2 +- internal/obs/obs.go | 2 +- internal/revoke/rev_svc.go | 2 +- internal/token/tkn_claims.go | 6 +++--- scripts/gates.sh | 2 +- 16 files changed, 26 insertions(+), 26 deletions(-) diff --git a/.github/workflows/contribution-policy.yml b/.github/workflows/contribution-policy.yml index c3971bc..5b8d13b 100644 --- a/.github/workflows/contribution-policy.yml +++ b/.github/workflows/contribution-policy.yml @@ -82,9 +82,9 @@ jobs: core.info(`Author ${author} not exempt — closing PR per Decision 014`); const policy_comment = [ - `Hi @${author}, thank you for your interest in AgentAuth!`, + `Hi @${author}, thank you for your interest in AgentWrit!`, '', - 'Per our contribution policy ([Decision 014](https://github.com/' + owner + '/' + repo + '/blob/develop/CONTRIBUTING.md)), AgentAuth does not accept external code contributions at this time — including bug fixes.', + 'Per our contribution policy ([Decision 014](https://github.com/' + owner + '/' + repo + '/blob/develop/CONTRIBUTING.md)), AgentWrit does not accept external code contributions at this time — including bug fixes.', '', 'We actively welcome:', '- **Bug reports** — please [open an issue](https://github.com/' + owner + '/' + repo + '/issues/new)', diff --git a/.gitignore b/.gitignore index b5f199e..6762515 100644 --- a/.gitignore +++ b/.gitignore @@ -10,7 +10,7 @@ /awrit /aactl /broker -/agentauth-broker +/agentwrit-broker /smoketest bin/ diff --git a/.golangci.yml b/.golangci.yml index 4f107e5..0714e6a 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -1,4 +1,4 @@ -# .golangci.yml — golangci-lint configuration for agentauth-core +# .golangci.yml — golangci-lint configuration for agentwrit-core # # M-sec linter set: security-aware defaults plus the core Go linters. # diff --git a/README.md b/README.md index 525acbe..a15ce2b 100644 --- a/README.md +++ b/README.md @@ -156,14 +156,14 @@ The Python SDK includes **MedAssist AI**: a FastAPI web app where a local LLM dy | Language | Repo | Install | Status | |----------|------|---------|--------| -| **Python** | [agentwrit-python](docs/python-sdk.md) | `pip install agentauth` *(PyPI rename pending)* | v0.3.0 — 15 acceptance tests passing | +| **Python** | [agentwrit-python](docs/python-sdk.md) | `pip install agentwrit` | v0.3.0 — 15 acceptance tests passing | | **TypeScript** | Coming soon | — | Planned | ```python -from agentauth import AgentAuthApp +from agentwrit import AgentWritApp # The SDK hides the Ed25519 challenge-response flow -agent = AgentAuthApp(broker_url="http://localhost:8080").register( +agent = AgentWritApp(broker_url="http://localhost:8080").register( launch_token=LAUNCH_TOKEN, task_id="read-customer-42", requested_scope=["read:data:customers:42"], diff --git a/cmd/awrit/main.go b/cmd/awrit/main.go index 932c033..db14fdb 100644 --- a/cmd/awrit/main.go +++ b/cmd/awrit/main.go @@ -1,6 +1,6 @@ // SPDX-License-Identifier: LicenseRef-PolyForm-Internal-Use-1.0.0 -// Command awrit is the operator CLI for the AgentAuth broker. +// Command awrit is the operator CLI for the AgentWrit broker. package main // main is the entry point for the awrit binary. diff --git a/cmd/awrit/root.go b/cmd/awrit/root.go index 4635c39..5160006 100644 --- a/cmd/awrit/root.go +++ b/cmd/awrit/root.go @@ -16,8 +16,8 @@ var jsonOutput bool // rootCmd is the top-level cobra command that all subcommands are attached to. var rootCmd = &cobra.Command{ Use: "awrit", - Short: "AgentAuth operator CLI", - Long: "awrit is the operator CLI for managing the AgentAuth broker.", + Short: "AgentWrit operator CLI", + Long: "awrit is the operator CLI for managing the AgentWrit broker.", } func init() { diff --git a/cmd/broker/main.go b/cmd/broker/main.go index dbe7a8d..46bad93 100644 --- a/cmd/broker/main.go +++ b/cmd/broker/main.go @@ -1,6 +1,6 @@ // SPDX-License-Identifier: LicenseRef-PolyForm-Internal-Use-1.0.0 -// Command broker starts the AgentAuth broker HTTP server. +// Command broker starts the AgentWrit broker HTTP server. // // It wires all internal services together, registers routes on an // [http.ServeMux], and listens on the port configured by AA_PORT (default @@ -222,7 +222,7 @@ func main() { obs.Warn("BROKER", "main", "binding to 0.0.0.0 without TLS — use AA_TLS_MODE=tls in production") } obs.Ok("BROKER", "main", "starting broker", "addr="+addr, "version="+version) - fmt.Printf("AgentAuth broker v%s listening on %s\n", version, addr) + fmt.Printf("AgentWrit broker v%s listening on %s\n", version, addr) if err := serve(c, addr, rootHandler, func() { if err := sqlStore.Close(); err != nil { diff --git a/docs/python-sdk.md b/docs/python-sdk.md index d0533be..0acc79f 100644 --- a/docs/python-sdk.md +++ b/docs/python-sdk.md @@ -7,9 +7,9 @@ The Python SDK wraps the broker's Ed25519 challenge-response registration flow into simple function calls. You don't need to manage nonces, signatures, or token renewal manually. ```python -from agentauth import AgentAuthApp +from agentwrit import AgentWritApp -agent = AgentAuthApp(broker_url="http://localhost:8080").register( +agent = AgentWritApp(broker_url="http://localhost:8080").register( launch_token=LAUNCH_TOKEN, task_id="read-customer-42", requested_scope=["read:data:customers:42"], @@ -27,7 +27,7 @@ agent.release() - **v0.3.0** — 15 acceptance tests passing against a live broker - Full agent lifecycle: register, renew, delegate, release - Scope checking and validation helpers -- `pip install agentauth` *(PyPI rename to `agentwrit` pending)* +- `pip install agentwrit` ## In the meantime diff --git a/internal/authz/scope.go b/internal/authz/scope.go index cf3bd79..28adfd3 100644 --- a/internal/authz/scope.go +++ b/internal/authz/scope.go @@ -1,7 +1,7 @@ // SPDX-License-Identifier: LicenseRef-PolyForm-Internal-Use-1.0.0 // Package authz provides scope-based authorization and Bearer token -// validation middleware for the AgentAuth broker. +// validation middleware for the AgentWrit broker. // // # Scope Model // diff --git a/internal/cfg/configfile_test.go b/internal/cfg/configfile_test.go index 789f25d..169a840 100644 --- a/internal/cfg/configfile_test.go +++ b/internal/cfg/configfile_test.go @@ -14,7 +14,7 @@ import ( func TestLoadConfigFile_ValidDevConfig(t *testing.T) { dir := t.TempDir() cfgPath := filepath.Join(dir, "config") - content := "# AgentAuth Configuration\nMODE=development\nADMIN_SECRET=my-test-secret\n" + content := "# AgentWrit Configuration\nMODE=development\nADMIN_SECRET=my-test-secret\n" if err := os.WriteFile(cfgPath, []byte(content), 0600); err != nil { t.Fatal(err) } diff --git a/internal/identity/spiffe.go b/internal/identity/spiffe.go index 682de43..ed8163e 100644 --- a/internal/identity/spiffe.go +++ b/internal/identity/spiffe.go @@ -9,7 +9,7 @@ import ( "github.com/spiffe/go-spiffe/v2/spiffeid" ) -// NewSpiffeId constructs a SPIFFE ID in the AgentAuth canonical format: +// NewSpiffeId constructs a SPIFFE ID in the AgentWrit canonical format: // // spiffe://{trustDomain}/agent/{orchID}/{taskID}/{instanceID} // @@ -31,7 +31,7 @@ func NewSpiffeId(trustDomain, orchID, taskID, instanceID string) (string, error) } // ParseSpiffeId validates a SPIFFE ID string and extracts its path -// components. The path must follow the AgentAuth format +// components. The path must follow the AgentWrit format // /agent/{orchID}/{taskID}/{instanceID}. It returns an error if the ID // is malformed or does not match the expected structure. func ParseSpiffeId(id string) (orchID, taskID, instanceID string, err error) { diff --git a/internal/mutauth/mut_auth_hdl.go b/internal/mutauth/mut_auth_hdl.go index c0c02f7..0e27696 100644 --- a/internal/mutauth/mut_auth_hdl.go +++ b/internal/mutauth/mut_auth_hdl.go @@ -4,7 +4,7 @@ // three-step cryptographic handshake protocol. // // The protocol guarantees that both communicating agents hold valid -// AgentAuth tokens and registered Ed25519 key pairs. The three steps are: +// AgentWrit tokens and registered Ed25519 key pairs. The three steps are: // // 1. [MutAuthHdl.InitiateHandshake] — the initiator verifies its own // token and the target agent's registration, then produces a diff --git a/internal/obs/obs.go b/internal/obs/obs.go index a70a226..0eeec43 100644 --- a/internal/obs/obs.go +++ b/internal/obs/obs.go @@ -1,7 +1,7 @@ // SPDX-License-Identifier: LicenseRef-PolyForm-Internal-Use-1.0.0 // Package obs provides structured logging and Prometheus metrics for the -// AgentAuth broker. +// AgentWrit broker. // // # Logging // diff --git a/internal/revoke/rev_svc.go b/internal/revoke/rev_svc.go index dcab052..6d1a1cc 100644 --- a/internal/revoke/rev_svc.go +++ b/internal/revoke/rev_svc.go @@ -1,6 +1,6 @@ // SPDX-License-Identifier: LicenseRef-PolyForm-Internal-Use-1.0.0 -// Package revoke provides four-level token revocation for the AgentAuth +// Package revoke provides four-level token revocation for the AgentWrit // broker. // // Revocation operates at four granularity levels: diff --git a/internal/token/tkn_claims.go b/internal/token/tkn_claims.go index 614c236..33ccb2c 100644 --- a/internal/token/tkn_claims.go +++ b/internal/token/tkn_claims.go @@ -1,11 +1,11 @@ // SPDX-License-Identifier: LicenseRef-PolyForm-Internal-Use-1.0.0 // Package token implements EdDSA (Ed25519) JWT token issuance, verification, -// and renewal for the AgentAuth broker. +// and renewal for the AgentWrit broker. // // Tokens follow the compact JWT serialization (header.payload.signature) with // algorithm "EdDSA". Claims include standard fields (iss, sub, exp, nbf, iat, -// jti) plus AgentAuth extensions (scope, task_id, orch_id, delegation_chain). +// jti) plus AgentWrit extensions (scope, task_id, orch_id, delegation_chain). // // The issuer (iss claim) is operator-configured via cfg.Issuer (env: AA_ISSUER). // Empty cfg.Issuer skips issuer enforcement on verify, mirroring the Audience @@ -28,7 +28,7 @@ var ( ErrNoExpiry = errors.New("token has no expiry") ) -// TknClaims represents the JWT payload for an AgentAuth token. Standard +// TknClaims represents the JWT payload for an AgentWrit token. Standard // registered claims (iss, sub, aud, exp, nbf, iat, jti) are complemented // by private claims for scope enforcement, task tracking, and delegation. type TknClaims struct { diff --git a/scripts/gates.sh b/scripts/gates.sh index 0ecf45d..8f37ed4 100755 --- a/scripts/gates.sh +++ b/scripts/gates.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash set -euo pipefail -# gates.sh — quality gate runner for AgentAuth (M-sec) +# gates.sh — quality gate runner for AgentWrit Core (M-sec) # # Usage: # ./scripts/gates.sh task Fast dev-loop gates (build/vet/lint/format/ From b38c640bd6fcdf8f8ab3adb6daab31962a74d26a Mon Sep 17 00:00:00 2001 From: Divine Date: Wed, 13 May 2026 15:55:24 -0400 Subject: [PATCH 4/7] fix(tls): align compose cert mounts with AgentWrit cert generator Refs #78 --- docker-compose.mtls.yml | 4 ++-- docker-compose.tls.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docker-compose.mtls.yml b/docker-compose.mtls.yml index f180264..0d6fe75 100644 --- a/docker-compose.mtls.yml +++ b/docker-compose.mtls.yml @@ -1,6 +1,6 @@ # mTLS overlay — mutual TLS (broker requires client cert). # Usage: docker compose -f docker-compose.yml -f docker-compose.mtls.yml up -d -# Requires certs in /tmp/agentauth-certs (run scripts/gen_test_certs.sh first). +# Requires certs in /tmp/agentwrit-certs (run scripts/gen_test_certs.sh first). services: broker: environment: @@ -9,6 +9,6 @@ services: - AA_TLS_KEY=/certs/broker-key.pem - AA_TLS_CLIENT_CA=/certs/ca.pem volumes: - - /tmp/agentauth-certs:/certs:ro + - /tmp/agentwrit-certs:/certs:ro healthcheck: test: ["CMD", "curl", "-sf", "--cacert", "/certs/ca.pem", "--cert", "/certs/client.pem", "--key", "/certs/client-key.pem", "https://localhost:8080/v1/health"] diff --git a/docker-compose.tls.yml b/docker-compose.tls.yml index b6cbf2a..31a46a0 100644 --- a/docker-compose.tls.yml +++ b/docker-compose.tls.yml @@ -1,6 +1,6 @@ # TLS overlay — one-way TLS (broker serves HTTPS). # Usage: docker compose -f docker-compose.yml -f docker-compose.tls.yml up -d -# Requires certs in /tmp/agentauth-certs (run scripts/gen_test_certs.sh first). +# Requires certs in /tmp/agentwrit-certs (run scripts/gen_test_certs.sh first). services: broker: environment: @@ -8,6 +8,6 @@ services: - AA_TLS_CERT=/certs/broker.pem - AA_TLS_KEY=/certs/broker-key.pem volumes: - - /tmp/agentauth-certs:/certs:ro + - /tmp/agentwrit-certs:/certs:ro healthcheck: test: ["CMD", "curl", "-sf", "--cacert", "/certs/ca.pem", "https://localhost:8080/v1/health"] From 11e81d6ddf231cb60a8d06503faf891fec68ac7a Mon Sep 17 00:00:00 2001 From: Divine Date: Wed, 13 May 2026 15:59:04 -0400 Subject: [PATCH 5/7] test(sec-l2b): refresh AgentWrit setup and evidence Refs #78 --- tests/sec-l2b/env.sh | 2 +- tests/sec-l2b/evidence/story-S2-generic-revoked-error.md | 6 +++--- tests/sec-l2b/evidence/story-S3-renew-tampered-generic.md | 4 ++-- tests/sec-l2b/integration.sh | 4 ++-- tests/sec-l2b/user-stories.md | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/sec-l2b/env.sh b/tests/sec-l2b/env.sh index 283ef75..86763e4 100644 --- a/tests/sec-l2b/env.sh +++ b/tests/sec-l2b/env.sh @@ -3,7 +3,7 @@ # Source this once before running stories: source tests/sec-l2b/env.sh export AA_ADMIN_SECRET="live-test-secret-32bytes-long-ok" -export AA_DB_PATH="/tmp/aa-sec-l2b/agentauth.db" +export AA_DB_PATH="/tmp/aa-sec-l2b/agentwrit.db" export AA_SIGNING_KEY_PATH="/tmp/aa-sec-l2b/signing.key" export AA_BIND_ADDRESS="127.0.0.1" export BROKER_URL="http://127.0.0.1:8080" diff --git a/tests/sec-l2b/evidence/story-S2-generic-revoked-error.md b/tests/sec-l2b/evidence/story-S2-generic-revoked-error.md index d56f0dd..5bdf58c 100644 --- a/tests/sec-l2b/evidence/story-S2-generic-revoked-error.md +++ b/tests/sec-l2b/evidence/story-S2-generic-revoked-error.md @@ -32,14 +32,14 @@ message "token is invalid or expired" — NOT "token has been revoked". Admin token: eyJhbGciOiJFZERTQSIsInR5cCI6Ik... --- Step 2: Create launch token and register agent --- -Agent ID: spiffe://agentauth.local/agent/s2-orch/s2-task/d72568a5b27b3fab +Agent ID: spiffe://agentwrit.local/agent/s2-orch/s2-task/790501763e589167 Agent token: eyJhbGciOiJFZERTQSIsInR5cCI6Ik... --- Step 3: Operator revokes the agent --- { "revoked": true, "level": "agent", - "target": "spiffe://agentauth.local/agent/s2-orch/s2-task/d72568a5b27b3fab", + "target": "spiffe://agentwrit.local/agent/s2-orch/s2-task/790501763e589167", "count": 1 } @@ -51,4 +51,4 @@ Agent token: eyJhbGciOiJFZERTQSIsInR5cCI6Ik... ## Verdict -PASS — The operator revoked agent spiffe://agentauth.local/agent/s2-orch/s2-task/d72568a5b27b3fab. When the app then validated the revoked token, the broker returned the generic message "token is invalid or expired" — identical to what it returns for any other bad token. The response does NOT say "token has been revoked". An attacker cannot tell whether the token was ever valid. +PASS — The operator revoked agent spiffe://agentwrit.local/agent/s2-orch/s2-task/790501763e589167. When the app then validated the revoked token, the broker returned the generic message "token is invalid or expired" — identical to what it returns for any other bad token. The response does NOT say "token has been revoked". An attacker cannot tell whether the token was ever valid. diff --git a/tests/sec-l2b/evidence/story-S3-renew-tampered-generic.md b/tests/sec-l2b/evidence/story-S3-renew-tampered-generic.md index fbb3dcf..e8758ab 100644 --- a/tests/sec-l2b/evidence/story-S3-renew-tampered-generic.md +++ b/tests/sec-l2b/evidence/story-S3-renew-tampered-generic.md @@ -36,13 +36,13 @@ Tampered token: eyJhbGciOiJFZERTQSIsInR5cCI6Ik...tampered HTTP response: jq: parse error: Invalid numeric literal at line 3, column 5 { - "type": "urn:agentauth:error:unauthorized", + "type": "urn:agentwrit:error:unauthorized", "title": "Unauthorized", "status": 401, "detail": "token verification failed", "instance": "/v1/token/renew", "error_code": "unauthorized", - "request_id": "599341393453d4a0" + "request_id": "e29a2963bd5e8f66" } ## Verdict diff --git a/tests/sec-l2b/integration.sh b/tests/sec-l2b/integration.sh index d841c41..ed3bf3d 100755 --- a/tests/sec-l2b/integration.sh +++ b/tests/sec-l2b/integration.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash # ───────────────────────────────────────────────────────────────── # SEC-L2b: Error Handling & Headers — Acceptance + Regression Tests -# Adapted for agentauth-core (no OIDC, no HITL, no sidecar, no cloud) +# Adapted for agentwrit-core (no OIDC, no HITL, no sidecar, no cloud) # ───────────────────────────────────────────────────────────────── # # Usage: @@ -50,7 +50,7 @@ skip() { SKIP=$((SKIP + 1)) } -banner "SEC-L2b Acceptance + Regression Tests (agentauth-core)" +banner "SEC-L2b Acceptance + Regression Tests (agentwrit-core)" echo " Broker: ${BROKER_URL}" echo " Date: $(date -u +%Y-%m-%dT%H:%M:%SZ)" diff --git a/tests/sec-l2b/user-stories.md b/tests/sec-l2b/user-stories.md index 3266433..10096f4 100644 --- a/tests/sec-l2b/user-stories.md +++ b/tests/sec-l2b/user-stories.md @@ -1,6 +1,6 @@ -# SEC-L2b: Error Handling & Headers — Acceptance Stories (agentauth-core) +# SEC-L2b: Error Handling & Headers — Acceptance Stories (agentwrit-core) -Adapted from legacy `agentauth/tests/fix-sec-l2b/user-stories.md`. +Adapted from the legacy pre-rename SEC-L2b test suite. Removed S5 (HSTS/TLS — optional, cert-dependent) and S7 (JWKS Cache-Control — OIDC, not in core). ## Precondition From ea5537dae5d96e2c92be1ac098b796597587c3f6 Mon Sep 17 00:00:00 2001 From: Divine Date: Wed, 13 May 2026 16:04:27 -0400 Subject: [PATCH 6/7] docs(changelog): record AgentAuth reference cleanup Refs #78 --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5808b81..3a35238 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Fixed — remaining current-surface AgentAuth references (2026-05-13) + +- Replaced stale current-surface `AgentAuth` / `agentauth` references with `AgentWrit` / `agentwrit` in CLI text, broker startup output, Go comments, Python SDK examples, config headers, contribution-policy text, and SEC-L2b setup files. +- Aligned TLS and mTLS compose overlays with `scripts/gen_test_certs.sh` by changing cert mounts from `/tmp/agentauth-certs` to `/tmp/agentwrit-certs`. +- Refreshed SEC-L2b S2/S3 evidence so recorded current runtime output uses `spiffe://agentwrit.local/...` and `urn:agentwrit:error:unauthorized`. +- Preserved older changelog history and the CI/gates watchdog regexes that intentionally mention legacy `agentauth` strings. + ### Fixed — Delegation framing aligned with non-strict subset behavior (2026-04-15) - Comments and docs in 9 places claimed delegation enforces strict narrowing ("strict subset", "only narrow", "narrower-scoped"). The actual `authz.ScopeIsSubset` is a non-strict containment check — equal scopes pass, and same-scope delegation is a deliberate pattern (e.g., fan-out to workers carrying the parent's full authority, verified by SDK acceptance Story 8). Wording corrected across `internal/deleg/deleg_svc.go`, `internal/authz/scope.go`, `README.md`, `docs/security-topology.md`, `docs/architecture.md`, `docs/roles.md`, `docs/common-tasks.md`, `docs/integration-patterns.md`, and the `docs/diagrams/security-topology.svg` callout label. Two source-file docstrings now carry a back-reference to issue #41 explaining why this is not a strict-subset check. Closes #41. From 9240ec11ee88f649721cb11462b78182abaa8f3c Mon Sep 17 00:00:00 2001 From: Divine Date: Wed, 13 May 2026 16:06:48 -0400 Subject: [PATCH 7/7] chore(ci): bump Go toolchain for govulncheck Refs #78 --- .github/workflows/ci.yml | 4 ++-- CHANGELOG.md | 1 + go.mod | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b49f2f1..2d8bbc6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -66,10 +66,10 @@ jobs: # DO NOT use golangci/golangci-lint-action here. Its pre-built # binaries are compiled against an older Go toolchain (≤ 1.23) # and exit 3 on our code because the go.mod toolchain directive - # is 1.25.9 — the embedded linter can't parse 1.25 stdlib/SSA. + # is 1.25.10 — the embedded linter can't parse 1.25 stdlib/SSA. # # Instead, `go install` golangci-lint from source. This compiles - # it with the CI runner's Go (matching our toolchain.go1.25.9) + # it with the CI runner's Go (matching our toolchain.go1.25.10) # so it parses the same way as local developers' brew-installed # binary. Migration to golangci-lint v2 (which fixes this) is # tracked for a later cycle. diff --git a/CHANGELOG.md b/CHANGELOG.md index 3a35238..5008cc1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Replaced stale current-surface `AgentAuth` / `agentauth` references with `AgentWrit` / `agentwrit` in CLI text, broker startup output, Go comments, Python SDK examples, config headers, contribution-policy text, and SEC-L2b setup files. - Aligned TLS and mTLS compose overlays with `scripts/gen_test_certs.sh` by changing cert mounts from `/tmp/agentauth-certs` to `/tmp/agentwrit-certs`. - Refreshed SEC-L2b S2/S3 evidence so recorded current runtime output uses `spiffe://agentwrit.local/...` and `urn:agentwrit:error:unauthorized`. +- Bumped the pinned Go toolchain from `go1.25.9` to `go1.25.10` so `govulncheck` no longer reports fixed standard-library vulnerabilities in CI. - Preserved older changelog history and the CI/gates watchdog regexes that intentionally mention legacy `agentauth` strings. ### Fixed — Delegation framing aligned with non-strict subset behavior (2026-04-15) diff --git a/go.mod b/go.mod index 1d97f8e..3f25d39 100644 --- a/go.mod +++ b/go.mod @@ -2,7 +2,7 @@ module github.com/devonartis/agentwrit go 1.24.0 -toolchain go1.25.9 +toolchain go1.25.10 require ( github.com/prometheus/client_golang v1.23.2