devonartis · devonartis · May 13, 2026 · Apr 23, 2026 · Apr 23, 2026 · May 13, 2026
@@ -66,10 +66,10 @@ jobs:
       # DO NOT use golangci/golangci-lint-action here. Its pre-built
       # binaries are compiled against an older Go toolchain (≤ 1.23)
       # and exit 3 on our code because the go.mod toolchain directive
-      # is 1.25.9 — the embedded linter can't parse 1.25 stdlib/SSA.
+      # is 1.25.10 — the embedded linter can't parse 1.25 stdlib/SSA.
       #
       # Instead, `go install` golangci-lint from source. This compiles
-      # it with the CI runner's Go (matching our toolchain.go1.25.9)
+      # it with the CI runner's Go (matching our toolchain.go1.25.10)
       # so it parses the same way as local developers' brew-installed
       # binary. Migration to golangci-lint v2 (which fixes this) is
       # tracked for a later cycle.

@@ -82,9 +82,9 @@ jobs:
             core.info(`Author ${author} not exempt — closing PR per Decision 014`);
 
             const policy_comment = [
-              `Hi @${author}, thank you for your interest in AgentAuth!`,
+              `Hi @${author}, thank you for your interest in AgentWrit!`,
               '',
-              'Per our contribution policy ([Decision 014](https://github.com/' + owner + '/' + repo + '/blob/develop/CONTRIBUTING.md)), AgentAuth does not accept external code contributions at this time — including bug fixes.',
+              'Per our contribution policy ([Decision 014](https://github.com/' + owner + '/' + repo + '/blob/develop/CONTRIBUTING.md)), AgentWrit does not accept external code contributions at this time — including bug fixes.',
               '',
               'We actively welcome:',
               '- **Bug reports** — please [open an issue](https://github.com/' + owner + '/' + repo + '/issues/new)',

@@ -10,7 +10,7 @@
 /awrit
 /aactl
 /broker
-/agentauth-broker
+/agentwrit-broker
 /smoketest
 bin/
 

@@ -1,4 +1,4 @@
-# .golangci.yml — golangci-lint configuration for agentauth-core
+# .golangci.yml — golangci-lint configuration for agentwrit-core
 #
 # M-sec linter set: security-aware defaults plus the core Go linters.
 #

@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed — remaining current-surface AgentAuth references (2026-05-13)
+
+- Replaced stale current-surface `AgentAuth` / `agentauth` references with `AgentWrit` / `agentwrit` in CLI text, broker startup output, Go comments, Python SDK examples, config headers, contribution-policy text, and SEC-L2b setup files.
+- Aligned TLS and mTLS compose overlays with `scripts/gen_test_certs.sh` by changing cert mounts from `/tmp/agentauth-certs` to `/tmp/agentwrit-certs`.
+- Refreshed SEC-L2b S2/S3 evidence so recorded current runtime output uses `spiffe://agentwrit.local/...` and `urn:agentwrit:error:unauthorized`.
+- Bumped the pinned Go toolchain from `go1.25.9` to `go1.25.10` so `govulncheck` no longer reports fixed standard-library vulnerabilities in CI.
+- Preserved older changelog history and the CI/gates watchdog regexes that intentionally mention legacy `agentauth` strings.
+
 ### Fixed — Delegation framing aligned with non-strict subset behavior (2026-04-15)
 
 - Comments and docs in 9 places claimed delegation enforces strict narrowing ("strict subset", "only narrow", "narrower-scoped"). The actual `authz.ScopeIsSubset` is a non-strict containment check — equal scopes pass, and same-scope delegation is a deliberate pattern (e.g., fan-out to workers carrying the parent's full authority, verified by SDK acceptance Story 8). Wording corrected across `internal/deleg/deleg_svc.go`, `internal/authz/scope.go`, `README.md`, `docs/security-topology.md`, `docs/architecture.md`, `docs/roles.md`, `docs/common-tasks.md`, `docs/integration-patterns.md`, and the `docs/diagrams/security-topology.svg` callout label. Two source-file docstrings now carry a back-reference to issue #41 explaining why this is not a strict-subset check. Closes #41.

@@ -156,14 +156,14 @@ The Python SDK includes **MedAssist AI**: a FastAPI web app where a local LLM dy
 
 | Language | Repo | Install | Status |
 |----------|------|---------|--------|
-| **Python** | [agentwrit-python](docs/python-sdk.md) | `pip install agentauth` *(PyPI rename pending)* | v0.3.0 — 15 acceptance tests passing |
+| **Python** | [agentwrit-python](docs/python-sdk.md) | `pip install agentwrit` | v0.3.0 — 15 acceptance tests passing |
 | **TypeScript** | Coming soon | — | Planned |
 
 ```python
-from agentauth import AgentAuthApp
+from agentwrit import AgentWritApp
 
 # The SDK hides the Ed25519 challenge-response flow
-agent = AgentAuthApp(broker_url="http://localhost:8080").register(
+agent = AgentWritApp(broker_url="http://localhost:8080").register(
     launch_token=LAUNCH_TOKEN,
     task_id="read-customer-42",
     requested_scope=["read:data:customers:42"],

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: LicenseRef-PolyForm-Internal-Use-1.0.0
 
-// Command awrit is the operator CLI for the AgentAuth broker.
+// Command awrit is the operator CLI for the AgentWrit broker.
 package main
 
 // main is the entry point for the awrit binary.

@@ -16,8 +16,8 @@ var jsonOutput bool
 // rootCmd is the top-level cobra command that all subcommands are attached to.
 var rootCmd = &cobra.Command{
 	Use:   "awrit",
-	Short: "AgentAuth operator CLI",
-	Long:  "awrit is the operator CLI for managing the AgentAuth broker.",
+	Short: "AgentWrit operator CLI",
+	Long:  "awrit is the operator CLI for managing the AgentWrit broker.",
 }
 
 func init() {

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: LicenseRef-PolyForm-Internal-Use-1.0.0
 
-// Command broker starts the AgentAuth broker HTTP server.
+// Command broker starts the AgentWrit broker HTTP server.
 //
 // It wires all internal services together, registers routes on an
 // [http.ServeMux], and listens on the port configured by AA_PORT (default
@@ -222,7 +222,7 @@ func main() {
 		obs.Warn("BROKER", "main", "binding to 0.0.0.0 without TLS — use AA_TLS_MODE=tls in production")
 	}
 	obs.Ok("BROKER", "main", "starting broker", "addr="+addr, "version="+version)
-	fmt.Printf("AgentAuth broker v%s listening on %s\n", version, addr)
+	fmt.Printf("AgentWrit broker v%s listening on %s\n", version, addr)
 
 	if err := serve(c, addr, rootHandler, func() {
 		if err := sqlStore.Close(); err != nil {

@@ -1,6 +1,6 @@
 # mTLS overlay — mutual TLS (broker requires client cert).
 # Usage: docker compose -f docker-compose.yml -f docker-compose.mtls.yml up -d
-# Requires certs in /tmp/agentauth-certs (run scripts/gen_test_certs.sh first).
+# Requires certs in /tmp/agentwrit-certs (run scripts/gen_test_certs.sh first).
 services:
   broker:
     environment:
@@ -9,6 +9,6 @@ services:
       - AA_TLS_KEY=/certs/broker-key.pem
       - AA_TLS_CLIENT_CA=/certs/ca.pem
     volumes:
-      - /tmp/agentauth-certs:/certs:ro
+      - /tmp/agentwrit-certs:/certs:ro
     healthcheck:
       test: ["CMD", "curl", "-sf", "--cacert", "/certs/ca.pem", "--cert", "/certs/client.pem", "--key", "/certs/client-key.pem", "https://localhost:8080/v1/health"]
@@ -1,13 +1,13 @@
 # TLS overlay — one-way TLS (broker serves HTTPS).
 # Usage: docker compose -f docker-compose.yml -f docker-compose.tls.yml up -d
-# Requires certs in /tmp/agentauth-certs (run scripts/gen_test_certs.sh first).
+# Requires certs in /tmp/agentwrit-certs (run scripts/gen_test_certs.sh first).
 services:
   broker:
     environment:
       - AA_TLS_MODE=tls
       - AA_TLS_CERT=/certs/broker.pem
       - AA_TLS_KEY=/certs/broker-key.pem
     volumes:
-      - /tmp/agentauth-certs:/certs:ro
+      - /tmp/agentwrit-certs:/certs:ro
     healthcheck:
       test: ["CMD", "curl", "-sf", "--cacert", "/certs/ca.pem", "https://localhost:8080/v1/health"]
@@ -7,9 +7,9 @@
 The Python SDK wraps the broker's Ed25519 challenge-response registration flow into simple function calls. You don't need to manage nonces, signatures, or token renewal manually.
 
 ```python
-from agentauth import AgentAuthApp
+from agentwrit import AgentWritApp
 
-agent = AgentAuthApp(broker_url="http://localhost:8080").register(
+agent = AgentWritApp(broker_url="http://localhost:8080").register(
     launch_token=LAUNCH_TOKEN,
     task_id="read-customer-42",
     requested_scope=["read:data:customers:42"],
@@ -27,7 +27,7 @@ agent.release()
 - **v0.3.0** — 15 acceptance tests passing against a live broker
 - Full agent lifecycle: register, renew, delegate, release
 - Scope checking and validation helpers
-- `pip install agentauth` *(PyPI rename to `agentwrit` pending)*
+- `pip install agentwrit`
 
 ## In the meantime
 

@@ -2,7 +2,7 @@ module github.com/devonartis/agentwrit
 
 go 1.24.0
 
-toolchain go1.25.9
+toolchain go1.25.10
 
 require (
 	github.com/prometheus/client_golang v1.23.2

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: LicenseRef-PolyForm-Internal-Use-1.0.0
 
 // Package authz provides scope-based authorization and Bearer token
-// validation middleware for the AgentAuth broker.
+// validation middleware for the AgentWrit broker.
 //
 // # Scope Model
 //

@@ -14,7 +14,7 @@ import (
 func TestLoadConfigFile_ValidDevConfig(t *testing.T) {
 	dir := t.TempDir()
 	cfgPath := filepath.Join(dir, "config")
-	content := "# AgentAuth Configuration\nMODE=development\nADMIN_SECRET=my-test-secret\n"
+	content := "# AgentWrit Configuration\nMODE=development\nADMIN_SECRET=my-test-secret\n"
 	if err := os.WriteFile(cfgPath, []byte(content), 0600); err != nil {
 		t.Fatal(err)
 	}

@@ -9,7 +9,7 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 )
 
-// NewSpiffeId constructs a SPIFFE ID in the AgentAuth canonical format:
+// NewSpiffeId constructs a SPIFFE ID in the AgentWrit canonical format:
 //
 //	spiffe://{trustDomain}/agent/{orchID}/{taskID}/{instanceID}
 //
@@ -31,7 +31,7 @@ func NewSpiffeId(trustDomain, orchID, taskID, instanceID string) (string, error)
 }
 
 // ParseSpiffeId validates a SPIFFE ID string and extracts its path
-// components. The path must follow the AgentAuth format
+// components. The path must follow the AgentWrit format
 // /agent/{orchID}/{taskID}/{instanceID}. It returns an error if the ID
 // is malformed or does not match the expected structure.
 func ParseSpiffeId(id string) (orchID, taskID, instanceID string, err error) {

@@ -4,7 +4,7 @@
 // three-step cryptographic handshake protocol.
 //
 // The protocol guarantees that both communicating agents hold valid
-// AgentAuth tokens and registered Ed25519 key pairs. The three steps are:
+// AgentWrit tokens and registered Ed25519 key pairs. The three steps are:
 //
 //  1. [MutAuthHdl.InitiateHandshake] — the initiator verifies its own
 //     token and the target agent's registration, then produces a

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: LicenseRef-PolyForm-Internal-Use-1.0.0
 
 // Package obs provides structured logging and Prometheus metrics for the
-// AgentAuth broker.
+// AgentWrit broker.
 //
 // # Logging
 //

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: LicenseRef-PolyForm-Internal-Use-1.0.0
 
-// Package revoke provides four-level token revocation for the AgentAuth
+// Package revoke provides four-level token revocation for the AgentWrit
 // broker.
 //
 // Revocation operates at four granularity levels:

@@ -1,11 +1,11 @@
 // SPDX-License-Identifier: LicenseRef-PolyForm-Internal-Use-1.0.0
 
 // Package token implements EdDSA (Ed25519) JWT token issuance, verification,
-// and renewal for the AgentAuth broker.
+// and renewal for the AgentWrit broker.
 //
 // Tokens follow the compact JWT serialization (header.payload.signature) with
 // algorithm "EdDSA". Claims include standard fields (iss, sub, exp, nbf, iat,
-// jti) plus AgentAuth extensions (scope, task_id, orch_id, delegation_chain).
+// jti) plus AgentWrit extensions (scope, task_id, orch_id, delegation_chain).
 //
 // The issuer (iss claim) is operator-configured via cfg.Issuer (env: AA_ISSUER).
 // Empty cfg.Issuer skips issuer enforcement on verify, mirroring the Audience
@@ -28,7 +28,7 @@ var (
 	ErrNoExpiry         = errors.New("token has no expiry")
 )
 
-// TknClaims represents the JWT payload for an AgentAuth token. Standard
+// TknClaims represents the JWT payload for an AgentWrit token. Standard
 // registered claims (iss, sub, aud, exp, nbf, iat, jti) are complemented
 // by private claims for scope enforcement, task tracking, and delegation.
 type TknClaims struct {

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-# gates.sh — quality gate runner for AgentAuth (M-sec)
+# gates.sh — quality gate runner for AgentWrit Core (M-sec)
 #
 # Usage:
 #   ./scripts/gates.sh task          Fast dev-loop gates (build/vet/lint/format/

@@ -3,7 +3,7 @@
 # Source this once before running stories:  source tests/sec-l2b/env.sh
 
 export AA_ADMIN_SECRET="live-test-secret-32bytes-long-ok"
-export AA_DB_PATH="/tmp/aa-sec-l2b/agentauth.db"
+export AA_DB_PATH="/tmp/aa-sec-l2b/agentwrit.db"
 export AA_SIGNING_KEY_PATH="/tmp/aa-sec-l2b/signing.key"
 export AA_BIND_ADDRESS="127.0.0.1"
 export BROKER_URL="http://127.0.0.1:8080"

@@ -32,14 +32,14 @@ message "token is invalid or expired" — NOT "token has been revoked".
 Admin token: eyJhbGciOiJFZERTQSIsInR5cCI6Ik...
 
 --- Step 2: Create launch token and register agent ---
-Agent ID: spiffe://agentauth.local/agent/s2-orch/s2-task/d72568a5b27b3fab
+Agent ID: spiffe://agentwrit.local/agent/s2-orch/s2-task/790501763e589167
 Agent token: eyJhbGciOiJFZERTQSIsInR5cCI6Ik...
 
 --- Step 3: Operator revokes the agent ---
 {
   "revoked": true,
   "level": "agent",
-  "target": "spiffe://agentauth.local/agent/s2-orch/s2-task/d72568a5b27b3fab",
+  "target": "spiffe://agentwrit.local/agent/s2-orch/s2-task/790501763e589167",
   "count": 1
 }
 
@@ -51,4 +51,4 @@ Agent token: eyJhbGciOiJFZERTQSIsInR5cCI6Ik...
 
 ## Verdict
 
-PASS — The operator revoked agent spiffe://agentauth.local/agent/s2-orch/s2-task/d72568a5b27b3fab. When the app then validated the revoked token, the broker returned the generic message "token is invalid or expired" — identical to what it returns for any other bad token. The response does NOT say "token has been revoked". An attacker cannot tell whether the token was ever valid.
+PASS — The operator revoked agent spiffe://agentwrit.local/agent/s2-orch/s2-task/790501763e589167. When the app then validated the revoked token, the broker returned the generic message "token is invalid or expired" — identical to what it returns for any other bad token. The response does NOT say "token has been revoked". An attacker cannot tell whether the token was ever valid.
@@ -36,13 +36,13 @@ Tampered token: eyJhbGciOiJFZERTQSIsInR5cCI6Ik...tampered
 HTTP response:
 jq: parse error: Invalid numeric literal at line 3, column 5
 {
-  "type": "urn:agentauth:error:unauthorized",
+  "type": "urn:agentwrit:error:unauthorized",
   "title": "Unauthorized",
   "status": 401,
   "detail": "token verification failed",
   "instance": "/v1/token/renew",
   "error_code": "unauthorized",
-  "request_id": "599341393453d4a0"
+  "request_id": "e29a2963bd5e8f66"
 }
 
 ## Verdict

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # ─────────────────────────────────────────────────────────────────
 # SEC-L2b: Error Handling & Headers — Acceptance + Regression Tests
-# Adapted for agentauth-core (no OIDC, no HITL, no sidecar, no cloud)
+# Adapted for agentwrit-core (no OIDC, no HITL, no sidecar, no cloud)
 # ─────────────────────────────────────────────────────────────────
 #
 # Usage:
@@ -50,7 +50,7 @@ skip() {
   SKIP=$((SKIP + 1))
 }
 
-banner "SEC-L2b Acceptance + Regression Tests (agentauth-core)"
+banner "SEC-L2b Acceptance + Regression Tests (agentwrit-core)"
 echo "  Broker: ${BROKER_URL}"
 echo "  Date:   $(date -u +%Y-%m-%dT%H:%M:%SZ)"
 

@@ -1,6 +1,6 @@
-# SEC-L2b: Error Handling & Headers — Acceptance Stories (agentauth-core)
+# SEC-L2b: Error Handling & Headers — Acceptance Stories (agentwrit-core)
 
-Adapted from legacy `agentauth/tests/fix-sec-l2b/user-stories.md`.
+Adapted from the legacy pre-rename SEC-L2b test suite.
 Removed S5 (HSTS/TLS — optional, cert-dependent) and S7 (JWKS Cache-Control — OIDC, not in core).
 
 ## Precondition
-Original file line number
+Diff line change
@@ Expand Up / @@ -10,7 +10,7 @@ @@
     /awrit
     /aactl
     /broker
-    /agentauth-broker
+    /agentwrit-broker
     /smoketest
     bin/
@@ Expand Down @@