Skip to main content

auths_cli/commands/
verify_helpers.rs

1use anyhow::{Context, Result, anyhow};
2
3/// The project's pinned trusted roots, read from `<git-toplevel>/.auths/roots` — the
4/// committed trust declaration seeded by `auths init`. Empty when run outside a repo or
5/// when nothing is pinned (so every commit is `RootNotPinned` until a root is pinned).
6///
7/// Usage:
8/// ```ignore
9/// let roots = load_project_pinned_roots();
10/// ```
11pub fn load_project_pinned_roots() -> Vec<String> {
12    let Ok(output) = crate::subprocess::git_command(&["rev-parse", "--show-toplevel"]).output()
13    else {
14        return Vec::new();
15    };
16    if !output.status.success() {
17        return Vec::new();
18    }
19    let root = std::path::PathBuf::from(String::from_utf8_lossy(&output.stdout).trim());
20    auths_sdk::workflows::roots::load_pinned_roots(
21        &crate::adapters::config_store::FileConfigStore,
22        &root.join(".auths"),
23    )
24    .unwrap_or_default()
25}
26
27/// Parse witness key arguments ("did:key:z6Mk...:abcd1234...") into (DID, pk_bytes) tuples.
28pub fn parse_witness_keys(keys: &[String]) -> Result<Vec<(String, Vec<u8>)>> {
29    keys.iter()
30        .map(|s| {
31            // Find the last ':' to split DID from hex key
32            let last_colon = s
33                .rfind(':')
34                .ok_or_else(|| anyhow!("Invalid witness key format '{}': expected format: <did>:<public_key_hex> (e.g. did:key:z6Mk...:abcd1234)", s))?;
35            let did = &s[..last_colon];
36            let pk_hex = &s[last_colon + 1..];
37            let pk_bytes = hex::decode(pk_hex)
38                .with_context(|| format!("Invalid hex in witness key for '{}'", did))?;
39            Ok((did.to_string(), pk_bytes))
40        })
41        .collect()
42}