Expand description
Local identity and keystore: the per-machine keypair, signing, and on-disk state.
Owns everything under ~/.config/conclave (Constant::CONFIG_DIR_NAME): the machine’s own
Ed25519 keypair (the 32-byte seed wrapped in a secrecy SecretBox, never logged), and the
local config.toml — known-server registrations (username + machine name) and the permission
config (default level + per-(server, channel) / whisper overrides, DESIGN.md §9).
Auth is challenge-response: the machine signs a server-issued nonce and the server resolves the
public key to a (user, machine) (DESIGN.md §5). Keys are generated from OS entropy via ring’s
system RNG and the key pair is reconstructed from the seed on demand, so the private seed is only
ever materialized transiently for a signature.
Structs§
- Config
- The local machine configuration: identity-adjacent state and the permission policy.
- Identity
- This machine’s Ed25519 identity: a
secrecy-wrapped seed plus the derived public key. - Permission
Override - A local permission override, keyed by
(server, scope)(DESIGN.md §9). - Server
Registration - This machine’s registration on one server (DESIGN.md §5).
Enums§
- Auth
Error - Errors at the authentication / identity boundary (DESIGN.md §16), matched on by the server.
- Scope
- The scope a permission level resolves for.
Functions§
- decode_
key - Decodes a URL-safe base64 key string back to bytes.
- default_
config_ dir - The default keystore / config directory,
~/.config/conclave(Constant::CONFIG_DIR_NAME). - default_
handle - The default session handle for a working directory — its final path component (DESIGN.md §5).
- encode_
key - Encodes raw key bytes as a URL-safe base64 string — the canonical on-wire / on-disk key
encoding, symmetric with
decode_key. The server stores machine public keys this way. - generate_
challenge - Generates a fresh random challenge nonce (server-side, DESIGN.md §5).
- generate_
token - Mints a fresh, opaque invite token: 24 bytes of OS entropy, URL-safe base64 (DESIGN.md §6).
- load_
config - Loads the local configuration from
dir/config.toml, returning the default if it is absent. - load_
identity - Loads the identity whose seed is stored at
dir/key. - save_
config - Writes the local configuration to
dir/config.toml. - save_
identity - Writes the identity’s seed to
dir/keywith owner-only (0600) permissions. - session_
path - Builds a full participant path from a registration and a session handle.
- verify
- Verifies
signatureovermessageagainst the rawpublic_key.