Skip to main content

Module identity

Module identity 

Source
Expand description

Local identity and keystore: the per-machine keypair, signing, and on-disk state.

Owns everything under ~/.config/conclave (Constant::CONFIG_DIR_NAME): the machine’s own Ed25519 keypair (the 32-byte seed wrapped in a secrecy SecretBox, never logged), and the local config.toml — known-server registrations (username + machine name) and the permission config (default level + per-(server, channel) / whisper overrides, DESIGN.md §9).

Auth is challenge-response: the machine signs a server-issued nonce and the server resolves the public key to a (user, machine) (DESIGN.md §5). Keys are generated from OS entropy via ring’s system RNG and the key pair is reconstructed from the seed on demand, so the private seed is only ever materialized transiently for a signature.

Structs§

Config
The local machine configuration: identity-adjacent state and the permission policy.
Identity
This machine’s Ed25519 identity: a secrecy-wrapped seed plus the derived public key.
PermissionOverride
A local permission override, keyed by (server, scope) (DESIGN.md §9).
ServerRegistration
This machine’s registration on one server (DESIGN.md §5).

Enums§

AuthError
Errors at the authentication / identity boundary (DESIGN.md §16), matched on by the server.
Scope
The scope a permission level resolves for.

Functions§

decode_key
Decodes a URL-safe base64 key string back to bytes.
default_config_dir
The default keystore / config directory, ~/.config/conclave (Constant::CONFIG_DIR_NAME).
default_handle
The default session handle for a working directory — its final path component (DESIGN.md §5).
encode_key
Encodes raw key bytes as a URL-safe base64 string — the canonical on-wire / on-disk key encoding, symmetric with decode_key. The server stores machine public keys this way.
generate_challenge
Generates a fresh random challenge nonce (server-side, DESIGN.md §5).
generate_token
Mints a fresh, opaque invite token: 24 bytes of OS entropy, URL-safe base64 (DESIGN.md §6).
load_config
Loads the local configuration from dir/config.toml, returning the default if it is absent.
load_identity
Loads the identity whose seed is stored at dir/key.
save_config
Writes the local configuration to dir/config.toml.
save_identity
Writes the identity’s seed to dir/key with owner-only (0600) permissions.
session_path
Builds a full participant path from a registration and a session handle.
verify
Verifies signature over message against the raw public_key.