agentic-identity 0.2.4

Cryptographic identity anchor for AI agents — persistent identity, signed actions, revocable trust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147

//! Receipt chain verification.
//!
//! Verifies the integrity of a sequence of chained receipts
//! by walking the `previous_receipt` links.

use super::receipt::ActionReceipt;
use super::verify::verify_receipt;
use crate::error::{IdentityError, Result};

/// Verify a chain of receipts (ordered from oldest to newest).
///
/// Checks that each receipt's `previous_receipt` correctly references
/// the preceding receipt, and that every signature is valid.
pub fn verify_chain(chain: &[ActionReceipt]) -> Result<bool> {
    if chain.is_empty() {
        return Ok(true);
    }

    // First receipt should have no previous
    if chain[0].previous_receipt.is_some() {
        // It's valid to verify a partial chain, so we don't fail here
    }

    for i in 0..chain.len() {
        // Verify each receipt's signature
        let verification = verify_receipt(&chain[i])?;
        if !verification.signature_valid {
            return Err(IdentityError::InvalidChain);
        }

        // For receipts after the first, verify chain links
        if i > 0 {
            let expected_prev = &chain[i - 1].id;
            match &chain[i].previous_receipt {
                Some(prev) if prev == expected_prev => {}
                _ => return Err(IdentityError::InvalidChain),
            }
        }
    }

    Ok(true)
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::identity::IdentityAnchor;
    use crate::receipt::action::{ActionContent, ActionType};
    use crate::receipt::receipt::ReceiptBuilder;

    #[test]
    fn test_verify_chain_valid() {
        let anchor = IdentityAnchor::new(None);

        let r1 = ReceiptBuilder::new(
            anchor.id(),
            ActionType::Observation,
            ActionContent::new("step 1"),
        )
        .sign(anchor.signing_key())
        .unwrap();

        let r2 = ReceiptBuilder::new(
            anchor.id(),
            ActionType::Decision,
            ActionContent::new("step 2"),
        )
        .chain_to(r1.id.clone())
        .sign(anchor.signing_key())
        .unwrap();

        let r3 = ReceiptBuilder::new(
            anchor.id(),
            ActionType::Mutation,
            ActionContent::new("step 3"),
        )
        .chain_to(r2.id.clone())
        .sign(anchor.signing_key())
        .unwrap();

        assert!(verify_chain(&[r1, r2, r3]).is_ok());
    }

    #[test]
    fn test_verify_chain_broken_link() {
        let anchor = IdentityAnchor::new(None);

        let r1 = ReceiptBuilder::new(
            anchor.id(),
            ActionType::Observation,
            ActionContent::new("step 1"),
        )
        .sign(anchor.signing_key())
        .unwrap();

        let r2 = ReceiptBuilder::new(
            anchor.id(),
            ActionType::Decision,
            ActionContent::new("step 2"),
        )
        .chain_to(r1.id.clone())
        .sign(anchor.signing_key())
        .unwrap();

        // r3 chains to r1 instead of r2 — broken chain
        let r3 = ReceiptBuilder::new(
            anchor.id(),
            ActionType::Mutation,
            ActionContent::new("step 3"),
        )
        .chain_to(r1.id.clone())
        .sign(anchor.signing_key())
        .unwrap();

        assert!(verify_chain(&[r1, r2, r3]).is_err());
    }

    #[test]
    fn test_verify_chain_5_receipts() {
        let anchor = IdentityAnchor::new(None);
        let mut chain = Vec::new();

        let r = ReceiptBuilder::new(
            anchor.id(),
            ActionType::Decision,
            ActionContent::new("receipt 0"),
        )
        .sign(anchor.signing_key())
        .unwrap();
        chain.push(r);

        for i in 1..5 {
            let prev_id = chain.last().unwrap().id.clone();
            let r = ReceiptBuilder::new(
                anchor.id(),
                ActionType::Decision,
                ActionContent::new(format!("receipt {i}")),
            )
            .chain_to(prev_id)
            .sign(anchor.signing_key())
            .unwrap();
            chain.push(r);
        }

        assert!(verify_chain(&chain).is_ok());
    }
}