Skip to main content

auths_cli/commands/
demo.rs

1use std::time::Instant;
2
3use anyhow::{Context, Result, anyhow};
4use chrono::Utc;
5use serde_json::Value;
6
7use auths_sdk::domains::signing::service::sign_artifact_ephemeral;
8
9use crate::commands::executable::ExecutableCommand;
10use crate::config::CliConfig;
11use crate::ux::format::Output;
12
13/// Synthetic commit SHA stamped into the demo attestation.
14///
15/// `sign_artifact_ephemeral` binds provenance to a 40/64-hex commit SHA, but the
16/// demo signs ad-hoc bytes rather than a real commit — this recognizable placeholder
17/// keeps the call valid without pretending to reference a real commit.
18const DEMO_COMMIT_SHA: &str = "0000000000000000000000000000000000000000";
19
20#[derive(Debug, clap::Args)]
21#[command(about = "Sign and verify a demo artifact — works offline, no setup or registry needed")]
22pub struct DemoCommand {}
23
24impl ExecutableCommand for DemoCommand {
25    fn execute(&self, _ctx: &CliConfig) -> Result<()> {
26        let out = Output::new();
27        let data = b"Hello, Auths!\n";
28
29        // Sign with an ephemeral in-process key: no identity, no keychain, no Secure
30        // Enclave — so the "aha" works the instant the binary is installed and never
31        // blocks on a Touch ID prompt (even on a TTY-less CI shell).
32        let t_sign = Instant::now();
33        let sign_result = sign_artifact_ephemeral(
34            Utc::now(),
35            data,
36            Some("demo.txt".into()),
37            DEMO_COMMIT_SHA.into(),
38            None,
39            Some("auths demo — local only".into()),
40            None,
41        )
42        .map_err(|e| anyhow!("{}", e))?;
43        let sign_ms = t_sign.elapsed().as_millis();
44
45        // Verify locally: the digest the attestation commits to must match what we signed.
46        let t_verify = Instant::now();
47        let attestation: Value = serde_json::from_str(&sign_result.attestation_json)
48            .context("failed to parse attestation")?;
49        let stored_digest = attestation
50            .pointer("/payload/digest/hex")
51            .and_then(|v| v.as_str())
52            .context("attestation missing payload digest")?;
53        if stored_digest != sign_result.digest {
54            anyhow::bail!(
55                "demo verification failed: digest mismatch\n  expected: {}\n  got:      {}",
56                sign_result.digest,
57                stored_digest
58            );
59        }
60        let verify_ms = t_verify.elapsed().as_millis();
61
62        let issuer = attestation
63            .pointer("/issuer")
64            .and_then(|v| v.as_str())
65            .unwrap_or("(unknown)");
66
67        out.print_heading("Auths Demo");
68        out.println("");
69        out.println(&out.key_value("Demo identity", issuer));
70        out.println(&out.key_value("Signed in", &format!("{sign_ms}ms")));
71        out.println(&out.key_value("Verified in", &format!("{verify_ms}ms")));
72        out.println("");
73        out.print_success("Signed + verified locally — no network, no setup required.");
74        out.println("");
75        out.println(
76            "This used a throwaway demo key. Run `auths init` to sign with your real identity.",
77        );
78
79        Ok(())
80    }
81}