tenzro-identity
Unified identity protocol for humans and machines on the Tenzro Network.
Overview
tenzro-identity implements the Tenzro Decentralized Identity Protocol (TDIP), providing a comprehensive identity system that treats humans and AI agents as first-class citizens. The crate supports W3C DID Documents, verifiable credentials with recursive trust chain verification, fine-grained delegation scopes, cascading revocation, and automatic FROST-Ed25519 threshold wallet provisioning for every identity.
The protocol recognises three identity classes under the did:tenzro: namespace:
- Human —
did:tenzro:human:{uuid}, KYC-tiered, controls zero or more delegated agents - Delegated agent —
did:tenzro:machine:{controller}:{uuid}, machine under a human controller, scoped byDelegationScope - Autonomous agent —
did:tenzro:machine:{uuid}, self-sovereign machine, no controller
Key Types
- TenzroIdentity — Unified identity type for both human and machine identities with JSON serialization (
to_bytes()/from_bytes()) - TenzroDid — DID parser/formatter supporting all three identity classes:
did:tenzro:human:{uuid},did:tenzro:machine:{controller}:{uuid}(delegated),did:tenzro:machine:{uuid}(autonomous). Three constructors:new_human(),new_machine(controller_id),new_autonomous_machine() - IdentityData — Enum distinguishing Human (display_name, KYC tier, controlled_machines) from Machine (capabilities, delegation_scope, controller_did, reputation, tenzro_agent_id,
is_seed_agent). The two machine sub-classes (delegated vs autonomous) are distinguished bycontroller_did: Option<String>—Some(human_did)= delegated,None= autonomous. is_seed_agent— Immutable boolean onIdentityData::Machineset at registration, exposed viaTenzroIdentity::is_seed_agent(). Drives the SeedAgent counterparty filter (CounterpartyFilter::deny_other_seed_agents) and lets organic-activity metrics exclude protocol-owned bootstrap traffic during the 12-month earmark window.- IdentityRegistry — Thread-safe central store using DashMap with cascading revocation, pluggable
DidResolutionBackendandRevocationBroadcaster, username registry, and RocksDB write-through persistence viaKvStore - IdentityVerifier — Trust chain verifier with recursive
verify_credential_chain(), cycle detection, configurable depth bound (default 10), and trust-root anchoring - VerifiableCredential — W3C VC-compatible credential issuance, inheritance via
inherit_credential(), and cryptographic proof verification - CredentialProof — Ed25519/Secp256k1 signature proofs with
verify()method usingtenzro_crypto::signatures::verify() - DelegationScope — Fine-grained permissions: max_transaction_value, max_daily_spend, allowed_operations, allowed_contracts, time_bound, allowed_payment_protocols, allowed_chains
- DelegationEntry — Delegation record with grantor, grantee, scope, and revocation status
- DidDocument — W3C DID Document export/import for interoperability via
identity_to_did_document()andextract_public_keys_from_document() - WalletBinder — Automatic FROST-Ed25519 wallet provisioning for every identity (2-of-3 threshold, RFC 9591)
- KycTier — Verification levels: Unverified (0), Basic (1), Enhanced (2), Full (3) — upgradable via
update_kyc_tier_with_credential()
Features
- 10 modules: credential, delegation, did, document, error, identity, registry, verification, w3c, wallet_binding
- W3C Standards: Full DID Core 1.0 and Verifiable Credentials Data Model v2.0 support
- Unified Protocol: Single
TenzroIdentitytype covering all three identity classes (human / delegated agent / autonomous agent) - Delegation Enforcement: Fine-grained permission scopes with
enforce_operation()returning typedDelegationViolationerrors - Credential Inheritance: Machine agents inherit credentials from controllers via
inherit_credential() - Recursive Trust Chain Verification:
IdentityVerifier::verify_credential_chain()with cycle detection, depth bound, and trust-root anchoring - Cascading Revocation: Revoking a human identity automatically revokes all controlled machines via
apply_remote_revocation() - Right to Erasure (GDPR Article 17): Two-phase flow —
revoke_identitypropagates the status change, thenforget_identityhard-deletes fromCF_IDENTITIESand the in-memory registry. The DID must already be inRevokedstatus. Surfaced astenzro_forgetIdentityRPC, MCPforget_identitytool, and CLItenzro identity forget <did>. - Pluggable Backends:
DidResolutionBackendfor RPC fallback,RevocationBroadcasterfor cross-node propagation - Credential-Gated KYC:
update_kyc_tier_with_credential()requires valid KYC credential to upgrade tier - Username Registry: Unique lowercase alphanumeric + underscore names (3-20 chars) with
register_username()/resolve_username() - Auto-Provisioned Wallets: Every identity gets a 2-of-3 FROST-Ed25519 threshold wallet (RFC 9591) via
WalletBinder - Write-Through Persistence: RocksDB storage via
KvStoretrait withCF_IDENTITIEScolumn family - ERC-8004 Trustless Agents Registry (cross-VM trio): Three adapter modules drive a single ERC-8004 v0.6+ semantic across all three VMs from one TDIP
register_machine_with_feewrite. The TDIPIdentityData::Machine.erc8004_agent_idfield captures the EVM allocation (sequentialuint256, 1-indexed, server-allocated); SVM and DAML use their own per-backend id shapes (32-byte Pubkey, 8-byte LE u64). Reverse DID → id lookup viaOnChainAgentRegistry::lookup_agent_id_by_did(EVM) /OnChainAgentSvmRegistry::lookup_agent_id_by_did(SVM) /OnChainAgentDamlRegistry::lookup_agent_id_by_did(DAML).erc8004— EVM adapter: calldata encoders forregister()/register(string)/register(string,(string,bytes)[])/getAgent/submitFeedback/validationRequest/validationResponse(full v0.6+ surface) plus ABI decoders. Selectors are byte-identical to the Tenzro VM precompiles0x101a/0x101b/0x101c, so the same calldata works against either the native registry or an Ethereum mirror. Canonical OpenZeppelin-ERC721 upgradeable proxies deployed at genesis ataddresses::{IDENTITY_REGISTRY, REPUTATION_REGISTRY, VALIDATION_REGISTRY}.erc8004_svm— SVM adapter: emits Anchor-formatted instruction calldata via theOnChainAgentSvmRegistrytrait, targeting the vendored QuantuLabs Anchor program (https://github.com/QuantuLabs/erc-8004-svm). Nosolana-sdkdep is pulled into this crate by design — the operator-side mirror buffers payloads and drains to a Solana RPC.erc8004_daml— DAML adapter: emits Canton Ledger JSON API v2submit-and-waitcommands asserde_json::Valuevia theOnChainAgentDamlRegistrytrait, targeting the Tenzro-authored Canton package atvendor/erc8004-daml/daml/Tenzro/Erc8004/{Identity,Reputation,Validation}.daml. Notonicor Canton-client deps in this crate by design. Two-party admin+controller signatory model preserves "single canonical state" without amsg.senderequivalent. Package id (= SHA-256 of compiled.dar) is supplied at registry construction viaDamlPackageIds.
- 85 Tests: Comprehensive unit and integration tests covering all features
Usage
use ;
use KycTier;
use Arc;
async
Dependencies
- tenzro-types — Core types and primitives (KycTier, PaymentProtocolId, IdentityType, Address)
- tenzro-crypto — Cryptographic operations (Ed25519, Secp256k1, signatures::verify)
- tenzro-wallet — FROST-Ed25519 threshold wallet provisioning (2-of-3, RFC 9591, Argon2id keystore)
- tenzro-storage — KvStore trait for RocksDB write-through persistence
Production Features
All features confirmed production-ready (85 passing tests):
- Delegation Enforcement:
enforce_operation()returns typedDelegationViolationspecifying max_value, protocol, chain, or time_bound violations - Pluggable Resolution:
DidResolutionBackendtrait for blockchain/RPC fallback when DIDs not found locally - Credential-Gated KYC:
update_kyc_tier_with_credential()requires valid KYC credential to upgrade tier - Pluggable Revocation Broadcasting:
RevocationBroadcastertrait for cross-node cascading revocation + inboundapply_remote_revocation() - Recursive Trust Chain Verification:
IdentityVerifier::verify_credential_chain()with cycle detection (HashSet), depth bound (default 10), trust-root anchoring - RocksDB Persistence: Write-through to
CF_IDENTITIESviaKvStoretrait, JSON serialization for identity records - Username Registry: Unique lowercase alphanumeric + underscore names (3-20 chars), bidirectional DID↔username mapping
License
Licensed under either of:
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.