Module attest_factory

Factory helpers for building a Signer from CLI / config inputs.

The attest / verify-attest commands each need to turn a (algorithm, signer_kind, Config) quartet into a concrete Box<dyn Signer>. Centralising the dispatch keeps the commands thin and makes the algorithm -> signer-impl mapping a single place to audit.

Key material layout on disk (per docs/SPEC-ATTESTATIONS.md §6.1):

  • Ed25519 — path resolved from cfg.signing_key (default .mkit/keys/default.key). Shared with the commit signer. Not auto-generated — the caller must run mkit keygen first, matching mkit commit’s contract. This is the same property that closes the C1 attack surface (see docs/THREAT-MODEL.md): no command silently creates a key file from a path the config could control.
  • secp256k1 / p256 — path resolved from attest.{secp256k1,p256}_key_path (user-scoped only; default .mkit/keys/<algo>.key). Raw 32-byte secret, mode 0600. Same no-auto-generate contract; absent file → clear error.
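
The no-auto-generate contract for the raw 32-byte key files, sketched as an added example (not the crate's own code). `KeyLoadError` and `load_raw_secret` are hypothetical names, and rejecting files whose mode is broader than 0600 is an assumption: the layout above states the mode but not whether the loader enforces it.

```rust
use std::fs::{self, File};
use std::io::{ErrorKind, Read};
use std::os::unix::fs::PermissionsExt;
use std::path::Path;

/// Hypothetical error type for this example (not the crate's FactoryError).
#[derive(Debug, PartialEq)]
pub enum KeyLoadError {
    Missing(String),   // file absent: the caller must run keygen first
    BadMode(u32),      // group/other permission bits are set
    BadLength(usize),  // file is not exactly 32 bytes
    Io(String),
}

/// Load a raw 32-byte secret. The file is only ever opened read-only, so a
/// missing key is reported and never created as a side effect of signing.
pub fn load_raw_secret(path: &Path) -> Result<[u8; 32], KeyLoadError> {
    let f = File::open(path).map_err(|e| match e.kind() {
        ErrorKind::NotFound => KeyLoadError::Missing(path.display().to_string()),
        _ => KeyLoadError::Io(e.to_string()),
    })?;
    // Inspect the open handle, not the path, so the check and the read
    // apply to the same file.
    let meta = f.metadata().map_err(|e| KeyLoadError::Io(e.to_string()))?;
    let mode = meta.permissions().mode() & 0o777;
    if mode & 0o077 != 0 {
        return Err(KeyLoadError::BadMode(mode)); // assumption: strict 0600 policy
    }
    // Read at most 33 bytes: enough to tell "exactly 32" from "too long".
    let mut buf = Vec::with_capacity(33);
    f.take(33).read_to_end(&mut buf).map_err(|e| KeyLoadError::Io(e.to_string()))?;
    if buf.len() != 32 {
        return Err(KeyLoadError::BadLength(buf.len()));
    }
    let mut key = [0u8; 32];
    key.copy_from_slice(&buf);
    Ok(key)
}

fn main() {
    // Constructed sample: a throwaway all-0x42 "key" in the temp directory.
    let path = std::env::temp_dir().join("attest_example_p256.key");
    fs::write(&path, [0x42u8; 32]).unwrap();
    fs::set_permissions(&path, fs::Permissions::from_mode(0o600)).unwrap();
    println!("loaded ok: {}", load_raw_secret(&path).is_ok());
    println!("missing:   {:?}", load_raw_secret(Path::new("/nonexistent/x.key")));
    fs::remove_file(&path).unwrap();
}
```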

The external signer kind handles all three algorithms via a single subprocess binary; the algorithm is recorded so verification can dispatch the right crypto path without reparsing the keyid.

Enums

FactoryError
Errors the factory surfaces. Mapped to CLI exit codes by the caller.

Functions

build_signer
Build a signer.
parse_algorithm
Parse "ed25519" | "secp256k1" | "p256" into an Algorithm.