Module enroll


RFC-001 — operator / organization enrollment (producer side).

The verifier side (org_membership, pair_decision, org_policy) consumes identity claims; this is the half that produces them. Pure over the supplied keypairs — key STORAGE (where the operator’s / org’s private keys live on disk) is the CLI’s concern, deliberately not here, so this stays unit-testable and reusable by the CLI, the live agent, and the e2e alike.

Two operations:

  • an org issues a membership cert for an operator (issue_member_cert): the org key signs the operator’s op_did;
  • an operator assembles its session claims (build_member_claims): produces op_cert by signing the session DID with the operator key, and carries op_pubkey + each org’s pubkey inline so the resulting card verifies fully offline (#94).
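The two operations above, plus the receiver-side check they are built for, as an added example that is not part of this module or of the project. It is written in Go rather than the project’s Rust purely because Go’s standard library ships Ed25519 and base64 so it runs with no dependencies; the struct shapes, the `trustedOrgs` pin list standing in for org_policy, and the DIDs are all assumptions for illustration. The point it adds beyond the description: an inline org_pubkey only proves that the key presented next to the cert signed it, so the receiver must decide which org keys it trusts, or anyone can mint an “org” key and vouch for themselves.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// MemberOf follows the page's struct: one org membership an operator holds.
// MemberCert is produced by the org via IssueMemberCert; the org's public key
// travels inline so the receiver never has to look it up.
type MemberOf struct {
	OrgDID     string
	OrgPubkey  ed25519.PublicKey
	MemberCert string // base64, org key over op_did (UTF-8 bytes)
}

// IdentityClaims is an assumed stand-in for the page's v3.2 IdentityClaims.
type IdentityClaims struct {
	OpDID       string
	OpPubkey    ed25519.PublicKey
	OpCert      string // base64, op key over the session DID
	Memberships []MemberOf
}

// IssueMemberCert: the org's key signs the operator's op_did (UTF-8 bytes).
// Where orgPriv lives on disk is the caller's concern, as on the page.
func IssueMemberCert(orgPriv ed25519.PrivateKey, opDID string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(orgPriv, []byte(opDID)))
}

// BuildMemberClaims assembles what a session presents: op_cert binds the
// operator key to this session DID, and each membership carries its org pubkey.
func BuildMemberClaims(opPriv ed25519.PrivateKey, opDID, sessionDID string, members []MemberOf) IdentityClaims {
	return IdentityClaims{
		OpDID:       opDID,
		OpPubkey:    opPriv.Public().(ed25519.PublicKey),
		OpCert:      base64.StdEncoding.EncodeToString(ed25519.Sign(opPriv, []byte(sessionDID))),
		Memberships: members,
	}
}

// VerifyClaims is the receiver-side check, fully offline: every key it needs is
// inline. trustedOrgs is the receiver's own pin list (assumed stand-in for
// org_policy); without it a self-minted org key would pass the signature check.
func VerifyClaims(c IdentityClaims, sessionDID string, trustedOrgs map[string]ed25519.PublicKey) error {
	opSig, err := base64.StdEncoding.DecodeString(c.OpCert)
	if err != nil {
		return fmt.Errorf("op_cert: %w", err)
	}
	if !ed25519.Verify(c.OpPubkey, []byte(sessionDID), opSig) {
		return errors.New("op_cert does not bind op_pubkey to this session DID")
	}
	for _, m := range c.Memberships {
		pinned, ok := trustedOrgs[m.OrgDID]
		if !ok || !pinned.Equal(m.OrgPubkey) {
			return fmt.Errorf("org %s: inline org_pubkey is not a trusted key", m.OrgDID)
		}
		sig, err := base64.StdEncoding.DecodeString(m.MemberCert)
		if err != nil {
			return fmt.Errorf("org %s member_cert: %w", m.OrgDID, err)
		}
		if !ed25519.Verify(m.OrgPubkey, []byte(c.OpDID), sig) {
			return fmt.Errorf("org %s: member_cert does not cover op_did %q", m.OrgDID, c.OpDID)
		}
	}
	return nil
}

func main() {
	// Constructed keys and DIDs; nothing here is a real identity.
	orgPub, orgPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, opPriv, _ := ed25519.GenerateKey(rand.Reader)
	opDID, sessionDID := "did:example:op-alice", "did:example:session-1"

	cert := IssueMemberCert(orgPriv, opDID)
	claims := BuildMemberClaims(opPriv, opDID, sessionDID, []MemberOf{{"did:example:org-acme", orgPub, cert}})
	trusted := map[string]ed25519.PublicKey{"did:example:org-acme": orgPub}

	fmt.Println("valid card:", VerifyClaims(claims, sessionDID, trusted))
	fmt.Println("replayed under another session:", VerifyClaims(claims, "did:example:session-2", trusted))
}
```

Because op_cert is a signature over the session DID, a card captured from one session fails under another; because member_cert is a signature over op_did, rewriting the operator identity on the card invalidates every membership. Neither check catches a forged org unless the receiver pins org keys.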

Structs§

MemberOf
One org membership an operator holds, ready to assemble into card claims. member_cert is produced by the org via issue_member_cert.

Functions§

build_member_claims
Assemble the v3.2 IdentityClaims a session presents.
issue_member_cert
An org issues a membership cert for an operator: the org’s key signs the operator’s op_did (UTF-8 bytes). The operator carries the returned base64 cert in its card; a receiver verifies it with identity::verify_member_cert against the inline org_pubkey.
rebuild_card_with_current_claims
Rebuild the on-disk agent card with the current enrollment state and re-sign it. Closes the enroll-after-init DX gap: claims are normally attached at card-build time (init::init_self_idempotent / cli.rs init via with_op_claims_if_enrolled), but an operator who enrolls AFTER init has a stored card that pre-dates the claims. This reads the stored card, strips any pre-existing identity-claim fields + signature, overlays the current claims via the same helper used at init, re-signs with the existing session key, and writes the card back. Pure rebuild — does NOT publish; callers (the wire enroll republish CLI dispatcher) chain the existing republish_card_to_phonebook to push to the phonebook. Bails if wire init hasn’t run; idempotent when not enrolled (strips stale claims → identical to a freshly-init’d non-enrolled card → re-signed → written).
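The strip / overlay / re-sign sequence described for rebuild_card_with_current_claims and the unsigned card-emit step of with_op_claims_if_enrolled, as an added example that is not the project’s code. Go is used again for its dependency-free Ed25519; the Card and OpClaims shapes, the JSON encoding, and the field names are assumptions, and the claims struct is deliberately reduced to the fields needed to show the mechanics. What it demonstrates beyond the description: the signature covers the claims, so claims appended to a stored card without re-signing fail verification, and the not-enrolled rebuild is byte-identical to a freshly-init’d card (Ed25519 is deterministic, so even the signature matches).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// OpClaims is a reduced stand-in for the identity claims build_member_claims
// would produce; only the overlay/strip mechanics matter in this example.
type OpClaims struct {
	OpDID string   `json:"op_did"`
	Orgs  []string `json:"orgs"`
}

// Card is an assumed minimal agent card. encoding/json emits struct fields in
// declaration order, so the signing input is stable across rebuilds.
type Card struct {
	SessionDID string    `json:"session_did"`
	SessionPub []byte    `json:"session_pubkey"`
	Claims     *OpClaims `json:"identity_claims,omitempty"`
	Signature  string    `json:"signature,omitempty"`
}

// signingInput covers everything except the signature itself, claims included,
// so claims cannot be added or dropped without the session key.
func signingInput(c Card) ([]byte, error) {
	c.Signature = ""
	return json.Marshal(c)
}

// SignCard is the stand-in for sign_agent_card.
func SignCard(c Card, sessionPriv ed25519.PrivateKey) (Card, error) {
	msg, err := signingInput(c)
	if err != nil {
		return Card{}, err
	}
	c.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(sessionPriv, msg))
	return c, nil
}

func VerifyCard(c Card) error {
	sig, err := base64.StdEncoding.DecodeString(c.Signature)
	if err != nil {
		return err
	}
	msg, err := signingInput(c)
	if err != nil {
		return err
	}
	if !ed25519.Verify(ed25519.PublicKey(c.SessionPub), msg, sig) {
		return errors.New("card signature does not cover its current contents")
	}
	return nil
}

// WithOpClaimsIfEnrolled mirrors the card-emit step: attach claims when the
// operator is enrolled (enrolled != nil), return the card unchanged otherwise.
// The result is unsigned either way; the caller signs.
func WithOpClaimsIfEnrolled(c Card, enrolled *OpClaims) Card {
	if enrolled == nil {
		return c
	}
	c.Claims = enrolled
	return c
}

// RebuildCardWithCurrentClaims strips any pre-existing claims + signature from
// the stored card, overlays the current enrollment through the same helper init
// uses, and re-signs with the existing session key. It does not publish.
func RebuildCardWithCurrentClaims(stored Card, enrolled *OpClaims, sessionPriv ed25519.PrivateKey) (Card, error) {
	stored.Claims = nil
	stored.Signature = ""
	return SignCard(WithOpClaimsIfEnrolled(stored, enrolled), sessionPriv)
}

func main() {
	// Constructed session key and DIDs for the demo.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fresh, _ := SignCard(Card{SessionDID: "did:example:session-1", SessionPub: pub}, priv)
	again, _ := RebuildCardWithCurrentClaims(fresh, nil, priv)
	a, _ := json.Marshal(fresh)
	b, _ := json.Marshal(again)
	fmt.Println("not enrolled, rebuild byte-identical:", bytes.Equal(a, b))

	claims := &OpClaims{OpDID: "did:example:op-alice", Orgs: []string{"did:example:org-acme"}}
	enrolled, _ := RebuildCardWithCurrentClaims(fresh, claims, priv)
	fmt.Println("enrolled after init verifies:", VerifyCard(enrolled))
}
```

Stripping before overlaying is what makes the rebuild idempotent: a second enrollment replaces the stored claims rather than accumulating on top of stale ones, and an un-enrolled machine converges on exactly the card init would have written.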
with_op_claims_if_enrolled
Card-emit (RFC-001 Phase 1b): if this machine has an enrolled operator (op.key present), attach the operator’s identity claims + stored org memberships to card. Returns the card unchanged when not enrolled, so card-build stays correct for the common case. The returned card is UNSIGNED; the caller signs it (sign_agent_card). Malformed stored memberships are skipped, not fatal.