pub async fn write_agent_identity(
pod_root: &Path,
pubkey_hex: &str,
privkey_hex: Option<&str>,
) -> Result<AgentIdentityWritten, GitError>Expand description
Write the canonical agent.did.json to pod_root and, when a secret
key is supplied, run git config --local nostr.privkey <privkey_hex>
in the pod repo.
pubkey_hex is the 32-byte BIP-340 x-only public key in lowercase hex
(the canonical identity, I1). privkey_hex, when Some, is the matching
32-byte secret key in hex; it is stored ONLY in the repo-local git config
(never written to agent.did.json, never committed).
The DID document is rendered by the canonical
render_did_document — identical bytes to every other ecosystem
emitter. agent.did.json is written to the repo root so it is a
first-class, committable file (the deploy ritual: edit → validate →
commit → git-mark → push).
§Errors
GitError::PathTraversalifpubkey_hexis not a valid 32-byte x-only hex pubkey (cannot render the canonical doc — refuse rather than emit a keyless / malformed document, mirroring the interop D-1 rule).GitError::Ioif the doc cannot be written to disk.
The git config nostr.privkey step is best-effort: a missing git
binary or a non-repo pod_root is logged and reported as
privkey_configured: false, never an error — identity provisioning must
not be blocked by a transient git-config failure (the privkey can be
re-set on the next provisioning pass).