feat(network): add transparent request signing (bot-auth) #1062

Merged
chaliy merged 4 commits into main from claude/transparent-request-signing-H0Pj3
Apr 4, 2026

@chaliy chaliy commented Apr 4, 2026

Summary

  • Implement Ed25519 request signing per RFC 9421 / web-bot-auth profile, per toolkit library contract section 9
  • Feature-gated behind bot-auth cargo feature (implies http_client) — zero crypto deps when disabled
  • Signing is fully transparent: all outbound HTTP requests from curl/wget/http builtins get Signature, Signature-Input, and optional Signature-Agent headers automatically
  • Non-blocking: signing failures never prevent requests (sent unsigned)
  • Follows fetchkit's reference implementation (BotAuthConfig shape, signing format, header names)
  • Includes derive_bot_auth_public_key() for consumer key directory serving

Test plan

  • 10 unit tests in bot_auth.rs covering seed construction, base64 decoding, signing, Ed25519 verification, JWK thumbprint, validity window, public key derivation
  • cargo fmt --check passes
  • cargo clippy --all-targets --features bot-auth -p bashkit -- -D warnings passes (zero warnings)
  • cargo test --features bot-auth -p bashkit — 2042+ tests pass, 0 failures
  • Builds cleanly with no features, http_client only, and bot-auth
  • CI green

Closes #1032

chaliy added 4 commits April 4, 2026 13:53
Implement Ed25519 request signing per RFC 9421 / web-bot-auth profile,
matching the toolkit library contract section 9 and fetchkit's reference
implementation.

- Feature-gated behind `bot-auth` cargo feature (implies `http_client`)
- BotAuthConfig: from_seed, from_base64_seed, agent_fqdn, validity_secs
- Transparent: all outbound HTTP requests signed automatically
- Non-blocking: signing failures never prevent requests
- derive_bot_auth_public_key() for consumer key directory serving
- JWK Thumbprint (RFC 7638) as key identity
- 10 unit tests covering signing, verification, key derivation

Closes #1032
Add safe-to-deploy exemptions for 17 transitive dependencies
introduced by ed25519-dalek (curve25519-dalek, fiat-crypto, etc.).
Reorder exemptions to match cargo-vet's expected alphabetical sort.
- 017-request-signing: add table showing all HTTP paths are signed
  (request_with_headers, request_with_timeouts, custom HttpHandler, redirects)
- 005-builtins: add http builtin docs, note bot-auth coverage for all network builtins
- 006-threat-model: add TM-NET-021 for bot identity spoofing mitigation
- network/mod.rs: mention request signing in security model docs
@chaliy chaliy merged commit 01cda4c into main Apr 4, 2026
27 checks passed
@chaliy chaliy deleted the claude/transparent-request-signing-H0Pj3 branch April 4, 2026 20:08
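
The header layout the description and commit message refer to, as an added example that is not bashkit's or fetchkit's code: it builds the RFC 9421 signature base and the Signature-Input, Signature and Signature-Agent values, and returns no headers when signing fails. The `sig1` label, the covered components, the parameter set and order, the `Req` type and the `sign` callback are assumptions; Ed25519 signing and base64 encoding are left to the callback.

```rust
// Added example (not bashkit code): RFC 9421 signature base and headers for a
// web-bot-auth style request. Ed25519 signing itself is delegated to `sign`.
pub struct Req<'a> {
    pub authority: &'a str,               // host[:port], default port already removed
    pub signature_agent: Option<&'a str>, // key directory URL, if configured
    pub key_id: &'a str,                  // JWK thumbprint (RFC 7638) of the public key
    pub created: u64,                     // Unix seconds
    pub validity_secs: u64,               // expires = created + validity_secs
}

/// Returns (signature params, signature base). The base is the string that gets signed.
pub fn signature_base(r: &Req) -> (String, String) {
    let mut covered = vec!["\"@authority\""];
    let mut base = format!("\"@authority\": {}\n", r.authority.to_ascii_lowercase());
    if let Some(agent) = r.signature_agent {
        covered.push("\"signature-agent\"");
        // Signature-Agent is a structured-field string: the quotes are part of the value.
        base.push_str(&format!("\"signature-agent\": \"{}\"\n", agent));
    }
    let params = format!(
        "({});created={};expires={};keyid=\"{}\";alg=\"ed25519\";tag=\"web-bot-auth\"",
        covered.join(" "), r.created, r.created.saturating_add(r.validity_secs), r.key_id
    );
    base.push_str(&format!("\"@signature-params\": {}", params));
    (params, base)
}

/// Headers to attach. `sign` returns the base64 signature, or None on failure,
/// in which case no headers are produced and the request goes out unsigned.
pub fn signing_headers(r: &Req, sign: impl Fn(&[u8]) -> Option<String>) -> Vec<(String, String)> {
    let (params, base) = signature_base(r);
    let Some(sig) = sign(base.as_bytes()) else { return Vec::new() };
    let mut h = vec![
        ("Signature-Input".to_string(), format!("sig1={}", params)),
        ("Signature".to_string(), format!("sig1=:{}:", sig)),
    ];
    if let Some(agent) = r.signature_agent {
        h.push(("Signature-Agent".to_string(), format!("\"{}\"", agent)));
    }
    h
}

fn main() {
    // Constructed sample values; the signer is a stand-in, not real Ed25519.
    let r = Req { authority: "Example.COM", signature_agent: Some("https://bot.example"),
                  key_id: "SAMPLE-THUMBPRINT", created: 1_700_000_000, validity_secs: 300 };
    for (k, v) in signing_headers(&r, |_| Some("c2FtcGxl".to_string())) {
        println!("{k}: {v}");
    }
}
```

A verifier has to rebuild the same base byte for byte from the received request and the Signature-Input value, so any difference in component order, quoting or parameters makes the signature fail.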

Successfully merging this pull request may close these issues.

feat: add request signing support (bot-auth)
