security: audit doc line-by-line pass — all test checklist items complete
auth.py:
- run_keygen now rejects duplicate identity without --force (guards both human and agent entries by checking load_identity before proceeding)

tests/test_hd_keygen_unified.py:
- Remove 8 failing PEM-asserting tests (test_pem_written, test_pem_mode_600, test_agent_pem_*, test_agent_key_different_from_human_key, etc.)
- Add hermetic keychain patching to _keygen and _setup_operator helpers
- Replace with: test_no_pem_written, test_hd_path_in_identity_toml, test_agent_no_pem_written, test_agent_hd_path_in_identity_toml, fingerprint-based key-distinctness tests
- Remove test_generate_hd_keypair_exists (pinned vestigial function)

tests/test_cmd_auth_keygen_hd.py:
- Replace test_pem_file_written / test_pem_is_valid_ed25519_key with test_derive_hd_public_info_* (no disk writes)
- test_second_keygen_succeeds_without_force → test_second_keygen_without_force_rejected
- Remove stale key_path fields from IdentityEntry literals
- Remove stale load_pem_private_key import

tests/test_agent_signing.py:
- Delete TestLoadPrivateKeyFromPem class
- Remove stale key_path fields from identity entries
- Remove Encoding/NoEncryption/PrivateFormat imports

tests/test_core_keychain.py:
- Remove stale key_path fields from IdentityEntry test data

tests/test_security_key_permissions.py:
- DELETED — tested _load_private_key_from_path permission checks (PEM arch)

tests/test_security_no_pem_on_disk.py:
- NEW — NP-1 through NP-5: keygen writes no PEM, resolve needs no keys/, security-check passes, fresh install is clean

tests/test_resolve_signing_identity_keychain_path.py:
- NEW — KC-1 through KC-7: full keychain→derive→sign→verify chain, graceful None returns, determinism

docs/key-material-security-audit.md:
- Current State section updated to reflect phases 1-7 complete
- H5 marked Fixed (Phase 5); M1 marked Fixed (Phase 6)
- Test Checklist fully updated; Files to Delete table shows blockers
muse hub commit comment sha256:794449e7457b82dc5e2c97854618810e77aa6d13267acffe12cb9f85daeb2a17 --body "your comment"