security(phase-2): derive Ed25519 key from mnemonic at sign time — no PEM read

resolve_signing_identity now derives the private key from the OS keychain mnemonic via SLIP-0010 HD derivation at call time. No PEM file is read or written. Returns None when the entry lacks hd_path or the keychain has no mnemonic. Old TestResolveSigningIdentity tests updated to use the mnemonic- based path; new TestResolveSigningIdentityPhase2 (P2-1..P2-6) all green.

sha256:86d1d97a0143ab6c55133f029dae9bb3ca95c28d2f77d7891198ebf88cebbe26 sha

sha256:d7b1648b47e3c68e7d1fa9c1638a323df53fa67ebee302d945cb643abc29f4e0 parent

sha256:1f7b352d088e10d71f675bad2f80c7d358c48daa4038a8dac3b77016c455fc38 snapshot

← Older Oldest on dev

All commits

Newer → Latest on dev

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:86d1d97a0143ab6c55133f029dae9bb3ca95c28d2f77d7891198ebf88cebbe26 --body "your comment"

Provenance signed

AI Agent

claude-sonnet-4-6

Bump patch

Agent claude-code

Signature Cryptographically verified

Snapshot

ID sha256:1f7b352d088e10d71f675bad2f80c7d358c48daa4038a8dac3b77016c455fc38

Files 0

Browse tree at this commit →

Commit

SHA sha256:86d1d97a0143ab6c55133f029dae9bb3ca95c28d2f77d7891198ebf88cebbe26

Parent

sha256:d7b1648b47e3c68e7d1fa9c1638a323df53fa67ebee302d945cb643abc29f4e0

Branch dev