feat: add progressive re-signing to muse code migrate

- migrate() takes optional private_key; when supplied every commit is re-signed with a fresh Ed25519 sig over its new v2 commit ID - old signatures (over old IDs) are replaced — not preserved - signer_public_key is bound into the v2 commit ID before signing - CLI loads signing identity from repo hub config, then falls back to each configured remote URL — repos without [hub] url still sign - unsigned path remains valid for git-onboarding users without keys - MigrateResult gains commits_signed field - 5 new tests covering signed migration, signer_public_key binding, dry-run skip, and all-commits-signed count - _verify_commit_id docstring updated: repo_id/author/signer_public_key are NOW included in the commit ID (stale 'by design' comment removed)

sha256:bb9e7203e470365c85ba1d82ab3f45b5a8d0bc330018a117a82ea305959fc385 sha

sha256:a0f6e17e5426083e40fa9604b1be6364a795ffab404d9c83525de8970ab05ad6 parent

sha256:0db022a2773c788a3907449af9cc76d717ab15eda2c85992db45128b84c6a7f7 snapshot

← Older Oldest on task/migrate-signing

All commits Newer feat(migrate): sign unsigned commits during migration sha256:d5f79d21e6927f2763ca88b1d82fb4745702895174908ee8ca4fddde5656d5f3

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:bb9e7203e470365c85ba1d82ab3f45b5a8d0bc330018a117a82ea305959fc385 --body "your comment"

Provenance signed

AI Agent

claude-sonnet-4-6

Bump BREAKING

Agent claude-code

Breaking

muse/core/migrate.py::MigrateResultmuse/core/migrate.py::import::split_idmuse/core/migrate.py::migrate

Signature Cryptographically verified

Snapshot

ID sha256:0db022a2773c788a3907449af9cc76d717ab15eda2c85992db45128b84c6a7f7

Files 0

Browse tree at this commit →

Commit

SHA sha256:bb9e7203e470365c85ba1d82ab3f45b5a8d0bc330018a117a82ea305959fc385

Parent

sha256:a0f6e17e5426083e40fa9604b1be6364a795ffab404d9c83525de8970ab05ad6

Branch task/migrate-signing