feat(auth): rotate via POST /api/auth/keys — clean canonical API

Rotate now uses the dedicated add-key endpoint instead of the verify endpoint, which only supports fresh registrations.

Two proofs required: 1. MSign (old key) proves account ownership 2. Challenge-response (new key) proves new key ownership

Removed all legacy camelCase fallback reads — canonical snake_case only: challenge_token, is_new_key, identity_id, is_new_identity.

_json_post_raw gains extra_headers param for MSign Authorization. All 23 rotate tests pass.

sha256:d189939c0e50f4be4578d7452dcc3af816b36e91e37ae0b2c1d33d517243248a sha

sha256:f1b46bb89459a72e0bc9f7cafda555bb41e2a6ed8f8acdd1b1c1f2e79668fc0d parent

sha256:ba5dc248165f59bdacabd3e8de301a315ad01e6edbcd87ecc40ef9eab4b6b791 snapshot

← Older Oldest on dev

All commits

Newer → Latest on dev

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:d189939c0e50f4be4578d7452dcc3af816b36e91e37ae0b2c1d33d517243248a --body "your comment"

Provenance signed

AI Agent

claude-sonnet-4-6

Bump patch

Agent claude-code

Signature Cryptographically verified

Snapshot

ID sha256:ba5dc248165f59bdacabd3e8de301a315ad01e6edbcd87ecc40ef9eab4b6b791

Files 0

Browse tree at this commit →

Commit

SHA sha256:d189939c0e50f4be4578d7452dcc3af816b36e91e37ae0b2c1d33d517243248a

Parent

sha256:f1b46bb89459a72e0bc9f7cafda555bb41e2a6ed8f8acdd1b1c1f2e79668fc0d

Branch dev