feat: Phase 2 — key rotation commits to identity repo

- Add _commit_key_rotation_to_identity_repo() in musehub_auth.py: reads the current HEAD IdentityRecord, replaces pubkey with the newly rotated key, and commits the updated record to the identity repo's main branch. No-op when identity repo doesn't exist yet (migration-period safety).

- Wire into add_key_for_identity() immediately after the key DB row is committed, so every rotation produces a tamper-evident audit entry in the identity repo's commit history.

- Add tests/test_identity_repo_phase2.py: 7 TDD regression tests covering: second commit appears after rotation, third commit after second rotation, commit message contains handle, updated pubkey in HEAD record, original commit immutability, handle/type preserved, second rotation reflects latest pubkey. All 7 GREEN.

Closes #19 Phase 2

sha256:23bb5b9df34f65b3af3d477353e744877eda75e294268d06b7f497779b748d70 sha

sha256:fc7dd68fc1f263774922ef1016d57e4b6fd828cbdaab4e32fd8729c3b60eecc5 parent

sha256:658a4b9700b32f1bc558ba81a52435f9e610e2cf1493c53a7b641463df75c109 snapshot

← Older Oldest on task/identity-repo-phase2

All commits

Newer → Latest on task/identity-repo-phase2

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:23bb5b9df34f65b3af3d477353e744877eda75e294268d06b7f497779b748d70 --body "your comment"

Provenance signed

AI Agent

claude-sonnet-4-6

Bump patch

Agent claude-code

Signature Cryptographically verified

Snapshot

ID sha256:658a4b9700b32f1bc558ba81a52435f9e610e2cf1493c53a7b641463df75c109

Files 0

Browse tree at this commit →

Commit

SHA sha256:23bb5b9df34f65b3af3d477353e744877eda75e294268d06b7f497779b748d70

Parent

sha256:fc7dd68fc1f263774922ef1016d57e4b6fd828cbdaab4e32fd8729c3b60eecc5

Branch task/identity-repo-phase2