feat(auth): add POST /api/auth/keys for secure key rotation

New endpoint: POST /api/auth/keys

Requires two proofs: 1. Authorization: MSign (existing key proves account ownership) 2. Body: challenge_token + public_key_b64 + signature_b64 (new key challenge-response proves new key ownership)

New model: RotateKeyRequest New service fn: add_key_for_identity (reuses challenge verification, adds key to existing identity without creating a new identity record)

Security: neither proof alone is sufficient — MSign without key proof lets an attacker inject a key; key proof without MSign lets an unauthenticated caller add a key to any handle.

Run: muse auth rotate --hub https://localhost:1337

sha256:b6b1074be3675c431c1acffa6f76a6cadbcb08c715ab2575e6f43dc5637076fc sha

sha256:9dcf8d543d11b8ffcdabb119ff3c6f44dd588bb8bc23515820f5550a2b85599b parent

sha256:3202371fe36e479e1e259e99bbdc72261521aed1f526df8238a2ee24fb24f197 snapshot

← Older Oldest on task/auth-rotate-endpoint

All commits

Newer → Latest on task/auth-rotate-endpoint

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:b6b1074be3675c431c1acffa6f76a6cadbcb08c715ab2575e6f43dc5637076fc --body "your comment"

Provenance signed

AI Agent

claude-sonnet-4-6

Bump patch

Agent claude-code

Signature Cryptographically verified

Snapshot

ID sha256:3202371fe36e479e1e259e99bbdc72261521aed1f526df8238a2ee24fb24f197

Files 0

Browse tree at this commit →

Commit

SHA sha256:b6b1074be3675c431c1acffa6f76a6cadbcb08c715ab2575e6f43dc5637076fc

Parent

sha256:9dcf8d543d11b8ffcdabb119ff3c6f44dd588bb8bc23515820f5550a2b85599b

Branch task/auth-rotate-endpoint