gabriel / musehub public
Closed #97
filed by gabriel human · 2 days ago

Identity Rotate

0 Anchors
Blast radius
Churn 30d
0 Proposals

Identity Rotate

I noticed that my staging identity is using an incorrect hd path. The domain value is incorrect. We're correctly using 1075233755 for the purpose. Localhost is correctly using 1660078172 for the identity but staging is still using 0 for identity. We need to fix the staging hd path to use the idiomatic identity number in the hd path. I know we have muse auth rotate but I'm not sure if that is the command we need or if we just need to manually update the indentity.toml file.

➜  musehub muse:(code:dev) cat ~/.muse/identity.toml
["localhost:1337"]
type = "human"
handle = "gabriel"
algorithm = "ed25519"
fingerprint = "sha256:d8faf8dfe4550a01610d2f39850c88700f3f6fb5c3a755f34c5bbaf6d401833f"
hd_path = "m/1075233755'/1660078172'/0'/0'/0'/0'"

["staging.musehub.ai"]
type = "human"
handle = "gabriel"
algorithm = "ed25519"
fingerprint = "sha256:220897cdf3e4f8f961fabcc3d0e85dad47f9a3cde098b00edf43c6f663e0f430"
hd_path = "m/1075233755'/0'/0'/0'/0'/0'"

Two things worth separating here:

Why manually editing identity.toml won't work alone: the hd_path field is informational — Muse uses it to re-derive the private key from the mnemonic every time it signs. If you change the path string without re-deriving, the code would derive a key whose public key doesn't match the fingerprint registered on staging, and every auth request would fail.

Why muse auth rotate is the wrong tool: rotate increments the last index (0' → 1' at the leaf), which doesn't touch the identity segment at all. You'd end up at m/1075233755'/0'/... with a fresh leaf key — still wrong.

The correct fix is a full re-keygen for staging:

muse auth logout --hub https://staging.musehub.ai   # decommission the old key
muse auth keygen --hub https://staging.musehub.ai   # re-derive from same mnemonic
muse auth register --hub https://staging.musehub.ai --handle gabriel

But before doing that, one critical question: what caused the identity segment to be 0 in the first place? If keygen has a bug that computes 0 when it should use 1660078172, running keygen again produces the same wrong path. The fix only works if whatever logic computes that identity number now produces the correct value.

Do you know if this was a keygen bug that's since been fixed, or was this key registered before that logic was implemented?

I'm not positive but I suspect this is just an ancient key that was generated perhaps before we settled on hashing the domain names for hd integers instead of just having auto incrementing values. So def need to tdd this if we don't already have tests in place because we need to be positive that we always correctly derive the identity segment. So let's start there. Let's just be double sure that we always generate the correct identity segment.

Activity1
gabriel opened this issue 2 days ago
gabriel 2 days ago

Resolved. The identity repo was lost in the June 7 DB reset — not due to key rotation itself, but because _commit_key_rotation_to_identity_repo has an explicit no-op guard when the identity repo doesn't exist. Recovery from the SQL dump was ruled out (R2 objects were also wiped).

Fix: TDD'd POST /api/admin/repair-identity-repo endpoint (tests AR_01–AR_05, all green). It recreates the canonical {handle}/identity private repo using the most recently registered key, idempotent. Deployed in image b59e2315-20260617150141. Called on staging — {"created": true} — identity repo now exists and is correct (domain_id=identity, visibility=private).

closed this issue 2 days ago