unibus

dataforge/unibus

Fork 0

Commit Graph

Author	SHA1	Message	Date
egutierrez	413dd61041	feat(busauth): Ed25519<->NATS nkey conversion with round-trip test A NATS nkey is an Ed25519 keypair, so the bus reuses each peer's signing identity for the data plane instead of minting new key material. ClientNkey derives the user nkey public string and a nonce-signing callback from the peer's Ed25519 private key (its first 32 bytes are the nkey seed); SignPubHexFromNkey maps a presented nkey back to the allowlist's hex key; NkeyPublicFromSignPub is the public-only derivation. This is NATS-specific transport glue kept in the app, not promoted to the registry, to avoid pulling nats-io/nkeys into the multi-domain registry module. The dedicated round-trip test runs first (spec requirement): it proves the nkey signature equals the identity's raw Ed25519 signature and that the nkey maps back to the identity's hex. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 12:37:46 +02:00

Author

SHA1

Message

Date

egutierrez

413dd61041

feat(busauth): Ed25519<->NATS nkey conversion with round-trip test

A NATS nkey is an Ed25519 keypair, so the bus reuses each peer's signing
identity for the data plane instead of minting new key material. ClientNkey
derives the user nkey public string and a nonce-signing callback from the
peer's Ed25519 private key (its first 32 bytes are the nkey seed);
SignPubHexFromNkey maps a presented nkey back to the allowlist's hex key;
NkeyPublicFromSignPub is the public-only derivation.

This is NATS-specific transport glue kept in the app, not promoted to the
registry, to avoid pulling nats-io/nkeys into the multi-domain registry
module. The dedicated round-trip test runs first (spec requirement): it
proves the nkey signature equals the identity's raw Ed25519 signature and
that the nkey maps back to the identity's hex.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-07 12:37:46 +02:00

1 Commits