Skip to content

Add Ed25519 signed license verification with key rotation and CI guard#50

Merged
sheeki03 merged 4 commits intomainfrom
feat/signed-license-verification
Feb 24, 2026
Merged

Add Ed25519 signed license verification with key rotation and CI guard#50
sheeki03 merged 4 commits intomainfrom
feat/signed-license-verification

Conversation

@sheeki03
Copy link
Owner

@sheeki03 sheeki03 commented Feb 24, 2026
edited by macroscopeapp bot
Loading

Summary

  • Implement Ed25519 signed license token verification with key rotation support
  • Add enforcement-check CI guard to release workflow
  • Add license key format diagnostics to tirith doctor
  • Document license tier verification in threat model and README
  • Fix all remaining deep-review findings across the codebase
  • Includes Parts 1-9 (full feature set) and bug fixes

Test plan

  • All existing tests pass

🤖 Generated with Claude Code

Note

Update tests::test_keyring_non_empty in crates::tirith_core::license to assert a local not_empty binding for Ed25519 signed license verification with key rotation and CI guard

Refactor the test in crates/tirith-core/src/license.rs to bind let not_empty = !KEYRING.is_empty(); with an inline #[allow(clippy::const_is_empty)] and assert the binding.

📍Where to Start

Start with the tests::test_keyring_non_empty test in crates/tirith-core/src/license.rs.

Macroscope summarized 88f87a0.

macroscopeapp[bot]
macroscopeapp bot reviewed Feb 24, 2026
View reviewed changes
macroscopeapp[bot]
macroscopeapp bot reviewed Feb 24, 2026
View reviewed changes
@sheeki03
Fix CI: cargo fmt, clippy lints, pin time 0.3.37, add RUSTSEC-2026-00…
bae5703 
…09 ignore

- Run cargo fmt --all
- Fix clippy lints: redundant closures, uninlined_format_args, approx_constant,
  const_is_empty in license keyring test
- Pin time crate to 0.3.37 (0.3.47 uses edition2024, incompatible with MSRV 1.83)
- Add .cargo/audit.toml ignoring RUSTSEC-2026-0009 (time crate DoS,
  not exploitable in our usage, fix requires Rust 1.88)
- Add same ignore to deny.toml
@sheeki03 sheeki03 force-pushed the feat/signed-license-verification branch from 4ba9786 to bae5703 Compare February 24, 2026 17:28
sheeki03 and others added 2 commits February 24, 2026 22:59
@sheeki03
Merge remote-tracking branch 'origin/main' into feat/signed-license-v…
a17b589 
…erification
@sheeki03 @claude
Fix review findings and merge main
43891c8 
- Merge origin/main (glibc build fix)
- Fix single & segment boundary in split_raw_words (security)
- Use exact match == TIRITH=0 (prevents false bypass)
- Skip flags in resolve_command_wrapper
- Remove dead code in is_tirith_command
- Remove quote-stripping from is_env_assignment

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
macroscopeapp[bot]
macroscopeapp bot reviewed Feb 24, 2026
View reviewed changes
macroscopeapp[bot]
macroscopeapp bot reviewed Feb 24, 2026
View reviewed changes
@sheeki03 @claude
Merge origin/main into feat/signed-license-verification
88f87a0 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sheeki03 sheeki03 merged commit b995883 into main Feb 24, 2026
9 checks passed
@sheeki03 sheeki03 deleted the feat/signed-license-verification branch February 24, 2026 21:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@macroscopeapp macroscopeapp[bot] macroscopeapp[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sheeki03