Current state
Every commit on main is SSH-signed, but none carry Auths-Id / Auths-Device / Auths-Anchor-Seq trailers — spot-checked f4bc3e89, ae93d0f3, 83e82e82: zero trailers. auths verify HEAD on this repo fails with "Commit carries no Auths-Id/Auths-Device trailer".
In other words: the repo that builds the commit-identity product does not use the product to sign its own commits. verify-commits.yml runs with fail-on-unsigned: true and stays green only because the pinned 0.1.2-era verify action predates the KEL-native trailer model.
Why this matters
- Dogfooding is the best regression detector we have. The rotation-breaks-signing bug and the trailer-staleness bug both shipped because no maintainer workflow exercised the golden path daily. If our own git commit went through the prepare-commit-msg hook, those would have been caught the same day they landed.
- Credibility. "Verify our commits with auths verify" is the obvious first ask from any evaluator — today it fails on our own repo.
- The repo already pins the maintainer root in .auths/roots, so strict verification has a trust anchor to work against.
Proposal
- Maintainers enable trailers locally (auths init / auths doctor already wires core.hooksPath → ~/.auths/githooks with the prepare-commit-msg hook).
- Soak period: commits start carrying trailers; verify-commits.yml stays in its current mode.
- Flip CI: bump the pinned verify action to the KEL-native model (≥0.1.3) and make missing-trailer commits fail on main pushes from a cutover SHA forward (history before the cutover is exempt — same pattern as the did:key→did:keri trailer break).
- Document the maintainer setup in CONTRIBUTING.
Known wrinkles
- Merge commits made via the GitHub UI (merge queue, squash-merge) bypass local hooks — needs either bot signing, a cutover policy that exempts GitHub-authored merges, or local-merge discipline.
- External contributors without auths identities: gate strictness on push-to-main (maintainers), not PRs.
- Touch ID / Secretive-gated keys can stall non-interactive commits; hook must stay non-blocking when the trailer file is present.
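
The cutover rule from the proposal and the GitHub-UI merge wrinkle, sketched as an added example (not code from this repo or from the auths verify action): it checks trailer presence only, not signatures or KEL state. The commit-record shape, the function names, and the use of the committer email noreply@github.com to recognise GitHub-authored commits are assumptions.

```python
import re

REQUIRED = ("Auths-Id", "Auths-Device")   # keys named in the verify error quoted above
GITHUB_COMMITTER = "noreply@github.com"   # assumption: committer email on GitHub-UI commits
TRAILER_RE = re.compile(r"^([A-Za-z0-9-]+):[ \t]*(.+)$")

def trailers(message):
    """Simplified trailer parse: key/value lines in the last paragraph of the message."""
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    if len(paragraphs) < 2:               # subject only, e.g. "docs: typo", is not a trailer
        return {}
    pairs = (TRAILER_RE.match(line) for line in paragraphs[-1].splitlines())
    return {m.group(1).lower(): m.group(2).strip() for m in pairs if m}

def missing_trailers(commits, cutover_sha, exempt_github=True):
    """commits: oldest-first first-parent history of main. Returns [(sha, [missing keys])]."""
    if cutover_sha not in {c["sha"] for c in commits}:
        # Fail closed: an unknown cutover would otherwise exempt every commit.
        raise ValueError(f"cutover {cutover_sha} not in history")
    enforced, failures = False, []
    for c in commits:
        enforced = enforced or c["sha"] == cutover_sha
        if not enforced:
            continue                      # history before the cutover is exempt
        if exempt_github and c["committer_email"] == GITHUB_COMMITTER:
            # Committer email is self-asserted metadata; a real gate should also
            # check who signed the commit before granting this exemption.
            continue
        have = trailers(c["message"])
        missing = [k for k in REQUIRED if k.lower() not in have]
        if missing:
            failures.append((c["sha"], missing))
    return failures

ID = "Auths-Id: did:keri:EXAMPLE"         # constructed placeholder values
DEV = "Auths-Device: EXAMPLE-DEVICE"
SAMPLE = [                                # constructed history, oldest first
    {"sha": "a1", "committer_email": "dev@example.com", "message": "old\n\nno trailers\n"},
    {"sha": "b2", "committer_email": "dev@example.com",
     "message": f"fix: rotation\n\nBody.\n\n{ID}\n{DEV}\nAuths-Anchor-Seq: 3\n"},
    {"sha": "c3", "committer_email": GITHUB_COMMITTER, "message": "Squash merge\n\nbody\n"},
    {"sha": "d4", "committer_email": "dev@example.com", "message": f"chore: bump\n\n{ID}\n"},
    {"sha": "e5", "committer_email": "dev@example.com", "message": "docs: typo"},
]

if __name__ == "__main__":
    for sha, missing in missing_trailers(SAMPLE, "b2"):
        print(f"{sha}: missing {', '.join(missing)}")
```

With the exemption on, the constructed squash merge c3 passes and only d4 and e5 are reported; with exempt_github=False it is reported too, which is the case bot signing or local-merge discipline would have to cover.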