Rough edges hit while doing real work with the CLI (signing commits, exporting bundles, rotating, verifying). Filing per request — roughly ordered by impact.
1. Commit/auths sign hang silently on the Secure Enclave (no feedback, no timeout)
git commit (with the auths-sign SSH signer) and auths sign <ref> block indefinitely waiting for Touch ID / SE approval with zero output — no "waiting for Touch ID…", no spinner, no timeout. In a non-interactive or background context they hang forever; even interactively it's impossible to tell "working" from "hung". A status line + a sane timeout (or a --no-input/--timeout flag that fails fast) would help a lot. This was the single biggest friction point.
2. id export-bundle fails closed on pre-attachment identities with a drastic, migration-less remedy
On an identity created before signature attachments were stored, export aborts:
[ERROR] KEL event at seq 0 has no stored signature attachment;
cannot export a verifiable bundle (re-initialize this identity)
"Re-initialize this identity" means throw away your DID — there's no migration / backfill path (e.g. auths id backfill-attachments or a --allow-unsigned/legacy export mode). A long-lived identity shouldn't be un-exportable after a tooling upgrade. (Introduced by the RT-002 producer hardening.)
3. No prepare-commit-msg hook installed by default → commits silently lack Auths trailers → verify fails
Commits get the SSH signature but no Auths-Id/Auths-Device trailers when the prepare-commit-msg hook isn't installed (e.g. a fresh worktree, or core.hooksPath overridden by pre-commit/husky). There's no warning at commit time — it only surfaces later as verify/verify-commits failing with "Commit carries no Auths-Id/Auths-Device trailer." auths doctor should detect a missing/shadowed hook and warn, and ideally git commit should warn when it produces a signature without trailers.
4. Confusing & inconsistent identity-home resolution; hard to safely target a throwaway identity
- auths id list prints Storage ID: .auths (looks repo-relative) while auths id export-bundle prints Using Repository: /Users/bordumb/.auths (global) — two subcommands describe the home differently.
- It's unclear how to point a command at an isolated/throwaway identity: auths sign documents --repo, but other id subcommands don't obviously honor an env var or a global --repo. This is a footgun: a quick local experiment can end up operating on the real ~/.auths identity (e.g. an accidental id rotate). A single documented mechanism (one env var and a global --repo/--home flag honored by every subcommand) + echoing the resolved home consistently would prevent mistakes.
5. Minor: auths init flag discoverability
auths init --non-interactive just prints usage with no hint that the flag is wrong / what the non-interactive path is. A clearer error ("unknown flag --non-interactive; for scripted setup use …") would help.
Context: encountered while landing the #263 security work and its CI follow-ups (schema regen, SCIM test allowlist, rotation attachment persistence). Items 2 & 3 are direct consequences of the RT-002 changes and are the most user-visible.
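A local check for the two conditions in item 3 (missing or shadowed prepare-commit-msg hook, commits without trailers), added here as an example and not part of auths or of the original report. The function names are hypothetical, and it assumes the trailers appear as `Auths-Id:` / `Auths-Device:` lines in the final paragraph of the commit message and that the Auths hook script contains the string "auths".

```shell
#!/bin/sh
# Added example, not part of auths. Function names are hypothetical.

# Print the last paragraph of a commit message read from stdin;
# git only treats lines in that final block as trailers.
last_paragraph() {
    awk 'BEGIN { RS = "" } { p = $0 } END { print p }'
}

# Succeed only if the message on stdin carries both trailers.
# Assumption: they appear as "Auths-Id: ..." and "Auths-Device: ..." lines.
has_auths_trailers() {
    block=$(last_paragraph)
    printf '%s\n' "$block" | grep -q '^Auths-Id:' &&
        printf '%s\n' "$block" | grep -q '^Auths-Device:'
}

# Classify the prepare-commit-msg hook in a hooks directory.
# Assumption: the Auths hook script contains the string "auths";
# anything else (e.g. a husky or pre-commit shim) is reported as foreign.
hook_status() {
    hook="$1/prepare-commit-msg"
    if [ ! -e "$hook" ]; then
        echo missing
    elif [ ! -x "$hook" ]; then
        echo not-executable   # git skips hooks without the execute bit
    elif ! grep -q auths "$hook"; then
        echo foreign
    else
        echo ok
    fi
}

# Audit the repository in the current directory: resolve the effective
# hooks directory (this honours core.hooksPath), then list recent commits
# that lack the trailers.
audit_repo() {
    hooks_dir=$(git rev-parse --git-path hooks) || return 2
    echo "hooks dir: $hooks_dir"
    echo "core.hooksPath: $(git config --get core.hooksPath || echo unset)"
    echo "prepare-commit-msg: $(hook_status "$hooks_dir")"
    for c in $(git rev-list -n 20 "${1:-HEAD}"); do
        git show -s --format=%B "$c" | has_auths_trailers ||
            echo "no Auths trailers: $c"
    done
}
```

Source the file and run `audit_repo` (optionally with a ref) inside a worktree; a `foreign` or `missing` result alongside untrailered commits matches the failure described in item 3.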