feat(dev-bootstrap): auto-materialize INTERLACE_ROOT_PUBKEY via signet authority pubkey #69

Merged
jamestexas merged 1 commit into main from chore/dev-bootstrap-interlace-pubkey-isolated
May 19, 2026

Conversation

@jamestexas

Contributor

Summary

Extends `scripts/dev-bootstrap.mjs` to populate `INTERLACE_ROOT_PUBKEY` in `.env.local` from `signet authority pubkey` — the new subcommand shipped in signet#131.

Before this PR, populating `INTERLACE_ROOT_PUBKEY` required:

  1. Start an authority (local Go binary, OCI image, or remote)
  2. Hand-fetch `/.well-known/ca-bundle.pem`
  3. `openssl x509 -pubkey -noout` to extract the pubkey
  4. Base64-encode the raw 32 bytes
  5. Paste into `.env.local`

A developer described the wiring as "unclear how / where / what's needed tbh." This PR closes that — `task dev:bootstrap` now does it.

What changes

`scripts/dev-bootstrap.mjs` (+88 / -1):

  1. After the existing `DEV_VAULT_KEK` step, run `signet authority pubkey` and capture stdout.
  2. Write the result to `INTERLACE_ROOT_PUBKEY` in `.env.local`.
  3. Idempotent: existing values are kept on re-runs. `INTERLACE_PUBKEY_REFRESH=1` forces a re-fetch.
  4. Graceful skip if signet isn't on PATH: prints an actionable install hint and leaves the lease gate off (dev mode). This is a supported workflow — many cloister dev sessions don't need lease verification.

Knobs

| Env var | Effect |
| --- | --- |
| `SIGNET_BIN` | Override binary name/path (default: `signet`) |
| `SIGNET_AUTHORITY_URL` | Fetch from a running authority via `/.well-known/ca-bundle.pem` instead of local keystore. Works against local Go authority OR remote notme worker. |
| `INTERLACE_PUBKEY_REFRESH=1` | Force re-fetch even if already set |

Outcomes tested (manual dogfood)

| Scenario | Expected Result |
| --- | --- |
| signet NOT on PATH | Skip with install hint; lease gate stays off |
| signet on PATH + XDG keystore initialized | Pubkey materialized; matches `signet authority pubkey` byte-for-byte (incl. trailing base64 `=` padding) |
| Idempotent second run | Reuses existing value |
| `INTERLACE_PUBKEY_REFRESH=1` | Forces re-fetch |

Test plan

  • Manual dogfood of all 4 scenarios above
  • `task lint` clean (71 files, 1,122 tests pass) — script-only change

Companion

signet#131 — `signet authority pubkey` subcommand (merged 2026-05-19).

🤖 Generated with Claude Code
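
As an added example (not code from this PR or from `scripts/dev-bootstrap.mjs`), manual steps 3 and 4 of the old procedure and the keep-unless-refresh rule are written out below in Node.js using only the `Buffer` global. The function names, the placeholder key bytes, and treating an empty `KEY=` line as unset are assumptions.

```javascript
// Added example: helper names are hypothetical, not from scripts/dev-bootstrap.mjs.
// An Ed25519 SubjectPublicKeyInfo (RFC 8410) is this 12-byte DER header + the 32-byte key.
const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');

// Input: the "PUBLIC KEY" PEM printed by `openssl x509 -pubkey -noout`.
// Output: the raw 32-byte key, base64-encoded (44 chars, one trailing '=').
function spkiPemToRawBase64(pem) {
  const m = /-----BEGIN PUBLIC KEY-----([\s\S]+?)-----END PUBLIC KEY-----/.exec(pem);
  if (!m) throw new Error('no PUBLIC KEY block found');
  const der = Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
  if (der.length !== 44 || !der.subarray(0, 12).equals(ED25519_SPKI_PREFIX)) {
    throw new Error('not an Ed25519 SubjectPublicKeyInfo');
  }
  return der.subarray(12).toString('base64');
}

// Check a value before trusting it as a root key: canonical base64 of exactly 32 bytes.
function isRaw32Base64(value) {
  const buf = Buffer.from(value, 'base64');
  return buf.length === 32 && buf.toString('base64') === value;
}

// Keep an existing non-empty value unless refresh is set; otherwise replace or append.
// Assumption: an empty `KEY=` line counts as unset.
function upsertEnv(text, key, value, refresh = false) {
  const lines = text.split('\n');
  const i = lines.findIndex((l) => l.startsWith(`${key}=`));
  if (i >= 0) {
    if (lines[i].length > key.length + 1 && !refresh) return text;
    lines[i] = `${key}=${value}`;
    return lines.join('\n');
  }
  const sep = text === '' || text.endsWith('\n') ? '' : '\n';
  return `${text}${sep}${key}=${value}\n`;
}

// Constructed sample: bytes 0x00..0x1f stand in for key material (not a real key).
const SAMPLE_PEM = [
  '-----BEGIN PUBLIC KEY-----',
  Buffer.concat([ED25519_SPKI_PREFIX, Buffer.from([...Array(32).keys()])]).toString('base64'),
  '-----END PUBLIC KEY-----',
].join('\n');

const samplePubkey = spkiPemToRawBase64(SAMPLE_PEM);
if (!isRaw32Base64(samplePubkey)) throw new Error('unexpected key encoding');
console.log(upsertEnv('DEV_VAULT_KEK=placeholder\n', 'INTERLACE_ROOT_PUBKEY', samplePubkey));
```

The canonical-encoding check rejects a value whose `=` padding was dropped in transit, which is the byte-for-byte property the dogfood table calls out.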

…T_PUBKEY via signet authority pubkey

Extends scripts/dev-bootstrap.mjs to populate INTERLACE_ROOT_PUBKEY in
.env.local from `signet authority pubkey` — the new subcommand shipped
in signet-PR #131 that emits the master Ed25519 public key as base64.

Before this, populating INTERLACE_ROOT_PUBKEY required: start an
authority somehow, hand-fetch /.well-known/ca-bundle.pem, openssl
x509 -pubkey -noout, parse the PEM, base64-encode the raw 32 bytes,
paste into .env.local. Four shell-foo steps that weren't documented
anywhere; a developer described the wiring as "unclear how / where /
what's needed tbh."

Now it's one command:

  task dev:bootstrap

The script:
  1. Runs `signet authority pubkey` (local keystore mode), or
     `signet authority pubkey --url $SIGNET_AUTHORITY_URL` when the
     env var is set (for fetching from a running authority — local Go
     binary or remote notme worker).
  2. Writes the result to INTERLACE_ROOT_PUBKEY in .env.local.
  3. Idempotent: existing values are kept on re-runs.
     INTERLACE_PUBKEY_REFRESH=1 forces a re-fetch.
  4. If signet isn't on PATH, skips gracefully with a hint pointing
     at signet-repo `task install`. Lease gate stays off (dev mode);
     this is supported.

## Knobs

  SIGNET_BIN=signet                              # override binary name/path
  SIGNET_AUTHORITY_URL=https://auth.notme.bot    # fetch from running authority instead of local keystore
  INTERLACE_PUBKEY_REFRESH=1                     # force re-fetch even if already set

## Outcomes tested (manual dogfood)

  TEST 1 (signet not on PATH): graceful skip, install hint, gate stays off
  TEST 2 (fresh fetch): pubkey materialized; matches `signet authority pubkey` stdout byte-for-byte (incl. trailing base64 '=' padding)
  TEST 3 (idempotent): second run reuses existing INTERLACE_ROOT_PUBKEY
  TEST 4 (refresh flag): INTERLACE_PUBKEY_REFRESH=1 forces re-fetch

## Test plan

  - [x] Manual dogfood of all 4 scenarios above
  - [x] `task lint` clean (71 files, 1122 tests pass) — script-only change

Companion to signet-PR #131 (signet authority pubkey subcommand).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@jamestexas jamestexas merged commit 32a0bcd into main May 19, 2026
2 checks passed
@jamestexas jamestexas deleted the chore/dev-bootstrap-interlace-pubkey-isolated branch May 19, 2026 03:27