Summary
- Phase 1 (crypto crate): Added `verify_genesis_op` pure function and `VerifiedGenesisOp` struct to `crates/crypto/src/plc.rs`. Takes a signed genesis op JSON string and a rotation key, verifies the ECDSA-SHA256 signature, derives the DID (SHA-256 of signed CBOR → base32-lowercase, first 24 chars), and returns extracted op fields.
- Phase 2 (relay crate): Rewrote `POST /v1/dids` handler in `crates/relay/src/routes/create_did.rs`. Replaced relay-signing model with device-signing: client submits a pre-signed genesis op, relay verifies it and promotes the account. Added semantic validation (handle, PDS endpoint, rotation key match), retry resilience via `pending_did` pre-store, atomic account promotion transaction, and DID document construction from verified op fields.
- Tests: 5 crypto unit tests (AC1.1–AC1.5) + 9 relay integration tests (AC2.1–AC2.6, AC3.1–AC3.7, AC4.1–AC4.3). All 269 workspace tests pass.
- Bruno: Updated `create-did.bru` to new request shape (`rotationKeyPublic` + `signedCreationOp`).
Test Plan
- `cargo test --workspace` — 269 tests pass, 0 failures
- `cargo clippy --workspace -- -D warnings` — zero warnings
- `cargo fmt --all --check` — clean
- Review `docs/test-plans/2026-03-13-MM-90.md` for manual verification steps (Bruno API collection, end-to-end DID ceremony flow, semantic validation isolation scenarios)
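
The DID derivation and the three semantic checks named in the summary, as an added Python sketch (not the PR's Rust code). The op field names (`rotationKeys`, `alsoKnownAs`, `services.atproto_pds.endpoint`) follow the did:plc operation format and are assumed here; `derive_did`, `semantic_errors` and the sample values are hypothetical, and signature verification and CBOR encoding are assumed to have happened already.

```python
import base64
import hashlib
import json


def derive_did(signed_cbor: bytes) -> str:
    """SHA-256 of the signed op's CBOR bytes, base32-lowercase, first 24 chars."""
    digest = hashlib.sha256(signed_cbor).digest()
    return "did:plc:" + base64.b32encode(digest).decode("ascii").lower()[:24]


def semantic_errors(op_json: str, rotation_key: str, handle: str, pds_endpoint: str) -> list:
    """Compare a genesis op (signature already verified) with what the relay expects.

    The relay-side values (handle, PDS endpoint) come from the relay's own
    account state, never from the client-supplied op itself.
    """
    try:
        op = json.loads(op_json)
    except json.JSONDecodeError:
        return ["op is not valid JSON"]
    if not isinstance(op, dict):
        return ["op is not a JSON object"]
    errors = []
    keys = op.get("rotationKeys")
    if not isinstance(keys, list) or rotation_key not in keys:
        errors.append("submitted rotation key not in rotationKeys")
    aka = op.get("alsoKnownAs")
    if not isinstance(aka, list) or f"at://{handle}" not in aka:
        errors.append("handle mismatch")
    services = op.get("services")
    pds = services.get("atproto_pds") if isinstance(services, dict) else None
    if not isinstance(pds, dict) or pds.get("endpoint") != pds_endpoint:
        errors.append("PDS endpoint mismatch")
    return errors


# Constructed sample values, not real keys or accounts.
SAMPLE_KEY = "did:key:zEXAMPLE-ROTATION-KEY"
SAMPLE_OP = json.dumps({
    "type": "plc_operation",
    "prev": None,
    "rotationKeys": [SAMPLE_KEY],
    "alsoKnownAs": ["at://alice.example.test"],
    "services": {"atproto_pds": {"type": "AtprotoPersonalDataServer",
                                 "endpoint": "https://pds.example.test"}},
    "sig": "constructed-placeholder",
})
```

Because the DID is computed from the signed bytes rather than accepted from the request, a client cannot claim an identifier that its op does not hash to.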