Migrate DID method from did:claw to did:cdi

[vrknetha]

Summary

Hard cutover DID contract from legacy did:claw:* to DID v2:

did:cdi:<authority>:<agent|human>:<ulid>

Examples:

• did:cdi:registry.clawdentity.com:agent:01HG8ZBU11X7X8DN8O4X6GEYU5
• did:cdi:registry.clawdentity.com:human:01HF7YAT00W6W7CM7N3W5FDXT4
• did:cdi:id.acme.corp:agent:01HK9ABC22Y8Y9EO9P5Y7HFZV6

Final Contract (Authoritative)

• DID method is cdi.
• DID includes explicit entity segment (agent or human).
• DID includes authority host (<authority>) as trust boundary.
• No backward compatibility for did:claw:*.
• Single-authority-per-deployment model remains (no federation in this ticket).

Scope

Protocol

• parseDid() returns { method: "cdi", authority, entity, ulid }.
• makeAgentDid(authority, ulid) / makeHumanDid(authority, ulid) require authority.
• parseAgentDid() / parseHumanDid() enforce entity-specific DIDs.
• Authority format enforced as DNS hostname.

Claims / Validation

• AIT validation enforces:
  • sub is agent DID
  • ownerDid is human DID
  • issuer host matches DID authority
• CRL validation enforces:
  • revocation agentDid is agent DID
  • issuer host matches DID authority

Registry

• Agent/human DID issuance uses authority derived from issuer host.
• Ownership APIs enforce local-authority DID ownership (reject foreign-authority DIDs).

Proxy

• REGISTRY_URL / CLAWDENTITY_REGISTRY_URL are optional overrides.
• Default registry URL auto-resolves by environment:
  • production: https://registry.clawdentity.com
  • development/local: https://dev.registry.clawdentity.com
• Auth issuer expectation uses resolved registry origin (no hardcoded host special-casing).

Connector / CLI / Skill

• Connector runtime derives registry refresh origin from local AIT iss (no required runtime registryUrl input).
• CLI DID checks use protocol parsers (no string-prefix checks).
• OpenClaw skill peer DID parsing uses protocol parser (no duplicate legacy parser behavior).

Completion Checklist

• Protocol DID v2 rewrite completed.
• AIT/CRL validators migrated to entity-aware DID parsers and issuer-authority checks.
• Registry issuance/ownership enforcement updated to DID v2 semantics.
• Proxy registry URL autodiscovery and issuer expectation cleanup completed.
• Connector + CLI + skill DID/parser migrations completed.
• Legacy did:claw:* and .kind compatibility paths removed.
• Docs + AGENTS guidance updated to DID v2 contract.
• Validation gates passing: pnpm lint, pnpm -r typecheck, pnpm -r test, pnpm -r build.

Remaining Operational Tasks (Not Code)

• Recreate/reset D1 databases for environments.
• Re-run bootstrap + invite flows from empty state.
• Clear stale local identity/runtime state under ~/.clawdentity/states/* before re-onboarding.

Verification Notes

• Repository sweep confirms no legacy DID-v1 codepaths remain:
  • no did:claw literals
  • no .kind DID parsing fallback

[vrknetha]

Implemented additional Rust-side DID v2 cutover work on top of the TS cutover and merge-conflict resolution.

Added in this pass

• Migrated Rust core DID model to did:cdi:<authority>:<entity>:<ulid> in crates/clawdentity-core/src/identity/did.rs:
  • Added authority/entity-aware parser contract (DidEntity, ParsedDid { method, authority, entity, ulid })
  • Added parse_agent_did / parse_human_did
  • Added authority normalization + URL-host derivation helpers
  • Replaced legacy ClawDidKind assumptions
• Updated Rust validator callsites to new parser helpers:
  • verify.rs, registry/crl.rs, connector/frames.rs, runtime/server.rs, pairing/pairing.rs, pairing/peers.rs
• Enforced issuer-host to DID-authority checks in Rust AIT/CRL validation paths.
• Migrated Rust test fixtures and local harnesses from did:claw to did:cdi:
  • crates/clawdentity-core/src/** tests
  • crates/tests/local/mock-registry/src/** (DID authority derived from mock registry_url host)
  • crates/tests/local/mock-proxy/src/relay.rs
  • crates/tests/integration/scenarios/01-identity.sh regex updated for did:cdi
• Added Rust AGENTS guidance:
  • crates/clawdentity-core/src/AGENTS.md
  • crates/tests/local/mock-registry/src/AGENTS.md
  • crates/tests/local/mock-proxy/src/AGENTS.md
  • crates/tests/integration/scenarios/AGENTS.md

Test/Gate evidence

• Rust:
  • cargo test -p clawdentity-core ✅
  • cargo test --workspace ✅
• Workspace:
  • pnpm lint ✅ (existing non-blocking warnings only)
  • pnpm -r typecheck ✅
  • pnpm -r test ✅
  • pnpm -r build ✅

Additional fix folded in

• Proxy auth middleware tests were failing due issuer/config default mismatch after registry URL autodiscovery defaults.
• Fixed test harness config to pin REGISTRY_URL to the same issuer used in signed AIT/CRL fixtures:
  • apps/proxy/src/auth-middleware.test/helpers.ts
  • apps/proxy/src/auth-middleware.test/rotation.test.ts