Cut over DID handling to cdi authority-based flow

.codex/environments/AGENTS.md

@@ -0,0 +1,21 @@
+# AGENTS.md (.codex/environments)
+
+## Purpose
+- Define local Codex environment setup for deterministic worktree onboarding.
+- Keep environment bootstrap reproducible without committing secrets.
+
+## Rules
+- Keep setup script idempotent and fail-fast when required shared env keys are missing.
+- Keep `environment.toml` setup/actions aligned with workspace scripts in `package.json`.
+- Use `scripts/env/sync-worktree-env.sh` as the single generator for local `.env` files.
+- Do not commit secret-bearing `.env` files; only commit templates (`.env.example`).
+- If env contract keys change, update these together in one change:
+  - `scripts/env/sync-worktree-env.sh`
+  - `.env.example`
+  - `apps/*/.env.example`
+  - `README.md`
+  - repository/app `AGENTS.md` files with env guidance
+
+## Validation
+- `pnpm env:sync` should fail with a clear error when shared source is missing.
+- `pnpm env:sync` should produce deterministic output for root/app env files.

.codex/environments/environment.toml

@@ -0,0 +1,39 @@
+[setup_scripts]
+default_script = "bash ./scripts/env/sync-worktree-env.sh"
+default_script_macos = "bash ./scripts/env/sync-worktree-env.sh"
+default_script_windows = "powershell -NoProfile -ExecutionPolicy Bypass -Command \"bash ./scripts/env/sync-worktree-env.sh\""
+
+[[actions]]
+name = "Sync Env"
+icon = "gear"
+script = "pnpm env:sync"
+script_macos = "pnpm env:sync"
+script_windows = "pnpm env:sync"
+
+[[actions]]
+name = "Registry Local"
+icon = "play"
+script = "pnpm dev:registry:local"
+script_macos = "pnpm dev:registry:local"
+script_windows = "pnpm dev:registry:local"
+
+[[actions]]
+name = "Proxy Local"
+icon = "play"
+script = "pnpm dev:proxy:local"
+script_macos = "pnpm dev:proxy:local"
+script_windows = "pnpm dev:proxy:local"
+
+[[actions]]
+name = "Typecheck"
+icon = "check"
+script = "pnpm -r typecheck"
+script_macos = "pnpm -r typecheck"
+script_windows = "pnpm -r typecheck"
+
+[[actions]]
+name = "Tests"
+icon = "check"
+script = "pnpm -r test"
+script_macos = "pnpm -r test"
+script_windows = "pnpm -r test"

.dockerignore

@@ -0,0 +1,65 @@
+# Rust
+target/
+Cargo.lock
+**/*.rs.bk
+
+# Node
+node_modules/
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+package-lock.json
+yarn.lock
+
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+env/
+venv/
+*.egg-info/
+dist/
+build/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+.DS_Store
+
+# Git
+.git/
+.gitignore
+
+# Testing
+*.test
+*.spec
+.coverage
+htmlcov/
+.pytest_cache/
+
+# Logs
+logs/
+*.log
+
+# Local test artifacts
+tests/local/mock-registry/target/
+tests/local/mock-proxy/target/
+
+# Docker
+Dockerfile*
+docker-compose*.yml
+.dockerignore
+
+# Docs build
+docs/_build/
+site/
+
+# Temporary files
+tmp/
+temp/
+*.tmp

.env.example

@@ -0,0 +1,55 @@
+# Clawdentity shared local env template
+#
+# Copy this file to ~/.clawdentity/worktree.env and set real values.
+# Then run: pnpm env:sync
+#
+# Optional override for non-default source path:
+#   export CLAWDENTITY_SHARED_ENV_FILE=/absolute/path/to/worktree.env
+
+# Required keys
+CLAWDENTITY_REGISTRY_URL=http://127.0.0.1:8788
+CLAWDENTITY_PROXY_URL=http://127.0.0.1:8787
+BOOTSTRAP_SECRET=replace-with-random-secret
+BOOTSTRAP_INTERNAL_SERVICE_ID=replace-with-internal-service-id
+BOOTSTRAP_INTERNAL_SERVICE_SECRET=replace-with-internal-service-secret
+REGISTRY_SIGNING_KEY=replace-with-base64url-ed25519-private-key
+REGISTRY_SIGNING_KEYS=[{"kid":"reg-dev-key-1","alg":"EdDSA","crv":"Ed25519","x":"replace-with-base64url-ed25519-public-key","status":"active"}]
+
+# Optional keys
+APP_VERSION=local-dev
+EVENT_BUS_BACKEND=memory
+OPENCLAW_BASE_URL=http://127.0.0.1:18789
+INJECT_IDENTITY_INTO_MESSAGE=true
+
+# CLI/user profile overrides
+# CLAWDENTITY_API_KEY=clw_pat_replace_me
+# CLAWDENTITY_HUMAN_NAME=Your Name
+
+# Connector/OpenClaw optional overrides
+# CLAWDENTITY_PROXY_WS_URL=ws://127.0.0.1:8787/v1/relay/connect
+# CLAWDENTITY_CONNECTOR_BASE_URL=http://127.0.0.1:19400
+# CLAWDENTITY_CONNECTOR_OUTBOUND_PATH=/v1/outbound
+# OPENCLAW_HOOK_PATH=/hooks/agent
+# OPENCLAW_HOOK_TOKEN=replace-with-random-token
+# OPENCLAW_GATEWAY_TOKEN=replace-with-openclaw-gateway-token
+# OPENCLAW_HOME=~/.openclaw
+# OPENCLAW_STATE_DIR=~/.openclaw
+# OPENCLAW_CONFIG_PATH=~/.openclaw/openclaw.json
+# CLAWDBOT_STATE_DIR=~/.clawdbot
+# CLAWDBOT_CONFIG_PATH=~/.clawdbot/clawdbot.json
+# OPENCLAW_GATEWAY_APPROVAL_COMMAND=openclaw
+
+# Proxy runtime tuning optional overrides
+# CRL_REFRESH_INTERVAL_MS=300000
+# CRL_MAX_AGE_MS=900000
+# CRL_STALE_BEHAVIOR=fail-open
+# AGENT_RATE_LIMIT_REQUESTS_PER_MINUTE=60
+# AGENT_RATE_LIMIT_WINDOW_MS=60000
+# RELAY_QUEUE_MAX_MESSAGES_PER_AGENT=500
+# RELAY_QUEUE_TTL_SECONDS=3600
+# RELAY_RETRY_INITIAL_MS=1000
+# RELAY_RETRY_MAX_MS=30000
+# RELAY_RETRY_MAX_ATTEMPTS=25
+# RELAY_RETRY_JITTER_RATIO=0.2
+# RELAY_MAX_IN_FLIGHT_DELIVERIES=5
+# RELAY_MAX_FRAME_BYTES=1048576

.github/AGENTS.md

@@ -2,13 +2,82 @@
 
 ## Purpose
 - Keep CI workflows deterministic and aligned with local tooling versions.
+- Keep deployment workflows explicit, auditable, and recoverable.
 
 ## CI Rules
 - Pin Node and pnpm versions explicitly in workflow steps.
 - Use `fetch-depth: 0` when running `nx affected`.
 - Compute and export `NX_BASE` and `NX_HEAD` before invoking affected commands.
 - Run root lint (`pnpm lint`) before affected tasks to keep style checks global.
+- Avoid duplicate CI runs for PR updates by limiting `push` triggers to long-lived branches (`main`, `develop`) and using `pull_request` for feature branches.
 
 ## Quality Gates
-- CI command order: install -> base/head setup -> lint -> affected checks.
+- CI command order: install -> base/head setup -> file-size guard (`pnpm check:file-size`) -> lint -> affected checks.
 - Affected checks in CI must include `lint`, `format`, `typecheck`, `test`, and `build`.
+- File-size guard scope: tracked source files under `apps/**` and `packages/**`, hard limit `800` lines, excluding `dist`, `.wrangler`, `worker-configuration.d.ts`, `drizzle/meta`, and `node_modules`.
+
+## Deployment Rules (Develop)
+- `deploy-develop.yml` runs on pushes to `develop`.
+- Run full quality gates before deployment: `pnpm lint`, `pnpm -r typecheck`, `pnpm -r build`, `pnpm -r test`.
+- Deploy both workers in the same workflow:
+  - registry (`apps/registry`, env `dev`) with D1 migration apply before deploy
+  - proxy (`apps/proxy`, env `dev`) after registry health passes
+- Install dependencies before any `pnpm exec wrangler ...` command so Wrangler is available on clean runners.
+- Regenerate Worker type bindings in CI with dotenv overlays disabled (`pnpm -F @clawdentity/registry run types:dev` and `pnpm -F @clawdentity/proxy run types:dev`) and fail on git diff drift for `worker-configuration.d.ts` to prevent stale runtime binding types from shipping.
+- Sync proxy internal-service credentials from GitHub secrets on every deploy:
+  - `BOOTSTRAP_INTERNAL_SERVICE_ID`
+  - `BOOTSTRAP_INTERNAL_SERVICE_SECRET`
+  - Push both values into proxy Worker secrets before proxy deploy.
+- Add a Wrangler preflight dry-run for both workers before mutating remote state (migrations/deploy):
+  - `wrangler deploy --env dev --dry-run --var APP_VERSION:<sha>`
+- Verify registry health at `https://dev.registry.clawdentity.com/health` and verify proxy health via deployed URL (workers.dev or explicit override) with expected `APP_VERSION`.
+- Add Wrangler deployment existence checks for both services after each deploy (`wrangler deployments list --env dev --json`) before endpoint health probes.
+- Health verification should use bounded retries (for example 3 minutes with 10-second polling) and `Cache-Control: no-cache` requests to tolerate short edge propagation delays after deploy.
+- When using Python `urllib` for health checks, always set explicit request headers (`Accept: application/json` and a custom `User-Agent` such as `Clawdentity-CI/1.0`) because Cloudflare may return `403`/`1010` for the default `Python-urllib/*` user agent.
+- Use workflow concurrency groups to prevent overlapping deploys for the same environment.
+- Run Wrangler through workspace tooling (`pnpm exec wrangler`) in CI so commands work without a global Wrangler install on GitHub runners.
+
+## Release Rules (CLI)
+- `publish-cli.yml` is manual (`workflow_dispatch`) and must accept `release_type` (`patch`/`minor`/`major`) + `dist_tag` inputs.
+- Compute the next CLI version in CI from the currently published npm `clawdentity` version (fallback `0.0.0` if first publish), then bump `apps/cli/package.json` in the workflow.
+- Fail publish early if the computed target version already exists on npm.
+- Serialize CLI publishes with a single global workflow concurrency group to avoid parallel release races across branches.
+- Build workspace libraries consumed by CLI tests (`@clawdentity/protocol`, `@clawdentity/sdk`, `@clawdentity/connector`) before running `pnpm -F clawdentity test` on clean runners.
+- Run CLI quality gates before publish: `pnpm -F clawdentity lint`, `typecheck`, `test`, `build`.
+- Run npm release commands (`pkg set`, `pack`, `publish`) with `working-directory: apps/cli`; avoid `npm --prefix apps/cli ...` for pack/publish because npm may target the workspace root manifest on monorepos missing a root `version`.
+- Validate packaged artifact contents using `npm pack --dry-run --json` file metadata (not grepping console notices), because npm file-list notices are not guaranteed on stdout.
+- Keep `npm pack --dry-run --json` deterministic by forcing `NPM_CONFIG_COLOR=false`, `NPM_CONFIG_LOGLEVEL=silent`, and `NPM_CONFIG_PROGRESS=false`, then parsing the `files` list instead of relying on noisy stderr/stdout lines that vary per npm version.
+- Keep `apps/cli/package.json` `repository.url` pinned to `https://github.com/vrknetha/clawdentity`; npm provenance publish will fail if repository metadata is missing or mismatched.
+- Publish only package `apps/cli` as npm package `clawdentity`.
+- Keep published runtime manifest free of `workspace:*` runtime dependencies.
+- Use npm provenance (`--provenance`) and require `NPM_TOKEN` secret.
+
+## Secrets and Permissions
+- Required deploy secrets:
+  - `CLOUDFLARE_API_TOKEN`
+  - `CLOUDFLARE_ACCOUNT_ID`
+  - `BOOTSTRAP_INTERNAL_SERVICE_ID`
+  - `BOOTSTRAP_INTERNAL_SERVICE_SECRET`
+- Mirror to `CF_API_TOKEN` and `CF_ACCOUNT_ID` for tooling compatibility.
+- Optional deploy secrets:
+  - `REGISTRY_HEALTH_URL` (only needed when dev registry health endpoint is not `https://dev.registry.clawdentity.com`; CI falls back to that URL by default).
+  - `PROXY_HEALTH_URL` (only needed when dev proxy health endpoint is not `https://dev.proxy.clawdentity.com`; CI now falls back to that URL if workers.dev output is unavailable).
+- Required publish secret: `NPM_TOKEN`.
+- Keep Cloudflare token scope minimal for current workflows:
+  - `Workers Scripts:Edit`
+  - `Workers Routes:Edit` (zone-level, custom domains)
+  - `D1:Edit`
+  - add `Cloudflare Pages:Edit` only when Pages deploy workflow is introduced.
+
+## Migration Rollback Strategy (Develop)
+- Capture pre-deploy artifacts:
+  - `pnpm exec wrangler --cwd apps/registry deployments list --env dev --json`
+  - `pnpm exec wrangler --cwd apps/proxy deployments list --env dev --json || true` (non-blocking for first deploy before proxy Worker exists)
+  - `pnpm exec wrangler d1 time-travel info clawdentity-db-dev --timestamp <predeploy-ts> --json`
+  - `pnpm exec wrangler d1 export clawdentity-db-dev --remote --output "${GITHUB_WORKSPACE}/artifacts/<file.sql>"`
+- Keep deploy snapshot collection non-blocking for Worker deployment listings (pre and post) so rollback artifact capture does not fail the workflow when a Worker has no prior deployment history.
+- Upload artifacts on every run for operator recovery.
+- On failed deploy:
+  - Registry rollback: `pnpm exec wrangler --cwd apps/registry rollback <version-id> --env dev`
+  - Proxy rollback: `pnpm exec wrangler --cwd apps/proxy rollback <version-id> --env dev`
+  - DB rollback: `pnpm exec wrangler d1 time-travel restore clawdentity-db-dev --env dev --timestamp <predeploy-ts>`

.github/workflows/ci.yml

@@ -1,6 +1,33 @@
 name: CI
-on: [push, pull_request]
+on:
+  push:
+    branches:
+      - main
+      - develop
+  pull_request:
+    branches:
+      - main
+      - develop
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 jobs:
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      rust: ${{ steps.filter.outputs.rust }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            rust:
+              - 'crates/**'
+
   check:
     runs-on: ubuntu-latest
     steps:
@@ -29,5 +56,21 @@ jobs:
             echo "NX_BASE=$BASE_SHA" >> "$GITHUB_ENV"
             echo "NX_HEAD=${{ github.sha }}" >> "$GITHUB_ENV"
           fi
+      - run: pnpm check:file-size
+      - run: pnpm check:structural || true
       - run: pnpm lint
       - run: pnpm affected:ci
+
+  rust:
+    needs: changes
+    if: needs.changes.outputs.rust == 'true'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: crates
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - run: cargo check --workspace
+      - run: cargo clippy --workspace --all-targets -- -D warnings
+      - run: cargo test --workspace