Skip to content

feat(registry): add label signing#1922

Merged
ascorbic merged 1 commit into
feat/plugin-registry-labelling-servicefrom
feat/labeller-09-label-crypto
Jul 10, 2026
Merged

feat(registry): add label signing#1922
ascorbic merged 1 commit into
feat/plugin-registry-labelling-servicefrom
feat/labeller-09-label-crypto

Conversation

@ascorbic

Copy link
Copy Markdown
Collaborator

What does this PR do?

Adds real ATProto label v1 signing and verification to @emdash-cms/registry-moderation.

  • Binds a P-256 private scalar to its issuer DID's exact #atproto_label key before issuing labels.
  • Signs canonical DRISL CBOR with the correct high-level atcute API path.
  • Verifies labels against strict DID Multikey, scalar, signature, datetime, CID, and UTF-8 value validation.
  • Requires runtime-verified labels before release eligibility evaluation.
  • Adds 60 package tests, including independent @atproto/crypto cross-verification against the implemented signer.

Implements W1.4 from #1909. No routes or consumers are integrated in this PR.

Related to #1909 and #694.

Type of change

  • Bug fix
  • Feature (requires maintainer-approved Discussion)
  • Refactor (no behavior change)
  • Translation
  • Documentation
  • Performance improvement
  • Tests
  • Chore (dependencies, CI, tooling)

Checklist

  • I have read CONTRIBUTING.md
  • pnpm typecheck passes
  • pnpm lint passes
  • pnpm test passes (or targeted tests for my change)
  • pnpm format has been run
  • I have added/updated tests for my changes (if applicable)
  • User-visible strings in the admin UI are wrapped for translation (if applicable). Do not include messages.po changes except in translation PRs — a workflow extracts catalogs on merge to main.
  • I have added a changeset (if this PR changes a published package)
  • New features link to an approved Discussion: RFC RFC: Decentralized Plugin Registry #694

Admin i18n is not applicable because this package has no user interface.

AI-generated code disclosure

  • This PR includes AI-generated code — model/tool: OpenCode with GPT-5.6-sol and independent review subagents

Screenshots / test output

  • pnpm build passes
  • pnpm --filter @emdash-cms/registry-moderation typecheck passes
  • pnpm --filter @emdash-cms/registry-moderation test: 60 passed
  • pnpm test:unit: 4,599 passed, 3 skipped
  • pnpm lint passes
  • publint passes
  • git diff --check passes

attw --pack retains its existing internal filename crash after publint succeeds; the same crash reproduces in @emdash-cms/registry-client.

@changeset-bot

changeset-bot Bot commented Jul 10, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 625b173

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes changesets to release 1 package
Name Type
@emdash-cms/registry-moderation Patch

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@github-actions

Copy link
Copy Markdown
Contributor

Scope check

This PR changes 669 lines across 7 files. Large PRs are harder to review and more likely to be closed without review.

If this scope is intentional, no action needed. A maintainer will review it. If not, please consider splitting this into smaller PRs.

See CONTRIBUTING.md for contribution guidelines.

@github-actions github-actions Bot added the review/needs-review No maintainer or bot review yet label Jul 10, 2026
@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs
emdash-playground 625b173 Jul 10 2026, 03:35 PM

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 10, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs
emdash-demo-do 625b173 Jul 10 2026, 03:39 PM

@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs
emdash-demo-cache 625b173 Jul 10 2026, 03:35 PM

@ascorbic ascorbic merged commit a01683b into feat/plugin-registry-labelling-service Jul 10, 2026
8 checks passed
@ascorbic ascorbic deleted the feat/labeller-09-label-crypto branch July 10, 2026 15:42

@emdashbot emdashbot Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a focused, well-structured addition of ATProto label v1 signing/verification to @emdash-cms/registry-moderation and I don’t see any blocking issues.

Approach judgment: The change matches the PR description and the referenced RFC #694. Requiring runtime-verified labels before release eligibility evaluation (via a module-private symbol brand) is the right defensive posture for a moderation package, and keeping the verify/evaluate split lets callers that already have verified labels skip redundant crypto work. Binding the signer’s private scalar against the issuer DID’s exact #atproto_label Multikey before signing, and round-trip-canonicalizing labels on verify, aligns with how ATProto signing is meant to work.

What I checked:

  • Full source file, tests, fixture, package.json, pnpm-lock.yaml, and the root pnpm-workspace.yaml catalog versions.
  • No other repo consumers call evaluateReleaseModeration/verifyAndEvaluateReleaseModeration yet, so the breaking change to the evaluator input type (ModerationLabel[]VerifiedModerationLabel[]) has no in-tree fallout.
  • Validation paths for DIDs, URIs, CID round-trips, RFC 3339 timestamps, printable UTF-8 label values, and the P-256 scalar range look correct.
  • The signature path signs canonical DRISL CBOR produced by validateLabelObject and verifies the same canonical bytes on the other side, so the signer/verifier pair is internally consistent.
  • The @atproto/crypto cross-check in label-crypto.test.ts exercises the produced signature against a separate implementation.
  • Package dependencies use workspace catalog versions already pinned at the desired releases; the lockfile churn is just deduplication of @atcute/cbor onto the catalog version.
  • Conventions: tabs/format match the repo, changeset is present, no admin UI strings to localize, no SQL/routes/migrations involved.

Unverified statically: I can’t run the test suite from this environment, so I’m taking the author’s reported test/lint/type results at face value. I also can’t independently assert that @atcute/cbor’s default encode() emits the exact byte-for-byte canonical form the broader ATProto ecosystem expects, but the signer and verifier use the same encoder and the cross-verification checks that the produced signature is valid for those bytes.

All told, this looks ready to land.

@github-actions github-actions Bot added review/approved Approved; no new commits since and removed review/needs-review No maintainer or bot review yet labels Jul 10, 2026
@ascorbic ascorbic mentioned this pull request Jul 10, 2026
81 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cla: signed review/approved Approved; no new commits since size/XL

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant