feat(nip-oa): Owner Attestation — cryptographic proof of agent authorization #406
Merged
…ization

Implements NIP-OA (Owner Attestation) across the full agent pipeline: Desktop → ACP → MCP → signed events.

Key features:
- SDK crypto primitives: compute, verify, parse auth tags
- Conditions validation per spec (kind=, created_at<, created_at>)
- Canonical decimal enforcement, no leading zeros
- MCP: sign_event() injection + send_event() defense-in-depth
- Desktop: atomic key snapshot, fail-closed, profile sync injection
- ACP: SPROUT_AUTH_TAG env var forwarding

94 SDK tests + 77 MCP tests. Codex CLI: 9.3/10 APPROVE.
* origin/main:
  Add multi-workspace support to desktop app (#409)
  feat(mobile): add #channel autocomplete to compose bar (#411)
  fix: close race window that dropped active channel messages (#410)
  feat(pulse): rich text editor with @mentions, media uploads, and formatting (#407)
  feat(mobile): multi-workspace support (#408)
  feat: always notify on DM messages like Slack/Discord (#405)
Summary
Implements NIP-OA (Owner Attestation) across the full agent pipeline: Desktop → ACP → MCP → signed events.
When a human creates an agent in the desktop app, the owner key signs a reusable Schnorr credential (auth tag) proving the agent was authorized. This tag is transparently injected into every event the agent publishes — zero agent awareness required.

Tag Format
Verifiers confirm the signature to prove the agent was authorized — without the owner key ever touching the agent runtime.
Security Properties
- sign_event() enforces exactly 0 or 1 auth tags
- send_event() validates pubkey binding + tag content

Files Changed (15)
- nip_oa.rs (new)
- lib.rs
- main.rs: resolve_auth_tag() startup helper + 6 tests
- relay_client.rs: sign_event() injection, send_event() validation
- server.rs: sign_event()
- main.rs: SPROUT_AUTH_TAG env var + 4 tests
- commands/agents.rs
- commands/agent_models.rs
- managed_agents/types.rs: auth_tag field + serde compat + 2 tests
- managed_agents/runtime.rs
- relay.rs: build_profile_event() + inject + 3 tests
- Cargo.toml/Cargo.lock
- check-file-sizes.mjs
- e2e_mcp.rs

Test Coverage
- resolve_auth_tag() startup helper (valid, missing, empty, malformed, bad sig, non-Unicode)
- sign_event() injection + boundary enforcement
- send_event() defense-in-depth (forged tag, unconfigured, wrong pubkey)

Design Decisions
sprout-sdk RelayClient::sign_event()

Backward Compatibility
Pre-existing agents have auth_tag: None via #[serde(default)]. They work without attestation. Re-attestation requires agent recreation (v2 scope).

Out of Scope (v1)
- bot tag in kind:0 profiles (separate PR)
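
The conditions check named in the commit message (kind=, created_at<, created_at>, canonical decimals with no leading zeros), sketched in Rust as an added example; it is not the PR's nip_oa.rs code. The '&' clause separator, the rule that all clauses must hold, the treatment of an empty string as unconditional, and every type and function name are assumptions, since the page does not show the tag format.

```rust
// Added illustration; not the sprout-sdk nip_oa.rs code.
// Assumptions: clauses joined with '&', all clauses must hold, "" = unconditional.
#[derive(Debug, PartialEq)]
pub enum Cond { Kind(u64), Before(u64), After(u64) }

// Canonical decimal: ASCII digits only, no leading zeros ("0" alone is valid).
// str::parse by itself would also accept "+1" and "007".
fn canonical_u64(s: &str) -> Result<u64, String> {
    if s.is_empty() || !s.bytes().all(|b| b.is_ascii_digit()) {
        return Err(format!("not a decimal: {:?}", s));
    }
    if s.len() > 1 && s.starts_with('0') {
        return Err(format!("leading zero: {:?}", s));
    }
    s.parse::<u64>().map_err(|_| format!("out of range: {:?}", s))
}

pub fn parse_conditions(raw: &str) -> Result<Vec<Cond>, String> {
    if raw.is_empty() { return Ok(Vec::new()); }
    raw.split('&').map(|clause| {
        if let Some(v) = clause.strip_prefix("kind=") {
            canonical_u64(v).map(Cond::Kind)
        } else if let Some(v) = clause.strip_prefix("created_at<") {
            canonical_u64(v).map(Cond::Before)
        } else if let Some(v) = clause.strip_prefix("created_at>") {
            canonical_u64(v).map(Cond::After)
        } else {
            Err(format!("unknown clause: {:?}", clause))
        }
    }).collect()
}

// Fail closed: a conditions string that does not parse rejects the event.
pub fn event_allowed(raw: &str, kind: u64, created_at: u64) -> bool {
    match parse_conditions(raw) {
        Ok(conds) => conds.iter().all(|c| match *c {
            Cond::Kind(k) => kind == k,
            Cond::Before(t) => created_at < t,
            Cond::After(t) => created_at > t,
        }),
        Err(_) => false,
    }
}

fn main() {
    // Constructed sample values, not taken from the PR.
    println!("{}", event_allowed("kind=1&created_at<1700000000", 1, 1699999999));
    println!("{}", event_allowed("kind=01", 1, 0));
}
```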