refactor: MASSIVE refactor creating auths-api, separated concerns with auths-sdk

Cargo.toml

@@ -57,6 +57,7 @@ auths-index = { path = "crates/auths-index", version = "0.0.1-rc.9" }
 auths-telemetry = { path = "crates/auths-telemetry", version = "0.0.1-rc.9" }
 auths-crypto = { path = "crates/auths-crypto", version = "0.0.1-rc.9", default-features = false }
 auths-sdk = { path = "crates/auths-sdk", version = "0.0.1-rc.9" }
+auths-api = { path = "crates/auths-api", version = "0.0.1-rc.9" }
 auths-infra-git = { path = "crates/auths-infra-git", version = "0.0.1-rc.9" }
 auths-infra-http = { path = "crates/auths-infra-http", version = "0.0.1-rc.9" }
 auths-jwt = { path = "crates/auths-jwt", version = "0.0.1-rc.9" }

crates/auths-api/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "auths-api"
-edition = "2021"
+edition = "2024"
 version.workspace = true
 license.workspace = true
 rust-version.workspace = true
@@ -19,6 +19,10 @@ auths-sdk = { workspace = true }
 auths-core = { workspace = true }
 auths-policy = { workspace = true }
 auths-storage = { workspace = true }
+auths-verifier = { workspace = true, features = ["native"] }
+auths-transparency = { workspace = true, features = ["native"] }
+auths-oidc-port = { path = "../auths-oidc-port", version = "0.0.1-rc.9" }
+auths-infra-http = { workspace = true }
 
 # Domain services
 async-trait = "0.1"
@@ -33,19 +37,27 @@ serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 chrono = { version = "0.4", features = ["serde"] }
 uuid = { workspace = true, features = ["serde"] }
+json-canon = { workspace = true }
+html-escape = "0.2"
 
 # Crypto & hashing
 ring = { workspace = true }
 base64 = { workspace = true }
 sha2 = "0.10"
 subtle = { workspace = true }
+zeroize = "1.8"
+ssh-key = "0.6"
+hex = "0.4"
 
 # Error handling
 thiserror = { workspace = true }
 
 # Concurrency
 dashmap = "6"
 
+# Network
+url = { version = "2", features = ["serde"] }
+
 # Persistence
 redis = { version = "0.26", features = ["aio", "tokio-comp"] }
 
@@ -57,6 +69,9 @@ tracing-subscriber = "0.3"
 tokio = { version = "1", features = ["macros", "rt", "time"] }
 reqwest = { version = "0.12", features = ["json"] }
 serde_json = "1"
+tempfile = "3"
+auths-storage = { workspace = true, features = ["backend-git"] }
+git2 = { workspace = true }
 
 [lints]
 workspace = true

crates/auths-api/src/app.rs

@@ -3,19 +3,23 @@ use std::sync::Arc;
 
 use crate::domains::agents::routes as agent_routes;
 use crate::persistence::AgentPersistence;
+use auths_core::storage::keychain::KeyStorage;
+use auths_id::storage::registry::RegistryBackend;
 use auths_sdk::domains::agents::AgentRegistry;
 
 /// Application state shared across all handlers
 #[derive(Clone)]
 pub struct AppState {
     pub registry: Arc<AgentRegistry>,
     pub persistence: Arc<AgentPersistence>,
+    pub registry_backend: Arc<dyn RegistryBackend + Send + Sync>,
+    pub keychain: Arc<dyn KeyStorage + Send + Sync>,
 }
 
 /// Build the complete API router
 /// Composes routes from all domains
 pub fn build_router(state: AppState) -> Router {
-    Router::new().nest("/v1", agent_routes(state.clone()))
+    Router::new().nest("/v1", agent_routes::routes(state.clone()))
     // Future domains will be nested here:
     // .nest("/v1", developer_routes(state.clone()))
     // .nest("/v1", organization_routes(state.clone()))

crates/auths-api/src/domains/agents/handlers.rs

@@ -1,35 +1,118 @@
 use axum::{
+    Json,
     extract::{Path, State},
     http::StatusCode,
-    Json,
 };
 use serde::Serialize;
+use uuid::Uuid;
+use zeroize::Zeroizing;
 
 use crate::AppState;
+use auths_core::error::AgentError as CoreAgentError;
+use auths_core::signing::PassphraseProvider;
+use auths_core::storage::keychain::KeyAlias;
+use auths_id::identity::initialize::initialize_registry_identity;
 use auths_sdk::domains::agents::{
-    AgentService, AgentSession, AuthorizeRequest, AuthorizeResponse, ProvisionRequest,
+    AgentError, AgentService, AgentSession, AuthorizeRequest, AuthorizeResponse, ProvisionRequest,
     ProvisionResponse,
 };
+use auths_verifier::IdentityDID;
+
+/// Simple passphrase provider for agent key storage.
+/// Uses a fixed server-configured value.
+struct AgentPassphraseProvider {
+    passphrase: String,
+}
+
+impl PassphraseProvider for AgentPassphraseProvider {
+    fn get_passphrase(&self, _prompt: &str) -> Result<Zeroizing<String>, CoreAgentError> {
+        Ok(Zeroizing::new(self.passphrase.clone()))
+    }
+}
+
+/// Convert an AgentError to an HTTP response tuple.
+fn agent_error_to_http(error: &AgentError) -> (StatusCode, String) {
+    match error {
+        AgentError::AgentNotFound { agent_did } => (
+            StatusCode::NOT_FOUND,
+            format!("Agent not found: {}", agent_did),
+        ),
+        AgentError::AgentRevoked { agent_did } => (
+            StatusCode::UNAUTHORIZED,
+            format!("Agent is revoked: {}", agent_did),
+        ),
+        AgentError::AgentExpired { agent_did } => (
+            StatusCode::UNAUTHORIZED,
+            format!("Agent has expired: {}", agent_did),
+        ),
+        AgentError::CapabilityNotGranted { capability } => (
+            StatusCode::FORBIDDEN,
+            format!("Capability not granted: {}", capability),
+        ),
+        AgentError::DelegationViolation(e) => (
+            StatusCode::BAD_REQUEST,
+            format!("Delegation constraint violated: {}", e),
+        ),
+        AgentError::PersistenceError(e) => (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            format!("Persistence error: {}", e),
+        ),
+        _ => (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            "Unknown agent error".to_string(),
+        ),
+    }
+}
 
 /// Provision a new agent identity
 ///
 /// POST /v1/agents
 ///
-/// Request is signed with delegator's private key. Handler verifies signature,
-/// validates delegation constraints, provisions agent identity, and stores in registry + Redis.
+/// Creates a new KERI identity for the agent, stores encrypted keypairs in the keychain,
+/// validates delegation constraints, and stores the agent session in registry + Redis.
 pub async fn provision_agent(
     State(state): State<AppState>,
     Json(req): Json<ProvisionRequest>,
 ) -> Result<(StatusCode, Json<ProvisionResponse>), (StatusCode, String)> {
     #[allow(clippy::disallowed_methods)]
-    // INVARIANT: HTTP handler boundary, inject time at presentation layer
+    // INVARIANT: HTTP handler boundary, inject time and IDs at presentation layer
     let now = chrono::Utc::now();
 
+    #[allow(clippy::disallowed_methods)] // INVARIANT: HTTP handler boundary
+    let session_id = Uuid::new_v4();
+
+    // Create KERI identity for the agent at HTTP boundary
+    let passphrase_provider = AgentPassphraseProvider {
+        passphrase: "agent-key-secure-12chars".to_string(), // TODO: Use secure configuration
+    };
+    let key_alias = KeyAlias::new_unchecked(format!("agent-{}", session_id));
+
+    let (agent_did, _) = initialize_registry_identity(
+        state.registry_backend.clone(),
+        &key_alias,
+        &passphrase_provider,
+        &*state.keychain,
+        None, // no witness config for agents
+    )
+    .map_err(|e| {
+        (
+            StatusCode::INTERNAL_SERVER_ERROR,
+            format!("Failed to create agent identity: {}", e),
+        )
+    })?;
+
+    // Assign default capabilities if none provided (at HTTP boundary)
+    let mut provision_req = req;
+    if provision_req.capabilities.is_empty() {
+        use auths_verifier::Capability;
+        provision_req.capabilities = vec![Capability::sign_commit()];
+    }
+
     let service = AgentService::new(state.registry, state.persistence);
     let resp = service
-        .provision(req, now)
+        .provision(provision_req, session_id, agent_did, now)
         .await
-        .map_err(|e| (StatusCode::BAD_REQUEST, e))?;
+        .map_err(|e| agent_error_to_http(&e))?;
 
     Ok((StatusCode::CREATED, Json(resp)))
 }
@@ -59,7 +142,7 @@ pub async fn authorize_operation(
     let service = AgentService::new(state.registry, state.persistence);
     let resp = service
         .authorize(&req.agent_did, &req.capability, now)
-        .map_err(|e| (StatusCode::UNAUTHORIZED, e))?;
+        .map_err(|e| agent_error_to_http(&e))?;
 
     Ok((StatusCode::OK, Json(resp)))
 }
@@ -69,16 +152,19 @@ pub async fn authorize_operation(
 /// DELETE /v1/agents/{agent_did}
 pub async fn revoke_agent(
     State(state): State<AppState>,
-    Path(agent_did): Path<String>,
+    Path(agent_did_str): Path<String>,
 ) -> Result<StatusCode, (StatusCode, String)> {
     #[allow(clippy::disallowed_methods)] // INVARIANT: HTTP handler boundary
     let now = chrono::Utc::now();
 
+    let agent_did = IdentityDID::parse(&agent_did_str)
+        .map_err(|e| (StatusCode::BAD_REQUEST, format!("Invalid agent DID: {}", e)))?;
+
     let service = AgentService::new(state.registry, state.persistence);
     service
         .revoke(&agent_did, now)
         .await
-        .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e))?;
+        .map_err(|e| agent_error_to_http(&e))?;
 
     Ok(StatusCode::NO_CONTENT)
 }
@@ -143,11 +229,14 @@ pub async fn admin_stats(
 /// GET /v1/agents/{agent_did}
 pub async fn get_agent(
     State(state): State<AppState>,
-    Path(agent_did): Path<String>,
+    Path(agent_did_str): Path<String>,
 ) -> Result<(StatusCode, Json<AgentSession>), (StatusCode, String)> {
     #[allow(clippy::disallowed_methods)] // INVARIANT: HTTP handler boundary
     let now = chrono::Utc::now();
 
+    let agent_did = IdentityDID::parse(&agent_did_str)
+        .map_err(|e| (StatusCode::BAD_REQUEST, format!("Invalid agent DID: {}", e)))?;
+
     let session = state
         .registry
         .get(&agent_did, now)

crates/auths-api/src/domains/agents/mod.rs

@@ -6,9 +6,8 @@
 pub mod handlers;
 pub mod routes;
 
-// Re-export SDK domain types for convenience
 pub use auths_sdk::domains::agents::{
-    AgentRegistry, AgentService, AgentSession, AgentStatus, AuthorizeRequest, AuthorizeResponse,
-    ProvisionRequest, ProvisionResponse,
+    AgentError, AgentRegistry, AgentService, AgentSession, AgentStatus, AuthorizeRequest,
+    AuthorizeResponse, ProvisionRequest, ProvisionResponse,
 };
 pub use routes::routes;

crates/auths-api/src/domains/agents/routes.rs

@@ -1,6 +1,6 @@
 use axum::{
-    routing::{delete, get, post},
     Router,
+    routing::{delete, get, post},
 };
 
 use super::handlers::{

crates/auths-api/src/domains/auth/error.rs

@@ -0,0 +1 @@
+// Auth domain error types - will be populated in fn-92.3

crates/auths-api/src/domains/auth/mod.rs

@@ -0,0 +1,6 @@
+//! Auth domain - authentication and approval workflows
+
+pub mod error;
+pub mod service;
+pub mod types;
+pub mod workflows;

crates/auths-api/src/domains/auth/service.rs

@@ -0,0 +1,2 @@
+// Auth domain service - filled in fn-91.4
+// Will implement authentication and approval logic

crates/auths-api/src/domains/auth/types.rs

@@ -0,0 +1,2 @@
+// Auth domain types - request/response structures
+// Will be populated in fn-91.2/fn-91.3