@awebai/pi 0.1.10 → 0.1.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json
CHANGED
|
@@ -97,6 +97,7 @@ Bootstrap can be used in three broad modes:
|
|
|
97
97
|
|
|
98
98
|
- Use when you cannot or should not auto-provision from this run (for example, non-interactive environments or policy constraints).
|
|
99
99
|
- Bootstrap will print the next `aw init ...` commands to run inside each agent directory.
|
|
100
|
+
- If you are not already in an initialized aweb workspace, add --skip-roles and --skip-instructions so bootstrap does not try to install server-side state before any workspace is connected.
|
|
100
101
|
|
|
101
102
|
Policy guidance:
|
|
102
103
|
|
|
@@ -32,7 +32,9 @@ A workspace can hold any combination of these. For team-related files (`teams.ya
|
|
|
32
32
|
|
|
33
33
|
These two commands look similar and are not interchangeable. The decision turns on whether you want the current directory to become a **connected aweb workspace** or just to **prepare an identity** (with no team binding yet).
|
|
34
34
|
|
|
35
|
-
- **`aw id
|
|
35
|
+
- **`aw id namespace prepare-controller --domain <domain>`** — creates or reuses the local namespace controller key under `~/.awid/controllers/` and prints the `_awid.<domain>` DNS TXT value. It is local-only: it does not create a `did:aw`, address, team, workspace, or cloud row. Tell the human to keep `~/.awid` safe and backed up; this key controls the namespace.
|
|
36
|
+
- **`aw id namespace check-txt --domain <domain>`** — read-only DNS propagation check. It verifies that `_awid.<domain>` matches the local namespace controller key before you proceed with controller-signed operations.
|
|
37
|
+
- **`aw id create --domain <domain> --name <name>`** — creates a standalone global identity (`did:key` + `did:aw` + DNS-backed address) and registers it in AWID. Writes `.aw/identity.yaml` and `.aw/signing.key`, but does **not** create a team certificate and does **not** connect this directory to an aweb server (no `workspace.yaml` server binding, no `teams.yaml` membership entry, no `team-certs/*.pem`). Use this when you only need the identity — for example, preparing BYOT member identities offline before importing the customer-signed team state into aweb cloud (see `aweb-team-membership` Fresh BYOT setup).
|
|
36
38
|
|
|
37
39
|
- **`aw init`** — workspace onboarding. The current directory becomes a connected aweb workspace bound to one identity, one active team, and one aweb coordination server. Three onboarding flows are supported:
|
|
38
40
|
1. **Connect with an existing team certificate** — when `.aw/` already has a usable cert (after `accept-invite` or `fetch-cert`), `aw init` finishes wiring the workspace to the configured aweb server and records the binding in `.aw/workspace.yaml`. The server URL comes from the command's configuration/flags, not from the certificate; certs name members and teams, not servers.
|
|
@@ -45,7 +47,8 @@ These two commands look similar and are not interchangeable. The decision turns
|
|
|
45
47
|
When deciding which to run:
|
|
46
48
|
|
|
47
49
|
- "I want this directory to start coordinating with a team" → `aw init` (one of the three flows above).
|
|
48
|
-
- "I want to
|
|
50
|
+
- "I want to prepare namespace authority for a BYOT setup" → `aw id namespace prepare-controller`, publish the `_awid.<domain>` TXT, then `aw id namespace check-txt`.
|
|
51
|
+
- "I want to mint an identity I'll later attach to a BYOT team via controller-signed facts" → after the namespace TXT checks out, use `aw id create`. Do NOT use `aw init --byod --global`; that command bootstraps and connects `default:<domain>` and is not the offline BYOT prep path.
|
|
49
52
|
|
|
50
53
|
## Custodial vs self-custodial in practice
|
|
51
54
|
|
|
@@ -56,6 +59,8 @@ When deciding which to run:
|
|
|
56
59
|
|
|
57
60
|
A self-custodial agent has full control over its key — and full responsibility for backups. A custodial agent inherits aweb's account-level recovery story.
|
|
58
61
|
|
|
62
|
+
AWID controller keys are separate from worktree identity keys. Namespace and team controller keys live under `~/.awid/`; they are authority keys, not app config. Keep that directory safe and backed up. Worktree identity keys (`.aw/signing.key`) remain with the workspace they act from.
|
|
63
|
+
|
|
59
64
|
Do NOT promise that a local CLI command can recover a lost custodial key. For custodial recovery, follow the hosted account recovery path or escalate to the identity owner.
|
|
60
65
|
|
|
61
66
|
## Local vs global identities
|
|
@@ -141,8 +146,9 @@ Interpret failures by what's missing (file references assume a self-custodial CL
|
|
|
141
146
|
- **Reuse the same directory** — only if you intentionally want to discard the local identity and workspace state created by the mistaken `aw init`: back up `.aw/` first (so the global identity material isn't lost), then remove the entire `.aw/` directory, then run `aw id create` clean. `aw reset` is NOT enough here: it only detaches the workspace binding (`.aw/context` and `.aw/workspace.yaml`); it leaves `identity.yaml`, `signing.key`, `teams.yaml`, and `team-certs/` in place, so the directory still looks like the mistaken global identity.
|
|
142
147
|
- **Accept the `default:<domain>` team** — coordinate with the team owner about whether that team is acceptable for the workflow; no rollback needed in that case.
|
|
143
148
|
|
|
144
|
-
|
|
145
|
-
-
|
|
149
|
+
If the mistaken run claimed an address, created a disposable AWID team, or should fully deregister the namespace, the namespace controller holder can clean those facts with `aw id namespace delete-address --domain <domain> --name <name>`, `aw id team delete --namespace <domain> --team <team>`, and finally `aw id namespace delete --domain <domain>` after active certificates are revoked. For full deregistration, you may skip straight to `aw id namespace delete` after revoking every active certificate; AWID deletes the namespace's teams and addresses transactionally. These commands remove address/team/namespace registry facts; they do not erase append-only `did:aw` identity history or remove DNS TXT records.
|
|
150
|
+
- **`Signing key does not match DNS controller`** — the local namespace controller key does not match the DID published in the `_awid.<domain>` DNS TXT record. Check the authoritative DNS record with `dig +short TXT _awid.<domain>`. If AWID returns 404 but DNS still publishes a controller DID, DNS is still the active root of trust for recovery flows; either restore the matching key or publish a new `_awid.<domain>` TXT for the key you intend to use.
|
|
151
|
+
- **AWID resolver says the address is unbound** — the route is not registered or has been rotated away. Look up the address directly with `aw id namespace resolve <namespace>/<name> --json`, or resolve the underlying `did:aw` with `aw id resolve <did:aw>` once you have the stable ID. Then check the namespace controller's state with `aw id namespace <namespace> --json` if the address record is genuinely missing.
|
|
146
152
|
|
|
147
153
|
For team-membership-shaped failures (no team certificate, active-team mismatch, BYOT controller missing), load `aweb-team-membership`.
|
|
148
154
|
|
|
@@ -190,18 +190,29 @@ Vocabulary:
|
|
|
190
190
|
- Agents have addresses under the namespace, e.g. `juanreyero.com/alpha`.
|
|
191
191
|
- Do not call `personal:juanreyero.com` an agent; it is the team id.
|
|
192
192
|
|
|
193
|
-
Before starting, confirm `aw version`
|
|
193
|
+
Before starting, confirm `aw version` includes `aw id namespace prepare-controller` and `aw id namespace check-txt`; older `aw` versions make this flow hard to drive from non-interactive harnesses.
|
|
194
194
|
|
|
195
195
|
**Use `aw id create`, NOT `aw init --byod --global`, for the identity-prep commands in this section.** `aw init --byod --global` is workspace onboarding: it bootstraps the directory and connects it to the `default:<domain>` team on app.aweb.ai (the team created during BYOD onboarding), writing `workspace.yaml`, joining that team, and minting a team certificate. That short-circuits the controller-signed team-state import this section is about. `aw id create` only mints the identity in AWID and writes `.aw/identity.yaml` + `.aw/signing.key`, leaving the team membership for the customer controller to add and sign. If a user already ran the wrong command and needs to recover, see the matching diagnostic bullet in `aweb-identity`'s readiness checks.
|
|
196
196
|
|
|
197
|
-
|
|
197
|
+
Namespace controller setup (does not create an identity or team):
|
|
198
|
+
|
|
199
|
+
```bash
|
|
200
|
+
aw id namespace prepare-controller --domain <domain>
|
|
201
|
+
```
|
|
202
|
+
|
|
203
|
+
Pause and have the human add the printed `_awid.<domain>` TXT record. Do not invent DNS values. Tell the human to back up `~/.awid` now; it contains the namespace controller key. After DNS propagates, verify it:
|
|
204
|
+
|
|
205
|
+
```bash
|
|
206
|
+
aw id namespace check-txt --domain <domain>
|
|
207
|
+
```
|
|
208
|
+
|
|
209
|
+
Then create the BYOT team with the namespace controller key:
|
|
198
210
|
|
|
199
211
|
```bash
|
|
200
|
-
aw id create --domain <domain> --name <controller-name>
|
|
201
212
|
aw id team create --namespace <domain> --name <team> --display-name "<display name>"
|
|
202
213
|
```
|
|
203
214
|
|
|
204
|
-
|
|
215
|
+
After team creation, tell the human to back up `~/.awid` again; it now also contains the team controller key under `~/.awid/team-keys/<domain>/<team>.key`.
|
|
205
216
|
|
|
206
217
|
Add initial global agents:
|
|
207
218
|
|
|
@@ -24,6 +24,8 @@ In BYOT, the customer controls the DNS namespace controller and team controller.
|
|
|
24
24
|
Key command surfaces:
|
|
25
25
|
|
|
26
26
|
```bash
|
|
27
|
+
aw id namespace prepare-controller --domain <domain>
|
|
28
|
+
aw id namespace check-txt --domain <domain>
|
|
27
29
|
aw id create --name <name> --domain <domain>
|
|
28
30
|
aw id team create --namespace <namespace> --name <team>
|
|
29
31
|
aw id team request --team <team>:<namespace> --alias <alias>
|
|
@@ -32,7 +34,7 @@ aw id team fetch-cert --team <team> --namespace <namespace> --cert-id <id>
|
|
|
32
34
|
aw id team import-request --namespace <domain> --team <team> --organization-id <org>
|
|
33
35
|
```
|
|
34
36
|
|
|
35
|
-
Use current `aw ... --help` for exact flags. Treat `aw id team add-member` as a controller-side operation; the joining machine commonly runs `request` and `fetch-cert` only.
|
|
37
|
+
Use current `aw ... --help` for exact flags. Treat `aw id namespace prepare-controller` as namespace-authority setup, not identity creation. Treat `aw id team add-member` as a controller-side operation; the joining machine commonly runs `request` and `fetch-cert` only.
|
|
36
38
|
|
|
37
39
|
For the dashboard import/sync path:
|
|
38
40
|
|
|
@@ -51,7 +53,7 @@ Addressability and delivery authorization are separate:
|
|
|
51
53
|
- `team_and_contacts` accepts verified same-team senders plus exact active identity contacts for trusted non-team senders. Contacts do not create routes or resolver visibility.
|
|
52
54
|
- Legacy reachability fields may still appear in support or migration output, but they are compatibility/audit state, not live delivery authority.
|
|
53
55
|
- `aw contacts ...` manages saved contact relationships.
|
|
54
|
-
- `aw
|
|
56
|
+
- `aw id namespace resolve <domain>/<alias> --json` performs a workspace-free directory lookup.
|
|
55
57
|
|
|
56
58
|
## Multi-team safety checklist
|
|
57
59
|
|