@awebai/pi 0.1.7 → 0.1.8
package/package.json
CHANGED
|
@@ -118,6 +118,86 @@ The import request signs a `byoidt_import` payload with the local BYOT team cont
|
|
|
118
118
|
|
|
119
119
|
There is no supported middle ground where a customer brings a custom domain but aweb holds that domain's namespace/team controller private key.
|
|
120
120
|
|
|
121
|
+
### Fresh BYOT setup into aweb cloud
|
|
122
|
+
|
|
123
|
+
Use this flow when the user controls DNS for a domain and wants to create a customer-controlled AWID team, add agents, and import/sync it into app.aweb.ai.
|
|
124
|
+
|
|
125
|
+
Vocabulary:
|
|
126
|
+
|
|
127
|
+
- The namespace is the domain, e.g. `juanreyero.com`.
|
|
128
|
+
- The team is named inside that namespace, e.g. `personal`; its AWID team id is `personal:juanreyero.com`.
|
|
129
|
+
- Agents have addresses under the namespace, e.g. `juanreyero.com/alpha`.
|
|
130
|
+
- Do not call `personal:juanreyero.com` an agent; it is the team id.
|
|
131
|
+
|
|
132
|
+
Before starting, confirm `aw version` is at least `1.25.3`; older `aw` emitted a stale BYOT import payload.
|
|
133
|
+
|
|
134
|
+
Controller machine setup:
|
|
135
|
+
|
|
136
|
+
```bash
|
|
137
|
+
aw id create --domain <domain> --name <controller-name>
|
|
138
|
+
aw id team create --namespace <domain> --name <team> --display-name "<display name>"
|
|
139
|
+
```
|
|
140
|
+
|
|
141
|
+
If DNS verification is needed, pause and have the human add the TXT record that `aw id create` prints. Do not invent DNS values.
|
|
142
|
+
|
|
143
|
+
Add initial global agents:
|
|
144
|
+
|
|
145
|
+
```bash
|
|
146
|
+
aw id create --domain <domain> --name alpha
|
|
147
|
+
aw id team add-member --team <team> --namespace <domain> --did <alpha_did_key> --alias alpha --global --did-aw <alpha_did_aw>
|
|
148
|
+
|
|
149
|
+
aw id create --domain <domain> --name beta
|
|
150
|
+
aw id team add-member --team <team> --namespace <domain> --did <beta_did_key> --alias beta --global --did-aw <beta_did_aw>
|
|
151
|
+
```
|
|
152
|
+
|
|
153
|
+
Use the actual `did`/`did_aw` values printed by `aw id create`. Do not guess them.
|
|
154
|
+
|
|
155
|
+
Import into aweb cloud:
|
|
156
|
+
|
|
157
|
+
1. In app.aweb.ai, create or select the owner organization that should contain the imported team.
|
|
158
|
+
2. Open the BYOT import flow. Prefer the command shown by the dashboard because it contains the correct `--organization-id`.
|
|
159
|
+
3. First preview:
|
|
160
|
+
|
|
161
|
+
```bash
|
|
162
|
+
aw id team import-request --team <team> --namespace <domain> --organization-id <org-id>
|
|
163
|
+
```
|
|
164
|
+
|
|
165
|
+
Paste the signed output and use Preview.
|
|
166
|
+
|
|
167
|
+
4. If the preview is correct, regenerate an apply request:
|
|
168
|
+
|
|
169
|
+
```bash
|
|
170
|
+
aw id team import-request --team <team> --namespace <domain> --organization-id <org-id> --apply
|
|
171
|
+
```
|
|
172
|
+
|
|
173
|
+
Paste it and use Import / sync.
|
|
174
|
+
|
|
175
|
+
Sync later changes:
|
|
176
|
+
|
|
177
|
+
- After the team exists in aweb cloud, use `--cloud-team-id <cloud-team-id>` instead of `--organization-id`.
|
|
178
|
+
- The dashboard Connect / Sync page should show the exact command. Prefer that command.
|
|
179
|
+
|
|
180
|
+
```bash
|
|
181
|
+
aw id team import-request --team <team> --namespace <domain> --cloud-team-id <cloud-team-id> --apply
|
|
182
|
+
```
|
|
183
|
+
|
|
184
|
+
To add another self-custodial identity later, the identity machine uses the request/fetch flow; the controller machine signs membership; then the dashboard syncs the signed team state:
|
|
185
|
+
|
|
186
|
+
```bash
|
|
187
|
+
# joining identity machine
|
|
188
|
+
aw id team request --team <team>:<domain> --alias <alias>
|
|
189
|
+
|
|
190
|
+
# controller machine runs the printed add-member command
|
|
191
|
+
|
|
192
|
+
# joining identity machine
|
|
193
|
+
aw id team fetch-cert --namespace <domain> --team <team> --cert-id <id>
|
|
194
|
+
|
|
195
|
+
# controller machine or any machine with the team controller key
|
|
196
|
+
aw id team import-request --team <team> --namespace <domain> --cloud-team-id <cloud-team-id> --apply
|
|
197
|
+
```
|
|
198
|
+
|
|
199
|
+
To add a custodial browser identity to a BYOT team, start from the dashboard's "Create custodial request" action. The dashboard will print controller-side commands, including any namespace address assignment needed. Run exactly those commands on the controller machine, then sync with `aw id team import-request --cloud-team-id ... --apply`.
|
|
200
|
+
|
|
121
201
|
## Custodial vs self-custodial identity
|
|
122
202
|
|
|
123
203
|
Identity custody is independent of hosted vs BYOT team authority:
|
|
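Review bot: The "Add initial global agents" block does not say which machine runs `aw id create --domain <domain> --name alpha` and `--name beta`, while the later "add another self-custodial identity" block explicitly separates the joining identity machine from the controller machine. Label each command in the initial block with the machine it belongs on, the same way the later block does with `# joining identity machine` and `# controller machine ...` comments, so a reader does not default to creating every agent identity next to the team controller key. Related: the comment `# controller machine or any machine with the team controller key` reads as an invitation to copy the controller key to other hosts; given the unchanged context line stating that the customer holds that key, name the controller machine only. Two smaller points: the `aw version` check says older `aw` emitted a stale import payload but gives no action for a version below `1.25.3` (suggest "stop and upgrade before generating any import request"), and `aw id team request --team <team>:<domain>` uses the combined team id while every other command in the section passes `--team <team> --namespace <domain>` separately, which deserves one sentence of explanation next to the Vocabulary list.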
@@ -34,6 +34,13 @@ aw id team import-request --namespace <domain> --team <team> --organization-id <
|
|
|
34
34
|
|
|
35
35
|
Use current `aw ... --help` for exact flags. Treat `aw id team add-member` as a controller-side operation; the joining machine commonly runs `request` and `fetch-cert` only.
|
|
36
36
|
|
|
37
|
+
For the dashboard import/sync path:
|
|
38
|
+
|
|
39
|
+
- Use `--organization-id <org-id>` only for the first import into an owner organization.
|
|
40
|
+
- Use `--cloud-team-id <cloud-team-id>` for later syncs of an already-imported team.
|
|
41
|
+
- Omit `--apply` for preview; add `--apply` only after the preview is correct.
|
|
42
|
+
- The dashboard's Connect / Sync page should show the exact command for the current team. Prefer that command over reconstructing IDs by hand.
|
|
43
|
+
|
|
37
44
|
## Addressability, inbound mode, and contacts
|
|
38
45
|
|
|
39
46
|
Addressability and delivery authorization are separate:
|
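Review bot: The bullet "Omit `--apply` for preview; add `--apply` only after the preview is correct" can be read as re-submitting the previewed output with a flag changed, whereas the setup section added elsewhere in this diff says to "regenerate an apply request", meaning a second signed request. Word the bullet to match, for example "run `import-request` again with `--apply` and paste the new signed output", and say that no `add-member` change should happen between the preview and the apply so the applied state is the one that was reviewed. The first two bullets do not say what to expect if `--organization-id` is used for a team that is already imported; a short note on the expected outcome, or a pointer to the dashboard's Connect / Sync command as the recovery path, would close that gap. Flag order also differs between the hunk header context (`--namespace <domain> --team <team>`) and the examples in the setup section (`--team <team> --namespace <domain>`); pick one order across both files.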