Initialize repository snapshot

docs/VAULTMESH-IDENTITY-ENGINE.md

@@ -0,0 +1,635 @@
+# VAULTMESH-IDENTITY-ENGINE.md
+
+**Civilization Ledger Identity Primitive**
+
+> *Every actor has a provenance. Every credential has a receipt.*
+
+Identity is VaultMesh's trust anchor — managing decentralized identifiers (DIDs), verifiable credentials, authentication events, and authorization decisions with cryptographic proof chains.
+
+---
+
+## 1. Scroll Definition
+
+| Property              | Value                                                                                                                                           |
+| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Scroll Name**       | `Identity`                                                                                                                                      |
+| **JSONL Path**        | `receipts/identity/identity_events.jsonl`                                                                                                       |
+| **Root File**         | `ROOT.identity.txt`                                                                                                                             |
+| **Receipt Types**     | `identity_did_create`, `identity_did_rotate`, `identity_did_revoke`, `identity_credential_issue`, `identity_credential_revoke`, `identity_auth_event`, `identity_authz_decision` |
+
+---
+
+## 2. Core Concepts
+
+### 2.1 Decentralized Identifiers (DIDs)
+
+A **DID** is a self-sovereign identifier for any entity in the VaultMesh ecosystem.
+
+```json
+{
+  "did": "did:vm:user:sovereign",
+  "did_document": {
+    "@context": ["https://www.w3.org/ns/did/v1", "https://vaultmesh.io/ns/did/v1"],
+    "id": "did:vm:user:sovereign",
+    "controller": "did:vm:user:sovereign",
+    "verificationMethod": [
+      {
+        "id": "did:vm:user:sovereign#key-1",
+        "type": "Ed25519VerificationKey2020",
+        "controller": "did:vm:user:sovereign",
+        "publicKeyMultibase": "z6Mkf5rGMoatrSj1f..."
+      }
+    ],
+    "authentication": ["did:vm:user:sovereign#key-1"],
+    "assertionMethod": ["did:vm:user:sovereign#key-1"],
+    "capabilityInvocation": ["did:vm:user:sovereign#key-1"],
+    "capabilityDelegation": ["did:vm:user:sovereign#key-1"]
+  },
+  "created_at": "2025-01-15T00:00:00Z",
+  "updated_at": "2025-12-06T10:00:00Z",
+  "status": "active",
+  "metadata": {
+    "display_name": "Sovereign Operator",
+    "roles": ["admin", "operator"],
+    "organization": "did:vm:org:vaultmesh-hq"
+  }
+}
+```
+
+**DID types** (method-specific):
+- `did:vm:user:*` — human operators
+- `did:vm:node:*` — infrastructure nodes (BRICKs, portals)
+- `did:vm:service:*` — automated services, agents
+- `did:vm:org:*` — organizations, teams
+- `did:vm:device:*` — hardware devices, HSMs, YubiKeys
+
+### 2.2 Verifiable Credentials
+
+**Credentials** are signed attestations about a subject, issued by trusted parties.
+
+```json
+{
+  "credential_id": "vc:vm:2025-12-001",
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://vaultmesh.io/ns/credentials/v1"
+  ],
+  "type": ["VerifiableCredential", "VaultMeshOperatorCredential"],
+  "issuer": "did:vm:org:vaultmesh-hq",
+  "issuanceDate": "2025-12-01T00:00:00Z",
+  "expirationDate": "2026-12-01T00:00:00Z",
+  "credentialSubject": {
+    "id": "did:vm:user:sovereign",
+    "role": "administrator",
+    "permissions": ["anchor", "admin", "oracle"],
+    "clearance_level": "full",
+    "jurisdiction": ["eu-west", "us-east"]
+  },
+  "credentialStatus": {
+    "id": "https://vaultmesh.io/credentials/status/2025-12-001",
+    "type": "RevocationList2023"
+  },
+  "proof": {
+    "type": "Ed25519Signature2020",
+    "created": "2025-12-01T00:00:00Z",
+    "verificationMethod": "did:vm:org:vaultmesh-hq#key-1",
+    "proofPurpose": "assertionMethod",
+    "proofValue": "z3FXQjecWufY..."
+  }
+}
+```
+
+**Credential types**:
+- `VaultMeshOperatorCredential` — human operator authorization
+- `VaultMeshNodeCredential` — node identity and capabilities
+- `VaultMeshServiceCredential` — service authentication
+- `VaultMeshComplianceCredential` — compliance attestations
+- `VaultMeshDelegationCredential` — delegated authority
+
+### 2.3 Authentication Events
+
+Every authentication attempt is logged with full context.
+
+```json
+{
+  "auth_event_id": "auth-2025-12-06-001",
+  "timestamp": "2025-12-06T14:30:00Z",
+  "subject": "did:vm:user:sovereign",
+  "method": "ed25519_challenge",
+  "result": "success",
+  "session_id": "session-abc123...",
+  "client": {
+    "ip": "10.77.1.100",
+    "user_agent": "VaultMesh-CLI/1.0",
+    "device_fingerprint": "blake3:fff..."
+  },
+  "node": "did:vm:node:portal-01",
+  "mfa_used": true,
+  "mfa_method": "yubikey",
+  "risk_score": 0.1,
+  "tags": ["cli", "internal", "mfa"]
+}
+```
+
+**Authentication methods**:
+- `ed25519_challenge` — cryptographic challenge-response
+- `passkey` — WebAuthn/FIDO2
+- `yubikey` — hardware security key
+- `totp` — time-based OTP (fallback)
+- `mtls` — mutual TLS (node-to-node)
+- `api_key` — service accounts (with rotation)
+
+### 2.4 Authorization Decisions
+
+Every access control decision is logged for audit trails.
+
+```json
+{
+  "authz_event_id": "authz-2025-12-06-001",
+  "timestamp": "2025-12-06T14:30:05Z",
+  "subject": "did:vm:user:sovereign",
+  "action": "anchor_submit",
+  "resource": "scroll:treasury",
+  "decision": "allow",
+  "policy_matched": "policy:admin-full-access",
+  "context": {
+    "session_id": "session-abc123...",
+    "node": "did:vm:node:portal-01",
+    "request_id": "req-xyz789..."
+  },
+  "credentials_presented": ["vc:vm:2025-12-001"],
+  "evaluation_time_ms": 2
+}
+```
+
+---
+
+## 3. Mapping to Eternal Pattern
+
+### 3.1 Experience Layer (L1)
+
+**CLI** (`vm-identity`):
+```bash
+# DID operations
+vm-identity did create --type user --name "operator-alpha"
+vm-identity did show did:vm:user:sovereign
+vm-identity did list --type user --status active
+vm-identity did rotate --did did:vm:user:sovereign --reason "scheduled rotation"
+vm-identity did revoke --did did:vm:user:operator-alpha --reason "offboarded"
+
+# Key management
+vm-identity key list --did did:vm:user:sovereign
+vm-identity key add --did did:vm:user:sovereign --type ed25519 --purpose authentication
+vm-identity key revoke --did did:vm:user:sovereign --key-id key-2 --reason "compromised"
+
+# Credential operations
+vm-identity credential issue --subject did:vm:user:operator-alpha --type operator --role viewer
+vm-identity credential list --subject did:vm:user:sovereign
+vm-identity credential verify vc:vm:2025-12-001
+vm-identity credential revoke vc:vm:2025-12-001 --reason "role change"
+
+# Authentication
+vm-identity auth login --method passkey
+vm-identity auth logout
+vm-identity auth sessions --did did:vm:user:sovereign
+vm-identity auth revoke-session session-abc123
+
+# Authorization
+vm-identity authz check --subject did:vm:user:sovereign --action anchor_submit --resource scroll:treasury
+vm-identity authz policies list
+vm-identity authz policy show policy:admin-full-access
+
+# Audit
+vm-identity audit --did did:vm:user:sovereign --from 2025-12-01
+vm-identity audit --type auth_event --result failure --last 24h
+```
+
+**MCP Tools**:
+- `identity_did_resolve` — resolve DID to DID document
+- `identity_credential_verify` — verify credential validity
+- `identity_auth_status` — current session status
+- `identity_authz_check` — check authorization
+- `identity_audit_query` — query identity events
+
+**Portal HTTP**:
+- `GET /identity/dids` — list DIDs
+- `GET /identity/dids/{did}` — resolve DID
+- `POST /identity/dids` — create DID
+- `POST /identity/dids/{did}/rotate` — rotate keys
+- `DELETE /identity/dids/{did}` — revoke DID
+- `GET /identity/credentials` — list credentials
+- `POST /identity/credentials` — issue credential
+- `GET /identity/credentials/{id}/verify` — verify credential
+- `DELETE /identity/credentials/{id}` — revoke credential
+- `POST /identity/auth/challenge` — initiate auth
+- `POST /identity/auth/verify` — verify auth response
+- `GET /identity/sessions` — list sessions
+- `DELETE /identity/sessions/{id}` — revoke session
+
+---
+
+### 3.2 Engine Layer (L2)
+
+#### Step 1 — Plan → `identity_operation_contract.json`
+
+**DID Creation Contract**:
+```json
+{
+  "operation_id": "identity-op-2025-12-06-001",
+  "operation_type": "did_create",
+  "initiated_by": "did:vm:user:sovereign",
+  "initiated_at": "2025-12-06T10:00:00Z",
+  "target": {
+    "did_type": "user",
+    "display_name": "Operator Bravo",
+    "initial_roles": ["operator"],
+    "key_type": "ed25519"
+  },
+  "approval_required": true,
+  "approvers": ["did:vm:user:sovereign"],
+  "constraints": {
+    "credential_auto_issue": true,
+    "credential_type": "VaultMeshOperatorCredential",
+    "credential_expiry": "365d"
+  }
+}
+```
+
+**Credential Issuance Contract**:
+```json
+{
+  "operation_id": "identity-op-2025-12-06-002",
+  "operation_type": "credential_issue",
+  "initiated_by": "did:vm:org:vaultmesh-hq",
+  "initiated_at": "2025-12-06T11:00:00Z",
+  "credential": {
+    "type": "VaultMeshOperatorCredential",
+    "subject": "did:vm:user:operator-bravo",
+    "claims": {
+      "role": "operator",
+      "permissions": ["storage", "compute"],
+      "jurisdiction": ["eu-west"]
+    },
+    "validity_period": "365d"
+  },
+  "approval_required": false
+}
+```
+
+#### Step 2 — Execute → `identity_operation_state.json`
+
+```json
+{
+  "operation_id": "identity-op-2025-12-06-001",
+  "status": "completed",
+  "created_at": "2025-12-06T10:00:00Z",
+  "updated_at": "2025-12-06T10:05:00Z",
+  "steps": [
+    {
+      "step": "generate_keypair",
+      "status": "completed",
+      "completed_at": "2025-12-06T10:01:00Z",
+      "result": {
+        "public_key": "z6Mkf5rGMoatrSj1f...",
+        "key_id": "key-1"
+      }
+    },
+    {
+      "step": "create_did_document",
+      "status": "completed",
+      "completed_at": "2025-12-06T10:02:00Z",
+      "result": {
+        "did": "did:vm:user:operator-bravo"
+      }
+    },
+    {
+      "step": "register_did",
+      "status": "completed",
+      "completed_at": "2025-12-06T10:03:00Z",
+      "result": {
+        "registered": true,
+        "registry_hash": "blake3:aaa..."
+      }
+    },
+    {
+      "step": "issue_credential",
+      "status": "completed",
+      "completed_at": "2025-12-06T10:04:00Z",
+      "result": {
+        "credential_id": "vc:vm:2025-12-002"
+      }
+    }
+  ],
+  "approvals": {
+    "did:vm:user:sovereign": {
+      "approved_at": "2025-12-06T10:00:30Z",
+      "signature": "ed25519:..."
+    }
+  }
+}
+```
+
+#### Step 3 — Seal → Receipts
+
+**DID Creation Receipt**:
+```json
+{
+  "type": "identity_did_create",
+  "did": "did:vm:user:operator-bravo",
+  "did_type": "user",
+  "timestamp": "2025-12-06T10:03:00Z",
+  "created_by": "did:vm:user:sovereign",
+  "operation_id": "identity-op-2025-12-06-001",
+  "public_key_fingerprint": "SHA256:abc123...",
+  "did_document_hash": "blake3:bbb222...",
+  "initial_roles": ["operator"],
+  "tags": ["identity", "did", "create", "user"],
+  "root_hash": "blake3:ccc333..."
+}
+```
+
+**DID Key Rotation Receipt**:
+```json
+{
+  "type": "identity_did_rotate",
+  "did": "did:vm:user:sovereign",
+  "timestamp": "2025-12-06T15:00:00Z",
+  "rotated_by": "did:vm:user:sovereign",
+  "old_key_fingerprint": "SHA256:old123...",
+  "new_key_fingerprint": "SHA256:new456...",
+  "reason": "scheduled rotation",
+  "old_key_status": "revoked",
+  "tags": ["identity", "did", "rotate", "key"],
+  "root_hash": "blake3:ddd444..."
+}
+```
+
+**Credential Issuance Receipt**:
+```json
+{
+  "type": "identity_credential_issue",
+  "credential_id": "vc:vm:2025-12-002",
+  "credential_type": "VaultMeshOperatorCredential",
+  "timestamp": "2025-12-06T10:04:00Z",
+  "issuer": "did:vm:org:vaultmesh-hq",
+  "subject": "did:vm:user:operator-bravo",
+  "claims_hash": "blake3:eee555...",
+  "expires_at": "2026-12-06T00:00:00Z",
+  "operation_id": "identity-op-2025-12-06-001",
+  "tags": ["identity", "credential", "issue", "operator"],
+  "root_hash": "blake3:fff666..."
+}
+```
+
+**Credential Revocation Receipt**:
+```json
+{
+  "type": "identity_credential_revoke",
+  "credential_id": "vc:vm:2025-12-002",
+  "timestamp": "2025-12-06T18:00:00Z",
+  "revoked_by": "did:vm:user:sovereign",
+  "reason": "role change",
+  "revocation_list_updated": true,
+  "tags": ["identity", "credential", "revoke"],
+  "root_hash": "blake3:ggg777..."
+}
+```
+
+**Authentication Event Receipt**:
+```json
+{
+  "type": "identity_auth_event",
+  "auth_event_id": "auth-2025-12-06-001",
+  "timestamp": "2025-12-06T14:30:00Z",
+  "subject": "did:vm:user:sovereign",
+  "method": "passkey",
+  "result": "success",
+  "session_id": "session-abc123...",
+  "node": "did:vm:node:portal-01",
+  "client_fingerprint": "blake3:hhh888...",
+  "mfa_used": true,
+  "risk_score": 0.1,
+  "tags": ["identity", "auth", "success", "mfa"],
+  "root_hash": "blake3:iii999..."
+}
+```
+
+**Authorization Decision Receipt** (for sensitive operations):
+```json
+{
+  "type": "identity_authz_decision",
+  "authz_event_id": "authz-2025-12-06-001",
+  "timestamp": "2025-12-06T14:30:05Z",
+  "subject": "did:vm:user:sovereign",
+  "action": "capability_grant",
+  "resource": "did:vm:node:brick-03",
+  "decision": "allow",
+  "policy_matched": "policy:admin-full-access",
+  "credentials_verified": ["vc:vm:2025-12-001"],
+  "tags": ["identity", "authz", "allow", "sensitive"],
+  "root_hash": "blake3:jjj000..."
+}
+```
+
+---
+
+### 3.3 Ledger Layer (L3)
+
+**Receipt Types**:
+
+| Type                        | When Emitted                          |
+| --------------------------- | ------------------------------------- |
+| `identity_did_create`       | New DID registered                    |
+| `identity_did_rotate`       | DID keys rotated                      |
+| `identity_did_revoke`       | DID revoked/deactivated               |
+| `identity_credential_issue` | New credential issued                 |
+| `identity_credential_revoke`| Credential revoked                    |
+| `identity_auth_event`       | Authentication attempt (success/fail) |
+| `identity_authz_decision`   | Sensitive authorization decision      |
+
+**Merkle Coverage**:
+- All receipts append to `receipts/identity/identity_events.jsonl`
+- `ROOT.identity.txt` updated after each append
+- Guardian anchors Identity root in anchor cycles
+
+---
+
+## 4. Query Interface
+
+`identity_query_events.py`:
+
+```bash
+# DID history
+vm-identity query --did did:vm:user:sovereign
+
+# All auth events for a subject
+vm-identity query --type auth_event --subject did:vm:user:sovereign
+
+# Failed authentications
+vm-identity query --type auth_event --result failure --last 7d
+
+# Credentials issued by an org
+vm-identity query --type credential_issue --issuer did:vm:org:vaultmesh-hq
+
+# Authorization denials
+vm-identity query --type authz_decision --decision deny
+
+# Date range
+vm-identity query --from 2025-12-01 --to 2025-12-06
+
+# Export for compliance audit
+vm-identity query --from 2025-01-01 --format csv > identity_audit_2025.csv
+```
+
+**DID Resolution History**:
+```bash
+# Show all versions of a DID document
+vm-identity did history did:vm:user:sovereign
+
+# Output:
+# Version 1: 2025-01-15T00:00:00Z (created)
+#   - Key: key-1 (ed25519)
+# Version 2: 2025-06-15T00:00:00Z (key rotation)
+#   - Key: key-1 (revoked), key-2 (ed25519)
+# Version 3: 2025-12-06T15:00:00Z (key rotation)
+#   - Key: key-2 (revoked), key-3 (ed25519)
+```
+
+---
+
+## 5. Design Gate Checklist
+
+| Question              | Identity Answer                                                  |
+| --------------------- | ---------------------------------------------------------------- |
+| Clear entrypoint?     | ✅ CLI (`vm-identity`), MCP tools, Portal HTTP                   |
+| Contract produced?    | ✅ `identity_operation_contract.json` for DID/credential ops     |
+| State object?         | ✅ `identity_operation_state.json` tracking multi-step operations |
+| Receipts emitted?     | ✅ Seven receipt types covering all identity events              |
+| Append-only JSONL?    | ✅ `receipts/identity/identity_events.jsonl`                     |
+| Merkle root?          | ✅ `ROOT.identity.txt`                                           |
+| Guardian anchor path? | ✅ Identity root included in ProofChain                          |
+| Query tool?           | ✅ `identity_query_events.py` + DID history                      |
+
+---
+
+## 6. Key Management
+
+### 6.1 Key Hierarchy
+
+```
+Root of Trust (Hardware)
+├── Organization Master Key (HSM-protected)
+│   ├── Node Signing Keys
+│   │   ├── did:vm:node:brick-01#key-1
+│   │   ├── did:vm:node:brick-02#key-1
+│   │   └── did:vm:node:portal-01#key-1
+│   ├── Service Keys
+│   │   ├── did:vm:service:guardian#key-1
+│   │   └── did:vm:service:oracle#key-1
+│   └── Credential Issuing Keys
+│       └── did:vm:org:vaultmesh-hq#issuer-key-1
+└── User Keys (Self-custodied)
+    ├── did:vm:user:sovereign#key-1
+    └── did:vm:user:operator-bravo#key-1
+```
+
+### 6.2 Key Rotation Policy
+
+| Key Type            | Rotation Period | Trigger Events                    |
+| ------------------- | --------------- | --------------------------------- |
+| User keys           | 365 days        | Compromise, role change           |
+| Node keys           | 180 days        | Compromise, node migration        |
+| Service keys        | 90 days         | Compromise, version upgrade       |
+| Credential issuers  | 730 days        | Compromise, policy change         |
+| Organization master | Manual only     | Compromise, leadership change     |
+
+### 6.3 Recovery Procedures
+
+```json
+{
+  "recovery_id": "recovery-2025-12-06-001",
+  "did": "did:vm:user:operator-bravo",
+  "reason": "lost_device",
+  "initiated_at": "2025-12-06T09:00:00Z",
+  "recovery_method": "social_recovery",
+  "guardians_required": 3,
+  "guardians_responded": [
+    {"guardian": "did:vm:user:sovereign", "approved_at": "2025-12-06T09:15:00Z"},
+    {"guardian": "did:vm:user:operator-alpha", "approved_at": "2025-12-06T09:20:00Z"},
+    {"guardian": "did:vm:user:operator-charlie", "approved_at": "2025-12-06T09:25:00Z"}
+  ],
+  "status": "completed",
+  "new_key_registered_at": "2025-12-06T09:30:00Z"
+}
+```
+
+---
+
+## 7. Policy Engine
+
+### 7.1 Policy Definition
+
+```json
+{
+  "policy_id": "policy:admin-full-access",
+  "name": "Administrator Full Access",
+  "description": "Full access to all VaultMesh operations",
+  "version": 1,
+  "effect": "allow",
+  "subjects": {
+    "match": "credential",
+    "credential_type": "VaultMeshOperatorCredential",
+    "claims": {
+      "role": "administrator"
+    }
+  },
+  "actions": ["*"],
+  "resources": ["*"],
+  "conditions": {
+    "mfa_required": true,
+    "allowed_hours": {"start": "00:00", "end": "23:59"},
+    "allowed_nodes": ["*"]
+  }
+}
+```
+
+### 7.2 Policy Evaluation
+
+```
+Request:
+  Subject: did:vm:user:sovereign
+  Action: anchor_submit
+  Resource: scroll:treasury
+
+Evaluation:
+  1. Resolve subject credentials
+  2. Match policies by subject claims
+  3. Check action/resource match
+  4. Evaluate conditions (MFA, time, location)
+  5. Log decision with full context
+  6. Return allow/deny with reason
+```
+
+---
+
+## 8. Integration Points
+
+| System           | Integration                                                                |
+| ---------------- | -------------------------------------------------------------------------- |
+| **Guardian**     | Uses Identity for anchor authentication; alerts on suspicious auth events |
+| **Mesh**         | Node DIDs registered via Identity; capability grants require valid credentials |
+| **Treasury**     | Account ownership linked to DIDs; transaction signing uses Identity keys  |
+| **Oracle**       | Oracle queries authenticated via Identity; responses signed with service DID |
+| **OffSec**       | Incident response can trigger emergency credential revocations            |
+| **Observability**| All identity events flow to observability for correlation                 |
+
+---
+
+## 9. Future Extensions
+
+- **Biometric binding**: Link credentials to biometric templates
+- **Delegation chains**: Transitive capability delegation with constraints
+- **Anonymous credentials**: Zero-knowledge proofs for privacy-preserving auth
+- **Cross-mesh identity**: Federated identity across VaultMesh instances
+- **Hardware attestation**: TPM/Secure Enclave binding for high-assurance
+- **Identity recovery DAO**: Decentralized recovery governance