Attestation iteration 1 — direction record (ADR 0005, plan, TOKEN-SPEC v0.2)#18
Merged
Conversation
Bring platform attestation of the Nodle app (Apple App Attest, Google Play Integrity) into trust-relay as an optional, additive control-plane feature with no chain, no registries, and no on-chain device identity. This reverses ADR 0004 §1/§5, which reserved exactly this additive path for an independent tier consumer — rate limiting and reward calculation are that consumer. ADR 0005 records the decision (optional/degrade-never-break, emit tier/att/level additively, wallet-keyed state with a separate validity clock, per-app policy for the Roole exemption, unattested != untrusted invariant). ATTESTATION-PLAN.md is the direction of record for future contributors: the full iteration-1 design, a critical evaluation of the prior beacon-relay work (incl. the unimplementable secp256k1-in-Keystore design and the too-tight 60s Android freshness window), the separate-refresh cadence policy, a Play Integrity quota sizing + resizing formula, resolved product decisions, and the PR plan. Co-Authored-By: Claude Opus 4.8 <[email protected]>
trust-relay now stamps tier="attested" and a compact att object (platform/app/level/attested_at) at every mint when the wallet holds a live attestation record. Backward-compatible: absence of tier still means wallet tier, verifiers ignore unknown claims, ver does not bump. Adds the attested-token example, the normative consumer invariant (MUST NOT penalize attestation absence alone — protects unsupported devices and reward-exempt apps like Roole), updates the RS checklist step 8, and rewrites §9 to describe the control-plane attestation contract in trust-relay (superseding the beacon-relay deferral text). Co-Authored-By: Claude Opus 4.8 <[email protected]>
Update ARCHITECTURE §13 to describe trust-relay's control-plane app attestation and the trust-relay/beacon-relay division of labor, principle 6 and the scope bullet, the roadmap (M7), the docs index, and an AGENTS.md pointer so future agents read ATTESTATION-PLAN + ADR 0005 before touching attestation code. Co-Authored-By: Claude Opus 4.8 <[email protected]>
Coverage reportThresholds: 80% line · 78% region (condition) ✅ Coverage meets the required threshold. Summary |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Docs-only. Records the decision and full plan to bring platform attestation of the Nodle app (Apple App Attest, Google Play Integrity) into trust-relay as an optional, additive control-plane feature — no chain, no registries, no on-chain device identity in iteration 1. Attestation only adds
tier/attclaims; it never gates a session.This reverses ADR 0004 §1/§5, which reserved exactly this additive path for an independent tier consumer. The two consumers — rate limiting and reward calculation — read the signal from the token, not from beacon-relay's data plane.
Record iteration-1 attestation directionTOKEN-SPEC v0.2tier/att/att.leveladditively; consumer invariant; RS checklist; §9 rewriteDocs cross-referenceKey decisions captured
generateAssertionlocal; Android fresh Play Integrity token), independent of the 1 h access token / 7 d refresh family. Also quota-critical — the 7-day cadence is what keeps Play Integrity under the 10k/day default.att.level(basic/device/strong) so rewards weight by strength.unattested ≠ untrustedinvariant to honor the Roole exemption (SDK app, no rewards, may stay unattested, must never be rate-limited).Critical findings on the prior beacon-relay design (recorded in the plan)
Test plan
mmdc(0 failures).🤖 Generated with Claude Code