WIP did-plc controller#47
Conversation
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Caution MetaMask internal reviewing guidelines:
|
82270b1 to
e9ae33f
Compare
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit e9ae33f. Configure here.
| } | ||
| } | ||
| return Op{}, fmt.Errorf("operation with CID %s not found for %s", cid, c.didStr) | ||
| } |
There was a problem hiding this comment.
Mutating paths skip chain validation
Medium Severity
Update, Tombstone, and Recover load the audit log via fetchHead and fetchOpAtCID without calling validateChain, while Audit does. A tampered or internally inconsistent log can still supply a head CID and document state, so signed submissions may be built on unverified history until the registry rejects them or the caller runs Audit separately.
Reviewed by Cursor Bugbot for commit e9ae33f. Configure here.


Note
Medium Risk
Touches identity signing, rotation keys, and cryptographic chain validation; mistakes could allow invalid ops or break registry compatibility, though scope is a new package with tests.
Overview
Adds a new
controller/did-plcpackage that talks to the PLC registry (https://plc.directoryby default) to create DIDs, update documents, tombstone, recover from a fork CID, and audit the operation log with local chain checks.Operations are signed as DAG-CBOR via an internal
dagcborencoder, with CIDv1 / MSI derivation, low-S ECDSA signatures, and JSON submission over HTTP.Registryoptions cover custom URL, HTTP client, and allowed rotation key algorithms (default secp256k1 + P-256). Audit parsing supportsplc_operation,plc_tombstone, and legacycreateentries, skipping nullified ops while verifying CID,prevcontinuity, and signatures.go.modgains IPLD/multiformats deps (go-cid, multihash, multicodec, etc.). Tests use an in-memory fake registry plus DAG-CBOR unit tests; anExampledocuments the end-to-end flow.Reviewed by Cursor Bugbot for commit e9ae33f. Bugbot is set up for automated code reviews on this repo. Configure here.