web/backend/secretapi (last change 2026-02-18 14:21:21 -08:00)

File listing (name, last commit message, commit date):

  deploy                  Add secretapi member channel endpoints and deployment hardening   2026-02-17 20:48:19 -08:00
  .env.example            Emit entitlement calldata in quotes and verify tx payload         2026-02-18 13:28:01 -08:00
  app_test.go             Add assurance policy regression tests for member channel          2026-02-18 14:21:21 -08:00
  app.go                  Add membership assurance levels and policy gates                  2026-02-18 14:06:52 -08:00
  assurance.go            Add membership assurance levels and policy gates                  2026-02-18 14:06:52 -08:00
  chain.go                Emit entitlement calldata in quotes and verify tx payload         2026-02-18 13:28:01 -08:00
  config_test.go          Validate secretapi config at startup for fail-closed deploys      2026-02-18 07:09:31 -08:00
  config.go               Emit entitlement calldata in quotes and verify tx payload         2026-02-18 13:28:01 -08:00
  crypto.go               Add secretapi member channel endpoints and deployment hardening   2026-02-17 20:48:19 -08:00
  Dockerfile              Add secretapi member channel endpoints and deployment hardening   2026-02-17 20:48:19 -08:00
  go.mod                  Add secretapi member channel endpoints and deployment hardening   2026-02-17 20:48:19 -08:00
  go.sum                  Add secretapi member channel endpoints and deployment hardening   2026-02-17 20:48:19 -08:00
  main.go                 Validate secretapi config at startup for fail-closed deploys      2026-02-18 07:09:31 -08:00
  marketplace_models.go   Emit entitlement calldata in quotes and verify tx payload         2026-02-18 13:28:01 -08:00
  marketplace.go          Add membership assurance levels and policy gates                  2026-02-18 14:06:52 -08:00
  models.go               Add membership assurance levels and policy gates                  2026-02-18 14:06:52 -08:00
  README.md               Add membership assurance levels and policy gates                  2026-02-18 14:06:52 -08:00
  store.go                Add membership assurance levels and policy gates                  2026-02-18 14:06:52 -08:00

Secret API Backend (secretapi)

Deterministic backend for wallet-first designation, membership activation, and governance install authorization.

Run

cd /Users/vsg/Documents/VSG\ Codex/web/backend/secretapi
go run .

Default listen address is :8080.

Test

cd /Users/vsg/Documents/VSG\ Codex/web/backend/secretapi
go test ./...

Environment Template

Copy .env.example from this folder and set the contract/runtime values before deploying. secretapi validates its config at startup and fails closed if strict chain verification (SECRET_API_REQUIRE_ONCHAIN_TX_VERIFICATION) is enabled without an RPC URL (SECRET_API_CHAIN_RPC_URL).

Endpoint Surface

Membership

  • POST /secret/wallet/intent
  • POST /secret/wallet/verify
  • POST /secret/membership/quote
  • POST /secret/membership/confirm
  • GET /secret/membership/status

Marketplace

  • GET /marketplace/offers
  • GET /marketplace/offers/{offer_id}
  • POST /marketplace/checkout/quote
  • POST /marketplace/checkout/confirm
  • GET /marketplace/entitlements

Governance install + availability

  • POST /governance/install/token
  • POST /governance/install/confirm
  • GET /governance/install/status
  • POST /governance/lease/heartbeat
  • POST /governance/lease/offline-renew

Member app channel

  • POST /member/channel/device/register
  • POST /member/channel/device/unregister
  • GET /member/channel/events
  • POST /member/channel/events/{event_id}/ack
  • POST /member/channel/support/ticket

Sponsorship Behavior

Membership quote supports an ownership wallet and a distinct payer wallet:

  • address: ownership wallet (required)
  • payer_wallet: optional payer wallet
  • payer_proof: required when payer differs from owner

When the payer differs from the owner, payer_proof is the owner's signature over this personal message:

EDUT-PAYER-AUTH:{designation_code}:{owner_wallet}:{payer_wallet}:{chain_id}

This enables company-sponsored mint flows while preserving deterministic owner authorization.

A company-first sponsor path is also supported:

  • If sponsor_org_root_id is provided and payer_wallet is a stored org_root_owner principal for that org root with active entitlement status, the quote is issued without payer_proof.
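The quote authorization rules above (self-paid, owner-signed payer proof, company-first sponsor path) as an added example; this is not secretapi's own code. It assumes a hypothetical OrgRootLookup store hook and an injected Verifier standing in for EIP-191 personal_sign recovery, so the policy can be exercised without a secp256k1 library.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// PayerProofMessage builds the owner-signed personal message in the README format:
// EDUT-PAYER-AUTH:{designation_code}:{owner_wallet}:{payer_wallet}:{chain_id}
func PayerProofMessage(code, owner, payer string, chainID uint64) string {
	return fmt.Sprintf("EDUT-PAYER-AUTH:%s:%s:%s:%d", code, owner, payer, chainID)
}

// OrgRootLookup: is wallet a stored org_root_owner principal for orgRootID with active entitlement? (hypothetical store hook)
type OrgRootLookup func(orgRootID, wallet string) bool

// Verifier: is sig the owner's personal_sign (EIP-191) signature over msg? Injected so no secp256k1 library is needed (assumption).
type Verifier func(msg string, sig []byte, owner string) bool

// QuoteRequest mirrors the membership quote fields named in the README.
type QuoteRequest struct {
	DesignationCode, Address, PayerWallet, SponsorOrgRootID string
	PayerProof                                            []byte
}

var (
	ErrOwnerRequired = errors.New("address is required")
	ErrProofRequired = errors.New("payer_proof required when payer differs from owner")
	ErrProofInvalid  = errors.New("payer_proof does not verify against owner wallet")
)

// AuthorizeQuote returns the paying wallet when quote issuance is allowed.
func AuthorizeQuote(r QuoteRequest, chainID uint64, lookup OrgRootLookup, verify Verifier) (string, error) {
	if r.Address == "" {
		return "", ErrOwnerRequired
	}
	// Self-paid: payer omitted or same wallet (hex compared case-insensitively; assumption).
	if r.PayerWallet == "" || strings.EqualFold(r.PayerWallet, r.Address) {
		return r.Address, nil
	}
	// Company-first sponsor path: an active org_root_owner principal needs no payer_proof.
	if r.SponsorOrgRootID != "" && lookup != nil && lookup(r.SponsorOrgRootID, r.PayerWallet) {
		return r.PayerWallet, nil
	}
	if len(r.PayerProof) == 0 {
		return "", ErrProofRequired
	}
	if !verify(PayerProofMessage(r.DesignationCode, r.Address, r.PayerWallet, chainID), r.PayerProof, r.Address) {
		return "", ErrProofInvalid
	}
	return r.PayerWallet, nil
}
```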

Identity Assurance Model

Membership activation and identity assurance are stored as separate facts:

  1. membership_status
  2. identity_assurance_level

Assurance levels:

  1. none
  2. crypto_direct_unattested
  3. sponsored_unattested
  4. onramp_attested

onramp_attested can be set during membership confirm only for self-paid quotes, and requires identity_attested_by.

Policy gates:

  1. Store checkout requires active membership.
  2. Workspace admin install/support actions require onramp_attested assurance.
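The assurance model and the two policy gates above, as an added example that is not secretapi's own code: membership_status and identity_assurance_level are kept as separate facts, confirm derives the level (refusing onramp_attested on sponsored quotes or without identity_attested_by), and each gate checks only the fact it depends on. The status string values are an assumption; the README names only "active".

```go
package main

import "errors"

// identity_assurance_level values from the README; stored separately from membership_status.
type AssuranceLevel string

const (
	AssuranceNone                AssuranceLevel = "none"
	AssuranceCryptoUnattested    AssuranceLevel = "crypto_direct_unattested"
	AssuranceSponsoredUnattested AssuranceLevel = "sponsored_unattested"
	AssuranceOnrampAttested      AssuranceLevel = "onramp_attested"
)

// Member keeps activation and assurance as two separate facts.
type Member struct {
	MembershipStatus       string // "active" after confirm; other values are an assumption
	IdentityAssuranceLevel AssuranceLevel
}

// ConfirmRequest is the membership confirm input the assurance rule needs.
type ConfirmRequest struct {
	SelfPaid           bool   // payer wallet equals ownership wallet
	RequestAttested    bool   // caller asks for onramp_attested
	IdentityAttestedBy string // required together with RequestAttested
}

var (
	ErrAttestSponsored = errors.New("onramp_attested is only allowed on self-paid quotes")
	ErrAttestedByReq   = errors.New("identity_attested_by is required for onramp_attested")
)

// ConfirmMembership activates the member and derives identity_assurance_level.
func ConfirmMembership(r ConfirmRequest) (Member, error) {
	level := AssuranceSponsoredUnattested // distinct payer, no attestation
	switch {
	case r.RequestAttested && !r.SelfPaid:
		return Member{}, ErrAttestSponsored
	case r.RequestAttested && r.IdentityAttestedBy == "":
		return Member{}, ErrAttestedByReq
	case r.RequestAttested:
		level = AssuranceOnrampAttested
	case r.SelfPaid:
		level = AssuranceCryptoUnattested
	}
	return Member{MembershipStatus: "active", IdentityAssuranceLevel: level}, nil
}

// Gate 1: store checkout needs active membership only; assurance is not consulted.
func CanStoreCheckout(m Member) bool { return m.MembershipStatus == "active" }

// Gate 2: workspace admin install/support actions need onramp_attested assurance.
func CanWorkspaceAdminAction(m Member) bool { return m.IdentityAssuranceLevel == AssuranceOnrampAttested }
```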

Key Environment Variables

Core

  • SECRET_API_LISTEN_ADDR (default :8080)
  • SECRET_API_DB_PATH (default ./secret.db)
  • SECRET_API_ALLOWED_ORIGIN (default https://edut.ai)
  • SECRET_API_MEMBER_POLL_INTERVAL_SECONDS (default 30)
  • SECRET_API_CHAIN_ID (default 84532)
  • SECRET_API_CHAIN_RPC_URL (optional, enables on-chain tx receipt verification)
  • SECRET_API_REQUIRE_ONCHAIN_TX_VERIFICATION (default false; when true, membership confirm and marketplace checkout confirm fail closed without chain receipt verification)
  • SECRET_API_ENTITLEMENT_CONTRACT (optional; when set, marketplace quote emits purchase calldata for entitlement settlement contract)

Membership

  • SECRET_API_INTENT_TTL_SECONDS (default 900)
  • SECRET_API_QUOTE_TTL_SECONDS (default 900)
  • SECRET_API_DOMAIN_NAME
  • SECRET_API_VERIFYING_CONTRACT
  • SECRET_API_MEMBERSHIP_CONTRACT
  • SECRET_API_MINT_CURRENCY (default USDC)
  • SECRET_API_MINT_AMOUNT_ATOMIC (default 100000000)
  • SECRET_API_MINT_DECIMALS (default 6)

Governance install

  • SECRET_API_INSTALL_TOKEN_TTL_SECONDS (default 900)
  • SECRET_API_LEASE_TTL_SECONDS (default 3600)
  • SECRET_API_OFFLINE_RENEW_TTL_SECONDS (default 2592000)
  • SECRET_API_GOV_RUNTIME_VERSION
  • SECRET_API_GOV_PACKAGE_URL
  • SECRET_API_GOV_PACKAGE_HASH
  • SECRET_API_GOV_PACKAGE_SIGNATURE
  • SECRET_API_GOV_SIGNER_KEY_ID
  • SECRET_API_GOV_POLICY_HASH
  • SECRET_API_GOV_ROLLOUT_CHANNEL (default stable)