You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Consent capture: request create --require-consent true gates signing on
each signer attesting intent-to-sign and accepting the electronic-records
(ESIGN) disclosure via approve --agree true --accept-disclosure true. The
canonical statement texts are versioned (sign consent show) and recorded in
the audit chain (request.consent_captured, request.esign_consent_captured)
with their SHA-256 and timestamp.
Signer email verification: request create --require-email-verification true gates signing on proof of mailbox control. New commands signer send-verification (6-digit code, hashed at rest, 15-min TTL, 5-attempt
lockout, optional delivery via SIGN_VERIFICATION_WEBHOOK_URL) and signer verify-email; approve --verification-code redeems in one step. Audit
events: request.signer_verification_issued, request.signer_email_verified.
Identity-assurance records: signer record-identity --identity-assurance method:...,verifier:...,reference:... (also inline on approve) records how
a signer's identity was checked out-of-band — the assertion, never the
evidence — as request.identity_assurance_recorded.
Both gates are enforced in the shared signing service, so the CLI sign
command, MCP sign tool, and POST /v1/sign all honor them; combining them
with --auto-approve is rejected. request show now includes a per-signer consent block. New docs: docs/reference/consent-and-identity.md.
Changed
sign demo now showcases the consent flow. Both gates are enabled on the
demo request; the demo drives real blocked sign attempts
(EMAIL_VERIFICATION_REQUIRED, CONSENT_REQUIRED), verifies the signer
email, captures the consent attestations + an identity-assurance record, then
approves and signs through the token path (no more --auto-approve +
provider auto-complete). The result gains a consent block; any configured SIGN_VERIFICATION_WEBHOOK_URL is ignored during the demo so codes never
leave the machine.