In [3]:
# Imports and Utility functions
import subprocess

def clear_keri():
    path = "/usr/local/var/keri/"
    confirm = input("🚨 This will clear your keystore. Are you sure? (y/n): ")
    if confirm.lower() == "y":
        print("Proceeding...")
        try:
            subprocess.run(["rm", "-rf", path], check=True)
            print(f"✅ Successfully removed: {path}")
        except subprocess.CalledProcessError as e:
            print(f"❌ Error removing {path}: {e}")
    else:
        print("Operation cancelled.")

## Creating a Keystore

Before you can create identifiers or perform many other actions with KLI, you need a keystore, an encrypted data store that holds the private keys for your identifiers. To initialize a keystore, you give it a name, protect it with a passcode, and provide a salt for generating the keys.

The command to do this is `kli init`. Here's an example:


In [5]:
# Choose a name for your keystore
keystore_name="my-first-key-store"
# Use a strong, randomly generated passcode ( from 'kli passcode generate')
keystore_passcode="xSLg286d4iWiRg2mzGYca"
# Use a random salt (from 'kli salt')
salt="0ABeuT2dErMrqFE5Dmrnc2Bq"

!kli init --name {keystore_name} --passcode {keystore_passcode} --salt {salt}

KERI Keystore created at: /usr/local/var/keri/ks/my-first-key-store
KERI Database created at: /usr/local/var/keri/db/my-first-key-store
KERI Credential Store created at: /usr/local/var/keri/reg/my-first-key-store
	aeid: BD-1udeJaXFzKbSUFb6nhmndaLlMj-pdlNvNoN562h3z


This command sets up the necessary file structures for your Keystore, ready for you to create and manage Identifiers within it. It creates the keystore, the database, and the credential store.  

<div class="alert alert-info">
  <b>ℹ️ NOTE</b><hr>
    <li>Depending on the context, the Keystore may also be referred to as a Habitat or Habery.</li> 
    <li>A Habery is a collection of Habs, a Hab is a keystore for one identifier.</li>
</div>

## Creating an Identifier

Now that you have a keystore, you can create your first identifier within it. In KERI, these are Autonomic Identifiers (AIDs). The command used is `kli incept`.

When you run `kli incept`, it generates the cryptographic keys for your identifier and outputs a unique string called a Prefix. This Prefix is the actual, usable representation of your AID.

Let's create one:

In [6]:
# Choose a human-readable alias for your identifier *within this keystore*
aid_alias = "my-first-aid"

# Create (incept) the identifier
# The parameters --icount, --isith, --ncount, --nsith, --toad control the key management thresholds.
# We use basic settings here; these will be explained in detail in a later section (TBD).
!kli incept --name {keystore_name} --alias {aid_alias} --passcode {keystore_passcode} \
    --icount 1 --isith 1 --ncount 1 --nsith 1 --toad 0

Prefix  BHt9Kw8oUgfB2kiyoj65B2VE5fZLr87S5MJP3l4JeRwC
	Public key 1:  BHt9Kw8oUgfB2kiyoj65B2VE5fZLr87S5MJP3l4JeRwC



**What just happened? AID vs. Prefix**

The command created an Autonomic Identifier (AID). The string `BHt9Kw8oUgfB2kiyoj65B2VE5fZLr87S5MJP3l4JeRwC` is the Prefix.
Here's the relationship:

1) AID is the Concept: An Autonomic Identifier (AID) is a type of identifier defined by its properties:
    - Self-Managing: You control its keys without the need for a central authority.
    - Self-Certifying: The AID itself provides the cryptographic information needed to verify its authenticity.
2) Prefix is the Representation: The Prefix is how an AID is encoded and represented as a string. It's constructed by combining:
    - A Derivation Code: Indicates how the key was generated and its type.
    - The Encoded Public Key: The public portion of the initial key pair.
3) Why Prefixes Matter: An AID must be self-certifying. The Prefix achieves this because it directly embeds the public key material within the identifier string itself. Anyone seeing the prefix can cryptographically verify signatures or messages associated with that AID.


🚧 mention incept parameters  
🚧 triple check the veracity of the statements

<div class="alert alert-prymary">
  <b>📝 SUMMARY</b><hr>
    <li>Think of the AID as the secure, self-managed identifier</li>
    <li>Think of the prefix as the actual text string you use to represent that AID, whose structure makes the AID's self-certifying property work</li>
    <li>Think of the alias (<code>my-first-aid</code> in our example) as just a local nickname within your keystore to easily refer to the complex Prefix</li>
    <li>The terms AID, identifier, prefix, and alias tend to be used interchangeably</li>
</div>




## Displaying the Identifier
You can check the status of the identifier you just created using `kli status` and its alias. This command will show details about the AID's current state, including its Alias, prefix (Identifier), sequence number, public keys, and additional information.

🚧the command output shows data that needs to be explained later

In [7]:
# Check the status of the AID using its alias
!kli status --name {keystore_name} --passcode {keystore_passcode} --alias {aid_alias}

Alias: 	my-first-aid
Identifier: BHt9Kw8oUgfB2kiyoj65B2VE5fZLr87S5MJP3l4JeRwC
Seq No:	0

Witnesses:
Count:		0
Receipts:	0
Threshold:	0

Public Keys:	
	1. BHt9Kw8oUgfB2kiyoj65B2VE5fZLr87S5MJP3l4JeRwC



You can also list all the identifiers managed within this keystore. To illustrate this, let's create an additional Identifier

In [8]:
!kli incept --name {keystore_name} --alias "my-second-aid" --passcode {keystore_passcode} \
    --icount 1 --isith 1 --ncount 1 --nsith 1 --toad 0

Prefix  BBuVNJvbJD2WNduQ0JUGRVGb6uKYrF5bO5T4gdGt_ezO
	Public key 1:  BBuVNJvbJD2WNduQ0JUGRVGb6uKYrF5bO5T4gdGt_ezO



Now use `kli list` to list all the identifiers managed by the keystore

In [9]:
# List all Identifiers in the keystore
!kli list --name {keystore_name} --passcode {keystore_passcode}

my-first-aid (BHt9Kw8oUgfB2kiyoj65B2VE5fZLr87S5MJP3l4JeRwC)
my-second-aid (BBuVNJvbJD2WNduQ0JUGRVGb6uKYrF5bO5T4gdGt_ezO)


<div class="alert alert-info">
  <b>💡 TIP</b><hr>
    <li>You can use <code>--verbose</code> parameter to show the key event messages.
    <li>To understand the meaning of the key event fields, refer to <a href="https://trustoverip.github.io/tswg-keri-specification/#keri-data-structures-and-labels">KERI Data Structures and Labels</a>
    <li>Key Event Fields:
      <ul>
        <li><code>v</code> – Version String</li>
        <li><code>t</code> – Message type (e.g., <code>icp</code>)</li>
        <li><code>k</code> – List of Signing Keys</li>
        <li><code>i</code> – Identifier Prefix (AID)</li>
      </ul>
    </li>
</div>

In [10]:
!kli status --name {keystore_name} --passcode {keystore_passcode} --alias {aid_alias} --verbose

Alias: 	my-first-aid
Identifier: BHt9Kw8oUgfB2kiyoj65B2VE5fZLr87S5MJP3l4JeRwC
Seq No:	0

Witnesses:
Count:		0
Receipts:	0
Threshold:	0

Public Keys:	
	1. BHt9Kw8oUgfB2kiyoj65B2VE5fZLr87S5MJP3l4JeRwC


Witnesses:	

{
 "v": "KERI10JSON0000fd_",
 "t": "icp",
 "d": "EG23dnLAUA4ywPcu2qbokplb2cb1XlIOw24iIKYtR3v4",
 "i": "BHt9Kw8oUgfB2kiyoj65B2VE5fZLr87S5MJP3l4JeRwC",
 "s": "0",
 "kt": "1",
 "k": [
  "BHt9Kw8oUgfB2kiyoj65B2VE5fZLr87S5MJP3l4JeRwC"
 ],
 "nt": "0",
 "n": [],
 "bt": "0",
 "b": [],
 "c": [],
 "a": []
}



--------------------------------------------------------------------------------------

<div class="alert alert-info">
  <b>💡 TIP</b><hr>
    <li>If you run <code>clear_keri()</code>, the keystore, database, and credential store directories are deleted.</li>  
    <li>This function is provided as an utility to clean your data for testing purposes.</li>
</div>

In [3]:
clear_keri()

🚨 This will clear your keystore. Are you sure? (y/n):  y


Proceeding...
✅ Successfully removed: /usr/local/var/keri/
