In [1]:
# Imports and Utility functions
import subprocess

def clear_keri():
    path = "/usr/local/var/keri/"
    confirm = input("🚨 This will clear your keystore. Are you sure? (y/n): ")
    if confirm.lower() == "y":
        print("Proceeding...")
        try:
            subprocess.run(["rm", "-rf", path], check=True)
            print(f"✅ Successfully removed: {path}")
        except subprocess.CalledProcessError as e:
            print(f"❌ Error removing {path}: {e}")
    else:
        print("Operation cancelled.")

# KERI Command Line Interface (KLI)

Throughout these notebooks, we will interact with the KERI protocol using the **KLI (KERI Command Line Interface)**. The KLI is the standard text-based tool for managing identitifiers and infrastructure directly from your computer's terminal.

**How we'll use KLI in Notebooks?**

Since we are working within Jupyter notebooks, we will execute KLI commands by prefixing them with an exclamation mark (`!`). This tells the notebook environment to run the command in the underlying system shell, rather than as Python code. So, you'll frequently see commands structured like this:

`!kli <command> [options]`  

**What can you do with KLI?**

The KLI provides a wide range of functionalities. Key capabilities you'll encounter or should be aware of include:
- **Core Identity Management:** Creating your identifiers, managing their cryptographic keys, and checking an identifier's history.
- **Advanced Identifier Operations:** Participating in more complex setups, such as identifiers with delegated authority or those requiring multiple signatures to authorize actions.
- **Infrastructure Operations:** Running essential KERI components like witnesses and watchers. (We will cover witnesses and watchers in more detail later).
- **Organized Control via Keystores:** Most KLI commands require you to specify a `--name` parameter. This refers to a Keystore, which acts like a dedicated profile containing the specific keys and configuration for the identifier you want that command to manage.



## Basic Utility Commands
Here are a few simple KLI commands you can run to get basic information or generate useful values:

**Check KLI Version:** See which version of the KLI tool you are using.

In [16]:
!kli version

Library version: 1.1.32


**Generate a Salt:** Create a new random salt. A salt (specifically, a qualified base64 salt in KERI) is a random value used as an input when generating cryptographic key pairs to help ensure their uniqueness and security.

In [19]:
# This will output a qualified base64 string representing the salt
!kli salt

0ABfWAzmekmz5zhCEn9JVwTV


**Generate a Passcode:** Create a new random passcode. This passcode is used to encrypt your keystore, providing an additional layer of protection.

In [20]:
# This will output a random string suitable for use as an encryption passcode
!kli passcode generate

WhFVkiBuMdG3LWvB7yNnz


## Creating a Keystore

Before you can create identifiers or perform many other actions with KLI, you need a keystore, an encrypted data store that holds the private keys for your identifiers. To initialize a keystore, you give it a name, protect it with a passcode, and provide a salt for generating the keys.

The command to do this is `kli init`. Here's an example:


In [21]:
# Choose a name for your keystore
keystore_name="my-first-key-store"
# Use a strong, randomly generated passcode ( from 'kli passcode generate')
keystore_passcode="xSLg286d4iWiRg2mzGYca"
# Use a random salt (from 'kli salt')
salt="0ABeuT2dErMrqFE5Dmrnc2Bq"

!kli init --name {keystore_name} --passcode {keystore_passcode} --salt {salt}

KERI Keystore created at: /usr/local/var/keri/ks/my-first-key-store
KERI Database created at: /usr/local/var/keri/db/my-first-key-store
KERI Credential Store created at: /usr/local/var/keri/reg/my-first-key-store
	aeid: BD-1udeJaXFzKbSUFb6nhmndaLlMj-pdlNvNoN562h3z


This command sets up the necessary file structures for your Keystore, ready for you to create and manage Identifiers within it. It creates the keystore, the database, and the credential store.  

<div class="alert alert-info">
  <b>ℹ️ NOTE:</b><hr>
    <li>Depending on the context, the Keystore may also be referred to as a Habitat or Habery.</li> 
    <li>A Habery is a collection of Habs, a Hab is a keystore for one identifier.</li>
</div>

<div class="alert alert-info">
  <b>💡 TIP:</b><hr>
    <li>If you run <code>clear_keri()</code>, the keystore, database, and credential store directories are deleted.</li>  
    <li>This function is provided as an utility to clean your data for testing purposes.</li>
</div>



<div class="alert alert-success">
  <b>🧠 EXERCISE:</b><hr>
    <li>Initializing a new keystore using the <code>kli passcode generate, kli salt, and kli init</code> command as shown above.</li> 
    <li>Then use commands <code>TBD</code> to change the passcode</li>
</div>

Let's create an identifier  
note the parameters:
`--icount 1 --isith 1 --ncount 1 --nsith 1 --toad 1`  
they will be explained later on section TBD


The relationship is straightforward: **The Prefix *is* the specific, encoded representation of an Autonomic Identifier (AID) in KERI.**

Here's the breakdown:

1.  **AID is the Concept:** An Autonomic Identifier (AID) is a type of identifier defined by its properties: it's self-managing (you control it without a central authority) and, crucially, **self-certifying** (meaning the identifier itself contains the information needed to verify its authenticity, typically the public key).

2.  **Prefix is the Encoding:** The **Prefix** is how an AID is actually written down or represented as a string of text. The prefix is constructed by combining:
    * A **Derivation Code** (how the key was made)
    * The **Encoded Public Key**

3.  **Connecting the Two:** An AID *must* be self-certifying. The Prefix achieves this requirement because it directly includes the encoded public key within the identifier string itself. This allows anyone who sees the prefix (the AID) to extract the public key and verify signatures or authenticate the identifier directly, without needing to look it up elsewhere.

**In simple terms:**

* Think of the **AID** as the *idea* of a secure, self-managed digital identifier.
* Think of the **Prefix** as the *actual text string* you use to represent that AID, whose structure (including the public key) makes the AID's self-certifying property possible.



In [14]:
AID_alias = "prefix"
!kli incept --name {keystore_name} --alias {AID_alias} --passcode {keystore_passcode} --icount 1 --isith 1 --ncount 1 --nsith 1 --toad 0

ERR: Already incepted pre=BKJTXe_SbMEczrFBrv5Mi4Zn-l436AMW6pr2lw35l9TZ.


In [13]:
!kli list --name {keystore} --passcode {passcode}

Keystore must already exist, exiting


In [8]:
!kli status --name {keystore} --passcode {passcode} --alias AID_alias

Keystore must already exist, exiting


In [9]:
!kli status -h

usage: kli status [-h] --name NAME [--base BASE] [--alias ALIAS]
                  [--passcode BRAN] [--verbose]

View status of a local AID

options:
  -h, --help            show this help message and exit
  --name NAME, -n NAME  keystore name and file location of KERI keystore
  --base BASE, -b BASE  additional optional prefix to file location of KERI
                        keystore
  --alias ALIAS, -a ALIAS
                        human readable alias for the new identifier prefix
  --passcode BRAN, -p BRAN
                        22 character encryption passcode for keystore (is not
                        saved)
  --verbose, -V         print JSON of all current events


In [10]:
clear_keri()

🚨 This will clear your keystore. Are you sure? (y/n):  y


Proceeding...
✅ Successfully removed: /usr/local/var/keri/
