v0.3.1 — rotation peer refresh (XFAIL killed)
Summary
Closes #4. Communication now survives key rotation. The XFAIL test that's been the most prominent unfixed bug in the case study is gone.
What changed
When `verify_message` fails AND the REQ includes a fresh `identity_doc`, the receiver now attempts a KERI-style continuity check:
```
hash(new_doc.public_key) == cached_doc.next_key_digest
```
If the proof holds, the cache is refreshed and verification retried. If it doesn't, rejected as `invalid_signature` (treat as attack — only the original key holder could have committed to the right `next_key_digest`).
Client contract
The rotated party MUST include their fresh `identity_doc` on the first post-rotation REQ:
```python
req = build_req(
from_private_key=identity._private_key,
from_id=identity.agent_id,
to_id=peer_id,
intent="task",
payload={"action": "ping"},
identity_doc=identity.to_identity_document(), # required after rotation
)
```
Subsequent REQs to the same peer don't need `identity_doc` — the cache is now fresh.
Test results
| v0.3.0 | v0.3.1 | |
|---|---|---|
| Tests passing | 129 | 131 |
| Documented xfails | 1 | 0 |
| CI | 3.11 / 3.12 / 3.13 green | 3.11 / 3.12 / 3.13 green |
Stats arc since v0.1.3
| v0.1.3 (case study era) | v0.3.1 | |
|---|---|---|
| Tests | 118 + 1 xfail | 131 |
| Critical auth bypasses | 3 | 0 |
| Durability gaps | 1 | 0 |
| Documented xfails | 1 | 0 |
Install
```bash
pip install --upgrade pact-passport
```