Background
Discovered while walking `docs/stage7-demo-and-verification.md` end-to-end against the live broker on `claude/practical-noether-670bd8`.
Symptom
```sh
agentkeys init \
  --email alice@demo.example \
  --broker-url $OIDC_ISSUER \
  --signer-url $BACKEND_URL
# → broker rejected https://broker.litentry.org/v1/auth/email/request: status=404 body=
```
The CLI's `agentkeys init` was hard-cut in issue #74 step 1 to support only `--email` or `--oauth2-google`. The deployed broker returns 404 on `/v1/auth/email/request`. Net: the deployed broker can't be initialized via the CLI at all.
Root cause (3 layered gaps)
| Layer | State on `evm` (pre-fix) | Issue |
|---|---|---|
| `scripts/setup-broker-host.sh:452` | `cargo build --release` (default features only) | Broker built without `auth-email-link` → `/v1/auth/email/*` routes are gated by `#[cfg(feature = "auth-email-link")]` (lib.rs:90) and never registered. |
| `scripts/broker.env:55` | `BROKER_AUTH_METHODS=wallet_sig` | Even if compiled in, plugin not enabled — boot.rs:372 only constructs `EmailLinkAuth` when `email_link` is in the comma list. |
| `crates/agentkeys-broker-server/src/boot.rs:452` | `Arc::new(StubEmailSender::new())` | Even if both above were fixed, `StubEmailSender` only records `(to, landing_url)` to an in-process `Mutex<Vec<…>>` (email_link.rs:80-117). No real delivery, no debug endpoint, operator has no way to retrieve the magic link. |
Fix
Closed by PR #75 (Pass 1 + Pass 2 of Option B):
- Pass 1 — real `SesEmailSender` impl using `aws-sdk-sesv2` `SendEmail`; address-level `verify_sender_ready`; end-to-end SES → S3 send-receive integration test (`crates/agentkeys-broker-server/tests/ses_email_flow.rs`).
- Pass 2 — wire `SesEmailSender` into broker boot (`BROKER_EMAIL_SENDER=stub|ses` env var); `setup-broker-host.sh` builds with `--features auth-email-link` + mints HMAC key + sets `BROKER_AUTH_METHODS=wallet_sig,email_link`; helper script `scripts/ses-verify-sender.sh` automates per-address SES identity verification by exploiting the existing receipt rule.
Operator setup (post-PR)
```sh
# Workstation
awsp agentkeys-admin
set -a; source scripts/operator-workstation.env; set +a
bash scripts/ses-verify-sender.sh   # registers + verifies noreply-test@bots.litentry.org

# Broker host
ssh agentkey@$BROKER_HOST
cd ~/agentKeys && git pull
sudo bash scripts/setup-broker-host.sh --yes
```
Then `agentkeys init --email alice@demo.example --broker-url $OIDC_ISSUER --signer-url $BACKEND_URL` works end-to-end.
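A preflight an operator can run before `agentkeys init` to catch the three layers above without re-reading the table. This is an added example, not a script from the agentKeys repo: it assumes a `broker.env`-style `KEY=value` file, that an unset `BROKER_EMAIL_SENDER` means the stub (the pre-fix default), and that a registered route hit with the wrong method answers something other than 404 (e.g. 405), so only a missing feature build yields 404.

```sh
#!/bin/sh
# Added preflight example, not part of the agentKeys repo: checks the two
# runtime layers from the root-cause table (BROKER_AUTH_METHODS and
# BROKER_EMAIL_SENDER) in a broker.env file, and probes the deployed broker
# for the layer-1 symptom (404 on the email-link route).
set -eu

# Read KEY=value from an env file; last assignment wins, quotes/spaces dropped.
env_value() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '" '
}

# Succeed iff METHOD ($2) is one of the comma-separated BROKER_AUTH_METHODS
# entries (boot.rs only constructs EmailLinkAuth when email_link is listed).
auth_method_enabled() {
  methods=$(env_value "$1" BROKER_AUTH_METHODS)
  case ",$methods," in
    *",$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Report the sender; "stub" when BROKER_EMAIL_SENDER is absent (assumed default).
email_sender() {
  sender=$(env_value "$1" BROKER_EMAIL_SENDER)
  echo "${sender:-stub}"
}

# Layer 1: a broker built without --features auth-email-link never registers
# /v1/auth/email/*, so the route answers 404. Any other status (assumed 405
# for a GET against a registered route) means the route exists.
email_route_registered() {
  status=$(curl -s -o /dev/null -w '%{http_code}' "$1/v1/auth/email/request")
  [ "$status" != "404" ]
}

# Exit 0 only when the env is consistent with magic links being delivered.
preflight_env() {
  rc=0
  if auth_method_enabled "$1" email_link; then
    echo "ok: email_link present in BROKER_AUTH_METHODS"
  else
    echo "FAIL: email_link missing from BROKER_AUTH_METHODS (layer 2)"; rc=1
  fi
  case "$(email_sender "$1")" in
    ses)  echo "ok: BROKER_EMAIL_SENDER=ses" ;;
    stub) echo "FAIL: BROKER_EMAIL_SENDER=stub, links stay in-process (layer 3)"; rc=1 ;;
    *)    echo "FAIL: unknown BROKER_EMAIL_SENDER value"; rc=1 ;;
  esac
  return $rc
}
```

Run `preflight_env scripts/broker.env` on the broker host and `email_route_registered "$OIDC_ISSUER"` from the workstation; both must succeed before `agentkeys init --email` can deliver a link.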
Verification
- Integration test (`tests/ses_email_flow.rs`) sends a magic-link via real SES, polls S3 for the inbound MIME, asserts the body contains the unique per-test UUID + landing URL, deletes the test object on completion. Production-safe via UUID-only matching.
- `cargo test -p agentkeys-broker-server --features auth-email-link --lib` → 161 passed.
- Manual: `agentkeys init --email …` against the deployed broker now delivers a real magic link to the operator's inbox.