[codex] rework stale docs PR follow-ups #190
The root rust job runs the full cargo deny check (advisories gated via scoped deny.toml ignores), and the current release manifest is beta-9. CONTRIBUTING still described the pre-ignore posture and validated beta-6.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e3ac4e0fa3
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 476808d7c9
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ba40a1f6cf
| holder cannot present an undisclosed field. Holder binding defaults to `did:jwk` for | ||
| credential profiles; where a profile keeps binding enabled, and on the self-attestation | ||
| issuance path, which requires it, the holder is bound by a fresh audience-bound | ||
| proof-of-possession. An operator can explicitly configure `holder_binding.mode: none` for |
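Review bot: in the sentence starting "Holder binding defaults to `did:jwk`", the two qualifiers ("where a profile keeps binding enabled" and "on the self-attestation issuance path, which requires it") both sit in front of "the holder is bound by a fresh audience-bound proof-of-possession", so the text does not say which condition the proof actually depends on. For a threat-model statement, split this into one sentence per issuance path and state for each whether a proof is checked; the `holder_binding.mode: none` sentence that follows can then say which of those guarantees it removes.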
Scope holder proof to profiles that require it
Fresh evidence in this diff is that this threat-model paragraph still applies the fresh proof-of-possession guarantee to any profile that keeps holder binding enabled. For direct `/v1/credentials` issuance with the new default profile, `HolderBindingConfig::default()` leaves `proof_of_possession` as `None`, and `validate_holder_request` only validates `holder.proof` when the profile sets `proof_of_possession: required`, so default `did:jwk` profiles require a holder DID but do not verify a fresh audience-bound proof. Please limit this claim to self-attestation or profiles that explicitly require proof of possession.
Summary
- `doctor` warnings.
- `astro` pinned to `7.0.2` because `7.0.5` reproduced a static-route regression for `/accessibility.md/`.
- `CONTRIBUTING.md` correction so the cargo-deny gate description matches the root CI behavior.

Security notes
- `holder_binding` now emits the secure `did` + `did:jwk` binding profile, while explicit `mode: none` remains available for intentional unbound credentials.

Validation
- `cargo fmt --check`
- `cargo test --locked -p registry-notary-core holder_binding`
- `cargo test --locked -p registry-notary --test doctor_cli doctor_json_warns_on_explicit_unbound_credential_profile`
- `cargo test --locked -p registry-notary-server issued_sd_jwt_disclosure_uses_view_claim_redacted_object_value`
- `cd docs/site && npm run generate`
- `cd docs/site && npm test`
- `cd docs/site && npm run check:content`
- `cd docs/site && npm run check:markdown`
- `cd docs/site && npm run check:style` (passed with existing generated-doc warnings only)
- `cd docs/site && npm run build`
- `cd docs/site && npm run check`
- `git diff --check`
- `cd docs/site && npm ls @astrojs/starlight astro starlight-openapi @redocly/cli markdownlint-cli2 starlight-llms-txt @astrojs/markdown-remark --depth=0`