fix(bootstrap): auto-complete bootstrap when workspace self-trusts its signing key (#738)#598
Merged
dollspace-gay merged 1 commit intoMay 14, 2026
Conversation
…s signing key (#738) PR #597 (GH#585) made configure_signing() silently auto-add the workspace's active signing key to trust/allowed_signers. Because trust pending classifies a published key as "approved" when its principal is in allowed_signers, every published key now reports as approved — yet complete_bootstrap() was only called from crosslink trust approve. Net result: after a fresh init+sync the hub stays at bootstrap.status="pending" forever, and with signing_enforcement="enforced" every subsequent sync bails with guidance that is impossible to follow (trust pending shows nothing, no agent-id to approve). Treat the workspace self-trust event as the moral equivalent of trust approve on the operator's own key: when register_active_key_as_trusted actually adds a new entry while bootstrap is pending, flip bootstrap to "complete" and stage meta/bootstrap.json into the same atomic unsigned commit. Also extend BOOTSTRAP_MESSAGE_PREFIXES so that commit ("trust: register signing key for ...") is correctly filtered by signing audit going forward. sync_cmd prints the parity message "Bootstrap complete — signing enforcement is now active." when the flip happens on its watch. Two new unit tests prove the flip happens on first call and that completed_at is not rewritten on subsequent calls. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
crosslink init+crosslink syncleavesmeta/bootstrap.jsonatstatus: "pending"forever —trust pendingshows nothing (the workspace key was already auto-trusted), andsigning_enforcement: "enforced"bails every sync with guidance that's impossible to follow.trust approveon the operator's own key: whenregister_active_key_as_trustedactually adds a new entry while bootstrap is pending, flips bootstrap tocompleteand stagesmeta/bootstrap.jsoninto the same atomic unsigned commit."trust: register signing key"toBOOTSTRAP_MESSAGE_PREFIXESso the unsigned self-trust commit is correctly filtered by signing audit going forward.sync_cmdsnapshots bootstrap state before/afterconfigure_signingand printsBootstrap complete — signing enforcement is now active.for UX parity withtrust approve.Repro before the fix
Test plan
cargo build --libcleancargo fmt --checkcleancargo clippy --libcleancargo test --lib sync::— 145/145 pass (includes two new GH#738 tests + GH#585 tests covering the same path)crosslink init→crosslink syncno longer leaves bootstrap pending; a secondcrosslink syncsucceeds withSigning audit: all N recent commit(s) are signed.🤖 Generated with Claude Code