Implement agent identity profile v01 (Signature-Agent + x509 delegation)

.nvmrc

@@ -0,0 +1 @@
+20

README.md

@@ -109,7 +109,8 @@ openbotauth/
 │  └─ neon/                     ✅ Neon migrations
 └─ docs/
    ├─ ARCHITECTURE.md           ✅ System architecture
-   └─ A2A_CARD.md               ✅ A2A discovery documentation
+   ├─ A2A_CARD.md               ✅ A2A discovery documentation
+   └─ BREAKING_CHANGES.md       ✅ Behavior changes by PR/release
 ```
 
 ---

apps/registry-portal/public/skill.md

@@ -46,9 +46,9 @@ const spki = publicKey.export({ type: 'spki', format: 'der' });
 if (spki.length !== 44) throw new Error(`Unexpected SPKI length: ${spki.length}`);
 const rawPub = spki.subarray(12, 44);
 const x = rawPub.toString('base64url');
-const thumbprint = JSON.stringify({ kty: 'OKP', crv: 'Ed25519', x });
+const thumbprint = JSON.stringify({ crv: 'Ed25519', kty: 'OKP', x });
 const hash = crypto.createHash('sha256').update(thumbprint).digest();
-const kid = hash.toString('base64url').slice(0, 16);
+const kid = hash.toString('base64url');
 
 // Save securely
 const dir = path.join(os.homedir(), '.config', 'openbotauth');

apps/registry-portal/src/components/AddAgentModal.tsx

@@ -24,6 +24,9 @@ const AddAgentModal = ({ open, onOpenChange, onSuccess }: AddAgentModalProps) =>
   const [privateKey, setPrivateKey] = useState<any>(null);
   const [isGenerating, setIsGenerating] = useState(false);
   const [isCreating, setIsCreating] = useState(false);
+  const [obaAgentId, setObaAgentId] = useState("");
+  const [obaParentAgentId, setObaParentAgentId] = useState("");
+  const [obaPrincipal, setObaPrincipal] = useState("");
 
   const generateKeyPair = async () => {
     setIsGenerating(true);
@@ -111,6 +114,9 @@ const AddAgentModal = ({ open, onOpenChange, onSuccess }: AddAgentModalProps) =>
         description: description || undefined,
         agent_type: agentType,
         public_key: publicKey,
+        oba_agent_id: obaAgentId || undefined,
+        oba_parent_agent_id: obaParentAgentId || undefined,
+        oba_principal: obaPrincipal || undefined,
       });
 
       // Download private key
@@ -127,6 +133,9 @@ const AddAgentModal = ({ open, onOpenChange, onSuccess }: AddAgentModalProps) =>
       setAgentType("");
       setPublicKey(null);
       setPrivateKey(null);
+      setObaAgentId("");
+      setObaParentAgentId("");
+      setObaPrincipal("");
 
       onSuccess();
       onOpenChange(false);
@@ -220,6 +229,45 @@ const AddAgentModal = ({ open, onOpenChange, onSuccess }: AddAgentModalProps) =>
             </Alert>
           )}
 
+          <div className="space-y-2 pt-2">
+            <Label>Agent Identity (Optional)</Label>
+            <div className="grid grid-cols-1 gap-3">
+              <div className="space-y-1">
+                <Label htmlFor="oba-agent-id" className="text-xs text-muted-foreground">
+                  OBA Agent ID
+                </Label>
+                <Input
+                  id="oba-agent-id"
+                  placeholder="agent:alice@example.com"
+                  value={obaAgentId}
+                  onChange={(e) => setObaAgentId(e.target.value)}
+                />
+              </div>
+              <div className="space-y-1">
+                <Label htmlFor="oba-parent-agent-id" className="text-xs text-muted-foreground">
+                  OBA Parent Agent ID
+                </Label>
+                <Input
+                  id="oba-parent-agent-id"
+                  placeholder="agent:parent@example.com"
+                  value={obaParentAgentId}
+                  onChange={(e) => setObaParentAgentId(e.target.value)}
+                />
+              </div>
+              <div className="space-y-1">
+                <Label htmlFor="oba-principal" className="text-xs text-muted-foreground">
+                  OBA Principal
+                </Label>
+                <Input
+                  id="oba-principal"
+                  placeholder="principal:owner@example.com"
+                  value={obaPrincipal}
+                  onChange={(e) => setObaPrincipal(e.target.value)}
+                />
+              </div>
+            </div>
+          </div>
+
           <div className="flex gap-2 pt-4">
             <Button
               variant="outline"

apps/registry-portal/src/lib/api.ts

@@ -39,6 +39,9 @@ export interface Agent {
   agent_type: string;
   status: string;
   public_key: Record<string, unknown>;
+  oba_agent_id: string | null;
+  oba_parent_agent_id: string | null;
+  oba_principal: string | null;
   created_at: string;
   updated_at: string;
 }
@@ -62,6 +65,33 @@ export interface Session {
   profile: Profile;
 }
 
+export interface AgentCertificate {
+  id: string;
+  agent_id: string;
+  kid: string;
+  serial: string;
+  fingerprint_sha256: string;
+  not_before: string;
+  not_after: string;
+  revoked_at: string | null;
+  revoked_reason: string | null;
+  created_at: string;
+  is_active?: boolean;
+}
+
+export interface AgentCertificateDetail extends AgentCertificate {
+  cert_pem: string;
+  chain_pem: string;
+  x5c: string[];
+}
+
+export interface ListCertsResponse {
+  items: AgentCertificate[];
+  total: number;
+  limit: number;
+  offset: number;
+}
+
 // Radar types
 export interface RadarOverview {
   window: 'today' | '7d';
@@ -226,6 +256,9 @@ class RegistryAPI {
     description?: string;
     agent_type: string;
     public_key: Record<string, unknown>;
+    oba_agent_id?: string | null;
+    oba_parent_agent_id?: string | null;
+    oba_principal?: string | null;
   }): Promise<Agent> {
     const response = await this.fetch('/agents', {
       method: 'POST',
@@ -304,6 +337,63 @@ class RegistryAPI {
     }
   }
 
+  /**
+   * List issued certificates for the current user (optionally filtered)
+   */
+  async listAgentCerts(params: {
+    agent_id?: string;
+    kid?: string;
+    status?: 'active' | 'revoked' | 'all';
+    limit?: number;
+    offset?: number;
+  } = {}): Promise<ListCertsResponse> {
+    const searchParams = new URLSearchParams();
+    if (params.agent_id) searchParams.set('agent_id', params.agent_id);
+    if (params.kid) searchParams.set('kid', params.kid);
+    if (params.status) searchParams.set('status', params.status);
+    if (typeof params.limit === 'number') searchParams.set('limit', String(params.limit));
+    if (typeof params.offset === 'number') searchParams.set('offset', String(params.offset));
+
+    const query = searchParams.toString();
+    const response = await this.fetch(query ? `/v1/certs?${query}` : '/v1/certs');
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({ error: response.statusText }));
+      throw new Error(error.error || 'Failed to list certificates');
+    }
+    return await response.json();
+  }
+
+  /**
+   * Get one certificate (metadata + PEM chain + x5c) by serial.
+   */
+  async getCertBySerial(serial: string): Promise<AgentCertificateDetail> {
+    const response = await this.fetch(`/v1/certs/${encodeURIComponent(serial)}`);
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({ error: response.statusText }));
+      throw new Error(error.error || 'Failed to fetch certificate');
+    }
+    return await response.json();
+  }
+
+  /**
+   * Revoke one or more certificates by serial or kid.
+   */
+  async revokeCert(data: {
+    serial?: string;
+    kid?: string;
+    reason?: string;
+  }): Promise<{ success: boolean; revoked: number }> {
+    const response = await this.fetch('/v1/certs/revoke', {
+      method: 'POST',
+      body: JSON.stringify(data),
+    });
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({ error: response.statusText }));
+      throw new Error(error.error || 'Failed to revoke certificate');
+    }
+    return await response.json();
+  }
+
   /**
    * Get JWKS URL for user
    */
@@ -499,4 +589,3 @@ class RegistryAPI {
 }
 
 export const api = new RegistryAPI();
-