auths-dev · bordumb · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026
diff --git a/crates/auths-cli/src/commands/device/pair/lan_server.rs b/crates/auths-cli/src/commands/device/pair/lan_server.rs
@@ -126,7 +126,7 @@ impl LanPairingServer {
     }
 
     /// Shut down the server without waiting for a response.
-    #[allow(dead_code)]
+    #[allow(dead_code)] // public API for callers that need graceful shutdown without waiting
     pub fn shutdown(self) {
         self.cancel.cancel();
     }

diff --git a/crates/auths-cli/src/commands/emergency.rs b/crates/auths-cli/src/commands/emergency.rs
@@ -147,15 +147,6 @@ pub struct ReportCommand {
     pub repo: Option<PathBuf>,
 }
 
-/// Incident type for interactive flow.
-#[derive(Debug, Clone, Copy)]
-#[allow(dead_code)]
-pub enum IncidentType {
-    DeviceLostStolen,
-    KeyExposed,
-    FreezeEverything,
-}
-
 /// Incident report output.
 #[derive(Debug, Serialize, Deserialize)]
 pub struct IncidentReport {

diff --git a/crates/auths-cli/src/commands/id/register.rs b/crates/auths-cli/src/commands/id/register.rs
@@ -7,6 +7,7 @@ use serde::Serialize;
 use auths_id::ports::registry::RegistryBackend;
 use auths_id::storage::attestation::AttestationSource;
 use auths_id::storage::identity::IdentityStorage;
+use auths_infra_http::HttpRegistryClient;
 use auths_sdk::error::RegistrationError;
 pub use auths_sdk::registration::DEFAULT_REGISTRY_URL;
 use auths_sdk::result::RegistrationOutcome;
@@ -44,12 +45,15 @@ pub fn handle_register(repo_path: &Path, registry: &str) -> Result<()> {
     let attestation_store = Arc::new(RegistryAttestationStorage::new(repo_path));
     let attestation_source: Arc<dyn AttestationSource + Send + Sync> = attestation_store;
 
+    let registry_client = HttpRegistryClient::new();
+
     match rt.block_on(auths_sdk::registration::register_identity(
         identity_storage,
         backend,
         attestation_source,
         registry,
         None,
+        &registry_client,
     )) {
         Ok(outcome) => display_registration_result(&outcome),
         Err(RegistrationError::AlreadyRegistered) => {

diff --git a/crates/auths-cli/src/commands/init.rs b/crates/auths-cli/src/commands/init.rs
@@ -17,6 +17,7 @@ use auths_id::attestation::export::AttestationSink;
 use auths_id::ports::registry::RegistryBackend;
 use auths_id::storage::attestation::AttestationSource;
 use auths_id::storage::identity::IdentityStorage;
+use auths_infra_http::HttpRegistryClient;
 use auths_sdk::context::AuthsContext;
 use auths_sdk::ports::git_config::GitConfigProvider;
 use auths_sdk::registration::DEFAULT_REGISTRY_URL;
@@ -634,12 +635,15 @@ fn submit_registration(
     let attestation_store = Arc::new(RegistryAttestationStorage::new(repo_path));
     let attestation_source: Arc<dyn AttestationSource + Send + Sync> = attestation_store;
 
+    let registry_client = HttpRegistryClient::new();
+
     match rt.block_on(auths_sdk::registration::register_identity(
         identity_storage,
         backend,
         attestation_source,
         registry_url,
         proof_url,
+        &registry_client,
     )) {
         Ok(outcome) => {
             out.print_success(&format!("Identity registered at {}", outcome.registry));

diff --git a/crates/auths-cli/src/errors/cli_error.rs b/crates/auths-cli/src/errors/cli_error.rs
@@ -1,7 +1,6 @@
 //! Typed CLI error variants with actionable help text.
 
 /// Structured CLI errors with built-in suggestion and documentation links.
-#[allow(dead_code)]
 #[derive(thiserror::Error, Debug)]
 pub enum CliError {
     #[error("key rotation failed — no pre-rotation commitment found")]

diff --git a/crates/auths-core/src/ports/network.rs b/crates/auths-core/src/ports/network.rs
@@ -250,6 +250,18 @@ pub trait WitnessClient: Send + Sync {
     ) -> impl Future<Output = Result<Vec<Vec<u8>>, NetworkError>> + Send;
 }
 
+/// Response from a registry POST operation.
+///
+/// Carries the HTTP status code and body so callers can dispatch on
+/// status-specific business logic (e.g., 201 Created vs. 409 Conflict).
+#[derive(Debug)]
+pub struct RegistryResponse {
+    /// HTTP status code.
+    pub status: u16,
+    /// Response body bytes.
+    pub body: Vec<u8>,
+}
+
 /// Fetches and pushes data to a remote registry service.
 ///
 /// Implementations handle the transport protocol (e.g., HTTP, gRPC).
@@ -297,4 +309,27 @@ pub trait RegistryClient: Send + Sync {
         path: &str,
         data: &[u8],
     ) -> impl Future<Output = Result<(), NetworkError>> + Send;
+
+    /// POSTs a JSON payload to a registry endpoint and returns the raw response.
+    ///
+    /// Args:
+    /// * `registry_url`: Base URL of the registry service.
+    /// * `path`: The logical path within the registry (e.g., `"v1/identities"`).
+    /// * `json_body`: Serialized JSON bytes to send as the request body.
+    ///
+    /// Usage:
+    /// ```ignore
+    /// let resp = client.post_json("https://registry.example.com", "v1/identities", &body).await?;
+    /// match resp.status {
+    ///     201 => { /* success */ }
+    ///     409 => { /* conflict */ }
+    ///     _ => { /* error */ }
+    /// }
+    /// ```
+    fn post_json(
+        &self,
+        registry_url: &str,
+        path: &str,
+        json_body: &[u8],
+    ) -> impl Future<Output = Result<RegistryResponse, NetworkError>> + Send;
 }
diff --git a/crates/auths-core/src/storage/android_keystore.rs b/crates/auths-core/src/storage/android_keystore.rs
@@ -20,7 +20,7 @@ use crate::storage::keychain::{IdentityDID, KeyAlias, KeyStorage};
 /// - Ed25519 support (with P-256 fallback and conversion layer)
 ///
 pub struct AndroidKeystoreStorage {
-    #[allow(dead_code)]
+    #[allow(dead_code)] // stub platform impl — field required for API parity
     service_name: String,
 }
 

diff --git a/crates/auths-core/src/storage/linux_secret_service.rs b/crates/auths-core/src/storage/linux_secret_service.rs
@@ -91,22 +91,6 @@ impl LinuxSecretServiceStorage {
 
         Ok(collection)
     }
-
-    /// Build attributes map for a key.
-    #[allow(dead_code)]
-    fn build_attributes<'a>(
-        &'a self,
-        alias: &'a str,
-        identity_did: Option<&'a str>,
-    ) -> HashMap<&'a str, &'a str> {
-        let mut attrs = HashMap::new();
-        attrs.insert(ATTR_SERVICE, self.service_name.as_str());
-        attrs.insert(ATTR_ALIAS, alias);
-        if let Some(did) = identity_did {
-            attrs.insert(ATTR_IDENTITY, did);
-        }
-        attrs
-    }
 }
 
 impl KeyStorage for LinuxSecretServiceStorage {
@@ -357,30 +341,6 @@ impl KeyStorage for LinuxSecretServiceStorage {
 mod tests {
     use super::*;
 
-    #[test]
-    fn test_build_attributes() {
-        let storage = LinuxSecretServiceStorage {
-            service_name: "test.service".to_string(),
-        };
-
-        let attrs = storage.build_attributes("my-alias", Some("did:keri:test"));
-        assert_eq!(attrs.get(ATTR_SERVICE), Some(&"test.service"));
-        assert_eq!(attrs.get(ATTR_ALIAS), Some(&"my-alias"));
-        assert_eq!(attrs.get(ATTR_IDENTITY), Some(&"did:keri:test"));
-    }
-
-    #[test]
-    fn test_build_attributes_without_identity() {
-        let storage = LinuxSecretServiceStorage {
-            service_name: "test.service".to_string(),
-        };
-
-        let attrs = storage.build_attributes("my-alias", None);
-        assert_eq!(attrs.get(ATTR_SERVICE), Some(&"test.service"));
-        assert_eq!(attrs.get(ATTR_ALIAS), Some(&"my-alias"));
-        assert!(!attrs.contains_key(ATTR_IDENTITY));
-    }
-
     #[test]
     fn test_backend_name() {
         let storage = LinuxSecretServiceStorage {

diff --git a/crates/auths-core/src/witness/receipt.rs b/crates/auths-core/src/witness/receipt.rs
@@ -212,35 +212,6 @@ impl ReceiptBuilder {
     }
 }
 
-/// The signing payload for agent commit receipts.
-///
-/// Signs tree hash + parent hashes to avoid the chicken-and-egg problem
-/// where embedding a receipt in the commit message would change the commit hash.
-#[allow(dead_code)]
-#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
-pub struct CommitReceiptPayload {
-    /// Git tree object hash (20 bytes).
-    pub tree_hash: Vec<u8>,
-    /// Parent commit hashes (20 bytes each).
-    pub parent_hashes: Vec<Vec<u8>>,
-}
-
-#[allow(dead_code)]
-impl CommitReceiptPayload {
-    /// Produce deterministic bytes for signing.
-    ///
-    /// Format: `tree_hash || num_parents (4 bytes LE) || parent_1 || parent_2 || ...`
-    pub fn signing_bytes(&self) -> Vec<u8> {
-        let mut buf = Vec::with_capacity(20 + 4 + self.parent_hashes.len() * 20);
-        buf.extend_from_slice(&self.tree_hash);
-        buf.extend_from_slice(&(self.parent_hashes.len() as u32).to_le_bytes());
-        for parent in &self.parent_hashes {
-            buf.extend_from_slice(parent);
-        }
-        buf
-    }
-}
-
 impl From<Receipt> for auths_verifier::witness::WitnessReceipt {
     fn from(r: Receipt) -> Self {
         Self {
@@ -407,29 +378,4 @@ mod tests {
         let result = Receipt::from_trailer_value(&encoded);
         assert!(result.is_err());
     }
-
-    #[test]
-    fn commit_receipt_payload_signing_bytes_deterministic() {
-        let payload = CommitReceiptPayload {
-            tree_hash: vec![0xaa; 20],
-            parent_hashes: vec![vec![0xbb; 20], vec![0xcc; 20]],
-        };
-        let bytes1 = payload.signing_bytes();
-        let bytes2 = payload.signing_bytes();
-        assert_eq!(bytes1, bytes2);
-        // 20 (tree) + 4 (count) + 40 (2 parents)
-        assert_eq!(bytes1.len(), 64);
-    }
-
-    #[test]
-    fn commit_receipt_payload_no_parents() {
-        let payload = CommitReceiptPayload {
-            tree_hash: vec![0xaa; 20],
-            parent_hashes: vec![],
-        };
-        let bytes = payload.signing_bytes();
-        assert_eq!(bytes.len(), 24); // 20 + 4
-        // num_parents should be 0
-        assert_eq!(&bytes[20..24], &[0, 0, 0, 0]);
-    }
 }
diff --git a/crates/auths-core/src/witness/server.rs b/crates/auths-core/src/witness/server.rs
@@ -265,7 +265,7 @@ pub async fn run_server(state: WitnessServerState, addr: SocketAddr) -> Result<(
 /// For production deployments behind a reverse proxy, prefer [`run_server`] and terminate
 /// TLS at the proxy layer instead.
 #[cfg(feature = "tls")]
-#[allow(dead_code)]
+#[allow(dead_code)] // feature-gated public API — available when tls feature is enabled
 pub async fn run_server_tls(
     state: WitnessServerState,
     addr: SocketAddr,
@@ -634,27 +634,6 @@ mod tests {
         event
     }
 
-    /// Build a valid non-inception event (rotation) with proper SAID.
-    #[allow(dead_code)]
-    fn make_valid_rot_event(prefix: &str, seq: u64, prior_said: &str) -> serde_json::Value {
-        let mut event = serde_json::json!({
-            "v": "KERI10JSON000000_",
-            "t": "rot",
-            "d": "",
-            "i": prefix,
-            "s": seq,
-            "p": prior_said
-        });
-
-        // Compute SAID
-        let said_payload = serde_json::to_vec(&event).unwrap();
-        event["d"] = serde_json::Value::String(
-            crate::crypto::said::compute_said(&said_payload).into_inner(),
-        );
-
-        event
-    }
-
     #[tokio::test(flavor = "multi_thread")]
     async fn health_endpoint() {
         let state = test_state();

diff --git a/crates/auths-crypto/Cargo.toml b/crates/auths-crypto/Cargo.toml
@@ -5,6 +5,8 @@ edition = "2024"
 publish = true
 license.workspace = true
 description = "Cryptographic primitives for Auths: KERI key parsing and DID:key encoding"
+keywords = ["cryptography", "ed25519", "did", "verification", "signing"]
+categories = ["cryptography"]
 
 [features]
 default = ["native"]

diff --git a/crates/auths-id/tests/cases/mod.rs b/crates/auths-id/tests/cases/mod.rs
@@ -1,6 +1,7 @@
 mod concurrent_writes;
 mod keri;
 mod lifecycle;
+mod proptest_keri;
 mod recovery;
 mod registry_contract;
 mod rotation_edge_cases;