feat: handle did:key → did:web DID transitions, prefer did:web derivation#66
Conversation
- Gracefully handle did:key ↔ did:web transitions during agent matching - Prefer did:web:<domain>:agents:<id> when deriving DID from stored keys - Add name-based filtering for agent resolution - Add _did_method() helper for DID method extraction
|
✅ Documentation validation passed!
|
|
✅ SDK server contract tests passed (test_server_integration.py). Cross-product scenarios are validated in capiscio-e2e-tests. |
There was a problem hiding this comment.
Pull request overview
Adds SDK-side support for the DID method upgrade path (did:key ↔ did:web) during agent identity recovery and local-key agent resolution, aiming to reduce reconnect friction when the server transitions DID formats.
Changes:
- Introduces
_did_method()and uses it to soften DID mismatches caused by DID method transitions during local key→agent matching. - Updates local key agent resolution to optionally filter by agent name when
self.nameis provided. - Adjusts
_init_identity()recovery from existing keys to prefer constructing adid:web:<domain>:agents:<agent_id>DID whenserver_urlandagent_idare available.
Comments suppressed due to low confidence (2)
capiscio_sdk/connect.py:616
- Same as above: in the directory-scan path, the mismatch handling will accept any DID-method change (not just did:key ↔ did:web). This broad acceptance can mask real identity mismatches; please constrain the allowed method transitions to the specific upgrade path (key<->web) and continue rejecting other method changes.
# did:key ↔ did:web transitions are expected when
# server upgrades DID method; agent_id already confirms identity.
if _did_method(local_did) != _did_method(server_did):
logger.debug(f"DID method transition for {agent_id}: {local_did} → {server_did}")
else:
logger.warning(f"DID mismatch for {agent_id}: local={local_did}, server={server_did}")
continue # Don't use mismatched agent
capiscio_sdk/connect.py:716
- Deriving
did:webfromurlparse(self.server_url).netloccan produce an invalid DID when the registry URL includes a port or credentials (e.g.http://localhost:8080yieldsdid:web:localhost:8080:..., but the port must be percent-encoded aslocalhost%3A8080). Useurlparse(...).hostnameandurlparse(...).portand percent-encode the:<port>when present (or reuse the existing DID helpers that already follow the did:web spec).
if self.server_url and self.agent_id:
try:
from urllib.parse import urlparse
domain = urlparse(self.server_url).netloc
if domain:
did = f"did:web:{domain}:agents:{self.agent_id}"
except Exception:
…tations - Add _is_did_transition() helper: only allow did:key ↔ did:web transitions - Update test_init_identity_uses_existing to expect did:web when server_url and agent_id are set
|
✅ Documentation validation passed!
|
|
✅ All checks passed! Ready for review. |
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
|
✅ SDK server contract tests passed (test_server_integration.py). Cross-product scenarios are validated in capiscio-e2e-tests. |
|
✅ Documentation validation passed!
|
|
✅ All checks passed! Ready for review. |
|
✅ SDK server contract tests passed (test_server_integration.py). Cross-product scenarios are validated in capiscio-e2e-tests. |
|
✅ Documentation validation passed!
|
|
✅ All checks passed! Ready for review. |
|
✅ SDK server contract tests passed (test_server_integration.py). Cross-product scenarios are validated in capiscio-e2e-tests. |
Summary
SDK-side changes for the
did:key→did:webDID upgrade path.Changes
did:key↔did:webtransitions (logs at debug level instead of rejecting). This is expected when the server upgrades DID method;agent_idalready confirms identity.did:web:<domain>:agents:<id>overdid:keywhen server URL and agent ID are available.self.nameis specified, preventing mismatches in multi-agent environments._did_method()for clean DID method extraction.Related PRs
feat/jwk-didweb-support(did:web derivation in Go core)feat/jwk-didweb-support(VerifiedLevel cap)"