open#9 Add trust mode gate to AppView-dependent commands
open#10 Add ledger command for local grant management with PDS verification
open#11 Add config command with get and set subcommands
open#12 Add trust_mode config field with standard and zero-trust options
Comments — 1
sablenote 2026-03-02 23:37
Zero-Trust Mode Design Spec
Trust Model
Opake has two trust modes controlled by an explicit config field:
standard (default): AppView enabled. inbox command queries AppView for grant discovery. Requires appview_url in config.
zero-trust: No AppView dependency. All discovery is manual via the ledger command. Only direct PDS operations are used.
Config Field
trust_mode: "standard" | "zero-trust" — explicit field in config.toml, not derived from appview_url presence. This lets users have an AppView URL configured but choose not to use it.
Grant Verification
Both inbox (standard) and ledger (both modes) verify grants against the source PDS on open. Each grant URI is checked via getRecord against the owner's PDS. Dead/revoked grants are marked as such in the display.
Content Key Stability
Design assumes content keys are reused across file updates (same AES-256-GCM key, new nonce per version). This means grants are durable across file updates — a grant URI remains valid as long as the grant record exists on the owner's PDS. This is what makes the ledger useful as a persistent bookmark.
Error UX
Commands that require AppView (e.g. inbox) show a helpful error in zero-trust mode: explain what's unavailable and suggest the alternative (ledger command, download --grant).
No Grant Caching
No local crypto cache. The ledger stores grant URIs as bookmarks, not wrapped keys or grant metadata. Verification is always live against the source PDS.
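The gate and the live ledger check described in this spec, as an added example in Python; it is not Opake's own code. The field names trust_mode and appview_url and the getRecord endpoint are taken from the spec and ATProto; the minimal config reader, the grant collection NSID, the PDS resolver and the fetcher are stand-ins so the block runs offline.

```python
# Added example: trust-mode gate plus live ledger verification against the owner's PDS.
# Config keys follow the spec; the TOML reader, grant NSID and fetcher are stand-ins.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import urlencode

class TrustMode(str, Enum):
    STANDARD = "standard"
    ZERO_TRUST = "zero-trust"

class ConfigError(ValueError):
    pass

class AppViewUnavailable(RuntimeError):
    """Raised when an AppView-dependent command runs in zero-trust mode."""

@dataclass
class Config:
    trust_mode: TrustMode = TrustMode.STANDARD
    appview_url: Optional[str] = None

def parse_config(text: str) -> Config:
    """Minimal `key = "value"` reader for the two fields the spec names (stand-in for a TOML loader)."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        values[key.strip()] = raw.strip().strip('"')
    try:
        mode = TrustMode(values.get("trust_mode", "standard"))
    except ValueError:
        raise ConfigError(f"trust_mode must be 'standard' or 'zero-trust', got {values['trust_mode']!r}")
    cfg = Config(trust_mode=mode, appview_url=values.get("appview_url"))
    if cfg.trust_mode is TrustMode.STANDARD and not cfg.appview_url:
        raise ConfigError("standard mode requires appview_url in config.toml")
    return cfg

def require_appview(cfg: Config, command: str) -> str:
    """Gate for AppView-dependent commands: the decision is the explicit trust_mode,
    so an appview_url that is configured but unused never re-enables the AppView."""
    if cfg.trust_mode is TrustMode.ZERO_TRUST:
        raise AppViewUnavailable(
            f"'{command}' needs the AppView, which is disabled in zero-trust mode. "
            "Manage grants you received out-of-band with 'ledger', "
            "or fetch directly from the owner's PDS with 'download --grant'."
        )
    if not cfg.appview_url:
        raise ConfigError("standard mode requires appview_url in config.toml")
    return cfg.appview_url

@dataclass(frozen=True)
class GrantRef:
    did: str
    collection: str
    rkey: str

def parse_at_uri(uri: str) -> GrantRef:
    """at://<did>/<collection>/<rkey>; anything else is a malformed bookmark."""
    if not uri.startswith("at://"):
        raise ValueError(uri)
    parts = uri[len("at://"):].split("/")
    if len(parts) != 3 or not all(parts) or not parts[0].startswith("did:"):
        raise ValueError(uri)
    return GrantRef(*parts)

def get_record_url(pds_base: str, ref: GrantRef) -> str:
    """com.atproto.repo.getRecord query for the grant record on the owner's PDS."""
    query = urlencode({"repo": ref.did, "collection": ref.collection, "rkey": ref.rkey})
    return f"{pds_base.rstrip('/')}/xrpc/com.atproto.repo.getRecord?{query}"

# A fetcher returns the record JSON, or None when the PDS reports the record is gone
# (RecordNotFound). It is injected so the check can run offline in this example.
Fetcher = Callable[[str], Optional[dict]]

def verify_ledger(uris: Iterable[str], resolve_pds: Callable[[str], str],
                  fetch: Fetcher) -> List[Tuple[str, str]]:
    """Live verification on open: every bookmark is re-checked against the source PDS;
    nothing about the grant is cached locally. Returns (uri, status) pairs for display."""
    out = []
    for uri in uris:
        try:
            ref = parse_at_uri(uri)
        except ValueError:
            out.append((uri, "malformed"))
            continue
        record = fetch(get_record_url(resolve_pds(ref.did), ref))
        out.append((uri, "live" if record is not None else "dead/revoked"))
    return out

# Constructed sample data: one owner PDS still holding one grant; the other grant was deleted.
GRANT_NSID = "example.opake.grant"  # placeholder collection name, not Opake's real NSID
_PDS_OF = {"did:plc:owner1": "https://pds.example"}
_RECORDS = {
    get_record_url("https://pds.example", GrantRef("did:plc:owner1", GRANT_NSID, "3kabc")): {"grantee": "did:plc:reader"},
}

def fake_fetch(url: str) -> Optional[dict]:
    return _RECORDS.get(url)

SAMPLE_LEDGER = [
    f"at://did:plc:owner1/{GRANT_NSID}/3kabc",   # still on the owner's PDS
    f"at://did:plc:owner1/{GRANT_NSID}/3kdead",  # revoked: record deleted
    "https://not-an-at-uri",                      # bad bookmark entry
]

if __name__ == "__main__":
    for uri, status in verify_ledger(SAMPLE_LEDGER, _PDS_OF.__getitem__, fake_fetch):
        print(f"{status:13} {uri}")
```

The gate deliberately ignores appview_url when deciding, which is the spec's point that a URL may be configured yet unused; the ledger holds nothing but URIs, so a revoked grant shows up as dead on the next open rather than being served from a stale local copy.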