Description
Problem
When initializing a new repository with auths id create and then trying to link a device, there is no working single-machine path. The identity gets created but has zero active devices, making it unusable for signing.
Steps to reproduce
# 1. Create identity in a new repo — works
auths id create \
--metadata-file meta.json \
--local-key-alias capsec-main \
--repo /path/to/my-repo
# 2. Check devices — none
auths device list --repo /path/to/my-repo
# "No active devices."
# 3. Try to link a device — requires device-did, which you don't have yet
auths device link --identity-key-alias capsec-main --device-key-alias ??? --device-did ???
# Chicken-and-egg: you need a device DID to link, but the device doesn't exist yet
# 4. Try pairing instead — server fails to start
auths device pair --repo /path/to/my-repo
# Starts a local server on a random port, but:
curl http://192.168.0.48:56230/health
# "Failed to connect to server"
# 5. Result: identity exists, zero devices, can't sign anything
Root cause
auths id create creates the identity (KERI inception event) but does not automatically link the device that just created the key. The key material is in the local keychain under the alias, but no device authorization is written to the repo.
auths device link requires --device-did as a mandatory argument, but on a fresh single-machine setup there is no device DID yet — the identity was just created. This is a chicken-and-egg problem.
auths device pair is designed for cross-device pairing (QR code / short code between two machines) and doesn't work for the single-machine case where you just want to authorize the device that created the identity.
Expected behavior
auths id create should automatically link the creating device, or there should be a simple command to do so:
# Option A: id create auto-links the device
auths id create --metadata-file meta.json --local-key-alias main --repo .
# Identity created: did:keri:E...
# Device linked: did:key:z6Mk...
# 1 active device
# Option B: a dedicated self-link command
auths device link-self --identity-key-alias main --repo .
# Device linked: did:key:z6Mk...
Either way, after creating an identity, you should be able to immediately sign commits without a second machine or a pairing dance.
Workaround
Copy allowed_signers from another repo where the device is already linked:
cp /path/to/other-repo/.auths/allowed_signers /path/to/new-repo/.auths/allowed_signers
This works because the device key is the same (same machine, same keychain), but it shouldn't be necessary.
Impact
This blocks single-developer adoption. The most common onboarding flow — cargo install auths && auths id create && git commit — doesn't work without manual workarounds. The verify-commits GitHub Action will fail because no device is authorized to sign.