Reggie uses Ed25519 keys throughout. Every entry is signed; every identity is rooted in a key chain.
Where keys live
| Location | What lives there |
|---|---|
| `~/.config/reggie/config.toml` | Active identity DID + 32-byte secret seed (mode 0600 on Unix) |
| Sigil chain | Public verifying keys for HMR / MHR / ENR records |
| Entry payload | Per-entry signature over JCS-canonicalized content |
Derivation
For each entry, a per-entry signing key is derived from your identity using HKDF-SHA256:
```
entry_key = HKDF-SHA256(
    ikm  = identity_secret,
    info = "<namespace>/<kind>/<name>",
    salt = b"oas-lineage-v1",
)
```
This means a single identity can sign an unlimited number of entries without ever exposing the root key.
Rotation
To rotate a key for an existing entry without breaking lineage:
```
reggie rotate l1fe/agent/web-research
```
Reggie:
- Derives a new key from your active identity (different `info`).
- Signs a rotation record with the old key, naming the new public key.
- Anchors the rotation on Sigil so lineage verifiers can still trust the chain.
Future versions of the entry use the new key. Old versions stay verifiable forever.