The actor in a crossing. Metadata only — keys live in storage at :pki:keys:{id}. The identity carries the id; the storage holds the key material.
class Identity
  attr_reader :id, :name, :roles, :type, :code_version, :token, :scopes
end
"adapter:http", "boundary:echo", "engine:seal", "alice"). This is also the PKI key name — :pki:keys:{id} is where the keypair lives.
:human, :service, :boundary).
Query methods: human?, service?, scope?(:name).
claims returns a JWT-ready hash. to_h is an alias for claims.
Identity is metadata only. No public_key, no private_key fields. The id IS the reference — Activities::PKI.sign(storage, identity.id, payload) looks up the keypair at :pki:keys:{id}. Multiple runtimes can share an identity metadata struct while the actual key material varies by storage mount (dev uses in-memory, prod uses SSM-provisioned, etc.).
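The separation described above, as an added sketch that is not wanderland-core's own code: DemoIdentity, DemoPKI and the two Hash mounts are hypothetical stand-ins, and RSA-2048 with SHA-256 is an assumed algorithm. It shows that the same identity metadata verifies only against the storage mount that holds the signing key, and that a missing key fails closed.

```ruby
require "openssl"

# Hypothetical stand-ins, not wanderland-core classes.
DemoIdentity = Struct.new(:id, :type, :scopes, keyword_init: true)

module DemoPKI
  # Path convention from the page: :pki:keys:{id}
  def self.key_path(id)
    ":pki:keys:#{id}"
  end

  # Assumption: RSA-2048 keys; the page does not name an algorithm.
  def self.provision(storage, id)
    storage[key_path(id)] = OpenSSL::PKey::RSA.new(2048)
  end

  # The caller passes only the id; key material never leaves storage.
  def self.sign(storage, id, payload)
    key = storage.fetch(key_path(id)) { raise KeyError, "no key for #{id}" }
    key.sign(OpenSSL::Digest.new("SHA256"), payload)
  end

  # Fail closed: a missing key or a bad signature is simply "not verified".
  def self.verify(storage, id, payload, signature)
    key = storage[key_path(id)]
    return false unless key
    key.verify(OpenSSL::Digest.new("SHA256"), signature, payload)
  rescue OpenSSL::PKey::PKeyError
    false
  end
end

def demo
  identity = DemoIdentity.new(id: "adapter:http", type: :service, scopes: [:echo])
  dev = {}   # constructed in-memory mount
  prod = {}  # constructed stand-in for a separately provisioned mount
  [dev, prod].each { |mount| DemoPKI.provision(mount, identity.id) }
  payload = "constructed crossing payload"
  sig = DemoPKI.sign(dev, identity.id, payload)
  {
    same_mount: DemoPKI.verify(dev, identity.id, payload, sig),
    other_mount: DemoPKI.verify(prod, identity.id, payload, sig),
    tampered: DemoPKI.verify(dev, identity.id, payload + "!", sig),
    unknown_id: DemoPKI.verify(dev, "alice", payload, sig)
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

A signature produced against one mount is rejected by another mount holding a different key under the same id, so records signed in one environment cannot be verified in the other unless the key is shared.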
identity: keyword on the DSL. The Crossing struct unpacks effective_identity(reg) into the from_addr field on every emitted record.
from_addr is the producing identity's id. Queries like context.by_identity("adapter:http") filter by this value.
authorize(identity:, requires:) checks the identity's scopes against the boundary's requirements.
IDP::YamlStore loads identities from YAML and provisions their keys into storage (:pki:keys:{id}). Mock OIDC, same claims shape.
id is the PKI key name. Activities::PKI.sign(storage, id, payload) signs as that identity.
Crossing#sign(storage) uses the boundary's identity id to sign; Crossing#verified? verifies against the same.
wanderland-core/lib/wanderland/identity.rb
wanderland.dev