dokugent certify
Certifies a previously previewed agent by bundling verified files into a signed, timestamped output. This is the final checkpoint before deployment or publishing.
What It Does
- Locates .dokugent/ops/previews/<agent>/latest output
- Copies and renames files into a .dokugent/certified/<version>/ folder
- Generates SHA256 digests for certification
- Writes metadata and logs:
  - *.cert.json
  - *.cert.sha256
  - certify@*.log (saved under .dokugent/ops/logs/certified/<agent>/)
- Updates symlink: certified/latest
Behavior Overview
- Resolves latest preview and parses agent name from specs
- Checks .dokugent/keys/<agent>.private.pem for signing eligibility
- Flattens files into readable, cert-friendly naming:
- Applies SHA256 digests (no public/private key signing yet)
- Summarizes certified state in:
{
"agentId": "happybot",
"signingKeyVersion": "carmel",
"sha256": "72551f33...",
"timestamp": "2025-05-24_19-15-55-492",
"path": ".dokugent/ops/certified/happybot/happybot@2025-05-24_19-15-55-492.cert.json"
}
- Certification validity:
  - Default duration: 180 days
  - Configurable via CLI flag: --length
  - Valid options: 30, 90, 180, 365 (days)
  - Certificate is considered expired once the duration lapses from validFrom
Output Folder Structure
.dokugent/ops/certified/happybot/
├── happybot@2025-05-24_19-15-55-492.cert.json
├── happybot@2025-05-24_19-15-55-492.cert.sha256
└── certify@2025-05-24_19-15-55-492.log
.dokugent/ops/logs/certified/happybot
└── certify@2025-05-24_19-15-55-492.log
Also:
Output Locks
All certified files are set to read-only (chmod 444) to preserve integrity. This ensures artifacts can be inspected or verified without accidental mutation. Certified outputs now include a SHA256 checksum and signing identity metadata, including signingKeyVersion, for tamper-evidence, agent traceability, and trust.
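A consumer-side check of the three properties described on this page (SHA256 digest, read-only mode, validity window), as an added example that is not Dokugent's own code. It assumes the .cert.sha256 file begins with the hex digest of the .cert.json bytes and that validFrom uses the same timestamp format as the file names, read as UTC; audit, expires_at and write_sample are hypothetical helper names, and the sample files are constructed.

```python
from __future__ import annotations
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

ALLOWED_LENGTHS = (30, 90, 180, 365)  # --length options listed on this page
TS_FORMAT = "%Y-%m-%d_%H-%M-%S-%f"    # e.g. 2025-05-24_19-15-55-492

def expires_at(valid_from: str, length_days: int = 180) -> datetime:
    """Assumes validFrom uses the page's timestamp format, read as UTC."""
    if length_days not in ALLOWED_LENGTHS:
        raise ValueError(f"unsupported length: {length_days}")
    start = datetime.strptime(valid_from, TS_FORMAT).replace(tzinfo=timezone.utc)
    return start + timedelta(days=length_days)

def audit(cert: Path, digest_file: Path, valid_from: str,
          length_days: int = 180, now: datetime | None = None) -> list[str]:
    """Return findings for one certified artifact; an empty list means clean."""
    findings = []
    # Assumption: the .cert.sha256 file starts with the hex digest of the
    # .cert.json bytes; the page does not specify the file layout.
    recorded = (digest_file.read_text().split() or [""])[0].lower()
    if recorded != hashlib.sha256(cert.read_bytes()).hexdigest():
        findings.append("digest-mismatch")
    for path in (cert, digest_file):  # chmod 444 leaves no write bit set
        if stat.S_IMODE(os.stat(path).st_mode) & 0o222:
            findings.append(f"writable:{path.name}")
    if (now or datetime.now(timezone.utc)) >= expires_at(valid_from, length_days):
        findings.append("expired")
    return findings

def write_sample(folder: Path, body: bytes = b'{"agentId": "happybot"}'):
    """Constructed cert/digest pair, locked read-only like certified output."""
    stem = folder / "happybot@2025-05-24_19-15-55-492"
    cert, digest_file = Path(f"{stem}.cert.json"), Path(f"{stem}.cert.sha256")
    cert.write_bytes(body)
    digest_file.write_text(hashlib.sha256(body).hexdigest() + "\n")
    for path in (cert, digest_file):
        os.chmod(path, 0o444)
    return cert, digest_file

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        pair = write_sample(Path(tmp))
        print(audit(*pair, "2025-05-24_19-15-55-492", now=datetime(2025, 6, 1, tzinfo=timezone.utc)))
```

Since the page notes there is no public/private key signing yet, a clean result shows that the file matches its recorded digest, not who produced it. Compare against a digest kept outside the certified folder when that distinction matters.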