feat: argon2id memory-hard PoW, key rotation with chain continuity, pre-rotation commitments

Add Argon2id proof-of-work with SHA-256 pre-filter (12-bit) for
GPU-farm resistance. Three server-assigned presets (light/standard/
hardened) with bounded verification concurrency via semaphore.

Implement rotation_chain_id (SHA-256 of first public key) linking
successive DIDs across key rotations. Trust scores, rate limits,
and fingerprints follow the chain, not individual DIDs. First-write-
wins prevents fork attacks on the rotation endpoint.

Add KERI-inspired pre-rotation commitment: agents commit SHA-256 of
their next public key before rotation. Mandatory from Tier 1, with
72-hour update lockout to prevent attacker overwrite.

New endpoints: POST /rotate-key, POST /pre-commit-key.
New package: airlock/rotation/ (chain registry + precommit).
68 new tests (601 → 669 total).

Author: shivdeep1

airlock/config.py

@@ -130,6 +130,13 @@ class AirlockConfig(BaseSettings):
     pow_ttl_seconds: int = Field(default=120, ge=30, le=600)
     pow_difficulty_new_did: int = Field(default=22, ge=1, le=32)
 
+    # Argon2id memory-hard PoW (replaces SHA-256 when enabled)
+    pow_algorithm: str = "sha256"  # "sha256" or "argon2id"
+    pow_argon2id_preset: str = "standard"  # "light", "standard", "hardened"
+    pow_argon2id_pre_filter_bits: int = Field(default=12, ge=4, le=24)
+    pow_argon2id_max_concurrent: int = Field(default=8, ge=1, le=64)
+    pow_argon2id_verify_timeout_seconds: float = Field(default=10.0, ge=1.0, le=60.0)
+
     # -----------------------------------------------------------------------
     # Privacy mode
     # -----------------------------------------------------------------------
@@ -163,6 +170,16 @@ class AirlockConfig(BaseSettings):
     # Falls back to gateway_seed_hex if empty.
     crl_signing_key_hex: str = ""
 
+    # -----------------------------------------------------------------------
+    # Key Rotation
+    # -----------------------------------------------------------------------
+    key_rotation_enabled: bool = False
+    key_rotation_grace_seconds: int = Field(default=60, ge=0, le=300)
+    key_rotation_max_per_24h: int = Field(default=3, ge=1, le=10)
+    key_rotation_trust_penalty: float = Field(default=0.02, ge=0.0, le=0.1)
+    pre_rotation_required_tier: int = Field(default=1, ge=0, le=3)  # TrustTier value
+    pre_rotation_update_lockout_hours: int = Field(default=72, ge=1, le=720)
+
     # Event bus drain timeout during shutdown (seconds).
     event_bus_drain_timeout_seconds: float = Field(default=30.0, ge=1.0, le=600.0)
 

airlock/gateway/app.py

@@ -29,6 +29,8 @@
 from airlock.gateway.startup_validate import AirlockStartupError, validate_startup_config
 from airlock.registry.agent_store import AgentRegistryStore
 from airlock.reputation.store import ReputationStore
+from airlock.rotation.chain import RotationChainRegistry
+from airlock.rotation.precommit import PreRotationCommitment
 
 logger = logging.getLogger(__name__)
 
@@ -49,6 +51,17 @@ async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
         except AirlockStartupError as exc:
             logger.error("Startup aborted: %s", exc)
             raise
+
+        # Argon2id fail-fast: production + argon2id enabled requires argon2-cffi
+        if cfg.is_production and cfg.pow_algorithm == "argon2id":
+            from airlock.pow import argon2_available
+
+            if not argon2_available():
+                raise RuntimeError(
+                    "pow_algorithm is 'argon2id' but argon2-cffi is not installed. "
+                    "Install with: pip install argon2-cffi"
+                )
+
         configure_airlock_logging(log_json=cfg.log_json, log_level=cfg.log_level)
         app.state.started_at_monotonic = time.monotonic()
         app.state.shutting_down = False
@@ -189,6 +202,19 @@ async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
         app.state.pow_challenges: dict[str, Any] = {}
         app.state.redis_client = redis_client
 
+        # Key rotation (behind feature flag)
+        if cfg.key_rotation_enabled:
+            app.state.chain_registry = RotationChainRegistry()
+            app.state.precommit_store: dict[str, PreRotationCommitment] = {}
+        else:
+            app.state.chain_registry = None
+            app.state.precommit_store = {}
+
+        # Argon2id bounded verification worker pool
+        import asyncio as _asyncio
+
+        app.state.argon2id_semaphore = _asyncio.Semaphore(cfg.pow_argon2id_max_concurrent)
+
         registry_url = (cfg.default_registry_url or "").strip().rstrip("/")
         if registry_url:
             app.state.registry_http_client = httpx.AsyncClient(