Spanda device and operator identity extends the audit DeviceIdentity model with trust metadata for
secure communication.
identity RoverIdentity {
id: "rover-001";
public_key: "...";
cert: "certs/rover-001.pem";
}
Required field: id. Optional: public_key, cert, trust.
identity OperatorConsole {
id: "operator-console";
trust: verified;
}
Trust tiers: untrusted, restricted, trusted, certified, verified.
identity.sign capabilityidentity.verify capabilityIdentity feeds spanda-audit provenance and security.* audit events. Device IDs appear in signed
envelopes; key material is never logged.
See also Secure communication and Trust boundaries.