Skip to content

Commit 996740c

Browse files
committed
Document the unified CLI surface and supported algorithms
1 parent fc7dccf commit 996740c

1 file changed

Lines changed: 57 additions & 8 deletions

File tree

README.md

Lines changed: 57 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -68,20 +68,69 @@ newgrp plugdev
6868
```
6969

7070
### 3. Run the Authenticator
71-
Launch the virtual authenticator in the foreground. It will automatically handle WebAuthn requests from your browser!
71+
Launch the virtual authenticator in the foreground. It will automatically
72+
handle WebAuthn requests from your browser:
7273

7374
```bash
74-
RUST_LOG=info cargo run -p pc-hid-runner -- start --foreground
75+
RUST_LOG=info cargo run -p pc-hid-runner -- attach --foreground
7576
```
7677

78+
`attach` and `detach` are the new primary verbs; the legacy `start` and
79+
`stop` aliases continue to work.
80+
81+
---
82+
83+
## CLI Reference
84+
85+
The `pc-hid-runner` binary is the single management tool. Every subcommand
86+
takes an optional `--state-dir <path>` (defaults to
87+
`$XDG_DATA_HOME/feitian-mldsa-authenticator`).
88+
89+
### Lifecycle
90+
91+
| Command | Purpose |
92+
|---------|---------|
93+
| `pc-hid-runner attach [--foreground]` | Start the daemon and expose the virtual security key |
94+
| `pc-hid-runner detach` | Stop a running daemon and remove the virtual device |
95+
| `pc-hid-runner status` | Report whether the daemon is currently running |
96+
| `pc-hid-runner reset [--yes]` | Wipe all credentials and PIN state (daemon must be detached) |
97+
98+
### PIN management
99+
100+
`pin` subcommands must be run with the daemon detached; the daemon reloads
101+
the persisted PIN state on its next `attach`.
102+
103+
| Command | Purpose |
104+
|---------|---------|
105+
| `pc-hid-runner pin status` | Show whether a PIN is set, retries remaining, and blocked state |
106+
| `pc-hid-runner pin set [--pin <PIN>]` | Set a new PIN on a PIN-less device |
107+
| `pc-hid-runner pin change [--current <PIN> --new <PIN>]` | Change the existing PIN |
108+
| `pc-hid-runner pin remove [--current <PIN>]` | Remove the PIN entirely |
109+
110+
When `--pin` / `--current` / `--new` are omitted, the CLI reads the values
111+
interactively from stdin.
112+
113+
### Attach-time flags
114+
115+
| Flag | Purpose |
116+
|------|---------|
117+
| `--foreground` | Run in the foreground (useful for systemd integration) |
118+
| `--manual-user-presence` | Require manual approval rather than auto-approving user presence |
119+
| `--suppress-attestation` | Hide attestation certificates for privacy testing |
120+
77121
---
78122

79-
## Configuration Options
123+
## Supported Algorithms
80124

81-
When running the `pc-hid-runner`, you can append several useful flags to customize its behavior:
125+
The authenticator advertises all of the following COSE algorithms in
126+
`authenticatorGetInfo` and will register and assert credentials against any
127+
of them:
82128

83-
* `--manual-user-presence` : Require manual approval when a site requests user presence (default is auto-approve).
84-
* `--state-dir <path>` : Change where the authenticator saves its internal state and credentials (defaults to `$XDG_DATA_HOME/feitian-mldsa-authenticator`).
85-
* `--suppress-attestation` : Hide attestation certificates for privacy testing.
129+
* `ES256` (-7) — classical NIST P-256 ECDSA
130+
* `ML-DSA-44` (-48) — post-quantum, NIST level 2
131+
* `ML-DSA-65` (-49) — post-quantum, NIST level 3
132+
* `ML-DSA-87` (-50) — post-quantum, NIST level 5
86133

87-
*Note: Omit the `--foreground` flag to run the authenticator quietly as a background daemon. You can manage a daemonized instance using the `status` and `stop` subcommands.*
134+
PIN/UV uses the standard CTAP2.1 protocols (1 and 2). The authenticator
135+
also handles `authenticatorReset` (CTAP command 0x07) so credentials can be
136+
wiped over the wire if needed.

0 commit comments

Comments
 (0)