Using the Cipherclerk

The dregg cipherclerk manages your agent identity, capability tokens, and proof generation. It runs as a browser extension with all cryptographic operations happening locally -- your keys never leave your device.

Identity Management

Creating an Identity

A dregg identity is an Ed25519 keypair. The cipherclerk generates this from a 24-word BIP39 mnemonic using BLAKE3-based hierarchical derivation at path dregg/0. The mnemonic is your master backup -- store it securely offline.

Sub-agent Derivation

From a single mnemonic you can derive multiple agent identities. Each lives at a different path (dregg/1, dregg/2, etc.). This lets you run multiple agents with independent identities backed by a single recovery phrase.

Restoring a Cipherclerk

Enter your 24-word mnemonic and optional passphrase. The cipherclerk deterministically re-derives the same keypair at dregg/0 and any sub-agents you had.

Token Management

Viewing Held Tokens

The "Tokens" tab shows all capability tokens in your cipherclerk. Each displays:

Label -- Human-readable name (e.g., "root:dns")
Service -- Which service this token grants access to
Type -- Root (can forge new tokens) or Attenuated (restricted copy)
ID -- Unique identifier for lookup

Receiving Tokens

Other agents delegate tokens to you. When you receive a delegation, the cipherclerk validates it (structure, expiry, size limits) before adding it to your collection. Delegated tokens do NOT carry the root key -- you can further attenuate and present them, but cannot mint new root tokens.

Delegating Tokens

To delegate a token to another agent, select a token and choose "Delegate". You specify the recipient's public key and any additional restrictions. The resulting token is strictly weaker than what you hold.

Proof Generation

When a web page or application requests authorization, the cipherclerk generates a STARK proof locally. This is computationally intensive but fast (sub-second on modern hardware). The proof size is approximately 24 KiB.

For details on what each proof mode reveals to the verifier, see Privacy Modes.

Receipt Chain (State History)

Every action you take that modifies state produces a TurnReceipt. These receipts form a linked chain -- your verifiable history. You can export this chain and present it to any verifier without contacting a federation. IVC (Incrementally Verifiable Computation) compresses the entire chain to a constant-size proof.

Backup and Recovery

Mnemonic -- Recovers your identity and derived sub-agents.
Token export -- Tokens can be exported as encoded strings (em2_ prefix) and re-imported on another device.
Receipt chain -- Your state history is portable. Export it as a file to carry to another federation.

Your mnemonic phrase provides complete control over your identity and all derived sub-agents. Never share it. Never store it digitally unencrypted.