chore: sync II spec to release-2026-06-15 with robust link rewriting

marc0olo · marc0olo · commit 697992af16db · 2026-06-16T14:11:55.000+02:00
Syncs the Internet Identity spec from dfinity/internet-identity release-2026-06-15 (pinned 18130689 → 1f4104b5): regenerates the two reference specs and the internet-identity.did interface (adds SSO credential migration types, DoH email-recovery additions, and message_id correlation). Also hardens the sync script's link rewriting. Upstream serves the same internal-page destinations under multiple URL forms (internetcomputer.org/docs/current/... and docs.internetcomputer.org/...), and the two source specs are not migrated in lockstep. The old hardcoded full-URL map silently stopped matching when vc-spec.md switched to the docs subdomain, and the validation regex only knew the path form, so the unrewritten absolute links would have shipped: - Normalize the volatile domain/prefix to a canonical path#fragment, then look up a shared PATH_MAP (encodes only the irregular split-doc anchors) - Validation now catches both URL forms, failing the build on any unmapped link instead of passing silently - Generate the adaptation-log comment from the rewrites actually applied Supersedes #294 (same release, blocked by the bot-PR policy after a human fix commit) and #290 (release-2026-06-05-hotfix; its content is a subset of 06-15).
diff --git a/.sources/VERSIONS b/.sources/VERSIONS
@@ -62,4 +62,4 @@ motoko-core           v2.4.0
 cdk-rs                ic-cdk v0.20.1 / ic-cdk-timers v1.0.0 / ic-cdk-executor v2.0.0  317f55c
 candid                2025-12-18  # candid v0.10.20, didc v0.5.4                2e4a2cf
 response-verification v3.1.0                                                    18c5a37
-internetidentity      release-2026-06-01                                         18130689
+internetidentity      release-2026-06-15                                         1f4104b5
diff --git a/.sources/internetidentity b/.sources/internetidentity
@@ -1 +1 @@
-Subproject commit 18130689eda68a3ec51af2aaa7ba13eb32e6568e
+Subproject commit 1f4104b53ddaecf745426769e895013168591b17
diff --git a/docs/references/internet-identity-spec.md b/docs/references/internet-identity-spec.md
@@ -718,16 +718,15 @@ On the flip side, implementing `canister_inspect_message` adds code, and thus a
 Therefore, the Internet Identity Canister intentionally does not implement `canister_inspect_message`.
 
 <!--
-Link replacements from source (source used absolute/relative paths pointing outside this site):
-  - internetcomputer.org [/docs]/current/references/ic-interface-spec#id-classes → ./ic-interface-spec/index.md#id-classes
-  - internetcomputer.org [/docs]/current/references/ic-interface-spec/#canister-signatures → ./ic-interface-spec/index.md#canister-signatures (×2)
-  - internetcomputer.org [/docs]/current/references/ic-interface-spec/#signatures → ./ic-interface-spec/index.md#signatures
-  - internetcomputer.org [/docs]/current/references/ic-interface-spec#authentication → ./ic-interface-spec/https-interface.md#authentication
-  - internetcomputer.org [/docs]/current/references/ic-interface-spec/#system-api-inspect-message → ./ic-interface-spec/canister-interface.md#system-api-inspect-message
-  - internetcomputer.org [/docs]/current/references/http-gateway-protocol-spec → ./http-gateway-protocol-spec.md
-  - internetcomputer.org [/docs]/current/developer-docs/web-apps/custom-domains/using-custom-domains → ../guides/frontends/custom-domains.md
-  - vc-spec.md (relative, same dir in source repo) → ./verifiable-credentials-spec.md
+Link replacements from source (absolute public-docs links rewritten to internal paths):
+  - developer-docs/web-apps/custom-domains/using-custom-domains → ../guides/frontends/custom-domains.md
+  - references/http-gateway-protocol-spec → ./http-gateway-protocol-spec.md
+  - references/ic-interface-spec#authentication → ./ic-interface-spec/https-interface.md#authentication
+  - references/ic-interface-spec#canister-signatures → ./ic-interface-spec/index.md#canister-signatures
+  - references/ic-interface-spec#id-classes → ./ic-interface-spec/index.md#id-classes
+  - references/ic-interface-spec#system-api-inspect-message → ./ic-interface-spec/canister-interface.md#system-api-inspect-message
 Other changes from source:
+  - `](vc-spec.md)` (relative, same dir in source repo) → `](./verifiable-credentials-spec.md)`
   - `# The Internet Identity Specification` H1 removed (Starlight renders frontmatter title as H1)
   - `<CodeBlock language="candid">{IICandidInterface}</CodeBlock>` replaced with download link to /references/internet-identity.did
   - Mermaid sequenceDiagram blocks converted to PlantUML (site uses remarkPlantUML, not Mermaid)
diff --git a/docs/references/verifiable-credentials-spec.md b/docs/references/verifiable-credentials-spec.md
@@ -407,9 +407,9 @@ Given the interactive nature of the flow, the relying party should not expect to
 The relying party may also close the II window after some timeout. The user should then be notified by the relying party that the flow failed.
 
 <!--
-Link replacements from source (source used absolute paths pointing to the retired portal):
-  - internetcomputer.org/docs/current/references/ii-spec#alternative-frontend-origins → ./internet-identity-spec.md#alternative-frontend-origins (×4)
-  - internetcomputer.org/docs/current/references/ic-interface-spec#canister-signatures → ./ic-interface-spec/index.md#canister-signatures
+Link replacements from source (absolute public-docs links rewritten to internal paths):
+  - references/ic-interface-spec#canister-signatures → ./ic-interface-spec/index.md#canister-signatures
+  - references/internet-identity-spec#alternative-frontend-origins → ./internet-identity-spec.md#alternative-frontend-origins
 Other changes from source:
   - `# II Verifiable Credential Spec (MVP)` H1 removed (Starlight renders frontmatter title as H1)
 -->
diff --git a/public/references/internet-identity.did b/public/references/internet-identity.did
@@ -246,6 +246,21 @@ type CaptchaConfig = record {
     };
 };
 
+// One entry of the `sso_credential_migration` backfill. Maps the
+// (iss, aud) pair of stored SSO credentials to the discovery domain (and
+// optional human-readable name) they were registered through. Field names
+// match the `discovered_oidc_configs` query output so the deployer can
+// transcribe its result field-for-field.
+type SsoCredentialMigrationEntry = record {
+    discovery_domain : text;
+    // Matches the stored credential's `iss`.
+    issuer : text;
+    // Matches the stored credential's `aud`.
+    client_id : text;
+    // Human-readable SSO label; stamped onto the credential's `sso_name`.
+    name : opt text;
+};
+
 // Init arguments of II which can be supplied on install and upgrade.
 //
 // Each field is wrapped is `opt` to indicate whether the field should
@@ -286,6 +301,15 @@ type InternetIdentityInit = record {
     // (production) or `beta.dfinity.org` (everything else), keyed off
     // `is_production`.
     sso_discoverable_domains : opt vec text;
+    // One-shot backfill of the `sso_domain` / `sso_name` fields on stored
+    // OpenID credentials. When set, a batched timer-driven migration stamps
+    // every stored credential whose (iss, aud) matches an entry and whose
+    // `sso_domain` is not set yet. Idempotent — already-stamped credentials
+    // are skipped, so re-submitting (e.g. with a corrected list) is safe.
+    // When unset, no backfill runs. The deployer builds the list from the
+    // running canister's `discovered_oidc_configs` query before
+    // submitting the upgrade proposal.
+    sso_credential_migration : opt vec SsoCredentialMigrationEntry;
     // Configuration for Web Analytics
     analytics_config : opt opt AnalyticsConfig;
     // Configuration to show dapps explorer or not
@@ -299,6 +323,9 @@ type InternetIdentityInit = record {
     backend_canister_id : opt principal;
     // Backend origin, needed to sync configuration with frontend.
     backend_origin : opt text;
+    // Deploy flag for the legacy DNSSEC email-recovery path. Defaults to
+    // off (DoH-only); `opt true` re-enables it.
+    enable_dnssec_email_recovery : opt bool;
     // DNSSEC verification configuration. Trust anchors used by any feature
     // that verifies DNS records against the IANA-rooted DNSSEC chain
     // (currently the email-recovery DKIM/DMARC flow). See
@@ -544,13 +571,28 @@ type EmailRecoverySubmitDkimLeafArg = record {
     // least one hop required; bounded by `MAX_CNAME_HOPS = 4` at the
     // canister side. For the Gmail-style direct-TXT case this is a
     // single-element vec.
+    //
+    // When the FE cannot walk a fully-signed DNSSEC resolution for the
+    // leaf — the DKIM record CNAMEs into an unsigned zone (e.g.
+    // `selector1._domainkey.outlook.com` is a signed CNAME into the
+    // unsigned `outbound.protection.outlook.com`) — it must NOT submit
+    // an empty vec here; it drives `email_recovery_resolve_via_doh`
+    // instead, which resolves the key over the canister's DoH path.
     hops : vec SignedRRset;
     // Delegation chains for signed zones touched by `hops` that
     // weren't already covered by the skeleton chain anchored at
     // prepare time. Empty for same-zone resolution.
     extra_chains : vec DelegationChain;
 };
 
+// Argument to email_recovery_resolve_via_doh. Wrapped in a record (like
+// EmailRecoverySubmitDkimLeafArg) so the method can grow fields without a
+// breaking interface change; nonce is the lookup key and is always
+// required.
+type EmailRecoveryResolveViaDohArg = record {
+    nonce : text;
+};
+
 // DNSSEC proof bundle and supporting types — see
 // `internet_identity_interface::types::dnssec`.
 type Rrsig = record {
@@ -595,15 +637,28 @@ type DnsProofBundle = record {
     hops : vec SignedRRset;
 };
 
+// Why a DoH resolution failed, as a typed discriminant rather than a
+// free-form string. The FE reads this directly to segment the
+// `doh_reason` analytics property — no string parsing.
+type DohFailureReason = variant {
+    AllProvidersFailed;
+    QuorumFailed : record { agreeing : nat32; total : nat32 };
+    ResponseMalformed : text;
+};
+
 type EmailRecoveryError = variant {
     Unauthorized : principal;
     NonceUnknown;
     NonceExpired;
     DomainNotAllowlisted : text;
-    DohFetchFailed : text;
+    DohFetchFailed : DohFailureReason;
     DomainNotSupported : text;
     EmailVerificationFailed : text;
     DkimLeafMismatch;
+    // email_recovery_submit_dkim_leaf was called with an empty `hops`
+    // vector; an FE that can't walk DNSSEC must drive
+    // email_recovery_resolve_via_doh instead.
+    EmptyDkimLeafHops;
     NoDkimLeafExpected;
     AddressMismatch;
     SubjectNotSigned;
@@ -614,6 +669,7 @@ type EmailRecoveryError = variant {
 
 type EmailRecoveryStatus = variant {
     Pending;
+    ResolvingDoh;
     NeedDkimLeaf : record { selector : text };
     RegistrationSucceeded;
     RecoveryReady : record {
@@ -625,6 +681,24 @@ type EmailRecoveryStatus = variant {
     Expired;
 };
 
+// Which trust path the canister used (or will use) to verify the
+// challenge email. Public — already chosen by the FE and derivable
+// from the public deploy config.
+type VerificationPath = variant { Doh; Dnssec };
+
+// Strictly-public, user-copyable diagnostics for one pending challenge
+// (see email_recovery_diagnostics). Intended for a support ticket so a
+// case can be lined up across the SMTP gateway logs and the canister's
+// production logs via message_id. NO email address, anchor, principal,
+// delegation/seed, or inner error string — reason_code is the failing
+// variant's name only.
+type EmailRecoveryDiagnostics = record {
+    message_id : opt text;
+    reason_code : text;
+    verification_path : VerificationPath;
+    created_at : Timestamp;
+};
+
 type EmailRecoveryGetDelegationArgs = record {
     nonce       : text;
     session_key : SessionKey;
@@ -671,6 +745,13 @@ type SmtpRequest = record {
     message : opt SmtpMessage;
     envelope : opt SmtpEnvelope;
     gateway_flags : opt vec text;
+    // Optional gateway-supplied correlation id for one inbound message
+    // (e.g. the RFC 5322 Message-ID or a gateway-assigned tracking id).
+    // The canister does not interpret it; it lets a reported case be
+    // lined up across the SMTP gateway logs and the canister's production
+    // logs during support investigations. Capped at 256 bytes; oversize
+    // values are rejected with code 555.
+    message_id : opt text;
 };
 
 // Error returned by `smtp_request` / `smtp_request_validate`.
@@ -1489,7 +1570,14 @@ service : (opt InternetIdentityInit) -> {
     email_recovery_credential_prepare_add : (IdentityNumber, EmailRecoveryDnsInput) -> (variant { Ok : EmailRecoveryChallenge; Err : EmailRecoveryError });
     email_recovery_prepare_delegation : (EmailRecoveryDnsInput, SessionKey) -> (variant { Ok : EmailRecoveryChallenge; Err : EmailRecoveryError });
     email_recovery_status : (text) -> (EmailRecoveryStatus) query;
-    email_recovery_submit_dkim_leaf : (EmailRecoverySubmitDkimLeafArg) -> (variant { Ok : EmailRecoveryStatus; Err : EmailRecoveryError });
+    email_recovery_diagnostics : (text) -> (opt EmailRecoveryDiagnostics) query;
+    email_recovery_submit_dkim_leaf : (EmailRecoverySubmitDkimLeafArg) -> (variant { Ok; Err : EmailRecoveryError });
+    // Resolves the DKIM key over the canister's own allowlist-gated DoH
+    // path, called with just the nonce. Used for the pure-DoH (Gmail)
+    // case and as the fallback when the FE can't walk a fully-signed
+    // DNSSEC resolution (the DKIM record CNAMEs into an unsigned zone).
+    // Polled: the FE calls it repeatedly while the status is ResolvingDoh.
+    email_recovery_resolve_via_doh : (EmailRecoveryResolveViaDohArg) -> (variant { Ok; Err : EmailRecoveryError });
     email_recovery_get_delegation : (EmailRecoveryGetDelegationArgs) -> (variant { Ok : SignedDelegation; Err : EmailRecoveryError }) query;
     email_recovery_credential_remove : (IdentityNumber, text) -> (variant { Ok; Err : EmailRecoveryError });
 
diff --git a/scripts/sync-ii-spec.mjs b/scripts/sync-ii-spec.mjs
