diff --git a/Cargo.lock b/Cargo.lock
index d756dd4b2..22ba2add5 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -75,6 +75,70 @@ dependencies = [
  "as-slice 0.2.1",
 ]
 
+[[package]]
+name = "android-tzdata"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0"
+
+[[package]]
+name = "android_system_properties"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "anstream"
+version = "0.6.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8acc5369981196006228e28809f761875c0327210a891e941f4c683b3a99529b"
+dependencies = [
+ "anstyle",
+ "anstyle-parse",
+ "anstyle-query",
+ "anstyle-wincon",
+ "colorchoice",
+ "is_terminal_polyfill",
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle"
+version = "1.0.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9"
+
+[[package]]
+name = "anstyle-parse"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b2d16507662817a6a20a9ea92df6652ee4f94f914589377d69f3b21bc5798a9"
+dependencies = [
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle-query"
+version = "1.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "79947af37f4177cfead1110013d678905c37501914fba0efea834c3fe9a8d60c"
+dependencies = [
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "anstyle-wincon"
+version = "3.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2109dbce0e72be3ec00bed26e6a7479ca384ad226efdd66db8fa2e3a38c83125"
+dependencies = [
+ "anstyle",
+ "windows-sys 0.59.0",
+]
+
 [[package]]
 name = "anyhow"
 version = "1.0.95"
@@ -175,11 +239,14 @@ dependencies = [
  "ariel-os-macros",
  "ariel-os-random",
  "ariel-os-storage",
+ "build-rs",
+ "cbor-edn",
  "cbor-macro",
  "cboritem",
  "cfg-if",
  "coap-handler",
  "coap-handler-implementations",
+ "coap-numbers",
  "coapcore",
  "critical-section",
  "embassy-futures",
@@ -192,6 +259,9 @@ dependencies = [
  "hexlit",
  "lakers",
  "lakers-crypto-rustcrypto",
+ "minicbor 0.26.0",
+ "serde",
+ "serde_yml",
  "static_cell",
 ]
 
@@ -758,6 +828,18 @@ dependencies = [
  "embedded-io-async",
 ]
 
+[[package]]
+name = "build-rs"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b00b8763668c99f8d9101b8a0dd82106f58265464531a79b2cef0d9a30c17dd2"
+
+[[package]]
+name = "bumpalo"
+version = "3.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1628fb46dfa0b37568d12e5edd512553eccf6a22a78e8bde00bb4aed84d5bdbf"
+
 [[package]]
 name = "bytemuck"
 version = "1.21.0"
@@ -818,6 +900,26 @@ dependencies = [
  "uuid",
 ]
 
+[[package]]
+name = "cbor-edn"
+version = "0.0.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "30b5f29dd0a9183b2f232c235428d21da5177ed3cdb7d19d1a2c2a791d56fb27"
+dependencies = [
+ "chrono",
+ "clap",
+ "clio",
+ "data-encoding",
+ "data-encoding-macro",
+ "encoding_rs",
+ "eyre",
+ "hex",
+ "hexfloat2",
+ "num-bigint",
+ "num-traits",
+ "peg",
+]
+
 [[package]]
 name = "cbor-macro"
 version = "0.1.0"
@@ -904,7 +1006,12 @@ version = "0.4.39"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7e36cc9d416881d2e24f9a963be5fb1cd90966419ac844274161d10488b3e825"
 dependencies = [
+ "android-tzdata",
+ "iana-time-zone",
+ "js-sys",
  "num-traits",
+ "wasm-bindgen",
+ "windows-targets",
 ]
 
 [[package]]
@@ -935,6 +1042,61 @@ dependencies = [
  "libloading",
 ]
 
+[[package]]
+name = "clap"
+version = "4.5.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92b7b18d71fad5313a1e320fa9897994228ce274b60faa4d694fe0ea89cd9e6d"
+dependencies = [
+ "clap_builder",
+ "clap_derive",
+]
+
+[[package]]
+name = "clap_builder"
+version = "4.5.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a35db2071778a7344791a4fb4f95308b5673d219dee3ae348b86642574ecc90c"
+dependencies = [
+ "anstream",
+ "anstyle",
+ "clap_lex",
+ "strsim",
+]
+
+[[package]]
+name = "clap_derive"
+version = "4.5.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bf4ced95c6f4a675af3da73304b9ac4ed991640c36374e4b46795c49e17cf1ed"
+dependencies = [
+ "heck 0.5.0",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.96",
+]
+
+[[package]]
+name = "clap_lex"
+version = "0.7.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6"
+
+[[package]]
+name = "clio"
+version = "0.3.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7fc6734af48458f72f5a3fa7b840903606427d98a710256e808f76a965047d9"
+dependencies = [
+ "cfg-if",
+ "clap",
+ "is-terminal",
+ "libc",
+ "tempfile",
+ "walkdir",
+ "windows-sys 0.42.0",
+]
+
 [[package]]
 name = "coap-blinky"
 version = "0.0.0"
@@ -1110,6 +1272,12 @@ dependencies = [
  "unicode-width",
 ]
 
+[[package]]
+name = "colorchoice"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990"
+
 [[package]]
 name = "const-default"
 version = "1.0.0"
@@ -1140,6 +1308,12 @@ version = "0.2.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2459fc9262a1aa204eb4b5764ad4f189caec88aea9634389c0a25f8be7f6265e"
 
+[[package]]
+name = "core-foundation-sys"
+version = "0.8.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
+
 [[package]]
 name = "cortex-m"
 version = "0.7.7"
@@ -1336,6 +1510,26 @@ version = "2.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0e60eed09d8c01d3cee5b7d30acb059b76614c918fa0f992e0dd6eeb10daad6f"
 
+[[package]]
+name = "data-encoding-macro"
+version = "0.1.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b16d9d0d88a5273d830dac8b78ceb217ffc9b1d5404e5597a3542515329405b"
+dependencies = [
+ "data-encoding",
+ "data-encoding-macro-internal",
+]
+
+[[package]]
+name = "data-encoding-macro-internal"
+version = "0.1.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1145d32e826a7748b69ee8fc62d3e6355ff7f1051df53141e7048162fc90481b"
+dependencies = [
+ "data-encoding",
+ "syn 2.0.96",
+]
+
 [[package]]
 name = "debug-helper"
 version = "0.3.13"
@@ -2073,6 +2267,15 @@ version = "0.3.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a357d28ed41a50f9c765dbfe56cbc04a64e53e5fc58ba79fbc34c10ef3df831f"
 
+[[package]]
+name = "encoding_rs"
+version = "0.8.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75030f3c4f45dafd7586dd6780965a8c7e8e285a5ecb86713e63a79c5b2766f3"
+dependencies = [
+ "cfg-if",
+]
+
 [[package]]
 name = "enum-as-inner"
 version = "0.6.1"
@@ -2159,7 +2362,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "33d852cb9b869c2a9b3df2f71a3074817f01e1844f839a144f5fcef059a4eb5d"
 dependencies = [
  "libc",
- "windows-sys",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -2532,6 +2735,16 @@ dependencies = [
  "rand",
 ]
 
+[[package]]
+name = "eyre"
+version = "0.6.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7cd915d99f24784cdc19fd37ef22b97e3ff0ae756c7e492e9fbfe897d61e2aec"
+dependencies = [
+ "indenter",
+ "once_cell",
+]
+
 [[package]]
 name = "fastrand"
 version = "2.3.0"
@@ -2982,6 +3195,12 @@ version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
 
+[[package]]
+name = "hexfloat2"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "befe65164a090041cdf6e0d21a0ec3198d856fbfe2b76e324a073e790bb49f8c"
+
 [[package]]
 name = "hexlit"
 version = "0.5.5"
@@ -3047,6 +3266,29 @@ dependencies = [
  "once_cell",
 ]
 
+[[package]]
+name = "iana-time-zone"
+version = "0.1.61"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "235e081f3925a06703c2d0117ea8b91f042756fd6e7a6e5d901e8ca1a996b220"
+dependencies = [
+ "android_system_properties",
+ "core-foundation-sys",
+ "iana-time-zone-haiku",
+ "js-sys",
+ "wasm-bindgen",
+ "windows-core",
+]
+
+[[package]]
+name = "iana-time-zone-haiku"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
+dependencies = [
+ "cc",
+]
+
 [[package]]
 name = "icu_collections"
 version = "1.5.0"
@@ -3192,6 +3434,12 @@ dependencies = [
  "icu_properties",
 ]
 
+[[package]]
+name = "indenter"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ce23b50ad8242c51a442f3ff322d56b02f08852c77e4c0b4d3fd684abc89c683"
+
 [[package]]
 name = "indexmap"
 version = "1.9.3"
@@ -3249,9 +3497,15 @@ checksum = "e19b23d53f35ce9f56aebc7d1bb4e6ac1e9c0db7ac85c8d1760c04379edced37"
 dependencies = [
  "hermit-abi",
  "libc",
- "windows-sys",
+ "windows-sys 0.59.0",
 ]
 
+[[package]]
+name = "is_terminal_polyfill"
+version = "1.70.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf"
+
 [[package]]
 name = "itertools"
 version = "0.10.5"
@@ -3276,6 +3530,16 @@ version = "1.0.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674"
 
+[[package]]
+name = "js-sys"
+version = "0.3.77"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1cfaf33c695fc6e08064efbc1f72ec937429614f25eef83af942d0e227c3a28f"
+dependencies = [
+ "once_cell",
+ "wasm-bindgen",
+]
+
 [[package]]
 name = "konst"
 version = "0.3.16"
@@ -3454,6 +3718,16 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "libyml"
+version = "0.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3302702afa434ffa30847a83305f0a69d6abd74293b6554c18ec85c7ef30c980"
+dependencies = [
+ "anyhow",
+ "version_check",
+]
+
 [[package]]
 name = "linked_list_allocator"
 version = "0.10.5"
@@ -3910,6 +4184,33 @@ version = "1.0.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
 
+[[package]]
+name = "peg"
+version = "0.8.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "295283b02df346d1ef66052a757869b2876ac29a6bb0ac3f5f7cd44aebe40e8f"
+dependencies = [
+ "peg-macros",
+ "peg-runtime",
+]
+
+[[package]]
+name = "peg-macros"
+version = "0.8.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bdad6a1d9cf116a059582ce415d5f5566aabcd4008646779dab7fdc2a9a9d426"
+dependencies = [
+ "peg-runtime",
+ "proc-macro2",
+ "quote",
+]
+
+[[package]]
+name = "peg-runtime"
+version = "0.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3aeb8f54c078314c2065ee649a7241f46b9d8e418e1a9581ba0546657d7aa3a"
+
 [[package]]
 name = "percent-encoding"
 version = "2.3.1"
@@ -4564,7 +4865,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys",
- "windows-sys",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -4579,6 +4880,15 @@ version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f"
 
+[[package]]
+name = "same-file"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+dependencies = [
+ "winapi-util",
+]
+
 [[package]]
 name = "scopeguard"
 version = "1.2.0"
@@ -4740,6 +5050,21 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "serde_yml"
+version = "0.0.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "59e2dd588bf1597a252c3b920e0143eb99b0f76e4e082f4c92ce34fbc9e71ddd"
+dependencies = [
+ "indexmap 2.7.1",
+ "itoa",
+ "libyml",
+ "memchr",
+ "ryu",
+ "serde",
+ "version_check",
+]
+
 [[package]]
 name = "sha2"
 version = "0.10.8"
@@ -5135,7 +5460,7 @@ dependencies = [
  "getrandom",
  "once_cell",
  "rustix",
- "windows-sys",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -5579,6 +5904,12 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
 
+[[package]]
+name = "utf8parse"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
+
 [[package]]
 name = "uuid"
 version = "1.12.1"
@@ -5615,12 +5946,80 @@ dependencies = [
  "vcell",
 ]
 
+[[package]]
+name = "walkdir"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
+dependencies = [
+ "same-file",
+ "winapi-util",
+]
+
 [[package]]
 name = "wasi"
 version = "0.11.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
 
+[[package]]
+name = "wasm-bindgen"
+version = "0.2.100"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1edc8929d7499fc4e8f0be2262a241556cfc54a0bea223790e71446f2aab1ef5"
+dependencies = [
+ "cfg-if",
+ "once_cell",
+ "rustversion",
+ "wasm-bindgen-macro",
+]
+
+[[package]]
+name = "wasm-bindgen-backend"
+version = "0.2.100"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2f0a0651a5c2bc21487bde11ee802ccaf4c51935d0d3d42a6101f98161700bc6"
+dependencies = [
+ "bumpalo",
+ "log",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.96",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-macro"
+version = "0.2.100"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7fe63fc6d09ed3792bd0897b314f53de8e16568c2b3f7982f468c0bf9bd0b407"
+dependencies = [
+ "quote",
+ "wasm-bindgen-macro-support",
+]
+
+[[package]]
+name = "wasm-bindgen-macro-support"
+version = "0.2.100"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ae87ea40c9f689fc23f209965b6fb8a99ad69aeeb0231408be24920604395de"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.96",
+ "wasm-bindgen-backend",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-shared"
+version = "0.2.100"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a05d73b933a847d6cccdda8f838a22ff101ad9bf93e33684f39c1f5f0eece3d"
+dependencies = [
+ "unicode-ident",
+]
+
 [[package]]
 name = "winapi"
 version = "0.3.9"
@@ -5643,7 +6042,7 @@ version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb"
 dependencies = [
- "windows-sys",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -5668,6 +6067,30 @@ dependencies = [
  "serde_cbor",
 ]
 
+[[package]]
+name = "windows-core"
+version = "0.52.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9"
+dependencies = [
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.42.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a3e1820f08b8513f676f7ab6c1f99ff312fb97b553d30ff4dd86f9f15728aa7"
+dependencies = [
+ "windows_aarch64_gnullvm 0.42.2",
+ "windows_aarch64_msvc 0.42.2",
+ "windows_i686_gnu 0.42.2",
+ "windows_i686_msvc 0.42.2",
+ "windows_x86_64_gnu 0.42.2",
+ "windows_x86_64_gnullvm 0.42.2",
+ "windows_x86_64_msvc 0.42.2",
+]
+
 [[package]]
 name = "windows-sys"
 version = "0.59.0"
@@ -5683,28 +6106,46 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
 dependencies = [
- "windows_aarch64_gnullvm",
- "windows_aarch64_msvc",
- "windows_i686_gnu",
+ "windows_aarch64_gnullvm 0.52.6",
+ "windows_aarch64_msvc 0.52.6",
+ "windows_i686_gnu 0.52.6",
  "windows_i686_gnullvm",
- "windows_i686_msvc",
- "windows_x86_64_gnu",
- "windows_x86_64_gnullvm",
- "windows_x86_64_msvc",
+ "windows_i686_msvc 0.52.6",
+ "windows_x86_64_gnu 0.52.6",
+ "windows_x86_64_gnullvm 0.52.6",
+ "windows_x86_64_msvc 0.52.6",
 ]
 
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8"
+
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
 
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43"
+
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
 
+[[package]]
+name = "windows_i686_gnu"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f"
+
 [[package]]
 name = "windows_i686_gnu"
 version = "0.52.6"
@@ -5717,24 +6158,48 @@ version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
 
+[[package]]
+name = "windows_i686_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060"
+
 [[package]]
 name = "windows_i686_msvc"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
 
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36"
+
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
 
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3"
+
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
 
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0"
+
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.52.6"
diff --git a/_typos.toml b/_typos.toml
index 690c0ee4e..7d6159c21 100644
--- a/_typos.toml
+++ b/_typos.toml
@@ -4,6 +4,7 @@ hsi = "hsi"
 extint = "extint"     # External interrupt
 synopsys = "synopsys" # Manufacturer name
 COSE = "COSE"         # A technology we use
+EDN = "EDN"           # EDN is the acronym of CBOR Diagnostic Notation
 
 [files]
 extend-exclude = [
diff --git a/laze-project.yml b/laze-project.yml
index 50ebfd702..b2e05668f 100644
--- a/laze-project.yml
+++ b/laze-project.yml
@@ -857,7 +857,7 @@ modules:
           - ariel-os/coap-server
 
   - name: coap-server-config-storage
-    help: Configure the CoAP server to accept requests depending on runtime configuration
+    help: Configure the CoAP server to accept requests depending on build- and runtime configuration
     depends:
       - coap
       - sw/storage
@@ -867,6 +867,9 @@ modules:
       global:
         FEATURES:
           - ariel-os/coap-server-config-storage
+        PEERS_YML: ${appdir}/peers.yml
+        CARGO_ENV:
+          - PEERS_YML=${PEERS_YML}
 
   - name: coap-server-config-unprotected
     help: Configure the CoAP server to accept any request without authorization checks.
diff --git a/src/ariel-os-coap/Cargo.toml b/src/ariel-os-coap/Cargo.toml
index 72c285db8..b02d6ad84 100644
--- a/src/ariel-os-coap/Cargo.toml
+++ b/src/ariel-os-coap/Cargo.toml
@@ -45,6 +45,15 @@ hexlit = "0.5.5"
 # For the udp_nal
 embedded-io-async = "0.6.1"
 
+[build-dependencies]
+serde_yml = "0.0.12"
+serde = "1"
+# "blessed" by Cargo basing its build script API on it <https://blog.rust-lang.org/inside-rust/2024/12/13/this-development-cycle-in-cargo-1.84.html#build-script-api>
+build-rs = "0.1.2"
+cbor-edn = "0.0.8"
+coap-numbers = "0.2"
+minicbor = { version = "0.26", features = ["std"] }
+
 [lints]
 workspace = true
 
diff --git a/src/ariel-os-coap/build.rs b/src/ariel-os-coap/build.rs
new file mode 100644
index 000000000..de0ccca40
--- /dev/null
+++ b/src/ariel-os-coap/build.rs
@@ -0,0 +1,116 @@
+use serde::Deserialize;
+use std::fmt::Write;
+
+/// Second-level item for deserializing a `peers.yml`
+///
+/// (The top level is a list thereof).
+#[derive(Deserialize)]
+struct Peer {
+    kccs: String,
+    scope: Scope,
+}
+
+#[derive(Debug, Deserialize)]
+#[serde(untagged)]
+enum Scope {
+    String(String),
+    Aif(std::collections::HashMap<String, Permission>),
+}
+
+#[derive(Debug, Deserialize)]
+#[serde(untagged)]
+enum Permission {
+    Set(Vec<SinglePermission>),
+    Single(SinglePermission),
+}
+
+#[derive(Debug, Deserialize, Copy, Clone)]
+#[allow(clippy::upper_case_acronyms, reason = "used to guide serde values")]
+#[repr(u8)]
+enum SinglePermission {
+    GET = coap_numbers::code::GET,
+    POST = coap_numbers::code::POST,
+    PUT = coap_numbers::code::PUT,
+    DELETE = coap_numbers::code::DELETE,
+    FETCH = coap_numbers::code::FETCH,
+    PATCH = coap_numbers::code::PATCH,
+    #[allow(non_camel_case_types, reason = "that's how that code is named")]
+    iPATCH = coap_numbers::code::IPATCH,
+}
+
+impl Permission {
+    fn mask(&self) -> u32 {
+        match self {
+            Permission::Set(p) => p.iter().fold(0, |old, value| old | value.mask()),
+            Permission::Single(p) => p.mask(),
+        }
+    }
+}
+
+impl SinglePermission {
+    /// The `Tperm` unsigned integer representation of the REST-specific AIF model described in
+    /// RFC9237.
+    fn mask(&self) -> u32 {
+        1 << (*self as u8 - 1)
+    }
+}
+
+fn main() {
+    if !build::cargo_feature("coap-server-config-storage") {
+        return;
+    }
+
+    build::rerun_if_env_changed("PEERS_YML");
+    let peers_yml = std::path::PathBuf::from(std::env::var("PEERS_YML").unwrap());
+
+    build::rerun_if_changed(&peers_yml);
+    let peers_file =
+        std::fs::File::open(peers_yml).expect("no peers.yml usable in specified location");
+
+    let peers: Vec<Peer> = serde_yml::from_reader(peers_file).expect("failed to parse peers.yml");
+
+    let mut chain_once_per_kccs = String::new();
+    for peer in peers {
+        let kccs = cbor_edn::StandaloneItem::parse(&peer.kccs)
+            .expect("data in kccs is not valid CBOR Diagnostic Notation (EDN)")
+            .to_cbor()
+            .expect("CBOR Diagnostic Notation (EDN) is not expressible in CBOR");
+        // FIXME: Should we pre-parse the KCCS and have the parsed credentials as const in flash? Or
+        // just parsed enough that there is no CBOR parsing but credential and material point to
+        // overlapping slices?
+        let scope = match peer.scope {
+            Scope::String(s) if s == "allow-all" => {
+                "coapcore::scope::UnionScope::AllowAll".to_string()
+            }
+            Scope::Aif(aif) => {
+                let data: Vec<_> = aif
+                    .into_iter()
+                    .map(|(toid, tperm)| (toid, tperm.mask()))
+                    .collect();
+                let mut bytes = vec![];
+                minicbor::encode(data, &mut bytes).unwrap();
+                format!("coapcore::scope::UnionScope::AifValue(coapcore::scope::AifValue::parse(&{bytes:?}).unwrap())")
+            }
+            e => panic!("Scope configuration {e:?} is not recognized"),
+        };
+        write!(
+            chain_once_per_kccs,
+            ".chain(core::iter::once((lakers::Credential::parse_ccs(
+                            &{kccs:?}).unwrap(),
+                            {scope},
+                            )))"
+        )
+        .expect("writing to String is infallible");
+    }
+
+    let peers_data = format!(
+        "
+        pub(super) fn kccs() -> impl Iterator<Item=(lakers::Credential, coapcore::scope::UnionScope)> {{
+            core::iter::empty()
+                {chain_once_per_kccs}
+        }}
+    ");
+
+    let peers_file = build::out_dir().join("peers.rs");
+    std::fs::write(peers_file, peers_data).unwrap();
+}
diff --git a/src/ariel-os-coap/src/stored.rs b/src/ariel-os-coap/src/stored.rs
index 62cffba92..6abad231d 100644
--- a/src/ariel-os-coap/src/stored.rs
+++ b/src/ariel-os-coap/src/stored.rs
@@ -4,6 +4,10 @@ use ariel_os_debug::log::{debug, info};
 use cbor_macro::cbo;
 use coapcore::seccfg::ServerSecurityConfig;
 
+mod flash_peers {
+    include!(concat!(env!("OUT_DIR"), "/peers.rs"));
+}
+
 pub async fn server_security_config() -> impl ServerSecurityConfig {
     StoredPolicy::load().await
 }
@@ -18,11 +22,53 @@ impl ServerSecurityConfig for StoredPolicy {
     // FIXME: Decide based on peers.rs input (but so far tokens are not implemented)
     const PARSES_TOKENS: bool = false;
     const HAS_EDHOC: bool = true;
-    type GeneralClaims = coapcore::seccfg::ConfigBuilderClaims;
+    type GeneralClaims = StoredClaims;
 
     fn own_edhoc_credential(&self) -> Option<(lakers::Credential, lakers::BytesP256ElemLen)> {
         Some(self.own_edhoc_credential)
     }
+
+    fn expand_id_cred_x(
+        &self,
+        id_cred_x: lakers::IdCred,
+    ) -> Option<(lakers::Credential, StoredClaims)> {
+        for (credential, scope) in flash_peers::kccs() {
+            if credential.by_kid().is_ok_and(|by_kid| by_kid == id_cred_x)
+                || credential
+                    .by_value()
+                    .is_ok_and(|by_value| by_value == id_cred_x)
+            {
+                return Some((credential, StoredClaims { scope }));
+            }
+        }
+        None
+    }
+}
+
+/// Generates a private key and some credential matching it.
+///
+/// The 60 byte is kind of arbitrary; it's long enough for this, but needs to also accommodate
+/// anything that gets loaded. It currently contains an Key ID b"", which is convenient because it
+/// enables sending the key by reference.
+fn generate_credpair() -> (heapless::Vec<u8, 60>, lakers::BytesP256ElemLen) {
+    use lakers::CryptoTrait;
+    let mut crypto = lakers_crypto_rustcrypto::Crypto::new(ariel_os_random::crypto_rng());
+    let (private, public) = crypto.p256_generate_key_pair();
+    let mut credential = heapless::Vec::from_slice(&cbo!(
+        r#"{
+        /cnf/ 8: {/ COSE_Key / 1: {
+            /kty/  1: /EC2/ 2,
+            /kid/  2: '',
+            /crv/ -1: /P-256/ 1,
+            /x/   -2: h'0000000000000000000000000000000000000000000000000000000000000000'
+        }}
+    }"#
+    ))
+    .expect("Fits by construction");
+    let public_start = credential.len() - 32;
+    credential[public_start..].copy_from_slice(&public);
+    debug!("Generated private/public key pair.");
+    (credential, private)
 }
 
 impl StoredPolicy {
@@ -32,38 +78,14 @@ impl StoredPolicy {
         // becomes a thing.
         const OWN_CREDENTIAL_KEY: &str = "ariel-os-coap.own-edhoc-credential";
 
-        let mut storage = ariel_os_storage::lock().await;
-        let (credential, key) = match storage
-            .get(OWN_CREDENTIAL_KEY)
+        let (credential, key) = match ariel_os_storage::get(OWN_CREDENTIAL_KEY)
             .await
             .expect("flash error prevents startup")
         {
             Some(credpair) => credpair,
             None => {
-                use lakers::CryptoTrait;
-                let mut crypto =
-                    lakers_crypto_rustcrypto::Crypto::new(ariel_os_random::crypto_rng());
-                let (private, public) = crypto.p256_generate_key_pair();
-                // 60 byte is kind of arbitrary; it's long enough for this, but needs to also
-                // accommodate anything that gets loaded.
-                let mut credential = heapless::Vec::<u8, 60>::from_slice(&cbo!(
-                    r#"{
-                    /cnf/ 8: {/ COSE_Key / 1: {
-                        1: 2,
-                        / empty key ID is handy because it enables sending by reference /
-                        2: '',
-                        -1: 1,
-                        -2: h'0000000000000000000000000000000000000000000000000000000000000000'
-                    }}
-                }"#
-                ))
-                .expect("Fits by construction");
-                let public_start = credential.len() - 32;
-                credential[public_start..].copy_from_slice(&public);
-                debug!("Generated private/public key pair.");
-                let credpair = (credential, private);
-                storage
-                    .insert(OWN_CREDENTIAL_KEY, credpair.clone())
+                let credpair = generate_credpair();
+                ariel_os_storage::insert(OWN_CREDENTIAL_KEY, credpair.clone())
                     .await
                     .expect("flash error prevents startup");
                 credpair
diff --git a/tests/coap/README.md b/tests/coap/README.md
index a6f42b4cc..7c6dd9f42 100644
--- a/tests/coap/README.md
+++ b/tests/coap/README.md
@@ -27,6 +27,19 @@ This application is a work in progress demo of running CoAP with OSCORE/EDHOC se
     * Add `-s coap-server-config-unprotected` to the laze invocation; this replaces the demokeys setup.
     * All resources are now only accessible without `--credentials`. (The "fauxhoc" script does not work in that mode).
 
+* CoAP with more than just demo keys:
+    * Add `-s coap-server-config-storage` to the laze invocation; this replaces the demokeys setup.
+    * Alter the client.diag file have the `peer_cred` reflect the "CoAP server identity" line it procduces at startup
+      <!-- FIXME: should be trivial after https://github.com/knurling-rs/defmt/pull/916 -->
+      after running the hex values there through https://cbor.me's bytes to diagnostic converter.
+
+    The build system now reads `peers.yml`, which currently encodes the same authorization for the demo key as the demo setup,
+    but in a user configurable way:
+    You can add your own private key there, or replace the demo key, and configure resources that should be accessible.
+
+    Instead of using a hard-coded key, the device generates one at first startup,
+    and reports the credential that contains its public key in the standard output.
+
 ## Roadmap
 
 Eventually, all of this should be covered by 20-line examples.
diff --git a/tests/coap/peers.yml b/tests/coap/peers.yml
new file mode 100644
index 000000000..03fbb8f33
--- /dev/null
+++ b/tests/coap/peers.yml
@@ -0,0 +1,22 @@
+# The format of this may yet change (especially since it should eventually
+# source the user's public keys from well-known locations as per
+# <https://ariel-os.github.io/ariel-os/dev/docs/book/tooling/coap.html#outlook-interacting-with-an-ariel-os-coap-server-from-the-host>);
+# the general gist is that it lists who may do what on the device.
+
+- kccs: |
+    # The CWT Claims Set that needs to be used (by value or by reference) by
+    # the client to gain access to the device.
+    #
+    # It is expressed in CBOR diagnostic notation (which at the YAML level is
+    # just a string), and compatible with aiocoap's credentials.
+    {2: "42-50-31-FF-EF-37-32-39", 8: {1: {1: 2, 2: h'2b', -1: 1, -2: h'ac75e9ece3e50bfc8ed60399889522405c47bf16df96660a41298cb4307f7eb6', -3: h'6e5de611388a4b8a8211334ac7d37ecb52a387d257e6db3c2a93df21ff3affc8'}}}
+  scope:
+    # Authorizations assigned to clients authenticating with the credential
+    # above. Keys are paths on the device, values are single or lists of CoAP
+    # methods that may be performed.
+    #
+    # Instead of a dictionary, the scope can also be a single string
+    # "allow-all".
+    /stdout: [GET, FETCH]
+    /.well-known/core: GET
+    /poem: GET