Module release

Release orchestration — RFC-0032.

One call site that composes the Phase-A primitives into a complete signed model release: manifest (RFC-0022), AIBOM (RFC-0029), SLSA v1.1 statement (RFC-0024), three DSSE envelopes (RFC-0023), three transparency-log entries (RFC-0025), an OCI primary manifest, and two OCI attestation referrers (RFC-0030).

Nothing here is a new primitive. Every byte the builder emits is produced by code that already has Hegel property tests in its home module. What this module asserts is the integration contract: if ReleaseBuilder::seal returns Ok, then SignedRelease::verify with the matching key also returns Ok, and tampering with any component makes verify fail.

Example

```rust
use aion_context::aibom::{FrameworkRef, License, LicenseScope};
use aion_context::crypto::SigningKey;
use aion_context::key_registry::KeyRegistry;
use aion_context::release::ReleaseBuilder;
use aion_context::transparency_log::TransparencyLog;
use aion_context::types::AuthorId;

let mut log = TransparencyLog::new();
let signer = AuthorId::new(50_001);
let master = SigningKey::generate();
let key = SigningKey::generate();
let mut registry = KeyRegistry::new();
registry
    .register_author(signer, master.verifying_key(), key.verifying_key(), 0)
    .unwrap();

let mut b = ReleaseBuilder::new("acme-7b-chat", "0.3.1", "safetensors");
b.primary_artifact("model.safetensors", vec![0xAA; 128])
    .add_framework(FrameworkRef {
        name: "pytorch".into(),
        version: "2.3.1".into(),
        cpe: None,
    })
    .add_license(License {
        spdx_id: "Apache-2.0".into(),
        scope: LicenseScope::Weights,
        text_uri: None,
    })
    .builder_id("https://example.com/ci/run/1")
    .current_aion_version(1);
let signed = b.seal(signer, &key, &mut log).unwrap();
signed.verify(&registry, 1).unwrap();
```
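
The integration contract stated above (seal Ok implies verify Ok, and any tampering breaks verify) can be exercised with a bit-flip sweep over every signed payload. The following is an added example, not aion_context code: every name in it is hypothetical, the payloads and two of the payload types are constructed, and tag is a non-cryptographic stand-in for the real signature. The pae function follows the public DSSE v1 pre-authentication encoding; that RFC-0023 matches it byte for byte is an assumption.

```rust
// Added illustration, not aion_context code; all names are hypothetical.
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;

/// DSSE v1 pre-authentication encoding: the exact bytes a signer covers.
fn pae(payload_type: &str, payload: &[u8]) -> Vec<u8> {
    let head = format!("DSSEv1 {} {} {} ", payload_type.len(), payload_type, payload.len());
    [head.as_bytes(), payload].concat()
}

/// STAND-IN for a signature (keyed SipHash, NOT secure); real releases sign the PAE bytes.
fn tag(key: u64, msg: &[u8]) -> u64 {
    let mut h = DefaultHasher::new();
    h.write_u64(key);
    h.write(msg);
    h.finish()
}

struct Envelope { payload_type: String, payload: Vec<u8>, sig: u64 }

fn seal(key: u64, parts: &[(&str, &[u8])]) -> Vec<Envelope> {
    parts.iter().map(|&(t, p)| Envelope {
        payload_type: t.to_string(), payload: p.to_vec(), sig: tag(key, &pae(t, p)),
    }).collect()
}

fn verify(key: u64, release: &[Envelope]) -> bool {
    release.iter().all(|e| tag(key, &pae(&e.payload_type, &e.payload)) == e.sig)
}

/// Flip each bit of each payload in turn; count mutations that still verify.
fn tamper_survivors(key: u64, release: &mut [Envelope]) -> usize {
    let mut survivors = 0;
    for i in 0..release.len() {
        for bit in 0..release[i].payload.len() * 8 {
            release[i].payload[bit / 8] ^= 1 << (bit % 8);
            if verify(key, release) { survivors += 1; }
            release[i].payload[bit / 8] ^= 1 << (bit % 8); // restore original bit
        }
    }
    survivors
}

/// Constructed sample payloads standing in for manifest, AIBOM and SLSA statement.
fn sample(key: u64) -> Vec<Envelope> {
    seal(key, &[("application/x-example-manifest", &b"model=acme-7b-chat"[..]),
                ("application/x-example-aibom", &b"framework=pytorch"[..]),
                ("application/vnd.in-toto+json", &b"{\"predicateType\":\"slsa\"}"[..])])
}
fn main() { let mut r = sample(7); assert_eq!(tamper_survivors(7, &mut r), 0); }
```

Because the payload type is part of the PAE input, swapping the types of two envelopes fails verification as well, even though no payload byte changed.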

Structs

LogSeq
Transparency-log position returned from TransparencyLog::append.
ReleaseBuilder
Builder that collects everything needed for a signed release.
SignedRelease
Everything produced by ReleaseBuilder::seal.
SignedReleaseComponents
Named-field input bag for SignedRelease::from_components.