Crate apohara_sealchain_core


apohara-sealchain-core — the apohara-seal-v1 receipt engine.

Native Rust reimplementation of the Python core/seal reference. This crate is sync; network-backed layers (TSA, Rekor) own a private runtime internally so the public API stays runtime-agnostic.

Where the Python reference is internally inconsistent (the C2PA hash input and the Rekor signed-checkpoint verification), this crate defines the canonical behavior and documents the divergence.

Re-exports

pub use artifact::render_chain;
pub use artifact::verify_artifact_bytes;
pub use artifact::LayerResult;
pub use artifact::default_receipt_path;
pub use artifact::seal_artifact;
pub use artifact::verify_artifact;
pub use dashboard::generated_at_now;
pub use dashboard::render_html as render_dashboard;
pub use dashboard::DashboardEntry;
pub use dashboard::VerifyStatus;
pub use error::SealError;
pub use excluded::strip_excluded;
pub use index::index_find;
pub use index::index_insert;
pub use index::index_list;
pub use index::present_layers;
pub use index::rebuild as index_rebuild;
pub use index::scan_receipts;
pub use index::IndexRecord;
pub use jcs::canonicalize;
pub use keystore::decrypt_keystore;
pub use keystore::encrypt_keystore;
pub use keystore::from_overrides;
pub use keystore::info as keystore_info;
pub use keystore::load_or_generate;
pub use keystore::load_or_generate_with_passphrase;
pub use keystore::rotate as rotate_keystore;
pub use keystore::ArchivedKey;
pub use keystore::Keys;
pub use keystore::KeystoreInfo;
pub use layers::rekor::check_shard_active;
pub use layers::rekor::classify_shard;
pub use layers::rekor::load_shards as load_rekor_shards;
pub use layers::rekor::resolve_shard as resolve_rekor_shard;
pub use layers::rekor::submit as submit_rekor_anchor;
pub use layers::rekor::verify_anchor as verify_rekor_anchor;
pub use layers::rekor::RekorAnchor;
pub use layers::rekor::ShardActiveness;
pub use layers::rekor::ShardKey;
pub use layers::rekor::DEFAULT_REKOR_V2_URL;
pub use layers::tsa::request_token as request_tsa_token;
pub use layers::tsa::verify_token as verify_tsa_token;
pub use layers::tsa::TsaToken;
pub use layers::tsa::DEFAULT_TSA_URL;
pub use policy::evaluate as evaluate_policy;
pub use policy::evaluate_now as evaluate_policy_now;
pub use policy::Policy;
pub use policy::PolicyReport;
pub use provenance::model_signing_statement;
pub use provenance::provenance_statement;
pub use provenance::MODEL_SIGNING_PREDICATE_TYPE_V1;
pub use provenance::PREDICATE_TYPE_V1;
pub use provenance::STATEMENT_TYPE_V1;
pub use schema::detect_schema;
pub use schema::SchemaVersion;
pub use schema::SealBlock;
pub use schema::SealedRecord;
pub use seal::build_preimage;
pub use seal::seal_deterministic;
pub use trust_profile::known_qualified_tsa_hosts;
pub use trust_profile::named_profile;
pub use trust_profile::profile_names;
pub use trust_profile::trust_profile;
pub use trust_profile::MatrixRow;
pub use trust_profile::NamedProfile;
pub use trust_profile::TrustProfile;
pub use verify::verify;

Modules

artifact
File seal/verify orchestrator.
dashboard
Transparency dashboard: render a self-contained, offline HTML report from a set of receipts. Native-only (it reuses the native verify path + policy).
error
Error taxonomy for the seal engine.
excluded
Volatile-key exclusion.
index
Local receipt index (sqlite). Native-only convenience/discovery layer — rebuildable from receipts, never a source of truth.
jcs
RFC 8785 JSON Canonicalization Scheme.
keystore
Key material loading, generation, encryption at rest, and rotation.
layers
Cryptographic layers stacked on the shared preimage.
policy
Attestation policy engine: evaluate a receipt against required layers, a minimum layer count, qualified-TSA, and a maximum age. Native-only — the wasm verify-only build does not enforce policies.
provenance
in-toto/SLSA-style provenance predicate for sealed artifacts. Pure serde_json mapping, available in both the native and wasm verify-only builds (it never touches the network or filesystem).
schema
Wire schema for apohara-seal-v1 records and schema detection.
seal
Deterministic seal construction.
trust_profile
Canonical machine-readable Trust Profile (named profiles + proof matrix + qualified-TSA allowlist). Pure serde over an embedded constant, so it is available in both the native and wasm verify-only builds.
verify
Verification with strict error/mismatch separation.

Constants

METHOD_V1
The seal method identifier for the v1 (a.k.a. v4 / apohara) schema.