Skip to main content

Module commit_kel

Module commit_kel 

Source
Expand description

KEL-native commit verdict — the heart of Epic B.

Given a commit, the signer’s device KEL, the root KEL, and the pinned trusted roots, decide whether the commit is authorized purely by replaying the log: the device is a delegated identifier the root anchored and has not revoked, and the commit’s SSH signature was made by the device’s current key — all verified in-process (no ssh-keygen, no allowed_signers). Every failure is a distinguishable CommitVerdict, never a bare “invalid signature”.

Structs§

WitnessedVerdict
A commit verdict paired with the signer KEL’s witness-quorum status.

Enums§

CommitVerdict
The outcome of KEL-native commit verification. Distinguishable so the CLI/UX can explain why a commit failed (never a generic InvalidSignature).
VerifierWitnessPolicy
Verifier-side witness policy — independent of the signer’s own WitnessPolicy.
WitnessGateStatus
Witness-quorum status of a verified signer KEL, surfaced for CLI display (D.9).

Constants§

ANCHOR_SEQ_TRAILER
The CESR commit trailer key carrying the signer’s in-band KEL position — the delegator-anchoring sequence in force when the commit was signed. Lets the verifier order a commit against a later revocation by KEL position.
SCOPE_TRAILER
The CESR commit trailer key carrying the capability the commit exercises, checked against the agent’s delegator-anchored scope.

Functions§

anchor_seq_trailer
Format the signing-position commit trailer (Auths-Anchor-Seq: <seq>).
scope_trailer
Format a scope-claim commit trailer (Auths-Scope: <cap>[,<cap>…]).
verify_commit_against_kel
Verify a commit purely by KEL replay + delegation + in-process SSH-signature check.
verify_commit_against_kel_scoped
Verify a commit and additionally enforce the agent’s delegator-anchored scope/expiry against an injected signing time now (Unix epoch seconds).
verify_commit_against_kel_witnessed
Verify a commit and gate the signer’s root KEL on M-of-N witness receipts.