Skip to main content

verify_commit_against_kel_scoped

Function verify_commit_against_kel_scoped 

Source
pub async fn verify_commit_against_kel_scoped(
    commit_bytes: &[u8],
    device_kel: &[Event],
    root_kel: &[Event],
    pinned_roots: &[String],
    provider: &dyn CryptoProvider,
    now: i64,
) -> CommitVerdict
Expand description

Verify a commit and additionally enforce the agent’s delegator-anchored scope/expiry against an injected signing time now (Unix epoch seconds).

Identical to verify_commit_against_kel plus: a delegated signer whose delegator anchored a scope seal is rejected when the commit exercises a capability outside that scope (CommitVerdict::OutsideAgentScope) or signs at/after the anchored expiry (CommitVerdict::AgentExpired, checked against now).

Args:

  • commit_bytes: The signed commit.
  • device_kel: The signer’s KEL.
  • root_kel: The delegator’s KEL (carries the scope seal).
  • pinned_roots: Trusted root DIDs.
  • provider: Crypto provider for signature verification.
  • now: The signing time to check expiry against (injected at the boundary).

Usage:

let verdict = verify_commit_against_kel_scoped(commit, &device_kel, &root_kel, &pinned, &provider, now).await;