Module spec_validation


Pure validation for parsed ExecutionCellDocument.

Functions

authority_derivation_signing_payload
Build the canonical JSON payload that the grantor signs and the supervisor verifies.
check_policy_pack_version
Validate a policy pack’s declared spec.version against the runtime’s compiled-in supported floor. P4-04.
enforce_derivation_scope_policy
Enforce the derivation-token scope policy after signature verification (L5-16 / I6 / O6).
validate_execution_cell_document
Reject specs that violate MVP invariants (stricter than JSON Schema alone).
validate_tenant_id_for_subject_token
Reject a tenant_id that contains any NATS subject-token reserved char.
verify_authority_derivation
Verify an AuthorityDerivationToken against the declared spec authority.
verify_signed_trust_keyset_chain
Verify a chain of signed trust-keyset envelopes for replay-safety (SEC-25 Phase 3).
verify_signed_trust_keyset_envelope
Verify a SEC-25 signed trust-keyset envelope and return its raw payload bytes.