pub fn evaluate(input: EvaluateInput<'_>) -> EvaluationVerdictExpand description
Primary entry point for the portable kernel core.
Performs in order:
- Capability signature / issuer / time-bound verification.
- Subject binding (agent_id match).
- Portable scope match.
- Guard pipeline (fail-closed).
Returns Ok(EvaluationVerdict) for Allow or Deny. An Err is only
returned when the underlying verify_canonical machinery reports an
internal failure that is not a clean verify-false; semantically this
is still a deny at the caller’s level and chio-kernel maps it onto
KernelError::Internal.