Pure-compute verdict evaluation.
evaluate walks a (capability, request, guards) tuple through the
sync checks that do not require I/O or mutable kernel state:
- Issuer trust + signature + time-bound verification via crate::capability_verify::verify_capability.
- Subject-binding check (agent_id == capability.subject hex).
- Portable scope match via crate::scope::resolve_matching_grants.
- Guard pipeline: every registered guard is invoked in order; fail-closed on error or Deny.
What it does NOT do (fenced into chio-kernel proper):
- Revocation membership lookup (stateful RevocationStore).
- Budget mutation (stateful BudgetStore).
- Delegation-chain ancestor inspection against the receipt store.
- DPoP proof verification with nonce replay (LRU-backed).
- Governed-transaction policy evaluation (pulls in chio-governance).
- Payment authorisation (async adapter trait).
- Tool dispatch to wrapped servers (async transport).
- Receipt persistence / Merkle checkpointing (SQL / IO).
The caller – today chio-kernel::ChioKernel::evaluate_tool_call_sync and
tomorrow chio-kernel-wasm::BrowserKernel::evaluate – wraps this pure
core in the I/O checks it needs.
Verified-core boundary note:
formal/proof-manifest.toml names this module as covered Rust surface for
the current bounded verified core. The covered semantics stop at pure
capability verification, subject binding, portable scope matching, and the
synchronous guard pipeline; revocation lookups, budget mutation, DPoP, and
tool dispatch stay outside this module and outside the present proof claim.
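The fail-closed guard pipeline and the subject-binding check described above, as an added sketch that is not chio's own code. Every type and function name in it (Decision, Verdict, Guard, evaluate_sketch, the two sample guards) is hypothetical, and capability verification and scope matching are left out.

```rust
// Added illustration: every name here is hypothetical, not chio's API.
#[derive(Debug, PartialEq)]
enum Decision { Allow, Deny }

#[derive(Debug, PartialEq)]
enum Verdict { Allow, Deny(String) }

// A guard is a pure function of the request: a decision or an error.
type Guard = fn(&str) -> Result<Decision, String>;

/// Subject binding first, then guards in registration order. Anything other
/// than an explicit Allow from every guard ends in Deny (fail-closed).
fn evaluate_sketch(agent_id: &str, subject_hex: &str, request: &str,
                   guards: &[(&str, Guard)]) -> Verdict {
    if agent_id != subject_hex {
        return Verdict::Deny("subject mismatch".to_string());
    }
    for (name, guard) in guards {
        match guard(request) {
            Ok(Decision::Allow) => continue,
            Ok(Decision::Deny) => return Verdict::Deny(format!("guard {name} denied")),
            // A guard that errors is treated as a Deny, never skipped.
            Err(e) => return Verdict::Deny(format!("guard {name} error: {e}")),
        }
    }
    Verdict::Allow
}

// Constructed sample guards.
fn no_traversal(req: &str) -> Result<Decision, String> {
    Ok(if req.contains("..") { Decision::Deny } else { Decision::Allow })
}

fn size_limit(req: &str) -> Result<Decision, String> {
    if req.is_empty() { return Err("empty request".to_string()); }
    Ok(if req.len() <= 64 { Decision::Allow } else { Decision::Deny })
}

fn sample_guards() -> Vec<(&'static str, Guard)> {
    vec![("no_traversal", no_traversal as Guard), ("size_limit", size_limit as Guard)]
}

fn main() {
    let guards = sample_guards();
    for (agent, req) in [("ab12", "read /tmp/a"), ("ab12", "read ../etc"), ("ab12", ""), ("ff00", "read /tmp/a")] {
        println!("{agent} {req:?} -> {:?}", evaluate_sketch(agent, "ab12", req, &guards));
    }
}
```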
Structs§
- EvaluateInput: Inputs to evaluate. Grouped into a struct so the call site stays tidy and future fields (e.g. a policy-digest override) can be added without breaking the public signature.
- EvaluationVerdict: Verdict + context produced by evaluate.
Enums§
- KernelCoreError: Errors the portable core can raise.
Functions§
- evaluate: Primary entry point for the portable kernel core.