affidavit 26.6.22

Provenance Layer: receipt assembly and certification (verify a witness against a format standard; never decide honesty).
# affidavit 📜

**The Provenance Layer for High-Assurance Systems.**

[![Rust](https://img.shields.io/badge/rust-1.78%2B-blue.svg)](https://www.rust-lang.org)
[![License](https://img.shields.io/badge/license-MIT%2FApache--2.0-blue.svg)](LICENSE-MIT)
[![1000x Initiative](https://img.shields.io/badge/1000x-Initiative%20Complete-green.svg)](STATUS.md)

`affidavit` is a cryptographic provenance engine designed to make the unverifiable unconstructable. It assembles, seals, and certifies **provenance receipts**: append-only, content-addressed BLAKE3 chains of operation-events that provide an immutable record of what a process actually did.

---

## πŸ›οΈ Doctrine: Certify, Don't Decide

In complex systems, "honesty" is often undecidable. `affidavit` shifts the burden from detection to certification:

1.  **Witness-Based Verification:** The verifier doesn't hunt for fraud; it checks a *witness* (the receipt) against a formal format standard.
2.  **Decidable Pipeline:** Every stage of the 7-stage certify pipeline is decidable, yielding a definitive `ACCEPT` or `REJECT` verdict.
3.  **Unconstructable Bypass:** Valid receipts cannot be "faked" or manually constructed. They must pass through canonical, sealed seams in the library.
4.  **Content-Addressed Integrity:** Every event is linked via a rolling BLAKE3 hash. A single bit flip in any historical event invalidates the entire chain.

---

## 🚀 The 1000x Initiative

`affidavit` has been supercharged with 30+ features focused on **Combinatorial Maximalism** and world-class DX:

*   ⚡ **High-Performance:** Parallelized verification across multi-core architectures.
*   🔍 **Deep Introspection:** Auto-generate DFG/Petri models from receipts.
*   🛡️ **Chaos Engineering:** Built-in mutation testing to stress-test your verifiers.
*   🤖 **Intelligent CLI:** 65+ canonical verbs, ontology-driven help, and powerful ad-hoc querying.

---

## πŸ› οΈ Installation & Quick Start

### Build from Source
Ensure you have the latest stable Rust toolchain installed.

```bash
git clone https://github.com/seanchatmangpt/affidavit
cd affidavit
cargo build --release --all-features
```

### The "Golden Run" in 30 Seconds
Run the end-to-end smoke test to see `affidavit` in action:

```bash
./examples/golden_run.sh
```

---

## 📖 Core Concepts

### The Provenance Receipt
A receipt is the primary unit of evidence. It consists of:
- **Events:** Discrete operation records with monotonic sequence numbers.
- **Commitments:** BLAKE3 digests of payload data (payloads are never stored in the receipt).
- **Chain Seal:** A rolling hash that binds the entire history together.

### The 7-Stage Certify Pipeline
Each receipt passes through a rigorous validation gauntlet:
1.  **Decode:** Structural presence and version parsing.
2.  **Format Check:** Verification against the `core/v1` standard.
3.  **Chain Integrity:** Cryptographic re-computation of the rolling hash.
4.  **Continuity:** Logical sequence and uniqueness validation.
5.  **Commitment Verify:** Structural validation of all payload digests.
6.  **Profile Evaluation:** Conformance scoring against business logic.
7.  **Final Verdict:** Atomic `ACCEPT` or `REJECT` output.
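The receipt structure and the seven certify stages described above, as an added example that is not affidavit's own code: a minimal receipt model (events with sequence numbers, payload commitments, a rolling chain seal) and a `certify` function that walks the stages in the order listed and returns the stage at which a receipt is rejected. Everything here is an assumption made for illustration: the field names (`version`, `events`, `seal`, `seq`, `op`, `commitment`), the chaining rule `seal_n = H(seal_{n-1} || canonical(event_n))`, the stand-in profile policy in stage 6, and the use of `hashlib.blake2b` with a 32-byte output in place of BLAKE3, which the Python standard library does not ship.

```python
"""Added example, not affidavit's own code or wire format.

Assumptions (all invented for this example): the receipt/event field names,
the chaining rule, the stage-6 policy, and blake2b standing in for BLAKE3.
"""
import copy
import hashlib
import json

DIGEST_LEN = 32                  # bytes; BLAKE3's default output size
GENESIS = b"\x00" * DIGEST_LEN   # seal of an empty receipt (assumed)
KNOWN_OPS = {"read", "write", "exec"}  # stand-in "profile" policy (assumed)


def H(data: bytes) -> bytes:
    # blake2b with a 32-byte digest stands in for BLAKE3 (stdlib only).
    return hashlib.blake2b(data, digest_size=DIGEST_LEN).digest()


def canonical(obj) -> bytes:
    # Deterministic serialization: sorted keys, no whitespace, ASCII only,
    # so the same event hashes identically on every platform.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def commit(payload: bytes) -> str:
    # Only the digest of the payload ever enters the receipt, never the payload.
    return H(payload).hex()


def rolling_seal(events) -> bytes:
    # Recompute the chain seal from genesis over every event in order.
    seal = GENESIS
    for ev in events:
        seal = H(seal + canonical(ev))
    return seal


def new_receipt() -> dict:
    return {"version": "core/v1", "events": [], "seal": GENESIS.hex()}


def emit(receipt: dict, op: str, payload: bytes) -> dict:
    """Append one operation-event and advance the rolling seal incrementally."""
    events = receipt["events"]
    seq = events[-1]["seq"] + 1 if events else 0
    event = {"seq": seq, "op": op, "commitment": commit(payload)}
    receipt["seal"] = H(bytes.fromhex(receipt["seal"]) + canonical(event)).hex()
    events.append(event)
    return event


def flip_bit(receipt: dict, index: int, bit: int) -> dict:
    """Return a copy with one bit of event `index`'s commitment flipped."""
    r = copy.deepcopy(receipt)
    c = bytearray.fromhex(r["events"][index]["commitment"])
    c[bit // 8] ^= 1 << (bit % 8)
    r["events"][index]["commitment"] = c.hex()
    return r


def certify(receipt: dict) -> tuple:
    """Walk the seven stages; return ("ACCEPT", "") or ("REJECT", stage)."""
    # 1. Decode: structural presence of the top-level fields.
    if any(k not in receipt for k in ("version", "events", "seal")):
        return ("REJECT", "decode")
    # 2. Format check: only the core/v1 standard is understood.
    if receipt["version"] != "core/v1":
        return ("REJECT", "format")
    events = receipt["events"]
    # 3. Chain integrity: full recomputation of the rolling hash.
    if rolling_seal(events).hex() != receipt["seal"]:
        return ("REJECT", "chain")
    # 4. Continuity: sequence numbers are exactly 0, 1, 2, ... (no gaps, no repeats).
    if [ev.get("seq") for ev in events] != list(range(len(events))):
        return ("REJECT", "continuity")
    # 5. Commitment verify: structural only; payloads are absent, so a
    #    commitment can be checked for well-formedness but not re-derived.
    for ev in events:
        c = ev.get("commitment", "")
        if len(c) != 2 * DIGEST_LEN or set(c) - set("0123456789abcdef"):
            return ("REJECT", "commitment")
    # 6. Profile evaluation: conformance against a (here trivial) policy.
    if any(ev.get("op") not in KNOWN_OPS for ev in events):
        return ("REJECT", "profile")
    # 7. Final verdict.
    return ("ACCEPT", "")


if __name__ == "__main__":
    r = new_receipt()
    emit(r, "read", b"constructed sample payload: config.toml")
    emit(r, "write", b"constructed sample payload: artifact bytes")
    print(certify(r))                  # ('ACCEPT', '')
    print(certify(flip_bit(r, 0, 5)))  # ('REJECT', 'chain')
```

Two points the stages make concrete: a single flipped bit in any historical event changes the recomputed seal, so tampering surfaces at stage 3 before the later stages run; and a receipt someone assembles by hand with a correct seal but repeated sequence numbers still fails at stage 4, because the seal binds content, not ordering rules. Stage 5 is structural only, as the page states: since payloads are never stored, the verifier cannot confirm that a commitment corresponds to any particular payload, only that it is a well-formed digest.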

---

## 💻 CLI Surface

Affidavit v26.6.22 expanded the CLI ontology to encompass **59 canonical verbs**, giving a large CLI surface that supports provenance, auditing, and analysis workflows.

**Core Verbs (The Provenance Loop):**
- `affi emit` - Record a new operation-event.
- `affi assemble` - Finalize and seal the current receipt.
- `affi verify` - Run the certify pipeline against a receipt.
- `affi show` - Inspect receipt details.

**Western Electric Quality (Real-Time Monitoring):**
- `affi quality monitor` - Start Western Electric live statistical process control monitoring.
- `affi quality portfolio` - Analyze portfolio health across repositories.
- `affi quality trend-analysis` - Display historical degradation metrics.

**SBOM & Supply Chain Provenance:**
- `affi sbom scan` - Generate an SBOM representation (SPDX/CycloneDX).
- `affi sbom attest` - Sign an SBOM and bind it to the cryptographic provenance chain.
- `affi sbom blast-radius` - Calculate vulnerability risk propagation through the dependency graph.
- `affi sbom compliance` - Run NTIA minimum-element compliance verification.

**Advanced Auditing:**
- `affi receipt model` - Generate architectural models from provenance.
- `affi causality-chain` - Track root cause and event lineage.
- `affi security-debt` - Calculate pending remediation metrics.

**For the complete list of all 65+ verbs, run `affi --help` or explore the [command reference](CLAUDE.md#cli-surface).**

---

## πŸ›‘οΈ Security Model

`affidavit` is designed for high-stakes environments where provenance is non-negotiable:
- **Zero-Knowledge Payloads:** We store commitments, not raw data, protecting sensitive information.
- **Deterministic Hashing:** Canonical JSON serialization ensures hashes are stable across platforms.
- **Memory Safety:** Written in 100% `safe` Rust (enforced via `#![deny(unsafe_code)]`).

---

## 🤝 Contributing

We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines on how to participate in the provenance revolution.

## 📄 License

Dual-licensed under [MIT](LICENSE-MIT) or [Apache 2.0](LICENSE-APACHE).