ans-types 0.1.4

Shared types for the Agent Name Service (ANS) ecosystem
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305

//! Badge data models from the Transparency Log API.

use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use uuid::Uuid;

/// Badge status values.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[non_exhaustive]
pub enum BadgeStatus {
    /// Agent is registered and in good standing.
    Active,
    /// Certificate expires within 30 days.
    Warning,
    /// AHP has marked this version for retirement; consumers should migrate.
    Deprecated,
    /// Certificate has expired.
    Expired,
    /// Registration has been explicitly revoked.
    Revoked,
}

impl BadgeStatus {
    /// Check if this status is valid for establishing connections.
    pub fn is_valid_for_connection(&self) -> bool {
        matches!(self, Self::Active | Self::Warning | Self::Deprecated)
    }

    /// Check if this status is fully active (not deprecated).
    pub fn is_active(&self) -> bool {
        matches!(self, Self::Active | Self::Warning)
    }

    /// Check if this status indicates the badge should be rejected.
    pub fn should_reject(&self) -> bool {
        matches!(self, Self::Expired | Self::Revoked)
    }
}

/// Event types for badge events.
///
/// These match the TL API swagger spec eventType enum.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[non_exhaustive]
pub enum EventType {
    /// Agent was initially registered.
    AgentRegistered,
    /// Agent certificates were renewed.
    AgentRenewed,
    /// AHP has marked this version for retirement.
    AgentDeprecated,
    /// Agent registration was revoked.
    AgentRevoked,
}

/// Full badge response from the Transparency Log API.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
#[non_exhaustive]
pub struct Badge {
    /// Current status of the badge.
    pub status: BadgeStatus,
    /// Badge payload containing the signed event.
    pub payload: BadgePayload,
    /// Schema version (e.g., "V1").
    pub schema_version: String,
    /// Signature over the badge.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub signature: Option<String>,
    /// Merkle proof for transparency log inclusion.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub merkle_proof: Option<MerkleProof>,
}

impl Badge {
    /// Get the agent's ANS name.
    pub fn agent_name(&self) -> &str {
        &self.payload.producer.event.ans_name
    }

    /// Get the agent's host FQDN.
    pub fn agent_host(&self) -> &str {
        &self.payload.producer.event.agent.host
    }

    /// Get the agent's version string.
    pub fn agent_version(&self) -> &str {
        &self.payload.producer.event.agent.version
    }

    /// Get the server certificate fingerprint.
    pub fn server_cert_fingerprint(&self) -> &str {
        &self
            .payload
            .producer
            .event
            .attestations
            .server_cert
            .fingerprint
    }

    /// Get the identity certificate fingerprint.
    pub fn identity_cert_fingerprint(&self) -> &str {
        &self
            .payload
            .producer
            .event
            .attestations
            .identity_cert
            .fingerprint
    }

    /// Get the agent ID (UUID).
    pub fn agent_id(&self) -> Uuid {
        self.payload.producer.event.ans_id
    }

    /// Get the event type.
    pub fn event_type(&self) -> EventType {
        self.payload.producer.event.event_type
    }

    /// Check if this badge is valid for connections.
    pub fn is_valid(&self) -> bool {
        self.status.is_valid_for_connection()
    }
}

/// Badge payload containing the producer and signed event.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
#[non_exhaustive]
pub struct BadgePayload {
    /// Log ID for this entry.
    pub log_id: Uuid,
    /// Producer information with signed event.
    pub producer: Producer,
}

/// Producer information with the agent event and signature.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
#[non_exhaustive]
pub struct Producer {
    /// The agent event details.
    pub event: AgentEvent,
    /// Key ID used for signing.
    pub key_id: String,
    /// Signature over the event.
    pub signature: String,
}

/// Agent event containing all registration/verification details.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
#[non_exhaustive]
pub struct AgentEvent {
    /// Agent's unique ID.
    pub ans_id: Uuid,
    /// Full ANS name (e.g., "<ans://v1.0.0.agent.example.com>").
    pub ans_name: String,
    /// Type of event.
    pub event_type: EventType,
    /// Agent information.
    pub agent: AgentInfo,
    /// Certificate attestations.
    pub attestations: Attestations,
    /// When this registration expires.
    pub expires_at: DateTime<Utc>,
    /// When this registration was issued.
    pub issued_at: DateTime<Utc>,
    /// Registration Authority ID.
    pub ra_id: String,
    /// Event timestamp.
    pub timestamp: DateTime<Utc>,
}

/// Basic agent information.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[non_exhaustive]
pub struct AgentInfo {
    /// Agent's host FQDN.
    pub host: String,
    /// Human-readable agent name.
    pub name: String,
    /// Agent version string.
    pub version: String,
}

/// Certificate attestations.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
#[non_exhaustive]
pub struct Attestations {
    /// Domain validation method used.
    pub domain_validation: String,
    /// Identity certificate attestation.
    pub identity_cert: CertAttestation,
    /// Server certificate attestation.
    pub server_cert: CertAttestation,
}

/// Certificate attestation with fingerprint and type.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[non_exhaustive]
pub struct CertAttestation {
    /// Certificate fingerprint in `SHA256:<hex>` format.
    pub fingerprint: String,
    /// Certificate type (e.g., "X509-DV-SERVER", "X509-OV-CLIENT").
    #[serde(rename = "type")]
    pub cert_type: String,
}

/// Merkle proof for transparency log inclusion verification.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
#[non_exhaustive]
pub struct MerkleProof {
    /// Hash of the leaf node.
    pub leaf_hash: String,
    /// Index of the leaf in the tree.
    pub leaf_index: u64,
    /// Proof path (sibling hashes).
    pub path: Vec<String>,
    /// Root hash of the tree.
    pub root_hash: String,
    /// Signature over the root.
    pub root_signature: String,
    /// Total size of the tree.
    pub tree_size: u64,
    /// Version of the tree.
    pub tree_version: u64,
}

#[allow(clippy::unwrap_used, clippy::expect_used, clippy::panic)]
#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_badge_status_valid_for_connection() {
        assert!(BadgeStatus::Active.is_valid_for_connection());
        assert!(BadgeStatus::Warning.is_valid_for_connection());
        assert!(BadgeStatus::Deprecated.is_valid_for_connection());
        assert!(!BadgeStatus::Expired.is_valid_for_connection());
        assert!(!BadgeStatus::Revoked.is_valid_for_connection());
    }

    #[test]
    fn test_badge_status_should_reject() {
        assert!(!BadgeStatus::Active.should_reject());
        assert!(!BadgeStatus::Warning.should_reject());
        assert!(!BadgeStatus::Deprecated.should_reject());
        assert!(BadgeStatus::Expired.should_reject());
        assert!(BadgeStatus::Revoked.should_reject());
    }

    #[test]
    fn test_deserialize_badge() {
        let json = r#"{
            "status": "ACTIVE",
            "payload": {
                "logId": "019be7f3-5720-77c9-9672-adae3394502f",
                "producer": {
                    "event": {
                        "ansId": "7b93c61c-e261-488c-89a3-f948119be0a0",
                        "ansName": "ans://v1.0.0.agent.example.com",
                        "eventType": "AGENT_REGISTERED",
                        "agent": {
                            "host": "agent.example.com",
                            "name": "Test Agent",
                            "version": "v1.0.0"
                        },
                        "attestations": {
                            "domainValidation": "ACME-DNS-01",
                            "identityCert": {
                                "fingerprint": "SHA256:aebdc9da0c20d6d5e4999a773839095ed050a9d7252bf212056fddc0c38f3496",
                                "type": "X509-OV-CLIENT"
                            },
                            "serverCert": {
                                "fingerprint": "SHA256:e7b64d16f42055d6faf382a43dc35b98be76aba0db145a904b590a034b33b904",
                                "type": "X509-DV-SERVER"
                            }
                        },
                        "expiresAt": "2027-01-22T22:58:52.000000Z",
                        "issuedAt": "2026-01-22T22:58:51.839533Z",
                        "raId": "gd-ra-us-west-2-ote-db21525-9ffa069a429b4a938e09d1e3e701958c",
                        "timestamp": "2026-01-22T23:04:02.890851Z"
                    },
                    "keyId": "ra-gd-ra-us-west-2-ote",
                    "signature": "eyJhbGci..."
                }
            },
            "schemaVersion": "V1"
        }"#;

        let badge: Badge = serde_json::from_str(json).unwrap();
        assert_eq!(badge.status, BadgeStatus::Active);
        assert_eq!(badge.agent_host(), "agent.example.com");
        assert_eq!(badge.agent_version(), "v1.0.0");
        assert!(badge.server_cert_fingerprint().starts_with("SHA256:"));
    }
}