//! # Mucosal Boundary Family — stdlib antigens (ADR-027 + Amendment 1)
//!
//! Canonical trust-boundary failure-classes — the data-flow surfaces where a
//! system meets the outside world and the boundary discipline is absent or
//! mis-applied. Adopters mark boundary functions with `#[mucosal]` /
//! `#[mucosal_delegate]` / `#[mucosal_tolerant]`; these stdlib `#[antigen]`
//! declarations name the failure-classes that an undefended-or-mis-defended
//! boundary presents.
//!
//! ## Antigen-category (ADR-028)
//!
//! All mucosal stdlib antigens are `SubstrateAlignment`: the representation
//! of "this boundary is defended" (the presence/absence/kind of a
//! `#[mucosal]` declaration + its handler chain) diverges from the actual
//! defense state. The witness checks the declaration substrate — is the
//! boundary declared, does the delegate resolve, does the handler's kind
//! match — not runtime sanitization correctness (ADR-027: sanitization
//! presence ≠ correctness; the discipline fires at the boundary regardless).
//!
//! ## Biology grounding (per ADR-027 — NON-NEGOTIABLE)
//!
//! Biology grounds the TIER-CLAIM (mucosal surfaces are a distinct immune
//! tier with selective permeability) + the four functional disciplines, NOT
//! per-variant tissue mapping. The `MucosalKind` taxonomy is
//! software-engineering scope-selection by data-flow type. These antigens
//! are the failure-classes the boundary primitives defend against; they are
//! not per-variant biology-grounded.
//!
//! ## How these antigens are evaluated
//!
//! `cargo antigen mucosal-map` walks the scan report's mucosal declarations
//! and runs `audit_mucosal` (incl. the Change-5 three-tier delegate
//! kind-matching diagnosis). The `fingerprint` uses the uniform
//! `doc_contains("ADR-027")` form.

use crate::antigen;

// ============================================================================
// 1. UndefendedTrustBoundary
// ============================================================================
/// A data-flow boundary admitting external input with no boundary declaration.
///
/// The boundary carries no `#[mucosal]` / `#[mucosal_tolerant]` declaration —
/// neither actively defended nor intentionally tolerated; it is simply
/// undecided (the third response state per ADR-027 Amendment 1 Change 6).
///
/// **The failure mode**: unknown boundaries are where attacks land. A
/// function that receives caller-supplied data without a boundary
/// declaration leaves the audit unable to distinguish "defended elsewhere"
/// from "nobody thought about this." `cargo antigen mucosal-map --undefended`
/// surfaces these.
///
/// **Category**: `SubstrateAlignment` — the absence of a `#[mucosal]`
/// declaration diverges from the actual presence of a trust boundary.
// `#[antigen(...)]` attribute not shown
pub struct UndefendedTrustBoundary;

// ============================================================================
// 2. DelegatedDefenseWithoutMatchingHandler
// ============================================================================
/// A `#[mucosal_delegate]` whose handler lacks a matching `#[mucosal(kind)]`.
///
/// The `handled_by` target does not carry a `#[mucosal(kind = X)]` matching
/// the delegated boundary kind — the delegation falsely attests defense that
/// the handler does not actually provide (the Change-5 split-defense problem).
///
/// **The failure mode**: `#[mucosal_delegate(boundary = UserInput,
/// handled_by = sanitize_db)]` passes a naive "does the handler exist?"
/// check even when `sanitize_db` only carries `#[mucosal(kind =
/// DatabaseQuery)]`. The audit's three-tier diagnosis (Change 5) catches
/// this via set-membership kind-matching, emitting
/// `mucosal-discipline-delegate-target-kind-mismatch`.
///
/// **Category**: `SubstrateAlignment` — the delegation claims the boundary
/// is handled, but the handler's declared kind-set diverges from the
/// delegated kind.
// `#[antigen(...)]` attribute not shown
pub struct DelegatedDefenseWithoutMatchingHandler;

// ============================================================================
// 3. ToleratedBoundaryWithoutReview
// ============================================================================
/// A `#[mucosal_tolerant]` boundary whose tolerance has gone stale or unowned.
///
/// The review deadline (`until`) has passed without re-attestation, or the
/// declaration carries no `reviewed_by` — an intentional-tolerance decision
/// that has gone stale or was never owned.
///
/// **The failure mode**: active tolerance (deliberately permitting
/// unauthenticated input) is the riskier boundary state, so ADR-027
/// Amendment 1 raises its rationale floor to ≥40 chars and adds a review
/// cadence. A tolerant boundary past its `until` date, or with no reviewer,
/// is tolerance that nobody is accountable for — the IBD-analog of immune
/// tolerance gone unchecked.
///
/// **Category**: `SubstrateAlignment` — the tolerance declaration's review
/// state diverges from a current, owned tolerance decision.
// `#[antigen(...)]` attribute not shown
pub struct ToleratedBoundaryWithoutReview;
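
// Added example, not part of this crate's own code: a toy model of the three
// declaration-substrate checks described in the doc comments above. All types,
// fields, function names and the two non-mismatch delegate tiers are assumptions;
// it does not reproduce `audit_mucosal` or the real attribute syntax.

```rust
use std::collections::{HashMap, HashSet};
// Toy model of the declaration substrate. Type, field and variant names are
// assumptions for illustration; only the quoted diagnostic id is from the page.
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
enum Kind { UserInput, DatabaseQuery }
enum Decl {
    Undeclared,
    Mucosal(HashSet<Kind>),
    Delegate { boundary: Kind, handled_by: &'static str },
    Tolerant { reviewed_by: Option<&'static str>, until: u32 }, // until = YYYYMMDD
}
#[derive(Debug, PartialEq)]
enum Finding {
    Ok,
    UndefendedTrustBoundary,
    DelegateTargetMissing,      // assumed tier: handler name does not resolve
    DelegateTargetUndeclared,   // assumed tier: handler carries no #[mucosal(kind)]
    DelegateTargetKindMismatch, // mucosal-discipline-delegate-target-kind-mismatch
    ToleratedBoundaryWithoutReview, // `until` has passed, or no `reviewed_by`
}
type Decls = HashMap<&'static str, Decl>;

fn audit(name: &str, decls: &Decls, today: u32) -> Finding {
    match decls.get(name) {
        None | Some(Decl::Undeclared) => Finding::UndefendedTrustBoundary,
        Some(Decl::Mucosal(_)) => Finding::Ok,
        Some(Decl::Delegate { boundary, handled_by }) => match decls.get(handled_by) {
            None => Finding::DelegateTargetMissing,
            // Set-membership: the delegated kind must be in the handler's kind-set.
            Some(Decl::Mucosal(kinds)) if kinds.contains(boundary) => Finding::Ok,
            Some(Decl::Mucosal(_)) => Finding::DelegateTargetKindMismatch,
            Some(_) => Finding::DelegateTargetUndeclared,
        },
        Some(Decl::Tolerant { reviewed_by, until }) if *until < today || reviewed_by.is_none() =>
            Finding::ToleratedBoundaryWithoutReview,
        Some(Decl::Tolerant { .. }) => Finding::Ok,
    }
}

// Constructed sample: sanitize_db declares only DatabaseQuery, as in the doc comment.
fn sample() -> Decls {
    HashMap::from([
        ("parse_form", Decl::Delegate { boundary: Kind::UserInput, handled_by: "sanitize_db" }),
        ("sanitize_db", Decl::Mucosal(HashSet::from([Kind::DatabaseQuery]))),
        ("read_env", Decl::Undeclared),
        ("health_probe", Decl::Tolerant { reviewed_by: None, until: 20991231 }),
    ])
}
fn main() { println!("{:?}", audit("parse_form", &sample(), 20250101)); }
```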