crtx-ledger 0.1.1

Append-only event log, hash chain, trace assembly, and audit records.
//! Append-only ledger: events, hash chaining, traces. No semantic interpretation.
//!
//! This crate is the **substrate-layer ledger** (BUILD_SPEC §8): it owns the
//! append-only event log, the BLAKE3 hash chain that makes events immutable
//! in the tamper-evident sense (a rewritten row no longer matches the chain),
//! the JSONL mirror used for inspectability and disaster recovery
//! (BUILD_SPEC §7), trace assembly (event ordinals, open / attach / close),
//! and the audit-verify pass.
//!
//! It performs **no semantic interpretation** — that lives in `cortex-memory`
//! and `cortex-reflect`. It performs **no SQL** — that lives in `cortex-store`
//! (the JSONL log here is a separate, equal-priority mirror, not a SQL
//! abstraction).
//!
//! Module map:
//! - [`hash`] — BLAKE3 framing, payload + event hash computation, sealing.
//! - [`trace`] — `TraceAssembler`: open / attach / close, dense ordinals.
//! - [`jsonl`] — `JsonlLog`: append-only with fsync per write, iter, verify.
//! - [`audit`] — `verify_chain(path) -> Report` with per-row reasons,
//!   plus [`audit::verify_signed_chain`] enforcing the Ed25519 signature
//!   chain (Lane 3.D.6, ADR 0010 §1-§2).
//! - [`signed_row`] — On-disk envelope carrying the per-row Ed25519
//!   signature ([`signed_row::SignedRow`] + [`signed_row::RowSignature`]).
//! - [`anchor_chain`] — Bridge between an [`cortex_core::Event`] and the
//!   canonical [`cortex_core::canonical::AttestationPreimage`] that gets
//!   signed; also defines the `identity.rotate` payload shape.
//! - [`anchor`] — ADR 0013 position-bound external anchor parse / format /
//!   verify primitive.
//! - [`external_sink`] — ADR 0013 Mechanism C foundation: typed
//!   [`external_sink::ExternalSink`] selector, v1 receipt sidecar parser,
//!   and the [`external_sink::ots`] quarantine boundary around the
//!   `opentimestamps` crate (operator decisions #3 + #4 — see the
//!   module-level doctrine notes).

#![deny(unsafe_code, missing_debug_implementations)]
#![warn(missing_docs)]

pub mod anchor;
pub mod anchor_chain;
pub mod audit;
pub mod external_sink;
pub mod hash;
pub mod jsonl;
pub mod sha256;
pub mod signed_row;
pub mod trace;

pub use anchor::{
    current_anchor, parse_anchor, verify_anchor, AnchorParseError, AnchorVerification,
    AnchorVerifyError, LedgerAnchor, ANCHOR_FORMAT_HEADER_V1,
};
pub use anchor_chain::{
    extract_rotation_payload, is_identity_rotate, row_preimage, RotationPayload,
    GENESIS_PREV_SIGNATURE, IDENTITY_ROTATE_PAYLOAD_KIND,
};
pub use audit::{
    verify_chain, verify_signed_chain, FailureReason, HashKind, Report, RowFailure,
    SignedChainOutcome,
};
pub use external_sink::ots::adapter::{
    calendar_operator, enforce_disjoint_authority_quorum, submit as submit_ots,
    verify_receipt as verify_ots_receipt,
    verify_receipt_with_defaults as verify_ots_receipt_with_defaults, BitcoinHeaderSource,
    CalendarClient, HttpsHeadersBitcoinHeaderSource, NoopCalendarClient, OtsBrokenEdge,
    OtsVerificationOutcome, OtsWitness, StaticBitcoinHeaderSource, UreqCalendarClient,
    DEFAULT_HTTPS_HEADER_PROVIDERS, DEFAULT_HTTPS_HEADER_QUORUM_N, DEFAULT_OTS_CALENDAR_URL,
    DEFAULT_OTS_CALENDAR_URLS, OTS_CALENDAR_OPERATORS, OTS_DISJOINT_AUTHORITY_MIN_OPERATORS,
};
pub use external_sink::ots::{
    DefaultOtsParser, OtsError, OtsParser, TypedOtsProof, BITCOIN_ATTESTATION_TAG,
    OTS_BITCOIN_CONFIRMED_BLOCK_HEADER_MISMATCH_INVARIANT,
    OTS_BITCOIN_CONFIRMED_MERKLE_PATH_INVALID_INVARIANT, OTS_BITCOIN_HEADER_POW_INVALID_INVARIANT,
    OTS_BITCOIN_HEADER_QUORUM_PROVIDERS_DISAGREE_INVARIANT,
    OTS_BITCOIN_HEADER_QUORUM_UNREACHABLE_INVARIANT,
    OTS_DISJOINT_AUTHORITY_QUORUM_NOT_MET_INVARIANT,
    OTS_PENDING_NO_BITCOIN_ATTESTATION_YET_INVARIANT, OTS_TAG_WHITELIST_UNKNOWN_TAG_INVARIANT,
    PENDING_ATTESTATION_TAG,
};
pub use external_sink::rekor::{
    rekor_canonical_set_body, submit as rekor_submit, verify_receipt as rekor_verify_receipt,
    InclusionProof as RekorInclusionProof, RekorError, RekorReceiptBody, RekorVerification,
    REKOR_DEFAULT_ENDPOINT, REKOR_EXTERNAL_AUTHORITY_STATUS,
    REKOR_INCLUSION_PROOF_INVALID_INVARIANT, REKOR_KIND_HASHEDREKORD_V0_0_1,
    REKOR_SET_SIGNATURE_INVALID_INVARIANT, REKOR_SUBMIT_FAILED_INVARIANT,
    REKOR_TRUSTED_ROOT_STALE_INVARIANT, REKOR_VERIFY_FAILED_INVARIANT,
    REKOR_VERIFY_SIGNATURE_MISMATCH_INVARIANT,
};
pub use external_sink::trusted_root::{
    active_trusted_root, ActiveTrustedRoot, TransparencyLogInstance, TransparencyLogPublicKey,
    TrustRootStalenessAnchor, TrustRootStalenessError, TrustedRoot, TrustedRootIoError,
    TrustedRootKeyError, TrustedRootParseError, ValidityPeriod, CACHED_ROOT_STATUS,
    DEFAULT_MAX_TRUST_ROOT_AGE, EMBEDDED_ROOT_STATUS, EMBEDDED_TRUSTED_ROOT_SNAPSHOT_DATE,
    REKOR_TRUSTED_ROOT_TLOG_LOGID_NO_MATCH_INVARIANT,
    STABLE_INVARIANT_TRUSTED_ROOT_CACHE_FUTURE_DATED, TRUSTED_ROOT_CACHE_FUTURE_MTIME_TOLERANCE,
    TRUSTED_ROOT_CACHE_STALE_INVARIANT, TRUSTED_ROOT_JSON, TRUSTED_ROOT_PARSE_INVARIANT,
    TRUSTED_ROOT_SNAPSHOT_STALE_INVARIANT, TRUSTED_ROOT_STALE_INVARIANT,
};
pub use external_sink::{
    anchor_text_sha256, parse_external_receipt, parse_external_receipt_history,
    read_external_receipt_history, verify_external_receipts, ExternalReceipt,
    ExternalReceiptHistoryIoError, ExternalReceiptParseError, ExternalReceiptVerification,
    ExternalReceiptVerifyError, ExternalSink, ANCHOR_TEXT_HASH_MISMATCH_INVARIANT,
    EXTERNAL_RECEIPT_FORMAT_HEADER_V1, PARSED_ONLY_VERIFICATION_STATUS,
};
pub use hash::{canonical_payload_bytes, event_hash, payload_hash, seal, DOMAIN_TAG_EVENT_HASH};
pub use jsonl::{
    append_policy_decision_test_allow, append_signed_policy_decision_test_allow,
    schema_migration_v1_to_v2_policy_decision_test_allow, JsonlError, JsonlLog,
    APPEND_ATTESTATION_REQUIRED_RULE_ID, APPEND_EVENT_SOURCE_TIER_GATE_RULE_ID,
    APPEND_RUNTIME_MODE_RULE_ID, APPEND_SIGNED_KEY_STATE_CURRENT_USE_RULE_ID,
    APPEND_SIGNED_TRUST_TIER_MINIMUM_RULE_ID, SCHEMA_MIGRATION_ATTESTATION_REQUIRED_RULE_ID,
    SCHEMA_MIGRATION_AUTHORITY_CLASS_RULE_ID,
    SCHEMA_MIGRATION_CURRENT_USE_TEMPORAL_AUTHORITY_RULE_ID,
};
pub use signed_row::{RowSignature, SignedRow};
pub use trace::{TraceAssembler, TraceError};

/// Compatibility placeholder that performs **no verification**.
///
/// It is kept only so that `cortex-cli`'s `audit verify` subcommand continues
/// to compile against the pre-Lane-1.B API surface. The function takes no
/// input, reads no ledger, and unconditionally returns `Ok(())`, preserving
/// the existing "stub" semantics. A successful return is therefore not
/// evidence that any hash chain was checked, and callers should not present
/// it as a passed audit.
///
/// Code that needs a real integrity check MUST call [`verify_chain`], which
/// takes a path and returns a typed [`Report`].
///
/// The CLI's verify path is to be wired to the real audit walker in a
/// follow-up lane that touches `cortex-cli`, and this shim will be removed
/// once the CLI is migrated. **Do not** call it from new code in this crate
/// or downstream.
pub fn verify_hash_chain_stub() -> cortex_core::CortexResult<()> {
    // Deliberately unconditional: nothing is inspected, so there is no
    // failure path to report.
    Ok(())
}