crtx-verifier 0.1.0

Pure independent-witness reducer for trusted release/compliance evidence (ADR 0041).
//! Independent trusted evidence verifier for `cortex release readiness` and
//! `cortex compliance evidence`.
//!
//! Implements [ADR 0041](../../../docs/adr/0041-independent-trusted-evidence-verifier.md):
//! a pure reducer
//! `verify(EvidenceInput, &[IndependentWitness], now, max_age) -> VerifiedTrustState`
//! that promotes a release-readiness or compliance-evidence claim to
//! [`VerifiedTrustState::FullChainVerified`] only when **disjoint-authority**
//! witnesses cross-confirm the producer-supplied evidence digest — without
//! the producer being its own witness.
//!
//! ## Doctrine boundaries
//!
//! - **No I/O on the trust path.** This crate forbids `tokio`, `reqwest`, and
//!   `std::fs`. All bytes and verifying keys must be loaded by the CLI before
//!   invocation; the verifier consumes only in-memory values. See the crate's
//!   `Cargo.toml` for the manifest assertion.
//! - **Disjoint authority** per [ADR 0013] is enforced by
//!   [`witness::AuthorityDomain`]: two witnesses sharing a domain are a
//!   [`invariant::WITNESS_AUTHORITY_OVERLAP`] violation.
//! - **Subject binding.** Every witness's `asserted_subject_blake3` MUST equal
//!   the producer-supplied [`input::EvidenceInput::evidence_blake3`].
//! - **Defense in depth.** [`verify::verify_with_policy`] composes with an
//!   ADR 0026 policy decision so the trust path fails closed independently
//!   of witness composition.
//! - **Boundary contract.** Per ADR 0041 §"Doctrine boundary":
//!   - CAN claim: `release_readiness_artifact_present`,
//!     `compliance_evidence_present`,
//!     `external_anchor_crossed_at(event_count, hash)` for the bound position,
//!     `independent_verification: true`.
//!   - CANNOT claim: trusted run-history beyond `SignedLedgerChainHead`,
//!     cross-system trust authority, production actor identity, anchor stream
//!     monotonicity, doctrine promotion.
//!
//! [ADR 0013]: ../../../docs/adr/0013-ledger-external-anchoring.md

#![deny(unsafe_code, missing_debug_implementations)]
#![warn(missing_docs)]

pub mod input;
pub mod invariant;
pub mod state;
pub mod verify;
pub mod witness;

pub use input::{EvidenceInput, EvidenceKind, SourceRef};
pub use invariant::{
    COMPOSITION_CEILING_BELOW_REQUIRED, COMPOSITION_POLICY_FAIL_CLOSED, WITNESS_AUTHORITY_OVERLAP,
    WITNESS_DISAGREEMENT, WITNESS_MISSING, WITNESS_SIGNATURE_INVALID, WITNESS_STALE,
    WITNESS_TIER_INSUFFICIENT,
};
pub use state::{BrokenEdge, VerifiedTrustState};
pub use verify::{
    ceiling_from_state, verify, verify_with_options, verify_with_policy, VerifyOptions,
};
pub use witness::{
    AuthorityDomain, IndependentWitness, SelfSignedAlgorithm, SelfSignedKeyEntry,
    SelfSignedKeyRegistry, WitnessClass, WitnessPayload, WitnessSignature, WitnessSummary,
    WitnessTier,
};
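
The doctrine boundaries above (disjoint authority, subject binding, a caller-supplied `now` and `max_age`, no producer self-witnessing) can be modelled as a small pure function. This is an added example, not code from crtx-verifier: every type, field and function name in it is hypothetical, signature verification is left out, and the mapping of each check to an invariant label and the order of the checks are assumptions.

```rust
// Added illustration: a simplified model of the reducer's checks, not the crtx-verifier API.
// All type, field and function names here are hypothetical; signature checks are omitted.
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum Outcome {
    FullChainVerified,
    Broken(&'static str), // label reuses an invariant name exported by the crate
}

#[derive(Debug, Clone)]
pub struct Witness {
    pub domain: &'static str,       // authority domain the witness speaks for
    pub asserted_subject: [u8; 32], // digest the witness claims to have seen
    pub observed_at: u64,           // seconds since epoch (assumed unit)
}

/// Pure function: no clock, file or network access; `now` is passed in by the caller.
pub fn reduce(
    evidence: [u8; 32],
    producer_domain: &str,
    witnesses: &[Witness],
    now: u64,
    max_age: u64,
    required: usize,
) -> Outcome {
    if witnesses.len() < required.max(1) {
        return Outcome::Broken("WITNESS_MISSING");
    }
    let mut seen = HashSet::new();
    for w in witnesses {
        // Assumption: a producer acting as its own witness is treated as overlap.
        if w.domain == producer_domain || !seen.insert(w.domain) {
            return Outcome::Broken("WITNESS_AUTHORITY_OVERLAP");
        }
        if w.asserted_subject != evidence {
            return Outcome::Broken("WITNESS_DISAGREEMENT");
        }
        // Fail closed on future-dated witnesses as well as on expired ones.
        match now.checked_sub(w.observed_at) {
            Some(age) if age <= max_age => {}
            _ => return Outcome::Broken("WITNESS_STALE"),
        }
    }
    Outcome::FullChainVerified
}

fn main() {
    let w = |domain, at| Witness { domain, asserted_subject: [7; 32], observed_at: at };
    let ws = [w("anchor-a", 990), w("anchor-b", 995)]; // constructed sample witnesses
    println!("{:?}", reduce([7; 32], "producer", &ws, 1000, 60, 2));
}
```

Because the function takes `now` as an argument and touches no I/O, the same inputs always give the same verdict, which is what makes the trust path replayable in tests.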