koi-common 0.4.2

Shared types, traits, and utilities for the Koi local network toolkit
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242

//! Trust posture — the mode oracle every mode-transparent primitive consults.
//!
//! ADR-020 §0/§1. Koi's native trust vocabulary is "secure/non-secure"
//! (ADR-016 §2); this extends that single bit into two orthogonal dimensions so
//! the *same* consumer code path works whether a node is unsecured,
//! authenticated, or confidential. The dial lives inside Koi's primitives — they
//! all key off this type, and consumers never branch on it.
//!
//! Neutral vocabulary only (STACK-0001 K2): `Open` / `Authenticated` /
//! `Confidential` are standard security terms, never a consumer codename. A
//! consumer layer may *alias* the level as its own "degree"; that naming never
//! enters Koi.

use serde::{Deserialize, Serialize};
use utoipa::ToSchema;

/// A node's (or a discovered peer's) trust posture: two orthogonal cryptographic
/// dimensions.
///
/// - `signed` — a usable cryptographic identity is present (the node can sign and
///   speak mTLS). This is exactly Koi's historical "secure" bit (ADR-016 §2).
/// - `encrypted` — group-key confidentiality is available (the future
///   Confidential rung; stays `false` until the `seal`/`open` encryption rung
///   lands, ADR-020 §4).
///
/// Every mode-transparent primitive (sign/verify, serve, client_for,
/// require_auth, seal/open) consults this and adapts. Wire-stable (serde +
/// schema) so a peer's posture can travel in discovery and the published wire
/// contract (ADR-020 §9).
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Default, Serialize, Deserialize, ToSchema)]
pub struct Posture {
    /// A usable cryptographic identity is present (can sign / speak mTLS).
    pub signed: bool,
    /// Group-key confidentiality is available (the future Confidential rung).
    pub encrypted: bool,
}

impl Posture {
    /// No identity, no confidentiality — the default for an unsecured node.
    pub const OPEN: Posture = Posture {
        signed: false,
        encrypted: false,
    };

    /// Construct from the two dimensions.
    pub const fn new(signed: bool, encrypted: bool) -> Self {
        Self { signed, encrypted }
    }

    /// The named level this posture resolves to.
    ///
    /// `encrypted` without `signed` is meaningless (no confidential trust without
    /// an identity), so any unsigned posture is [`PostureLevel::Open`].
    pub const fn level(self) -> PostureLevel {
        match (self.signed, self.encrypted) {
            (false, _) => PostureLevel::Open,
            (true, false) => PostureLevel::Authenticated,
            (true, true) => PostureLevel::Confidential,
        }
    }

    /// Back-compat with Koi's native "secure/non-secure" vocabulary (ADR-016 §2):
    /// a node is "secure" exactly when it holds an identity.
    pub const fn is_secure(self) -> bool {
        self.signed
    }
}

/// The named trust level derived from a [`Posture`] (ADR-020 §1).
///
/// A graduated ladder; each rung is a superset of the last, so the derived
/// ordering (`Open < Authenticated < Confidential`) answers "at least this
/// level". Neutral, standard security vocabulary (STACK-0001 K2).
#[derive(
    Debug, Clone, Copy, PartialEq, Eq, Hash, PartialOrd, Ord, Serialize, Deserialize, ToSchema,
)]
#[serde(rename_all = "snake_case")]
pub enum PostureLevel {
    /// No identity — plaintext, anonymous (freshness only).
    Open,
    /// A cryptographic identity is present — signed / mTLS, authenticated-as-CN.
    Authenticated,
    /// Authenticated plus group-key confidentiality (the future rung).
    Confidential,
}

impl PostureLevel {
    /// The stable wire string (snake_case) used in mDNS TXT stamping and the
    /// published wire contract (ADR-020 §8/§9). The inverse of [`from_wire`].
    ///
    /// [`from_wire`]: PostureLevel::from_wire
    pub const fn as_wire(self) -> &'static str {
        match self {
            PostureLevel::Open => "open",
            PostureLevel::Authenticated => "authenticated",
            PostureLevel::Confidential => "confidential",
        }
    }

    /// Parse a wire string back into a level (the inverse of [`as_wire`]).
    /// Returns `None` for any unrecognized token.
    ///
    /// [`as_wire`]: PostureLevel::as_wire
    pub fn from_wire(s: &str) -> Option<Self> {
        match s {
            "open" => Some(PostureLevel::Open),
            "authenticated" => Some(PostureLevel::Authenticated),
            "confidential" => Some(PostureLevel::Confidential),
            _ => None,
        }
    }

    /// The [`Posture`] booleans this level implies — the inverse of
    /// [`Posture::level`].
    pub const fn to_posture(self) -> Posture {
        match self {
            PostureLevel::Open => Posture::OPEN,
            PostureLevel::Authenticated => Posture::new(true, false),
            PostureLevel::Confidential => Posture::new(true, true),
        }
    }
}

impl From<Posture> for PostureLevel {
    fn from(p: Posture) -> Self {
        p.level()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn open_is_neither_and_not_secure() {
        assert_eq!(Posture::OPEN, Posture::new(false, false));
        assert_eq!(Posture::OPEN.level(), PostureLevel::Open);
        assert!(!Posture::OPEN.is_secure());
    }

    #[test]
    fn default_posture_is_open() {
        assert_eq!(Posture::default(), Posture::OPEN);
    }

    #[test]
    fn signed_only_is_authenticated_and_secure() {
        let p = Posture::new(true, false);
        assert_eq!(p.level(), PostureLevel::Authenticated);
        assert!(p.is_secure());
    }

    #[test]
    fn signed_and_encrypted_is_confidential() {
        let p = Posture::new(true, true);
        assert_eq!(p.level(), PostureLevel::Confidential);
        assert!(p.is_secure());
    }

    #[test]
    fn encrypted_without_signed_degrades_to_open() {
        // Confidentiality without an identity is meaningless.
        let p = Posture::new(false, true);
        assert_eq!(p.level(), PostureLevel::Open);
        assert!(!p.is_secure());
    }

    #[test]
    fn level_ordering_is_a_graduated_ladder() {
        assert!(PostureLevel::Open < PostureLevel::Authenticated);
        assert!(PostureLevel::Authenticated < PostureLevel::Confidential);
    }

    #[test]
    fn from_posture_for_level() {
        assert_eq!(
            PostureLevel::from(Posture::new(true, false)),
            PostureLevel::Authenticated
        );
    }

    #[test]
    fn posture_serde_round_trip() {
        let p = Posture::new(true, false);
        let json = serde_json::to_string(&p).unwrap();
        assert_eq!(json, r#"{"signed":true,"encrypted":false}"#);
        let back: Posture = serde_json::from_str(&json).unwrap();
        assert_eq!(back, p);
    }

    #[test]
    fn posture_level_serializes_snake_case() {
        assert_eq!(
            serde_json::to_string(&PostureLevel::Authenticated).unwrap(),
            r#""authenticated""#
        );
        assert_eq!(
            serde_json::to_string(&PostureLevel::Confidential).unwrap(),
            r#""confidential""#
        );
        let back: PostureLevel = serde_json::from_str(r#""open""#).unwrap();
        assert_eq!(back, PostureLevel::Open);
    }

    #[test]
    fn as_wire_matches_serde_snake_case() {
        // The TXT wire string must equal the serde token so the contract is one
        // vocabulary, not two.
        for level in [
            PostureLevel::Open,
            PostureLevel::Authenticated,
            PostureLevel::Confidential,
        ] {
            let serde = serde_json::to_string(&level).unwrap();
            assert_eq!(format!("\"{}\"", level.as_wire()), serde);
        }
    }

    #[test]
    fn from_wire_round_trips_as_wire() {
        for level in [
            PostureLevel::Open,
            PostureLevel::Authenticated,
            PostureLevel::Confidential,
        ] {
            assert_eq!(PostureLevel::from_wire(level.as_wire()), Some(level));
        }
        assert_eq!(PostureLevel::from_wire("bogus"), None);
        assert_eq!(PostureLevel::from_wire("Authenticated"), None); // case-sensitive
    }

    #[test]
    fn to_posture_is_inverse_of_level() {
        for posture in [
            Posture::OPEN,
            Posture::new(true, false),
            Posture::new(true, true),
        ] {
            assert_eq!(posture.level().to_posture(), posture);
        }
    }
}