libverify-core 0.7.3

Platform-agnostic SDLC verification engine — evidence model, controls, assessment
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207

use serde::{Deserialize, Serialize};

use crate::control::{Control, ControlFinding, ControlStatus, evaluate_all};
use crate::evidence::EvidenceBundle;
use crate::profile::{ControlProfile, ProfileOutcome, SeverityLabels, apply_profile};
use crate::registry::ControlRegistry;

/// Complete assessment result combining raw control findings with profile-mapped outcomes.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct AssessmentReport {
    pub profile_name: String,
    pub findings: Vec<ControlFinding>,
    pub outcomes: Vec<ProfileOutcome>,
    pub severity_labels: SeverityLabels,
}

/// Assessment report with optional raw evidence bundle for audit trails.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct VerificationResult {
    #[serde(flatten)]
    pub report: AssessmentReport,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub evidence: Option<EvidenceBundle>,
}

impl VerificationResult {
    pub fn new(report: AssessmentReport, evidence: Option<EvidenceBundle>) -> Self {
        Self { report, evidence }
    }
}

/// Batch verification report for multiple change requests.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct BatchReport {
    pub reports: Vec<BatchEntry>,
    pub total_pass: usize,
    pub total_review: usize,
    pub total_fail: usize,
    pub skipped: Vec<SkippedEntry>,
}

/// A single entry in a batch report.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct BatchEntry {
    pub subject_id: String,
    #[serde(flatten)]
    pub result: VerificationResult,
}

/// A skipped entry in a batch report.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct SkippedEntry {
    pub subject_id: String,
    pub reason: String,
}

/// Evaluates all controls against evidence and maps findings through a profile.
pub fn assess(
    evidence: &EvidenceBundle,
    controls: &[Box<dyn Control>],
    profile: &dyn ControlProfile,
) -> AssessmentReport {
    let findings: Vec<ControlFinding> = evaluate_all(controls, evidence)
        .into_iter()
        .filter(|f| f.status != ControlStatus::NotApplicable)
        .collect();
    let outcomes = apply_profile(profile, &findings);

    AssessmentReport {
        profile_name: profile.name().to_string(),
        findings,
        outcomes,
        severity_labels: profile.severity_labels(),
    }
}

/// Assess using a control registry and profile.
pub fn assess_with_registry(
    evidence: &EvidenceBundle,
    registry: &ControlRegistry,
    profile: &dyn ControlProfile,
) -> AssessmentReport {
    assess(evidence, registry.controls(), profile)
}

// ---------------------------------------------------------------------------
// Fleet-level aggregation
// ---------------------------------------------------------------------------

use crate::profile::GateDecision;
use std::collections::HashMap;

/// Fleet-level aggregation of verification results across multiple repositories.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct FleetReport {
    /// Per-repo summaries, sorted by fail count descending (worst first).
    pub repos: Vec<RepoSummary>,
    /// Control-level statistics across the fleet.
    pub control_stats: Vec<ControlFleetStat>,
    /// Fleet-wide totals.
    pub total_pass: usize,
    pub total_review: usize,
    pub total_fail: usize,
}

/// Summary of a single repository's verification results.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct RepoSummary {
    pub repo_id: String,
    pub pass: usize,
    pub review: usize,
    pub fail: usize,
    /// Failing control IDs for quick triage.
    pub failing_controls: Vec<String>,
}

/// Fleet-wide statistics for a single control.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct ControlFleetStat {
    pub control_id: String,
    /// Number of repos where this control failed.
    pub fail_count: usize,
    /// Number of repos where this control was reviewed.
    pub review_count: usize,
    /// Number of repos where this control passed.
    pub pass_count: usize,
    /// SOC2 TSC criteria mapping.
    pub tsc_criteria: Vec<String>,
}

impl FleetReport {
    /// Build a fleet report from a set of (repo_id, assessment_report) pairs.
    pub fn from_assessments(entries: Vec<(String, &AssessmentReport)>) -> Self {
        let mut repos = Vec::new();
        let mut control_map: HashMap<String, (usize, usize, usize)> = HashMap::new();
        let mut total_pass = 0;
        let mut total_review = 0;
        let mut total_fail = 0;

        for (repo_id, report) in &entries {
            let mut pass = 0;
            let mut review = 0;
            let mut fail = 0;
            let mut failing_controls = Vec::new();

            for outcome in &report.outcomes {
                let key = outcome.control_id.as_str().to_string();
                let entry = control_map.entry(key.clone()).or_insert((0, 0, 0));

                match outcome.decision {
                    GateDecision::Pass => {
                        pass += 1;
                        entry.2 += 1;
                    }
                    GateDecision::Review => {
                        review += 1;
                        entry.1 += 1;
                    }
                    GateDecision::Fail => {
                        fail += 1;
                        entry.0 += 1;
                        failing_controls.push(key);
                    }
                }
            }

            total_pass += pass;
            total_review += review;
            total_fail += fail;

            repos.push(RepoSummary {
                repo_id: repo_id.clone(),
                pass,
                review,
                fail,
                failing_controls,
            });
        }

        // Sort repos by fail count descending (worst first)
        repos.sort_by(|a, b| b.fail.cmp(&a.fail));

        // Build control stats sorted by fail count descending
        let mut control_stats: Vec<ControlFleetStat> = control_map
            .into_iter()
            .map(|(id, (fail, review, pass))| ControlFleetStat {
                tsc_criteria: crate::control::builtin_tsc_mapping(&id)
                    .iter()
                    .map(|s| s.to_string())
                    .collect(),
                control_id: id,
                fail_count: fail,
                review_count: review,
                pass_count: pass,
            })
            .collect();
        control_stats.sort_by(|a, b| b.fail_count.cmp(&a.fail_count));

        FleetReport {
            repos,
            control_stats,
            total_pass,
            total_review,
            total_fail,
        }
    }
}