openvet-policy 0.2.0

Claim catalog, requirement language, and Kleene evaluator for OpenVet.

openvet-policy

Requirement language and Kleene evaluator for OpenVet.

Given a TOML-defined policy and the audits collected for a single subject across all configured logs, it returns a Pass / Fail verdict with structured per-requirement diagnostics.

TOML shape

# Bare form: default-on requirement, value is the expression.
[requirement]
safe-to-deploy = "safe-to-deploy and not unsafe-code"

# Table form: opt-in by overriding into the requirement set.
[requirement.sandbox]
condition = "sandboxed"
default = false

# Per-subject overrides. Matcher fields are AND'd; "*" / omitted = wildcard.
[[override]]
registry = "cargo"
package = "libc"
requirements = { add = ["sandbox"], remove = ["safe-to-deploy"] }

[[override]]
package = "serde"
requirements = ["safe-to-deploy"]   # replace form

# Cross-log claim renames: "log:claim" → canonical name.
[alias]
safe-to-run = ["google:safe-to-run", "mozilla:runtime-safe"]
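Added example (not the crate's own code) showing how the requirement and override tables above resolve to the effective requirement set for one subject. The README's policy is transcribed into plain structs instead of being parsed from TOML, and two points are assumptions of this example rather than documented behaviour: matching overrides apply in declaration order, and `add` / `remove` names are taken at face value without checking that they name a declared requirement.

```rust
use std::collections::BTreeSet;

/// Identity of the subject being vetted: the matcher fields used by [[override]].
struct Subject<'a> {
    registry: &'a str,
    package: &'a str,
}

/// A requirement declaration. Bare form is default-on; table form carries `default`.
struct Requirement<'a> {
    name: &'a str,
    default: bool,
}

/// The two shapes the `requirements` key of an override may take.
enum Edit<'a> {
    /// `requirements = { add = [...], remove = [...] }`
    Adjust { add: Vec<&'a str>, remove: Vec<&'a str> },
    /// `requirements = [...]` replaces the whole set.
    Replace(Vec<&'a str>),
}

/// One [[override]] entry. `None` means the matcher field was omitted (wildcard).
struct Override<'a> {
    registry: Option<&'a str>,
    package: Option<&'a str>,
    edit: Edit<'a>,
}

/// A matcher field matches when omitted, "*", or equal to the subject's value.
fn field_matches(pattern: Option<&str>, value: &str) -> bool {
    match pattern {
        None | Some("*") => true,
        Some(p) => p == value,
    }
}

impl<'a> Override<'a> {
    /// Matcher fields are AND'd: every field must match for the override to apply.
    fn matches(&self, subject: &Subject<'_>) -> bool {
        field_matches(self.registry, subject.registry) && field_matches(self.package, subject.package)
    }
}

/// Start from the default-on requirements, then apply each matching override.
/// Declaration order is assumed here; the README does not say how several
/// matching overrides compose.
fn effective_requirements<'a>(
    requirements: &[Requirement<'a>],
    overrides: &[Override<'a>],
    subject: &Subject<'_>,
) -> BTreeSet<&'a str> {
    let mut set: BTreeSet<&'a str> = requirements.iter().filter(|r| r.default).map(|r| r.name).collect();
    for ov in overrides.iter().filter(|o| o.matches(subject)) {
        match &ov.edit {
            Edit::Adjust { add, remove } => {
                for r in remove { set.remove(r); }
                for a in add { set.insert(*a); }
            }
            Edit::Replace(list) => set = list.iter().copied().collect(),
        }
    }
    set
}

/// The README's example policy, transcribed by hand (no TOML parsing here).
fn readme_policy() -> (Vec<Requirement<'static>>, Vec<Override<'static>>) {
    let requirements = vec![
        Requirement { name: "safe-to-deploy", default: true },
        Requirement { name: "sandbox", default: false },
    ];
    let overrides = vec![
        Override { registry: Some("cargo"), package: Some("libc"),
                   edit: Edit::Adjust { add: vec!["sandbox"], remove: vec!["safe-to-deploy"] } },
        Override { registry: None, package: Some("serde"),
                   edit: Edit::Replace(vec!["safe-to-deploy"]) },
    ];
    (requirements, overrides)
}

fn main() {
    let (reqs, ovs) = readme_policy();
    for (registry, package) in [("cargo", "libc"), ("npm", "serde"), ("npm", "left-pad")] {
        let subject = Subject { registry, package };
        println!("{registry}:{package} -> {:?}", effective_requirements(&reqs, &ovs, &subject));
    }
}
```

Note that the `serde` override omits `registry`, so it applies to a `serde` package in any registry, and that the replace form discards the defaults entirely rather than merging with them.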

Evaluation

Each audit is evaluated in Kleene's strong three-valued logic (True, False, Unknown); a claim the audit does not address is Unknown. Short-circuiting follows the standard rules: False short-circuits and, True short-circuits or, and not Unknown == Unknown, so Unknown propagates wherever a dominating operand does not decide the result.

A requirement passes for a subject iff at least one audit returns True and no audit returns False. Fail variants distinguish "nobody had enough info" (NotAsserted) from "an audit explicitly disagrees" (Contradicted), and the latter includes a snapshot of the relevant claims so the failure message can show why.

A subject passes iff all of its effective requirements pass.
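Added example (not the crate's own code) of the evaluation rules above: a small parser for the `and` / `or` / `not` expression language, a Kleene evaluator with the stated short-circuiting, and the across-audits aggregation into Pass, NotAsserted, or Contradicted. The grammar (or loosest, then and, then prefix not; no parentheses), the audit representation as a claim-to-bool map, and the three sample audits are all assumptions of this example; the real crate's types and error variants may differ.

```rust
use std::collections::HashMap;

/// Kleene's strong three-valued logic: the per-audit value of an expression.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum Tri { True, False, Unknown }

impl Tri {
    fn not(self) -> Tri {
        match self { Tri::True => Tri::False, Tri::False => Tri::True, Tri::Unknown => Tri::Unknown }
    }
}

/// Parsed requirement expression. Grammar assumed from the README's samples:
/// `or` binds loosest, then `and`, then prefix `not`; atoms are claim names.
enum Expr { Claim(String), Not(Box<Expr>), And(Box<Expr>, Box<Expr>), Or(Box<Expr>, Box<Expr>) }

fn parse(src: &str) -> Result<Expr, String> {
    let toks: Vec<&str> = src.split_whitespace().collect();
    let mut pos = 0;
    let expr = parse_or(&toks, &mut pos)?;
    if pos != toks.len() { return Err(format!("unexpected token {:?}", toks[pos])); }
    Ok(expr)
}

fn parse_or(t: &[&str], p: &mut usize) -> Result<Expr, String> {
    let mut lhs = parse_and(t, p)?;
    while t.get(*p) == Some(&"or") {
        *p += 1;
        lhs = Expr::Or(Box::new(lhs), Box::new(parse_and(t, p)?));
    }
    Ok(lhs)
}

fn parse_and(t: &[&str], p: &mut usize) -> Result<Expr, String> {
    let mut lhs = parse_not(t, p)?;
    while t.get(*p) == Some(&"and") {
        *p += 1;
        lhs = Expr::And(Box::new(lhs), Box::new(parse_not(t, p)?));
    }
    Ok(lhs)
}

fn parse_not(t: &[&str], p: &mut usize) -> Result<Expr, String> {
    match t.get(*p) {
        Some(&"not") => { *p += 1; Ok(Expr::Not(Box::new(parse_not(t, p)?))) }
        Some(&"and") | Some(&"or") | None => Err("expected a claim name".to_string()),
        Some(&name) => { *p += 1; Ok(Expr::Claim(name.to_string())) }
    }
}

/// One audit's claims about the subject; a claim the audit does not make is Unknown.
type Audit = HashMap<&'static str, bool>;

/// Evaluate one audit: False short-circuits `and`, True short-circuits `or`,
/// `not Unknown` stays Unknown, and Unknown propagates otherwise.
fn eval(expr: &Expr, audit: &Audit) -> Tri {
    match expr {
        Expr::Claim(name) => match audit.get(name.as_str()) {
            Some(true) => Tri::True, Some(false) => Tri::False, None => Tri::Unknown,
        },
        Expr::Not(e) => eval(e, audit).not(),
        Expr::And(a, b) => match eval(a, audit) {
            Tri::False => Tri::False,
            lhs => match eval(b, audit) { Tri::False => Tri::False, Tri::True => lhs, Tri::Unknown => Tri::Unknown },
        },
        Expr::Or(a, b) => match eval(a, audit) {
            Tri::True => Tri::True,
            lhs => match eval(b, audit) { Tri::True => Tri::True, Tri::False => lhs, Tri::Unknown => Tri::Unknown },
        },
    }
}

/// Per-requirement outcome across all audits for one subject.
#[derive(Debug, PartialEq, Eq)]
enum Verdict {
    Pass,
    /// Nobody had enough info: no audit returned True and none returned False.
    NotAsserted,
    /// An audit explicitly disagrees; carries the names of the contradicting audits
    /// (a simplified stand-in for the crate's claim snapshot).
    Contradicted(Vec<String>),
}

/// Passes iff at least one audit returns True and no audit returns False.
fn verdict(expr: &Expr, audits: &[(&str, &Audit)]) -> Verdict {
    let mut any_true = false;
    let mut contradicting = Vec::new();
    for (auditor, audit) in audits {
        match eval(expr, audit) {
            Tri::True => any_true = true,
            Tri::False => contradicting.push(auditor.to_string()),
            Tri::Unknown => {}
        }
    }
    if !contradicting.is_empty() { Verdict::Contradicted(contradicting) }
    else if any_true { Verdict::Pass } else { Verdict::NotAsserted }
}

/// Constructed sample audits (not real data) for the README's example requirement.
fn sample_audits() -> (Audit, Audit, Audit) {
    let alice = HashMap::from([("safe-to-deploy", true), ("unsafe-code", false)]);
    let bob = HashMap::from([("safe-to-deploy", true)]); // silent on unsafe-code
    let carol = HashMap::from([("unsafe-code", true)]);   // found unsafe code
    (alice, bob, carol)
}

fn main() {
    let expr = parse("safe-to-deploy and not unsafe-code").expect("valid expression");
    let (alice, bob, carol) = sample_audits();
    println!("{:?}", verdict(&expr, &[("alice", &alice), ("bob", &bob)]));
    println!("{:?}", verdict(&expr, &[("bob", &bob)]));
    println!("{:?}", verdict(&expr, &[("alice", &alice), ("carol", &carol)]));
}
```

Bob's audit is the interesting case: it asserts safe-to-deploy but says nothing about unsafe-code, so `not unsafe-code` is Unknown and the whole conjunction is Unknown. On its own that yields NotAsserted, not a Pass, and it neither helps nor hurts once Alice's full audit is present.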

use openvet_policy::{parse_str, evaluate};

// `subject` is the package being vetted and `audit` is one audit collected for
// it; both are built elsewhere with the crate's own types and are not shown here.
let policy = parse_str(r#"
    [requirement]
    safe-to-deploy = "safe-to-deploy"
"#)?;
// Each audit is passed together with a name identifying where it came from.
let verdict = evaluate(&policy, &subject, &[("alice", &audit)]);
println!("{verdict}");
# Ok::<(), openvet_policy::PolicyError>(())