tsafe-attest 1.1.0

Attestation pipeline for tsafe — secret scanner + env-injection contract + run-evidence harness (algol-merged)
//! Attestation pipeline for tsafe — secret scanner + env-injection
//! contract + run-evidence harness.
//!
//! # Provenance
//!
//! Phase 3 lifted the algol Phase 2.1 scanner (`algol/src/scan.rs` @
//! `4e81948`, built on `6956cfd`). Phase 4 lifts the env-injection
//! contract pipeline (`algol/src/{audit,enforce,event_log,events,plan,
//! redact}.rs` @ `6956cfd`) and converges the hash family + schema
//! namespace.
//!
//! Re-licensed `AGPL-3.0-or-later` per:
//!
//! - `ecosystem-catalog/docs/adr/draft-algol-into-tsafe-merge.md`
//! - `ecosystem-catalog/portfolio-algol-tsafe-migration-2026-05-21.md`
//! - `ecosystem-catalog/portfolio-algol-tsafe-phase0-audit-2026-05-21.md`
//! - `ecosystem-catalog/portfolio-algol-tsafe-phase2-scanner-2026-05-21.md`
//! - `ecosystem-catalog/portfolio-algol-tsafe-phase2-1-precision-recovery-2026-05-21.md`
//! - `ecosystem-catalog/portfolio-algol-tsafe-phase4-attest-run-2026-05-21.md`
//! - operator decisions 2026-05-21
//!
//! # Public surface
//!
//! - [`scan`] — Phase 3 scanner module
//! - [`model`] — `ScanReport`, `ScanFinding`, severity, finding kinds
//! - [`redact`] — content redaction + `short_hash` (Phase 4 BLAKE3 family)
//! - [`hash`] — BLAKE3 canonical + SHA-256 deprecation API
//! - [`events`] — CloudEvents projection types (`tsafe.audit_event.v1`)
//! - [`event_log`] — append-only audit log + lifecycle event constructors
//! - [`audit`] — markdown audit-report renderer (`tsafe attest audit`)
//! - [`enforce`] — env-injection enforcement harness (`tsafe attest run`)
//! - [`plan`] — contract derivation from scan reports (`tsafe attest plan`)
//!
//! # Hash family — BLAKE3 canonical
//!
//! Per ec ADR-0003 (hash convergence), all new content-hash output is
//! BLAKE3 (`blake3:<64 hex>`). SHA-256 hashes are still accepted on
//! parse during the v1.x compat window for legacy `algol.*` artifacts.
//! Phase 4 swept four fingerprint slots in `RunEvidence`, four schema
//! names, and the `ALGOL-FINDING-NNNN` ID prefix; see `CHANGELOG.md`.
//!
//! # Schema namespace (Phase 4 rename wave)
//!
//! New emissions use the `tsafe.*` namespace:
//!
//! - `algol.run.v1`         -> `tsafe.run.v1`
//! - `algol.contract.v1`    -> `tsafe.contract.v1`
//! - `algol.scan.v1`        -> `tsafe.scan.v1`
//! - `algol.audit_event.v1` -> `tsafe.audit_event.v1`
//! - `ALGOL-FINDING-NNNN`   -> `TSAFE-FINDING-NNNN`
//!
//! Parsers accept legacy names during the v1.x compat window.

pub mod audit;
pub mod enforce;
pub mod event_log;
pub mod events;
pub mod hash;
pub mod model;
pub mod plan;
pub mod redact;
pub mod scan;

pub use model::{
    is_supported_scan_schema, CiSecretReference, FindingKind, ObservedEnvRead, ScanFinding,
    ScanReport, ScanSummary, Severity, ATTEST_VERSION, LEGACY_SCAN_SCHEMA, SCAN_SCHEMA,
};
pub use scan::{
    is_high_risk_env_name, is_sensitive_env_name, print_summary, scan_repo, write_scan,
};
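
The compat-window rules from the `Hash family` and `Schema namespace` doc sections above, as an added example that is not part of tsafe-attest: a std-only parser that classifies a content hash as canonical or legacy and maps legacy schema names and finding IDs to their `tsafe.*` forms. All type and function names are hypothetical; the `sha256:<64 hex>` spelling and the four-digit reading of `NNNN` are assumptions, since the page specifies only `blake3:<64 hex>`.

```rust
// Added example; every name here is hypothetical, not tsafe-attest's API.
// Assumptions: legacy digests are spelled `sha256:<64 hex>`, and NNNN means
// exactly four decimal digits. The page fixes only `blake3:<64 hex>`.

#[derive(Debug, PartialEq)]
pub enum ContentHash {
    Blake3(String),       // canonical; the only family new output may use
    LegacySha256(String), // accepted on parse during the v1.x compat window
}

pub fn parse_content_hash(s: &str) -> Result<ContentHash, String> {
    let (family, hex) = s.split_once(':').ok_or("missing `<family>:` prefix")?;
    if hex.len() != 64 || !hex.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Err(format!("digest is not 64 hex chars: {s:?}"));
    }
    match family {
        "blake3" => Ok(ContentHash::Blake3(hex.to_string())),
        "sha256" => Ok(ContentHash::LegacySha256(hex.to_string())),
        other => Err(format!("unsupported hash family: {other:?}")),
    }
}

static SCHEMAS: [&str; 4] =
    ["tsafe.run.v1", "tsafe.contract.v1", "tsafe.scan.v1", "tsafe.audit_event.v1"];

/// Returns the `tsafe.*` schema name and whether the input used the legacy namespace.
pub fn canonical_schema(name: &str) -> Option<(&'static str, bool)> {
    let (ns, rest) = name.split_once('.')?;
    let legacy = match ns {
        "tsafe" => false,
        "algol" => true,
        _ => return None,
    };
    let found = SCHEMAS.iter().copied().find(|s| s.strip_prefix("tsafe.") == Some(rest))?;
    Some((found, legacy))
}

/// Maps either finding-ID prefix to `TSAFE-FINDING-NNNN`.
pub fn canonical_finding_id(id: &str) -> Option<String> {
    let n = id.strip_prefix("TSAFE-FINDING-").or_else(|| id.strip_prefix("ALGOL-FINDING-"))?;
    (n.len() == 4 && n.bytes().all(|b| b.is_ascii_digit())).then(|| format!("TSAFE-FINDING-{n}"))
}

fn main() {
    let legacy = format!("sha256:{}", "ab".repeat(32)); // constructed digest
    println!("{:?}", parse_content_hash(&legacy));
    println!("{:?}", canonical_schema("algol.scan.v1"));
    println!("{:?}", canonical_finding_id("ALGOL-FINDING-0042"));
}
```

Keeping the legacy case as its own enum variant lets a verifier reject SHA-256 artifacts once the compat window closes without touching the parser.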