//! Probe data contracts shared between generation and enforcement.
/// A single probe input together with the label reported for it.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LabeledProbe {
    /// Label that identifies this probe in findings.
    pub label: String,
    /// Raw bytes fed to the code under test.
    pub input: Vec<u8>,
}

impl LabeledProbe {
    /// Create a probe from a label and its input bytes.
    ///
    /// Every finding raised by this probe carries `label`, which is how a
    /// contributor traces a failure back to the input that caused it. Keep
    /// labels deterministic and stable between runs so CI logs stay
    /// comparable across commits; since labels end up in those logs, prefer
    /// a descriptive name over echoing the raw input bytes.
    #[must_use]
    #[inline]
    pub fn new(label: impl Into<String>, input: Vec<u8>) -> Self {
        let label = label.into();
        Self { label, input }
    }
}
/// The fixed set of probe families that reference-trust enforcement runs.
#[derive(Debug, Clone, Default, PartialEq, Eq)]
pub struct ReferenceTrustProbes {
    /// Probes targeting boundary values.
    pub boundary: Vec<LabeledProbe>,
    /// Probes checking determinism and output shape.
    pub property: Vec<LabeledProbe>,
    /// Unlabeled byte inputs for independent-reference and codec round-trip checks.
    pub byte_reference: Vec<Vec<u8>>,
}

impl ReferenceTrustProbes {
    /// Assemble a probe set from its three families.
    ///
    /// Reference-trust gates expect all three families: boundary probes
    /// surface edge-case bugs, property probes surface shape and determinism
    /// bugs, and raw byte probes surface codec bugs. Together they are the
    /// minimum evidence for claiming the CPU reference was independently
    /// verified. This constructor performs no validation of its own: an empty
    /// family is stored as given and is left for the enforcement side to judge.
    #[must_use]
    #[inline]
    pub fn new(
        boundary: Vec<LabeledProbe>,
        property: Vec<LabeledProbe>,
        byte_reference: Vec<Vec<u8>>,
    ) -> Self {
        Self { boundary, property, byte_reference }
    }
}