cortex_core/

lib.rs

//! Core types, identifiers, errors, and schema constants for Cortex.
//!
//! `cortex-core` is the **shape layer**: it defines the typed primitives that
//! every other crate in the workspace agrees on (events, traces, IDs, errors,
//! schema version). It performs **no I/O**, **no network calls**, and **no
//! LLM invocations** — those live in `cortex-ledger`, `cortex-store`,
//! `cortex-llm`, etc. (BUILD_SPEC §8.)
//!
//! The intent is that any change to a type re-exported from this crate is
//! immediately visible everywhere it is used, and any wire-format change is
//! gated by a [`SCHEMA_VERSION`] bump (see [`version`] for the bump policy).

#![deny(unsafe_code, missing_debug_implementations)]
#![warn(missing_docs)]

pub mod attestor;
pub mod audit;
pub mod authority;
pub mod axiom_trust;
pub mod boundary;
pub mod canonical;
pub mod claim_language;
pub mod claims;
pub mod consumer_advisory;
pub mod error;
pub mod event;
pub mod ids;
pub mod policy;
pub mod proof;
pub mod salience_v2;
pub mod schema_migration;
pub mod semantic_trust;
pub mod source_attestation;
pub mod summary;
pub mod trace;
pub mod version;

pub use attestor::{
    attest, sign_rotation, verify, verify_rotation, Attestation, Attestor, IdentityRotation,
    InMemoryAttestor, RotationEnvelope, VerifyError,
};
pub use audit::{AuditRecord, Outcome};
pub use authority::{
    revalidate_temporal_authority, KeyLifecycleState, TemporalAuthorityEvidence,
    TemporalAuthorityReason, TemporalAuthorityReport, TrustTier,
};
pub use axiom_trust::{
    accepted_axiom_source_commits, is_axiom_source_commit_fresh, parse_authority_feedback_loop,
    parse_axiom_execution_trust, parse_cortex_context_trust, ActorAttestation, AmplificationRisk,
    ArtifactLifecycleState, AuthorityClaimStatus, AuthorityFeedbackLoop, AxiomExecutionTrust,
    AxiomExecutionTrustEnvelope, CompatibilityTrustLabel, ConfidenceCeiling,
    ContextAllowedClaimLanguage, ContextAllowedUse, ContextConfidence, ContextConfidenceScale,
    ContextConfidenceValue, ContextForbiddenUse, ContextPolicyResult, ContextPolicyResultValue,
    ContextProofState, ContextProofStateValue, ContextProvenanceClass, ContextQuarantineState,
    ContextRedactionState, ContextRedactionStatus, ContextSemanticTrust, ContextSourceAnchor,
    ContextSourceAnchorType, ContradictionState, CortexContextTrust, CortexContextTrustEnvelope,
    ExecutionPolicyDecision, ExecutionPolicyResult, ExecutionSourceAnchor,
    ExecutionSourceAnchorType, ExecutionToolProvenance, ExecutionTrustLevel,
    FeedbackAuthorityClaims, FeedbackAxiomAction, FeedbackInitiatingContext,
    FeedbackReturnedArtifact, NamedQuarantineOutputs, PromotionState, QuarantineOutput, RepoTrust,
    RepoTrustResult, ReproducibilityLevel, TargetDomainValidation, TargetDomainValidationResult,
    TokenRevocationResult, TokenScope, TrustExchangeFieldError, TrustExchangeValidation,
    TruthCeiling, AUTHORITY_FEEDBACK_LOOP_SCHEMA, AXIOM_EXECUTION_TRUST_SCHEMA,
    AXIOM_EXECUTION_TRUST_SOURCE_COMMIT_STALE_INVARIANT, CORTEX_AXIOM_ACCEPTED_SOURCE_COMMITS_ENV,
    CORTEX_CONTEXT_TRUST_SCHEMA, DEFAULT_ACCEPTED_AXIOM_SOURCE_COMMITS,
    TRUST_EXCHANGE_SCHEMA_VERSION,
};
pub use boundary::{
    default_allowed_claim_language, default_forbidden_boundary_uses, AllowedClaimLanguage,
    BoundaryContradictionState, BoundaryQuarantineState, BoundaryRedactionState,
    BoundarySourceAnchor, BoundaryToolInvocation, BoundaryToolOutcome, CapabilityTokenDecision,
    CapabilityTokenState, CortexAxiomConstraintEnvelopeV1, ExecutionTrustState,
    ForbiddenBoundaryUse, OperatorApprovalState, PaiAxiomExecutionReceiptV1, RuntimeIntegrityState,
    BOUNDARY_SCHEMA_VERSION, CORTEX_TO_AXIOM_CONSTRAINT_ENVELOPE_V1,
    PAI_AXIOM_TO_CORTEX_EXECUTION_RECEIPT_V1,
};
pub use canonical::{
    canonical_rotation_input, canonical_signing_input, AttestationPreimage, LineageBinding,
    SourceIdentity, DOMAIN_TAG_ATTESTATION_PREIMAGE, DOMAIN_TAG_ROTATION_ENVELOPE,
    SCHEMA_VERSION_ATTESTATION,
};
pub use claim_language::{
    map_axiom_claims, AxiomClaimInput, AxiomConstraint, AxiomConstraintKind,
    AxiomConstraintSeverity, AxiomElementKind, AxiomEvidenceKind, AxiomStatus, CortexClaimMapping,
    CortexClaimRole,
};
pub use claims::{
    effective_ceiling, mix_authority_to_weakest, mix_claims_to_weakest,
    mix_reportable_claims_to_weakest, AuthorityClass, ClaimCeiling, ClaimProofState,
    ReportableClaim, RuntimeMode,
};
pub use consumer_advisory::{
    contains_exec_shaped_string, AdvisoryFlag, ConsumerAdvisory, ExecutionTrustClass,
    RenderTrustClass,
};
pub use error::{CoreError, CoreResult};
pub use error::{CortexError, CortexResult};
pub use event::{Event, EventSource, EventType};
pub use ids::{
    AuditRecordId, ContextPackId, ContradictionId, CorrelationId, DecayJobId, DoctrineId,
    EpisodeId, EventId, MemoryId, PrincipleId, TraceId,
};
pub use policy::{
    compose_policy_outcomes, BreakGlassAuditShape, BreakGlassAuthorization, BreakGlassReasonCode,
    BreakGlassScope, PolicyContribution, PolicyDecision, PolicyEngine, PolicyError, PolicyOutcome,
    PolicyRuleId,
};
pub use proof::{
    FailingEdge, ProofClosureReport, ProofEdge, ProofEdgeFailure, ProofEdgeKind, ProofState,
};
pub use salience_v2::{CrossSessionSalience, OutcomeMemoryRelation};
pub use schema_migration::{
    schema_migration_v1_to_v2_event, SchemaMigrationEventError, SchemaMigrationPayloadError,
    SchemaMigrationV1ToV2Payload, SCHEMA_MIGRATION_V1_TO_V2_EVENT_KIND,
    SCHEMA_MIGRATION_V1_TO_V2_ID, SCHEMA_MIGRATION_V1_TO_V2_TARGET,
};
pub use semantic_trust::{
    evaluate_semantic_trust, ProvenanceClass, SemanticTrustClass, SemanticTrustInput,
    SemanticTrustReport, SemanticUse,
};
pub use source_attestation::SourceAttestation;
pub use summary::{validate_summary_spans, SourceAuthority, SummarySpan, SummarySpanError};
pub use trace::{Trace, TraceStatus};
pub use version::{crate_version, schema};

/// Current schema version for persisted Cortex rows and JSON envelopes.
///
/// See [`version`] for the bump policy.
///
/// **Bumped to 2** in the schema v2 atomic cutover commit (ADR 0018). Forward-
/// only: a v1 binary opening a v2 store fails closed with `Exit::SchemaMismatch`
/// (ADR 0033 §6). Rollback is restore-from-blessed-pre-v2-backup; in-place
/// down-migration is forbidden by ADR 0033 §3.
pub const SCHEMA_VERSION: u16 = 2;

// Compile-time assertion that the migration target and the live schema version
// agree. If a future commit bumps `SCHEMA_VERSION` to a value other than the
// `schema_migration::SCHEMA_MIGRATION_V1_TO_V2_TARGET` it should also update the
// boundary event type and the migration verifier. This guard makes that drift
// a build failure rather than a runtime surprise.
const _: () = assert!(
    SCHEMA_VERSION == schema_migration::SCHEMA_MIGRATION_V1_TO_V2_TARGET,
    "cortex_core::SCHEMA_VERSION must equal SCHEMA_MIGRATION_V1_TO_V2_TARGET; \
     update the schema_migration module or the migration verifier together"
);