Crate cortex_ledger

Expand description

Append-only ledger: events, hash chaining, traces. No semantic interpretation.

This crate is the substrate-layer ledger (BUILD_SPEC §8): it owns the append-only event log, the BLAKE3 hash chain that makes events immutable, the JSONL mirror used for inspectability and disaster recovery (BUILD_SPEC §7), trace assembly (event ordinals, open / attach / close), and the audit-verify pass.

It performs no semantic interpretation — that lives in cortex-memory and cortex-reflect. It performs no SQL — that lives in cortex-store (the JSONL log here is a separate, equal-priority mirror, not a SQL abstraction).

Module map:

hash — BLAKE3 framing, payload + event hash computation, sealing.
trace — TraceAssembler: open / attach / close, dense ordinals.
jsonl — JsonlLog: append-only with fsync per write, iter, verify.
audit — verify_chain(path) -> Report with per-row reasons, plus audit::verify_signed_chain enforcing the Ed25519 signature chain (Lane 3.D.6, ADR 0010 §1-§2).
signed_row — On-disk envelope carrying the per-row Ed25519 signature (signed_row::SignedRow + signed_row::RowSignature).
anchor_chain — Bridge between an cortex_core::Event and the canonical cortex_core::canonical::AttestationPreimage that gets signed; also defines the identity.rotate payload shape.
anchor — ADR 0013 position-bound external anchor parse / format / verify primitive.
external_sink — ADR 0013 Mechanism C foundation: typed external_sink::ExternalSink selector, v1 receipt sidecar parser, and the external_sink::ots quarantine boundary around the opentimestamps crate (operator decisions #3 + #4 — see the module-level doctrine notes).

Re-exports§

pub use anchor::current_anchor;
pub use anchor::parse_anchor;
pub use anchor::verify_anchor;
pub use anchor::AnchorParseError;
pub use anchor::AnchorVerification;
pub use anchor::AnchorVerifyError;
pub use anchor::LedgerAnchor;
pub use anchor::ANCHOR_FORMAT_HEADER_V1;
pub use anchor_chain::extract_rotation_payload;
pub use anchor_chain::is_identity_rotate;
pub use anchor_chain::row_preimage;
pub use anchor_chain::RotationPayload;
pub use anchor_chain::GENESIS_PREV_SIGNATURE;
pub use anchor_chain::IDENTITY_ROTATE_PAYLOAD_KIND;
pub use audit::verify_chain;
pub use audit::verify_signed_chain;
pub use audit::FailureReason;
pub use audit::HashKind;
pub use audit::Report;
pub use audit::RowFailure;
pub use audit::SignedChainOutcome;
pub use external_sink::ots::adapter::calendar_operator;
pub use external_sink::ots::adapter::enforce_disjoint_authority_quorum;
pub use external_sink::ots::adapter::submit as submit_ots;
pub use external_sink::ots::adapter::verify_receipt as verify_ots_receipt;
pub use external_sink::ots::adapter::verify_receipt_with_defaults as verify_ots_receipt_with_defaults;
pub use external_sink::ots::adapter::BitcoinHeaderSource;
pub use external_sink::ots::adapter::CalendarClient;
pub use external_sink::ots::adapter::HttpsHeadersBitcoinHeaderSource;
pub use external_sink::ots::adapter::NoopCalendarClient;
pub use external_sink::ots::adapter::OtsBrokenEdge;
pub use external_sink::ots::adapter::OtsVerificationOutcome;
pub use external_sink::ots::adapter::OtsWitness;
pub use external_sink::ots::adapter::StaticBitcoinHeaderSource;
pub use external_sink::ots::adapter::UreqCalendarClient;
pub use external_sink::ots::adapter::DEFAULT_HTTPS_HEADER_PROVIDERS;
pub use external_sink::ots::adapter::DEFAULT_HTTPS_HEADER_QUORUM_N;
pub use external_sink::ots::adapter::DEFAULT_OTS_CALENDAR_URL;
pub use external_sink::ots::adapter::DEFAULT_OTS_CALENDAR_URLS;
pub use external_sink::ots::adapter::OTS_CALENDAR_OPERATORS;
pub use external_sink::ots::adapter::OTS_DISJOINT_AUTHORITY_MIN_OPERATORS;
pub use external_sink::ots::DefaultOtsParser;
pub use external_sink::ots::OtsError;
pub use external_sink::ots::OtsParser;
pub use external_sink::ots::TypedOtsProof;
pub use external_sink::ots::BITCOIN_ATTESTATION_TAG;
pub use external_sink::ots::OTS_BITCOIN_CONFIRMED_BLOCK_HEADER_MISMATCH_INVARIANT;
pub use external_sink::ots::OTS_BITCOIN_CONFIRMED_MERKLE_PATH_INVALID_INVARIANT;
pub use external_sink::ots::OTS_BITCOIN_HEADER_POW_INVALID_INVARIANT;
pub use external_sink::ots::OTS_BITCOIN_HEADER_QUORUM_PROVIDERS_DISAGREE_INVARIANT;
pub use external_sink::ots::OTS_BITCOIN_HEADER_QUORUM_UNREACHABLE_INVARIANT;
pub use external_sink::ots::OTS_DISJOINT_AUTHORITY_QUORUM_NOT_MET_INVARIANT;
pub use external_sink::ots::OTS_PENDING_NO_BITCOIN_ATTESTATION_YET_INVARIANT;
pub use external_sink::ots::OTS_TAG_WHITELIST_UNKNOWN_TAG_INVARIANT;
pub use external_sink::ots::PENDING_ATTESTATION_TAG;
pub use external_sink::rekor::rekor_canonical_set_body;
pub use external_sink::rekor::submit as rekor_submit;
pub use external_sink::rekor::verify_receipt as rekor_verify_receipt;
pub use external_sink::rekor::InclusionProof as RekorInclusionProof;
pub use external_sink::rekor::RekorError;
pub use external_sink::rekor::RekorReceiptBody;
pub use external_sink::rekor::RekorVerification;
pub use external_sink::rekor::REKOR_DEFAULT_ENDPOINT;
pub use external_sink::rekor::REKOR_EXTERNAL_AUTHORITY_STATUS;
pub use external_sink::rekor::REKOR_INCLUSION_PROOF_INVALID_INVARIANT;
pub use external_sink::rekor::REKOR_KIND_HASHEDREKORD_V0_0_1;
pub use external_sink::rekor::REKOR_SET_SIGNATURE_INVALID_INVARIANT;
pub use external_sink::rekor::REKOR_SUBMIT_FAILED_INVARIANT;
pub use external_sink::rekor::REKOR_TRUSTED_ROOT_STALE_INVARIANT;
pub use external_sink::rekor::REKOR_VERIFY_FAILED_INVARIANT;
pub use external_sink::rekor::REKOR_VERIFY_SIGNATURE_MISMATCH_INVARIANT;
pub use external_sink::trusted_root::active_trusted_root;
pub use external_sink::trusted_root::ActiveTrustedRoot;
pub use external_sink::trusted_root::TransparencyLogInstance;
pub use external_sink::trusted_root::TransparencyLogPublicKey;
pub use external_sink::trusted_root::TrustRootStalenessAnchor;
pub use external_sink::trusted_root::TrustRootStalenessError;
pub use external_sink::trusted_root::TrustedRoot;
pub use external_sink::trusted_root::TrustedRootIoError;
pub use external_sink::trusted_root::TrustedRootKeyError;
pub use external_sink::trusted_root::TrustedRootParseError;
pub use external_sink::trusted_root::ValidityPeriod;
pub use external_sink::trusted_root::CACHED_ROOT_STATUS;
pub use external_sink::trusted_root::DEFAULT_MAX_TRUST_ROOT_AGE;
pub use external_sink::trusted_root::EMBEDDED_ROOT_STATUS;
pub use external_sink::trusted_root::EMBEDDED_TRUSTED_ROOT_SNAPSHOT_DATE;
pub use external_sink::trusted_root::REKOR_TRUSTED_ROOT_TLOG_LOGID_NO_MATCH_INVARIANT;
pub use external_sink::trusted_root::STABLE_INVARIANT_TRUSTED_ROOT_CACHE_FUTURE_DATED;
pub use external_sink::trusted_root::TRUSTED_ROOT_CACHE_FUTURE_MTIME_TOLERANCE;
pub use external_sink::trusted_root::TRUSTED_ROOT_CACHE_STALE_INVARIANT;
pub use external_sink::trusted_root::TRUSTED_ROOT_JSON;
pub use external_sink::trusted_root::TRUSTED_ROOT_PARSE_INVARIANT;
pub use external_sink::trusted_root::TRUSTED_ROOT_SNAPSHOT_STALE_INVARIANT;
pub use external_sink::trusted_root::TRUSTED_ROOT_STALE_INVARIANT;
pub use external_sink::anchor_text_sha256;
pub use external_sink::parse_external_receipt;
pub use external_sink::parse_external_receipt_history;
pub use external_sink::read_external_receipt_history;
pub use external_sink::verify_external_receipts;
pub use external_sink::ExternalReceipt;
pub use external_sink::ExternalReceiptHistoryIoError;
pub use external_sink::ExternalReceiptParseError;
pub use external_sink::ExternalReceiptVerification;
pub use external_sink::ExternalReceiptVerifyError;
pub use external_sink::ExternalSink;
pub use external_sink::ANCHOR_TEXT_HASH_MISMATCH_INVARIANT;
pub use external_sink::EXTERNAL_RECEIPT_FORMAT_HEADER_V1;
pub use external_sink::PARSED_ONLY_VERIFICATION_STATUS;
pub use hash::canonical_payload_bytes;
pub use hash::event_hash;
pub use hash::payload_hash;
pub use hash::seal;
pub use hash::DOMAIN_TAG_EVENT_HASH;
pub use jsonl::append_policy_decision_test_allow;
pub use jsonl::append_signed_policy_decision_test_allow;
pub use jsonl::schema_migration_v1_to_v2_policy_decision_test_allow;
pub use jsonl::JsonlError;
pub use jsonl::JsonlLog;
pub use jsonl::APPEND_ATTESTATION_REQUIRED_RULE_ID;
pub use jsonl::APPEND_EVENT_SOURCE_TIER_GATE_RULE_ID;
pub use jsonl::APPEND_RUNTIME_MODE_RULE_ID;
pub use jsonl::APPEND_SIGNED_KEY_STATE_CURRENT_USE_RULE_ID;
pub use jsonl::APPEND_SIGNED_TRUST_TIER_MINIMUM_RULE_ID;
pub use jsonl::SCHEMA_MIGRATION_ATTESTATION_REQUIRED_RULE_ID;
pub use jsonl::SCHEMA_MIGRATION_AUTHORITY_CLASS_RULE_ID;
pub use jsonl::SCHEMA_MIGRATION_CURRENT_USE_TEMPORAL_AUTHORITY_RULE_ID;
pub use signed_row::RowSignature;
pub use signed_row::SignedRow;
pub use trace::TraceAssembler;
pub use trace::TraceError;

Modules§

anchor: Position-bound external anchor primitive (ADR 0013).
anchor_chain: Bridge between an Event persisted in the JSONL mirror and the canonical AttestationPreimage that gets signed (T-3.D.6, ADR 0010 §1-§2).
audit: Per-row audit verification of a JSONL ledger file.
external_sink: External anchor receipt primitive (ADR 0013 Mechanism C foundation).
hash: Domain-tagged, length-prefixed BLAKE3 hash chain (T-1.B.1 + T-1.B.6).
jsonl: Append-only JSONL event log: JsonlLog.
sha256: SHA-256 wrapper module.
signed_row: On-disk wire shape for a JSONL row that participates in the Ed25519 signature chain (T-3.D.6, ADR 0010 §1-§2).
trace: Trace assembly: open, attach event, close. Emits dense, monotonic ordinals.

Functions§

verify_hash_chain_stub: Back-compat shim: retained so cortex-cli’s audit verify subcommand keeps compiling against the pre-Lane-1.B API surface. New callers MUST use verify_chain (which takes a path and returns a typed Report) instead.