Skip to main content

Module audit

cortex_ledger

Module audit 

Source
Expand description

Per-row audit verification of a JSONL ledger file.

verify_chain walks the file and returns a Report listing every row that fails one of the canonical chain invariants, with a typed reason (FailureReason). Unlike crate::JsonlLog::verify_chain which short-circuits on the first failure, this audit collects all failures so an operator can see the full damage in one pass.

Failure modes covered:

  • FailureReason::Orphanprev_event_hash does not match the event_hash of the row immediately preceding it.
  • [FailureReason::HashBreak { kind: PayloadHashMismatch }] — the stored payload_hash does not match blake3(canonical_payload).
  • [FailureReason::HashBreak { kind: EventHashMismatch }] — the stored event_hash does not match the framing recompute over prev_event_hash + payload_hash.
  • FailureReason::OrdinalGap — when ordinals are present (we don’t store them inline in the JSONL today, but external trace-event tables may carry them), a gap or duplicate is reported. For the JSONL-only audit we treat the file order as the canonical sequence and report nothing here unless callers pass an external ordinal stream (future expansion). For now, this variant exists in the public API so audit consumers don’t break when we wire SQL ordinals in.
  • FailureReason::Decode — the row failed to parse as an cortex_core::Event.

§Acceptance test (T-1.B.4)

corruption_fixture_produces_expected_failure_report builds a deliberately-broken file (good row, then a row with a mutated payload, then an orphan whose prev_event_hash is wrong) and asserts the report names exactly those failures.

Structs§

Report
Verification report.
RowFailure
One row’s failure record.
SchemaMigrationBoundaryFailure
Stable failure record for the v1 -> v2 boundary invariant.
SchemaMigrationBoundaryReport
Report for verify_schema_migration_v1_to_v2_boundary.
SchemaMigrationBoundaryRow
One observed schema_migration.v1_to_v2 boundary row.
SignedChainOutcome
Outcome of verify_signed_chain over a JSONL file.

Enums§

FailureReason
What broke at a given row.
HashKind
Which hash field broke.
SchemaMigrationBoundaryFailureDetail
Why the v1 -> v2 boundary invariant failed.

Constants§

POST_CUTOVER_V2_AUDIT_DISPATCH_UNSUPPORTED_INVARIANT
Stable invariant name for schema v2 non-boundary rows that are recognized as post-cutover audit-dispatch work but not yet verifiable by this build.
SCHEMA_MIGRATION_V1_TO_V2_BOUNDARY_DUPLICATE_INVARIANT
Stable invariant name for duplicate v1 -> v2 boundary rows.
SCHEMA_MIGRATION_V1_TO_V2_BOUNDARY_MISSING_INVARIANT
Stable invariant name for a required v1 -> v2 boundary row that is absent.
UNSUPPORTED_EVENT_SCHEMA_VERSION_INVARIANT
Stable invariant name for unsupported event schema versions.

Functions§

verify_chain
Walk path, checking every row, and produce a Report of failures.
verify_schema_migration_v1_to_v2_boundary
Scan a JSONL ledger for the schema_migration.v1_to_v2 boundary row.
verify_signed_chain
Verify the Ed25519 signature chain end-to-end (Lane 3.D.6 / ADR 0010 §1-§2).