Crate cortex_verifier

Independent trusted evidence verifier for cortex release readiness and cortex compliance evidence.

Implements ADR 0041: a pure reducer, verify(EvidenceInput, &[IndependentWitness], now, max_age) -> VerifiedTrustState, that promotes a release-readiness or compliance-evidence claim to VerifiedTrustState::FullChainVerified only when witnesses from disjoint authority domains cross-confirm the producer-supplied evidence digest, and never with the producer acting as its own witness.

§Doctrine boundaries

  • No I/O on the trust path. This crate forbids tokio, reqwest, and std::fs. All bytes and verifying keys must be loaded by the CLI before invocation; the verifier consumes only in-memory values. See the crate’s Cargo.toml for the manifest assertion.
  • Disjoint authority per ADR 0013 is enforced by witness::AuthorityDomain: two witnesses sharing a domain are invariant::WITNESS_AUTHORITY_OVERLAP.
  • Subject binding. Every witness’s asserted_subject_blake3 MUST equal the producer-supplied input::EvidenceInput::evidence_blake3.
  • Defense in depth. verify::verify_with_policy composes with an ADR 0026 policy decision so the trust path falls closed independently of witness composition.
  • Boundary contract. Per ADR 0041 §“Doctrine boundary”:
    • CAN claim: release_readiness_artifact_present, compliance_evidence_present, external_anchor_crossed_at(event_count, hash) for the bound position, independent_verification: true.
    • CANNOT claim: trusted run-history beyond SignedLedgerChainHead, cross-system trust authority, production actor identity, anchor stream monotonicity, doctrine promotion.
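The reduction rules listed above as a compact model, added here as an example for this page and not taken from cortex_verifier: the Domain, Witness and TrustState types, the two-witness threshold, and the mapping of a producer self-witness to WITNESS_AUTHORITY_OVERLAP and of a subject mismatch to WITNESS_DISAGREEMENT are assumptions; only the invariant names and the order of doctrine checks come from the page.

```rust
// Model of the ADR 0041 reducer rules described above, written for this page;
// NOT the cortex_verifier API. Types and invariant-to-check mapping are assumed.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Domain { Producer, BuildSystem, ExternalAnchor }

#[derive(Clone, Debug)]
pub struct Witness {
    pub domain: Domain,
    pub asserted_subject_blake3: [u8; 32],
    pub observed_at: u64, // constructed: seconds since epoch
}

#[derive(Debug, PartialEq, Eq)]
pub enum TrustState {
    FullChainVerified,
    Broken(&'static str), // stable invariant name, as the page's invariant module reports
}

/// Pure reducer: no I/O, in-memory values only, fails closed on the first broken edge.
pub fn verify(evidence_blake3: [u8; 32], witnesses: &[Witness], now: u64, max_age: u64) -> TrustState {
    // Cross-confirmation needs at least two witnesses (assumed threshold).
    if witnesses.len() < 2 {
        return TrustState::Broken("WITNESS_MISSING");
    }
    // The producer may never be its own witness; modelled as an overlap with
    // the producer's authority domain (assumption).
    if witnesses.iter().any(|w| w.domain == Domain::Producer) {
        return TrustState::Broken("WITNESS_AUTHORITY_OVERLAP");
    }
    // Disjoint authority (ADR 0013): no two witnesses may share a domain.
    for (i, a) in witnesses.iter().enumerate() {
        if witnesses[i + 1..].iter().any(|b| b.domain == a.domain) {
            return TrustState::Broken("WITNESS_AUTHORITY_OVERLAP");
        }
    }
    // Subject binding: every witness must attest the producer-supplied digest.
    if witnesses.iter().any(|w| w.asserted_subject_blake3 != evidence_blake3) {
        return TrustState::Broken("WITNESS_DISAGREEMENT"); // assumed mapping
    }
    // Freshness: a witness older than max_age, or dated in the future, cannot confirm.
    if witnesses.iter().any(|w| w.observed_at > now || now - w.observed_at > max_age) {
        return TrustState::Broken("WITNESS_STALE");
    }
    TrustState::FullChainVerified
}
```

The checks run in doctrine order, so the first broken edge names the invariant a caller would see; a caller that wants every broken edge at once would collect instead of returning early.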

Re-exports§

pub use input::EvidenceInput;
pub use input::EvidenceKind;
pub use input::SourceRef;
pub use invariant::COMPOSITION_CEILING_BELOW_REQUIRED;
pub use invariant::COMPOSITION_POLICY_FAIL_CLOSED;
pub use invariant::WITNESS_AUTHORITY_OVERLAP;
pub use invariant::WITNESS_DISAGREEMENT;
pub use invariant::WITNESS_MISSING;
pub use invariant::WITNESS_SIGNATURE_INVALID;
pub use invariant::WITNESS_STALE;
pub use invariant::WITNESS_TIER_INSUFFICIENT;
pub use state::BrokenEdge;
pub use state::VerifiedTrustState;
pub use verify::ceiling_from_state;
pub use verify::verify;
pub use verify::verify_with_options;
pub use verify::verify_with_policy;
pub use verify::VerifyOptions;
pub use witness::AuthorityDomain;
pub use witness::IndependentWitness;
pub use witness::SelfSignedAlgorithm;
pub use witness::SelfSignedKeyEntry;
pub use witness::SelfSignedKeyRegistry;
pub use witness::WitnessClass;
pub use witness::WitnessPayload;
pub use witness::WitnessSignature;
pub use witness::WitnessSummary;
pub use witness::WitnessTier;

Modules§

input
Producer-supplied evidence input for the trusted-evidence reducer.
invariant
Stable invariant names emitted by crate::verify.
state
VerifiedTrustState — the output of the trusted-evidence reducer.
verify
Pure trusted-evidence reducer.
witness
Independent witness types for the trusted evidence reducer.