//! Producer-supplied evidence input for the trusted-evidence reducer.
//!
//! This is the data the CLI loads before invoking [`crate::verify`]. Per ADR
//! 0041 §"Pure trust path", the verifier does not read filesystems or the
//! network — every byte the trust decision rests on is here.
7use cortex_core::{AuthorityClass, ClaimCeiling, ClaimProofState, RuntimeMode};
8use serde::{Deserialize, Serialize};
/// The class of evidence a witness set attests to.
///
/// The kind selects which witness composition is required before a reduction
/// can reach `FullChainVerified`.
///
/// Variants serialize under their `snake_case` names, the same strings that
/// [`EvidenceKind::wire_str`] returns. No fallback variant is declared, so a
/// kind string outside this set fails deserialization instead of being mapped
/// to a default.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum EvidenceKind {
    /// Evidence produced for `cortex release readiness`.
    ReleaseReadiness,
    /// Evidence produced for `cortex compliance evidence`.
    ComplianceEvidence,
}
impl EvidenceKind {
    /// Returns the stable lowercase identifier for this kind on the wire.
    ///
    /// The strings mirror the `snake_case` serde names of the variants, so a
    /// newly added variant needs an arm here too. The match has no catch-all
    /// arm, which makes a forgotten variant a compile error rather than a
    /// silently wrong string.
    #[must_use]
    pub const fn wire_str(self) -> &'static str {
        match self {
            EvidenceKind::ComplianceEvidence => "compliance_evidence",
            EvidenceKind::ReleaseReadiness => "release_readiness",
        }
    }
}
/// A source reference exactly as the producer declared it on the evidence
/// input, for example `signed://fixture/evidence` or `https://...`.
///
/// The verifier never fetches these; they are kept for reporting only. The
/// alias is a plain `String`, so the type itself imposes no scheme, format or
/// length constraint.
// NOTE(review): these are producer-chosen strings; anything that renders or
// logs them should handle them as untrusted text. Confirm against the
// reporting code.
pub type SourceRef = String;
/// Evidence input as supplied by the producer.
///
/// The CLI assembles this from the evidence file or inline JSON together with
/// the producer's declared `evidence_blake3`.
///
/// Invariant: the `asserted_subject_blake3` of every witness MUST equal
/// [`EvidenceInput::evidence_blake3`].
// NOTE(review): the struct derives `Deserialize` without
// `#[serde(deny_unknown_fields)]`, so serde's default of ignoring unrecognised
// keys applies. Decide whether the trust path should reject such inputs.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct EvidenceInput {
    /// The surface that asked for this reduction: release-readiness or
    /// compliance-evidence.
    pub kind: EvidenceKind,
    /// BLAKE3 digest, as lowercase hex, of the exact evidence bytes the
    /// producer supplied.
    // NOTE(review): the field is a plain `String`; the lowercase-hex form is
    // not enforced by this type. Confirm it is validated before it is compared
    // with the witnesses' `asserted_subject_blake3`.
    pub evidence_blake3: String,
    /// The runtime mode the producer says it ran under.
    pub runtime_mode: RuntimeMode,
    /// The authority class declared on the evidence input.
    pub authority_class: AuthorityClass,
    /// The proof closure state the producer declares.
    pub proof_state: ClaimProofState,
    /// The ceiling the producer asks for. This is a request only: the verifier
    /// still clamps to the weakest supporting signal per
    /// `cortex_core::effective_ceiling`.
    pub requested_ceiling: ClaimCeiling,
    /// Source refs the producer declared. Informational only; they play no
    /// part in the trust decision.
    pub source_refs: Vec<SourceRef>,
    /// Marks an evidence path that is advisory-only by construction (e.g.
    /// `dev` runtime mode, `pre_v2_backup` evidence kind). When set, the
    /// verifier short-circuits to `verifier.witness.tier_insufficient` per
    /// ADR 0041 acceptance criterion §132 — local/dev/pre-v2 stay advisory even
    /// with witnesses present.
    // NOTE(review): this flag sits on a deserializable, producer-supplied
    // struct. Confirm the CLI or verifier derives it from (or cross-checks it
    // against) `runtime_mode` and the evidence kind, so that an input cannot
    // leave the advisory tier just by carrying `false` here.
    pub advisory_only: bool,
}
impl EvidenceInput {
    /// Reports whether this input is marked advisory-only by construction.
    ///
    /// This is a plain read of the `advisory_only` field. It does not inspect
    /// `runtime_mode` or `kind`, so the answer is only as trustworthy as
    /// whatever populated that field.
    #[must_use]
    pub const fn is_advisory_only(&self) -> bool {
        let Self { advisory_only, .. } = self;
        *advisory_only
    }
}