1//! Independent trusted evidence verifier for `cortex release readiness` and
2//! `cortex compliance evidence`.
3//!
4//! Implements [ADR 0041](../../../docs/adr/0041-independent-trusted-evidence-verifier.md):
5//! a pure reducer
6//! `verify(EvidenceInput, &[IndependentWitness], now, max_age) -> VerifiedTrustState`
7//! that promotes a release-readiness or compliance-evidence claim to
8//! [`VerifiedTrustState::FullChainVerified`] only when **disjoint-authority**
9//! witnesses cross-confirm the producer-supplied evidence digest — without
10//! the producer being its own witness.
11//!
12//! ## Doctrine boundaries
13//!
14//! - **No I/O on the trust path.** This crate forbids `tokio`, `reqwest`, and
15//!   `std::fs`. All bytes and verifying keys must be loaded by the CLI before
16//!   invocation; the verifier consumes only in-memory values. See the crate's
17//!   `Cargo.toml` for the manifest assertion.
18//! - **Disjoint authority** per [ADR 0013] is enforced by
19//!   [`witness::AuthorityDomain`]: two witnesses sharing a domain are
20//!   [`invariant::WITNESS_AUTHORITY_OVERLAP`].
21//! - **Subject binding.** Every witness's `asserted_subject_blake3` MUST equal
22//!   the producer-supplied [`input::EvidenceInput::evidence_blake3`].
23//! - **Defense in depth.** [`verify::verify_with_policy`] composes with an
24//!   ADR 0026 policy decision so the trust path fails closed independently
25//!   of witness composition.
26//! - **Boundary contract.** Per ADR 0041 §"Doctrine boundary":
27//!   - CAN claim: `release_readiness_artifact_present`,
28//!     `compliance_evidence_present`,
29//!     `external_anchor_crossed_at(event_count, hash)` for the bound position,
30//!     `independent_verification: true`.
31//!   - CANNOT claim: trusted run-history beyond `SignedLedgerChainHead`,
32//!     cross-system trust authority, production actor identity, anchor stream
33//!     monotonicity, doctrine promotion.
34//!
35//! [ADR 0013]: ../../../docs/adr/0013-ledger-external-anchoring.md
36
37#![deny(unsafe_code, missing_debug_implementations)]
38#![warn(missing_docs)]
39
40pub mod input;
41pub mod invariant;
42pub mod state;
43pub mod verify;
44pub mod witness;
45
46pub use input::{EvidenceInput, EvidenceKind, SourceRef};
47pub use invariant::{
48    COMPOSITION_CEILING_BELOW_REQUIRED, COMPOSITION_POLICY_FAIL_CLOSED, WITNESS_AUTHORITY_OVERLAP,
49    WITNESS_DISAGREEMENT, WITNESS_MISSING, WITNESS_SIGNATURE_INVALID, WITNESS_STALE,
50    WITNESS_TIER_INSUFFICIENT,
51};
52pub use state::{BrokenEdge, VerifiedTrustState};
53pub use verify::{
54    ceiling_from_state, verify, verify_with_options, verify_with_policy, VerifyOptions,
55};
56pub use witness::{
57    AuthorityDomain, IndependentWitness, SelfSignedAlgorithm, SelfSignedKeyEntry,
58    SelfSignedKeyRegistry, WitnessClass, WitnessPayload, WitnessSignature, WitnessSummary,
59    WitnessTier,
60};