
Module verify

Pure trusted-evidence reducer.

verify(input, witnesses, now, max_age) -> VerifiedTrustState. No I/O. No filesystem reads, no network calls, no clock reads — now is injected.

Order of checks (each is a hard fail when violated):

  1. Advisory-only short-circuit — local / dev / pre-v2 evidence cannot be promoted by witnesses (witness.tier_insufficient).
  2. Subject binding — every witness’s asserted_subject_blake3 must match input.evidence_blake3 (witness.disagreement).
  3. Domain integrity — every witness’s authority_domain must equal class.required_authority_domain() and no two witnesses may share a domain (witness.authority_overlap).
  4. Freshness — now - witness.asserted_at <= max_age (witness.stale).
  5. Tier sufficiency — remote-CI and reproducible-build witnesses must be ThirdParty (witness.tier_insufficient).
  6. Signature — Ed25519 verify over the canonical preimage (witness.signature_invalid).
  7. Class coverage — FullChainVerified requires one witness from each of the four ADR 0041 classes; missing classes drop the result to Partial, never to a falsely-trusted state.
  8. Composition — effective ceiling for the input must be at or above the required ceiling for the claim kind (composition.ceiling_below_required).
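The check order above, as an added example that is not the crate's own code: a reduced Rust model of checks 1 to 7, with the first violated check returning its error code (step 8, composition, needs the claim-kind ceiling table and is left out). `Witness`, `Tier`, `Class`, `Outcome`, `required_domain` and the class names other than RemoteCi and ReproducibleBuild are assumptions; the Ed25519 step is stood in for by a precomputed `sig_ok` flag because no crypto crate is assumed.

```rust
use std::collections::HashSet;

// Source and Release are placeholders for the two ADR 0041 classes the page does not name.
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum Class { Source, RemoteCi, ReproducibleBuild, Release }
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Tier { SelfSigned, ThirdParty }
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Outcome { FullChainVerified, Partial }

#[derive(Clone, Debug)]
pub struct Witness {
    pub class: Class,
    pub tier: Tier,
    pub authority_domain: &'static str,
    pub asserted_subject_blake3: [u8; 32],
    pub asserted_at: i64,
    pub sig_ok: bool, // stand-in for the Ed25519 check over the canonical preimage
}

// Hypothetical class -> required_authority_domain() mapping.
fn required_domain(c: Class) -> &'static str {
    match c {
        Class::Source => "scm", Class::RemoteCi => "ci",
        Class::ReproducibleBuild => "rebuild", Class::Release => "release",
    }
}

/// Checks 1-7 in the documented order; each is a hard fail and the first one hit wins.
pub fn verify(evidence_blake3: [u8; 32], advisory_only: bool, witnesses: &[Witness],
              now: i64, max_age: i64) -> Result<Outcome, &'static str> {
    // 1. Local/dev/pre-v2 evidence is never promoted, whatever the witnesses say.
    if advisory_only { return Err("witness.tier_insufficient"); }
    // 2. Every witness must speak about exactly this evidence hash.
    if witnesses.iter().any(|w| w.asserted_subject_blake3 != evidence_blake3) {
        return Err("witness.disagreement");
    }
    // 3. Right domain for the class, and no two witnesses from one domain.
    let mut seen = HashSet::new();
    for w in witnesses {
        if w.authority_domain != required_domain(w.class) || !seen.insert(w.authority_domain) {
            return Err("witness.authority_overlap");
        }
    }
    // 4. Freshness exactly as documented: now - asserted_at <= max_age (now is injected).
    if witnesses.iter().any(|w| now - w.asserted_at > max_age) { return Err("witness.stale"); }
    // 5. Remote-CI and reproducible-build witnesses must be third-party.
    if witnesses.iter().any(|w| matches!(w.class, Class::RemoteCi | Class::ReproducibleBuild)
        && w.tier != Tier::ThirdParty) { return Err("witness.tier_insufficient"); }
    // 6. Signature; 7. class coverage: a missing class degrades to Partial, never fails upward.
    if witnesses.iter().any(|w| !w.sig_ok) { return Err("witness.signature_invalid"); }
    let covered: HashSet<Class> = witnesses.iter().map(|w| w.class).collect();
    Ok(if covered.len() == 4 { Outcome::FullChainVerified } else { Outcome::Partial })
}
```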

Structs

VerifyOptions
Options for verify_with_options. Groups the optional policy decision and the optional operator-supplied key registry so the call site stays readable as the option count grows.

Functions

ceiling_from_state
Map a VerifiedTrustState result to a ClaimCeiling for downstream composition with runtime_claim_preflight_with_policy. Non-promoted states fall to DevOnly so any verifier-side bug cannot lift the trust path silently.
verify
Pure reducer over independent witnesses.
verify_with_options
Full-featured verify entry point: composes ADR 0026 policy AND resolves SelfSigned witnesses against the operator-supplied key registry.
verify_with_policy
Same as verify, but composes with an ADR 0026 policy decision so the trust path falls closed independently of witness composition when policy returns Reject or Quarantine. The verifier honours Allow and Warn without ceiling impact (mirrors runtime_claim_preflight_with_policy).