Struct ConstitutionalKernel

pub struct ConstitutionalKernel { /* private fields */ }

An ergonomic wrapper around the CGR Kernel.

Provides a minimal adjudication interface suitable for common SDK use cases: a single actor performing an action, with caller-supplied authority signing material, signed provenance, and an active bailment from that authority. Callers needing fine-grained control over the adjudication context should use exo_gatekeeper::Kernel directly.

§Examples

use exochain_sdk::kernel::ConstitutionalKernel;
use exo_core::Did;

let authority = exochain_sdk::identity::Identity::generate("authority");
let kernel = ConstitutionalKernel::with_authority_identity(authority);
assert!(kernel.verify_integrity());
assert_eq!(kernel.invariant_count(), 8);

let actor = Did::new("did:exo:alice").expect("valid");
let verdict = kernel.adjudicate(&actor, "read:profile");
assert!(verdict.is_permitted());

Implementations§

impl ConstitutionalKernel

pub fn new() -> Self

Construct a new kernel with the default constitution and all eight constitutional invariants. No authority signing material is configured on a kernel built this way, so Self::adjudicate fails closed and returns a denied verdict for every request; use Self::with_authority_identity or Self::with_authority for a kernel that can actually permit an action.

§Examples
let kernel = ConstitutionalKernel::new();
assert_eq!(kernel.invariant_count(), 8);
assert!(kernel.verify_integrity());

pub fn with_authority_identity(authority: Identity) -> Self

Construct a new kernel with an authority signing identity.

This is the common SDK path: the identity’s DID becomes the authority grantor and bailor for the default adjudication context, and its secret key signs the canonical authority/provenance payloads that the kernel verifies.

§Examples
use exochain_sdk::identity::Identity;

let authority = Identity::generate("authority");
let kernel = ConstitutionalKernel::with_authority_identity(authority);
assert!(kernel.verify_integrity());

pub fn with_authority(
    authority_did: Did,
    authority_public_key: PublicKey,
    authority_signer: Arc<dyn Fn(&[u8]) -> Signature + Send + Sync>,
) -> Self

Construct a new kernel with caller-supplied authority signing material.

The signer must produce an Ed25519 signature over exactly the message bytes it receives (no pre-hashing or prefixing). The supplied public key is embedded in the adjudication context, and the gatekeeper verifies every signature cryptographically against that key, so a signer backed by a different key yields signatures that fail verification.

§Examples
use std::sync::Arc;

let authority_did = crypto::Did::new("did:exo:authority").expect("valid");
let (authority_public_key, authority_secret_key) = crypto::generate_keypair();
// The closure captures the secret key by move; the kernel only ever sees the
// public half plus the signatures the closure produces.
let kernel = ConstitutionalKernel::with_authority(
    authority_did,
    authority_public_key,
    Arc::new(move |message: &[u8]| crypto::sign(message, &authority_secret_key)),
);
assert!(kernel.verify_integrity());

pub fn adjudicate(&self, actor: &Did, action: &str) -> KernelVerdict

Adjudicate action performed by actor using the signed SDK context.

The SDK supplies a minimal signed default context:

  • A single Judicial role for actor.
  • A one-link authority chain from the configured authority to actor granting read.
  • An active bailment from the configured authority to actor scoped to the requested permission set.
  • Full human-override preservation.
  • Signed provenance with timestamp "sdk".

If the kernel was created with Self::new rather than Self::with_authority or Self::with_authority_identity, this method fails closed with a denied verdict.

Callers needing richer context should reach for exo_gatekeeper::Kernel directly.

The action is flagged as is_self_grant = false and modifies_kernel = false by default. Helpers are available for the common deny-cases used in tests: see Self::adjudicate_self_grant, Self::adjudicate_kernel_modification, and Self::adjudicate_without_bailment.

§Examples
use exochain_sdk::kernel::ConstitutionalKernel;
use exo_core::Did;

let authority = exochain_sdk::identity::Identity::generate("authority");
let kernel = ConstitutionalKernel::with_authority_identity(authority);
let actor = Did::new("did:exo:alice").expect("valid");
let verdict = kernel.adjudicate(&actor, "data:read");
assert!(verdict.is_permitted());

pub fn adjudicate_self_grant(&self, actor: &Did, action: &str) -> KernelVerdict

Same as Self::adjudicate but sets is_self_grant = true so the kernel can enforce the NoSelfGrant invariant.

Useful for exercising the invariant in tests: a permitted verdict here would indicate a constitutional defect.

§Examples
use exochain_sdk::kernel::ConstitutionalKernel;
use exo_core::Did;

let authority = exochain_sdk::identity::Identity::generate("authority");
let kernel = ConstitutionalKernel::with_authority_identity(authority);
let actor = Did::new("did:exo:self-granter").expect("valid");
let verdict = kernel.adjudicate_self_grant(&actor, "escalate-self");
assert!(verdict.is_denied());

pub fn adjudicate_kernel_modification(
    &self,
    actor: &Did,
    action: &str,
) -> KernelVerdict

Same as Self::adjudicate but sets modifies_kernel = true so the kernel can enforce the KernelImmutability invariant.

§Examples
use exochain_sdk::kernel::ConstitutionalKernel;
use exo_core::Did;

let authority = exochain_sdk::identity::Identity::generate("authority");
let kernel = ConstitutionalKernel::with_authority_identity(authority);
let actor = Did::new("did:exo:patcher").expect("valid");
let verdict = kernel.adjudicate_kernel_modification(&actor, "patch-kernel");
assert!(verdict.is_denied());

pub fn adjudicate_without_bailment(
    &self,
    actor: &Did,
    action: &str,
) -> KernelVerdict

Same as Self::adjudicate but omits the default bailment so the kernel can enforce the ConsentRequired invariant.

§Examples
use exochain_sdk::kernel::ConstitutionalKernel;
use exo_core::Did;

let authority = exochain_sdk::identity::Identity::generate("authority");
let kernel = ConstitutionalKernel::with_authority_identity(authority);
let actor = Did::new("did:exo:unauth").expect("valid");
let verdict = kernel.adjudicate_without_bailment(&actor, "read-data");
assert!(verdict.is_denied());

pub fn verify_integrity(&self) -> bool

Verify that the kernel’s stored constitution hash matches the configured constitution text.

Returns false if the constitution in memory has drifted from the hash the kernel was initialised with — which should never happen in practice, but is checked defensively because constitutional integrity is a load-bearing invariant.

§Examples
let kernel = ConstitutionalKernel::new();
assert!(kernel.verify_integrity());

pub fn invariant_count(&self) -> usize

Number of constitutional invariants enforced by this kernel (always 8).

§Examples
assert_eq!(ConstitutionalKernel::new().invariant_count(), 8);

Trait Implementations§

impl Debug for ConstitutionalKernel

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for ConstitutionalKernel

fn default() -> Self

Returns the “default value” for a type.
