pub struct ConstitutionalKernel { /* private fields */ }
An ergonomic wrapper around the CGR Kernel.
Provides a minimal adjudication interface suitable for common SDK use
cases: a single actor performing an action, with caller-supplied authority
signing material, signed provenance, and an active bailment from that
authority. Callers needing fine-grained control over the adjudication
context should use exo_gatekeeper::Kernel directly.
§Examples
use exochain_sdk::kernel::ConstitutionalKernel;
use exo_core::Did;
let authority = exochain_sdk::identity::Identity::generate("authority");
let kernel = ConstitutionalKernel::with_authority_identity(authority);
assert!(kernel.verify_integrity());
assert_eq!(kernel.invariant_count(), 8);
let actor = Did::new("did:exo:alice").expect("valid");
let verdict = kernel.adjudicate(&actor, "read:profile");
assert!(verdict.is_permitted());

Implementations§

impl ConstitutionalKernel

pub fn new() -> Self
Construct a new kernel with the default constitution and all eight constitutional invariants.
§Examples
let kernel = ConstitutionalKernel::new();
assert_eq!(kernel.invariant_count(), 8);
assert!(kernel.verify_integrity());

Construct a new kernel with an authority signing identity.
This is the common SDK path: the identity’s DID becomes the authority grantor and bailor for the default adjudication context, and its secret key signs the canonical authority/provenance payloads that the kernel verifies.
§Examples
let authority = Identity::generate("authority");
let kernel = ConstitutionalKernel::with_authority_identity(authority);
assert!(kernel.verify_integrity());

Construct a new kernel with caller-supplied authority signing material.
The signer must produce an Ed25519 signature over the message bytes it receives. The supplied public key is embedded in the adjudication context, and the gatekeeper verifies every signature cryptographically.
§Examples
let authority_did = crypto::Did::new("did:exo:authority").expect("valid");
let (authority_public_key, authority_secret_key) = crypto::generate_keypair();
let kernel = ConstitutionalKernel::with_authority(
authority_did,
authority_public_key,
Arc::new(move |message: &[u8]| crypto::sign(message, &authority_secret_key)),
);
assert!(kernel.verify_integrity());

pub fn adjudicate(&self, actor: &Did, action: &str) -> KernelVerdict
Adjudicate action performed by actor using the signed SDK context.
The SDK supplies a minimal signed default context:
- A single Judicial role for actor.
- A one-link authority chain from the configured authority to actor granting read.
- An active bailment from the configured authority to actor scoped to the requested permission set.
- Full human-override preservation.
- Signed provenance with timestamp "sdk".
If the kernel was created with Self::new rather than
Self::with_authority or Self::with_authority_identity, this
method fails closed with a denied verdict.
Callers needing richer context should reach for
exo_gatekeeper::Kernel directly.
The action is flagged as is_self_grant = false and
modifies_kernel = false by default. Helpers are available for the
common deny-cases used in tests: see
Self::adjudicate_self_grant,
Self::adjudicate_kernel_modification, and
Self::adjudicate_without_bailment.
§Examples
use exochain_sdk::kernel::ConstitutionalKernel;
use exo_core::Did;
let authority = exochain_sdk::identity::Identity::generate("authority");
let kernel = ConstitutionalKernel::with_authority_identity(authority);
let actor = Did::new("did:exo:alice").expect("valid");
let verdict = kernel.adjudicate(&actor, "data:read");
assert!(verdict.is_permitted());

pub fn adjudicate_self_grant(&self, actor: &Did, action: &str) -> KernelVerdict
Same as Self::adjudicate but sets is_self_grant = true so the
kernel can enforce the NoSelfGrant invariant.
Useful for exercising the invariant in tests: a permitted verdict here would indicate a constitutional defect.
§Examples
use exochain_sdk::kernel::ConstitutionalKernel;
use exo_core::Did;
let authority = exochain_sdk::identity::Identity::generate("authority");
let kernel = ConstitutionalKernel::with_authority_identity(authority);
let actor = Did::new("did:exo:self-granter").expect("valid");
let verdict = kernel.adjudicate_self_grant(&actor, "escalate-self");
assert!(verdict.is_denied());

pub fn adjudicate_kernel_modification(&self, actor: &Did, action: &str) -> KernelVerdict
Same as Self::adjudicate but sets modifies_kernel = true so the
kernel can enforce the KernelImmutability invariant.
§Examples
use exochain_sdk::kernel::ConstitutionalKernel;
use exo_core::Did;
let authority = exochain_sdk::identity::Identity::generate("authority");
let kernel = ConstitutionalKernel::with_authority_identity(authority);
let actor = Did::new("did:exo:patcher").expect("valid");
let verdict = kernel.adjudicate_kernel_modification(&actor, "patch-kernel");
assert!(verdict.is_denied());

pub fn adjudicate_without_bailment(&self, actor: &Did, action: &str) -> KernelVerdict
Same as Self::adjudicate but omits the default bailment so the
kernel can enforce the ConsentRequired invariant.
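The fail-closed rule given for adjudicate (a kernel built with Self::new denies everything) and the three deny helpers, adjudicate_self_grant, adjudicate_kernel_modification and adjudicate_without_bailment, are easiest to see side by side. The block below is an added, self-contained model written for this page; it is not exochain_sdk or exo_gatekeeper code, and it compiles with the standard library only. Everything in it is an assumption except what the page states: the ModelKernel, Context and Verdict types, the Signer alias, the placeholder_signer (byte reversal standing in for the Ed25519 signature the real closure must produce), the labels ConstitutionalIntegrity, UnsignedProvenance and NoAuthoritySigner, and the order of checks are the model's own; only the invariant names NoSelfGrant, KernelImmutability and ConsentRequired, the is_self_grant and modifies_kernel flags, and the shape of the default context (one-link authority chain granting read, bailment scoped to the action, human-override flag, signed provenance) come from the page.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};
use std::sync::Arc;

/// Stand-in for the page's Ed25519 signer callback (assumption: the SDK's closure wraps crypto::sign).
pub type Signer = Arc<dyn Fn(&[u8]) -> Vec<u8> + Send + Sync>;

/// Verdict carrying the invariant name (or fail-closed reason) that denied the action.
#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Permitted,
    Denied(&'static str),
}

impl Verdict {
    pub fn is_permitted(&self) -> bool { matches!(self, Verdict::Permitted) }
    pub fn is_denied(&self) -> bool { !self.is_permitted() }
}

/// Model of the minimal signed default context the SDK builds per call (see the bullet list above).
pub struct Context {
    pub authority_chain: Vec<(String, String, &'static str)>, // (grantor, grantee, permission)
    pub bailment: Option<(String, String, String)>,          // (bailor, bailee, scope)
    pub human_override_preserved: bool,
    pub provenance_signature: Option<Vec<u8>>,
    pub is_self_grant: bool,
    pub modifies_kernel: bool,
}

pub struct ModelKernel {
    constitution: String,
    constitution_hash: u64,
    authority: Option<(String, Signer)>, // None after `new()`: adjudication fails closed
}

fn hash_text(text: &str) -> u64 { let mut h = DefaultHasher::new(); text.hash(&mut h); h.finish() }

impl ModelKernel {
    pub fn new() -> Self {
        let constitution = String::from("model constitution text (constructed)");
        let constitution_hash = hash_text(&constitution);
        Self { constitution, constitution_hash, authority: None }
    }
    pub fn with_authority(authority_did: &str, signer: Signer) -> Self {
        Self { authority: Some((authority_did.to_string(), signer)), ..Self::new() }
    }
    /// Recompute the constitution hash and compare it with the hash stored at construction.
    pub fn verify_integrity(&self) -> bool { hash_text(&self.constitution) == self.constitution_hash }

    /// Build the signed default context; None means the kernel holds no signing material.
    fn default_context(&self, actor: &str, action: &str, with_bailment: bool) -> Option<Context> {
        let (authority, signer) = self.authority.as_ref()?;
        let provenance = format!("{actor}|{action}|sdk"); // canonical payload, model shape only
        Some(Context {
            authority_chain: vec![(authority.clone(), actor.to_string(), "read")],
            bailment: with_bailment.then(|| (authority.clone(), actor.to_string(), action.to_string())),
            human_override_preserved: true,
            provenance_signature: Some(signer(provenance.as_bytes())),
            is_self_grant: false,
            modifies_kernel: false,
        })
    }

    /// Integrity and provenance checks first, then the three invariants named on this page;
    /// ConstitutionalIntegrity and UnsignedProvenance are the model's own labels.
    fn evaluate(&self, ctx: &Context) -> Verdict {
        // Placeholder for cryptographic verification: a missing or empty signature denies.
        let signed = ctx.provenance_signature.as_deref().map_or(false, |s| !s.is_empty());
        let denial = if !self.verify_integrity() { Some("ConstitutionalIntegrity") }
            else if !signed { Some("UnsignedProvenance") }
            else if ctx.is_self_grant { Some("NoSelfGrant") }
            else if ctx.modifies_kernel { Some("KernelImmutability") }
            else if ctx.bailment.is_none() { Some("ConsentRequired") }
            else { None };
        denial.map_or(Verdict::Permitted, Verdict::Denied)
    }

    fn run(&self, actor: &str, action: &str, bailment: bool, tweak: impl FnOnce(&mut Context)) -> Verdict {
        match self.default_context(actor, action, bailment) {
            None => Verdict::Denied("NoAuthoritySigner"), // fail closed: kernel built with `new()`
            Some(mut ctx) => { tweak(&mut ctx); self.evaluate(&ctx) }
        }
    }

    pub fn adjudicate(&self, actor: &str, action: &str) -> Verdict { self.run(actor, action, true, |_| {}) }
    pub fn adjudicate_self_grant(&self, actor: &str, action: &str) -> Verdict { self.run(actor, action, true, |c| c.is_self_grant = true) }
    pub fn adjudicate_kernel_modification(&self, actor: &str, action: &str) -> Verdict { self.run(actor, action, true, |c| c.modifies_kernel = true) }
    pub fn adjudicate_without_bailment(&self, actor: &str, action: &str) -> Verdict { self.run(actor, action, false, |_| {}) }
}

/// Constructed stand-in signer (reverses the bytes); not a signature scheme.
pub fn placeholder_signer() -> Signer {
    Arc::new(|msg: &[u8]| -> Vec<u8> { msg.iter().rev().copied().collect() })
}

fn main() {
    let kernel = ModelKernel::with_authority("did:exo:authority", placeholder_signer());
    println!("new(): {:?}", ModelKernel::new().adjudicate("did:exo:alice", "read:profile"));
    println!("read: {:?}", kernel.adjudicate("did:exo:alice", "read:profile"));
    println!("self-grant: {:?}", kernel.adjudicate_self_grant("did:exo:alice", "escalate-self"));
}
```

The point of keeping the signer in an Option is that a kernel built with new() can never produce a signed context, so every adjudication from it is denied before any invariant is evaluated; that is the fail-closed behaviour the adjudicate docs describe, and the denial reason makes the misconfiguration visible rather than indistinguishable from an invariant violation. The integrity check runs first on every call for the same reason the page gives: a drifted constitution must not be allowed to permit anything.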
§Examples
use exochain_sdk::kernel::ConstitutionalKernel;
use exo_core::Did;
let authority = exochain_sdk::identity::Identity::generate("authority");
let kernel = ConstitutionalKernel::with_authority_identity(authority);
let actor = Did::new("did:exo:unauth").expect("valid");
let verdict = kernel.adjudicate_without_bailment(&actor, "read-data");
assert!(verdict.is_denied());

pub fn verify_integrity(&self) -> bool
Verify that the kernel’s stored constitution hash matches the configured constitution text.
Returns false if the constitution in memory has drifted from the
hash the kernel was initialised with — which should never happen in
practice, but is checked defensively because constitutional integrity
is a load-bearing invariant.
§Examples
let kernel = ConstitutionalKernel::new();
assert!(kernel.verify_integrity());

pub fn invariant_count(&self) -> usize
Number of constitutional invariants enforced by this kernel (always 8).
§Examples
assert_eq!(ConstitutionalKernel::new().invariant_count(), 8);

Trait Implementations§

impl Debug for ConstitutionalKernel
Auto Trait Implementations§
impl !RefUnwindSafe for ConstitutionalKernel
impl !UnwindSafe for ConstitutionalKernel
impl Freeze for ConstitutionalKernel
impl Send for ConstitutionalKernel
impl Sync for ConstitutionalKernel
impl Unpin for ConstitutionalKernel
impl UnsafeUnpin for ConstitutionalKernel
Blanket Implementations§
impl<T> BorrowMut<T> for T where T: ?Sized,
fn borrow_mut(&mut self) -> &mut T

impl<T> Instrument for T
fn instrument(self, span: Span) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>

impl<T> IntoEither for T
fn into_either(self, into_left: bool) -> Either<Self, Self>
Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise.
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise.