lex_vcs/attestation.rs
1//! Persistent evidence about a stage (#132).
2//!
3//! [`Operation`](crate::Operation) records *what* changed.
4//! [`Intent`](crate::Intent) records *why*. An [`Attestation`] records
5//! *what we know about the result*: did this stage typecheck, did its
6//! examples pass, did a spec prove it, did `lex agent-tool` run it
7//! cleanly under a sandbox.
8//!
9//! Today every verification (`lex check`, `lex agent-tool --spec ...`,
10//! `lex audit --effect ...`) runs, prints a verdict, and exits. The
11//! evidence is ephemeral — there's no persistent answer to "has this
12//! stage ever been spec-checked?" beyond rerunning. That makes
13//! attestations useless as a CI gate and useless as a trust signal
14//! across sessions.
15//!
16//! This module is the foundational data layer for tier-2's evidence
17//! story. Producers (`lex check` emits `TypeCheck`, `lex agent-tool`
18//! emits `Spec` / `Examples` / `DiffBody` / `SandboxRun`) and
19//! consumers (`lex blame --with-evidence`, `GET /v1/stage/<id>/
20//! attestations`) wire to it in subsequent slices.
21//!
22//! # Identity
23//!
24//! [`AttestationId`] is the lowercase-hex SHA-256 of the canonical
25//! form of `(stage_id, op_id, intent_id, kind, result, produced_by)`.
26//! `cost`, `timestamp`, and `signature` are deliberately *not* in the
27//! hash so two independent runs of the same logical verification —
28//! same stage, same kind, same producer, same outcome — produce the
29//! same `attestation_id`. This is the dedup property the issue calls
30//! out: harnesses can ask "has this exact verification been done?"
31//! by checking for the id without rerunning.
32//!
33//! # Storage
34//!
35//! ```text
36//! <root>/attestations/<AttestationId>.json
37//! <root>/attestations/by-stage/<StageId>/<AttestationId>
38//! ```
39//!
40//! The primary file under `attestations/` is the source of truth.
41//! `by-stage/` is a per-stage index — empty marker files whose names
42//! point at the primary record. Rebuildable from primary records on
43//! demand; we write it eagerly so `lex stage <id> --attestations` is
44//! a directory listing rather than a full scan.
45//!
46//! `by-spec/` (mentioned in the issue) is deferred until a producer
47//! actually emits `Spec` attestations against persisted spec ids.
48//!
49//! # Trust model
50//!
51//! Attestations are claims, not proofs. The store doesn't trust
52//! attestations from outside — it just stores them. A maintainer
53//! choosing to skip CI for a stage that already has a passing spec
54//! attestation from a known producer is a *policy* decision, not a
55//! guarantee the store enforces. The optional Ed25519 signature
56//! field exists so an attestation can be cryptographically tied to
57//! a producer (e.g. a CI runner's public key) and the policy
58//! decision auditable. Verifying signatures is out of scope for the
59//! data layer.
60
61use serde::{Deserialize, Serialize};
62use std::collections::BTreeSet;
63use std::fs;
64use std::io::{self, Write};
65use std::path::{Path, PathBuf};
66use std::time::{SystemTime, UNIX_EPOCH};
67
68use crate::canonical;
69use crate::intent::IntentId;
70use crate::operation::{OpId, StageId};
71
72/// Content-addressed identity of an attestation. Lowercase-hex
73/// SHA-256 of the canonical form of
74/// `(stage_id, op_id, intent_id, kind, result, produced_by)`.
75pub type AttestationId = String;
76
77/// Reference to a spec file. Free-form string so callers can use
78/// either a content hash or a logical name; the data layer doesn't
79/// care which. Producers should pick one and stick with it for
80/// dedup to work as expected.
81pub type SpecId = String;
82
83/// Content hash of a file (examples list, body source, etc.). Kept
84/// as a string for the same reason as [`OpId`]: we want this crate
85/// to have no view into the hash function used by callers.
86pub type ContentHash = String;
87
88/// What was verified. The variants mirror the verdict surfaces
89/// `lex agent-tool` and the store-write gate already produce.
90#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
91#[serde(tag = "kind", rename_all = "snake_case")]
92pub enum AttestationKind {
93 /// `lex agent-tool --examples FILE` — body was run against
94 /// `{input, expected}` pairs.
95 Examples {
96 file_hash: ContentHash,
97 count: usize,
98 },
99 /// `lex spec check` or `lex agent-tool --spec FILE` — a
100 /// behavioral contract was checked against the body.
101 Spec {
102 spec_id: SpecId,
103 method: SpecMethod,
104 #[serde(default, skip_serializing_if = "Option::is_none")]
105 trials: Option<usize>,
106 },
107 /// `lex agent-tool --diff-body 'src'` — a second body was run on
108 /// the same inputs and the outputs compared.
109 DiffBody {
110 other_body_hash: ContentHash,
111 input_count: usize,
112 },
113 /// Emitted by the store-write gate (#130) on every accepted op.
114 /// The store can answer "the HEAD typechecks" as a queryable
115 /// fact rather than an implicit invariant.
116 TypeCheck,
117 /// Emitted by `lex audit --effect K` when no violations are
118 /// found. Useful as a trust signal that a stage was checked
119 /// against a specific effect-policy revision.
120 EffectAudit,
121 /// Emitted by `lex agent-tool` on a successful sandboxed run.
122 /// `effects` is the set the sandbox actually allowed; useful for
123 /// answering "did this code run under fs_write?" after the fact.
124 SandboxRun {
125 effects: BTreeSet<String>,
126 },
127 /// Human-issued override (lex-tea v3, #172). Records that a
128 /// human took an action that bypassed an automatic verdict
129 /// — e.g. activating a stage despite a `Spec::Failed` or
130 /// `TypeCheck::Failed` attestation. Subject to the same
131 /// trust trail as agent attestations: the audit fact lives
132 /// in the log alongside what it overrode.
133 ///
134 /// `actor` is the human's identifier (today: `LEX_TEA_USER`
135 /// env var or `--actor` flag; v3b adds session auth).
136 /// `target_attestation_id` points at the attestation being
137 /// overridden, when one exists; for unconditional pins
138 /// (e.g. activate-by-default) it can be `None`.
139 Override {
140 actor: String,
141 reason: String,
142 #[serde(default, skip_serializing_if = "Option::is_none")]
143 target_attestation_id: Option<AttestationId>,
144 },
145 /// `lex stage defer` (lex-tea v3b, #172). Records that a human
146 /// looked at the stage and chose to revisit it later. No state
147 /// change — purely an audit/triage signal so dashboards and AI
148 /// reviewers can see "this isn't abandoned, it's snoozed."
149 Defer {
150 actor: String,
151 reason: String,
152 },
153 /// `lex stage block` (lex-tea v3b, #172). Records that a human
154 /// has decided this stage should not activate. `lex stage pin`
155 /// and any other activation path consults the attestation log
156 /// and refuses while a Block is the latest decision for the
157 /// stage. Reversed by [`AttestationKind::Unblock`].
158 Block {
159 actor: String,
160 reason: String,
161 },
162 /// `lex stage unblock` (lex-tea v3b, #172). Counterpart to
163 /// [`AttestationKind::Block`]. The attestation log is append-
164 /// only, so we encode "block lifted" as a separate, later fact
165 /// rather than mutating the original block.
166 Unblock {
167 actor: String,
168 reason: String,
169 },
170 /// `lex run --trace` finalized a [`lex_trace::TraceTree`] (#246).
171 /// Links the trace blob to the stage that was the run's entry
172 /// point. The trace itself stays at
173 /// `<store>/traces/<run_id>/trace.json` (per
174 /// `docs/design/trace-vs-vcs.md`); this attestation is the
175 /// audit-side hook so `lex attest filter --kind trace` and
176 /// cross-store sync can reason about runs without copying the
177 /// trace bytes.
178 ///
179 /// `root_target` is the entry function's `SigId` — the call site
180 /// the user (or agent) typed on the command line. Distinct from
181 /// `Attestation::stage_id`, which records the *content-addressed*
182 /// stage the entry function resolved to; the same `root_target`
183 /// across multiple body edits surfaces as multiple
184 /// `(stage_id, root_target)` rows in the attestation log.
185 Trace {
186 run_id: TraceRunId,
187 root_target: super::operation::SigId,
188 },
189 /// Retroactive producer quarantine (#248). Declares "as of
190 /// `blocked_at`, attestations produced by `tool_id` are no
191 /// longer trusted; the branch advance gate must refuse to move
192 /// past any op whose attestations were produced by this tool
193 /// at or after `blocked_at`."
194 ///
195 /// Distinct from `policy.json`'s `blocked_producers` (#181):
196 /// that is a *forward-going* read-time tag for the activity
197 /// feed; this is a write-time gate on branch advance, retro-
198 /// active to a specific timestamp. The two compose cleanly —
199 /// `blocked_producers` filters what reviewers see; `ProducerBlock`
200 /// stops a compromised tool's history from being promoted past
201 /// a known-bad point.
202 ///
203 /// Stored at the attestation log under `stage_id == tool_id`
204 /// so the by-stage index doubles as a by-tool lookup for these
205 /// records — no schema break, no separate index needed.
206 /// `Attestation::stage_id` carries the `tool_id` for these
207 /// records; the variant payload duplicates it for clarity in
208 /// the JSON.
209 ProducerBlock {
210 tool_id: String,
211 reason: String,
212 blocked_at: u64,
213 },
214 /// Counterpart to [`AttestationKind::ProducerBlock`] (#248). The
215 /// attestation log is append-only, so revoking a producer block
216 /// is a separate, later fact rather than a delete. The branch
217 /// advance gate honors the most recent verdict for each
218 /// `tool_id` by timestamp.
219 ProducerUnblock {
220 tool_id: String,
221 reason: String,
222 unblocked_at: u64,
223 },
224 /// Auto-emitted by `Store::apply_operation_checked` when an op
225 /// is rejected for `TypeError` (#281). Records the failed op's
226 /// id, the structured type-error envelope, and an optional
227 /// suggested-transform payload (left empty by the gate; the
228 /// `lex repair --apply` flow populates it via LLM call). The
229 /// hint is attached to the candidate stage that didn't
230 /// typecheck, so `lex_vcs::AttestationLog::list_for_stage`
231 /// surfaces it on the next read.
232 ///
233 /// Schema: `errors` and `suggested_transform` are
234 /// `serde_json::Value` to keep this crate independent of
235 /// `lex-types::TypeError` (which lives downstream) and to let
236 /// the slice-2 LLM integration ship without a schema bump.
237 RepairHint {
238 failed_op_id: super::operation::OpId,
239 errors: serde_json::Value,
240 #[serde(default, skip_serializing_if = "Option::is_none")]
241 suggested_transform: Option<serde_json::Value>,
242 },
243 /// Records one iteration of `lex repair --apply` (#281). The
244 /// repair loop emits a chain of `RepairAttempt`s — one per
245 /// applied transform — so the audit trail walks the agent's
246 /// fix progression.
247 RepairAttempt {
248 hint_id: super::operation::OpId,
249 /// Outcome tag: `passed` / `failed` / `skipped`.
250 outcome: String,
251 #[serde(default, skip_serializing_if = "Option::is_none")]
252 applied_op_id: Option<super::operation::OpId>,
253 },
254 /// Positive trust signal for a producer (#293). Complement to
255 /// [`Self::ProducerBlock`]. Computed from a producer's recent
256 /// history of (passed, failed, inconclusive) attestations;
257 /// not manually set. `score_thousandths` is in `[0, 1000]`
258 /// (representing `0.0 .. 1.0`); fixed-point because
259 /// `AttestationKind` is `Eq` for content-addressed hashing,
260 /// which `f64` doesn't implement. Consumers (the
261 /// `required_attestations` gate) may waive a requirement
262 /// when the latest score for a tool exceeds a configured
263 /// threshold in `policy.required_attestations[].skip_if_producer_trust_thousandths_above`.
264 ///
265 /// Refuses to grant trust to a tool with an active
266 /// `ProducerBlock` (the hard veto wins).
267 ///
268 /// Stored under `stage_id == tool_id` so the by-stage index
269 /// doubles as a per-tool lookup — same trick `ProducerBlock`
270 /// uses.
271 ProducerTrust {
272 tool_id: String,
273 /// Score × 1000, clamped to `[0, 1000]`. Derived from
274 /// `passed / (passed + failed + inconclusive)` over the
275 /// last `window` attestations from this tool.
276 score_thousandths: u32,
277 /// Free-form reference to the evidence corpus the score
278 /// was derived from — e.g. "window=1000 as of <head_op>".
279 evidence: String,
280 granted_by: String,
281 },
282 /// Records that the `required_attestations` gate waived a
283 /// requirement because the producer's `ProducerTrust` score
284 /// exceeded the configured threshold (#293). Audit signal —
285 /// not load-bearing for gate decisions, but ensures every
286 /// skip is recoverable from the attestation log.
287 TrustWaived {
288 /// Tool whose trust score caused the waiver.
289 producer: String,
290 /// Latest score (× 1000) consulted at gate time.
291 score_thousandths: u32,
292 /// Threshold (× 1000) from the policy rule.
293 threshold_thousandths: u32,
294 /// Which required-attestation kind tag was skipped
295 /// (e.g. `spec`, `type_check`).
296 kind_tag: String,
297 },
298}
299
300/// Walk a tool's `ProducerBlock` / `ProducerUnblock` attestations
301/// and return the active block timestamp, if any (#248). The
302/// attestation log is append-only, so a tool's state is whichever
303/// `ProducerBlock` / `ProducerUnblock` record has the latest
304/// `timestamp`. Returns `Some(blocked_at)` when the latest verdict
305/// is a `ProducerBlock` and `None` when the latest is an unblock or
306/// no verdict exists.
307///
308/// Ties: a `ProducerUnblock` at the same wall-clock second as a
309/// `ProducerBlock` wins, so re-running an unblock immediately after
310/// a block leaves the tool unblocked. Mirrors the tie-breaking in
311/// [`is_stage_blocked`].
312pub fn active_producer_block(
313 attestations: &[Attestation],
314 tool_id: &str,
315) -> Option<u64> {
316 let mut latest: Option<&Attestation> = None;
317 for a in attestations {
318 let matches = match &a.kind {
319 AttestationKind::ProducerBlock { tool_id: tid, .. }
320 | AttestationKind::ProducerUnblock { tool_id: tid, .. } => tid == tool_id,
321 _ => false,
322 };
323 if !matches {
324 continue;
325 }
326 match latest {
327 None => latest = Some(a),
328 Some(prev) if a.timestamp > prev.timestamp => latest = Some(a),
329 Some(prev) if a.timestamp == prev.timestamp
330 && matches!(a.kind, AttestationKind::ProducerUnblock { .. }) =>
331 {
332 latest = Some(a);
333 }
334 _ => {}
335 }
336 }
337 match latest.map(|a| &a.kind) {
338 Some(AttestationKind::ProducerBlock { blocked_at, .. }) => Some(*blocked_at),
339 _ => None,
340 }
341}
342
343/// Stable identifier for a [`lex_trace::TraceTree`]. Mirrors the
344/// `run_id` field on the trace JSON; kept as a `String` so this
345/// crate doesn't pull `lex-trace` in.
346pub type TraceRunId = String;
347
348/// Walk a stage's attestations and return whether the latest
349/// Block/Unblock decision is currently a Block. Used by
350/// activation paths (e.g. `lex stage pin`) to refuse when a
351/// human has signalled the stage shouldn't ship.
352///
353/// "Latest" is defined by `timestamp`, which matches what users
354/// see in `lex stage <id> --attestations`. Ties go to Unblock so
355/// retrying an unblock right after a block (same wall-clock
356/// second) doesn't leave the stage stuck.
357pub fn is_stage_blocked(attestations: &[Attestation]) -> bool {
358 let mut latest: Option<&Attestation> = None;
359 for a in attestations {
360 if !matches!(a.kind, AttestationKind::Block { .. } | AttestationKind::Unblock { .. }) {
361 continue;
362 }
363 match latest {
364 None => latest = Some(a),
365 Some(prev) if a.timestamp > prev.timestamp => latest = Some(a),
366 Some(prev) if a.timestamp == prev.timestamp
367 && matches!(a.kind, AttestationKind::Unblock { .. }) =>
368 {
369 latest = Some(a);
370 }
371 _ => {}
372 }
373 }
374 matches!(latest.map(|a| &a.kind), Some(AttestationKind::Block { .. }))
375}
376
377/// Verification method for [`AttestationKind::Spec`]. Mirrors the
378/// tag the spec checker already uses — kept as a string so the
379/// vcs crate doesn't have to pull `spec-checker` in.
380#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
381#[serde(rename_all = "snake_case")]
382pub enum SpecMethod {
383 /// Exhaustive search; `trials` is unset.
384 Exhaustive,
385 /// Random sampling; `trials` carries the sample count.
386 Random,
387 /// Symbolic execution.
388 Symbolic,
389}
390
391/// Whether the verification succeeded. `Inconclusive` is its own
392/// state because some checkers (e.g. random-sampling spec checks
393/// over an unbounded input space) can pass within their budget
394/// without proving the contract holds in general.
395#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
396#[serde(tag = "result", rename_all = "snake_case")]
397pub enum AttestationResult {
398 Passed,
399 Failed { detail: String },
400 Inconclusive { detail: String },
401}
402
403/// Who produced this attestation. `tool` is the CLI / harness name
404/// (`"lex check"`, `"lex agent-tool"`, `"ci-runner@v3"`). `version`
405/// pins the tool revision so a regression in the producer is
406/// distinguishable from a regression in the code being verified.
407/// `model` is set when an LLM was the proximate producer — for
408/// `--spec`-style runs the harness is the producer; for `lex
409/// agent-tool` the model is, and we want both recorded.
410#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
411pub struct ProducerDescriptor {
412 pub tool: String,
413 pub version: String,
414 #[serde(default, skip_serializing_if = "Option::is_none")]
415 pub model: Option<String>,
416}
417
418/// Optional cost record. Excluded from the attestation hash so
419/// rerunning a verification on a different machine (different
420/// wall-clock, different token pricing) doesn't break dedup.
421#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
422pub struct Cost {
423 #[serde(default, skip_serializing_if = "Option::is_none")]
424 pub tokens_in: Option<u64>,
425 #[serde(default, skip_serializing_if = "Option::is_none")]
426 pub tokens_out: Option<u64>,
427 /// USD cents (avoid floating-point in persisted form).
428 #[serde(default, skip_serializing_if = "Option::is_none")]
429 pub usd_cents: Option<u64>,
430 #[serde(default, skip_serializing_if = "Option::is_none")]
431 pub wall_time_ms: Option<u64>,
432}
433
434/// Optional Ed25519 signature over the attestation hash. Verifying
435/// it is the consumer's job; the data layer just stores the bytes.
436#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
437pub struct Signature {
438 /// Hex-encoded Ed25519 public key.
439 pub public_key: String,
440 /// Hex-encoded signature over the lowercase-hex `attestation_id`.
441 pub signature: String,
442}
443
444/// The persisted attestation. See module docs for what each field
445/// is, what's in the hash, and what isn't.
446#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
447pub struct Attestation {
448 pub attestation_id: AttestationId,
449 pub stage_id: StageId,
450 #[serde(default, skip_serializing_if = "Option::is_none")]
451 pub op_id: Option<OpId>,
452 #[serde(default, skip_serializing_if = "Option::is_none")]
453 pub intent_id: Option<IntentId>,
454 pub kind: AttestationKind,
455 pub result: AttestationResult,
456 pub produced_by: ProducerDescriptor,
457 #[serde(default, skip_serializing_if = "Option::is_none")]
458 pub cost: Option<Cost>,
459 /// Wall-clock seconds since epoch when this attestation was
460 /// produced. Excluded from `attestation_id` so the dedup
461 /// property holds across runs.
462 pub timestamp: u64,
463 #[serde(default, skip_serializing_if = "Option::is_none")]
464 pub signature: Option<Signature>,
465}
466
467impl Attestation {
468 /// Build an attestation against a stage, computing its
469 /// content-addressed id. `timestamp` defaults to the current
470 /// wall clock; pass to [`Attestation::with_timestamp`] in tests.
471 #[allow(clippy::too_many_arguments)]
472 pub fn new(
473 stage_id: impl Into<StageId>,
474 op_id: Option<OpId>,
475 intent_id: Option<IntentId>,
476 kind: AttestationKind,
477 result: AttestationResult,
478 produced_by: ProducerDescriptor,
479 cost: Option<Cost>,
480 ) -> Self {
481 let now = SystemTime::now()
482 .duration_since(UNIX_EPOCH)
483 .map(|d| d.as_secs())
484 .unwrap_or(0);
485 Self::with_timestamp(stage_id, op_id, intent_id, kind, result, produced_by, cost, now)
486 }
487
488 /// Build an attestation with a caller-controlled `timestamp`.
489 /// Used in tests to keep golden hashes stable.
490 #[allow(clippy::too_many_arguments)]
491 pub fn with_timestamp(
492 stage_id: impl Into<StageId>,
493 op_id: Option<OpId>,
494 intent_id: Option<IntentId>,
495 kind: AttestationKind,
496 result: AttestationResult,
497 produced_by: ProducerDescriptor,
498 cost: Option<Cost>,
499 timestamp: u64,
500 ) -> Self {
501 let stage_id = stage_id.into();
502 let attestation_id = compute_attestation_id(
503 &stage_id,
504 op_id.as_deref(),
505 intent_id.as_deref(),
506 &kind,
507 &result,
508 &produced_by,
509 );
510 Self {
511 attestation_id,
512 stage_id,
513 op_id,
514 intent_id,
515 kind,
516 result,
517 produced_by,
518 cost,
519 timestamp,
520 signature: None,
521 }
522 }
523
524 /// Attach a signature. The signature is not part of the hash;
525 /// the same logical attestation produced by an unsigned harness
526 /// dedupes against a signed one. Callers who *want* signature
527 /// to be part of identity should hash signature into the
528 /// `produced_by.tool` string explicitly.
529 pub fn with_signature(mut self, signature: Signature) -> Self {
530 self.signature = Some(signature);
531 self
532 }
533}
534
535fn compute_attestation_id(
536 stage_id: &str,
537 op_id: Option<&str>,
538 intent_id: Option<&str>,
539 kind: &AttestationKind,
540 result: &AttestationResult,
541 produced_by: &ProducerDescriptor,
542) -> AttestationId {
543 let view = CanonicalAttestationView {
544 stage_id,
545 op_id,
546 intent_id,
547 kind,
548 result,
549 produced_by,
550 };
551 canonical::hash(&view)
552}
553
554/// Hashable shadow of [`Attestation`] omitting the fields we
555/// deliberately exclude from identity (`attestation_id`, `cost`,
556/// `timestamp`, `signature`). Lives only as a transient.
557#[derive(Serialize)]
558struct CanonicalAttestationView<'a> {
559 stage_id: &'a str,
560 #[serde(skip_serializing_if = "Option::is_none")]
561 op_id: Option<&'a str>,
562 #[serde(skip_serializing_if = "Option::is_none")]
563 intent_id: Option<&'a str>,
564 kind: &'a AttestationKind,
565 result: &'a AttestationResult,
566 produced_by: &'a ProducerDescriptor,
567}
568
569// ---- Persistence -------------------------------------------------
570
571/// Persistent log of [`Attestation`] records.
572///
573/// Mirrors [`crate::OpLog`] / [`crate::IntentLog`] in shape: one
574/// canonical-JSON file per attestation, atomic writes via tempfile +
575/// rename, idempotent on re-puts. Maintains two secondary indices
576/// for cheap reverse lookups:
577///
578/// * `by-stage/<StageId>/<AttestationId>` — every attestation,
579/// indexed by the stage it records evidence for.
580/// * `by-run/<TraceRunId>/<AttestationId>` (#246) — only
581/// `AttestationKind::Trace` entries are indexed here, so
582/// `list_for_run` is `O(traces of that run)` rather than scanning
583/// the whole log.
584pub struct AttestationLog {
585 dir: PathBuf,
586 by_stage: PathBuf,
587 by_run: PathBuf,
588}
589
590impl AttestationLog {
591 pub fn open(root: &Path) -> io::Result<Self> {
592 let dir = root.join("attestations");
593 let by_stage = dir.join("by-stage");
594 let by_run = dir.join("by-run");
595 fs::create_dir_all(&by_stage)?;
596 fs::create_dir_all(&by_run)?;
597 Ok(Self { dir, by_stage, by_run })
598 }
599
600 fn primary_path(&self, id: &AttestationId) -> PathBuf {
601 self.dir.join(format!("{id}.json"))
602 }
603
604 /// Persist an attestation. Idempotent on existing ids — content
605 /// addressing guarantees the same logical attestation produces
606 /// the same id, so re-putting is a no-op for the primary file.
607 /// The by-stage index is also re-written idempotently.
608 pub fn put(&self, attestation: &Attestation) -> io::Result<()> {
609 let primary = self.primary_path(&attestation.attestation_id);
610 if !primary.exists() {
611 let bytes = serde_json::to_vec(attestation)
612 .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?;
613 let tmp = primary.with_extension("json.tmp");
614 let mut f = fs::File::create(&tmp)?;
615 f.write_all(&bytes)?;
616 f.sync_all()?;
617 fs::rename(&tmp, &primary)?;
618 }
619 // Index entry: empty marker file. Reading the index is a
620 // directory listing; resolving each entry is a primary-file
621 // read by id.
622 let stage_dir = self.by_stage.join(&attestation.stage_id);
623 fs::create_dir_all(&stage_dir)?;
624 let idx = stage_dir.join(&attestation.attestation_id);
625 if !idx.exists() {
626 fs::File::create(&idx)?;
627 }
628 // by-run secondary index for Trace attestations (#246) —
629 // only the variants that carry a `run_id` are indexed; every
630 // other kind skips this directory entirely.
631 if let AttestationKind::Trace { run_id, .. } = &attestation.kind {
632 let run_dir = self.by_run.join(run_id);
633 fs::create_dir_all(&run_dir)?;
634 let idx = run_dir.join(&attestation.attestation_id);
635 if !idx.exists() {
636 fs::File::create(&idx)?;
637 }
638 }
639 Ok(())
640 }
641
642 /// Remove an attestation from the log along with both index
643 /// entries (#258). Idempotent on missing files.
644 ///
645 /// **Not** part of the day-to-day API — the attestation log is
646 /// append-only by design (#132). The only legitimate caller is
647 /// the migration tool, which supervises a destructive,
648 /// `--confirm`-gated batch.
649 pub fn delete(&self, attestation: &Attestation) -> io::Result<()> {
650 let primary = self.primary_path(&attestation.attestation_id);
651 match fs::remove_file(&primary) {
652 Ok(()) | Err(_) => {} // best-effort; missing is fine
653 }
654 let stage_idx = self.by_stage
655 .join(&attestation.stage_id)
656 .join(&attestation.attestation_id);
657 let _ = fs::remove_file(&stage_idx);
658 if let AttestationKind::Trace { run_id, .. } = &attestation.kind {
659 let run_idx = self.by_run.join(run_id).join(&attestation.attestation_id);
660 let _ = fs::remove_file(&run_idx);
661 }
662 Ok(())
663 }
664
665 pub fn get(&self, id: &AttestationId) -> io::Result<Option<Attestation>> {
666 let path = self.primary_path(id);
667 if !path.exists() {
668 return Ok(None);
669 }
670 let bytes = fs::read(&path)?;
671 let attestation: Attestation = serde_json::from_slice(&bytes)
672 .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?;
673 Ok(Some(attestation))
674 }
675
676 /// Enumerate every attestation in the log. Walks
677 /// `<root>/attestations/*.json` directly — no per-stage index
678 /// — so cost is `O(total attestations)`. Used by `lex attest
679 /// filter` for CI / dashboard queries that span stages.
680 /// Order is not stable; callers that need stable ordering
681 /// should sort by `timestamp` or `attestation_id`.
682 pub fn list_all(&self) -> io::Result<Vec<Attestation>> {
683 let mut out = Vec::new();
684 if !self.dir.exists() {
685 return Ok(out);
686 }
687 for entry in fs::read_dir(&self.dir)? {
688 let entry = entry?;
689 let p = entry.path();
690 // Skip the by-stage/ subdir and the .tmp staging files
691 // a crashed put might have left behind.
692 if p.is_dir() {
693 continue;
694 }
695 if p.extension().is_none_or(|e| e != "json") {
696 continue;
697 }
698 let bytes = fs::read(&p)?;
699 // A corrupt primary file shouldn't take down a filter
700 // query — log to stderr and skip.
701 match serde_json::from_slice::<Attestation>(&bytes) {
702 Ok(att) => out.push(att),
703 Err(e) => eprintln!(
704 "warning: skipping unreadable attestation {}: {e}",
705 p.display()
706 ),
707 }
708 }
709 Ok(out)
710 }
711
712 /// Enumerate attestations for a given stage. Order is not
713 /// stable across calls (it follows directory iteration order).
714 /// Callers that need a stable ordering should sort by
715 /// `timestamp` or `attestation_id`.
716 pub fn list_for_stage(&self, stage_id: &StageId) -> io::Result<Vec<Attestation>> {
717 let stage_dir = self.by_stage.join(stage_id);
718 if !stage_dir.exists() {
719 return Ok(Vec::new());
720 }
721 let mut out = Vec::new();
722 for entry in fs::read_dir(&stage_dir)? {
723 let entry = entry?;
724 let id = match entry.file_name().into_string() {
725 Ok(s) => s,
726 Err(_) => continue,
727 };
728 if let Some(att) = self.get(&id)? {
729 out.push(att);
730 }
731 }
732 Ok(out)
733 }
734
735 /// Enumerate `AttestationKind::Trace` entries for a given
736 /// `run_id` (#246). Walks the `by-run/<run_id>/` directory; cost
737 /// is `O(trace attestations for that run)`, typically 1.
738 /// Returns an empty vec if the run has no Trace attestations.
739 /// Order is not stable.
740 pub fn list_for_run(&self, run_id: &TraceRunId) -> io::Result<Vec<Attestation>> {
741 let run_dir = self.by_run.join(run_id);
742 if !run_dir.exists() {
743 return Ok(Vec::new());
744 }
745 let mut out = Vec::new();
746 for entry in fs::read_dir(&run_dir)? {
747 let entry = entry?;
748 let id = match entry.file_name().into_string() {
749 Ok(s) => s,
750 Err(_) => continue,
751 };
752 if let Some(att) = self.get(&id)? {
753 out.push(att);
754 }
755 }
756 Ok(out)
757 }
758}
759
760// ---- Tests --------------------------------------------------------
761
762#[cfg(test)]
763mod tests {
764 use super::*;
765
766 fn ci_runner() -> ProducerDescriptor {
767 ProducerDescriptor {
768 tool: "lex check".into(),
769 version: "0.1.0".into(),
770 model: None,
771 }
772 }
773
774 fn typecheck_passed() -> Attestation {
775 Attestation::with_timestamp(
776 "stage-abc",
777 Some("op-123".into()),
778 None,
779 AttestationKind::TypeCheck,
780 AttestationResult::Passed,
781 ci_runner(),
782 None,
783 1000,
784 )
785 }
786
787 #[test]
788 fn same_logical_verification_hashes_equal() {
789 // Dedup invariant: same stage, same kind, same producer,
790 // same outcome → same `attestation_id` regardless of
791 // wall-clock or cost.
792 let a = typecheck_passed();
793 let b = Attestation::with_timestamp(
794 "stage-abc",
795 Some("op-123".into()),
796 None,
797 AttestationKind::TypeCheck,
798 AttestationResult::Passed,
799 ci_runner(),
800 Some(Cost {
801 tokens_in: Some(0),
802 tokens_out: Some(0),
803 usd_cents: Some(0),
804 wall_time_ms: Some(42),
805 }),
806 99999,
807 );
808 assert_eq!(a.attestation_id, b.attestation_id);
809 }
810
811 #[test]
812 fn different_stages_hash_differently() {
813 let a = typecheck_passed();
814 let b = Attestation::with_timestamp(
815 "stage-XYZ",
816 Some("op-123".into()),
817 None,
818 AttestationKind::TypeCheck,
819 AttestationResult::Passed,
820 ci_runner(),
821 None,
822 1000,
823 );
824 assert_ne!(a.attestation_id, b.attestation_id);
825 }
826
827 #[test]
828 fn different_op_ids_hash_differently() {
829 let a = typecheck_passed();
830 let b = Attestation::with_timestamp(
831 "stage-abc",
832 Some("op-XYZ".into()),
833 None,
834 AttestationKind::TypeCheck,
835 AttestationResult::Passed,
836 ci_runner(),
837 None,
838 1000,
839 );
840 assert_ne!(a.attestation_id, b.attestation_id);
841 }
842
843 #[test]
844 fn different_intents_hash_differently() {
845 let a = Attestation::with_timestamp(
846 "stage-abc", None,
847 Some("intent-A".into()),
848 AttestationKind::TypeCheck, AttestationResult::Passed,
849 ci_runner(), None, 1000,
850 );
851 let b = Attestation::with_timestamp(
852 "stage-abc", None,
853 Some("intent-B".into()),
854 AttestationKind::TypeCheck, AttestationResult::Passed,
855 ci_runner(), None, 1000,
856 );
857 assert_ne!(a.attestation_id, b.attestation_id);
858 }
859
860 #[test]
861 fn different_kinds_hash_differently() {
862 let a = typecheck_passed();
863 let b = Attestation::with_timestamp(
864 "stage-abc",
865 Some("op-123".into()),
866 None,
867 AttestationKind::EffectAudit,
868 AttestationResult::Passed,
869 ci_runner(),
870 None,
871 1000,
872 );
873 assert_ne!(a.attestation_id, b.attestation_id);
874 }
875
876 #[test]
877 fn passed_vs_failed_hash_differently() {
878 // Critical: a Failed attestation must not collide with a
879 // Passed one for the same logical verification. Otherwise
880 // a flaky producer could overwrite the negative evidence
881 // by re-running and getting Passed.
882 let a = typecheck_passed();
883 let b = Attestation::with_timestamp(
884 "stage-abc",
885 Some("op-123".into()),
886 None,
887 AttestationKind::TypeCheck,
888 AttestationResult::Failed { detail: "arity mismatch".into() },
889 ci_runner(),
890 None,
891 1000,
892 );
893 assert_ne!(a.attestation_id, b.attestation_id);
894 }
895
896 #[test]
897 fn different_producers_hash_differently() {
898 let a = typecheck_passed();
899 let mut other = ci_runner();
900 other.tool = "third-party-runner".into();
901 let b = Attestation::with_timestamp(
902 "stage-abc",
903 Some("op-123".into()),
904 None,
905 AttestationKind::TypeCheck,
906 AttestationResult::Passed,
907 other,
908 None,
909 1000,
910 );
911 assert_ne!(
912 a.attestation_id, b.attestation_id,
913 "an attestation from a different producer is a different fact",
914 );
915 }
916
917 #[test]
918 fn signature_is_excluded_from_hash() {
919 // A signed and unsigned attestation of the same logical
920 // fact must dedupe. Otherwise late-signing a record would
921 // create two attestations that say the same thing.
922 let a = typecheck_passed();
923 let b = typecheck_passed().with_signature(Signature {
924 public_key: "ed25519:fffe".into(),
925 signature: "0xabcd".into(),
926 });
927 assert_eq!(a.attestation_id, b.attestation_id);
928 }
929
930 #[test]
931 fn attestation_id_is_64_char_lowercase_hex() {
932 let a = typecheck_passed();
933 assert_eq!(a.attestation_id.len(), 64);
934 assert!(a
935 .attestation_id
936 .chars()
937 .all(|c| c.is_ascii_digit() || ('a'..='f').contains(&c)));
938 }
939
940 #[test]
941 fn round_trip_through_serde_json() {
942 let a = Attestation::with_timestamp(
943 "stage-abc",
944 Some("op-123".into()),
945 Some("intent-A".into()),
946 AttestationKind::Spec {
947 spec_id: "clamp.spec".into(),
948 method: SpecMethod::Random,
949 trials: Some(1000),
950 },
951 AttestationResult::Passed,
952 ProducerDescriptor {
953 tool: "lex agent-tool".into(),
954 version: "0.1.0".into(),
955 model: Some("claude-opus-4-7".into()),
956 },
957 Some(Cost {
958 tokens_in: Some(1234),
959 tokens_out: Some(567),
960 usd_cents: Some(2),
961 wall_time_ms: Some(3400),
962 }),
963 99,
964 )
965 .with_signature(Signature {
966 public_key: "ed25519:abc".into(),
967 signature: "0x1234".into(),
968 });
969 let json = serde_json::to_string(&a).unwrap();
970 let back: Attestation = serde_json::from_str(&json).unwrap();
971 assert_eq!(a, back);
972 }
973
974 /// Golden hash. If this changes, the canonical form has shifted
975 /// — every `AttestationId` in every existing store has changed
976 /// too. Update with care; same protective shape as the
977 /// `Operation` and `Intent` golden tests.
978 #[test]
979 fn canonical_form_is_stable_for_a_known_input() {
980 let a = Attestation::with_timestamp(
981 "stage-abc",
982 Some("op-123".into()),
983 None,
984 AttestationKind::TypeCheck,
985 AttestationResult::Passed,
986 ProducerDescriptor {
987 tool: "lex check".into(),
988 version: "0.1.0".into(),
989 model: None,
990 },
991 None,
992 0,
993 );
994 assert_eq!(
995 a.attestation_id,
996 "a4ef921f7bb0db70779c5b698cda1744d49165a4a56aa8414bdbafc85bcbc16b",
997 "canonical-form regression: the AttestationId for a known input changed",
998 );
999 }
1000
1001 // ---- AttestationLog ----
1002
1003 #[test]
1004 fn log_round_trips_through_disk() {
1005 let tmp = tempfile::tempdir().unwrap();
1006 let log = AttestationLog::open(tmp.path()).unwrap();
1007 let a = typecheck_passed();
1008 log.put(&a).unwrap();
1009 let read_back = log.get(&a.attestation_id).unwrap().unwrap();
1010 assert_eq!(a, read_back);
1011 }
1012
1013 #[test]
1014 fn log_get_unknown_returns_none() {
1015 let tmp = tempfile::tempdir().unwrap();
1016 let log = AttestationLog::open(tmp.path()).unwrap();
1017 assert!(log
1018 .get(&"nonexistent".to_string())
1019 .unwrap()
1020 .is_none());
1021 }
1022
1023 #[test]
1024 fn log_put_is_idempotent() {
1025 let tmp = tempfile::tempdir().unwrap();
1026 let log = AttestationLog::open(tmp.path()).unwrap();
1027 let a = typecheck_passed();
1028 log.put(&a).unwrap();
1029 log.put(&a).unwrap();
1030 let read_back = log.get(&a.attestation_id).unwrap().unwrap();
1031 assert_eq!(a, read_back);
1032 }
1033
1034 #[test]
1035 fn list_for_stage_returns_only_that_stage() {
1036 let tmp = tempfile::tempdir().unwrap();
1037 let log = AttestationLog::open(tmp.path()).unwrap();
1038
1039 let on_abc_1 = typecheck_passed();
1040 let on_abc_2 = Attestation::with_timestamp(
1041 "stage-abc",
1042 Some("op-123".into()),
1043 None,
1044 AttestationKind::EffectAudit,
1045 AttestationResult::Passed,
1046 ci_runner(),
1047 None,
1048 2000,
1049 );
1050 let on_xyz = Attestation::with_timestamp(
1051 "stage-xyz",
1052 Some("op-456".into()),
1053 None,
1054 AttestationKind::TypeCheck,
1055 AttestationResult::Passed,
1056 ci_runner(),
1057 None,
1058 1000,
1059 );
1060
1061 log.put(&on_abc_1).unwrap();
1062 log.put(&on_abc_2).unwrap();
1063 log.put(&on_xyz).unwrap();
1064
1065 let mut on_abc = log.list_for_stage(&"stage-abc".to_string()).unwrap();
1066 on_abc.sort_by_key(|a| a.timestamp);
1067 assert_eq!(on_abc.len(), 2);
1068 assert_eq!(on_abc[0], on_abc_1);
1069 assert_eq!(on_abc[1], on_abc_2);
1070
1071 let on_xyz_listed = log.list_for_stage(&"stage-xyz".to_string()).unwrap();
1072 assert_eq!(on_xyz_listed.len(), 1);
1073 assert_eq!(on_xyz_listed[0], on_xyz);
1074 }
1075
1076 #[test]
1077 fn list_for_unknown_stage_is_empty() {
1078 let tmp = tempfile::tempdir().unwrap();
1079 let log = AttestationLog::open(tmp.path()).unwrap();
1080 let v = log.list_for_stage(&"never-attested".to_string()).unwrap();
1081 assert!(v.is_empty());
1082 }
1083
1084 #[test]
1085 fn list_all_returns_every_persisted_attestation() {
1086 // Cross-stage enumeration: `list_all` walks the primary
1087 // directory regardless of stage, so a CI / dashboard query
1088 // can filter across the whole log without iterating the
1089 // by-stage index.
1090 let tmp = tempfile::tempdir().unwrap();
1091 let log = AttestationLog::open(tmp.path()).unwrap();
1092 let on_abc = typecheck_passed();
1093 let on_xyz = Attestation::with_timestamp(
1094 "stage-xyz",
1095 Some("op-456".into()),
1096 None,
1097 AttestationKind::TypeCheck,
1098 AttestationResult::Passed,
1099 ci_runner(),
1100 None,
1101 2000,
1102 );
1103 log.put(&on_abc).unwrap();
1104 log.put(&on_xyz).unwrap();
1105 let mut all = log.list_all().unwrap();
1106 all.sort_by_key(|a| a.attestation_id.clone());
1107 assert_eq!(all.len(), 2);
1108 let ids: BTreeSet<_> = all.iter().map(|a| a.attestation_id.clone()).collect();
1109 assert!(ids.contains(&on_abc.attestation_id));
1110 assert!(ids.contains(&on_xyz.attestation_id));
1111 }
1112
1113 #[test]
1114 fn list_all_on_empty_log_is_empty() {
1115 let tmp = tempfile::tempdir().unwrap();
1116 let log = AttestationLog::open(tmp.path()).unwrap();
1117 let v = log.list_all().unwrap();
1118 assert!(v.is_empty());
1119 }
1120
1121 #[test]
1122 fn passed_and_failed_for_same_stage_both_persist() {
1123 // Failure attestations are evidence too; they must not be
1124 // overwritten by a later passing attestation. The hash
1125 // distinction (tested above) plus the by-stage listing
1126 // should keep both visible.
1127 let tmp = tempfile::tempdir().unwrap();
1128 let log = AttestationLog::open(tmp.path()).unwrap();
1129
1130 let passed = typecheck_passed();
1131 let failed = Attestation::with_timestamp(
1132 "stage-abc",
1133 Some("op-123".into()),
1134 None,
1135 AttestationKind::TypeCheck,
1136 AttestationResult::Failed { detail: "arity mismatch".into() },
1137 ci_runner(),
1138 None,
1139 500,
1140 );
1141
1142 log.put(&failed).unwrap();
1143 log.put(&passed).unwrap();
1144
1145 let listing = log.list_for_stage(&"stage-abc".to_string()).unwrap();
1146 assert_eq!(listing.len(), 2, "both passing and failing evidence must persist");
1147 }
1148
1149 fn human_decision(kind: AttestationKind, ts: u64) -> Attestation {
1150 Attestation::with_timestamp(
1151 "stage-abc",
1152 None, None,
1153 kind,
1154 AttestationResult::Passed,
1155 ProducerDescriptor {
1156 tool: "lex stage".into(),
1157 version: "0.1.0".into(),
1158 model: None,
1159 },
1160 None,
1161 ts,
1162 )
1163 }
1164
1165 #[test]
1166 fn is_stage_blocked_empty_log_is_false() {
1167 assert!(!is_stage_blocked(&[]));
1168 }
1169
1170 #[test]
1171 fn is_stage_blocked_only_unrelated_attestations() {
1172 // TypeCheck/Override attestations don't gate activation —
1173 // only Block/Unblock do.
1174 let attestations = vec![
1175 typecheck_passed(),
1176 human_decision(
1177 AttestationKind::Override {
1178 actor: "alice".into(),
1179 reason: "ship".into(),
1180 target_attestation_id: None,
1181 },
1182 500,
1183 ),
1184 ];
1185 assert!(!is_stage_blocked(&attestations));
1186 }
1187
1188 #[test]
1189 fn is_stage_blocked_block_alone_blocks() {
1190 let attestations = vec![human_decision(
1191 AttestationKind::Block { actor: "alice".into(), reason: "x".into() },
1192 500,
1193 )];
1194 assert!(is_stage_blocked(&attestations));
1195 }
1196
1197 #[test]
1198 fn is_stage_blocked_later_unblock_clears_block() {
1199 let attestations = vec![
1200 human_decision(
1201 AttestationKind::Block { actor: "alice".into(), reason: "x".into() },
1202 500,
1203 ),
1204 human_decision(
1205 AttestationKind::Unblock { actor: "alice".into(), reason: "ok".into() },
1206 600,
1207 ),
1208 ];
1209 assert!(!is_stage_blocked(&attestations));
1210 }
1211
1212 #[test]
1213 fn is_stage_blocked_later_block_re_blocks() {
1214 let attestations = vec![
1215 human_decision(
1216 AttestationKind::Block { actor: "a".into(), reason: "1".into() },
1217 500,
1218 ),
1219 human_decision(
1220 AttestationKind::Unblock { actor: "a".into(), reason: "2".into() },
1221 600,
1222 ),
1223 human_decision(
1224 AttestationKind::Block { actor: "a".into(), reason: "3".into() },
1225 700,
1226 ),
1227 ];
1228 assert!(is_stage_blocked(&attestations));
1229 }
1230
1231 #[test]
1232 fn is_stage_blocked_unblock_wins_at_same_timestamp() {
1233 // Tie-break favours Unblock so a hasty re-attempt at the
1234 // same wall-clock second can't strand the stage.
1235 let attestations = vec![
1236 human_decision(
1237 AttestationKind::Block { actor: "a".into(), reason: "1".into() },
1238 500,
1239 ),
1240 human_decision(
1241 AttestationKind::Unblock { actor: "a".into(), reason: "2".into() },
1242 500,
1243 ),
1244 ];
1245 assert!(!is_stage_blocked(&attestations));
1246 }
1247}