Struct NamespacePolicy 

pub struct NamespacePolicy { /* private fields */ }

The versioned, canonical, signed-in-log per-namespace policy record.

Construct via NamespacePolicy::new (which validates well-formedness), serialize via NamespacePolicy::canonical_bytes, and parse via NamespacePolicy::parse. See the module docs for the field set and the invariant wall.

Implementations

impl NamespacePolicy

pub const RECORD_TYPE: &'static str = "namespace-policy"

The canonical context-label record type for a namespace policy.

pub fn new(
    namespace: Namespace,
    policy_schema_version: u32,
    security_level: SecurityLevel,
    checkpoint_suite: CheckpointSuite,
    commitment_hash: CommitmentHash,
    vrf_mode: VrfMode,
    effective_from: u64,
    created_at: u64,
    prev_policy_hash: Option<[u8; 64]>,
) -> Result<Self>

Build and validate a namespace policy.

Enforces the v0.1 well-formedness rules: commitment_hash must equal the one derived from security_level (the bundle), vrf_mode must be Classical, PureCnsa2 requires Cat-5, and prev_policy_hash (if present) must be exactly 64 bytes. policy_schema_version must be >= 1.

§Errors

Returns Error::MalformedPolicy for any violation.

pub fn genesis(
    namespace: Namespace,
    security_level: SecurityLevel,
    checkpoint_suite: CheckpointSuite,
    effective_from: u64,
    created_at: u64,
) -> Result<Self>

Convenience constructor for the bundled DX surface (#324 Q3): the commitment_hash is derived from security_level, vrf_mode is Classical, and this is the genesis version (policy_schema_version = 1, prev_policy_hash = None).

§Errors

Returns Error::MalformedPolicy (e.g. PureCnsa2 below Cat-5).

pub fn namespace(&self) -> &Namespace

The governed namespace.

pub fn policy_schema_version(&self) -> u32

The record / migration-sequence version.

pub fn security_level(&self) -> SecurityLevel

The declared security level.

pub fn checkpoint_suite(&self) -> CheckpointSuite

The declared checkpoint-signature suite.

pub fn commitment_hash(&self) -> CommitmentHash

The declared commitment-hash strength.

pub fn vrf_mode(&self) -> VrfMode

The declared VRF privacy mode.

pub fn effective_from(&self) -> u64

The tree size / checkpoint index at which this version takes force.

pub fn created_at(&self) -> u64

The informational creation timestamp (Unix milliseconds).

pub fn prev_policy_hash(&self) -> Option<&[u8; 64]>

The 64-byte previous-version hash, or None for the genesis version.

pub fn declared_checkpoint_posture(&self) -> (Suite, SignatureLevel)

The declared (Suite, SignatureLevel) checkpoint posture — what an observed checkpoint signature must match.

pub fn context_label(&self) -> Result<ContextLabel>

The canonical context label for this policy, <namespace>/namespace-policy/v1.

§Errors

Propagates ContextLabel::parse errors (cannot occur for a valid namespace).

pub fn canonical_bytes(&self) -> Vec<u8>

Build the canonical, byte-reproducible serialization of this policy.

canonical(policy) =
    u32_be(POLICY_FORMAT_VERSION = 1)
 || lp(namespace)
 || u32_be(policy_schema_version)
 || u8(security_level tag)
 || u8(checkpoint_suite tag)
 || u8(commitment_hash tag)
 || u8(vrf_mode tag)
 || u64_be(effective_from)
 || u64_be(created_at)
 || lp(prev_policy_hash)   // 0-length for genesis

pub fn parse(bytes: &[u8]) -> Result<Self>

Parse a policy from its canonical bytes, validating the layout, the enum tags, and the v0.1 well-formedness rules.

§Errors

Returns Error::MalformedPolicy for an unknown format version, an unknown enum tag, a length-prefix overrun, trailing bytes, a prev_policy_hash that is present but not 64 bytes, or any rule violation.
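
Added example, not the crate's own code: a std-only Rust model of the canonical(policy) layout shown under canonical_bytes and of the rejections parse lists, so the wire format and its checks can be exercised offline. It assumes, because the page does not say, that lp() is a u32 big-endian length prefix, that each enum tag is a single byte, and that tag 0 stands for the Classical vrf_mode; the bundle and PureCnsa2/Cat-5 rules are not modelled.

```rust
// Added example, not the crate's code: a std-only model of canonical(policy) and parse().
// Assumed (the page does not say): lp() = u32 big-endian length prefix; enum tags are one
// byte each; VRF_CLASSICAL_TAG = 0 stands in for the Classical vrf_mode tag.
const POLICY_FORMAT_VERSION: u32 = 1;
const VRF_CLASSICAL_TAG: u8 = 0; // assumed value
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Policy {
    pub namespace: String, pub policy_schema_version: u32,
    pub tags: [u8; 4], // security_level, checkpoint_suite, commitment_hash, vrf_mode tags
    pub effective_from: u64, pub created_at: u64, pub prev_policy_hash: Option<[u8; 64]>,
}
fn lp(out: &mut Vec<u8>, b: &[u8]) {
    out.extend_from_slice(&(b.len() as u32).to_be_bytes());
    out.extend_from_slice(b);
}
/// Field for field the layout above; a 0-length prev hash marks the genesis version.
pub fn canonical_bytes(p: &Policy) -> Vec<u8> {
    let mut out = POLICY_FORMAT_VERSION.to_be_bytes().to_vec();
    lp(&mut out, p.namespace.as_bytes());
    out.extend_from_slice(&p.policy_schema_version.to_be_bytes());
    out.extend_from_slice(&p.tags);
    out.extend_from_slice(&p.effective_from.to_be_bytes());
    out.extend_from_slice(&p.created_at.to_be_bytes());
    match &p.prev_policy_hash { Some(h) => lp(&mut out, h), None => lp(&mut out, &[]) }
    out
}
/// Bounds-checked cursor: a short read is a parse error, never a panic.
fn take<'a>(r: &mut &'a [u8], n: usize) -> Result<&'a [u8], &'static str> {
    if r.len() < n { return Err("length-prefix overrun"); }
    let (head, rest) = r.split_at(n); *r = rest; Ok(head)
}
fn u32_be(r: &mut &[u8]) -> Result<u32, &'static str> { Ok(u32::from_be_bytes(take(r, 4)?.try_into().unwrap())) }
fn u64_be(r: &mut &[u8]) -> Result<u64, &'static str> { Ok(u64::from_be_bytes(take(r, 8)?.try_into().unwrap())) }
fn lp_read<'a>(r: &mut &'a [u8]) -> Result<&'a [u8], &'static str> { let n = u32_be(r)? as usize; take(r, n) }
/// Parse plus the rejections the docs list: version, overrun, trailing bytes, prev-hash length, rules.
pub fn parse(mut r: &[u8]) -> Result<Policy, &'static str> {
    if u32_be(&mut r)? != POLICY_FORMAT_VERSION { return Err("unknown format version"); }
    let namespace = String::from_utf8(lp_read(&mut r)?.to_vec()).map_err(|_| "namespace not utf-8")?;
    let policy_schema_version = u32_be(&mut r)?;
    let tags: [u8; 4] = take(&mut r, 4)?.try_into().unwrap();
    let (effective_from, created_at) = (u64_be(&mut r)?, u64_be(&mut r)?);
    let prev = lp_read(&mut r)?;
    let prev_policy_hash: Option<[u8; 64]> = if prev.is_empty() { None } else {
        Some(prev.try_into().map_err(|_| "prev_policy_hash present but not 64 bytes")?)
    };
    if !r.is_empty() { return Err("trailing bytes"); }
    if policy_schema_version < 1 { return Err("policy_schema_version must be >= 1"); }
    if tags[3] != VRF_CLASSICAL_TAG { return Err("vrf_mode must be Classical"); }
    Ok(Policy { namespace, policy_schema_version, tags, effective_from, created_at, prev_policy_hash })
}
```

A genesis record for a 4-byte namespace serializes to 40 bytes and a chained one to 104, which is the reproducibility the policy_hash chain depends on.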

pub fn policy_hash(&self) -> Result<[u8; 64]>

The intra-chain policy_hash: the 64-byte SHA3-512 content hash over the canonical bytes under the <namespace>/namespace-policy/v1 label.

The next version chains to this digest via prev_policy_hash. Note this is computed over the policy bytes, not the SignedPolicy envelope, so the (hedged, non-reproducible) signature never affects the chain.

§Errors

Propagates NamespacePolicy::context_label errors.

pub fn rfc6962_leaf_hash(&self) -> Hash

The RFC 6962 Merkle leaf hash SHA-256(0x00 || canonical) over the raw canonical policy bytes (the Layer-0 leaf hash; independent of NamespacePolicy::policy_hash).

pub fn enforce_checkpoint_signing_key(&self, public_key_b64: &str) -> Result<()>

Enforce that an observed checkpoint hybrid signing public key matches this policy’s declared checkpoint posture.

The observed posture is read from the key’s self-describing tag via the typed, opaque metamorphic_crypto::signature_posture accessor (no wire tags re-derived here); a structurally malformed key surfaces as a mismatch rather than a panic.

§Errors

Returns Error::PostureMismatch if the observed (Suite, SignatureLevel) differs from NamespacePolicy::declared_checkpoint_posture.

pub fn enforce_checkpoint_signature(&self, signature_b64: &str) -> Result<()>

Enforce that an observed checkpoint composite signature matches this policy’s declared checkpoint posture (the signature counterpart to NamespacePolicy::enforce_checkpoint_signing_key, via metamorphic_crypto::signature_posture_from_signature).

§Errors

Returns Error::PostureMismatch on any disagreement.

pub fn enforce_vrf_suite_id(&self, observed_suite_id: u8) -> Result<()>

Enforce that an observed CONIKS VRF suite id (the Slice-4 crate::vrf::Vrf::suite_id, #332) matches this policy’s declared VrfMode.

§Errors

Returns Error::PostureMismatch if the observed suite id differs from the one the declared mode requires (or if the declared mode has no built construction in v0.1).

pub fn enforce_commitment_hash(&self, observed: CommitmentHash) -> Result<()>

Enforce that an observed commitment-hash parameter matches this policy’s declared CommitmentHash.

§Errors

Returns Error::PostureMismatch on disagreement.

impl NamespacePolicy

pub fn enforce_observed(&self, observed: &ObservedPosture) -> Result<()>

Enforce declared == observed across all three posture axes at once (checkpoint signature, CONIKS VRF suite, commitment hash). Any single mismatch is a hard rejection.

§Errors

Returns the first Error::PostureMismatch encountered.

Trait Implementations

impl Clone for NamespacePolicy

fn clone(&self) -> NamespacePolicy

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for NamespacePolicy

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Eq for NamespacePolicy

impl PartialEq for NamespacePolicy

fn eq(&self, other: &NamespacePolicy) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl StructuralPartialEq for NamespacePolicy

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

This is a nightly-only experimental API (clone_to_uninit).
Performs copy-assignment from self to dest.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Same for T

type Output = T

Should always be Self.

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.