Struct DeviationStore 

pub struct DeviationStore { /* private fields */ }

An in-memory collection of Deviations.

The store is currently append-only. Future versions may add update/delete and persistence (file-backed JSON/OSCAL format) — tracked as PKIX-dbhe.

Implementations

impl DeviationStore

pub const fn new() -> Self

Create an empty store.

pub fn add(&mut self, deviation: Deviation) -> Result<(), DeviationAddError>

Add a deviation to the store.

Errors

• DeviationAddError::EmptyField if deviation.justification or deviation.authorized_by is empty.
• DeviationAddError::DuplicateId if a deviation with the same id already exists in the store.

pub fn all(&self) -> &[Deviation]

Return all deviations in the store.

pub fn active_at(&self, now_unix: u64) -> impl Iterator<Item = &Deviation>

Return all deviations that are active at now_unix.

pub fn active_for_lint<'a>( &'a self, lint_id: &'a str, now_unix: u64, ) -> impl Iterator<Item = &'a Deviation>

Return all deviations targeting lint_id that are active at now_unix.

pub fn expired_at(&self, now_unix: u64) -> impl Iterator<Item = &Deviation>

Return all deviations that have expired as of now_unix.

Used by corpus-reporting tools to surface deviations that need renewal.

pub fn find_deviation( &self, lint_id: &str, cert: &Certificate, now_unix: u64, ) -> Option<&Deviation>

Check whether a specific finding should be deviated.

Returns the active deviation that matches cert and lint_id at now_unix, or None if no deviation applies.

Resolution rule (PKIX-hy2e.10)

Among all matching deviations, the one with the highest Deviation::priority wins. Ties are broken by store-insertion order — the first-added deviation at the winning priority wins.

Operators merging deviation files from multiple authors should set Deviation::priority explicitly to express specificity: site-local / lab-scoped waivers get higher priorities than workspace-wide wildcard waivers. The default priority is 0, so a single-author store behaves identically to the pre-PKIX- hy2e.10 “first-match-wins” rule.

pub fn find_deviation_for_chain( &self, lint_id: &str, chain: &[Certificate], now_unix: u64, ) -> Option<&Deviation>

Returns the active deviation that matches lint_id and at least one certificate in chain at now_unix, or None if no deviation applies.

Used by DeviationRunner::run_path to apply path-scope deviations that target an intermediate CA’s properties (rather than the leaf’s). Per RFC 5280 §6.1, a path-scope finding can fire because of any cert in the chain, including intermediate CAs; a deviation scoped to an intermediate must be applicable even though the path finding has no single “owning” cert.

Resolution rule (PKIX-hy2e.10 + PKIX-hy2e.11)

1. A deviation matches if Deviation::target_lint equals lint_id AND at least one cert in chain is in scope.
2. Among all matching deviations, the highest Deviation::priority wins.
3. Priority ties are broken by store-insertion order.

Trait Implementations

impl Clone for DeviationStore

fn clone(&self) -> DeviationStore

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for DeviationStore

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for DeviationStore

fn default() -> DeviationStore

Returns the “default value” for a type.

impl Eq for DeviationStore

impl PartialEq for DeviationStore

fn eq(&self, other: &DeviationStore) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for DeviationStore

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.

impl StructuralPartialEq for DeviationStore