Receipts and verdicts — SPEC §17.5–§17.6.
Additive primitives that sit on top of `verify_bundle`:

- `VerificationReceipt`: hybrid-signed attestation that a bundle was verified with a specific decision at a specific time. Chains by `prev_hash` so the chain is tamper-evident.
- `PolicyVerdict`: HMAC-bound cached policy decision; lets a commercial policy backend skip live evaluation on subsequent calls.
Wire format unchanged: these wrap output of the verifier rather than adding fields to existing signed objects.
Functions

- `bundle_hash` - SHA-256 of a fixed-shape canonical form of a `ProofBundle` (SPEC §17.5).
- `issue_policy_verdict` - Construct and HMAC-bind a `PolicyVerdict`.
- `issue_verification_receipt` - Construct and hybrid-sign a `VerificationReceipt` over a (bundle, result, prev) triple. `prev_hash` is `None` for genesis (becomes 32 zero bytes).
- `policy_verdict_sign_bytes_buf` - Canonical signable bytes for a `PolicyVerdict`. Public so tests and alternative issuance backends can recompute the bytes. Keys: `agent_id`, `allow`, `context_hash`, `issued_at`, `scope`, `valid_until`, `verdict_id`, `version`.
- `receipt_hash` - SHA-256 of a receipt’s canonical signable bytes. Use as `prev_hash` for the next receipt in the chain.
- `verification_receipt_sign_bytes_buf` - Canonical signable bytes for a `VerificationReceipt`. Public so tests (and any `AuditProvider` that wants to chain its own signatures) can recompute the bytes.
- `verifier_context_hash` - SHA-256 of the canonical-byte representation of the policy-relevant subset of a `VerifierContext`. Used as `context_hash` on a `PolicyVerdict`. `invocations_in_window` is excluded — closures don’t serialize. Keys in lex order: `current_alt_m`, `current_lat`, `current_lon`, `current_speed_mps`, `has_amount`, `has_location`, `has_speed`, `requested_amount`, `requested_currency`.
- `verify_policy_verdict` - Check a `PolicyVerdict`’s HMAC and validity. Returns `Ok(())` on success (cached allow); returns `Err("policy_verdict_denied: ...")` on cached deny; any other `Err` indicates the verdict is unusable.
- `verify_verification_receipt` - Verify the hybrid signature on a `VerificationReceipt` against the receipt’s declared `verifier_pub`. Returns `Ok(())` iff both component signatures verify.
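The chaining and HMAC-binding behaviour described in the list above, as an added example that is not the crate's own code: a self-contained Python model of the receipt chain (genesis `prev_hash` of 32 zero bytes, `receipt_hash` of one receipt feeding `prev_hash` of the next) and of the HMAC-bound policy verdict with the key sets the page lists. Assumed, because the page does not specify them: the canonical encoding (compact JSON with sorted keys here), HMAC-SHA-256 standing in for the hybrid receipt signature, the receipt field names other than `prev_hash` and `bundle_hash`, the error strings other than `policy_verdict_denied`, and all sample data, which is constructed.

```python
import hashlib
import hmac
import json

GENESIS_PREV_HASH = bytes(32)  # genesis receipt: prev_hash is 32 zero bytes

# Policy-relevant subset of the verifier context, lexicographic order (from the page).
# invocations_in_window is a closure and is deliberately never serialized.
CONTEXT_KEYS = ("current_alt_m", "current_lat", "current_lon", "current_speed_mps",
                "has_amount", "has_location", "has_speed",
                "requested_amount", "requested_currency")
VERDICT_KEYS = ("agent_id", "allow", "context_hash", "issued_at",
                "scope", "valid_until", "verdict_id", "version")


def canonical_bytes(fields: dict) -> bytes:
    """Fixed-shape canonical form; compact sorted JSON is an assumption of this example."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def bundle_hash(bundle: dict) -> bytes:
    return hashlib.sha256(canonical_bytes(bundle)).digest()


def verifier_context_hash(ctx: dict) -> bytes:
    subset = {k: ctx.get(k) for k in CONTEXT_KEYS}  # drops closures and unknown keys
    return hashlib.sha256(canonical_bytes(subset)).digest()


def receipt_sign_bytes(receipt: dict) -> bytes:
    return canonical_bytes({k: v for k, v in receipt.items() if k != "sig"})


def receipt_hash(receipt: dict) -> bytes:
    """SHA-256 of the signable bytes; this is the next receipt's prev_hash."""
    return hashlib.sha256(receipt_sign_bytes(receipt)).digest()


def issue_verification_receipt(key, bundle, decision, issued_at, prev_hash=None):
    receipt = {
        "bundle_hash": bundle_hash(bundle).hex(),
        "decision": decision,
        "issued_at": issued_at,
        "prev_hash": (GENESIS_PREV_HASH if prev_hash is None else prev_hash).hex(),
    }
    # HMAC-SHA-256 stands in for the crate's hybrid signature (assumption).
    receipt["sig"] = hmac.new(key, receipt_sign_bytes(receipt), hashlib.sha256).hexdigest()
    return receipt


def verify_receipt_chain(key, receipts):
    """(ok, reason): each receipt must verify and its prev_hash must equal the
    hash of the receipt before it (zero bytes for the genesis receipt)."""
    expected_prev = GENESIS_PREV_HASH
    for i, r in enumerate(receipts):
        mac = hmac.new(key, receipt_sign_bytes(r), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, r["sig"]):
            return False, f"receipt {i}: signature invalid"
        if bytes.fromhex(r["prev_hash"]) != expected_prev:
            return False, f"receipt {i}: prev_hash does not match previous receipt"
        expected_prev = receipt_hash(r)
    return True, "ok"


def policy_verdict_sign_bytes(verdict: dict) -> bytes:
    return canonical_bytes({k: verdict[k] for k in VERDICT_KEYS})


def issue_policy_verdict(hmac_key, agent_id, allow, ctx, scope, issued_at, valid_until, verdict_id):
    verdict = {"agent_id": agent_id, "allow": allow,
               "context_hash": verifier_context_hash(ctx).hex(),
               "issued_at": issued_at, "scope": scope, "valid_until": valid_until,
               "verdict_id": verdict_id, "version": 1}
    verdict["mac"] = hmac.new(hmac_key, policy_verdict_sign_bytes(verdict), hashlib.sha256).hexdigest()
    return verdict


def verify_policy_verdict(hmac_key, verdict, ctx, now):
    """None = cached allow; 'policy_verdict_denied: ...' = cached deny;
    any other string = verdict unusable, so the caller must evaluate live."""
    mac = hmac.new(hmac_key, policy_verdict_sign_bytes(verdict), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, verdict["mac"]):
        return "policy_verdict_mac_mismatch"
    if not verdict["issued_at"] <= now <= verdict["valid_until"]:
        return "policy_verdict_expired"
    if verdict["context_hash"] != verifier_context_hash(ctx).hex():
        return "policy_verdict_context_mismatch"  # cached decision was for another context
    if not verdict["allow"]:
        return f"policy_verdict_denied: {verdict['scope']}"
    return None


def demo():
    key = b"constructed-demo-key"  # constructed sample key
    bundles = [{"proof": "a", "n": 1}, {"proof": "b", "n": 2}]  # constructed bundles
    r0 = issue_verification_receipt(key, bundles[0], "allow", 1000)
    r1 = issue_verification_receipt(key, bundles[1], "deny", 1001, prev_hash=receipt_hash(r0))
    chain_ok = verify_receipt_chain(key, [r0, r1])[0]
    # Replace the genesis receipt with a validly signed but different one:
    # r1's prev_hash no longer matches, so the substitution is detected.
    swapped = issue_verification_receipt(key, bundles[0], "deny", 1000)
    swap_ok = verify_receipt_chain(key, [swapped, r1])[0]
    ctx = {"has_amount": True, "requested_amount": 5, "requested_currency": "EUR",
           "invocations_in_window": lambda: 3}  # closure is ignored by the hash
    v = issue_policy_verdict(key, "agent-1", True, ctx, "pay", 1000, 2000, "v-1")
    return (chain_ok, swap_ok,
            verify_policy_verdict(key, v, ctx, 1500), verify_policy_verdict(key, v, ctx, 3000))


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, None, "policy_verdict_expired")`: the honest chain verifies, swapping in a re-signed genesis receipt breaks the link at receipt 1, the verdict is a cached allow inside its validity window and unusable after it. Binding `context_hash` into the MAC is what stops a verdict cached for one request context from being replayed for another.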