pub struct VerifyOptions<'a> {
    pub required_scope: String,
    pub is_revoked: Option<Box<dyn Fn(&str) -> bool + 'a>>,
    pub revocation: Option<Box<dyn RevocationProvider + 'a>>,
    pub force_revocation_check: bool,
    pub now: Option<i64>,
    pub session_context: Vec<u8>,
    pub stream: Option<StreamContext>,
    pub context: VerifierContext<'a>,
    pub policy: Option<Box<dyn PolicyProvider + 'a>>,
    pub audit: Option<Box<dyn AuditProvider + 'a>>,
    pub constraint_evaluators: Option<BTreeMap<String, Box<dyn ConstraintEvaluator + 'a>>>,
    pub policy_verdict: Option<PolicyVerdict>,
    pub policy_secret: Option<Vec<u8>>,
    pub anchor_resolver: Option<Box<dyn AnchorResolver + 'a>>,
}

Options passed to verify_bundle.

Fields

required_scope: String
Required scope; empty string skips scope checking.

is_revoked: Option<Box<dyn Fn(&str) -> bool + 'a>>
Legacy v1 revocation closure.
Deprecated: Use revocation (SPEC §17.1) instead. The closure has no way to surface lookup failures; revocation returns Result<bool, String> and fails closed on error. Slated for removal in v1.0.0-beta.1. When both fields are set, revocation wins.

revocation: Option<Box<dyn RevocationProvider + 'a>>
Pluggable revocation provider (SPEC §17.1). Takes precedence over is_revoked. A provider error fails the bundle as revocation_error.

force_revocation_check: bool
Force a fresh revocation check for high-stakes endpoints. The SDK cannot fetch revocation state itself; callers must provide is_revoked or a revocation provider when this is true.

now: Option<i64>
Override current time (unix seconds); None = SystemTime::now().

session_context: Vec<u8>
Optional verifier-reconstructed 32-byte v1.1 session context.

stream: Option<StreamContext>
Optional verifier-tracked v1.1 stream context.

context: VerifierContext<'a>
Application inputs for evaluating first-class constraints. Default is empty; constraint-bearing certs fail closed if required context is absent.

policy: Option<Box<dyn PolicyProvider + 'a>>
Advanced verifier-local policy evaluator (SPEC §17.2). Evaluated after all cryptographic checks pass. Deny → scope_denied; provider error → policy_error.

audit: Option<Box<dyn AuditProvider + 'a>>
Audit-receipt persistence hook (SPEC §17.3). Invoked on every Verify (success AND failure). Provider errors are swallowed — auditing cannot alter the verdict.

constraint_evaluators: Option<BTreeMap<String, Box<dyn ConstraintEvaluator + 'a>>>
Per-Verify registry of extension constraint evaluators (SPEC §17.7). Built-in types are evaluated by the SDK directly; the registry is only consulted for unknown types.

policy_verdict: Option<PolicyVerdict>
Fast-path cached policy decision (SPEC §17.6). When present and valid (MAC matches policy_secret, within window, agent/scope/context_hash matches), the verifier skips the live policy hook. Stale verdicts fall back to live policy.

policy_secret: Option<Vec<u8>>
HMAC secret used to verify policy_verdict.mac.

anchor_resolver: Option<Box<dyn AnchorResolver + 'a>>
Anchor resolver (SPEC §17.8). When set on a Valid=true verification, the verifier populates VerifyResult.anchor. Resolver errors are non-fatal.
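
The precedence and fail-closed behaviour described for is_revoked and revocation, as an added sketch that is not the crate's own code. The trait method name and signature, Outcome, resolve and DownStore are stand-ins assumed for illustration; only the Result<bool, String> return type and the precedence rule come from the field descriptions above.

```rust
// Stand-in for the crate's trait; the method name and signature are assumptions.
pub trait RevocationProvider {
    fn is_revoked(&self, cert_id: &str) -> Result<bool, String>;
}

#[derive(Debug, PartialEq)]
pub enum Outcome {
    NotRevoked,
    Revoked,
    RevocationError, // provider lookup failed: fail closed
    Unchecked,       // no source configured (this model's label, not an SDK verdict)
}

// Hypothetical model of the documented rule: `revocation` wins over `is_revoked`,
// and a provider error is never read as "not revoked".
pub fn resolve(
    cert_id: &str,
    is_revoked: Option<&dyn Fn(&str) -> bool>,
    revocation: Option<&dyn RevocationProvider>,
) -> Outcome {
    if let Some(p) = revocation {
        return match p.is_revoked(cert_id) {
            Ok(false) => Outcome::NotRevoked,
            Ok(true) => Outcome::Revoked,
            Err(_) => Outcome::RevocationError,
        };
    }
    match is_revoked {
        Some(f) if f(cert_id) => Outcome::Revoked,
        Some(_) => Outcome::NotRevoked,
        None => Outcome::Unchecked,
    }
}

// Constructed backend whose lookup always fails (store unreachable).
pub struct DownStore;
impl RevocationProvider for DownStore {
    fn is_revoked(&self, _cert_id: &str) -> Result<bool, String> {
        Err("revocation store unreachable".to_string())
    }
}

fn main() {
    let store = DownStore;
    // A legacy closure has to collapse the lookup error into a bool.
    let legacy = |id: &str| store.is_revoked(id).unwrap_or(false);
    println!("{:?}", resolve("cert-1", Some(&legacy), None)); // closure only
    println!("{:?}", resolve("cert-1", Some(&legacy), Some(&store))); // provider wins
}
```

With the same unreachable store, the closure path reports the certificate as not revoked while the provider path surfaces the error, which is the gap the deprecation of is_revoked closes.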