Trust state machine — v0.1 minimal subset, extended in v3.2 (RFC-001).
Tier semantics:
- UNTRUSTED: card pinned, no claim verified yet; messages ignored.
- ORG_VERIFIED: (v3.2 / RFC-001 §5) peer shares a verified org_did with us — organisational trust, NOT personal. Bilateral SAS is still required to cross into VERIFIED. Promotion from UNTRUSTED is one-way.
- VERIFIED: SAS confirmed bilateral; messages accepted. Promotion accepts UNTRUSTED-or-ORG_VERIFIED as source (RFC-001 §5: “a SAS-paired peer that happens to share our org is recorded at VERIFIED, not downgraded”).
- ATTESTED: reserved (v0.2+) — used today only for self-attest.
- TRUSTED: reserved (v0.2+).
Promotion is one-way. Demotion would be ambiguous in a bilateral setting
and is deliberately not modeled. RFC-001 §5 invariant:
“ORG_VERIFIED never satisfies a >= VERIFIED policy check.”
That invariant is captured by tier_order (ORG_VERIFIED=1 < VERIFIED=2)
and by the AC2 property test (tests/trust_ceiling_prop.rs) asserting no
claim-event walk reaches VERIFIED without a SasConfirmed step.
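
Added example (not this crate's code): a std-only model of the tier rules above, showing that an ORG_VERIFIED peer fails a >= VERIFIED gate until the SAS-gated promotion runs. The names Tier, TrustModel, pin and meets are hypothetical, UNTRUSTED=0 is an assumed rank, and rejecting a repeat promotion of an already-VERIFIED peer is this model's choice.

```rust
// Added example: std-only model of the tier rules; names are hypothetical,
// not the crate's API (the crate stores trust as a JSON value).
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Tier { Untrusted, OrgVerified, Verified }

/// Rank for `>=` gating. ORG_VERIFIED=1 < VERIFIED=2 is from the page;
/// UNTRUSTED=0 is an assumption. Reserved tiers are omitted.
pub fn tier_order(t: Tier) -> u8 {
    match t { Tier::Untrusted => 0, Tier::OrgVerified => 1, Tier::Verified => 2 }
}

#[derive(Default)]
pub struct TrustModel { peers: HashMap<String, Tier> }
impl TrustModel {
    /// Pin a peer at UNTRUSTED; re-pinning never lowers an existing tier.
    pub fn pin(&mut self, peer: &str) {
        self.peers.entry(peer.to_string()).or_insert(Tier::Untrusted);
    }
    pub fn tier(&self, peer: &str) -> Option<Tier> { self.peers.get(peer).copied() }
    // One-way promotion: only from an allowed source tier, never downward.
    fn promote(&mut self, peer: &str, from: &[Tier], to: Tier) -> Result<(), String> {
        let cur = self.tier(peer).ok_or_else(|| format!("{peer}: not pinned"))?;
        if !from.contains(&cur) {
            return Err(format!("{peer}: cannot promote {cur:?} to {to:?}"));
        }
        self.peers.insert(peer.to_string(), to);
        Ok(())
    }
    pub fn promote_to_org_verified(&mut self, peer: &str) -> Result<(), String> {
        self.promote(peer, &[Tier::Untrusted], Tier::OrgVerified)
    }
    /// Caller invokes this only after bilateral SAS confirmation.
    pub fn promote_to_verified(&mut self, peer: &str) -> Result<(), String> {
        self.promote(peer, &[Tier::Untrusted, Tier::OrgVerified], Tier::Verified)
    }
    /// Policy gate: an unpinned peer never passes, whatever tier is required.
    pub fn meets(&self, peer: &str, required: Tier) -> bool {
        self.tier(peer).map_or(false, |t| tier_order(t) >= tier_order(required))
    }
}

fn main() {
    let mut trust = TrustModel::default();
    trust.pin("alice"); // constructed sample handle
    trust.promote_to_org_verified("alice").unwrap();
    println!("org-only passes VERIFIED gate: {}", trust.meets("alice", Tier::Verified));
}
```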
Enums§
Functions§
- add_agent_card_pin - Pin a peer’s card into our trust at the given tier (default UNTRUSTED).
- add_self_to_trust - Self-pin our own keypair into trust at ATTESTED. Convenience for wire init.
- effective_tier - Effective trust tier — what the daemon can ACT on, not just what trust.json was promoted to.
- empty_trust
- get_tier
- project_recipients - RFC-001 §6 project fan-out: the pinned peer handles eligible to receive a wire send --project <tag> broadcast.
- promote_to_org_verified - Promote UNTRUSTED → ORG_VERIFIED. Returns Err(reason) if not pinned or already past UNTRUSTED.
- promote_to_verified - Promote UNTRUSTED or ORG_VERIFIED → VERIFIED. Returns Err(reason) if not pinned or already past VERIFIED.
- resolve_peer_did - Resolve a bare peer handle to the full DID stored in trust. Falls back to did:wire:<peer_handle> (the bare-handle form) when the peer isn’t pinned — preserves pre-pair best-effort routing for unknown peers.
- tier_order - Tier ranking — higher is more trusted. Useful for >= gating.
Type Aliases§
- Trust - Trust state — kept as a free-form JSON Value so we can persist + read with any conforming impl. v0.2+ may swap this for a typed struct.