Crate taudit_core

§taudit-core — workspace-internal authority graph + rules engine

§Architecture

taudit-core is the workspace-internal engine: graph mutation, BFS propagation, rule evaluation, baselines, suppressions, ignore-pattern handling, and the cross-sink helpers (compute_fingerprint, compute_finding_group_id, rule_id_for) that JSON / SARIF / CloudEvents sinks call directly.

The stable wire types (everything that crosses the JSON / SARIF / CloudEvents boundary — Finding, FindingCategory, Severity, Recommendation, FindingSource, FixEffort, FindingExtras, NodeKind, EdgeKind, TrustZone, AuthorityCompleteness, IdentityScope, GapKind, Node, Edge, PipelineSource, ParamSpec, AuthorityEdgeSummary, PropagationPath, NodeId, EdgeId, every META_* metadata-key constant) live in the taudit-api crate.

Each module here re-exports the wire types it used to own so existing in-tree imports (use taudit_core::finding::Finding, use taudit_core::graph::NodeKind, …) keep compiling unchanged.

§API stability

taudit-core is a workspace-internal library, NOT a stable public API. External consumers (tsign, axiom, custom automation, SIEMs, third-party tooling) should depend on taudit-api directly (for the Rust contract) or consume the JSON / SARIF / CloudEvents output contracts (for cross-language integration). Both are versioned and treated as load-bearing:

  • taudit-api 0.x — the Rust wire-type contract. While at 0.x additive changes can ship in any minor; breaking changes require a 0.{N+1} minor bump and a CHANGELOG migration note. At 1.0 this lifts to standard semver.
  • contracts/schemas/taudit-report.schema.json — JSON output
  • schemas/finding.v1.json — single finding object
  • schemas/baseline.v1.json — baseline file format
  • contracts/schemas/taudit-cloudevent-finding-v1.schema.json — CloudEvents extension attributes
  • SARIF 2.1.0 — partialFingerprints keys are stable

Symbols marked #[doc(hidden)] here are required to be pub for inter-crate visibility within this workspace (sink crates call compute_fingerprint, compute_finding_group_id, rule_id_for, downgrade_severity directly), but their signatures may change between minor taudit versions without a SemVer bump on taudit-core. Treat them as pub(crate-tree), not pub.

See ADR 0001 (graph as product) and the v1.1.0 release notes for the full rationale behind this split.

Modules§

baselines
Per-pipeline baseline files (.taudit/baselines/<hash>.json).
custom_rules
error
exploit_path
Exploit graph view rendering.
finding
Finding-engine module for taudit-core.
graph
Authority-graph engine for taudit-core.
ignore
map
ports
propagation
rules
summary
Deterministic propagation aggregates for triage (ADR 0002 Phase 3).
suppressions
.taudit-suppressions.yml — per-finding waivers with audit trail.

Constants§

MAX_INPUT_FILE_BYTES
Maximum size in bytes of any single pipeline / config / invariant YAML taudit will read.

Functions§

read_capped
Read path to a String, but refuse files larger than MAX_INPUT_FILE_BYTES.
read_capped_with_symlink_fence
Read path to a String, but only if it is either (a) not a symlink or (b) a symlink whose canonical target is a descendant of cwd_canonical. Also enforces MAX_INPUT_FILE_BYTES.
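The two readers above are the only pieces of this page that describe a concrete check, so here is an added illustration of them, written for this page and not the crate's own code. Only the function names and the behaviour stated above come from the page: the cap value, the ReadError enum, the UTF-8 handling and the second length check on the read itself are assumptions. The second check matters because the size from metadata is a snapshot; a file can grow between the stat and the read, so the read is bounded at max + 1 bytes and re-checked.

```rust
use std::fs;
use std::io::{self, Read};
use std::path::{Path, PathBuf};

/// Illustrative cap only; the page does not show the crate's real value.
pub const MAX_INPUT_FILE_BYTES: u64 = 1024 * 1024;

/// Assumed error type; the crate's real error module is not shown on this page.
#[derive(Debug)]
pub enum ReadError {
    Io(io::Error),
    TooLarge { path: PathBuf, max: u64 },
    NotUtf8 { path: PathBuf },
    SymlinkEscapesCwd { path: PathBuf, target: PathBuf },
}

impl From<io::Error> for ReadError {
    fn from(e: io::Error) -> Self {
        ReadError::Io(e)
    }
}

/// Read `path` to a String, refusing anything larger than MAX_INPUT_FILE_BYTES.
pub fn read_capped(path: &Path) -> Result<String, ReadError> {
    // Cheap pre-check: reject an oversized file before allocating anything for it.
    if fs::metadata(path)?.len() > MAX_INPUT_FILE_BYTES {
        return Err(ReadError::TooLarge { path: path.to_path_buf(), max: MAX_INPUT_FILE_BYTES });
    }
    // The stat above is a snapshot (TOCTOU): bound the read itself at max + 1 bytes
    // so a file that grows after the stat still cannot be pulled into memory whole.
    let mut bytes = Vec::new();
    fs::File::open(path)?
        .take(MAX_INPUT_FILE_BYTES + 1)
        .read_to_end(&mut bytes)?;
    if bytes.len() as u64 > MAX_INPUT_FILE_BYTES {
        return Err(ReadError::TooLarge { path: path.to_path_buf(), max: MAX_INPUT_FILE_BYTES });
    }
    String::from_utf8(bytes).map_err(|_| ReadError::NotUtf8 { path: path.to_path_buf() })
}

/// Like read_capped, but refuse a symlink whose canonical target is outside `cwd_canonical`.
pub fn read_capped_with_symlink_fence(path: &Path, cwd_canonical: &Path) -> Result<String, ReadError> {
    // symlink_metadata does not follow the final component, so this sees the link itself.
    if fs::symlink_metadata(path)?.file_type().is_symlink() {
        // Resolve the whole chain (a link to a link counts), then compare path
        // components rather than string prefixes: Path::starts_with treats
        // "/work" and "/workspace" as distinct, a plain str prefix check would not.
        let target = fs::canonicalize(path)?;
        if !target.starts_with(cwd_canonical) {
            return Err(ReadError::SymlinkEscapesCwd { path: path.to_path_buf(), target });
        }
    }
    read_capped(path)
}
```

Two caveats a caller should keep in mind. The fence as described on this page looks at whether the path itself is a symlink; a symlinked intermediate directory (sub/link-dir/file.yml) is resolved by the OS while walking the path and is not what this check inspects, so if intermediate symlinks are a concern, canonicalize the full path unconditionally and apply the same starts_with comparison. And cwd_canonical must itself come from fs::canonicalize, not from a raw working-directory string, otherwise a cwd reached through a symlink (for example /tmp on macOS) never matches its resolved targets and every symlink is rejected.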